One of the cool trends I've seen at different hacker events like Shmoocon and Defcon this year is interest in hacking physical security instead of digital security. More and more people are getting interested in 'lock sports' or the art of picking and bumping locks for the sheer challenge of it. The same curiosity that creates computer hackers is driving these people to learn everything they can about the internals of locks of every variety and shape.
Lock sports have a similar set of ethics as computer hacking originally had: do no harm, explore but don't do anything bad. All of the lock sports people I've talked to so far have stressed the fact that they aren't learning so that they can break into the neighbor's house, they're learning just to satisfy their curiosity. As they teach new people how to use their skills, it's made clear that there's a set of ethics that people are expected to follow.
There are some actions you should take only after careful consideration, and there are some you shouldn't take at all. Going undercover at Defcon with the intent to catch a hacker on camera agreeing to commit a crime definitely falls under the second category, something you shouldn't do at all. Unfortunately, Michelle Madigan from Dateline NBC failed to recognize the difference and was frightened and embarrassed at Defcon in front of a packed room of hackers, most of which was caught on camera as she tried to flee the scene.
Virtual machines are all the rage right now, but that might be about to change. One of the main attractions of VMs was the knowledge that even if the virtual machine was compromised, the host OS was secure. Or at least it was until now. Ed Skoudis and Tom Liston from Intelguardians have discovered a way to crash the guest operating system and run arbitrary code on the host operating system. They demonstrated their technique to attendees at SANSFIRE 2007 last Friday, though the specific details of the compromise were kept secret from the audience.
I've got a Bachelor's degree in Information Systems Management, my Certified Information Systems Security Professional (CISSP) certification, the SANS GIAC Systems and Network Auditor (GSNA) certificate, and I used to be a CCNA. I spent two years getting my B.S. by attending night courses, the CISSP took me 6 months of constant study, the GSNA required a week's worth of intense instructor-led study, and I spent the better part of a school year taking the official Cisco coursework at the local junior college before taking the test. And with the exception of the CCNA, the time I spent earning my degree and getting my certifications was aimed strictly at filling in a check box on an HR person's list rather than learning something. Not to say I didn't learn something in studying for each, but my goal was fulfilling a job requirement instead of education.
In a previous incarnation, I ran the web traffic monitoring software for a major company. It was my job to make sure that the employees of the company couldn't get to sites they weren't supposed to and occasionally run reports for the Human Resources department. The company's policy was relatively simple: no pornography, no hate sites, no gambling at work. They didn't monitor time online or have any automated reports to tell who was spending too much time online, they only asked for details if there was a problem. Having had that experience I'm more than a little dubious of any claim by a vendor that their product is going to "make companies more efficient and effective".
Cox Communications has been attempting to help their customers by routing traffic destined for botnet-controlled IRC servers to their own IRC servers. Many, if not most, of today's bots use IRC channels to allow botnet owners to control infected computers, a fact that Cox is trying to use to their customers' advantage by using DNS tricks to send requests destined for these control channels to their own servers. The Cox-controlled IRC server then tries a number of commands to get the bot to uninstall itself. Even if this doesn't work, the fact that the bot running on a home system is connecting to Cox's IRC server rather than the bot herder's means that the bot will not get commands from the real IRC channel, effectively rendering it useless to the bot herder.
I'll admit freely that I'm a little jealous of people who have iPhones; I want one for myself just because they're so new, so pretty and shiny. But even if I could afford one right now, I doubt I'd pick one up. Between the problems with Safari and the efforts being made to attack the phone by anyone looking to make a name for themselves, the security of the iPhone is going to be more than a little questionable for the next few months. Given that the latest set of vulnerabilities discovered can lead to full control over the iPhone, I'm doubly glad I haven't purchased one.
This is starting to get just plain silly. It turns out that the Information Security Sellout most likely isn't LMH, as supposed by Cutaway on his blog Tuesday night. But it definitely isn't David Maynor either. There are new rumors floating around about the identity of the Sell Out, but nothing anyone is willing to commit to at this point.
