Donkey On A Waffle
Race To Zero - Results
Mon, 18 Aug 2008 11:07

The Race to Zero results are in. And the winner was a group of three consultants from Mandiant Security. While I've only read a single report of the results, it sounds like the Mandiant guys really had their stuff together and used a combination of custom packing code and manual modification of binaries. They may not have been the quickest team to complete the race, but they were the most detail oriented and were able to pass all ten challenges presented to them. Kudos go to these guys and their hard work.

If you recall from a previous blog post, I suggested a "simple" idea of creating a "new" packing routine and simply using that to modify and thus pass the AV checks in the race. Well, it turns out the fastest team to compete did exactly that. Team "retem" from the security firm Damballa finished the contest in 2 hours and 25 minutes, making them the fastest team in the competition. They were able to pass 7 of the 10 challenges using their custom packing solution.

"You can take any malware sample and pack it with an original packer, go to VirusTotal and get zero of 32 detections," [Paul Royal of Damballa] said.

I'm still not sure of the why of this competition; however, it appears as if some good may be coming from it. If the end result is that companies and the general public don't rely on AV as a silver bullet, then maybe there was indeed a silver lining to the event. I doubt it's going to get the AV industry to attempt to work any harder at creating new methods of detection (they presumably are already researching new techniques as hard as they financially can), but if a single organization stops relying on AV as a sole layer of security, then the effort has been worthwhile.


I'M THE DJ!
Thu, 31 Jul 2008 09:35

Man, why didn't I think of this? I've seen video of people social engineering their way through many restricted areas in the past; some claiming to have forgotten something in the target locations, others claiming to be Jason Biggs of American Pie fame. None of them are quite as simple, and effective, as just claiming you're the DJ! Watch as this man gets into every club he tries just by claiming he's the DJ and is spinning shortly. Watch to the end of the video to see some reasonably funny attempts at DJ social engineering in completely random places.


Learn how to hack at 5min.com

Shamelessly ganked from Schneier's Blog because I found it funny


Steve Jobs the "arrogant [expletive]"
Mon, 28 Jul 2008 09:57

A friend just passed me a link to this wonderful article about the public disclosure of the health of executive officers of a company.

Right now there are no laws/rules in place with the United States government or SEC that require senior management and other high-ranking officials to disclose serious illness to stockholders. Part of me agrees completely with this in that the health of an individual is a private matter and should not have to be disclosed to the public. The inventor part of me says screw that!

The particular CEO in the article is none other than Apple Computer's CEO, Steve Jobs. In the past, Steve has been diagnosed with a tumor on his pancreas that was "cured" with surgery. He has recently been seen in public looking very haggard and slim. When called on his health, Apple's only public response was: "Steve loves Apple, Steve's health is a private matter."

So this begs the question: should a publicly traded company be required to disclose serious health issues about its senior management team? In most cases it wouldn't matter all that much, but in this case the implications are HUGE. Without Jobs, Apple is far less of a company. His track record of innovation and marketing excellence is what keeps the Apple stock price at a staggering, out-of-control high. If he were to fall seriously ill, Apple stock would (and rightfully should) plummet.

So should companies be required to report on the health of their senior management team? They all have to get physicals for insurance, so why not make them disclose their results to the world? Thoughts?

Oh, and one other thing: there really are some awesome quote magnets out there, and much like Linus Torvalds, Steve Jobs doesn't disappoint:

"This is Steve Jobs. You think I'm an arrogant [expletive] who thinks he's above the law, and I think you're a slime bucket who gets most of his facts wrong." (Quoted from NY Times article located here)


It's the end of the TUBES! Thanks Dan!
Thu, 24 Jul 2008 16:16

The vulnerability is real, and the risk is high. Patch your stuff.

I'm currently sitting in on the Dan Kaminsky Blackhat Webinar. There was not a whole lot of interesting technical details revealed that aren't already public facing. The majority of the discussion was begging and pleading people to implement the patches for this problem.

Dan made a point of stating that the leak of the vulnerability details is not an issue at this point, instead, and rightfully so, focusing the discussion on getting the world to patch.

-------------------------

Some notable quotes from the webinar are inline below:

- "At least two exploits packs have been released in the last 24 hours"

- "86% down to 52% percent vulnerable targets thanks to our group's disclosure effort"

- "Where do we go from here? Oh there's going to be an awesome debate on that!"

And my favorite...

- "It's in Metasploit now, it's going to destroy us!" - Dan Kaminsky

-------------------------

What's my take on it?

One thing that the entire debacle reinforces is that responsible disclosure does work (to a degree). The major issue with the process as executed was that too much self-promotion, by many different hands, was involved, thus causing other researchers to jump all over it and eventually leak the details to the world. The circle was made too big with no accountability for people who didn't keep things secret. When money is involved nothing will be kept secret. All a researcher can do is his/her best to get things secure before releasing the details of the vulnerability to the general public. Dan did what he could and I applaud him for the good-faith effort that he made.

Would it have been safer to just have Dan K suck it up and let people think he was full of crap instead of bringing in a trusted circle of researchers to confirm his findings? Possibly.

Would people have patched without having additional third party independent researchers confirm Dan's findings? Possibly not.

Would full disclosure have made the Internet more secure at a faster rate? Absolutely not.

In a future blog post we'll debate the validity of weaponizing this vulnerability within days of disclosure. Was this good, bad, or indifferent? Criminal? Good for the world? What are your thoughts?


