And some of them actually have an idea how to make things better. Worth taking into account when your business relies on people buying your security solutions or services. It seems like the very least you should do is to make sure your users and customers understand how THEY benefit from the introduced security measures and why the inconveniences they introduce are absolutely necessary for them to work. And better make sure they really are necessary.

Last week Tom Fishburne’s This One Time at Brand Camp (his latest cartoon book) got to me finally and I’m here to report to you that it’s been a wonderful read! The cartoons generally talk about marketing. I’m not a marketing pro or anything, you probably know this, so I think I am a pretty good test for Tom’s toons and their amusingness to a layperson. And I have to say, they passed the test surprisingly well. Even better, I learned quite a bit while laughing out loud. Can you wish for more?

One of the best cartoons from the book (in my opinion of curse) is the one on the left (click it to enlarge).

Brilliant! Not even a word and the message is crystal clear. Makes you nod and go “Right. That’s how it is.” Just brilliant!

Great job Tom! Please keep it going :-)

And face it, you wouldn’t work on a report or an email while in a cab or a plane if it wasn’t an essential and really urgent thing to do. So, I guess we can safely assume that the data you have on the device may be worth a lot for someone who knows this and that about your business.

So, what options do we have here? Not getting much into technical details, let’s just try to figure out what could work for someone who most importantly wants to do their job without their phone driving them nuts and secondly wants the solution to provide a reasonable level of security to the precious data in it. It’s quite obvious that we need to encrypt, but how? Again, technical details aside, let’s just focus on user-device interaction.

And this leads us to another important question: how to make this solution at least remotely acceptable to a user? It’s quite obvious that no sane person would agree to type in a strong password on a phone keyboard (even a QWERTY) each time they need to access their mailbox. And to make the solution reliable it’s quite important to automatically expire the session after a short period of inactivity (hence even more of password typing). Also, what if the phone is taken from us while it’s in use and unlocked?

So, to restate the question: how could we make it user friendly and mugger unfriendly enough to eventually turn it into a useful feature and not just another pseudo-solution that nobody wants to use?

Here is what we need: 1) a quick and easy way to authenticate (unlock the encryption key and allow memory to be decrypted), 2) a quick way to lock the device and the encryption key when someone wants to snatch our mobile and 3) an automatic device locking mechanism.

So, how about building a quality fingerprint scanner into a phone providing an easy way to quickly authenticate and unlock it? As for a quick and super-easy way to automatically lock the device and an encryption key – ever heard of an accelerometer? A motion sensor. Some phones already have it, Wii remote has it. How about locking a phone just by shaking it? This way when someone snatches the phone from your hand and runes… well… they may as well wave all the data goodbye as the phone will instantly lock itself. And timer based locking mechanisms, well, that’s been already done like a million times.

Well, Nokia, there you have it! How about a fingerprint scanner and an accelerometer put to some good use in the next business-targeted phone for a change?

[UPDATE: If you are planning to come to the meeting, we will need your name in order for security to let you into the building. So, please send us an email with a subject "[ISSA] Potwierdzenie udziału w spotkaniu - Wroclaw 2008-09-23" to wroclaw at issa.org.pl

Be sure to actually include your name!]

I’m happy to invite you to this month’s ISSA meeting on September 23. We'll be talking about security policies and, more on the technical side, about DNS cache poisoning.

When: September 23, 6:30 PM

Where: Credit Suisse, Grunwaldzki Center building B, fourth floor, Grunwaldzki Square 25, Wrocław

Agenda:
1. Welcome after summer - Michał Sobiegraj
2. Development and Deployment of Security Policies - Radek Michalski
3. DNS Cache Poisoning (recent update) - Jarek Sajko

We plan to end the official part of the meeting around 8:30.

See you!

As some say (me included), it’s nice to give people something of value just the moment you first meet. It binds. And what is of more value than an insightful point delivered in a funny way? Plus it doesn’t cost you much and has potential to change the world (a wee bit, but still).

So why not add some value to the usual biz-card exchange? Say, in form of couple of valuable words on the back side of a card? And I bet you can also make it fun to read. In order to boost up the fun factor I used couple of doodles by Hugh MacLeod.

