Friday, December 23, 2011

Oh, look! Another web-based vulnerability!

According to this article, some vulnerability researchers have found a new vulnerability that can definitely be exploited through Safari for Windows. They believe the vulnerability can also be exploited through other web browsers on Windows. The article notes that the exploit uses a Windows library that web browsers call, so it's really a problem with Windows.

The web browser has become the most common vector through which malware gets on a victim's system. It used to be all about bad guys exploiting systems through the OS directly. Now, they make use of the ubiquitous WWW and all the software that's designed to browse it.

Web Browser Vulnerabilities

Your web browser gapes
Like a path through underbrush.
Secret garden found.

Invite the foxes
Into the warm, dry hen house.
Open your browser.

Take care! You go where
Vulnerabilities live.
Spiders on The Web.

Oh, look! Another Firefox!

New versions of Firefox have been coming fast and loose lately. Firefox 9.0.1 is being released a day after version 9.0.0 was released. Such speed inspires the mind.

Firefox Haiku

Try to count the flakes!
Snow falls on itself and grows.
New Firefox out.

Growth must follow birth.
The hunters prey on the young.
Security patch.

Firefox versions
Like June firefly flashes.
Miss one, one more comes.

Thursday, December 22, 2011

Chamber of Secrets

Hot on the tail of news of the US Chamber of Commerce being hacked, I offer some haiku.

Chamber of Commerce
Pierced by winds and driving rain.
Servers are all wet.

Feds investigate
Like deer browsing underbrush.
Fresh morsels are found.

China will insist:
Innocent like sprouting bulbs.
Do you smell something?

Monday, December 19, 2011

Who's Afraid of SCADA?

By request...

Who's Afraid of SCADA?

The lights, they are a-dimmin'.
Humidity's high, I'm swimmin'.
'gainst heat, AC's not winnin'.
All fans have stopped their spinnin'.

None of the doors will a-open.
All locks are completely frozen.
The stop lights won't stop their blinkin'.
Fountains think ghosts are a-drinkin'.

We put 'em on the Internetwork.
Now they're hacked by some stupid dumb jerk.
In shadows those bad guys seem to lurk
Creating for us so much more work.

Monday, December 12, 2011

Social Network De Jour

It seems like new social networks of various types are popping up everywhere. They all have different themes and work in slightly different ways. But one thing is common among them all: they make you a product that they sell to others. Your data is worth a lot to these people.

Social Network De Jour

I rolled myself a VM
And deployed. Carpe Diem!
No time to plan a mature service out.

My server was unhardened.
My code could not be pardoned.
First to market's what it's all about.

I encouraged you to share
All your facts and details there.
My social network links from all around.

I never promised you I'd hide
The juicy details found inside.
I'll ship your data off without a sound.

Marketers will love me.
I'm selling you, you must see.
Another item sitting on a shelf.

Privacy is long gone,
Not something you can count on.
You handed it all over your own self.

Monday, December 5, 2011

Outsource Rock

My boss was lamenting the lack of Schoolhouse Rock-esque songs about outsourcing and sending things "to The Cloud".

I took that as a challenge.

Outsource Rock

Outsource is the horse to bet on,
Though your service is nervous to leave.
Just consider the better return on
Your investment in business IT.

Backups and patching's for losers.
Running a helpdesk's a bore.
Do like those savvy tech choosers:
Send servers packing for off-shore!


We watch as your email host flounders.
We see hard drives falling away.
Fly in the face of your founders.
IT wasn't destined to stay!


Don't worry too much over data.
Privacy's lawyers' concern.
It's only the service that mattas!
Just let your old server farm burn!

Don't be annoyed at the marketer's ploy
She's trying so hard to assist.
When all's said and done you'll have so much more fun
Your old ways will hardly be missed!

Staff costs just lower the margin,
There's no need to keep them around.
Just like the poor echo and chargen,
They'll bury us all in the ground.

So, ho!
Outsource is the horse to bet on,
Though your service is nervous to leave.
Just consider the better return on
Your investment in business IT.

Wednesday, November 16, 2011

APT Haiku

The buzzword "APT" is met with fear and derision. But Advanced Persistent Threats are real, and information security programs must address them. Still, the term has a habit of causing visceral reactions during important conversations.

Snowfall's silence screams
Across the full conference room.
You said "APT".

Among Autumn's leaves
Falls a juggernaut disguised,
Hiding in plain sight.

Wild seeds in springtime
Sprout unexpected flowers.
How long did they sleep?

Wednesday, October 19, 2011

Vendor Call

IT Security folk have to fight off attackers and vandals and the careless and ignorant. We also have to fight vendors. Maybe fight isn't the right word. It all depends on your perspective.

Vendor Call

We vendors have what you need.
Just taste, you'll understand.
You think vendors just care about greed?
No, we're trying to give you a hand.
No one can solve the world's troubles,
Isolated and on your own.
You need friends through the crashes and bubbles,
For when the bad guys are looking to pwn.

