The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

January 22nd, 2008

Once it’s out of your control ..

There’s this idiot …

http://www.timesonline.co.uk/tol/sport/formula_1/article3221830.ece

Nigel Stepney, the former Ferrari mechanic who sparked the Ferrari/
McLaren Mercedes espionage scandal last year, has admitted that he
handed information to McLaren, but did not imagine that it would be used
by the Woking-based team to the degree that it was.

Why ever not?
Once he handed the information over it was outside his control.
What people do with it then is up to them, not up to him. It’s not as if there was some binding contract and he can sue them for misuse of the information.

This boy is a fool to think he retains any control over the use of the information. Heck, by giving it away he has shown that his employers don’t have control over the use to which it’s put, so why is he spouting nonsense like this:-

“I don’t feel responsible in anyway for what happened at McLaren,”
Stepney said in an interview due to be transmitted on Sky Sports World
Motor Sport show this evening.

This boy is a fool! Does he imagine everyone in the world is honest, is happy to abide by his agenda?

Or perhaps he’s a fool in a different way. Perhaps that’s all a smoke screen that he’s throwing up, hoping we’ll think him an innocent fool. Perhaps he’s fully aware of what he did and hopes we’ll think he’s just a naive and gullible idiot.

“Obviously it got a bit sensitive and somebody used information more
than I actually thought it [should have been] or not more than it should
have been, it should never have been used . . . to that extreme.”

And of course any leaked information could be put together with information from other sources, used to verify information obtained elsewhere, or lead to other stuff … Anyone who has read things like David Kahn’s “The Codebreakers” or, perhaps more relevant to this guy, the BBC documentary in May of last year.

This boy’s a fool on many levels. How is any employer going to trust him ever again? It doesn’t matter whether his intentions were as he claims or this patter is a smokescreen; he’s shown that he can’t be trusted, and that is what matters.

January 18th, 2008

Wake-up Business! The cybercriminals have embraced the open source

http://www.theregister.co.uk/2008/01/17/globalization_of_crimeware/

… In many respects, malware creation mimics open
source communities, in which legions of programmers spanning the globe
tweak one another’s code to add new features and fix bugs.

So what happened to the proverbial socially maladjusted hacker in the back room eating Twinkies and drinking Jolt?

“It seems somewhat different than the standard way of thinking of a
hacker,” says Thomas Holt, a professor of criminal justice at
the University of North Carolina at Charlotte, who presented his
findings Thursday to military and law enforcement officials at the US
Department of Defense’s Cyber Crime Conference. Crime groups “are
looking to one another for assistance. It’s no longer just a single
person distributing malware. Now there
appear to be groups and there appears to be a distribution of labor.”

And this at a time when so many ‘mainstream’ companies are finding reasons to avoid using open source. No doubt they will misunderstand and use this as yet another reason.

January 16th, 2008

What did I say about buffer overflow?

http://aluigi.altervista.org/adv/quicktimebof-adv.txt

You’d think by now … after all, SC Magazine, at least in the print edition, lists the “top 5 attacks” used by US and foreign hackers, and ‘overflow’ attacks have been in the number 1 or number 2 slot for as far back as I can remember.

I keep going on about how the Morris Worm brought this to public attention TWENTY years ago. I keep going on about how I continue to meet programmers of varying maturity, not just the ones fresh out of college, who are unaware of this kind of programming flaw - along with many other flaws and egregious habits.

I suspect what we have is the old phenomenon of assigning junior (aka inexperienced) coders to do the maintenance programming. Why else would this kind of bug be introduced into a mature product?

Did I say ‘introduced’? Perhaps it was there all along, which is even worse, since it means it took this long to discover it.
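As an added illustration (not code from this post or from the advisory it links), here is the shape of the flaw the post is complaining about, beside its bounded counterpart: a fixed-size buffer filled according to a length that the input itself declares. The record layout, the struct and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A small fixed-size record, the kind that sits in a mature code base
 * for years. The layout and names are assumptions for this example. */
#define NAME_MAX 16

struct atom_header {
    uint32_t payload_len;   /* length declared by the input itself */
    char     name[NAME_MAX];
};

/* The flaw: trusting the length field carried inside the input.
 * If payload_len exceeds sizeof(hdr->name), memcpy writes past the
 * buffer. Shown for contrast only; it is never called in this example. */
void read_name_unchecked(struct atom_header *hdr,
                         const unsigned char *in, size_t in_len)
{
    (void)in_len;                       /* the caller's length is ignored */
    memcpy(hdr->name, in, hdr->payload_len);
}

/* The fix: check the declared length against BOTH the destination size
 * and the bytes actually supplied, and reject anything that does not fit.
 * Returns 0 on success, -1 if the record is rejected. */
int read_name_checked(struct atom_header *hdr,
                      const unsigned char *in, size_t in_len)
{
    if (hdr->payload_len >= NAME_MAX)   /* leave room for the terminator */
        return -1;
    if (hdr->payload_len > in_len)      /* declared more than was supplied */
        return -1;
    memcpy(hdr->name, in, hdr->payload_len);
    hdr->name[hdr->payload_len] = '\0';
    return 0;
}

/* Parse a constructed record: a 4-byte little-endian length followed by
 * the name bytes. Returns 0 on success, -1 if the record is rejected. */
int parse_record(const unsigned char *buf, size_t buf_len,
                 struct atom_header *out)
{
    if (buf_len < 4)                    /* not even a complete length field */
        return -1;
    out->payload_len = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8)
                     | ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    return read_name_checked(out, buf + 4, buf_len - 4);
}
```

The two rejected cases in the checked version are exactly the inputs that would turn the unchecked version into an out-of-bounds write: a length larger than the destination, and a length larger than what was actually received.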

January 16th, 2008

Many Oracle Users Don’t Apply Security Patches

Perhaps this applies to more than Oracle users?
Sybase? MySQL?
Windows?
Perhaps even Linux!

http://www.informationweek.com/news/showArticle.jhtml?articleID=205603104

Slavik Markovich, chief technology officer of Sentrigo, a database
security firm, said he’s been making presentations at Oracle Users
Groups around the U.S. since August, and at each one he asks for a show
of hands on how many attendees have adopted one of the two most recent
Oracle Critical Patch Updates. He also asks how many have adopted at
least one update since Oracle started issuing them.

Starting with the Capital Area Oracle User Group in Reston, Va., the
answers that he’s gotten have surprised him. At that meeting last
August, two out of 40 attendees said they had installed one of the two
latest patches; 15 said they had installed at least one patch in the
four years of the program. That left 62.5% who had not installed any
patches since the program began in November 2004.

And the effect of this?

“That leaves many databases vulnerable to what are now publicly known vulnerabilities.”

I think we could have guessed that.
The issue is whether the people in the organizations that run unpatched systems thought about that, thought about the consequences of that.

Probably not.
All the studies I’ve read indicate that the ‘high performers’ not only follow through on security procedures like this, but have proactive monitoring (e.g. IDS, log file scanning) and proactive response procedures. The people who don’t bother to patch will in all likelihood not even know they have been hacked unless the hack has catastrophic results. If the hacker was subtle and just did some identity theft, or small-but-many financial theft, then the database owner might never know.

So: When did you …

  • last update ..
      • your OS
      • your browser
      • your database
  • last scan your logs

Enquiring minds want to know, and many of them belong to malicious hackers.