Disrupting online crime by attacking profit margins

The question of why people hack is a common one, but increasingly, it’s to fuel a vast, immensely profitable underground economy. Google researchers suggest the best way to slow or stop it is to undermine that economy, rather than the conventional methods which try to make hacking harder.


Three things to remember from Verizon’s Data Breach Investigations Report

Every year around this time, Verizon releases its Data Breach Investigations Report, referred to in the trade as simply the “DBIR.” Verizon is one of two companies you call if you’ve been breached and you really want to get to the bottom of what happened and try to keep it from happening again. (Mandiant is the other.)

My CISO hates this year’s edition because of its Joy Division-inspired cover and some of the cutesy writing. But it still makes some valid points that I wish everyone would take to heart–and those points remind me why so many people in my field of work listen to Joy Division.


Another day, another router backdoor

Ars Technica dropped this bombshell toward the end of the day yesterday: A backdoor in Linksys and Netgear (and possibly other) routers. The exploit works on a weird port, so it’s not remotely exploitable, nor is someone going to drop it with some crafty JavaScript like the recent D-Link backdoor, but it’s not out of the question at all for malware to do a pivot attack. Here’s how it would work: Once a computer is infected, it could attack the router and infect it too, so that once someone disinfects their computer, the router could re-infect the computer at a later date. A router is a great place to hide, because nobody looks at it, and routers have ample storage for an attacker to exploit.

What can you do about it?

Webcam spying gets more attention

So, apparently Miss Teen USA’s computer got infected with a webcam-spying remote access trojan. So someone got some sneaky pictures of her, and tried to blackmail her. Fortunately, instead, she decided to talk about it.

This is good. The majority of people don’t take computer security seriously enough. This could get some people talking, finally.

Unfortunately, the one effective technique against something like this–application whitelisting–isn’t available for the home versions of Windows. Most people think of application whitelisting as a corporate thing, but a signature-based whitelist would keep this kind of software from running on a home PC, which is the target for webcam snooping. Home users need it too. And unfortunately, it’s the people who are most likely to buy the cheaper home version who need it the most. Are you listening, Microsoft?

In the meantime, keep a piece of tape on your webcams, I guess.

But maybe now that Miss Teen USA is running around the talk show circuit talking about this stuff, people will start thinking that maybe, just maybe, bad stuff doesn’t always just happen to other people’s computers. Because it doesn’t.

As a security professional, I’m glad for anything that raises awareness. Because security awareness is one of the DSD Top 35 mitigations–it’s #20. And of the 35, it’s the hardest to buy.

And if you’re not scared enough yet, it’s possible to do webcam spying not only with a laptop, but also with a smart TV. It’s a little harder with smart TVs because they’re all a little different, but nobody thinks about their smart TV, and the manufacturers rarely, if ever, update them to fix security bugs. Fortunately, TV hacking is, as far as we know, more in the realm of theory right now than active exploitation, but it’s only a matter of time before that changes. The time to pressure manufacturers–or just stop buying smart TVs–is now.

A more likely use of the Medtronic exploit

Yesterday morning, as I completed the long journey from my parking spot to my office, another more likely use of the security vulnerability in Medtronic insulin pumps occurred to me. Yes, the risks involving insulin are very real. And yes, a determined attacker could use this vulnerability to take a Medtronic owner’s life. But those chances are slim.

But nothing says this vulnerability has to be used to do mortal harm. An attacker could use it just for exploitation. And there’s enough difference that some people wouldn’t have a problem with crossing that line.

Another meaningless security report…

So Symantec is saying that IE is more secure than Mozilla-based browsers because there were 25 security vulnerabilities disclosed in the first half of 2005 for Mozilla, as opposed to 13 for IE.

Such reports are fine for Clueless Information Officers. Let’s analyze this like someone who actually knows what to do with that thing that sits between your ears. First and foremost, Mozilla lacks tight integration into the operating system, making it fundamentally less dangerous. Internet Explorer is like a bank that leaves its vault open after hours because it locked the front door. Since Mozilla lacks those ties that go directly into the operating system, it’s like a bank that locks the front door and the vault. The more locks the crook has to crack, the better.

Also, past performance isn’t necessarily an indication of future gains. People who invest know this all too well. Remember, the first half of 2005 was when Mozilla was seeing explosive growth. It was still a young product and had a lot of things to shake out.

But the potential is certainly there. Let’s look at Apache vs. IIS. You see fewer Apache vulnerabilities than IIS, even though Apache’s source code is visible for everyone to see, and even though Apache is a much larger market. Mozilla has this same potential.

In the meantime, Mozilla is still a minority browser. Since most hackers these days are motivated by profits, they’re going to do the same thing any other businessman does: Look for volume. Internet Explorer still has 12 times the exposure that Mozilla does. And Internet Explorer is often used in corporate environments, since many corporate intranets rely on IE-specific technology. That makes it an attractive target, since it’s easier to get through a browser than it is a corporate firewall. And once you do manage to get in, there’s a lot more good stuff inside a corporate LAN than there is inside a home LAN.

And by Symantec’s own admission, “at the time of writing, no widespread exploitation of any browser except Microsoft Internet Explorer has occurred.”

That tells us the Mozilla developers are working faster than the would-be Mozilla hackers, and it also suggests that hackers are looking harder at Internet Explorer.

