Threat Forward

http://krebsonsecurity.com/2014/07/the-rise-of-thin-mini-and-insert-skimmers/

Tiny card skimmers may not be “sophisticated” in their method of attack, but they sure are nifty.

To be fair, the Cyber-Beltway is not known for knowledge of the field or impressive research.

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2438164

Didn’t read it?  It’s about how the US should regulate the “0-day vulnerability marketplace” so that “bad guys” can’t get the “0-days”.

There is an underlying flaw in the thinking, which may be pervasive in the beltway cyber-echo-chamber, that vulnerabilities are things — things that someone invents or manufactures.  Vulnerabilities (in the 0-day or Øday or whatever sense) are not inventions.  They are facts that are discovered.  It is an important distinction.  A working exploit is the result of occasional invention on the part of the researcher, but the flaw being exploited is not.

Understanding what a security flaw is helps deconstruct the idea of a “Øday vulnerability marketplace”.  The purchasers in this market are not “buying 0-dayz”.  They are outsourcing vulnerability research and testing.  More to the point, they are outsourcing it as piece-work.  The sellers in this market are engaging in a race/lottery to get paid.

Microsoft, Google, The NSA, etc. have the capability to discover software and hardware security flaws.  In addition to this work, they offer bounties (payment) to any and all comers (or those on a procurement schedule) for usable discoveries.  There are incredible advantages to doing this.

The purchaser pays once to acquire the discovery — the fact.  The seller gets paid a decent amount that made searching for and verifying the vulnerability worthwhile.  Say Google paid $25K for a Chrome vulnerability, which the seller took 95 hours to find and a few hours to weaponize.  The seller earns $250/hr for a labor of love.

What Google isn’t paying for is the hundreds of people who each looked at the same thing and either didn’t see the vulnerability, or brought it to Google a little too late.  That is thousands and thousands of of hours of effort that doesn’t hit Google’s bottom line.  If Google could only rely on their own search for vulnerabilities, they may well have to spend all that extra time and effort themselves to get the same result.

The second conceptual flaw is that this visible market mechanism (that happens to be currently in the news) is the main method by which bad actors are acquiring their discovered facts.  Some research in the matter would show the dedicated student that this is often the exact reverse of reality.

Attempting to regulate the transfer of this kind of knowledge hasn’t worked before.  The discovery of facts happens simultaneously, and is not tied to a particular geography or people.  Regulating the outsourcing of vulnerability research with the aim of preventing your enemies from acquiring the products of research is naive.  It assumes that your enemies are in fact tied to this outsourcing marketplace, and are unable to perform their own research.

For consideration:  When some seedy beltway contractor snags a vBulletin exploit off of a Romanian hacker forum, scrubs the author information, then turns around to sell it to the NSA, there is nothing in the transaction that stops the  People’s Liberation Army (cue scary music) from finding that same exploit on that same forum, discovering the flaw themselves, or paying similar government cronies in Beijing  for the same effort.

If I were attacking a target I knew used something like Certificate Patrol, these last two weeks would be the time to start spoofing every SSL connection they try to make.  There’s been a lot of churn.

Don’t brag about your elite hacking adventures on IRC.

Before making analogies about how Andrew Auernheimer (weev) did this or that, or the ethics of breaking into whatever, pay close attention to what he was actually found guilty of.

Auernheimer was not found guilty of accessing a computer without authorization.  He was found guilty of conspiracy to access a computer without authorization.  The prosecution didn’t make a case that he had actually broken into anything.

You can be found guilty of conspiracy without ever doing the deed.

So, in the case of this minor ICCID enumeration exercise, you can read for yourself the IRC log excerpts about how they were going to bring ATT to its knees, and how this was such a huge hack: “[T]his could be like, a future massive phishing operation serious like this is valuable data we have a list a potential complete list of AT&T iphone subscriber emails”.

What Andrew didn’t know is that the FBI had a confidential informant.  So, all that pie-in-the-sky bragging on IRC about what they “totally could do” ends up going into evidence.  Whoops.

It is a hacker tradition to inflate minor finds into Big Deals.  It is tradition to sit on IRC, bragging about what you could do — feasible or not — to impress and one-up your buddies.

It is a matter of time and place.  Bragging in front of a Senate committee that you “could totally take down the internet” can bring you fame and fortune.  Bragging on IRC about sticking it to ATT can put you in court.

Never brag about your exploits on IRC

“Andrew Auernheimer, 26, of Fayetteville, Arkansas, was found guilty in federal court in New Jersey of one count of identity fraud and one count of conspiracy to access a computer without authorization.”

Given that the problem they found was that ATT wasn’t using any authentication, the conspiracy charge is quite the slap in the face.

Previously.

SAP has settled (maybe) Oracle’s lawsuit over TomorrowNow.  The cost so far to SAP is US$306M.  A little advice:  Next time, make sure you use the –clairvoyant flag in your wget scripts!

So far, it appears that Oracle has successfully used the California legal system as an access control method.

Tomorrow Now less of a burden on SAP
What this means for Rimini Street, and the concept of entrapping your competitors for the purpose of civil litigation remains to be seen.  SAP already confessed liability, and this appears to  just mean less of a payout.

See also:  Oracle is Acting Rationally and Access Control in Real Life.