Jeff Moss + DHS = Super Security

“Godfather of Hackers” Jeff Moss, founder of the Black Hat and Defcon hacker and security conferences, was sworn in as one of the new members of the Department of Homeland Security’s Advisory Council (HSAC). And we think it’s a shrewd and thoughtful move. Obama seems to be getting serious about cyber security now by hiring “Dark Tangent.”

on gizmodo

Jeff Moss is not only a celebrity in the world of hacking, he is also a powerbroker. He is a respected force to be reckoned with. I am not going to say that I think he is some sort of cyber mafia boss, but I will say that he could destroy just about anyone with a 100-word post on a forum. Getting “street cred” in the hacker world is something that must be truly earned, usually by technical expertise proven to hundreds or even thousands of your hacker peers and validated by published technical papers, famous/infamous system infiltrations, the discovery of 0-day exploits that make major corporations take notice, or some combination of these.

Jeff has his finger on the pulse of the entire spectrum of hacking.

Jeff is now going to advise the president.

Now that is good judgement.

You Hack US, We Nuke You!

The United States’ top commanding officer for the space and cyber domains told reporters last week that a cyber attack could merit a more conventional military response.

During a press briefing on Thursday, U.S. Air Force General Kevin Chilton, who heads the U.S. Strategic Command, told reporters that top Pentagon advisors would not rule out a physical attack on any force that attacks the United States through the Internet. Currently, the military’s networks are probed thousands of times a day, but the goal of attackers seems to be espionage, not to take down critical networks, he told reporters –

Security Focus

I don’t believe that military force is the equivalent action for a cyber attack. Arrest and/or apprehension is the physical response necessary for criminal hackers attacking from other countries. Cyber counter-attacks are the correct response for government funded & coordinated attacks.

I think if the U.S. reciprocates a cyber attack x10 when other countries are playing little games, we’d get our message across effectively. We should do so in a well-funded and covert way in which the enemy has NO DOUBT that the face slap came from a U.S. hand, but no proof at all, allowing plausible deniability. It should be black ops hacks, very well coordinated, very well funded and full time.

I don’t think the US can be complacent or recklessly meek in matters of cyber warfare. Instead, it must be fair, quiet and heavy-handed when it comes to one of its most valuable assets, information.

where the hell is DC719?

I’ve been thinking of going to Defcon17 this year, but I’m reluctant because I keep remembering how lonely I was the last time I went, to Defcon14. There I was at the MECCA of all things security, basking in the glow of technological brilliance and completely alone.

Everyone seems to have a crew there. All the loners I meet are too paranoid to talk to anyone. So I end up going from lecture to lecture alone. Don’t get me wrong. I like learning new things... But too often I feel like it was something I could have just watched on TV (if it was on TV). I want to get more involved, but I don’t have the skills or the time to dedicate to another mega hobby like hacking.

So I thought about rolling out with DC719 (my local defcon group), but I’ve yet to find them. dc719.org seems to have not paid their bill or something. I heard they are all crazy gun nuts, which I think is pretty awesome. Guns and hacking seems like my kind of crowd. Strange, huh?

Anyway, dc719... if you’re out there, hit me up... I might want to roll with you guys [or at least say hi]. elamb[dot]security[at]gmail.com

Al Qaeda Sites getting Hacked

This was an article that really cheered me up today. Al Qaeda websites are still getting hacked constantly. Sometimes it seems that the free world is WAY off on the “War on Terror”. With most resources going to Iraq, political rhetoric and pandering, and the almost complete absence of anyone talking about capturing and/or killing Osama bin Laden, it’s easy to get discouraged. It’s good to see that the cyberwar is still being waged on those who promote and/or support terrorism.

Octavia Nasr, CNN senior editor for Arab affairs:

A hacking war is raging on Jihadi websites. Radical Islamist sites have been attacking and getting attacked for quite some time. The website hacking practice was common in 2001 and 2002… Following the 9/11 attacks when al Qaeda used only one website to communicate its messages to supporters and foes alike. That website was called alneda.com. It was getting constantly hacked… sometimes several hackings a day. After every hacking the site managed to resurface on the net until it disappeared from the scene in 2004 to be replaced by other websites — What started as one al Qaeda-linked site mushroomed into dozens which branched out into hundreds of supporting sites that serve as dissemination centers over the internet.



I want to go to the Black Hat

Trip to BlackHat 2008

I hope my corporate master will let me go to the Blackhat and Defcon training/convention this year. I doubt it, since “Massa” Corporate isn’t in the business of giving out anything that the gubment hasn’t paid for. Then again… they did offer to pay my way through a Masters degree program provided I stay with them for the entire time. Overall, they are not a bad lot… I’ve dealt with much worse, that is for certain.

If I go to BlackHat 2008, I’ll probably attend Security Horizons, NSA Information Assurance Management course.

Point and click Gmail hacking at Black Hat

This hack uses sniffing on a network:
The attack is actually quite simple. First Graham needs to be able to sniff data packets and in our case the open Wi-Fi network at the convention fulfilled that requirement. He then ran Ferret to copy all the cookies flying through the air. Finally, Graham cloned those cookies into his browser – in easy point-and-click fashion – with a home-grown tool called Hamster.

The counter to this is to NEVER log in on open networks (particularly at Blackhat, and for the love of all things holy and good NEVER log in without encryption at Defcon).
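The defender-side counterpart to the cookie replay described above, as an added example (my code, not the post’s and not Graham’s Ferret/Hamster tools): the cookies a passive sniffer on open Wi-Fi can copy are the ones a browser is willing to send over plain HTTP, which means session cookies that lack the Secure attribute. The audit below parses Set-Cookie headers with the standard library and reports which cookie names would travel in the clear. The headers are constructed samples for a made-up example.com, not real Gmail headers, and the attribute names are the standard Secure and HttpOnly flags.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie header values (assumption: not real Google
# headers). Two of them would be sent over plain HTTP by any browser.
SAMPLE_HEADERS = [
    "SID=abc123; Domain=.example.com; Path=/; HttpOnly",
    "PREF=en; Domain=.example.com; Path=/",
    "SSID=xyz789; Domain=.example.com; Path=/; Secure; HttpOnly",
]


def audit_set_cookie(header):
    """Map each cookie name in one Set-Cookie header to a list of findings.

    An empty list means the cookie carries both Secure (never sent on http://)
    and HttpOnly (not readable by page scripts).
    """
    jar = SimpleCookie()
    jar.load(header)
    findings = {}
    for name, morsel in jar.items():
        issues = []
        # SimpleCookie stores unset flags as "" and set flags as True.
        if not morsel["secure"]:
            issues.append("missing Secure: sent over plain HTTP, copyable by a sniffer on open Wi-Fi")
        if not morsel["httponly"]:
            issues.append("missing HttpOnly: readable by scripts running in the page")
        findings[name] = issues
    return findings


def sniffable_cookies(headers):
    """Names of cookies that a browser would transmit without TLS."""
    names = []
    for header in headers:
        for name, issues in audit_set_cookie(header).items():
            if any(issue.startswith("missing Secure") for issue in issues):
                names.append(name)
    return names


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        for name, issues in audit_set_cookie(header).items():
            status = "ok" if not issues else "; ".join(issues)
            print(f"{name}: {status}")
    print("sniffable over open Wi-Fi:", sniffable_cookies(SAMPLE_HEADERS))
```

The user-side advice in the post (no clear-text logins on the convention network) and this server-side attribute are complementary: the Secure flag stops the browser from ever putting the session cookie on the wire unencrypted, so the sniffer has nothing to clone even when the user forgets.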

TG Daily – gmail hack @ blackhat

How to Say the IPv6 Number

If you didn’t know, IPv4, the current network layer protocol used on the Internet, is due to be replaced with a new networking protocol called IPv6. IPv4 is a 32-bit addressing scheme that allows 4,294,967,296 possible unique addresses. IPv6 is a 128-bit addressing scheme that allows vastly more.


This is the number of possible IPv6 addresses:
340,282,366,920,938,463,463,374,607,431,768,211,456


And here is how to say the number.


340- undecillion
282- decillion
366- nonillion
920- octillion
938- septillion
463- sextillion
463- quintillion
374- quadrillion
607- trillion
431- billion
768- million
211- thousand
456

HOW BIG IS THAT REALLY??!

2^128=340,282,366,920,938,463,463,374,607,431,768,211,456 = 3.4×10^38
50 octillion addresses for each of the 6.5 billion people on earth
Every atom in the human body could have an IPv6 address
The windshield wipers on your car may have an IPv6 address (every device can be “pingable”)
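Both the “how to say it” list and the “how big is that” figures above come out of the same small piece of arithmetic, so here is an added example (my code, not from the original post) that generalizes it: split any integer into three-digit groups, attach the short-scale names the post uses (thousand, million, ... undecillion), and divide the IPv6 space by a population to get the per-person share. The 6.5 billion population figure is the post’s; the scale-name table is the standard US short scale.

```python
# Short-scale names for successive powers of 1000; index 0 is the units group.
SHORT_SCALE = [
    "", "thousand", "million", "billion", "trillion", "quadrillion",
    "quintillion", "sextillion", "septillion", "octillion", "nonillion",
    "decillion", "undecillion", "duodecillion", "tredecillion",
]

IPV4_ADDRESS_COUNT = 2 ** 32    # 4,294,967,296
IPV6_ADDRESS_COUNT = 2 ** 128   # the 39-digit number quoted in the post


def with_commas(n):
    """Render an integer with thousands separators, as the post prints it."""
    return f"{n:,}"


def spell_groups(n):
    """Split n into three-digit groups, most significant first, each paired
    with its short-scale name, e.g. [(340, 'undecillion'), (282, 'decillion'), ...]."""
    if n == 0:
        return [(0, "")]
    groups = []
    scale = 0
    while n > 0:
        n, group = divmod(n, 1000)
        groups.append((group, SHORT_SCALE[scale]))
        scale += 1
    groups.reverse()
    return groups


def say_number(n):
    """Spoken form of n, skipping all-zero groups: '340 undecillion, 282 decillion, ...'."""
    parts = []
    for value, name in spell_groups(n):
        if value == 0:
            continue
        parts.append(f"{value} {name}".strip())
    return ", ".join(parts)


def addresses_per_person(population):
    """Integer share of the IPv6 space per person (assumes one flat allocation)."""
    return IPV6_ADDRESS_COUNT // population


if __name__ == "__main__":
    print("IPv4:", with_commas(IPV4_ADDRESS_COUNT), "=", say_number(IPV4_ADDRESS_COUNT))
    print("IPv6:", with_commas(IPV6_ADDRESS_COUNT))
    for value, name in spell_groups(IPV6_ADDRESS_COUNT):
        print(f"{value:>3}- {name}")
    share = addresses_per_person(6_500_000_000)
    print("per person:", say_number(share))
```

Running it reproduces the post’s list line by line and shows where the “50 octillion per person” figure comes from (the exact quotient begins 52 octillion); the same functions work for IPv4, where the whole space names out as “4 billion, 294 million, 967 thousand, 296”.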

Pros and Cons of IPv6:

CON
Lack of migration plan
Definition of “compliance”? (DoD)
Long address (2001:0000:1080:8c88:8:800:200C:417A)
Security issues

No tools to check IPv6 packets, so this exploit has no way to be stopped yet
Windows XP supports IPv6 but the SP2 firewall would not detect rogue data inside ICMPv6 packets



PRO
ipv6 for everything
Japan already on top of it
Help countries like China and India



Here are some other interesting numbers:

trillion

Googolplex



Pirates Vs. Ninjas

PIRATES

A pirate’s mission statement is to rape and pillage. They steal as a way of life. Morals and values be damned. A pirate would steal from his own mother if she let her guard down. He would take advantage of his sister if she had the booty. New pirates really don’t appreciate anything. Some pirates steal because they really do appreciate a quality product. Some of these pirates are activists for individual freedom. They live by the code and freedom of the sea/nature. To them ownership and property is an illusion created by man. These are the most devious types of pirates, who usually end up being captains of ships full of pirates. If these pirates ever get caught it will usually be too late, because they will have already exploited, liquidated and stolen so much that most assets they have pilfered will never be recovered. Furthermore, they are probably completely beyond rehabilitation by external means such as torture, imprisonment or indoctrination into high society.


NINJAS

A ninja, on the other hand, lives and dies by a code, and because of this they can be very dangerous. They have a certain belief that they are willing to kill for. Assassination is what the ninja is trained to do. They sneak in silently, make the kill and get out quickly without a trace. A great ninja will only be detected by the absence of evidence. You will only know that they were there if they want you to know. To the untrained eye, the ninja’s target died of natural causes. The ninja’s skill is a thing of deadly grace and beauty, like a black widow spider. The especially good ninjas have an almost spiritual code and mental discipline that gives them seemingly supernatural powers. To the lay person, ninjas don’t exist; they are just ancient legends. If someone brags about being a ninja they are more than likely NOT a ninja. A ninja is so close to the edge that they are loved, hated and feared by those who know they exist. Contrary to popular belief, not all ninjas are evil. Some ninjas are mercenaries, some ninjas only kill bad guys, some ninjas don’t kill at all… but they could if they wanted to.

What is a Hacker?

“A hacker is someone who thinks outside the box. It’s someone who discards conventional wisdom, and does something else instead. It’s someone who looks at the edge and wonders what’s beyond. It’s someone who sees a set of rules and wonders what happens if you don’t follow them. A hacker is someone who experiments with the limitations of systems for intellectual curiosity.”
The above is a quote from crypto living legend Bruce Schneier’s book, Beyond Fear. This is exactly how I feel about hacking. Hacking is a major asset to Information System Security… in fact it is THE only real asset. I’ve had arguments with some of my peers about this. Information Security Pro vs. Hacker. If the typical information system security pro doesn’t get smart on hacking (security/programming) techniques, security will continue to be a losing battle. Cyber criminals have no problem learning the latest exploits, they have no boundaries, and this gives them a “superpower” against security professionals. Some information security professionals, on the other hand, restrict themselves by categorizing hacking as bad. They see it as unethical and not responsible.

It is unethical and not responsible to NOT know the hacking techniques that might exploit a customer’s system.

Thanks for the post, Bruce. I hope you will make another appearance at Defcon.