Blackhat Approaching
Mon, 21 Jul 2008 15:05

The big show is rapidly approaching. Once again, yours truly did not prepare anything to speak about, instead choosing to spend the entire week socializing and doing very little work of technical value. I'm arriving on Tuesday Aug 5th, and staying until Sunday Aug 10th all at Caesar's Palace Hotel and Casino. I've planned out my two days of Blackhat talks here (in an easy to read calendar) and hope to be twittering and blogging throughout each day. I usually fail miserably at the live blogging thing due to my high enjoyment factor of Las Vegas, but I'll do what I can.

I'm always available for impromptu gatherings and libations so if you plan on being at Blackhat this year drop me a line via email and we'll plan a time/place to meet. If you think there are better talks than what I plan to see, let's hear about it in the comments. I can easily be swayed. See you at the show.


Linus on Information Security People
Wed, 16 Jul 2008 10:25

Our favorite quote machine, Linus Torvalds, in a recent email to a Linux kernel developers' mailing list, had this to say:

On Tue, 15 Jul 2008, Linus Torvalds wrote:

> So as far as I'm concerned, "disclosing" is the fixing of the bug. It's the "look at the source" approach.

Btw, and you may not like this, since you are so focused on security, one reason I refuse to bother with the whole security circus is that I think it glorifies - and thus encourages - the wrong behavior.

It makes "heroes" out of security people, as if the people who don't just fix normal bugs aren't as important.

In fact, all the boring normal bugs are _way_ more important, just because there's a lot more of them. I don't think some spectacular security hole should be glorified or cared about as being any more "special" than a random spectacular crash due to bad locking.

Security people are often the black-and-white kind of people that I can't stand. I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them.

To me, security is important. But it's no less important than everything *else* that is also important!

Linus

Well here's to you Linus! Three cheers and a wonderful dirty picture!


The Last Lecture
Tue, 08 Jul 2008 11:47

Inspiring and life changing. Rarely can you say that a book is these things, but this book (and the associated lecture I already blogged about) could be considered both. Randy Pausch is a computer science professor at CMU who is terminally ill. This book accompanies the Last Lecture that has been an Internet phenomenon. I won't go into much detail here, instead telling you to watch the lecture that I have linked in a previous blog post, and if you find that inspirational, buy this book. 5 out of 5 donkeys!


Einstein: His Life and Universe
Tue, 08 Jul 2008 11:32

HUGE! That's the first thing that comes to mind when you pick up the book Einstein: His Life and Universe. This 2+ pound monster has over 700 pages detailing the history and life of one of the greatest scientific minds in history. The book recounts the man from his youthful days as a German child through his death while residing in the United States. Einstein's aversion to authority and the accepted norm led him to imagine and create some of the most revolutionary physics theories of all time. From his personal life to his life philosophies, this portrait of Einstein gives insight into the details of a man that was so complex we can only hope to understand his basic models of thought.

I highly recommend this book for someone who has a month's worth of free time to delve into the minute details of history. A high-level understanding of physics is important but not mandatory to enjoy the text. "Einstein: His Life and Universe" receives 4/5 donkeys, only losing points due to the month plus it took me to digest it.


Micro-Blogging and Twitter
Fri, 27 Jun 2008 18:55

The jury is still out on Twitter. Micro-Blogging is for the times between face to face meetings, major blog posts, emails, instant messages, and phone calls. As if we don't have enough ways to communicate already, it appears as if we needed a way to publish every 10 seconds "what we are doing".

My first thought is "why?!". Do we really need to update everyone out there every time we eat a meal or take a shower? I'm doing my best to keep an open mind and I'm trying to give it a fair go, but I'm just not ready to see the benefit of this new technology. At best Twitter can be used to update people with regards to your current location so they can meet up with you at a local pub. To me it seems like a broadcast based IM system with mappings to SMS phone technologies. Maybe I'm just missing the point of it all.

I'm not even going to get into the privacy issues that are apparent with technologies like this. If people don't keep in mind what they are posting about they are likely to give away far too much information to the world. This is a much bigger problem than just Twitter (Facebook, Myspace, blogs in general, etc).

If you use and actually like micro-blogging technologies like Twitter, please leave a comment and explain why. Help me get into the year 2008.


Scrawlr: Why?
Wed, 25 Jun 2008 15:06

This just in from the land of "Beenthere", a city in the great state of "Donethat". Scrawlr is a new tool that can "detect" SQL injection flaws in web sites. Well... sort of. It doesn't detect blind injection points, it doesn't support authentication, it has a limitation on the number of pages it will crawl, and it won't even execute POSTs. That's about as useless as a no-armed man playing basketball. Unless his name is Pele, he's pretty worthless.

While I can't fault HP and the SPI Dynamics team for releasing the tool for free, I can certainly say it's all been done before, and done better by others. I just did a quick Google search for "SQL Injection Tools" and the very first link contains no less than 10 tools that claim to both find and exploit SQL injection flaws. I know for a fact that at least one of these tools exploits blind injections and supports most authentication and POSTs (I helped debug it, so I speak first hand).

To summarize, this tool release just sounds like a half-assed attempt to capitalize on the recent "Mass SQL Injection" attacks that have occurred on the Internet. Come on HP, get your stuff together. This is at best a marketing effort wrapped in technical freebie clothing. Everyone should feel free to use the tool if it will help them, but know that there are better free solutions out there.