When the Information Security Sell Out site appeared in February, I wasn't particularly happy about it, since one of the first posts on the site was a rant against the Security Bloggers Meetup I helped organize at RSA in February. If it had just been a rant by someone who had been willing to identify themselves, I wouldn't have been too put out, but the author was making claims of having been there. I don't mind being criticized for something I've done, as long as you're willing to identify yourself and take a dose of your own medicine. I find hiding behind a mask of anonymity dishonest, especially if you're just using it to make malicious attacks.
According to a report by the Veterans Affairs Department, an employee of the organization attempted to minimize the apparent impact of a breach in January. The IT specialist deleted and encrypted files on his system to minimize the apparent impact of the theft of an external hard drive, though he later admitted to the changes. The use of an external drive was against policy, and the files were likely deleted to hide the extent of the data that was stolen. The specialist remains unnamed but has been put on administrative leave pending investigation.
Remember back in November of 2005 when the Sony rootkit fiasco began? Sony BMG included software from developer SunnComm to prevent piracy of CDs. One of the problems with the software was that it dug into your computer and made itself invisible to almost every tool on your system. That would have been bad enough, but the software also left a few holes open so that viruses or trojans could use SunnComm's software to hide their own presence from the operating system. We raised a big stink in the blogosphere, Sony got sued and settled with customers, and everything got quietly forgotten. Or so it seemed.
It happens all the time to companies around the globe; I even remember several security companies it's happened to. Someone wasn't paying attention when they created a directory or published a file to the web server, and suddenly sensitive documents are being exposed to the Internet and anyone who wants to download or view them. A recent example is Astroglide and the 250,000 customer records they recently published to their web site. There are a lot of people who are going to be embarrassed, and the makers of Astroglide are facing enough fines that it could put them out of business. But this doesn't even come close to the possible damage that could happen when the people who accidentally expose records are in the military or government. It's one thing if your data exposure puts someone's credit card information at risk, but it's a different beast altogether when it's lives you're putting at risk.
I'm back.
In case you don't follow my personal travails, I've spent the last four months working for security software vendor StillSecure as their Cobia Product Evangelist. It was a dream job, or so I thought. The reality turned out to be that it's a dream job, just not my dream job. Anyone with a clear head would have realized that a job titled "Product Evangelist" would be a marketing job. I obviously did not have a clear head when I took the job, because otherwise I would have realized at the time that I'm allergic to marketing and spin.
Over the weekend I had the pleasure of attending Shmoocon. I've never attended an event like it, though I plan on attending again next year if humanly possible. It was a ton of fun and almost as educational as it was entertaining. Of course, getting up at 4:50 this morning to catch my flight was painful, especially since I was supposed to get up at 4:30.
Of the many discussions I saw over the weekend, one of the most fascinating was a talk on the security of the One Laptop Per Child project. This is the effort by Nicholas Negroponte to create a sub-$100 laptop to distribute to over 100 million children between 5 and 12 in underprivileged countries. The project has quite a few very lofty goals, and one of the biggest problems is that many of the goals seem to be mutually exclusive, such as the source code for all software on the laptop being open and viewable while still being secure. Not an easy goal, especially given that a large portion of the work is being done by volunteers.
I just got through reading the latest Internet Security Threat Report (ISTR) from Symantec and Brian Krebs' analysis. It makes for some interesting reading on the current trends and some educated guesses by the experts with the raw data at their fingertips. The full paper should be released in the next few days.
Brian Krebs pointed out that a large portion, approximately 77%, of malicious software isn't using a vulnerability to infect systems. This means someone is installing, or giving permission to install, this software. If you couple this with the finding that SMTP (email) is responsible for the propagation of 78% of all malware, it means people are still clicking on software they get in emails, and the spammers know it. Zangosearch was listed as the most common security risk reported, a program classified as 'adware' but which could probably be reported as a trojan just as easily. People are still installing these programs at an astonishing rate, despite all efforts at education.