Sunday, July 27, 2008

Thomas Ptacek: Too Quick By Far!


This week's nomination for SecurityIdiot (TM) goes to Thomas Ptacek.

In fact, we think he nominated himself.

Summary:
- Dan finds big DNS bug
- co-ordinates with Vixie, CERT et al - fixes get prepared
- Dan announces to world + dog: "patch now, I'll disclose in 4 weeks at BlackHat"
- Doubting Thomas proclaims the bug can't be all that serious
- Dan confides in Thomas, who does an about-turn and announces 'It's the real deal'
- Mucho guessing on DailyDave mailing list
- Halvar - who really should have been studying for his exams - chimes in with his theory
- Thomas tells Halvar - via the Matasano blog - 'By jove, you've gone and guessed what that Kaminsky fella told me down the pub about his DNS sploit'.
- Story catches fire, exploits are written
- Thomas goes 'Duh' and publishes the apology below...

Earlier today, a security researcher posted their hypothesis regarding Dan Kaminsky’s DNS finding. Shortly afterwards, when the story began getting traction, a post appeared on our blog about that hypothesis. It was posted in error. We regret that it ran. We removed it from the blog as soon as we saw it. Unfortunately, it takes only seconds for Internet publications to spread.

We dropped the ball here....

Continues at the Matasano Chargen Blog

Wednesday, July 23, 2008

Future Vulnerability Researcher?

Grasping the lingua franca of your mother tongue is sometimes a waste of neurons.

If you want to be a kick-ass vulnerability researcher, less is sometimes more.

Your formative years could be better spent studying Intel developer manuals.

Watch this video to determine if you may be harbouring someone in your family who has haxxor tendencies...



Courtesy of Beast or Bhudda

Pwnie Awards: Keepin' It Real

Back again at Black Hat this year, the Pwnie awards...

"An annual awards ceremony celebrating and making fun of the achievements and failures of security researchers and the wider security community".

Look what you could have been nominated for:
  • Best Server-Side Bug
  • Best Client-Side Bug
  • Mass 0wnage
  • Most Innovative Research
  • Lamest Vendor Response
  • Most Overhyped Bug
  • Best Song
  • Most Epic FAIL
  • Lifetime Achievement Award
Obviously here at securityidiot.com, we're most interested in the 'Most Epic FAIL' category (although Best Song could swing it). Lamest Vendor Response may feature but then we'd get lost in Press Release clippings.

Stay tuned for further updates!

Source

Thursday, July 17, 2008

Impress Your Peers With Your Grasp of IT Security Terminology

To truly dominate in the IT security field, it's vital to be able to 'talk the talk' - the rest can come later.

What follows is an insider's guide to help you apply the right terminology at the right time. Many people tie themselves up in knots with poor use of IT security terminology. Frankly, there's a lot of misunderstanding out there.

Cut through the fog with this helpful list. Impress your peers!


24/7
The window of time in which systems are most vulnerable to attack.

BC/DR (Business Continuity/Disaster Recovery Planning)
An alternate spelling for "CISO".

Biometrics
Strong authentication mechanism that streamlines insider attacks.

Business case
A creative writing project, the quality of which is directly proportional to your security budget.

Confidentiality, integrity and availability
The three great myths of the Internet Age.

Cryptography
The science of applying a complex set of mathematical algorithms to sensitive data with the aim of making Bruce Schneier exceedingly rich.

Cybercrime
Crime.

Downtime
Refers to computer systems' natural state; the opposite of anticipated downtime.

E-Commerce
A historical fad (fashion) from the late '90s meant to generate hundreds of billions of dollars in new profits; the inciting factor that generated hundreds of billions of dollars being spent on security products.

Firewalls
Speed bumps.

Hackers
Self-righteous crackers.

Help desk
A place where rude people read instruction manuals to confused people over the phone, for a fee.

Identity theft
The transfer of your personally identifying information from corporations that want to exploit it to hackers who want to exploit it.

Intrusion Detection Systems (IDS)
Log file generators.

JOOTT ("jute")
Acronym for Just One Of Those Things; the primary explanation for most information security problems.

Laptop
A computer designed to allow employees to easily store vast amounts of customer data in the backseat of a taxicab.

Logging
The practice of filling shelves with printouts.

Logical security
A goal; also, an oxymoron (contradiction).

Mission critical
Term used to help hackers identify their targets.

Non-repudiation
The opposite of repudiation; repudiation, only not.

O.S. hardening
An attempt to secure your operating system against the next hack by closing the hole used by the previous one.

Passwords
Authentication tool that, when properly implemented, drives growth at the help desk.

Patching
A mandatory fool's errand.

Pharming and phishing
Ways to obtain phood (i.e. food).

