From User: Rattle

Current Topic: Computer Security

TaoSecurity: "Untrained" or Uncertified IT Workers Are Not the Primary Security Problem
Topic: Computer Security 11:55 am EDT, Jun 11, 2010

One of my biggest gripes about the upcoming cybersecurity legislation is the threat of mandatory certification for security professionals.

I didn't get a chance to thank Richard Bejtlich for his kind comments regarding my Blackhat talk, so let me take the time now to thank him for taking a stand on this issue:

There's a widespread myth damaging digital security policy making. As with most security myths it certainly seems "true," until you spend some time outside the policy making world and think at the level where real IT gets done.

The myth is this: "If we just had a better trained and more professional IT corps, digital security would improve."

This myth is the core of the story White House Commission Debates Certification Requirements For Cybersecurity Pros.

My opinion? This is a jobs program for security training and certification companies.

Here's my counter-proposal that will be cheaper, more effective, and still provide a gravy train for the trainers and certifiers:

Train Federal non-IT managers first.

If management truly understood the risks in their environment, they would be reallocating existing budgets to train their workforce to better defend their agencies.



Google China cyberattack part of vast espionage campaign, experts say - washingtonpost.com
Topic: Computer Security 1:09 pm EST, Jan 14, 2010

Rattle:

I'm glad to see this is finally getting some attention. As bad as these articles make the extent of the ongoing Chinese espionage sound, it's actually worse...

Human rights groups as well as Washington-based think tanks that have helped shape the debate in Congress about China were also hit.

sigh...

"Usually it's a group using one type of malicious code per target," said Eli Jellenc, head of international cyber-intelligence for VeriSign's iDefense Labs, a Silicon Valley company helping some firms investigate the attacks. "In this case, they're using multiple types against multiple targets -- but all in the same attack campaign. That's a marked leap in coordination."

The division of labor is what I think stands out the most.

"This is a big espionage program aimed at getting high-tech information and politically sensitive information -- the high-tech information to jump-start China's economy and the political information to ensure the survival of the regime," said James A. Lewis, a cyber and national security expert at the Center for Strategic and International Studies. "This is what China's leadership is after. This reflects China's national priorities."



Air Force Draws Weekend Cyberwarriors From Microsoft, Cisco
Topic: Computer Security 2:49 am EDT, Aug  7, 2007

If the U.S. Air Force is ever ordered into a cyberwar with a foreign country or computer-savvy terrorist group, the 100-plus citizen cybersoldiers at the Air National Guard's 262nd Information Warfare Aggressor Squadron will boast an advantage other countries can't match: They built the very software and hardware they're attacking.

That's because the 262nd, based at McChord Air Force Base outside Tacoma, Washington, draws weekend warriors from Microsoft, Cisco Systems, Adobe Systems and other tech companies, in a recruitment model that senior military leadership is touting as vital to the Air Force's expanded mission to achieve "dominance in cyberspace."

Wow...



Billy Hoffman: 'Would you like a destroyed Internet with your JavaScript?'
Topic: Computer Security 5:54 pm EDT, Mar 25, 2007

A security researcher at ShmooCon on Saturday demonstrated, but did not release, a tool that turns the PCs of unknowing Web surfers into hacker help.

As expected, SPI Dynamics researcher Billy Hoffman demonstrated a Web application vulnerability scanner written in JavaScript. The tool, called Jikto, can make an unsuspecting Web user's PC silently crawl and audit public Web sites, and send the results to a third party, Hoffman said.

"The whole point was to show how scary cross-site scripting has become."

"Once one person has talked about the ability to do it, it doesn't take that long for somebody else to come up with it," said one ShmooCon attendee who asked to remain anonymous. "It will come out."

There are already 50k hits for a Google search on "Jikto". A few comments from around the web: Jeremiah Grossman, of Whitehat Security, and "Pascal". Anurag Agarwal offered a Reflection on Billy Hoffman, along with a photo:

This week on Reflection we have a very young guy from the webappsec field.

Billy’s knowledge on Ajax is tremendous ... his ability to think differently has helped him achieve so much in such a short time.

I got a chance to meet with him in the WASC meetup at RSA. He is a very lively character. Let me put it this way: if Billy is a part of a conversation, you won’t get bored even if you just stand there and listen.

Billy got an amazing amount of press out of this one. Google is up to 74,000!



Hacker builds tracking system to nab Tor pedophiles | Zero Day | ZDNet.com
Topic: Computer Security 1:32 am EST, Mar  9, 2007

Amidst concerns that pedophiles are using public Tor (the Onion Router) servers to trade in child pornography, über-hacker HD Moore is building a tracking system capable of pinpointing specific workstations that searched for and downloaded sexual images and videos of kids.

He is embedding a web bug in certain tor requests that implements a JavaScript-based check for the local IP address and a UDP query to get the external IP. This raises some interesting questions:

1. People running anti-tor servers can undermine the anonymity provided by tor unless users are serious enough not to have their DNS going out in the clear, and serious enough to have browser extensions disabled. None of these ideas are new.

2. This seems to suggest the idea that someone would go to the trouble of running a tor server because they want to protect anonymity but decide to run this because they are uncomfortable with some of the uses of that anonymity.

3. In this case the anonymity they are providing is undermined based on a keyword match which is unreliable at best.

4. H.D. Moore is pro full disclosure of exploit code but against anonymous web browsing?

5. Why go to a lot of trouble undermining your anonymity system in order to target people downloading child porn through your proxy when you can use the same filter script to identify the server if you are running an exit node? Servers are worse than users, targeting them doesn't undermine the purpose of the service you are running, and you don't need any javascript tricks to target them.

Bottom line: The goal here is to educate tor users, not to track them.



Wired: 27B Stroke 6- Billy Hoffman on Ajax Security at RSA
Topic: Computer Security 3:53 pm EST, Feb  8, 2007

The best conference presenters have a story to tell, and this morning, Billy Hoffman -- the lead researcher at Web application security company SPI Dynamics, had a great story to tell Wednesday morning at the RSA security conference about how all your favorite new Web 2.0 applications are a boon to criminals.

27B Stroke 6 covered Billy's talk at the RSA security conference.

Billy rocks.



OpenSSL | RSA Signature Forgery (CVE-2006-4339)
Topic: Computer Security 5:51 pm EDT, Sep  8, 2006

Daniel Bleichenbacher recently described an attack on PKCS #1 v1.5 signatures. If an RSA key with exponent 3 is used it may be possible to forge a PKCS #1 v1.5 signature signed by that key. Implementations may incorrectly verify the certificate if they are not checking for excess data in the RSA exponentiation result of the signature.

I can hear Nelson saying "HA-HA." The details are here but let me see if I can offer a simpler explanation.

In RSA, your public key is made up of an exponent and a modulus. In some RSA implementations, your public exponent is simply set to 3. Seems like a simple number, but you're going to tell everyone what it is anyway, and choosing a small number makes your calculations faster. (I'll use N for the modulus.)

As a reminder, public key crypto lets you encrypt something, or sign something. When you encrypt, you encrypt with the recipient's public key, and only their private key can decrypt. When you sign, you encrypt with your private key, and anyone with your public key can decrypt...

So, let's say your public exponent is 3. When someone wants to check your signature, they decrypt it with your public key. Literally, they perform this operation:

X = signature^3 modulo N

Now, RSA signatures are usually shorter than N before they are encrypted, so they get padded out to N first. It turns out that in some poor implementations of RSA it's trivially easy to screw around with that padding so that a fake signature becomes a perfect cube, and the implementation won't examine what was inside the signature carefully enough to notice that you've done this. When your unencrypted signature is a perfect cube, it is easy to calculate its cube root. This cube root will be accepted by RSA as a valid encrypted signature.
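As an added example (not code from the advisory, from OpenSSL, or from this post), here is the check the advisory says vulnerable implementations skipped: after computing X = signature^3 mod N, the padded block has to be compared as a whole against the one valid encoding, rather than scanned up to the hash and then ignored. It assumes SHA-1 as the digest and a 1024-bit modulus for the constructed sample block; the cube-root step of the forgery itself is not shown.

```python
import hashlib
import hmac

# DER prefix of a SHA-1 DigestInfo (RFC 8017, section 9.2, note 1).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def pkcs1_v15_encode(digest: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 || PS (>= 8 bytes of FF) || 00 || DigestInfo, k bytes."""
    t = SHA1_DIGESTINFO_PREFIX + digest
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t

def verify_lax(em: bytes, digest: bytes) -> bool:
    """Vulnerable style (the gap in CVE-2006-4339): skip the FF padding, compare the
    DigestInfo, and never look at what follows it."""
    if len(em) < 11 or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = SHA1_DIGESTINFO_PREFIX + digest
    return em[i + 1:i + 1 + len(t)] == t  # trailing bytes are never examined

def verify_strict(em: bytes, digest: bytes) -> bool:
    """Correct check: exactly one valid block exists for this digest and key size,
    so rebuild it and compare the whole thing (RFC 8017 RSASSA-PKCS1-v1_5-VERIFY)."""
    try:
        expected = pkcs1_v15_encode(digest, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)

def demo() -> tuple:
    """Runs both verifiers on a well-formed block and on a constructed block that
    carries excess data after the DigestInfo; returns four booleans."""
    k = 128  # byte length of a 1024-bit modulus
    digest = hashlib.sha1(b"example message").digest()
    good = pkcs1_v15_encode(digest, k)
    # Constructed malformed block: minimal padding, then filler after the DigestInfo.
    bad = b"\x00\x01" + b"\xff" * 8 + b"\x00" + SHA1_DIGESTINFO_PREFIX + digest
    bad += b"\x42" * (k - len(bad))
    return (verify_lax(good, digest), verify_strict(good, digest),
            verify_lax(bad, digest), verify_strict(bad, digest))
```

The lax verifier accepts both blocks; the strict one accepts only the well-formed block, which is the whole difference between a patched and an unpatched verifier here.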



Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript
Topic: Computer Security 6:16 pm EDT, Jul 27, 2006

Or: How Acidus [*] learned how to port scan company intranets using JavaScript!

Imagine visiting a blog on a social site like MySpace.com or checking your email on a portal like Yahoo’s Webmail. While you are reading the Web page JavaScript code is downloaded and executed by your Web browser. It scans your entire home network, detects and determines your Linksys router model number, and then sends commands to the router to turn on wireless networking and turn off all encryption. Now imagine that this happens to 1 million people across the United States in less than 24 hours.

This scenario is no longer one of fiction.

You can visit the proof of concept page he created and test drive it now.

This is really, really, really scar^H^H^H^H cool!



Georgia Law to put Computer Forensics experts in Jail -- HB 1259
Topic: Computer Security 12:39 pm EDT, Apr 23, 2006

dc0de wrote:

For those of you who care about Computer Forensics, please see the current situation in Georgia.

There is a bill before the GA Legislature -- HB 1259

If passed, it will make it a Felony to perform and testify in a State Court about any computer forensics performed, unless you are a licensed Private Investigator.

Here is some more discussion of the issue. Here is the actual text of the legislation. The Atlanta High Technology Crime Investigation Association is holding a meeting on this subject on May 8th. Calvin Hill, the Representative who sponsored the bill, and John Villanes, Chairman of the Georgia Board of Private Detectives, will be at the meeting.



Microsoft meets the hackers | CNET News.com
Topic: Computer Security 10:19 am EDT, Jun 17, 2005

The random chatter of several hundred Microsoft engineers filled the cavernous executive briefing center recently at the company's sprawling campus outside Seattle.

Within minutes after their meeting was convened, however, the hall became hushed. Hackers had successfully lured a Windows laptop onto a malicious wireless network.

"It was just silent," said Stephen Toulouse, a program manager in Microsoft's security unit. "You couldn't hear anybody breathe."

Matt Thomlinson, whose job it is to help make Microsoft engineers create more secure code, noticed that some of the engineers were turning red, becoming obviously angry at the demo hacking incident. Yet as painful as the lesson was, he was glad to see the crowd of engineers taking things personally.

Lots of links to interesting stories here...


