Hard Working Families & Benefit Scroungers

Could be something, could be nothing but I’m hearing a lot of the following phrases in UK politics.

“hard working families” & “benefit scroungers”


Google Trends does a nice (if unscientific) job of showing the use of “hard working”  and “benefit scrounger” over time.


44Con Trip Report


Last week I attended the UK security conference, 44Con.  I went into 44Con feeling a little jaded with the overall security community, but left with a real spring in my step.  There are many very approachable and knowledgeable people doing some amazing work. It’s easy to forget if you focus on the minority of the community who bring arrogance and elitism to the table in large amounts.

44Con is now in its second year and is shaping up into a very nice conference indeed.  My views may appear slightly more biased as I’ve helped with chaperoning speakers, but if anything that would actually tend to make me more critical.

For me the key points were

  • A local conference with great, high quality content.
  • Value for money (at ~£300 it’s cheap if you’re based near London).
  • 4* venue in central London (with lunch and free coffee provided).
  • Access to speakers. At the bigger conferences, getting time with top class security speakers is limited.  At 44Con (I noticed this at BlackHat Abu Dhabi too), you have great access to speakers, who are all willing to spend time and talk about their work.  This is where interesting partnerships can occur.
  • Local peers – Although I try and attend Defcon London once a month, it’s really only at BSides London and 44Con that I get to meet up with most of my UK peers and have quality time to talk.

If you’re in the UK, it will be worth checking out in 2013 (as will BSides London). For London locals, the monthly DC4420 meeting is worth a visit.

In terms of talks, these were the highlights for me:

Terrorism, tracking, privacy and human interactions:  (Daniel Cuthbert and Glenn Wilkinson of Sensepost)

This was arguably the talk of the conference. Daniel and Glenn set about creating a low budget distributed data interception framework with functionality for simple analysis of collected data.  In simple terms, they demonstrated that they could track almost anyone who carried a smart phone and link most of those smart phones to a human. Everyone in the audience, including myself, immediately reached for their phones to switch them off.

The duo built access points (APs) that collect the probe requests of wireless devices as people pass by, and deployed a number of them around London.  They also provided a proof of concept showing how these APs could mimic the wireless networks that devices were probing for, and then service those requests. For example, if someone’s mobile device was looking for a network called, say, Starbucks, the AP would record the device’s MAC address and (potentially) respond with “Hey, I’m ‘Starbucks’, connect to me”. At that point any web traffic, including social media services with appropriate settings, would pass (momentarily) through their AP, letting them build a database of which devices passed which points at what times, and link a device to an identity based on what went over social media. They were able to pick out people’s houses purely from the SSIDs being probed for, i.e. without intercepting any data. That is the interesting part: without any illegal data interception the duo can work out where you live, where you pick up your morning coffee and what time you’re likely to do so.
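As an added illustration (this is not Sensepost’s code, and the capture below is constructed for the example; sensor names and MAC addresses are invented), here is the kind of analysis such a collector enables once probe requests are logged as (time, sensor, client MAC, SSID): which named networks a device asks for (a non-default home router SSID gives away the house), when and where it turns up each day, and which devices move together, which is one way of tying a phone to a person.

```python
"""Profile Wi-Fi clients from probe requests logged by distributed sensors.

Added example, not Sensepost's code. The capture is constructed inline so the
script runs offline; sensors, MACs and SSIDs are made up.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple


class Sighting(NamedTuple):
    when: datetime
    sensor: str   # where the collecting AP was placed
    ssid: str     # network the client asked for ("" = broadcast probe)


# Constructed sample capture: one row per probe request seen by one sensor.
RAW_CAPTURE = [
    ("2012-09-05T07:02:10", "Sensor-Home-Street", "aa:bb:cc:00:11:22", "BTHomeHub-7F3A"),
    ("2012-09-05T07:05:41", "Sensor-Home-Street", "aa:bb:cc:00:11:22", "Starbucks"),
    ("2012-09-05T07:04:02", "Sensor-Home-Street", "dd:ee:ff:33:44:55", "BTHomeHub-7F3A"),
    ("2012-09-05T07:40:19", "Sensor-Coffee-Shop", "aa:bb:cc:00:11:22", "Starbucks"),
    ("2012-09-05T08:30:55", "Sensor-Office",      "aa:bb:cc:00:11:22", "BTHomeHub-7F3A"),
    ("2012-09-05T08:31:30", "Sensor-Office",      "dd:ee:ff:33:44:55", "Corp-Guest"),
    ("2012-09-05T12:00:00", "Sensor-Coffee-Shop", "11:22:33:44:55:66", "Starbucks"),
    ("2012-09-05T18:15:08", "Sensor-Home-Street", "aa:bb:cc:00:11:22", "BTHomeHub-7F3A"),
    ("2012-09-06T07:03:27", "Sensor-Home-Street", "aa:bb:cc:00:11:22", "BTHomeHub-7F3A"),
    ("2012-09-06T07:42:50", "Sensor-Coffee-Shop", "aa:bb:cc:00:11:22", "Starbucks"),
    ("2012-09-06T07:42:50", "Sensor-Coffee-Shop", "aa:bb:cc:00:11:22", ""),
]


def parse(records) -> Dict[str, List[Sighting]]:
    """Group raw rows by client MAC, oldest sighting first."""
    by_mac: Dict[str, List[Sighting]] = defaultdict(list)
    for ts, sensor, mac, ssid in records:
        by_mac[mac.lower()].append(Sighting(datetime.fromisoformat(ts), sensor, ssid))
    for sightings in by_mac.values():
        sightings.sort()
    return by_mac


def probed_ssids(profile, mac) -> List[str]:
    """Every named network the device has asked for (its 'preferred network list')."""
    return sorted({s.ssid for s in profile[mac] if s.ssid})


def likely_home_ssid(profile, mac) -> Optional[str]:
    """Heuristic: the named SSID the device asks for most often. A non-default
    router name is what lets you pick out a house from SSIDs alone."""
    counts = Counter(s.ssid for s in profile[mac] if s.ssid)
    return counts.most_common(1)[0][0] if counts else None


def daily_routine(profile, mac) -> Dict[str, List[int]]:
    """Hours of the day at which the device was seen at each sensor."""
    hours: Dict[str, set] = defaultdict(set)
    for s in profile[mac]:
        hours[s.sensor].add(s.when.hour)
    return {sensor: sorted(h) for sensor, h in hours.items()}


def usual_hour_at(profile, mac, sensor) -> Optional[int]:
    """Most common hour the device passes a given sensor (e.g. the coffee run)."""
    counts = Counter(s.when.hour for s in profile[mac] if s.sensor == sensor)
    return counts.most_common(1)[0][0] if counts else None


def travelled_together(profile, mac_a, mac_b, window_minutes=10) -> List[Tuple[str, str]]:
    """(date, sensor) pairs where both devices hit the same sensor within the window.
    Two devices that repeatedly move together usually belong to one person or household."""
    window = timedelta(minutes=window_minutes)
    hits = set()
    for a in profile[mac_a]:
        for b in profile[mac_b]:
            if a.sensor == b.sensor and abs(a.when - b.when) <= window:
                hits.add((a.when.date().isoformat(), a.sensor))
    return sorted(hits)


if __name__ == "__main__":
    profile = parse(RAW_CAPTURE)
    phone = "aa:bb:cc:00:11:22"
    print("probes for:", probed_ssids(profile, phone))
    print("likely home network:", likely_home_ssid(profile, phone))
    print("routine:", daily_routine(profile, phone))
    print("coffee at about", usual_hour_at(profile, phone, "Sensor-Coffee-Shop"), "o'clock")
    print("travels with dd:ee:ff:33:44:55 on:", travelled_together(profile, phone, "dd:ee:ff:33:44:55"))
```

Nothing here needs the evil-twin step: every field above comes from probe requests the phone broadcasts unprompted, which is exactly why switching phones off was the audience’s first reaction.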

Finally, they demonstrated all of this using the newly released Maltego Radium tool, which adds powerful visualization to reconnaissance activities (from network enumeration to social network enumeration). The extensible nature of Maltego makes it one of my favorite tools for data analysis.

If you get a chance to see Daniel and Glenn present on this, or any other topic, I strongly encourage you to attend. They are both excellent security minds with a superb ability to communicate.

Maltego is available here : http://www.paterva.com/web6/products/maltego.php


Other notable talks…

Cryptanalysis of the Enigma Machine: (Robert Weiss, Password Crackers Inc and Ben Gatti, OpenVPN)

Robert Weiss and Ben Gatti wrote a tool to crack text encrypted by an Enigma machine.  They gave an excellent description of the history and some of the failures of the Enigma implementation and asked how Alan Turing would have approached the problem with today’s tools.  Their software demonstrated how Enigma-encrypted text can be cracked by examining letter frequencies.  I was surprised to hear that there are still undeciphered Enigma messages out there, so I look forward to seeing if they can help decrypt them.

See more here. http://enigmacrack.com/


Software Security Austerity – Software security debt in modern software development: (Ollie Whitehouse – NCC Group plc)

One of the key elements of Ollie’s presentation was that organizations who tackle the issue of security involvement in the lifecycle now have another problem, namely “what to do with all the issues you find”. Organizations tend to focus on High and Critical vulnerabilities and as a result accrue medium and low vulnerabilities that tend to go unfixed. This is where Ollie positions the concept of software security debt.

As the talk’s abstract states “What happens when you’ve implemented your SDLC or started your security mindfulness activities and got good at finding security issues? Typically you won’t be able to fix them all and as a result you start to accrue vast amounts of known security debt. This is compared to doing nothing and having large amounts of latent security debt.

The presentation will discuss the business realities when dealing with security debt, how these realities can be balanced and why there are parallels with the recent financial austerity measures we’ve seen and what we should learn from recent events.”

You can read an excellent SC Magazine article on this topic here http://www.scmagazineuk.com/paying-off-your-security-debts/article/248652/

And/or obtain Ollie’s paper here: http://www.recx.co.uk/papers.php



An Idiot Abroad:  – Don Bailey – (Capitol Hill Consultants)

Many people know Don from his work on unlocking a Subaru and starting its engine with an Android phone (read more).

In “An Idiot Abroad”, Don demonstrated how the components at the core of traffic control systems, IP cameras, security access units, and electrical control systems, are all affected by security weaknesses. He showed how patterns can be detected in firmware, which allow attackers to find vulnerabilities and critical sections of code quickly and efficiently.

Don’s area of focus seems to highlight that people are working on systems, often deployed in public places, where security hasn’t been a strong consideration in the design.  He pretty much answers the question of “who would want to do that?”.



Hacking and Forensics on the Go:  (Prof. Philip Polstra – Hacker in Residence at University of Dubuque)

Phil introduced “The Deck”, a BeagleBoard configured for hacking and forensics on the go.  The Deck runs an Ubuntu-based Linux OS with many of the tools from BackTrack also present, including: Wireshark, Metasploit (complete with backend database), John the Ripper, remote access tools, nmap, and wifi tools.  The Deck is small, lightweight and doesn’t demand much power, perfect for more covert operation.

Many people left Phil’s talk discussing the potential for creating or extending devices such as those discussed in Daniel and Glenn’s talk (above) and deploying these data collection devices using RC models and/or UAVs.  This sort of deployment neatly defeats a number of physical controls, such as high fences with barbed wire.  Of course, there are many less ‘black hat’ applications possible. As a keen skier, I like the idea of using the heads-up SDK for the Recon goggles and adding a twitter feed, a geographical map of where my buddies are, which restaurants have the shortest queue etc.



2012 in review: Tor and the censorship arms race: (Runa Sandvik – The Tor Project)

Runa provided an overview of Tor and showed how and where it was getting blocked. She described the cat and mouse tactics of seeing the Tor block, then updating Tor to bypass the blocks.  For me, the most interesting Tor block was in Ethiopia. At first glance I wondered why Ethiopia would be interested in blocking Tor, until Runa explained the business relationships between China and Ethiopia.

With censorship/restriction very much in the news (Arab Spring, London Riots 2011), I found this both timely and informative.

Slides available here: http://encrypted.cc/44con-2012-09-07.pdf



IPS Reconnaissance and Enumeration – false positive (ab)use:  ( Arron Finnon – activityim.com)

Arron has been working on IDS and IPS evasion for a number of years and this year looked at using false positives for enumerating infrastructure. As his abstract states “the very reaction to a “False Positive” in the first place may very well reveal more detailed information about defences than you might well think.”

He goes on to state “With a simple crafted email it is possible to tell that clamAV is running on a mail server, or a  simple fake URL parameter could well inform you that SNORT is defending a web application”

Arron is an expert in this field so worth tracking down if you’re working on IPS/IDS solutions.  He’s incredibly approachable and collaborative.



Malware Analysis as a Hobby: (Michael Boman and Siavosh Zarrasvand)

“How can one with limited time and budget create an environment that analyses suspected sites and software for malicious behaviour at speed?”.  As a father of 5, Michael wanted to see how one could simplify the process and make it accessible to the masses.

“I collect malware like stamps with detailed analysis on their behaviour and where they were first seen, where they have been seen and if any sample is more spread than others. I do this on a near non-existent budget (I quit smoking and now spend that money on hardware instead) with almost non-existent time. If I can accomplish this kind of work under those circumstances, how can a well-founded organization go from here”

Chatting over a drink, Michael explained that his goal is to make a low cost device available to the masses (he’s not in this for profit though).  My data-geek nature instantly wondered what interesting relationships and predictions might be observed from taking the output of such malware analysis and turning the data over to Kaggle.com to see what predictions could be made (Kaggle host data science competitions).



I’m the guy your CSO warned you about: (Gavin Ewan – Student at University of Abertay)

I have a conflict of interest here: I’m incredibly interested in psychology in relation to social engineering, so I usually make a beeline to watch Gavin talk.  I first saw Gavin Ewan speak at BSides London, where he gave a fabulous presentation titled ‘A salesman’s guide to social engineering’. It’s available on YouTube and well worth watching, if only for his comedic genius.

At 44Con he gave another superb talk looking at what tools a hypothetical bad guy (or gal) could use against an organization. The aim of this talk is to raise awareness of how much damage a bad guy can do with only a handful of tools and an internet connection, social engineering for the modern age.



Securing the Internet: YOU’re doing it wrong (An INFOSEC Intervention):  (Jayson Street – CIO Stratagem 1 Solutions)

Finally, Jayson Street gave a passionate talk about the state of the security community, encouraging new blood to get involved and old blood to leave their egos at the door.  His point (or my interpretation of it) is largely that some of the “InfoSec rock stars” are quick to shoot down new contributors to the security community, ultimately stifling the sharing of ideas and information.

Jayson then ‘walked the talk’ so to speak, by talking to more people than most.  His “Awkward Hug” initiative really captured the imagination of Con-goers; even palace guards couldn’t escape one.  While it may seem whimsical, it really seems to send out a fun and positive message.


Talks I didn’t get to see, but heard good things about.


I’m sure I’ll hear of more.




My biggest takeaway was that the ubiquity of lightweight, portable devices, coupled with the ease of deploying them, makes all manner of enumeration and analysis more pervasive and more discreet. Whether it’s in relation to Daniel and Glenn’s talk or to malware analysis, it’s clear that the future is small, powerful and easy to hide. If I think about my interest in psychology and Gavin Ewan’s talk, it looks like momentum and research are building in relation to layer 8 attacks, with these small, portable devices being the perfect (if spooky) accompaniment.


Finally, finding ways to get what you really want out of the data will likely be an increasingly important skillset for security pros and, in one field at least, is something the guys at Paterva (Maltego) have been working on for a long time at an accessible price. It’s encouraging to see the fields of security and data science grow as they are doing.



Note: For those looking at the Carbon Black demo on the USB wrist band, it seems that it didn’t include a couple of useful PDF files on there. Visit this link http://44con.com/2012/09/10/44con-usb-carbon-black-404/#more to read more.




Don’t #menshn misleading users about your security

This weekend, Louise, the Conservative MP for Corby, and her business partner Luke Bozier launched a new social site called Menshn.

The biggest problem I have with the launch was the blatant untruths about security that went with it and put its users at unnecessary risk. Here’s a quick summary.

Many people pointed out that passwords were being sent over unencrypted links (HTTP rather than HTTPS), yet this is what Louise and Luke were telling their users.

“the password stuff was all guff”


“security issues are unfounded”


These blatant untruths worry me deeply.  It’s not that they’re misleading people about the security of their site (that’s small beer in many respects), it’s that politicians and politicos find it so very easy to mislead (lie to?) the public when they have been made aware of the truth.  If they can mislead people about something so obvious, what else are they actively misleading us about every single day?

When the public are misled in such a manner, what hope is there for informed political debate? Who is holding politicians to account?  Sure, there’s an argument that they trusted their advisers, but I’m aware of at least 3 people who contacted them to articulate the password issues with Menshn. Selecting which advice to listen to and then spinning that version of the “truth” to the general public is not new (http://www.guardian.co.uk/science/2012/feb/29/scientific-advisers-ignored-lords-report) but it is getting tired. How much longer will the public put up with being fed lie after lie (whether it’s intentional or not)?


What’s that? They’re not lying? Prove it?

Well, generally proving security is a dangerous game that can land you in court, prison and, if you’re really unlucky, wearing an orange boiler suit; however, you can monitor your own traffic on your own computer.

I downloaded a program called Fiddler2, which I use for testing my own code.  Fiddler2 looks at the network traffic between your browser and the web server you’re talking to. It’s incredibly useful for debugging your own site(s), and it’s also useful for seeing how other sites protect your data.

Here’s a screenshot of the login process on Menshn as it stood on Friday (and up until about midnight Sunday 24th June). Notice that it’s running over HTTP?

Login process clearly over HTTP (Not HTTPS)

What’s the problem with that? Well, in order for your computer to request and obtain a web page from Menshn.com, a network connection must be established which passes over a number of links (other computers, network equipment etc).  ANY device on that path can read ALL of the HTTP traffic passing through it, because HTTP carries everything in clear text. The following picture shows what any of those computers/devices could have seen in relation to my account.

The black bars cover my email, password and alias


It may look like gibberish, but the black bars are covering the email I registered with, the password I used and the alias I signed up with on Menshn.

Despite what Louise and Luke may try and tell you, this means that if you logged in prior to around midnight Sunday (24th June) your password was transmitted to menshn.com in clear text.  As a number of friends put it, this is like shouting your password to a friend on the other side of a crowded room (to be fair, it doesn’t necessarily mean anyone intercepted your password).


What’s the problem with that? It’s only a problem if your computer has been hacked right? WRONG!

If one of those links is malicious, or if any part of the path is rerouted by whatever means (and there are many), your password (well, anything sent in clear text) is at risk.  Here’s an interesting news article about an incident in which Internet traffic was rerouted via China for a short period of time: http://www.washingtontimes.com/news/2010/nov/15/internet-traffic-was-routed-via-chinese-servers/.


It’s not just the passwords that the bad guys are after either

Something called the session cookie is also at risk, but you don’t need to take my word on that. World leading security expert Bruce Schneier explains the issue in beautifully simple terms on his blog, in relation to a tool called Firesheep that was used to demonstrate the issue in Facebook before it was addressed.

“Firesheep is a new Firefox plugin that makes it easy for you to hijack other people’s social network connections. Basically, Facebook authenticates clients with cookies. If someone is using a public WiFi connection, the cookies are sniffable. Firesheep uses WinPcap to capture and display the authentication information for accounts it sees, allowing you to hijack the connection.”
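To make the two points above concrete (the clear-text password, and the session cookie a Firesheep-style sniffer goes after), here is an added example, not part of the original post, that audits a login exchange in the form a proxy such as Fiddler shows it. The request and response are constructed for the example; the hostname, field names and cookie names are invented.

```python
"""Audit a captured login exchange for clear-text credentials and cookies a
sniffer on shared Wi-Fi could replay.

Added example, not from the original post. The request/response strings are
constructed to resemble a proxy capture; host, fields and cookies are made up.
"""
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed capture: a login POST over plain HTTP (absolute-form target, as a
# proxy logs it) and the server's reply setting a session cookie.
CAPTURED_REQUEST = (
    "POST http://www.example-social.test/login HTTP/1.1\r\n"
    "Host: www.example-social.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "email=alice%40example.test&password=Winter2012%21&alias=alice"
)
CAPTURED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: sessionid=8f3a9c0e2b; Path=/\r\n"
    "Set-Cookie: remember=1; Path=/; Secure; HttpOnly\r\n"
    "Location: http://www.example-social.test/home\r\n"
    "\r\n"
)

# Form field names that should never travel in the clear.
SECRET_FIELDS = {"password", "passwd", "pass", "pwd", "pin"}


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into method, target, lowercased headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def cleartext_secrets(raw_request: str) -> List[str]:
    """Names of secret fields (query string or body) sent over plain HTTP.
    Returns [] when the request went over HTTPS: the path can still see the
    connection, but not its contents."""
    _method, target, _headers, body = parse_request(raw_request)
    url = urlsplit(target)
    if url.scheme.lower() == "https":
        return []
    fields = set(parse_qs(url.query)) | set(parse_qs(body))
    return sorted(f for f in fields if f.lower() in SECRET_FIELDS)


def parse_set_cookies(raw_response: str) -> List[Tuple[str, set]]:
    """[(cookie name, {lowercased attribute names})] from every Set-Cookie header."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0].strip()
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        cookies.append((cookie_name, attrs))
    return cookies


def sniffable_cookies(raw_response: str) -> Dict[str, List[str]]:
    """Cookies missing Secure (browser will send them over any http:// link, so a
    Firesheep-style sniffer can replay them) or HttpOnly (readable by script)."""
    findings = {}
    for name, attrs in parse_set_cookies(raw_response):
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


def audit(raw_request: str, raw_response: str) -> Dict[str, object]:
    return {
        "cleartext_secrets": cleartext_secrets(raw_request),
        "weak_cookies": sniffable_cookies(raw_response),
    }


if __name__ == "__main__":
    print(audit(CAPTURED_REQUEST, CAPTURED_RESPONSE))
    # Same exchange after the site moved its login to HTTPS: the password is no
    # longer exposed, but the session cookie still is until it gets Secure/HttpOnly.
    print(audit(CAPTURED_REQUEST.replace("http://", "https://", 1), CAPTURED_RESPONSE))
```

The second run in the usage block is the point about HTTPS not being the end of the story: moving the login form to HTTPS stops the password leaking, but a session cookie set without the Secure flag will still be sent by the browser the next time it follows any http:// link to the site, which is exactly the cookie Firesheep collects.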


Has your password been obtained by hackers?

The truth is that no one will ever really know (unless someone has actually obtained passwords already and goes public – let’s hope not), so the question you have to ask yourself when you’re submitting passwords over any HTTP connections is whether you’re feeling lucky.


A question of trust in politics

The more troubling question is, if politicians and people involved in politics can mislead the public so very easily, what hope does society have when truly critical issues are discussed? (weapons of mass destruction anyone?).

I’d love to hear Louise or Luke be honest and open about the issues they had with the site. Ultimately that would restore some trust and give its users the chance to change passwords elsewhere if they used the same password for other sites. They’d also do well to consider the recent LinkedIn password issues, documented here http://www.theregister.co.uk/2012/06/21/linkedin_class_action_suit_password_leak/


Is it Fixed?

Since around midnight Sunday (24th June), Menshn implemented HTTPS, which is intended to protect the connection between your computer and the web-server.  It’s a good start, but NEVER be fooled into thinking HTTPS or the Padlock mean the site you are on is bulletproof. In fact, the bolder the claims of security, the more cautious I’d be.





For some balance, I do like the name Menshn. I found myself, despite my best intentions, thinking of the site every time anyone uttered the word ‘mention’. Probably means the name works well.


Should I be ranting about this?  Maybe, maybe not.  I’m not trolling though (let’s be clear on that).   It’s true that a number of other popular sites have terrible password and other security issues; however, those sites are not run by a Member of Parliament, someone who should serve the public interest.  Something sits very uncomfortably with me when I see an MP blatantly mislead the public about something they have been made aware of by many people, something that they surely wouldn’t have fixed if it wasn’t a problem. To me, TRUST is critical in politicians and it’s never been in shorter supply. That is why I put finger to keyboard.