My product can save you from evil!
My product can show ROI!
My product could defeat the devil
And stop an APT spy!

UTM, PCI, and IDS!
SOX, ISO, and IDS!
We cooked a full acronym stew.

We've got webinars, glossies, a PowerPoint slide.
We can send you evangelists and experts.
Let's talk! Let's chat! Please, let us inside!
Let us know everywhere it hurts.
We'll buy you some lunch, bring a T-shirt or two.
We've got pens and foam balls to spare.
Every promise we make is totally true.
You'll be relieved, without a care.

You cringe when we send you an email.
You ignore our voice messages.
But it's not just about making a sale
And removing your budget's vestiges.
Honest and true, our product is good.
Just give us a chance to show it.
We're solution providers! We're misunderstood!
It's your business, we wouldn't want to blow it!

Thursday, July 21, 2011

Mandatory Notification

In the last decade, state legislatures around the US created mandatory notification laws for security incidents involving specific personally identifiable information, such as Social Security Numbers, driver's license numbers, or financial account information. Usually, these laws mandated that anyone who knows they have lost such information must publicly notify their attorneys general as well as those affected by the data breach. Creating a severe liability for not notifying people when there are data breaches helped stir up new information security efforts, certainly within higher ed at least. Even so, we see news stories left and right of websites and other data stores being compromised.

The question of whether or not to notify when there is a potential data breach is a complex one. At least in New York State, notifications have to happen after an investigation is complete, but not until that investigation is done. For the unscrupulous, these details can be used to delay notifications. Also, notifications only have to happen if there is a reasonable chance that data was lost. What "reasonable" means is up for interpretation, and people can weasel their way out of notifications by interpreting the facts in certain ways.

Mandatory Notification

It used to be
My infosec diary
Was something just for me.

'Till my blasted state
Had to go and create
A notification-type mandate.

Now every one little sin,
Every hack of /bin,
requires Public Relations' spin.

So I have to decide:
Should I show or hide
When bad guys get inside?

And if they post a file,
Or our homepage defile,
Or pollute our Twitter with bile,

We'll blame the hacker!
Be a victim, not a slacker!
Fault will lie with the evil attacker.

It's not that we failed,
Or through open gates that they sailed
In the end we will have prevailed.

Saturday, June 25, 2011

Haiku for compromised websites

Web sites compromised:
Stars falling from the heavens,
Their whispers made loud.

Looking to sting true,
SQL injections fly.
Angry summer bees.

A weed will wither
When denied air and water.
Store data offline.

Monday, June 20, 2011

I couldn't find me without having you

We InfoSec types have been spending lots of time of late catching up to the exploits (and use of exploits) of various hacking groups. These bad, bad people have been hacking websites and services, extracting the logins and passwords for thousands of users, and posting them to the net for all to see. Of course, since password reuse is so common, other bad guys come along, take these logins, and use them to send spam and malware through accounts that might use the same login and passwords as the compromised accounts.

The logic behind the activity is complex, and most users who are affected by it all don't seem to care. They care that their online selves have been violated. They care that these attacks lead to identity theft.

We, as the InfoSec community, have tried to educate people to have better account management practices, such as using complex passwords and not reusing logins. Often this advice falls on deaf ears. There have been many studies as to why this is the case, and not all the blame falls on the end user. That said, an ounce of prevention would be a huge help in the cases of the Sony breach and the other recent website breaches.

And yet we still hear the users singing a sad song...

I Couldn't Find Me Without Having You

I'm lost, I don't know what to do
Can't find the words, don't have a clue.
But Google, you're there, you're always true.
I couldn't find me without having you!

I signed up for Sony's gaming net
Bosses to kill, achievements to get.
But now someone who I've never met
Logged in as me, filling me with regret.

Not only have they my gamer tag
They're causing my credit card to sag
I wish I could blame them for the lag
As I blame them for the creditor's nag.

I'm lost, I don't know what to do.
Can't find the words, don't have a clue.
But Google, you're there, you're always true.
I couldn't find me without having you!

So I look to the net and search for my name.
I find that lulzsec is playing a game.
So what if my logins are all the same?
Who'd want my ID, I haven't got fame!

And an Anonymous group has entered the fray.
They seem to hack sites each and every day.
Now my login and passwords are on display.
If I ever forget them, I will know the way:

I'm lost, I don't know what to do.
Can't find the words, don't have a clue
But Google, you're there, you're always true.
I couldn't find me without having you!

They're on my laptop, they're in my iPod.
All my tech toys seem to act rather odd.
I've lost all control, upon my ego they've trod.
It's a matter of time before they hack my poor bod.

I hear your advice, you say what to do.
But I cannot recall more than a password or two!
And you want it complex, even with symbols too?
You're asking too much, your rules make me boo!

I'm lost, I don't know what to do.
Can't find the words, don't have a clue.
But Google, you're there, you're always true.
I couldn't find me without having you!