If you want to print each card with a unique picture on the back, moo.com is the place.

When: July 23, 6PM

Where: Credit Suisse, Kameleon building at Szewska st., 1st. floor

See you at the meeting!

To the point: if you're from Wrocław area or if you happen to be around on July 3, be sure to come to the ISSA Polska meeting in Wrocław. We plan the meeting to be real fun this time. We'll be having a guest from Credit Suisse IT Risk dept. giving a talk. We also plan to discuss latest incidents in Poland.

When: July 3, 6PM

Where: Credit Suisse, Kameleon building at Szewska st., 1st. floor

See you there!

When was the last time you got a phishing email? Not that long ago, I bet. Me too. There is nothing unusual in it, nowadays we get so much of it that we simply get used to it and usually just silently delete or ignore it (if spam filters don’t do it for us).

So, why am I talking about this? Well, because of a funny coincidence. Or maybe it wasn’t that much of a coincidence… Here is the story.

And suddenly, within minutes, I got one! Whoohoo! The nice piece of email pictured at the beginning of this post landed in my mailbox. Then it repeated once or twice a day or two later and stopped. My first reaction was that I got myself some malware that got hold of the credit card activation process and triggered the mailing. But it wouldn’t make much sense. If I had something locally (and I hadn’t, as all sorts of scans showed some time later), what would stop it from reading my previous credit card number and all the authentication information when I submit it during an on-line transaction? It wasn’t on the line with the bank either, as the connection was securely SSLed. So, how come? It might have been an accident, of course, but… a funny one…

The whole thing got me thinking. And what if this information leaked from VISA themselves (I’m not even trying to guess how it could happen). Yes, I know it sounds stupidly paranoid, but, well, you know… things happen. So, if you experienced something like this, I would be really happy to hear from you. I’d at least know I’m not delusional (or not that much at least).

We're gonna do it for the fifth time already! Whooohoo! :)

This time the main theme will be Intrusion Detection Systems and Web Application Firewalls. Also a discussion panel is planned so that we all could shout at each other and throw blunt objects in each other’s general directions.
Here is the agenda:

1. A warm welcome (myself)
2. Intrusion Detection Systems (Wojtek Wirkijowski)
3. Web Application Firewalls (Edward Weinert)
4. Discussion Panel (Andrzej Piotr Kleśnicki)

And as always, there is a prize to be won.

See you at the meeting!

As probably most of you guys, I’m not spending my day fuzzing stuff, but, probably as most of you again, I’m bumping over a software glitch from time to time. Sometimes, when I’m in the mood, I’m poking the hole to see what happens.

And I was in the mood that day.

..%2F..%2F..%2F..%2F..%2FWINDOWS%2Fwinnt.bmp%00.txt

a victim will most likely end up sending a winnt.bmp file from their windows directory instead of what they actually intended to send. The actual content of a file that the victim is trying to attach is of course irrelevant.

I wouldn’t be me if I left it at this. So, as an enhancement to the basic idea, we can add some more jumps to the upper directory to have better chance that we get to the root level of the file system:


..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F
..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F
..%2F..%2F..%2F..%2F..%2FWINDOWS%2Fwinnt.bmp

And to add some more fun we can, say, get ourselves someone's SAM file from the windows\repair directory:


..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F
..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F
..%2F..%2F..%2F..%2F..%2FWINDOWS%2Frepair%2Fsam%00.bmp

The .bmp extension ensures proper encoding of a binary file (I've been really impressed how perfectly the %00 gets its job done).

Finally we can do some obfuscation:


%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F
%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%57%49%4E
%44%4F%57%53%2F%72%65%70%61%69%72%2F%73%61%6D%00%.bmp

As for the severity of this flaw, it certainly couldn’t be called serious as 1) it takes a lot of user interaction (i.e. downloading the funny named file and then sending it as an attachment) and 2) an attacker needs to be able to sniff the sent email off the wire. I can think of some highly directed attacks under which this bug can potentially result in exploitable conditions, but my guess is that one would rather find an easier way to get the job done.

Even though it’s nothing serious this time, it gives us some food for thought. Firstly, there is no such thing as "we know this kind of bugs for ages and they don’t happen anymore". Secondly, a well thought over architecture, a robust coding framework and a proper code quality assurance shouldn’t be optional. And finally, you can never have enough of code quality assurance.