PKI (Public-Key Infrastructure)
A system designed to transfer all of the complexities of strong authentication onto end users.

Regression testing
The process by which you learn how the patches that fixed your system also broke your system.

Road warriors
Traveling employees responsible for delivering malicious code back to headquarters.

Scope creep
Stage three of the standard software development model.

Security administrator
Firefighter.

Security officer
Fall guy.

Total Cost of Ownership (TCO)
In security, an incalculable number always equal to or greater than the budget.

Upgrade
The process by which you introduce new vulnerabilities into software.

Virus
Sort of like a worm, but not exactly.

Worm
Similar to a virus, but different.

Zombie
See "Distributed Denial of Service".

From Comunidade ISMS PT

Tuesday, July 15, 2008

Stop Following Me on Twitter: Hoff Launches Unprovoked Simile Attack On His Twitiples


  • Security is like Escargot. It's crunchy on the outside, chewy on the inside, and like everything else, should be blamed on the French!
  • Security is like Kimchee...to make it you have to slap it together, bury it and then dig it up when it smells to explain how special it is...
  • Security is like Durian: It's lousy in airports, stinks when exposed and looks oddly out of place no matter how you slice it...
  • Security is like fertilizer, the more shit you spread around the worse it gets and watering it down only makes it worse.
  • Security is like a vibrator...

Continued at Rational Survivability

Friday, July 11, 2008

How I Lost a Contest Involving Chihuahuas


"So my lovely gfnd’s co-worker enrolled her pet Chihuahua into a contest to rate the dog against others of the same breed in the local area. Vaguely amused, I took a look at the web application and sure enough, it pretty much sucked.
The developers had used a client side code in Flash to make it so that you couldn’t submit twice, but in re-loading the app you could (and that’s how the newbs in her office were cheating). I, however, looked at what data it was sending and sure enough I could send votes by bypassing the client side app entirely. I took the cheating to a whole new level...."

Continued here

[kudos to the anonymous reader for the tip]

Is It Easier To Get Fired in IT Security Than, Say, As A Security Officer on a USAF Installation?

Or, what about getting fired on your day off?

You drop your wife at the hairdressers and you need to find something to do. What could possibly go wrong?

Favorite quote:
“Hell no, we’re not conducting a sting operation in that area or any area for that matter.” He then ended the conversation with, “Arrest his ass, and confiscate his badge!”

Thursday, July 10, 2008

Are You A Security Idiot?

You Are "A Security Idiot" If you...
  • Misspell both HIPAA and SOX (how the f does one misspell SOX?)
  • Confuse "risks" and "threats"
  • Think that "Trojan is a vulnerability" AND "DoS is a vulnerability"
  • Quote "Insiders are 80%" without thinking for one darn second
  • Think that a loss of "$20 million is catastrophic to any company"
  • Talk about "NIST compliance"
  • Consider IDS a network security control
  • Shout that "perimeter is dead"
Please add your faves to the list and we can create an official list to be used to expose fake experts. If you think that nobody in our industry is that stupid ... think again. F*ck!

Source (with permission)

[update] More Stupidity from Anton :P

Blog Launch

Greetings!

This blog is dedicated to IT Security Professionals that do stupid, idiotic, brain-dead security things. These could be operational mishaps, dumb technology decisions or strategy decisions that leave an org more vulnerable (and poorer) than when the IT Pro walked in the door.

A few examples to whet the appetite:
  • misconfiguring routing tables on mission critical firewalls to bring production networks to a screeching halt
  • implementing a non-SSL aware NIDS on a segment that only has HTTPS traffic
  • declaring to management that secure email best practices require selecting a white font color on a white background when sending sensitive messages
  • screwing up an arpspoof attack during a pen-test, becoming "man-on-the-end" and downing a production network
  • spending all the security budget on the latest network security gizmo when the outside door to the data center doesn't shut properly.
It is *not* about non-IT Security Professionals that do stupid, idiotic, brain-dead security things. This is assumed (no offense lusers!).

The site is powered by you, the reader. You submit stories and if they're funny enough we'll post 'em.

If you have witnessed a truly idiotic action by someone that claims to be an IT Security Professional, email us at securityidiot@gmail.com. No need to name names - in fact, if you do, we can't post it - sorry.

All postings will be strictly anonymous.

Send us your "over beer" stories, we'll figure out what works as we go along...

The SecurityIdiot team.

P.S. Curious about the origin of "Security Idiot"?

All posts and comments © their original owners. Everything else (except base design template) is © securityidiot, 2008. securityidiot's posts can be reused or republished solely in accordance with the BY-NC-ND Creative Commons License. All rights reserved. BTW, great pants!