Blog

Posts Tagged ‘threats’

Twinkle – The Future of Online Enticement?

Posted by: Matt  /  Comments: 1

I have recently started using an iPhone for a variety of different functions related to my work. All in all, I have to say it is not my favorite phone, but it is serving a purpose in allowing me to become familiar with a variety of different options that this mainstream device offers. In working with the device and looking for a new Twitter client, I came across an application named Twinkle. I wanted to share with the community some of my observations from using the application.

Twinkle is a social networking application created by Tapulous for the iPhone or iPod Touch. It is similar to Twitter, with a few key differences. When a user first installs and runs Twinkle, the application requests an e-mail address to generate a Tapulous account. The e-mail address is utilized to confirm the account and a profile is created.

From this point on, the profile is accessed and managed on the iPhone with no password required. This process makes it extremely easy to start up and use the application. The ease of use combined with the large number of iPhone owners creates a sizable potential user base.

Users also have the option of associating the application with a Twitter account. If this step is not conducted, the profile and all generated content lives only within the Twinkle network and is only accessible through the iPhone or iPod Touch.

The key feature of Twinkle, and its main difference from Twitter, is its location awareness. Within Twitter, users have to “follow” other users to see what they have posted to the network. Twinkle, on the other hand, has the ability to build a dynamic network based on proximity to other users. Users are able to quickly pull up all posts from other users within a defined distance of their current location (the default is 50 miles). The user’s location is identified automatically by Twinkle.

In most circumstances, this is a powerful feature. This allows users to quickly identify others in their local area and discuss popular events, places to eat, weather, traffic problems, and so on. If desired, users have the ability to define friends in the same manner as Twitter. Private messages are supported as well as attaching images to both public and private posts.

I find great utility in this application as it gives users a way to find out what is going on in their area from a “word on the street” level without relying on other news sources. When traveling, it is a great way to get a feel for the local area.

However, there is huge potential for abuse on the network. For instance, below is the content that was displayed today when launching the application. This was the default list of recent posts from users close by.

If we look closer at the posts from one of the profiles on the list, we find:

This sort of behavior, while regrettable, is almost expected of any service such as this.

One of the surprising aspects of this is the behavior of some of the female profiles. For instance, here is a public profile from a young female within my local area:

Notice the repeated requests for direct communication (“let’s talk!”). This is interesting because it appears to be a young female actively soliciting private communications. It’s possible that this isn’t a legitimate account and is someone posing as a female just to attract conversation (not law enforcement related activity). You can tell by the picture icon on some of those posts that pictures are attached to them. An example of the pictures which are posted:

At this point it’s impossible to tell if this is a valid account with activity by a young female or someone else utilizing pictures of a young female to add “legitimacy” to the posts.

Within the application, you can also view a list of a user’s friends. This female profile had a number of friends, one of whom stood out due to the graphic nature of the posts.


This was the only picture in this male’s profile that was safe to post. The other images were entirely too graphic. It is interesting that this account was tied to the previously mentioned female profile as a friend, since they are not in the same geographic area. The intentions of these users are unknown, but much of the activity could be described as inappropriate.

When I first came across Twinkle, I noticed some of this content and initially dismissed it. However, after some weeks of using the application I have found this sort of content to be very common in my local area (and this may not be representative of other areas).

I do want to state that I am not trying to discredit Tapulous, the publisher of Twinkle. I appreciate that they are trying to publish a quality iPhone app for free. The negative aspects that I described come at the fault of the users, not of the software publisher. From reading the Tapulous support forums, it appears as if the publisher takes abuse seriously, and removes accounts that engage in inappropriate behavior.

I wrote this post simply to bring attention to Twinkle and the potential for its use in online enticement. This application is uniquely positioned for this purpose due to the reckless behavior by the user base, the fact that users are able to identify the proximity of other profiles, the relative anonymity of accounts (sign up under a false e-mail address), and the lack of attention paid to the content of the network.

The Twinkle network is largely unknown, and I hope that this post will provide a resource to anyone involved in enticement investigations. By making parents and law enforcement aware of the negative possibilities, it is hoped that they can help educate their children and stop potential offenders before anything bad can occur.

Update:

I wrote this post over the weekend to post here on Monday. Sunday night, I took another look at what was happening in my local area, when I saw this:

Here we have a user from my local geographic area soliciting 13- to 14-year-old girls.

This one screenshot makes my case.

Last Internet break of 2008

Posted by: Matt

So, the Internet gets broken one last time in 2008.

Complete details are up and it is a really good write-up. Take the time to read the whole thing. The short version is that MD5 as a signature hash in SSL certificates is bad and should not be used. Using the attack detailed in the write-up, the group was able to create a rogue CA certificate allowing them to “issue SSL certificates to any website we like, including rogue websites claiming to be legitimate ones”. This is bad, bad news. Users have been trained (or at least attempts have been made to train them) to look for the “lock” symbol to see if a site is legitimate or not. This attack invalidates that sort of check for users, destroying any sort of trust on the Internet.

There are a number of CAs which could be attacked in such a manner.
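The practical check a defender wants after this news is to find out whether any certificate in a chain is still signed with MD5. The Python below is an added example, not code from the post or from the researchers’ write-up: it walks the outer DER structure of an X.509 certificate with the standard library only, decodes the signatureAlgorithm OID, and flags MD2, MD5 and (going beyond the post, as one would today) SHA-1. The sample certificates it builds are constructed skeletons with placeholder bodies, not real certificates, so the parser can be exercised offline.

```python
# Added example, not from the post: report each DER X.509 certificate's
# signatureAlgorithm so a chain can be audited for MD5-signed CA certificates.
# RSA signature OIDs (RFC 3279 / RFC 4055); True marks digests a CA must not use.
SIG_ALGS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", True),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Convert DER OID content bytes to dotted notation (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Return the dotted OID of Certificate.signatureAlgorithm (RFC 5280 4.1)."""
    _, cert, _ = _tlv(cert_der, 0)           # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, _, pos = _tlv(cert, 0)                # tbsCertificate: skipped here
    _, alg_id, _ = _tlv(cert, pos)           # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = _tlv(alg_id, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return decode_oid(oid)

def audit_chain(chain_der):
    """Map each certificate to (oid, name, weak); unknown OIDs are flagged for review."""
    return [(oid, *SIG_ALGS.get(oid, ("unknown, review manually", True)))
            for oid in map(signature_algorithm, chain_der)]

def _der(tag, payload):                      # short-form DER TLV, enough for samples
    return bytes([tag, len(payload)]) + payload

def build_sample_cert(sig_oid_hex):
    """Constructed Certificate skeleton with placeholder body: NOT a real cert."""
    tbs = _der(0x30, _der(0x02, b"\x02"))    # dummy tbsCertificate
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\xaa"))   # dummy signature BIT STRING
```

For real input, base64-decode the body of each PEM block and pass the resulting DER bytes to audit_chain.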

Criticism has already been voiced that a demo of this attack was not needed, and that all it did was help the bad guys. I disagree, as this sort of attack had been theorized for quite a while. But as it was never demonstrated, no one took it seriously. Now it should be taken seriously. You have to remember, vendors have no desire to release secure products; they have a desire to make money. Secure products are desired only in so far as having them is a selling point and not having them turns customers away.

Congrats to the group for putting this together. And here is hoping this problem is taken care of soon.

Oh, and I do find it interesting that a cluster of PS3s was utilized to assist with the attack.

Big News Coming Tomorrow

Posted by: Matt

It seems to be a new trend to have security research conducted and an announcement made that “we can’t tell you” what is going to happen, but if you come to our talk you will see everything. Well, it’s happening again.

And, word is it will be big:

First things first; the reason for secrecy. Their research combined a known weakness in one area with a massive resource investment in another to show that a third party was vulnerable to a practical attack that affects the security of all Internet users. Security researchers often release code and technical documentation to demonstrate a flaw, but in this case, they went a step further and used the attack in the real world to obtain proof that it works. This process required interaction with a third party that will likely do whatever they can to save face once the details become public.

Their research required massive computational resources that had to be utilized within a specific window of time. Although computing costs have dropped significantly over the last few years, the researchers estimated that commercially available computation resources such as Amazon EC2 put the technique within the grasp of a profitable criminal organization, large botnet operator and certainly state sponsors. The attack only has to be performed once in order to reap rewards for a long time afterward (months, if not years). This one-time investment model could pay for itself many times over if it was used to provide services to criminal organizations. Finally, they actually did it. This isn’t a pie-in-the-sky talk about what may happen or what someone might be able to do, this is a demonstration of what they actually did with the results to prove it.

The presentation is scheduled to be shown tomorrow morning. Might be worth a watch to see what is going on. I expect this model of hype will be around for a while, so get used to it. It serves a purpose (secrets exist for a reason), and it gets a lot of attention.

Here is hoping we get a good show out of this.

Missouri’s New Cyber-bullying Law

Posted by: Matt

The fallout from the Lori Drew case continues. The St. Louis Dispatch published an article about seven people recently charged under the new cyber-bullying law in Missouri. In the article there were some quotes criticizing the new law. Wired.com sums up the arrests:

  • A 21-year-old woman named Nicole Williams was charged for allegedly sending harassing text messages to a 16-year-old girl and allowing others to use her cell phone to leave vulgar voicemail messages for the victim threatening her with rape, among other things. Williams allegedly targeted the teen over a jealous dispute involving a boy, according to the Post-Dispatch.
  • Two St. Louis men were charged separately with sending harassing text messages to their ex-girlfriends.
  • A man protesting the development of a proposed resort was charged with sending a threatening e-mail to city hall staff.
  • A 28-year-old woman was accused of sending harassing text messages to her ex-husband’s girlfriend.
  • A 19-year-old man was charged with sending some 17 text messages to his mother’s husband.
  • A 17-year-old involved with a classmate in a dispute over a girl is accused of sending the classmate death threats via text messages.

Bruce Schneier said there haven’t been any new crimes invented in millennia. He’s probably right. Look at the descriptions of the seven people arrested – harassment and threats! The only difference between these descriptions and the “traditional crimes” is the medium the threats took place on.

What some are calling a “knee-jerk reaction to one case” is simply legislation trying to catch up with technology. Laws have to be changed to adapt to the tools criminals use. If cell phones and email are the instrumentality of the crime and there is currently no law that defines this usage as a crime, the laws need to be updated to reflect that.

Looking at Nebraska Statutes as an example, you quickly see that everything is defined within the law and the statutes contain very specific language. Numerous officers in Nebraska had successful online enticement arrests. During the course of these types of investigations, officers would have contact with potential offenders who would show themselves engaging in lewd acts on their webcams. There was no law that prohibited this act. Even though an adult male thought he was “putting on a show” for an underage female (under the age of 16), there was no criminal act committed according to Nebraska Criminal Statutes. A new law was passed to address this issue.

The seven people arrested based on this new cyber-bullying law aren’t doing anything new. The law has simply been adapted to help prosecute a traditional crime. If anything, using a cell phone may make it easier for police to collect evidence. An officer can observe the entries on the phone and subpoena the call detail records to back the observation up. A threatening email can often include the sender’s IP Address. Text messages, voicemails, and emails leave a nice transcript of the actual content of the threat. What used to be a “he said / she said” situation is now being proved in court via the technology used.

Sadly, the new technology can always be used to manipulate new laws. Look at the Maryland situation with speed cameras. People who were not at fault were sent citations. It is possible to send a threatening text message with a spoofed phone number. Will the officer investigating this crime ever get to the true sender or will the unknowing “suspect” be charged? Lawmakers and police officers need to take these things into consideration when dealing with laws based on new technology.

Ideally, any new law that is passed quickly is done so with little emotion playing into the decision. Lawmakers should have clear heads and rely on outside expert opinion when needed. Emotionally charged laws could become bad laws, but all new laws are tested out in the courts. This is why we have case law, good or bad. If it is determined that the law doesn’t work well enough, it will be updated or a new one will be enacted. While some have criticized the Missouri lawmakers for acting too quickly, at least they are taking steps to catch up with technology.

How much is that data in the window?

Posted by: Matt

Why steal when you can buy for pennies on the dollar?

Your records for sale to the highest bidder:

Earlier this month, the Mini Self Storage company in Scarborough was prepared to auction off the contents of a unit rented to a mortgage brokerage that hadn’t paid its bill: 60 boxes of financial records, including loan applications with personal financial information such as Social Security and bank account numbers.

Nothing in Maine law prevents storage facilities from selling sensitive financial, personal or medical records to the highest bidder, when their original owners do not pay their storage bills. And that is becoming a real concern, with the failure of several dozen mortgage companies in Maine since the recession began one year ago.

Cyber Attacks on Banks

Posted by: Matt

As a follow-up to the carder post, I thought I would link to a post regarding methodologies that are being utilized in attacks against banks. Going back to the Know Your Enemy series, these sorts of write-ups have always fascinated me.

The article includes a lot, from malware to money laundering (if you ever wondered what some of those “work from home” items were, this is for you). The points made in the article about two factor authentication are very valid, and we have seen multiple situations lately where that would have been helpful.

The nice thing is that the article ends with suggestions for improving the situation. This is always refreshing, as it is easy to point out what is wrong but much more difficult to improve the situation.

Carders

Posted by: Matt

There is a decent write-up on Wired about CardersMarket.

Settling into his chair and resting his fingers on his keyboard like a concert pianist, Butler began his attack. Most illegal online loot was fenced through four so-called carder sites—marketplaces for online criminals to buy and sell credit card numbers, Social Security numbers, and other purloined data. One by one, Butler took them down.

This is a very entertaining read. Matt and I have run into some of the fallout from this investigation, and it’s all pretty amazing. Sometimes it is nice to see how the press spins some of these stories.

Privacy in the home?

Posted by: Matt

Interesting story regarding privacy in the home:

A Dubuque man who secretly videotaped his wife in their bedroom must pay her $22,500 for invasion of privacy, the Iowa Supreme Court ruled Friday in the couple’s divorce case.

I found some good commentary on the matter as well with some additional details:

“Even before their marriage, Jeffrey and Cathy had recorded each other’s telephone conversations without the other’s knowledge and consent. Apparently undeterred by their history of discord, they were married on December 31, 1999. Jeffrey surreptitiously installed recording equipment and recorded Cathy’s activities during the marriage in the marital home.”

These sorts of stories always make me wonder what is going through some people’s heads. I can’t say I disagree with the outcome of this one.