Archive for the 'Tech' Category



Non-Hackers beware


Friday, February 16th, 2007

It’s interesting to see where we are today for the Internet security arena. First, the MySpace kid, who was just basically playing a joke to add friends to his profile. Why not get more MySpace friends? Of course, for his exploits, he got a nice 3 year probation and 90 days of picking up trash at the local park. Sucks for him but nothing was malicious really in his hack.

Then there’s the case where a substitute teacher was found guilty of showing pr0n to children. They never scanned the computer for any spyware/malware that displays popups. They never did any true forensics on the computer to see what was going on. Basically, the children clicked on some links that may have installed spyware or allowed popups. This could happen to anyone… ok, maybe not anyone, but it could certainly happen to any substitute teacher. The problem here is: who the hell is trying to prosecute a substitute teacher for pr0n popups?

Moral of the story: stop surfing for pr0n and get back to work… but if you do surf for pr0n, make sure you’re blocking popups and spyware.

RSA Conference


Sunday, February 11th, 2007

This past week, the RSA Conference, the biggest information security conference of the year, took place. Some highlights of RSACon for me include seeing what new technologies are on the market, getting free stuff, meeting up with the hardcore security folks at the WASC, and hitting some free parties afterwards. It’s gotten more commercialized in the past few years as security has become more and more of an issue for users and corporations. There are still a lot of new players in the space that can hijack your computer in 90 seconds, though.

Here are some pictures that I took there:

[Image: rsa conference] RSA, the company that runs this event.

[Image: security girl] What the information security space does not look like (except for this one day of the year).

[Image: comedy central] The Aqua Teen Hunger Force blinking sign purchased on eBay.

[Image: Verisign booth] Verisign.

[Image: security sign] From one of the hanging signs.

This sounds like an Onion article


Saturday, February 10th, 2007

At first glance, I thought I had read another Onion article, with a title of “Romania ‘built our country on pirated Windows’”. It is, however, a real article and a fact of life. All of those phishing emails and identity theft stories you read about probably came from Romania in some shape or form.

The reasons are pretty simple: economics. When you can make a month’s wages from scamming fat Americans in one day, the incentive is there. Also, the laws are so lax internationally that you almost never see arrests being made. It’s especially true with Americans being hated internationally because of George Bush. Good job, Dub-ya. You see the same attacks from China, Nigeria, and Romania… but each has its own characteristics:

1. Romanians – highly technical and skilled. They are good at finding exploits and writing tools that are then sold on the black market to other countries.
2. Chinese – medium technical skills but good at copycatting. They will take existing exploits and try to reproduce them everywhere. They also like to apply brute-force attacks.
3. Nigerians – low skill, low technical ability. Rudimentary 419 scams are their trademark. These Africans basically use the most basic social engineering attacks. Basically, you get the emails that say to wire them $10,000 via Western Union and they will return the favor with $1 million. Sounds like a great deal! Unfortunately, some dumb-asses actually fall for these, keeping them in business.

Blu Ray is done


Wednesday, February 7th, 2007

Done deal. There was a war between HD DVD and Sony’s Blu-Ray. I hate Sony’s proprietary technologies, including Memory Stick. I would never buy a Sony digicam just because they keep everything proprietary. It’s like Apple.

There is good news, though.

First, the Blu-Ray DRM has been cracked. That was quick. HD-DVD was cracked earlier, and the extra layer of protection on Blu-Ray was cracked a short time later. Thank goodness. DRM is all doomed to failure at the end of the day. Why even try?

Second, but definitely not least, the pr0n industry has decided to go with HD-DVD because it is easier and cheaper to produce.

So if you’re thinking about the future and want to pick one technology, HD-DVD is the way to go. Although, the future is probably going to bring us combo drives that allow either format.

My Second Life


Tuesday, January 30th, 2007

What is this Second Life phenomenon that is printed in every other BusinessWeek and Economist? What is this Matrix that people keep talking about?

Let’s find out.

I had the chance to attend a talk by Second Life CEO Philip Rosedale on how he started Second Life, what his vision was, and what the F it is. It looked great when he busted out his classic character that you can see on the front page of the Second Life website:

[Image: linden]

Philip basically went over his vision for what Second Life could be, which admittedly sounded fascinating. He gave us a demo of his character doing some stuff in God-Mode (which I will never have) and showed us some interaction with other SL characters. He also showed us Circuit City and IBM as they exist in Second Life. All in all, it is interesting… but I still don’t really get it.

There’s only one way to find out… I’ll give Second Life a second try (I tried it a little while back but couldn’t figure out wtf). So, first things first, I edit my character. I had a black shirt on, but then lost it when I decided to take it off… couldn’t figure out how to put another shirt on. Oh well.

[Image: second life 1]

Ok, I have a character now (Beastman Magellan). Now let’s go somewhere cool in Second Life. I click on the Search button on the bottom of the screen to give me the list of most popular places:

[Image: second life 4]

The most popular destinations pretty much look like the rest of the Internet. Pr0n, Pr0n, Gambling, Pr0n, Pr0n. I guess that’s to be expected…ok let’s try the club:

[Image: second life 3]

There is streaming techno, and there are characters dancing all over. It’s actually kind of cool… if I were on shrooms. Probably because I didn’t know how to dance and nobody was talking to me, I felt kind of out of the party. That sucks. I can’t really figure out what to do in there other than walk around and look at other characters. I guess people ask that same question in their first life.

But what about all the Linden currency that flows through SL? They have a whole currency, the Linden dollar, that is traded, with Linden Lab acting like the Fed. People build items and sell them to others, whether it is necklaces or penises… yeah, penises. My character has a 19″ schlong. Apparently there is a good 4 million dollars worth of Linden dollars trading through every day. There are stories of people making 60-70k on SL just by opening up shop and selling virtual goods.

I don’t really get it, and apparently neither does an analyst who thinks SL is a pyramid scheme. While I won’t go that far, I’m not completely sure how easily one could monetize on this Matrix. At least eBay still allows virtual Second Life items to be sold, unlike World of Warcraft artifacts.

All in all, Second Life is interesting and a great story, but I just don’t get it. If you are on Second Life and you want to hang with my character’s 19″ penis, let me know.

Phat Phishing Pharming Phreakin Pho


Saturday, January 13th, 2007

RSA announced this week that it has uncovered a universal Man-in-the-Middle phishing kit that anyone can use to create more advanced/elaborate spoof sites than the plain old one-page spoof site. While phishing kits are not a new thing, this one is a bit more interesting because it is universal and can therefore be used to create simple spoof sites of whatever site they want to attack, i.e. eBay, PayPal, BofA, etc.

There are a number of ways you can protect yourself from these types of attacks. Most of them are common sense, but people get phished every day by these unsophisticated social engineering attacks:

1. Install a security suite on your computer. I have not yet identified the best security suite out there, but just have something that includes: firewall, antivirus, antispyware, AntiWussy, and AntiGettingFatInTheAss. Remember that the top two AV suites (Symantec, McAfee) are used as the standard testing basis by hackers and therefore may not be the best choices.
2. Do not click on links in emails without analyzing the links first. For n00bs, just don’t click on links in emails.
3. Look for grammatical and spelling errors in emails and on spoof sites. As intelligent as some hackers might be, they will never be smart enough for the intricacies of the cryptic English language.
4. Run scans on your computer regularly to make sure there’s no malware on your system. This includes some serious processes that run on your computer, from keyloggers to trojans, etc.
5. Don’t use your computer, because you will get hacked regardless of what I am telling you to do.
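Item 2 says to analyze links before clicking them. Here is an added example of what that analysis looks like when done by a script rather than by eye; it is not code from the original post. It pulls every link out of an HTML e-mail body and flags the classic phishing tells: visible text that shows one domain while the href points at another, a raw IP address as the host, and a punycode (IDN) hostname. The e-mail body, the domains and the IP in it are all constructed sample data.

```python
import re
import urllib.parse
from html.parser import HTMLParser

# Constructed sample e-mail body (not from the original post): one link whose
# visible text shows a different domain than its target, one using a raw IP,
# one using a punycode (IDN) host, and one honest link.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account:</p>
<p><a href="http://paypal.example-secure-login.net/verify">https://www.paypal.com/verify</a></p>
<p><a href="http://192.0.2.10/ebay/signin">Sign in to eBay</a></p>
<p><a href="http://xn--pypal-4ve.com/login">PayPal</a></p>
<p><a href="https://www.bankofamerica.com/help">www.bankofamerica.com/help</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def host_of(s):
    """Lower-cased hostname of a URL; bare 'www.x.com/path' text is accepted too."""
    if "://" not in s:
        s = "http://" + s
    return (urllib.parse.urlsplit(s).hostname or "").lower()


def registrable(host):
    # Crude last-two-labels approximation; a real tool would use the public suffix list.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyze_link(href, text):
    """Return the reasons a link looks suspicious; an empty list means none found."""
    reasons = []
    host = host_of(href)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address as host")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (IDN) hostname")
    # If the anchor text itself looks like a URL or domain, it must match the real target.
    if re.search(r"[\w-]+(\.[\w-]+)+", text):
        shown = host_of(text)
        if shown and registrable(shown) != registrable(host):
            reasons.append(f"text shows {shown} but target is {host}")
    return reasons


def suspicious_links(html):
    """Links in an HTML body that fail at least one check, with their reasons."""
    results = []
    for href, text in extract_links(html):
        reasons = analyze_link(href, text)
        if reasons:
            results.append((href, text, reasons))
    return results


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}: {', '.join(reasons)}")
```

Run on the sample body, three of the four links come back flagged and the honest Bank of America link does not. The domain comparison only fires when the anchor text itself looks like a URL, which is exactly the case where a reader is being shown one address and sent to another; plain text like “Sign in to eBay” is judged on the target alone.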

Adobe Acrobat security hole


Wednesday, January 3rd, 2007

An Adobe Acrobat vulnerability was announced by some hackers today. It is interesting because this is a very simple hack that shows the vulnerability of PDFs to XSS injection. This is a pretty big deal for any sites out there that host PDFs, as it could allow hackers to use your site as a vehicle for XSS. Security exploits are announced by the hour, but this one was important enough to make Slashdot and eMarkLee because of its scope. We’re talking about millions of sites/PDFs out there that are vulnerable to this.

It is a pretty simple hack, just doing this:

http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here

like this:
http://www.google.com/librariancenter/downloads/Tips_Tricks_85x11.pdf#something=javascript:alert('%59%6F%75%72%20%63%6F%63%6B%20%69%73%20%73%6D%61%6C%6C');

Of course, one could do much worse things, like cookie stealing, spoof-site redirection, etc. There are workarounds, and this only affects some browsers (IE6, of course), but in the meantime you should be a bit more careful with links to PDFs for a while.
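As an added example, not from the original post, here is a small Python check that spots the link shape described above: a URL whose path is a PDF and whose fragment carries a name=value pair with a javascript: value. It percent-decodes the value (repeatedly, so a double-encoded scheme does not slip past), strips whitespace and control characters, and compares case-insensitively, which catches the obvious obfuscations of the pattern. The sample links are constructed.

```python
import re
import urllib.parse

# Constructed sample links (not from the original post). The hostile ones carry a
# javascript: value in the fragment, the pattern the post describes; note the
# percent-encoded and mixed-case variants, which a naive substring match would miss.
SAMPLE_LINKS = [
    "http://example.com/docs/report.pdf",
    "http://example.com/docs/report.pdf#page=3",
    "http://example.com/docs/report.pdf#something=javascript:alert(1)",
    "http://example.com/docs/report.pdf#x=%6Aavascript%3Aalert(1)",
    "http://example.com/docs/report.pdf#x=JaVaScRiPt:alert(1)",
    "http://example.com/docs/report.PDF?download=1#x=javascript:alert(1)",
    "http://example.com/page.html#x=javascript:alert(1)",
]


def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values do not slip past."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_pdf_url(url):
    """True when the URL path (query and fragment excluded) names a .pdf file."""
    return urllib.parse.urlsplit(url).path.lower().endswith(".pdf")


def fragment_script_values(url):
    """(name, decoded value) pairs in the fragment whose value uses the javascript: scheme."""
    fragment = urllib.parse.urlsplit(url).fragment
    if not fragment:
        return []
    hits = []
    # Acrobat open parameters are name=value pairs separated by '&'.
    for pair in fragment.split("&"):
        name, _, value = pair.partition("=")
        decoded = fully_unquote(value)
        # Drop control characters and whitespace that a lenient parser would ignore.
        cleaned = re.sub(r"[\x00-\x20]+", "", decoded)
        if cleaned.lower().startswith("javascript:"):
            hits.append((name, cleaned))
    return hits


def flag_pdf_script_links(urls):
    """Subset of urls that point at a PDF and carry a javascript: fragment value."""
    return [u for u in urls if is_pdf_url(u) and fragment_script_values(u)]


if __name__ == "__main__":
    for url in flag_pdf_script_links(SAMPLE_LINKS):
        print("suspicious:", url, fragment_script_values(url))
```

One thing to keep in mind when deciding where to run a check like this: the fragment (everything after #) is never sent to the web server, so it will not show up in your own access logs. The check only works where the full link is visible, such as a mail filter, a proxy that sees the client-side URL, or a scan of pages and messages that link to your PDFs. On the server side, the commonly used workaround was to serve PDFs with a Content-Disposition: attachment header so the browser downloads the file instead of opening it in the plugin, where the fragment would be interpreted.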