Category Archives: Security

Hungarian Election Hack

The Budapest Business Journal has reported an interesting twist in an election race:

A statement published on the web page of the party’s parliamentary group said that the documents had been obtained from a site “accessible with a user name and password available to anyone.”

For some reason the South African Mail and Guardian has posted this version of the story:

Hungary’s main opposition party, Fidesz, said on Thursday that it had made a “serious mistake” in hacking into the server of the governing Socialist party ahead of the April general elections.

Anyone else wonder if the user:password was fidesz:fidesz?

RSA Badge Challenge redux

Well, I said I would post more, and then I actually posted several things over on Bruce’s blog…odd that he took the $100 fee I mentioned to him as gospel. Anyway, the bottom line is that Bruce said I should try to get in without my badge because it wouldn’t work if he tried it (I said he should do it, but he claimed he is too well recognized — yes, I am transferring all blame to Bruce). He had asked me to email the results of my tests, but I guess I didn’t get done in time for his blog entry to pop up.

Anyway, I did as told by the great Bruce and stuck my badge in my pocket and just wore the lanyard and plastic holder with the pocket agenda. The only thing I didn’t try was just walking right up to the booth and saying “I need a new badge, what will that cost me?” I probably would have done it, too, if I hadn’t found it so easy to walk around badgeless. Sadly, I wasn’t challenged sufficiently to actually have to produce my badge. In fact, on a few occasions I had to actively look around and seek out the guard who was stationed at the main doors. The presentation rooms had a single person for a huge crowd and there were so many issues with the readers during the sudden influx of people that I was not the only person literally forced to enter without my badge being carefully checked.

All-in-all a bizarre situation for a security conference. I started to feel like I needed to beg people to challenge me for my badge so that I could see if the $1900 replacement fee was for real. In fact, at one point I put my badge back on just to see if it mattered and was still working. Of course, at that point I was scanned. Dumb luck, I guess, or it could have been because the woman in line in front of me said she worked for Homeland Security. Alas, sometimes a hypothesis leads to a completely different set of conclusions than was originally expected.

Overall the conference was a huge benefit to me as I managed to meet several people who can help with the secret key issues I’m working on, and I learned a great deal of very useful tidbits from security industry luminaries like Ron Gula and Crispin Cowan (just in casual conversation outside the conference). McNealy’s presentation was very funny and helped me understand how Sun plans to get back on track. His human message was also much appreciated. Honestly I had given up on them back around Solaris 7, but they definitely seem to be back in the swing of things with Open Solaris and Office…tempting to see what it would take to replace our Windows desktops that are mainly used for analytics and email. In the Expo I was particularly impressed with the Identity Engines product and the Array SSL VPN (very fast, very clean). The food was sufficiently edible as well.

I give the conference high marks for bringing so many great minds together, but I really wish they would sort out the conference badge/identity situation properly (hey, this is a chance to really do something secure and efficient and not just talk about it) and work on quality/quantity of presentation issues. A DoJ speaker actually started her talk with “RSA sent me some presentation gurus. They said that I need to use humor and avoid going off-topic into the weeds”. Then she put up a cartoon and said “ok, here’s some humor” and then she proceeded to immediately head right into the weeds, so far off-topic that she (and her presentation buddy) became too lost to continue the slides. Oh, and I can’t forget that at one point she looked at a symbol for the British pound and said “um, that’s in Lira, right?”. I know, boring trivial stuff, but the presentation was so bad I had to wonder what might have been rejected from the conference.

Windshield washer fluid and privacy

I attended a panel discussion yesterday on identity management and privacy. One of the pundits made the observation, in a rather ostentatious manner, that he had been asked for his address when he tried to buy windshield washer fluid at a store. “Kragen shall remain nameless…they had no business reason for this information” he thundered.

Unfortunately, this is the kind of uninformed position that is all too common in information security. People get their shorts up in a bunch about privacy, which is all fine and good, but then they seem to think that everything must be an invasion of their personal rights even though they do not take even the most basic step to confirm/review the risks in their entirety.

Call it the uninformed consumer, if you will, but this guy had all the hallmarks of an American cultural tradition of shoot first, ask questions later. Not the sort of thing I would have expected from a panel at RSA. In fact, the presenter said he was forced to exit the store without his washer fluid — the business was plain wrong and they lost his business. Good for him, but did he try to find out why a business might be forced by the authorities to treat windshield washer fluid as a controlled substance (as opposed to just a random opportunity for marketing data)?

Anyone familiar with engine tuning or meth lab investigations knows the market dynamics of windshield washer fluid (about 30% methanol), not to mention the market for the bottles themselves. Moreover, anyone familiar with the properties of methanol knows the environmental and health impact of its widespread use for illegal purposes.

This begs the question of how effective the control might be (e.g. compared to removing the methanol from the fluid, since even in normal/legal use it’s a toxic substance that is being sprayed into the air and all over the roads that people live on), but in this instance I just wanted to point out that a store is unlikely to let the employees know why they have to ask for the address/information, but at the same time the consumers might be happy to know that the police are trying to cut down on highly-toxic uses of meth in their neighborhood.

This reminds me of Cory Doctorow’s explosive reaction to an American Airlines screener (for now I’ll skip the more well-known example of the hunt for WMD). Profiling is a critical component of our everyday lives and people need to learn to seek and sufficiently understand an “other” perspective before they rush into action and demand reform/justice. There are few things more counterproductive in security than reacting to the symptoms and causing widespread outages. In fact, if more people just did a little bit of “root cause” analysis, we might find a more informed and democratic path of resolution for real and present dangers to their livelihood. This would actually help law enforcement by taking the burden of ad hoc policy creation away so they can get back to their proper focus on enforcement.

EFF sues AT&T over wiretap

I wonder if this case will go better than their others…

The Electronic Frontier Foundation (EFF), based in San Francisco, filed the suit against AT&T for giving the NSA direct access to its databases of communications records, including whom their customers had phoned or sent e-mail to in the past. The suit was filed Tuesday in the United States District Court of the Northern District of California. […] The EFF alleges that this behavior on the part of AT&T violates several federal laws, including the Electronic Communications Privacy Act (ECPA), he said. It also violates the first and fourth amendments, which protect U.S. citizens’ right to speak freely and not to be subject to unreasonable searches, Bankston said.