Tuesday, October 14, 2008

Security Idiot Welcomes Kevin Mitnick!

Kevin was recently travelling to a security conference where he was due to demonstrate his lock-picking equipment...ahem..."moderate a panel at a security conference sponsored by the American Society for Industrial Security (ASIS)" when his number came up. As he arrived in Atlanta he was stopped by border security and invited to give a guided tour of his belongings.

The highlight of the 'consultation' came when he was asked to provide evidence of his ASIS attendance. Instead of travelling with a pre-printed itinerary and handing that to the border inspectors, he had to pull out his laptop, and then, right in front of the officials, he...

1. Deleted his Firefox private data...("Just say Yes")
2. Promptly hit the power off button as the officials grabbed the laptop suspecting he was erasing evidence.

This tale could be called 'How To Freak Out Border Inspectors Who Already Suspect You Are Shady'.

Nevertheless, Mitnick was keen to point out that client data was not exposed in any way (Ed: just copied) and that in future he plans to clone himself and travel as a Mitnick swarm in order to conduct birthday attacks on random border guards ("Is it me? Is it me?").

We admire Kevin as he spoke with a CNet reporter:

"There was uncertainty, fear, and panic because I didn't know what was going on, and I didn't do anything wrong," he said in a recent telephone interview with CNET News. "In my mind, I thought I was being set up for something."
If you want to read the rest of the story, including the part about "his package" being found to have traces of cocaine, you won't find us talking about that here. You'll have to go here instead.

Sunday, July 27, 2008

Thomas Ptacek: Too Quick By Far!


This week's nomination for SecurityIdiot (TM) goes to Thomas Ptacek.

In fact, we think he nominated himself.

Summary:
- Dan finds big DNS bug
- co-ordinates with Vixie, CERT et al - fixes get prepared
- Dan announces to world + dog: "patch now, I'll disclose in 4 weeks at BlackHat"
- Doubting Thomas proclaims the bug can't be all that serious
- Dan confides in Thomas, who does an about-turn and announces 'It's the real deal'
- Mucho guessing on DailyDave mailing list
- Halvar - who really should have been studying for his exams - chimes in with his theory
- Thomas tells Halvar - via the Matasano blog - 'By jove, you've gone and guessed what that Kaminsky fella told me down the pub about his DNS sploit'.
- Story catches fire, exploits are written
- Thomas goes 'Duh' and publishes the apology below...

Earlier today, a security researcher posted their hypothesis regarding Dan Kaminsky’s DNS finding. Shortly afterwards, when the story began getting traction, a post appeared on our blog about that hypothesis. It was posted in error. We regret that it ran. We removed it from the blog as soon as we saw it. Unfortunately, it takes only seconds for Internet publications to spread.

We dropped the ball here....

Continues at the Matasano Chargen Blog

Wednesday, July 23, 2008

Future Vulnerability Researcher?

Grasping the lingua franca of your mother tongue is sometimes a waste of neurons.

If you want to be a kick-ass vulnerability researcher, less is sometimes more.

Your formative years could be better spent studying Intel developer manuals.

Watch this video to determine if you may be harbouring someone in your family who has haxxor tendencies...

Courtesy of Beast or Bhudda

Pwnie Awards: Keepin' It Real

Back again at Black Hat this year, the Pwnie awards...

"An annual awards ceremony celebrating and making fun of the achievements and failures of security researchers and the wider security community".

Look what you could have been nominated for:
  • Best Server-Side Bug
  • Best Client-Side Bug
  • Mass 0wnage
  • Most Innovative Research
  • Lamest Vendor Response
  • Most Overhyped Bug
  • Best Song
  • Most Epic FAIL
  • Lifetime Achievement Award
Obviously here at securityidiot.com, we're most interested in the 'Most Epic FAIL' category (although Best Song could swing it). Lamest Vendor Response may feature but then we'd get lost in Press Release clippings.

Stay tuned for further updates!

Source

Thursday, July 17, 2008

Impress Your Peers With Your Grasp of IT Security Terminology

To truly dominate in the IT security field, it's vital to be able to 'talk the talk' - the rest can come later.

What follows is an insider's guide to help you apply the right terminology at the right time. Many people tie themselves up in knots with poor use of IT security terminology. Frankly, there's a lot of misunderstanding out there.

Cut through the fog with this helpful list. Impress your peers!


24/7
The window of time in which systems are most vulnerable to attack.

BC/DR (Business Continuity/Disaster Recovery Planning)
An alternate spelling for "CISO".

Biometrics
Strong authentication mechanism that streamlines insider attacks.

Business case
A creative writing project, the quality of which is directly proportional to your security budget.

Confidentiality, integrity and availability
The three great myths of the Internet Age.

Cryptography
The science of applying a complex set of mathematical algorithms to sensitive data with the aim of making Bruce Schneier exceedingly rich.

Cybercrime
Crime.

Downtime
Refers to computer systems' natural state; the opposite of anticipated downtime.

E-Commerce
A historical fad (fashion) from the late '90s meant to generate hundreds of billions of dollars in new profits; the inciting factor that generated hundreds of billions of dollars being spent on security products.

Firewalls
Speed bumps.

Hackers
Self-righteous crackers.

Help desk
A place where rude people read instruction manuals to confused people over the phone, for a fee.

Identity theft
The transfer of your personally identifying information from corporations that want to exploit it to hackers who want to exploit it.

Intrusion Detection Systems (IDS)
Log file generators.

JOOTT ("jute")
Acronym for Just One Of Those Things; the primary explanation for most information security problems.

Laptop
A computer designed to allow employees to easily store vast amounts of customer data in the backseat of a taxicab.

Logging
The practice of filling shelves with printouts.

Logical security
A goal; also, an oxymoron (contradiction).

Mission critical
Term used to help hackers identify their targets.

Non-repudiation
The opposite of repudiation; repudiation, only not.

O.S. hardening
An attempt to secure your operating system against the next hack by closing the hole used by the previous one.

Passwords
Authentication tool that, when properly implemented, drives growth at the help desk.

Patching
A mandatory fool's errand.

Pharming and phishing
Ways to obtain phood (i.e. food).

PKI (Public-Key Infrastructure)
A system designed to transfer all of the complexities of strong authentication onto end users.

Regression testing
The process by which you learn how the patches that fixed your system also broke your system.

Road warriors
Traveling employees responsible for delivering malicious code back to headquarters.

Scope creep
Stage three of the standard software development model.

Security administrator
Firefighter.

Security officer
Fall guy.

Total Cost of Ownership (TCO)
In security, an incalculable number always equal to or greater than the budget.

Upgrade
The process by which you introduce new vulnerabilities into software.

Virus
Sort of like a worm, but not exactly.

Worm
Similar to a virus, but different.

Zombie
See "Distributed Denial of Service".

From Comunidade ISMS PT

Tuesday, July 15, 2008

Stop Following Me on Twitter: Hoff Launches Unprovoked Simile Attack On His Twitiples


  • Security is like Escargot. It's crunchy on the outside, chewy on the inside, and like everything else, should be blamed on the French!
  • Security is like Kimchee...to make it you have to slap it together, bury it and then dig it up when it smells to explain how special it is..
  • Security is like Durian: It's lousy in airports, stinks when exposed and looks oddly out of place no matter how you slice it...
  • Security is like fertilizer, the more shit you spread around the worse it gets and watering it down only makes it worse
  • Security is like a vibrator...

Continued at Rational Survivability

Friday, July 11, 2008

How I Lost a Contest Involving Chihuahuas


"So my lovely gfnd’s co-worker enrolled her pet Chihuahua into a contest to rate the dog against others of the same breed in the local area. Vaguely amused, I took a look at the web application and sure enough, it pretty much sucked.
The developers had used client-side code in Flash to make it so that you couldn't submit twice, but in re-loading the app you could (and that's how the newbs in her office were cheating). I, however, looked at what data it was sending and sure enough I could send votes by bypassing the client side app entirely. I took the cheating to a whole new level...."

Continued here

[kudos to the anonymous reader for the tip]
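The bug behind the story above is the oldest one in web security: the "you already voted" check lived only in the Flash client, so anyone who captured the POST body could replay it as often as they liked. The example below is added here as an illustration and is not code from the quoted post or from the contest site. It models the vote endpoint as two plain Python classes (no real HTTP): a vulnerable one that trusts the client, and a hardened one that issues server-side sessions and records which session has already voted for which dog. The field names (`dog_id`, `rating`, `session`) and the captured request are constructed for the demo.

```python
"""
Added example, not from the original post: why a client-side "already
voted" guard is worthless, and what moving it server-side looks like.
The form field names and the captured request below are invented.
"""
import secrets

VALID_RATINGS = range(1, 6)   # assumption: ratings are 1..5


class VulnerableContest:
    """Server side of a vote form whose only one-vote-per-visitor guard is
    in the Flash client. The server never asks who is voting, so a replayed
    POST body is counted every time."""

    def __init__(self):
        self.totals = {}

    def handle_vote(self, form):
        dog = form["dog_id"]
        rating = int(form["rating"])
        self.totals[dog] = self.totals.get(dog, 0) + rating
        return {"status": "ok"}


class HardenedContest:
    """Same endpoint with the guard on the server: every vote must carry a
    session the server issued, a session may vote once per dog, and the
    rating is range-checked instead of trusted."""

    def __init__(self):
        self.totals = {}
        self.sessions = set()
        self.voted = set()          # (session_id, dog_id) pairs already spent

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions.add(sid)
        return sid

    def handle_vote(self, form):
        sid = form.get("session")
        dog = form.get("dog_id")
        try:
            rating = int(form.get("rating", ""))
        except ValueError:
            return {"status": "error", "reason": "bad rating"}
        if sid not in self.sessions:
            return {"status": "error", "reason": "no session"}
        if rating not in VALID_RATINGS:
            return {"status": "error", "reason": "bad rating"}
        if (sid, dog) in self.voted:
            return {"status": "error", "reason": "already voted"}
        self.voted.add((sid, dog))
        self.totals[dog] = self.totals.get(dog, 0) + rating
        return {"status": "ok"}


def replay_attack(contest, form, times):
    """Send one captured POST body `times` times, never touching the client."""
    return [contest.handle_vote(form)["status"] for _ in range(times)]


def demo():
    """Replay a captured 5-star vote 100 times against each server.
    Returns (vulnerable total, hardened total, votes the hardened one accepted)."""
    captured = {"dog_id": "chihuahua-7", "rating": "5"}   # constructed capture
    weak = VulnerableContest()
    replay_attack(weak, captured, 100)
    strong = HardenedContest()
    sid = strong.new_session()
    accepted = replay_attack(strong, dict(captured, session=sid), 100).count("ok")
    return weak.totals["chihuahua-7"], strong.totals["chihuahua-7"], accepted


if __name__ == "__main__":
    print(demo())   # (500, 5, 1)
```

The replay gives the vulnerable server 500 points from a single captured request; the hardened one counts the first vote and rejects the other 99. Note what the session check does and does not buy you: it stops replaying one request, but if sessions are free a script can mint a new one per vote, which is the server-side equivalent of the "reload the app" trick the office newbs were using. To actually limit ballot stuffing, tie the session to an authenticated account or at least rate-limit session creation per source.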


All posts and comments © their original owners. Everything else (except base design template) is © securityidiot, 2008. securityidiot's posts can be reused or republished solely in accordance with the BY-NC-ND Creative Commons License. All rights reserved. BTW, great pants!