Also, Symantec is being selective about the flaws it’s looking at. The article states that it only counts confirmed flaws. IE has 19 unconfirmed flaws versus 3 unconfirmed flaws for Mozilla. So IE has 19 unconfirmed and unfixed flaws plus 13 confirmed flaws, for a total of 32. Mozilla has 25 confirmed flaws plus 3 unconfirmed and unfixed, for a total of 28.

I don’t know about anyone else, but I’m more concerned about those unconfirmed and unfixed ones. As long as I’m running the current version of either browser, I’m protected against those 25 big bad flaws (for Mozilla) or the 13 (for IE) from earlier in the year. I can’t do anything about those 19 unfixed Internet Explorer flaws.

Frankly, I think Symantec is just trying to get a headline on a slow news day, and maybe trying to kiss up a bit to Microsoft, with whom it’s always had a very close relationship since Symantec traditionally has been willing to write the pieces of software that Microsoft for whatever reason doesn’t want to touch.

I’m sticking with Mozilla Firefox. Not only is it the safer browser when you look at the things that actually matter, it’s also the better one.

Can I ever buy a record again?

I read something today that tells an awful lot about the record industry, and it’s not a pretty picture.
Usually when I write a Wikipedia entry, it’s because something popped up on my watchlist, I read it, and found a reference to something that hadn’t been written yet. Today, a link to Doug Hopkins showed up, so I wrote it. It was a nice break from writing journalism history, which I’m more qualified to write about, but pop culture is more fun.

Doug Hopkins isn’t a household name, but if you’ve listened to popular music for the past decade, you’ve heard his songs. He was the songwriting talent behind the Gin Blossoms, an alt-rock band from Arizona that rocketed onto the landscape in 1993 and then faded fast.

There isn’t much information out there about Hopkins now, but it’s a typical garage band story: Hopkins founded a band in 1987, the lineup shuffled a bit, they spent a few years writing songs, recorded a one-off album that they sold themselves that contained early versions of what would become all their major hits, then they got discovered, and in 1990 they signed a big-time record deal. They recorded an EP that went nowhere, then recorded a full-length debut, only there was a problem. Hopkins, for whatever reason, couldn’t handle the pressure. He was a self-destructive type anyway, prone to depression and alcoholism and had first attempted suicide way back in 1983. He’d get nervous so he’d drink, then he’d go into the studio and flub up his guitar parts so he’d drink some more to feel better, and then he’d go in the next day and be even worse. Supposedly most of the guitar work on the songs that made the Gin Blossoms famous was actually Jesse Valenzuela, who was normally the rhythm guitarist, and little of Hopkins’ playing actually appeared on the album.

Eventually it got to a point where the band was wondering if they still had a record deal, and Hopkins became the catch. If Hopkins was in the band, they didn’t. If he was out, they did. So in April 1992 they put Hopkins on a plane back to Arizona and had someone back there tell him he was fired. They hired one of their groupies to play lead guitar, paid him half of the salary due to Hopkins ($760 a month–Hopkins got half and his replacement got half), and went on tour to support their album.

A year later, “Hey Jealousy” was being played on every modern rock station in the country, and by summertime, it would be on MTV and on the mainstream rock stations as well. I remember I couldn’t go anywhere in 1993 and not hear that song. Not that I’m complaining.

The deposed Hopkins wrote a few new songs and formed a new band, then another, but he was bitter. His friends were getting famous off his songs and downplaying his role in their creation, while he played small-time bars in and around Phoenix. He wrote a few pop songs for other people to try to make ends meet. But in late 1993, he started to self-destruct. In November, his girlfriend left. One Friday in early December, he went into a detox center for an evaluation, and on his way home, he stopped at a pawn shop and bought a gun. His sister came over that night and found the phone book open to gun shop ads. When she said goodbye to him for the last time, she knew it was the last time.

You probably can guess the rest. One of his new bandmates found him at 1:15 Sunday morning in his apartment.

The guy was obviously self-destructive, and everyone who knew him knew it and tried to get him help, and, having had my own struggles with depression, I know you can’t be helped until you want help. His band members knew it–when you listen to the lyrics, the Gin Blossoms songs on New Miserable Experience that weren’t written by Hopkins seem like they were written about him–and his family members knew it.

But on top of that, he had to deal with the question of how you pay your bills. At least when I struggled with depression, I didn’t have anyone hounding me for money I didn’t have. I was pulling in a couple thousand a month before taxes–not huge money, but enough to live on. This guy was making $380 a month, plus whatever he could manage to get from songwriting gigs and playing bars.

After his death, Hopkins’ lawyer guessed that his future songwriting royalties would be worth at least $500,000. Not bad for a two-hit wonder, and who knows how much staying power he was anticipating. (The two hits the Gin Blossoms would have after NME weren’t written by Hopkins.)

So Hopkins had a solid financial future ahead of him and anyone could see it. But he died with $498 in his pocket. He had no money in the bank.

There’s a word for that. Exploitation. Hopkins’ depression made for some good songs and some good money, but not for him.

And I’m supposed to run out and buy a bunch of records? When this is how the people who make them get treated? I don’t think so.

Will ZDNet ever get a clue about Linux?

The next time ZDNet runs a story about Linux and you start feeling the urge to click on the link and read it, I’ve got a piece of advice for you.
Lie down until it goes away.

If you have a clue about Linux, the story will just make you mad. If you’re trying to learn about Linux, ZDNet will fill you up with enough misinformation to confuse you for weeks.