Friday, June 17, 2011

The Question of Bitcoin

I've been watching this one closely. The question of Bitcoin is being considered more frequently and publicly by economists, politicians, technologists, and more and more users.

To me, from my layperson point of view, economies are one part math, one part sociology, one part psychology, and many parts luck. Bitcoin seems to be behind the 8-Ball on all of those factors. It will be interesting to see how it all works out.

Bitcoin, Bitcoin,
What are we to do?
They wanted a revolution,
Created a new solution.
An economy built for me and you.

But me and you have bills to pay.
And mining coins won't be a way
To pay a mortgage,
Settle a loan,
Buy an apple,
Recharge a phone.

But if you wanted some crazy drugs,
Or asked a hooker for more than hugs,
Or wanted to purchase endangered pets,
Or wanted to place some baseball bets,

My Uncle couldn't track me.
That's happy freedom, baby!

No, wait, it's not about that.
Open source is where it's at!
Power to the people!
Down with the State!
We can engineer any problem.
Algorithms are great!

It's peer-to-peer
It's in The Cloud
Not valued by fiat,
Sourced by the crowd.

The crowd that's learning to game the system.

Mine the coins in someone's browser
While they're streaming Doogie Howser.
Hack a computer, a server or two,
Those stolen cycles are free to you.
Or find a way to steal a wallet.
If unencrypted, "wide open" you'd call it.

All investment has some risk
Those on the ground floor hold most of it.
But is that risk worth the gain?
Is this new system really sane?

Wednesday, June 15, 2011

I Sing of Spam

I sing of spam,
Not meat like ham.
It comes in bits
And gives us fits

So much comes in,
flooding our bin.
We cannot read
the stuff we need

It's not all fun,
games to be won.
There are bad guys,
criminal lies.

It's about cash,
money, your stash.
They want to trick,
Just have to click.

Or choose "Reply".
Let your words fly
Tell them your name,
You are to blame.

Credit card lost,
Drugs for low cost.
4-1-9 scams,
All come from spams.

Should we give up?
One string, two cup?
Filter or read?
It's help we need.

Thursday, May 5, 2011

Passwords in the Clouds

Considering the recent news of the Cloud-based password storage site LastPass getting hacked this week, the idea of storing one's passwords in the Cloud becomes more obviously a bad one. Inspired by some conversation about it, I offer a haiku.

One should consider
Do the clouds high in the sky
Have all my passwords?

Should the cold rain fall
Will all of my credentials
Shower down to Earth?

If they did scatter
From the storm's harsh, brutal gale,
Who would become me?


I won the aforementioned haiku contest with this haiku:

Losing your cell phone
Is worse than losing your keys
My thumbs get so bored

Another step toward being the poet laureate of the higher ed infosec community.

Monday, April 25, 2011

Life in the Mobile World Haiku

My entries to this Haiku contest:

Losing your cell phone
Is worse than losing your keys.
My thumbs get so bored.

Any time or place
The world at our fingertips.
Data on the wind.

Message sent through air,
Dodging wind and rain and snow.
"Remember the milk."

"Secure mobile phone".
Truly an oxymoron
Like "gentle winter".

Wednesday, April 20, 2011

InfoSec Haiku

Data breach occurred
Like wind through a closed screen door.

Birds softly singing
Sad songs of un-patched systems.
SysComps like leaf buds.

Summer rains come hard
Like spam through email servers.
An endless torrent.

Friday, April 15, 2011


I am pursuing a CAPTN certification. Part of the certification process is to compose a poem, literary essay, or fictional short story on the topic of APT. This is my composition.

Beware, my dear friends, of the A-P-T,
A threat so insidious it will make you flee!
It is here for your data and will use it for sin!
It is here to hack you and steal all your women!

A-P-T does descend from the Axis of Evil.
It attacks your resources like cotton, the weevil.
Through intrusion detection and strong firewalls
Like a venereal infection to a young man's... pride!

A-P-T's gonna get you, it's the new Boogie Man.
A-P-T's gonna own you, get out while you can!

WesBot's Hat

This is the story of Wes' Hat
It's hip head gear, knows where it's at.
It's been on statues, it's gone sight-seeing
The hat's attended the Member Meeting.

Wes' Hat is loved by all.
You'll find it happily on top a wall.
The hat may come, the hat may go.
The hat may visit the Alamo!

But Hat and Wes can never part.
Hat loves Wes with all its heart.
Hat may travel, hat may roam,
But Hat will always come back home.

WesBot Rap

I'm MC Wes/I'm here to say/Get you some SES/It's here to stay.  
Don't you know/punks be playin'?/You think your BRO/Knows what they sayin'?
SESbot knows/what you needs/SESbot grows/with all my feeds.
I got your logs/your spam email/When your IDS bogs/SES won't be fail.

You might think you know the score
What you might know makes my SES snore.
My Powerpoint might be a bore.
But SES will kick hackers out your door.

I'm MC Wes/Hacker über leet/I gave us SES/Don't drop the beat!