Archive for the ‘InfoSec’ Category


New Website

Posted by: Matt

In the past I have been blogging over at Binary Intelligence, a joint blog shared with co-worker Jim O’Gorman. Both Jim and I have been busy with work and other projects and have somewhat outgrown the site. I wanted a place where it would be easier to post content that included videos, custom scripts and code, and other downloadable items that didn’t work out so well on a site hosted by Blogger.

I’ve imported most of the content from Binary Intelligence over to here, but because of the way the import works every post lists me as the author. Keep in mind that anything written prior to this post (May 23rd) may have been written by Jim. Binary Intelligence will most likely be dormant, but may see a post every now and then.

Hopefully this new format works out as well as I would like it to.

"Bad" Social Networking Links

Posted by: Matt

Wow. We all know that social networking can be “bad”. Here are a few recent articles.

Interview and Interrogation – Balloon Boy

Posted by: Matt

Stan B. Walters is well known as “The Lie Guy”. He gets a fair amount of press and I’ve attended his Kinesic Interview and Interrogation course. Stan often uses current events to illustrate his techniques and talking points. In his most recent blog post, he takes on the “Balloon Boy” family.

We now know that the balloon stunt was a hoax. Stan mentions that “it all came down to the verbal and nonverbal cues of deception generated by the Heenes.” Unfortunately, he doesn’t go into any detail on what he thinks those cues were. However, there are a few listed in the CNN article linked above.

Stan talks about narrative based interviews as a way of gathering information. You can learn a lot from just listening to someone talk and watching their body language. He also mentions that the interviewer needs to be aware of what signals they are giving back to the interviewee. These are a lot of the same points I tried to make in the Social Engineering Podcast and Stan’s post is a good read.

Backtrack 4

Posted by: Matt

Informer subscribers have access to the Pre-Final version of BT4!

With this install, all future updates will be released through a simple apt-get upgrade. So if you don’t have a subscription to Informer already, get one now and you will not have to download an updated version again.

The new version has an installer, a forensic boot mode, and more. I have been using it for a bit here, and it is a great update to the older versions. There are a ton of videos on how to interact with it up at the Offensive-Security blog.

POC for Acrobat

Posted by: Matt

A new POC for Acrobat was posted.

That Security Show

Posted by: Matt

Been very tied up the last month or so. Sorry for the lack of updates.

Wanted to share a link to an interview j0e did with Johnny Long for Marcus Carey’s That Security Show. Really well done, and worth a watch. Everyone involved in the production of this show is top notch. I have had the pleasure of meeting them all in person at one time or another, and I can say they are all as good in person as they appear to be online.

Take a few minutes to watch the show. And check out Hackers for Charity while you are at it.

No More Free Bugs

Posted by: Matt

CanSecWest is currently going on, and I am not there. No complaints however, as I am finishing up a week long training class in X-Ways Forensics. (Verdict: top notch. Check out the program.)

Catching up on the news tonight, I found these quotes from an interview with Charlie Miller (winner of the Pwn2Own contest against OS X) very interesting:

Did you consider reporting the vulnerability to Apple?

I never give up free bugs. I have a new campaign. It’s called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away. Apple pays people to do the same job so we know there’s value to this work. No more free bugs.

I have heard this rumbling for a while. There is no disputing that there is a market for bugs, and it is sort of refreshing to hear someone be upfront about their reasons for finding them. A lot of people like to pretend that this work is done for “the good of the community”. Really, there are a few reasons white hats find bugs: a) to keep them private to add value to their pentests, b) to release them to the public to show off their skillz, and c) to sell them.

I don’t see any shame in that. Why should companies like Apple, MS, etc. expect customers to do their work for them? What is the value?

You talked earlier about the value of vulnerabilities. Was it a surprise that he (Nils) basically gave up three “high-value” bugs for $5,000 each?

It’s clear he’s incredibly talented. I was shocked when I saw someone sign up to go after IE 8. You can get paid a lot more than $5,000 for one of those bugs. I’ve talked to a lot of smart, knowledgeable people and no one knows exactly how he did it. He could easily get $50,000 for that vulnerability. I’d say $50,000 is a low-end price point.

For the amount of time he spent to do what he did on IE and Firefox, he could have found and exploited five or 10 Safari bugs. With the way they’re paying $5,000 for every verifiable bug, he could have spent that same time and resources and made $25,000 or $30,000 easily just by going after Safari on Mac.

The other thing that jumped out at me was the comments about targeting Macs.

Why Safari? Why didn’t you go after IE or Safari?

It’s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.

Take that quote, combine it with some recent commentary about the number of security professionals using Macs, and with meterpreter now being ported to the Mac (complete with the ability to take pics with the built-in iSight cameras), and times might get interesting. Going back to my statement above that one of the main reasons for tracking down bugs is to show off your skillz, it makes one wonder how many infosec people one could bag at a con…

iPhone Applications and Content

Posted by: Matt

Saw an article today that had me shaking my head. It turns out Apple rejected an update to a Twitter app because a curse word showed up in the trend list.

So, let’s get this straight. Apple will approve applications where teens share indecent pictures with each other (Twinkle) and apps that are full of nothing other than pornography (Zintin), but they won’t approve an app that shows a “naughty” word?

Good job Apple!

Maltego

Posted by: Matt

Just wanted to bring up an impressive experience I had today with a vendor.

I have been using Maltego since about this summer, after running into Chris Gates when Matt and I were speaking at ToorCon. Chris highly recommended the product, so I checked it out and bought a copy after I was back from San Diego.

I have been using the product for a while, and have been happy with it. It does its job well. Not much to say about it that has not been said before.

Today however, I received a call asking how happy I have been with the product. (Frankly, at first I worried that a customer database had been leaked and this was a phishing scam.) I was asked questions such as how often I use the product, what I like, what I don’t like, what I wish it did, etc. Overall, I was pretty impressed that a vendor was soliciting this sort of input. Really, for what this product costs, this level of customer service is unheard of. I look at the money we have spent on AccessData products, on EnCase, on Core Impact, etc., and I never got a call like this before.

Then to top it off, less than an hour after I got off the phone I received an e-mail from Roelof from Paterva. While on the call, I had expressed some interest in a feature within the product, and Roelof was contacting me to let me know how to accomplish my wish list within the current feature set.

This level of quick follow up from solicited input was amazing. I wish all my vendors treated me this well.

Well done Paterva.

For anyone interested in trying out Maltego, it is included in the BackTrack 4 beta.

Judge Orders Defendant to Give Up Password

Posted by: Matt

Matt sent me the link to this story today. This is a situation I have been following for a while:

A federal judge has ordered a criminal defendant to decrypt his hard drive by typing in his PGP passphrase so prosecutors can view the unencrypted files, a ruling that raises serious concerns about self-incrimination in an electronic age.

In an abrupt reversal, U.S. District Judge William Sessions in Vermont ruled that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, does not have a Fifth Amendment right to keep the files encrypted.

Boucher’s attorney, Jim Budreau, already has filed an appeal to the Second Circuit. That makes it likely to turn into a precedent-setting case that creates new ground rules for electronic privacy, especially since Homeland Security claims the right to seize laptops at the border for an indefinite period. Budreau was out of the office on Thursday and could not immediately be reached for comment.

I would be interested in hearing the community’s opinion on this matter.

Personally, I think this is wrong. While it sucks that people would use technology in such a manner, the effect of such a ruling would be extremely negative. With the DHS making claims such as:

A pair of DHS policies from last month say that customs agents can routinely–as a matter of course–seize, make copies of, and “analyze the information transported by any individual attempting to enter, re-enter, depart, pass through, or reside in the United States.” (See policy No. 1 and No. 2.)

DHS claims the border search of electronic information is useful to detect terrorists, drug smugglers, and people violating “copyright or trademark laws.”

Combine that with the authority to force users to give up passwords, and, well, let’s just say I will not travel with client data on my system, even in an encrypted format. The argument of “If you have nothing to hide, you won’t mind us looking” is invalid as well, as the data is entrusted to me and I have an obligation not to share it.

And beyond that, anyone savvy enough to use encryption is also going to know to just keep their data in the cloud, encrypted, and access it when they reach their destination. Or use a product like TrueCrypt and place the encrypted container in your Windows\system32 directory under the name “explorer.dll”. (Keep in mind that any decent forensic tool will notice a “DLL” with no MZ header whose contents look like pure random data, so that disguise only buys you something against a casual look, not against an examiner.)
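As an added illustration (this is not code from the original post, and the function and file names are mine), here is roughly what the signature-mismatch and entropy checks in a forensic suite do to catch a TrueCrypt container renamed to explorer.dll: a real PE image starts with "MZ" and is mostly structured, low-entropy data, while an encrypted volume has no signature and is indistinguishable from random bytes. The three "files" below are constructed inline so the script runs offline.

```python
import hashlib
import math
import os
from collections import Counter

# Leading bytes ("magic numbers") a file with this extension should carry.
# Windows PE images (exe/dll/sys) begin with "MZ"; a TrueCrypt-style volume
# has no header signature at all and is random-looking from byte zero.
MAGIC = {
    ".dll": b"MZ",
    ".exe": b"MZ",
    ".sys": b"MZ",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or random data, well below that
    for machine code, text, or anything with structure."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def signature_mismatch(name: str, data: bytes) -> bool:
    """True when the extension promises a magic number the bytes do not carry."""
    expected = MAGIC.get(os.path.splitext(name)[1].lower())
    return expected is not None and not data.startswith(expected)


def flag_suspicious(files: dict, entropy_threshold: float = 7.5) -> list:
    """Return the (sorted) names of files whose extension lies about their
    content, or which are near-random despite claiming a structured type.
    `files` maps filename -> bytes; a real scan would read them from disk."""
    flagged = []
    for name, data in files.items():
        known_type = os.path.splitext(name)[1].lower() in MAGIC
        if signature_mismatch(name, data) or (
            known_type and shannon_entropy(data) >= entropy_threshold
        ):
            flagged.append(name)
    return sorted(flagged)


def _pseudo_random(n: int, seed: bytes = b"constructed-container") -> bytes:
    """Deterministic stand-in for ciphertext (sample data, not a real volume)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample "directory": all three entries are synthetic.
SAMPLE_FILES = {
    # A minimal DOS/PE stub: carries the MZ signature and mostly-zero padding.
    "kernel32.dll": b"MZ\x90\x00" + b"\x00" * 512
    + b"This program cannot be run in DOS mode.\r\n",
    # The trick from the post: an encrypted container renamed to a DLL.
    "explorer.dll": _pseudo_random(4096),
    # Harmless text; no magic is registered for .txt, so it is never flagged.
    "notes.txt": b"packing list: laptop, charger, passport\n",
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:14s} entropy={shannon_entropy(data):.2f} "
              f"mismatch={signature_mismatch(name, data)}")
    print("flagged:", flag_suspicious(SAMPLE_FILES))
```

Either test on its own is enough to single out the renamed container: the missing MZ header fails the signature check, and the near-8-bits-per-byte entropy fails the second one even if the first few bytes happened to look like a header. Hiding the volume inside something that legitimately is high-entropy (a real encrypted volume, a compressed archive) is a different problem, and one these two checks alone do not solve.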

These sorts of moves do nothing but hurt legitimate uses of technology while doing nothing to reduce the risks they are aimed at.

Thoughts on this matter are welcome.