Wednesday, May 7, 2014

SPC 2014 - Bounty

Charlie Miller got me thinking about software bug bounty programs.  Are they good?  Are they bad?  Hard to say.



Bounty

I found myself a little bug.
It's in your favorite app.
It makes me feel a little smug.
It'll put me on the map.

I spent a year on Mountain Dew
While plowing through some code.
I fuzzed and fuzzed, just like you do
To find a weakly node.

So after months of grinding hard,
I thought I would cash in.
I finally played my final card
The money filled my bin.

For months I longed to hear the tale
Of how the app was lacking.
But the buyer seemed to cop a fail
and others started hacking.

It was my bug that broke the app,
But someone else had found it.
They used it like a leaky tap
To hack some more, confound it!

If I had let more people know,
They may have fixed it early.
Instead I chose to make some dough,
And now I'm feeling surly.

Yes, I spent a lot of time
And did a lot of work.
But did I help commit a crime
By acting like a merc?

SPC 2014 - Keynote #2

The second keynote for this year's SPC is "Failures of the InfoSec Community" by Charlie Miller.

He ended up depressing me.  The barbarians are at the gates and within our PCs.  So much work to do.



Exploding PCs:
Reality written wrong.
Goat describes tractors.

Time marches onward
But the headlines stay the same.
Earth around the sun.

Software bugs hiding,
Dormant for years upon years.
Cicadas emerge.

How much is too much?
You could fuzz inputs all day.
A bear fishing.

Assuming a breach
Will bring you serenity.
Water finds a way.

SPC 2014 - Risky Poetry

The first break-out panel I attended this year was "A Consolidated Approach to Risk and Standards Management" by Matthew Dalton from The Ohio State University.  OSU has a nice tool for doing risk assessments, which I plan to steal (once he's made it available).  It is a method for defining your assets, measuring the likelihood and impact of different events, and creating a risk report that C-level folks can easily understand.  It also contains a way to track mitigating controls (including their costs and their effectiveness) that affect those risks.  Pretty slick.



If you use all those frameworks from NIST,
Regulators will never be pissed.
You'll look like a pro
And put on a good show
When the auditors search for what's missed.
_____________________

Measuring your risk:
Teaspoons carefully poured, then:
A tsunami comes.

Red, yellow, and green.
Sunset flairs above lush grass.
Or fire, tornado.

SPC 2014 - Keynote Haiku

Greetings from St. Louis and the 2014 EDUCAUSE Security Professionals Conference.  Today's keynote speaker was Harriet Pearson, talking about privacy, cybersecurity, and law.  Here are my notes in haiku form.



Government listens
For cybersecurity.
Thunder all around.

Higher ed moves slow:
The sun setting behind hills.
Eternal sunset.

NIST builds a framework.
Robin weaving tangled nest
To protect her eggs.

Lawyers are friendly:
Guard dogs that know their master
And protect their yard.

Tuesday, April 1, 2014

The Inbox March on April First

Sadly, this post isn't an April Fool's joke.  The flood of spam, delivering phishing messages trying to steal your information or malware trying to do the same, continues to assail our email Inboxes without pause.  Criminals use this technique because it works; many people click on the links and images in the messages they receive, which may point to malware, a form trying to steal your information, or just a flood of webpages that will make money for the criminals the more that people view them.

Well, take up your Sousaphone and get ready to march the April blues away!



The Inbox March on April First


Everyday's the first of April in my Inbox!
Everyday someone's playing a big joke.
Some would say I should just delete the junk mail,
But instead it just makes me want to choke!

It would seem that my mailbox is all filled up,
And I must log in now to save my skin.
'nother one says I came into some money,
If I send my bank login to Prince Jim.

Jim it seems is a prince living in exile.
Royalty, they have never seemed so kind,
Unlike those who robbed my dear friend in London.
Didn't know that he had vacation time.

All these banks want to check my information
Even though I don't bank there anyway.
Lucky me, someone's checked my online profile.
Russian bride? Doubt my wife would say "OK!"

Everyday's the first of April in my Inbox!
Everyday someone's trying to fool me!
Wish there was some neat way that we could stop them,
But instead I'll just have to hit delete!

Monday, March 31, 2014

I Won't Be Abandoning Windows XP

Windows XP is at an end.  Microsoft announced a while back that they were stopping support of the operating system, and as of April 9th, they will no longer be providing security updates to the graying OS.  This leaves many people in the lurch.  Some users of XP cannot upgrade because their current computer cannot run a more modern OS and they cannot afford to upgrade their hardware.  Other users, especially on college campuses, have laboratory and specialized equipment that was built on a Windows XP platform and the vendor either cannot upgrade it or went out of business years ago.

Of course, there are also those who just don't want to change their OS.  Their computer runs "just fine", and why fix what isn't broken?  Warnings about security problems fall on deaf ears, and resistance grows with every attempt to sway them away from their Windows XP.


I Won't Be Abandoning Windows XP


I've had this here laptop since twenty-oh-one.
The two of us have had all sorts of great fun.
The best part about it was all it could be
Because I upgraded from Me to XP!

XP was the better OS, sir, by far.
'Twas faster and stabler and shined like a star.
It ran all my programs, a crash was quite rare.
It made my computing come without a care.

Oh, sure it had updates to fix this and that.
Three service packs later, quite stable it sat.
Occasional viruses might have caused harm,
But after a cleaning I'd feel snug and warm.

And now you all tell me that this is all done.
You tell me that XP's a race that is run.
I just won't believe it, I won't let it go.
Hell no, I won't upgrade, I just love it so!

Sure MS won't update my box any more.
They've thrown in the towel, they've shut up the door.
They've moved on to 7 and gross Windows 8.
But I just refuse to accept that whole fate.

So keep all your warnings, they won't be observed.
To me it all sounds like a notion absurd.
My XP keeps running, my XP loves me!
No, I won't be abandoning Windows XP!

Monday, March 3, 2014

NTP is DoS-ening.

Criminals recently have been using poorly configured NTP (Network Time Protocol) servers to launch Denial of Service (DoS) attacks on a number of victim networks and sites on the Internet.  Proper NTPD configuration would help stop this misuse.
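The reflection works because a tiny query with a forged source address can draw a much larger reply from an open ntpd, and that reply lands on whoever the forged address points at.  As an added illustration (not from the post, and not any site's real configuration), here is the permissive ntp.conf shape that gets abused, followed by the hardened form that refuses the query types the amplification relies on.  The pool hostnames are the public NTP pool; the 192.0.2.0/24 network is a placeholder to be replaced with your own.

```conf
# --- Weak ntp.conf (constructed example) ---
# No 'restrict' lines: ntpd answers time requests AND mode-6/7 control
# queries from anyone.  The mode-7 'monlist' request returns the most
# recently seen peers (hundreds of addresses) in reply to one small
# packet, which is exactly the amplifier the DoS crews look for.
server 0.pool.ntp.org
server 1.pool.ntp.org
driftfile /var/lib/ntp/ntp.drift

# --- Hardened ntp.conf (constructed example) ---
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
driftfile /var/lib/ntp/ntp.drift

# Default policy for everyone, IPv4 and IPv6:
#   kod      - send a rate-limiting "kiss-o'-death" to abusive clients
#   nomodify - refuse runtime configuration changes
#   notrap   - refuse the mode-6 trap service
#   nopeer   - refuse unsolicited peering
#   noquery  - refuse ntpq/ntpdc status queries (this blocks monlist)
# Plain time service is still answered, so clients keep working.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Allow status queries only from the local host.
restrict 127.0.0.1
restrict ::1

# Serve time to the campus network (placeholder range; replace it).
# Queries are still refused here because 'noquery' is inherited above
# unless you deliberately leave it off for a trusted monitoring host.
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer

# Belt and braces: switch off the monitor facility entirely so that a
# monlist request, even if it got through, has nothing to report.
disable monitor
```

After reloading ntpd, confirm from an outside address that `ntpq -p <your-server>` is refused while an ordinary `ntpdate -q <your-server>` still answers; that pair of checks shows the amplifier is closed without breaking time service for clients.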



NTP is DoS-ening


Pardon me.  What time is it?
The answer could cause a fit.
I'll bet your site can't handle it.
A DoS attack will flip its bit.

NTP is listening.
A golden ring is glistening.
A DoS attack is quite the thing!
The packetstorm is littering.

The bad guys find an open host,
And with the proper query post,
They fake the source, and with a boast,
They turn your website into toast.

'Cause they all got themselves some bots
That wait for them to call the shots
The bots all front and lie a lots
Like "eating healthy tatertots".

A million bots all say hello
And tell the answers where to go.
And NTP? Heck, it don't know.
It sends them to some lucky shmoe

Whose network pipe gets overfilled.
Their ISP gets over-billed.
Like gardens that are never tilled,
They're strangled and then fin'lly killed.

So if you're running NTP,
Please take the time, listen to me:
Help make a net that's clear and free.
Secure that stuff! Yo, hear my plea.

Monday, February 17, 2014

My Twin - A Reminder for Unique Passwords

Over this past weekend, Kickstarter.com emailed their userbase to inform them that there was a data breach that allowed the usernames, email addresses, other personal information, and encrypted passwords of the users to get out.  Bad guys could use these data to attack and take control of other accounts owned by the users, especially if they crack the passwords and those passwords are used on other sites.

http://news.cnet.com/8301-1009_3-57618976-83/kickstarter-hacked-user-data-stolen/

Always use unique passwords on each site you visit.  Don't make it any easier on the bad guys.



My Twin


Did you know I have a twin?
Do you know where it's been?
Lingering in sites around
The Internet, where sites abound.
When my dear user must create
An account with which to participate,
He always uses my little twin,
And doing that's a little sin.

Now that my dear twin's alive,
It goes along for the ride,
Whether sitting encryptedly
Or left alone for all to see.
And if a bad guy comes along
And hacks the site; oh, it's so wrong!
My twin, it now be known to her!
My twin, it now creates a stir!

My twin will let the hacker know
Other places she can go:
Into my user's email box;
The places seen in Firefox;
Or allow the bad Anonymous
To find some dox and start a fuss;
Or steal my user's bank account:
My twin would show the full amount.

The lesson here for you to learn
Is every password made does yearn
To be unique and used just once.
Don't let yourself be seen a dunce.
Passwords distinct for every site
Will help you sleep throughout the night.

Tuesday, November 12, 2013

ZeroAccess

This one is dedicated to one of my peers, who recently left the Higher Ed Infosec world for the private sector.  Keep on fighting the good fight, Gabe.

Meanwhile, along with Cryptolocker, we've been seeing lots of ZeroAccess infections.  ZeroAccess is a downloader itself, but it can bring down all sorts of nastiness, from Zeus to Bitcoin miners to clickfraud runners.  It even does fun filesystem tricks to hide itself from antivirus software.  It's a one-stop-shop for badness.

And in the spirit of my Cryptolocker Rap, here's a rap featuring ZeroAccess.



ZeroAccess


ZeroAccess:
Worse than taxes!
It's a danger! Don't relaxes.
It's a trojan that harasses.
It infectses all the masses.

Through the I-net,
It's a safe bet,
Through a website when Java abets,
Like a program suid set,
It will take all the things it can get.

ZeroAccess:
Worse than taxes!
It's a danger! Don't relaxes.
It's a trojan that harasses.
It infectses all the masses.

Once it installs,
It has a ball.
Slips by AV and your firewall.
It then makes a little phone call
And downloads friends; makes your jaw fall.

ZeroAccess:
Worse than taxes!
It's a danger! Don't relaxes.
It's a trojan that harasses.
It infectses all the masses.

It does Bitcoin!
IRC joins!
It does click fraud, tries to purloin.
"All your data, it's now all moin!"
Says the malware. It kicks your groin.

ZeroAccess:
Worse than taxes!
It's a danger! Don't relaxes.
It's a trojan that harasses.
It infectses all the masses.

Tuesday, October 29, 2013

Cryptolocker

The current news is full of reports of a nasty ransomware trojan making the rounds called Cryptolocker.  It shows up as an email attachment, and if the user runs the attachment, the malware will encrypt files and demand payment to decrypt them.  The only way to clean this mess up is to revert to any backups you might have, and if you don't have backups, you will probably lose your data.

This sort of malware makes me angry.  And when I get angry, I want to rap!


Cryptolocker

If you see and click a link that's sittin' in your mailbox
The love for your computer will be dashin' on the rocks
You never gonna get all of your data stuff back
'Cause you have fallen victim to a phishing attack!

Cryptolocker gonna get ya', Cryptolocker gonna play.
Cryptolocker got your files, and it won't give them away.
Cryptolocker done encryptin', Cryptolocker walkin' tall.
Cryptolocker want your money, gonna make you take the fall.

Like runnin' ancient Java: you got scissors in your hand,
You're running down a hallway like you late for somethin' grand,
But bullies gonna see you, and they gonna trip you up.
Things will get all stabby when there's Java in your cup.

Cryptolocker gonna get ya', Cryptolocker gonna play.
Cryptolocker got your files, and it won't give them away.
Cryptolocker done encryptin', Cryptolocker walkin' tall.
Cryptolocker want your money, gonna make you take the fall.

Or if you running Flashy or Adobe Acrobat:
It's gonna get all mashy when see what's up with dat.
If your compy still be runnin' wit' the cycles that they hog
You'll end up hacked and broken, and you'll be a botnet's cog.

Cryptolocker gonna get ya', Cryptolocker gonna play.
Cryptolocker got your files, and it won't give them away.
Cryptolocker done encryptin', Cryptolocker walkin' tall.
Cryptolocker want your money, gonna make you take the fall.