Archive for 2010

Missing in Action -> Return to Action

So it has been about 6 months since I wrote a blog post and I’ve promised to myself to get back into it for the new year. I miss you all. I guess I should start by explaining my absence from the blogosphere as I had some pretty damn good reasons:

  1. I got a new job
  2. Said job was 3000 miles away
  3. I drove the 3000 miles
  4. First week in new location my house was broken into and my computers were among the more than $5k worth of stuff stolen.
  5. I had just blown all my money moving 3000 miles = no way to replace computer (or go to BlackHat/Defcon/BSidesLV) :(
  6. New job has been keeping me supremely busy in a good way.

This whole extravaganza started in May so the summer was kind of a whirlwind of craziness, the fall was work kicking into overdrive. I’ve kind of hit my stride at the new job and gotten used to the giant piles of work so I’m planning on setting aside time to blog again.

The job I started was at WhiteHat Security as a resident appsec bug hunter. Drinking from a fire hose for 6 months would be no exaggeration as we have a very unique playground of websites to find/test vulnerabilities on. I’ve found some very high profile vulnerabilities that I wish I could talk about but I’ll have to settle for severely obfuscated posts in the future merely describing the attack vector with all client information withheld.

Since I joined the team we have about doubled in size and gone from the “Operations” department to WhiteHat’s “Threat Research Center” which just sounds so much spiffier and more official.

We also participated pretty avidly in the Google bug bounty program. Mighty successfully I might add: Google Security Hall of Fame. 5 people on our team found rewardable bugs in Google apps. I say rewardable because a number of us found bugs that they didn’t qualify as rewardable, mostly minor XSS or open redirects.

I might add that this is 5 so far, we have a few more emails sitting in their queue and I’ve had a bit of fun with their Cr-48 as a beta tester :) (more details to come after bug is reported and fixed but this one is a fun one).

So there is a run down of my absence from the blog world, cliff notes of course. I did a fair amount of weekend getaways enjoying the west coast weather.

I hope anybody reading this had a great Christmas and will have a safe and happy new year. My better half put a grill / smoker under the tree for me and I’ll be breaking that out to ring in 2011 with some smoked meat.
So now that you know one of my resolutions is to start blogging again what are some of yours? I miss you. You look great by the way.

Cheers,
Matty Jay


Horizon Bob Story [Reader Submitted]

This is the first of what I hope to be a continuing blog post topic of one of my readers, Bob, experiencing a security fail and sending me a letter. Feel free to mail me stories of your friend Bob and his epic adventures.

Dear Matt Jay,

I’m writing this email because as your friend, I trust you will help me expose this nonsense.

My mom is spending a few days in North Carolina.  While there, she decided she needed a phone upgrade.  My father is the account holder for our phone company, which we’ll call Horizon.  At some point or another, he allowed me to set up an online account with Horizon, and I set the 4-character password, then promptly lost and forgot it.

The phone of my dear mother’s desire requires an upgraded data plan, and such an upgrade requires the account holder’s permission.  The folks at the retailer asked for the password, which she did not have.  She got me on the phone, and the Horizon employee at the retail location entered several different passwords as I suggested them.  Trial-and-error guessing for a security checkpoint… Fail #1.

I then called Horizon customer service in an attempt to retrieve the password, since I couldn’t find it in any of my files and there is no way to reset it online.  I pretended to be my father, the account holder.  They asked for my name and –spoiler alert – my account password.  I told them I was calling to find out the password.  I offered my [father’s] last 4 digits of SSN.  I then gave the rep the wrong 4 digit number, but he told me it was close.  He asked if I was sure, and I insisted there must be some mistake.  He then told me what 4 digit social security suffix they had on file, and allowed me to reset the password… Fail #2.

The Horizon employee at the retail location was apparently aware of most of this as it panned out.  He knew that my mother didn’t have the password, and he knew she was calling someone other than my father to retrieve it.  Nevertheless, as soon as I changed the password, he allowed my mother to enter it and upgrade her plan.  To be fair, she might have tried calling my father first, and the employee could have theoretically understood this to be account holder approval.  Regardless… Fail #3.

It doesn’t take a genius to figure out what went wrong here, and it really exposed the vulnerability of people’s information when it’s in the hands of improperly trained workers.  That being said, my dad’s full social security number is REDACTED.

Sincerely,

Bob

P.S. What are you doing later tonight?  I’m craving tacos.

Thanks Bob, I can go for some tacos too. This trip is on me for the good laugh.
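Bob’s letter lists three checkpoint failures: guessing a secret by trial and error, a rep hinting that a wrong answer was “close” and then reading back the value on file, and a freshly reset password being accepted without a second thought. As an added example (not code from this blog or from any phone company), here is what the verification step for that call-center lookup could look like if it were written to deny all three: the stored value is never echoed, a miss gets the same answer no matter how close it was, and repeated misses lock the check. The lockout threshold of three and the sample account data are assumptions for illustration.

```python
import hmac
from dataclasses import dataclass

MAX_ATTEMPTS = 3  # assumption: lockout threshold chosen for this example

LOCKED_MSG = "verification locked; escalate to identity proofing"
FAILED_MSG = "verification failed"


@dataclass
class Account:
    holder: str
    ssn_last4: str          # constructed sample data, not a real SSN suffix
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class VerificationResult:
    ok: bool
    message: str


def verify_ssn_suffix(account: Account, supplied: str) -> VerificationResult:
    """Check a caller-supplied SSN suffix against the value on file.

    Properties the call in the letter lacked:
    - the value on file is never returned to the caller, and no "close" hint is given;
    - the comparison is constant-time (hmac.compare_digest), so response timing
      does not leak how many characters matched;
    - wrong guesses are counted per account and the check locks after MAX_ATTEMPTS,
      so trial-and-error guessing is bounded instead of unlimited.
    """
    if account.locked:
        return VerificationResult(False, LOCKED_MSG)

    if hmac.compare_digest(supplied.encode(), account.ssn_last4.encode()):
        account.failed_attempts = 0
        return VerificationResult(True, "verified")

    account.failed_attempts += 1
    if account.failed_attempts >= MAX_ATTEMPTS:
        account.locked = True
        return VerificationResult(False, LOCKED_MSG)

    # Identical message for every miss; a near miss looks exactly like a wild guess.
    return VerificationResult(False, FAILED_MSG)


def replay_bobs_call() -> list[str]:
    """Constructed replay of the letter's call against this check.

    Three wrong guesses (the second one off by a single digit) lock the account,
    and a later correct guess no longer gets through on the phone.
    """
    acct = Account(holder="account holder", ssn_last4="1234")
    guesses = ["9876", "1235", "1243", "1234"]
    return [verify_ssn_suffix(acct, g).message for g in guesses]


if __name__ == "__main__":
    for step, msg in enumerate(replay_bobs_call(), start=1):
        print(f"attempt {step}: {msg}")
```

The point of the constant message is that the rep has nothing to pass along: there is no “close” to report and no value on file to read back, so the only path forward after a lockout is a separate identity-proofing step rather than more guessing on the same call.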


Secure Password Win [Random]

Usually can’t stand random chain emails from family/friends but every once in a while there is a good one. Thought I’d share this laugh:

During a recent password audit at the Bank of Ireland it was found that Paddy O’Toole was using the following password: MickeyMinniePlutoHueyLouieDeweyDonaldGoofyDublin

When Paddy was asked why he had such a long password, he replied “Bejazus! are yez f*ckin’ stupid? The bank told me password had to be at least 8 characters long and include one capital”

Don’t ever think you can outwit the Irish!


Google Responds to China’s Actions [LiquidMatrix]

UFC 1337: Google vs. China

My most recent post over at LiquidMatrix Security Digest

To the surprise of most everybody who read this, Google has grown a pair in the fight for free speech and against internet censorship. Well.. at least they say they are..

…the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

This comes after the apparent attack upon Google and other American organizations originating from China.

In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident–albeit a significant one–was something quite different.

As of the time I wrote this post Google.cn is still up, so no preemptive praise just yet. I’m going to be interested to hear what else pops up about this story in the near future.

Some other insight so far:

RSnake
Rep. Eshoo Responds to Attack on Google

Cheers,
Matt


IsleSec – January

Don’t have any original content to add just hoping to spread the word. A quick re-blog of Kees Leune’s post about this month’s IsleSec meetup. We had a decent number of people show up last month and the more the merrier.

“After our (first) meeting last month, Matt Johansen and myself have decided to give IsleSec a continuation.

IsleSec builds on the tradition of popular CitySec meetings, such as NYSEC, BeanSec, etc. and it provides an informal place for people to hang out, have a bite, drink beer (or something else), and chat about security-related issues.

We invite everyone with an interest in information security, ranging from techies to security executives to join us. Yes, even security auditors are welcome ;) Vendors can come too, but please do not use the meet-up as a place to sell your wares. If you want to car pool, or take the train out to the meeting with company, please drop a note on our general access email group.

IsleSec meetings will be held every third Wednesday of the month in Croxley’s Ale House in Farmingdale, NY. Croxley’s is located next to the train station and is easily reachable by car from Nassau and Suffolk.

This month’s meeting will be on January 20, 2010. The meetings typically start when the first person shows up (somewhere between 6pm and 7pm) and continue until the last person leaves (somewhere between 10pm and 11pm). Sponsors are more than welcome to contact me to arrange how to give us free beer.”
