Since graduating back in 2006 I’ve been honoured by Northumbria University by being asked to return and speak with their students with the hindsight of having spent time out in industry; I covered my last trip here. So when I got an email at the tail end of last year I didn’t think twice in agreeing; though in hindsight I should have asked more questions. Previous sessions have been 15-minute slots; this time around I was booked in for 2 HOURS, after I’d already agreed. – Think I nearly fainted at that point.
Thankfully one thing I’ve never had a problem with is telling war stories, anecdotes and lessons learned. As the Uni were looking for real-world experience this seemed ideal, so I based the presentation around incidents I’ve encountered, to (hopefully) help others learn from my experiences. For anyone willing to follow along at home the slide deck can be found here, though I doubt it’s particularly useful as the slides were more memory jogs for me than actually useful information.
As I was unsure how long I’d be able to talk for (anyone that has seen me talk previously will know I can get rather speedy as I get excited) I set up a lab environment to demo some of the technologies discussed, honeypots – no surprises there. The plan was that the lab could expand and fill whatever time was left in the session after I ran out of slides. At least that was the plan; as it happens the content generated sufficient levels of debate, interest and questions that I managed to fill the whole slot and even overrun slightly with some Q&A after the event.
Remembering my experience on the other side of the divide, bored stiff listening to those in the ‘real world’ whilst at Uni, caused me plenty of trepidation over the last couple of weeks that I’d be wasting everyone’s time. So I was delighted to (nervously) check my Twitter feed after the session closed and find several messages with positive feedback in my timeline; taking a leap of faith that the students weren’t all just being polite, the session seems to have been a success and of some benefit. Adding this to the usual buzz I gain after public speaking in general, I’m currently a very happy geek.
Many thanks to Northumbria University for extending the invitation in the first place, and for Onyx Group’s continued understanding and flexibility to enable me the time to get involved with this and similar activities – not all profit is commercial.
The reaction most people have when you point out that people are naive enough to post pictures of credit and debit cards online is to laugh; surely no one could be that unaware of the risks. But the fact is that the situation has become so commonplace that a number of Twitter accounts have been set up to automatically identify and repost the images.
Some, like @CancelThatCard/http://cancelthat.cc/ attempt to show the posters the error of their ways, while others merely highlight the posts and request that people “Please quit posting pictures of your debit cards”.
As an example (and as proof for those that don’t believe me), the latest image in the @needadebitcard feed at time of writing:
As a side note, it looks like Twitter is clamping down on the practice of highlighting these posts; the last message posted by @CancelThatCard on April 14th indicates that the service has essentially been censored. I hope Twitter reverses this; providing security information to end users is not something that should be prevented.
I’ve been following both accounts for some time; at first my reaction was the one I’ve discussed above, having a laugh at the expense of those who don’t recognise the security implications of their actions. As time went by I started messaging the accounts posting their cards to further highlight the error; this didn’t have the impact I was expecting. Instead of thanks for providing free advice it more regularly resulted in insults, abuse and flat denial that there was any risk involved.
Recently I came across an image of a card where the owner had attempted to obscure part of the card number and name; smart. Not so smart was that it was the first 5 digits of the 16-digit card number that were obscured. It’s little known (and wasn’t to me until I started following these cards in more depth) that the first 6 digits don’t identify the account or card holder, but the bank that issued the card. In this case the poster was helpful enough to identify the card as a personalised BarclayCard. A quick Google search led to this page, which, combined with knowing the 6th digit of the card, meant that the missing digits could only be one of two possibilities, reducing the potential entropy gained from obscuring part of the card from ~10k possible numbers to two possible card numbers: effectively posting the entire 16 digits online.
In the above example, which is far from uncommon, when I suggested the owner might want to remove the image and cancel the card the response was one of confusion, with no understanding of the risk. Despite further information and links, the image is still online (I have no way of knowing if the card has been cancelled).
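As an added illustration (not code from the original post): a small Python check that finds Luhn-valid card numbers in text and masks them down to the last four digits, plus a check that flags hand-masking which hides only the issuer digits, as in the example above. The sample text and the 4111 1111 1111 1111 test number are constructed.

```python
import re

# Constructed sample text standing in for the kind of post described above.
SAMPLE_TEXT = (
    "look at my new card!! 4111 1111 1111 1111 exp 12/25\n"
    "ref 1234 5678 9012 3456 is not a card number (fails Luhn)\n"
)

# 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
IIN_LENGTH = 6  # the first six digits identify the issuer, not the account


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_pans(text: str) -> list[str]:
    """Return digit-only PAN candidates in text that pass the Luhn check."""
    return [
        _digits_only(m.group())
        for m in PAN_RE.finditer(text)
        if luhn_ok(_digits_only(m.group()))
    ]


def redact_pans(text: str) -> str:
    """Replace each Luhn-valid PAN with a mask keeping only the last four digits."""
    def _mask(m: re.Match) -> str:
        digits = _digits_only(m.group())
        if luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()          # leave non-card digit runs untouched
    return PAN_RE.sub(_mask, text)


def mask_hides_only_iin(masked: str) -> bool:
    """True when a hand-masked number ('X' marks hidden digits) hides nothing
    beyond the issuer digits, so knowing the issuer recovers almost all of it."""
    digits = _digits_only(masked)
    hidden = [i for i, ch in enumerate(digits) if ch.upper() == "X"]
    return bool(hidden) and max(hidden) < IIN_LENGTH
```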
To end I’ll echo the plea from @needadebitcard: Please quit posting pictures of your cards, people.
— Andrew Waite
P.S. I’ve not identified any of the examples directly in this post, but I’ve also not cleared any of the conversations from my Twitter timeline if anyone is interested enough to search. If people post pictures of their account details online, and then don’t remove the same information once several people highlight the stupidity, then, well, me deleting a couple of Twitter posts isn’t going to improve their security.
More of a personal post this time; the post title(*) is about as geeky as it gets, if you’re only here for the tech then you may want to skip this one 🙂
I’m a geek (no surprises there), and thanks to too many hours hunched over the keyboard in the dark, coding away into the small hours, I’ve come to resemble the stereotype: overweight, four-eyed and (preferably) in black. I always assumed that this was me, and was happy with that; but towards the end of last summer there appeared to be an increase in geeks and hacker types pushing to get fitter: Hackerrun came and went, and a couple of my clients participated in a local 10k run. So I thought I’d see what all the fuss was about and join in.
At the time I came across the Couch to 5k program, which claims to be a nine-week training program that will take you from zero fitness to being able to run 5k. Three workouts a week, no more than 30 minutes a workout; even I can find time to squeeze that into my routine when I try to. I can definitely vouch for the zero fitness aspect of the program: the very first workout has you running for only one minute at a time (and who can’t run for a minute?). Well, it turned out I couldn’t…
I’m still not running 5k yet despite having been training for more than nine weeks, but I’m definitely getting there and I’m now completing, without complaint, training sessions that would have killed me 6 months ago.
Running has been going well, but I wanted to round out my training to get stronger as well as fitter. As I don’t have room at home for large and expensive weight machines, and don’t want to get locked into paying a gym for the next 12 months or more, I was struggling to find a way to incorporate this, until I came across the 100 pushup challenge.
The theory and training programme are similar to c25k, which I’m already comfortable with: follow a training plan and in eight weeks you’ll be able to do 100 consecutive pushups. Starting with an initial strength test of ‘how many pushups can you do without collapsing’ (I managed a meagre 6) you find a column on the training programme, and again have three workouts a week. This takes even less time than the 30 minutes needed for the running sessions; I completed each of the week 1 sessions in ~5 minutes.
I only completed the last workout session of week 1 this morning, and already I managed a total of 44 pushups, with my last set being 12; twice what I was capable of at the start of the week. How’s that for progress?
So, why am I sharing this? For one, I’m hoping that by throwing the fact that I’m training out in the public domain I’ll generate some peer pressure to keep going. It’s harder to stop if you have to explain to everyone why you’ve gone back to being lazy and unfit. Secondly, I wanted to share some of the apps, tech and services I’ve used so far in the hope it might help someone else.
I track all of my runs (and longer dog walking sessions) with RunKeeper. With the RunKeeper app on any GPS-enabled smartphone it will track the route and pace of any run. Personally I find that having stats, maps and other geekery tracking my progression helps keep my attention over time. It’s also very simple to program the c25k workouts into RunKeeper so your phone will beep when you’ve reached the time to switch between running and walking. Security warning: RunKeeper doesn’t enforce HTTPS at login or elsewhere on the site, so make sure you’re protected when you connect.
One word of caution, I found the GPS antenna on my phone becoming flaky so I recently upgraded to a dedicated sports watch, Garmin Forerunner 110. Not cheap, but still far cheaper than my outlay would have been if I was pounding the treadmill in a gym rather than the pavement for free.
On the pushup front, I’ve been using the Stronger app for tracking strength training, which integrates nicely with RunKeeper to keep everything in the same place. The app works well, but I’ve found it to be ssssllllllloooooowwwwwwww at times.
Peer pressure time; if you’re a RunKeeper user my profile is here, feel free to join my street team. If you’re not a RunKeeper user you can still use the same link to track my training progress and give me a friendly kick if I stop being active 😉
Never thought I’d say this, but I’m actually enjoying doing physical exercise now. And losing 10% of my starting body weight so far doesn’t hurt either; if I can do it, anyone can.
(*) For the non-’nix geeks reading this, the post title is a Bash one-liner, with the sed command changing the eventual output from fat to fit…
Originally I wasn’t planning on a review this year, as I didn’t think that much had happened, but during some end-of-year housekeeping I came across the InfoSanity review of 2009 and wanted to keep the trend going. In keeping with last year’s review, I’ll start with the non-technical (again on pain of death 😉 ): wedding plans are going strong, so I should be a married man in early 2011.
Back to the technical: despite my initial concerns, the site, blog and research environment are still here and still growing. To all those who’ve read, contributed and (most importantly) told me I’m wrong over the past year (you know who you are), thank you.
Lab Environment(s): To complement the home lab established in 2009, 2010 saw the introduction of a hosted virtual lab which has provided the opportunity to easily try new (and old) technologies in the real world. As part of this InfoSanity has setup (and in some cases also removed) instances of honeyd, Dionaea, Amun and Kippo. These systems have also resulted in some new utilities being developed and released as I worked through various findings.
Whilst standing on the shoulders of giants (thanks Markus), some of the findings from the InfoSanity environment are now available publicly. Although I really must complete both automating the process and including findings from other systems, 2011’s to-do list is already growing.
Public Speaking: For some reason I’ve still been asked to talk in public about topics I find fascinating; so thanks to the Disaster Protocol team for having me on the show. I felt it was a great discussion of honeypot technologies and infosec in general, and from feedback I’ve had others seem to agree.
Trying new things: Whilst trying to grow and mature over the year InfoSanity tried a few different themes and topics, some worked, like basic ssh hardening guidelines (potentially more to come in new year) and some didn’t, like the ‘Infosec Triads’ series. But if you don’t stretch yourself you’ll stop learning, so expect more posts that don’t quite work in 2011.
Friends, contact and groups: As with last year, the best part of 2010 has definitely been the people I’ve either continued talking to and/or working with and those I’ve met for the first time. 2010 saw a growth spurt in local and online groups I’ve been involved in, including the start of NEBytes, ToonCon and the Kippo User Group. There are also a huge number of awesome groups which I don’t get as much time to get involved with as I’d like; EH-Net, Group51, DissectingTheHack, Exotic Liability…the list goes on.
2011?: Who knows? Every time I try to make plans or predictions the Sky Fairies and Flying Spaghetti Monsters mock me, so I won’t try to make any. But whatever the outcome, I’m not expecting a letup in the pace, and can already see some exciting new opportunities on the horizon.
Another decade down, and a new year of opportunity ahead. See you all in 2011.
Apologies for the break in regular postings; I was caught by surprise when I realised that it had been over a month since the last InfoSanity post. Unfortunately I haven’t won the lottery and been living in the lap of luxury, just real life and work getting in the way of extracurricular activities.
Normal service should now be resuming shortly.
— Andrew Waite
I want to say thank you to everyone who has supported this site and blog, but it is closing down as I am now rich thanks to the Central Bank of Nigeria. No, seriously, they sent me an email and everything….
Okay, maybe not, but it’s a while since I’ve seen a 419 (advance fee fraud) slip through to my inbox, so I thought I’d share. Originally I had planned to critique different parts of the email, but I still can’t believe people fall for these, so instead I’ll just share the ‘wealth’ for all.
This is to congratulate you for scaling through the hurdles of screening by the board of directors of this payment task force. Your payment file was approved and the instruction was given us to release your payment and activate your ATM card for use.
The first batch of your card which contains 1,000.000.00 MILLION U.S. DOLLARS has been activated and is the total fund loaded inside the card. Your fund which is in total 10,000.000.00 MILLION U.S. DOLLARS will come in batches of 1,000.000.00 MILLION U.S. DOLLARS and this is the first batch.
Your payment would be sent to you via UPS or FedEx, Because we have signed a contract with them which should expired by MARCH 30th 2010 Below are few list of tracking numbers you can track from UPS website(www.ups.com) to confirm people like you who have received their payment successfully.
JOHNNY ALMANTE ==============1Z2X59394198080570
CAROL R BUCZYNSKI ==============1Z2X59394197862530
KARIMA EMELIA TAYLOR ==============1Z2X59394198591527
LISA LAIRD ==============1Z2X59394196641913
POLLY SHAYKIN ==============1Z2X59394198817702
Good news, We wish to let you know that everything concerning your ATM CARD payment despatch is ready in this office and we have a meeting with the house (Federal government of Nigeria) we informed them that your fund should not cost you any thing because is your money (Your Crad). Moreover, we have an agreement with them that you should pay only delivering of your card which is 82 U.S. DOLLARS by FedEx or UPS Delivering Company.
However, you have only three working days to send this 82 U.S. DOLLARS for the delivering of your card, if we don’t hear from you with the payment information; the Federal Government will cancel the card.
This is the paying information that you will use and send the fee through western union money transfer.
Name: IKE NWANFOR
I wait the payment information to enable us proceed for the delivering of your card.
Do I really need to suggest anyone ignore similar opportunities that may reach their inbox?
Additionally, if you want to find out more, or for a good laugh at the expense of these ‘con-men’, take a trip over to the excellent 419Eater site; these guys (and gals) do great work.
Yesterday I got curious:
My initial count was five, but I realised I’d missed some after the responses I received. In a ‘general’ sorting from most common to least from my (admittedly small) sample set, the available contact methods are:
- Email (always multiple accounts per person)
- Instant Messaging (MSN, AOL, etc.) (usually multiple per person)
- Twitter (often multiple accounts)
- Google Wave
Which seems to be a lot, and from the responses I seem to be behind the curve in contactability. All this makes me wonder: in a world where outdated and unpatched client applications are a growing intrusion vector, do we really need all these ways for people and systems to communicate with us?
While you’re thinking, are there any of your communication tools that you could do without? If you stopped signing into MSN (for example) would you lose contact with anyone who couldn’t reach you via a different communication channel?
I’m not sure if there is a purpose to these thoughts or the very unscientific findings, but I’ve been thinking about this for a while so thought I’d share.
— Andrew Waite
P.S. thanks to those who participated, you know who you are.