Urgent Samba Fix: CVE-2010-3069

These days when I think of Samba overflows I get images of Bahia's feijoada completa dancing in my head. Fortunately a security alert from the Samba team has brought me back to reality. No Caipirinha today.

Two functions in Samba version 3 can be exploited remotely, even without authentication, due to a buffer overflow. It was found during an internal code review and a fix has already been released.

The sid_parse() function (and related dom_sid_parse() function in the source4 code) do not correctly check their input lengths when reading a binary representation of a Windows SID (Security ID).

A SID is the variable-length binary value Microsoft uses to uniquely identify a user or group in Windows. It was introduced to manage permissions independently of human-readable names such as a username. Renaming a user that is mapped to a SID therefore does not disturb the system the way remapping every permission tied to a username would.
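As an added illustration of the length checks the advisory says sid_parse() lacked (example code written for this post, not Samba's own), here is a parser for the binary SID layout described above that refuses any buffer whose declared sub-authority count is larger than the input or larger than the fixed-size destination. The struct layout, the function names and the sample bytes are assumptions for this example; only the 15 sub-authority limit is Windows' own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SID_MAX_SUB_AUTHS 15  /* Windows caps a SID at 15 sub-authorities */

struct sid {
    uint8_t  revision, num_auths;
    uint8_t  id_auth[6];                    /* 48-bit big-endian authority */
    uint32_t sub_auths[SID_MAX_SUB_AUTHS];  /* 32-bit little-endian each */
};

/* Parse a binary SID (1 revision byte, 1 count byte, 6 authority bytes,
 * then count*4 bytes). Rejects any buffer whose declared count would
 * overrun the input or the fixed-size destination array. */
bool sid_parse_checked(const uint8_t *buf, size_t len, struct sid *out)
{
    if (buf == NULL || out == NULL || len < 8 || buf[0] != 1) return false;
    uint8_t n = buf[1];
    if (n > SID_MAX_SUB_AUTHS) return false;            /* destination bound */
    if (len < 8 + (size_t)n * 4) return false;          /* input shorter than claimed */
    out->revision = buf[0];
    out->num_auths = n;
    memcpy(out->id_auth, buf + 2, 6);
    for (size_t i = 0; i < n; i++) {
        const uint8_t *p = buf + 8 + i * 4;
        out->sub_auths[i] = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                            (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    }
    return true;
}

/* Helper: sub-authority idx of a parsed SID, or -1 if rejected/out of range. */
int64_t sid_sub_auth(const uint8_t *buf, size_t len, size_t idx)
{
    struct sid s;
    if (!sid_parse_checked(buf, len, &s) || idx >= s.num_auths) return -1;
    return (int64_t)s.sub_auths[idx];
}

/* Constructed samples, not captured traffic: S-1-5-21-1-2-3 as 24 bytes,
 * and the same bytes with the count field set to an impossible 200. */
static const uint8_t SAMPLE_SID[24] =
    {1, 4, 0,0,0,0,0,5, 21,0,0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0};
static const uint8_t SAMPLE_SID_BAD_COUNT[24] =
    {1, 200, 0,0,0,0,0,5, 21,0,0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0};
```

Feeding the same bytes with a shorter length, or the oversized count, makes the parser return failure instead of reading past the buffer or writing past the array.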

Patch, upgrade to Samba 3.5.5 or deploy countermeasures (e.g. strict segmentation and ingress/egress filtering) immediately.

Cheating Ban in StarCraft

Blizzard Entertainment has raised the stakes for cheating in StarCraft II:

Playing StarCraft II legitimately means playing with an unaltered game client. Doing otherwise violates our policies for Battle.net, and it goes against the spirit of fair play that all of our games are based on. We strongly recommend that you avoid using any hacks, cheats, or exploits. Suspensions and bans of players that have used or start using cheats and hacks will begin in the near future.

A permanent ban for an account is apparently a big step. I am not familiar enough with the game to know whether someone could open multiple accounts and use them for testing cheats. This would be a simple countermeasure to an account ban — lessen the value of the account.

It seems to me an even bigger and more exciting step would be if they offered an incentive system for whistleblowers. Then players not only would engage in battle online but also could try to get ahead by reporting suspicious accounts. Or would they have to change the name to StarNarkCraft?

Come Hear Me at the HTCIA International Conference Next Week

I am honored to be presenting three topics at the High Technology Crime Investigation Association (HTCIA) International Conference next week. They just mentioned it on the conference blog:

Davi Ottenheimer, a security and PCI expert, blogs at http://www.flyingpenguin.com/ — not just about infosec, but also on a wide variety of topics including energy, food, and sailing. He’ll be presenting “Anatomy of a Breach” on Wednesday, along with “No Patch for Social Engineering” and “Cloud Investigations and Forensics,” both on Monday.

Well, I’d say it’s all just the poetry of information security :)

The HTCIA is made up of many local chapters designed for information sharing on investigations, as you might guess from who is allowed membership:

(a) Peace Officers, Investigators and Prosecuting Attorneys engaged in the investigation and/or prosecution of criminal activity associated with computers and/or advanced technologies. Each member shall be regularly employed by the Federal Government, State Government, Counties, and/or Municipal subdivisions of any state, or

(b) Management Level and Senior Staff Security Professionals in the regular employ of private business or Industry in the various states, the primary duties of which, are the control and responsibility for security and/or investigation in computer or advanced technology environments, or by virtue of his/her position or interest can provide, or have a need for information and training in the areas of computer and/or advanced technologies.

I hope the NZ security community reps will be there and able to discuss the Wilce incident.

CV Fraud Sinks NZ Security Expert

News from New Zealand is that their top military scientist quit when "lies" were found on his resume:

NEW Zealand’s top military scientist has quit, it was announced today, after allegations that his resume falsely claimed he was an ex-Marine and an Olympic bobsledder who raced against Jamaica’s “Cool Runnings” team.

Lieutenant General Jerry Mateparae said chief defence scientist Stephen Wilce had resigned, a day after TV3’s 60 Minutes made the allegations about him.

The program also accused him of claiming to have designed nuclear weapons guidance systems.

Those are highly visible and easily verifiable claims. It is an embarrassment to the country.

Was he qualified and capable? Did he do a good job? These questions no longer matter after he had to admit he knowingly misrepresented his experience — he lied. A bobsled team in the Olympics? Easy to look that one up, and not too smart for a security scientist.

This reminds me of a more common style of CV obfuscation I have found in the security industry — years of experience. When did Internet security start? It is hard to say, which makes it easy for people to move the line.

I claim sixteen years of experience on my CV because 1994 was when I was hired into a full-time job (Staminet, a subsidiary of Space Applications) after I finished my graduate degree. I worked with computer and network security before then but only as a student so I do not count it in my professional experience.

With that in mind I recently met a security expert who told me he aims to “put audit firms out of business”. He started a website called cloudaudit.org. We had a brief discussion at VMworld about it that left me feeling a bit puzzled.

He mentioned he had experience with audit, but I think he meant he has been audited before. Does being audited qualify someone to reform audit or is there a conflict? I found it hard to get a clear picture of his experience and perspective on audit in order to understand his “put audit firms out of business” comment. Later I searched online for his name.

Two years ago he had over 15 years of experience, according to the 2008 BlackHat presenter's page:

…currently Unisys’ Chief Security Architect…over 15 years of experience in high-profile global roles in network and information security architecture, engineering, operations and management. Prior to Unisys, he served as Crossbeam Systems’ chief security strategist, was the CISO for a $25 billion financial services company and was founder/CTO of a national security consultancy.

Today, just two years later, his experience miraculously grew five years to 20:

…20 years of experience in high-profile global roles in network and information security architecture, engineering, operations, product management and marketing with a passion for virtualization and all things Cloud.

I checked BlackHat again. On their 2010 site he gave himself over 19 years of experience, four years more after only two years:

…over 19 years of experience in high-profile global roles in network and information security architecture, engineering, operations, product management and marketing with a passion for virtualization and all things Cloud.

No Olympic bobsleds yet, but it seems the jump from 15 to 20 should be reason for concern. I am not going to split hairs over a year here or there, but a four-year variance is unsettling. I looked up his graduation date as a quick double-check. Unfortunately LinkedIn only revealed another vague and potentially sliding timeline:

University of California, Berkeley
Electrical Engineering & Computer Science

1988 — 2000

Twelve years at UC Berkeley and no degree? This is not getting better, but still no Olympic bobsleds.

This person said to me he is on a mission to transform the world of audit, yet his experience ironically is hard to audit. On the positive side I see glowing recommendations and what seems to be a devoted group of business colleagues, partners and friends. Should that be sufficient? I might say yes except I also noticed that LinkedIn says his career started November 1993, five years after starting at UC Berkeley. That means it would be 17 years of experience today, versus the 19 or 20 years mentioned above. So 15 was probably accurate two years ago and 17 is the right number for today. Where did 20 come from? 19?

At the end of the day, aside from trying to make sense of any self-description or LinkedIn profile, I have not seen any audit firm experience or anything else that answers my original concern. Why put audit firms out of business?

I’ve done 3 start-ups (and the odd up-start,) raised venture funding, lost my ass, made it all back again, been a CEO, CISO, CTO and still haven’t figured out what I want to be when I grow up.

I wanted to get perspective but instead I pulled up more questions than answers in a quick search for a resume online. Normally I might let it go but the Stephen Wilce story suggests that a quick search probably will not be sufficient.