Thank you! Thanks to all of you who made it to the meeting despite the fact that we have changed the location twice. And my apologies to all of you, who didn’t. We will do our best to make sure it doesn’t happen anymore.

Despite all the trouble, the meeting was fun. We totally run out of schedule due to discussions that broke out during the first talk. Oh, and the cookies were awesome! Not to mention the coffee.

We have one piece of slides this time, so, for all of you who would like to go through the presentation again and for others that didn’t make it to the meeting, here it is.

Thanks again and see you next month!

Let me invite you to another ISSA meeting in Wroclaw. It’s the third meeting already and this time we’ll be discussing Computer Forensics and Incident Response. We’ll be having a discussion panel as the last time and we’ll let you guys win some prizes in a competition.

All that and even more on Mar 11, 2008 at 6pm.

Where? At BZ WBK Wroclaw HQ, Rynek 9/11 (second door if you look from the pl. Solny direction). At Politechnika Wroclawska, Janiszewskiego 11/17, building C3, room 118 (enter either through building C-1 or C-5).

An important note: you need to register for the meeting before Feb 4, 2008, 9pm at the latest. In order to register, please use the following link.

UPDATE: This time we meet at Politechnika Wroclawska, Janiszewskiego 11/17, building C3, room 118 (enter either through building C-1 or C-5).

Tons, and I mean TONS, of "undeliverable message" bounces together with quite a lot of my favourites – out of office notes. When you think about it, quite a lot of information is being thrown at you in such messages. Here are some sanitised examples (all in German, as my email address sells on a German market, apparently).

Automatische Antwort - Zur Zeit nicht erreichbar

Vielen Dank für Ihre Anfrage, die uns erreicht hat.

Für eilige Rückfragen können Sie sich auch direkt an mich unter

Tel. +49 (0)4XXX / XX XXX
Mob. +49 (0)17X / XXX XX X5
Fax. +49 (0)4XXX / XX XX0

wenden.

Mit freundlichen Grüßen aus XXXX,

Ihre XXXX

Some names and email addresses (you can’t have too much of it):

Automated reply from XXX@XXX.de

Ich habe Ihre Mail betreffend 'Man Lebt nur einmal - probiers aus !' erhalten.

Von Freitag, dem 8. Februar bis Freitag dem 15. Februar bin ich nicht im Büro zu erreichen. Bitte wenden Sie sich in dieser Zeit an meine Kollegin Susanne XXX (s.XXX@XXX.de). Ihre Mail wurde nicht weitergeleitet.

Mit besten Grüßen,

XXXX
---------------------------------
XXXX GmbH
XXXX 1
XXXX XXXX (Germany)

Fon: ++49(0)XXXX.XXXX5
Fax: ++49(0)XXXX.XXXX6

Mail: XXX@XXX.de
Web: http://XXXX.de
Web: http://XXXX.com

GF: YYYY YYYY, ZZZZ ZZZZ
XXXXXXXXX
---------------------------------

And some more names together with phones and email addresses:

Susanne XXX nicht erreichbar. Ihre E-Mail wird nicht gelesen.

Ich werde ab 29.01.2008 nicht im Büro sein. Ich kehre zurück am
05.05.2008.

Sehr geehrter Damen und Herren

Ich bin in Elternzeit.
Ihre E-Mail wird nicht weitergeleitet.

Bitte wenden Sie sich entweder an
Alexandra XXX, Tel. 089 - XXX XX - XXX
e-mail XXX.a@XXX.de
oder an
Carolin XXX, Tel. 089 - XXX XX - XXX oder e-mail
XXX.c@XXX.de

Vielen Dank und viele Grüße
Susanne XXX

It’s not much, is it? But still some people would argue that together with some background info about what the particular people are responsible for in the organisation it may be enough to snatch some goodies from them.

It’s never wise to underestimate the power of people’s natural friendliness and urge to help others. Maybe sparing a few details wouldn’t defeat the purpose and would make it more difficult to carry out a successful social engineering attack. Specific procedures and awareness trainings also help, obviously.