Saturday, January 24, 2009

oil price gamble :(


In a five-year period, the amount that hedge funds and the big Wall Street banks had placed in the commodities futures markets went from $13 billion to $300 billion.

The price of oil went up from ~$60 to $147 in less than a year... supply and demand alone cannot have caused that.

Between Q4'07 and Q2'08 the worldwide supply of oil went up while demand went down, and this is exactly when the oil price surged fastest...
The only thing that lifted the price was investor demand, alias gamblers betting on the price of oil.

That demand was created on Wall Street by hedge funds and the big Wall Street investment banks like Morgan Stanley, Goldman Sachs, Barclays, and J.P. Morgan, who made billions investing hundreds of billions of dollars of their clients' money.

Who would have known that Morgan Stanley is "the largest oil company in the world"?
It doesn't own or control oil wells, refineries, or gas stations, but it is a significant player in the wholesale market through various entities controlled by the corporation.

It's impossible to tell exactly who was buying and selling all those oil contracts because most of the trading is now conducted in secret...

Enron managed to convince the US government to deregulate the commodity market so it could control the direction of the energy futures market; they were able to drive the price of electricity up, some say, by as much as 300 percent on the West Coast... When Enron went bust, their traders became the most valuable employees on Wall Street.

It finally popped with the bankruptcy of Lehman Brothers and the near collapse of AIG, who were both heavily invested in the oil markets. With hedge funds and investment houses facing margin calls, the speculators headed for the exits.

From July 15th until the end of November, roughly $70 billion came out of commodities futures from these index funds, while gasoline demand went down by roughly 5% over that same period of time. Yet the price of crude oil dropped more than $100 a barrel. It dropped 75%...

What the hell was the Commodity Futures Trading Commission doing during this whole time?!?


gambling that brought down the world: Credit Default Swap

Legalized illegal gambling brought this world to its knees...
It's a disgusting zero-sum game played by finance people... they got filthy rich, create nothing, and make others suffer.



enlightened mbee


Wednesday, January 21, 2009

:(){ :|:&};:


Tuesday, January 20, 2009

ROI & Stego-marking of security podcast with Eric Cole

17th episode of The Silver Bullet Security Podcast.

Interview with Eric Cole

In the past security was about saying "no"; today security is all about saying "yes" in a creative manner.

If you do security properly, what happens?
Well, nothing happens, and the budget gets cut...

Solution: put up a nice diagram showing the firewall deny hits, every month!
Show the execs: did you realize that last month we got 12000 attacks?

Every month, prepare a presentation for the C level that shows the number of dropped packets at the border firewall.

Sometimes bad things happen; this does not mean security failed, but we have to take calculated risks.

Across different organizations some high-level metrics are the same
(confidentiality, free flow of information...), but then you go specific.

The difference between the two:
academic approach: teaching the fundamentals;
certification: all about current practical skills.

Steganography tag: putting something in that cannot be removed or modified.

Security: defense in depth and a layered approach.

The FW has nothing to block, the IDS has nothing to detect...
With Stego-marking the FW has something to block and the IDS has something to mark...

It's good to get frustrated: that's when people start looking for a solution...

Securing against outside threats:
harden the system: reduce visibility from the outside!

Securing against inside threats:
access control! Least privilege;
data classification in order to allow least privilege.

length: 29:23m


Security testing podcast with Eugene Spafford

18th episode of The Silver Bullet Security Podcast.

Interview with Eugene Spafford

We use a lot of software that isn’t developed carefully, and the tools and techniques and languages aren’t necessarily the best for producing high-quality, robust software. Testing is a way for us to attempt to reduce some of the problems that may occur with it. It’s a mechanism that’s fairly well understood by people.
I don’t think testing is going to go away any time soon. I think it does play an important role.

The challenge with testing is in building testing software that can work on artifacts that might not have well-stated specifications and be used by people who might not have a lot of familiarity with good testing technologies.

In the security realm, what we want to test is making sure that a program doesn’t do anything beyond what it’s designed to do. That’s a new area where much of the testing that goes on now has.

I believe that a lot of what’s talked about in ethical hacking is a little bit overdone, in part because we failed to build the systems properly in the first place. How many times do you actually have to do a buffer overflow to understand how it works?

Because understanding how to break something doesn’t necessarily show you how to fix it.

time 28:08


Monday, January 19, 2009

Online game exploits, rootkit & online gaming podcast with Greg Hoglund

16th episode of The Silver Bullet Security Podcast.
Interview with Greg Hoglund

At the beginning of my career I had high hopes; now I've become a

Breaking things is a lot of fun.

Code understanding procedure - static analysis.

You don't need to use static analysis to convert the whole binary... there is also
dynamic analysis to achieve a similar end goal.

The most expensive part of reverse engineering is to do static analysis.

If you already know what you are doing, you can take a shorter path; clearly the attacker has an advantage.

Disclosure is good; keeping things secret does not mean that nobody is using them. Zero-day exploits are the most dangerous...

Corporations have 70% of their IP stored digitally.

A lot of people outside the US are willing to work for less money to develop cutting-edge rootkit tech...

It's absolutely easy to cut a cert to install a rootkit in Vista...

Using kernel-level tech to help the enterprise is fine... the important thing is to keep control.

EULA: "hi I'm a virus, click OK so I can spread to everybody..."
Does this make it malware?

There is a HUUUGE market for online virtual property.

Example: World of Warcraft; there are many gold shops (people get paid ~4 dollars/hour, which is a lot of money for people who live in Asia).

There is a delta between virtual money and real money.

People get paid $4/h running probably 10 different bots at the same time, generating 300-400 gold pieces/hour on level 60 or above accounts... the income for any given shop can easily exceed $30k/month... and that's at the wholesale rate...

Wholesale rate: 4 cents per gold piece.
Retail rate: 10 cents per gold piece.

The cheating is HUGE.

World of Warcraft tries to ban these shops (they can ban a thousand accounts at once); in one ban they lose the whole business...

These shops are entirely dependent upon the stealth of their bots, because they can lose everything in a single sweep...

Actually, even when there are these mass bans, there are people who gain, because the price of a gold piece goes up...

Creating a bot that makes a character go around and harvest gold is not the exploit... it's just breaking the EULA; but exploiting the database synchronization between servers so that a player's gold gets doubled, that is the exploit...

One duplication exploit (dup bug) is probably worth over 1000 dollars if it is used properly...

The duplication is exponential... you'll probably have a hard time just laundering the money.

There is a guy who found a dup bug and had a company like IDG (who say they don't sponsor laundering; they are lying, their business is based on this money laundering) create hundreds of accounts for him... he made millions... he probably lives in Canada.

time 24:03


Privacy podcast with Annie Antón

15th episode of The Silver Bullet Security Podcast.

Interview with Annie Antón

Privacy definition by Warren and Brandeis - the right to be let alone.

Scott McNealy said we don't have any privacy, and we should just get over it.

ChoicePoint, a data aggregation company based in Alpharetta that acts as a private intelligence service to government and industry, had major security breaches that led to the theft of personal information, and now they have changed... Corporate spankings actually work.

Only one American airline answers privacy questions to great satisfaction (Alaska Airlines).

In the Toysmart case, their privacy policy said they wouldn't collect or sell any information, but when they went bankrupt they sold their database containing the names and ages of children, violating COPA (Child Online Protection Act); the parent company, Disney, decided to buy it and destroy it.

The problem with EULAs is that they present a lot of information the user does not care about. EULAs should be written like the SURGEON GENERAL'S WARNING on cigarettes.

time 25:16


Friday, January 16, 2009

New year, new remote code execution vulnerability: MS09-001

srv.sys in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via an SMB WRITE_ANDX packet with an offset that is inconsistent with the packet size, related to "insufficiently validating the buffer size," as demonstrated by a request to the \PIPE\lsarpc named pipe, aka "SMB Validation Denial of Service Vulnerability."

Buffer overflow in SMB in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2 allows remote attackers to execute arbitrary code via malformed values of unspecified "fields inside the SMB packets" in an NT Trans request, aka "SMB Buffer Overflow Remote Code Execution Vulnerability."

SMB in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to execute arbitrary code via malformed values of unspecified "fields inside the SMB packets" in an NT Trans2 request, related to "insufficiently validating the buffer size," aka "SMB Validation Remote Code Execution Vulnerability."
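All three descriptions above come down to the same defect: an offset or length field carried inside the packet is trusted against the buffer it indexes. The C below is an added illustration of that bug class, not srv.sys code or anything from the bulletin: a cut-down, hypothetical WRITE_ANDX-style header (two fields, not the real layout) is validated first the weak way and then with the check a kernel parser needs, and data is copied only after the strict check passes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, cut-down WRITE_ANDX-style header: only the two fields the bug
   class turns on, little-endian as on the wire (not the real layout, not srv.sys). */
struct write_hdr { uint16_t data_offset; uint16_t data_length; };

static struct write_hdr read_hdr(const uint8_t *pkt) {
    struct write_hdr h = { (uint16_t)(pkt[0] | pkt[1] << 8), (uint16_t)(pkt[2] | pkt[3] << 8) };
    return h;
}

/* Weak check, the shape of the bug the advisory describes: the length is
   compared with the packet size, but the offset never is. */
static bool fields_ok_weak(struct write_hdr h, size_t pkt_len) {
    return h.data_length <= pkt_len;
}

/* Hardened check: data must start after the header and inside the packet, and
   offset + length must not pass its end (a subtraction in size_t, so no wrap). */
static bool fields_ok_strict(struct write_hdr h, size_t pkt_len) {
    size_t off = h.data_offset, len = h.data_length;
    if (off < sizeof(struct write_hdr) || off > pkt_len) return false;
    return len <= pkt_len - off;
}

/* Does the chosen check accept the header at the front of pkt? */
bool header_accepted(const uint8_t *pkt, size_t pkt_len, bool strict) {
    if (pkt_len < sizeof(struct write_hdr)) return false;
    struct write_hdr h = read_hdr(pkt);
    return strict ? fields_ok_strict(h, pkt_len) : fields_ok_weak(h, pkt_len);
}

/* Copies the claimed data into a bounded local buffer only after the strict
   check; returns the byte count, or -1 when the packet is rejected. */
int copy_write_data(const uint8_t *pkt, size_t pkt_len) {
    uint8_t out[32];
    if (!header_accepted(pkt, pkt_len, true)) return -1;
    struct write_hdr h = read_hdr(pkt);
    if (h.data_length > sizeof out) return -1;
    memcpy(out, pkt + h.data_offset, h.data_length);
    return h.data_length;
}

/* Constructed 16-byte samples (not captures): data at offset 4, 8 bytes long,
   versus the same bytes with the offset field set to 0xFFF0. */
const uint8_t CONSISTENT[16]   = {4,0, 8,0, 'A','B','C','D','E','F','G','H', 0,0,0,0};
const uint8_t INCONSISTENT[16] = {0xF0,0xFF, 8,0, 'A','B','C','D','E','F','G','H', 0,0,0,0};
```

The weak check passes the inconsistent packet because 8 bytes fit in 16, while the strict check rejects it because the offset points far outside the packet; a kernel parser that copies on the weak verdict reads from wherever that offset lands.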


Wednesday, January 14, 2009

VC podcast with Becky Bace

12th episode of The Silver Bullet Security Podcast.

Interview with Becky Bace

As long as Kevin Mitnick stays on the straight and narrow: he got a sentence, he served it; if the court says they're fine with that, then I'm fine.

I never found the constraining of information about vulnerabilities by design to actually work.

When I started, people wouldn't talk about practical hacks... what were we supposed to do? Talk about theories?

When we went to a security conference and talked about a vulnerability, an old guy would stand up and say "hey, we knew about this vulnerability 40 years ago! What are you talking about?!?"
Was it true?
And of course it turned out to be true...

In terms of managing the stories that we have, we're doing an OK job, but from an academic point of view, we're not...

I am a venture consultant for a venture capital firm. Venture capitalists are basically investors. They’re effectively folks who function as a commercial bank might, except that they do things that by nature are higher risk, hopefully for a higher return. So far, we’ve been fortunate with Trident.

And really good VCs—this was sort of a revelation to me—don’t sit around like Simon Legree and cackle wildly at the thought of impoverishing poor technical entrepreneurs. They spend a lot of time and energy exploring the nature of evolving markets and also exercise a fair amount of resource and guidance for entrepreneurs. In the best of cases, a good VC is one who studies the area, knows the market cold, does a good job of identifying fast-evolving markets, and then identifies the movers and shakers in those markets.

time: 23:39m


Tuesday, January 13, 2009

Security Engineering podcast with Ross Anderson

15th episode of The Silver Bullet Security Podcast.

Interview with Ross Anderson

The best security book of all time: "Security Engineering".
Recently put online, and it turned out the royalties went up. I proved to my satisfaction that publishing my book online does not compete with the print edition; it actually helps sell more books... "hey, this is a good book, I want this on my shelf".

There is a little bit of improvement: there are no longer quite as many stack-overflow vulnerabilities as there used to be, but there are plenty of others.

Example: people who studied large software projects reckoned that about 30% of them fail and don't work at all, or go wildly over budget and over time, and so on and so forth...
So what do people do?
They build larger, bigger and better disasters...

The sort of person you have to be to be a successful project manager is miles different, diametrically different, from the sort of person you have to be to be a successful government/national leader.

As a project manager, you have to start off by getting people to take all the hardest decisions early, closing off all the options, then sit quiet and wait for 2 years to test and ship it... and then make some hard and rapid decisions/compromises.

Government in general does the opposite...
If you're a minister you have to face the press all the time; you can't sit quiet for 2 years, you have to go out and publicly change the specs every 2 months... and there is an awful lot more...

Economics of dependability...

The fundamental insight is that most systems fail not because of technical problems but because incentives are wrong. I think the best paper at WEIS last year was by Ben Edelman in which he pointed out that Web sites bearing the TRUSTe certification mark were twice as likely as random, similar Web sites to be malicious.

A Web site in the top-rated advertisement slot is more than twice as likely to be a scamster site as the top-rated free search site. Ben’s conclusion was, “Don’t click on ads.”

If everybody in the online world read this paper and thought about it carefully, then Google would be in bankruptcy tomorrow.

European customers have poorer protection against online banking scams of every kind, from cloned ATM cards to phishing scams, than in the US. It’s interesting to see that many of the new emoney providers—the nonbank payment services companies—are operating essentially under European rules rather than under American rules. At present, PayPal is very scrupulous at repaying every one of their customers who is the victim of a scam, but their terms and conditions do rather appoint them as the judge and jury and go as far as they can to ruling out any independent regulation. In that respect, they’re falling inside the European camp, and I predict that there’s going to be some serious tension that will involve not just computer security, per se, but regulators, the anti-moneylaundering crowd, the FBI, comparable agencies here, and so forth because phishing is one of the biggest growing threats on the Internet, and technical mechanisms alone aren’t going to fix it.

Civil engineers learn far more from the bridges that fall down than from the much greater number of bridges that stay up. Similarly, if somebody’s going to call themselves a security engineer, then they really have to study how things fail. That means that you have to read the press, the mailing lists, comp.risks, and plug into all the various sources of information about the bad things that are going on in the world.

Man-in-the-middle attacks have been around since at least the time when [Sir Francis] Walsingham doctored a letter from Mary Queen of Scots to her supporters—which was the 16th century.

time: 22:50m


Thursday, January 8, 2009

One of the videos that make us realize how boring and uneventful our lives are... :-B


Monday, January 5, 2009

MD5 is not good for CA

Bruce Schneier, in his book Secrets and Lies, wrote how his friend at the NSA defines a CA: someone whom you know can violate your security policy without getting caught.

Well, now it has been proven that it is possible to forge a certificate as if it was signed by a trusted CA.

An interesting presentation shows that, by exploiting the weakness of MD5, they could create a rogue CA certificate.

Moral of the story: don't use MD5 to sign certificates.

UPDATE: you can block HTTPS sessions that use SSL certificates signed with an MD5 hash using an IPS.
UPDATE2: there is a Firefox plugin to block MD5-signed certificates.
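As an added example of the check the two updates call for (my own code, not from this post, the presentation it refers to, or any IPS or plugin): a dependency-free DER walker that reads the outer signatureAlgorithm of an X.509 certificate and flags md5WithRSAEncryption. The two sample certificates are constructed byte arrays around a placeholder tbsCertificate and signature, not real or verifiable certificates.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Decode one DER tag and length at pos; sets value start/end, returns tag or -1. */
static int tlv(const uint8_t *d, size_t n, size_t pos, size_t *vs, size_t *ve) {
    if (n < 2 || pos > n - 2) return -1;
    int tag = d[pos++];
    size_t len = d[pos++];
    if (len & 0x80) {                              /* long form: k length bytes follow */
        size_t k = len & 0x7F;
        if (k == 0 || k > sizeof(size_t) || k > n - pos) return -1;
        for (len = 0; k--; ) len = (len << 8) | d[pos++];
    }
    if (len > n - pos) return -1;
    *vs = pos; *ve = pos + len;
    return tag;
}

/* Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
   Returns the outer signatureAlgorithm OID body (length in *oid_len), or NULL on
   malformed or truncated DER; n bounds every step. */
const uint8_t *cert_signature_oid(const uint8_t *der, size_t n, size_t *oid_len) {
    size_t s, e, ts, te, as, ae, os, oe;
    if (tlv(der, n, 0, &s, &e) != 0x30) return NULL;
    if (tlv(der, e, s, &ts, &te) != 0x30) return NULL;   /* step over tbsCertificate */
    if (tlv(der, e, te, &as, &ae) != 0x30) return NULL;  /* signatureAlgorithm */
    if (tlv(der, ae, as, &os, &oe) != 0x06) return NULL; /* its OBJECT IDENTIFIER */
    *oid_len = oe - os;
    return der + os;
}

/* md5WithRSAEncryption = 1.2.840.113549.1.1.4, as it appears in DER. */
static const uint8_t MD5_RSA_OID[] = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x04};
bool cert_signed_with_md5(const uint8_t *der, size_t n) {
    size_t len;
    const uint8_t *oid = cert_signature_oid(der, n, &len);
    return oid && len == sizeof MD5_RSA_OID && memcmp(oid, MD5_RSA_OID, len) == 0;
}

/* Constructed samples (not real or verifiable certificates): a placeholder
   tbsCertificate and signature around an MD5 or a SHA-256 algorithm identifier. */
const uint8_t SAMPLE_MD5[] = {
    0x30,0x1a, 0x30,0x03,0x02,0x01,0x01,
    0x30,0x0d, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x04, 0x05,0x00,
    0x03,0x04,0x00,0xaa,0xaa,0xaa };
const uint8_t SAMPLE_SHA256[] = {
    0x30,0x1a, 0x30,0x03,0x02,0x01,0x01,
    0x30,0x0d, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b, 0x05,0x00,
    0x03,0x04,0x00,0xaa,0xaa,0xaa };
```

What matters in a real chain is the signature the issuing CA put on each subordinate certificate, so run the check on every certificate below the trust anchor; a root's self-signature is never verified and is not what the attack relies on.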