//Home

So way off topic, but since it was on Encore the other day and I couldn’t resist watching it again (yes, it is a horrible movie) I noticed a few things that were predicted correctly in a movie from 1995. For one, the need for more storage (and data) is written in as Johnny’s need to store the PharamaKom data, which ends up being the cure for “the shakes” or NAS. He doubles his capacity to a whopping 160GB by using a memory doubler, but is somehow able to get 320GB into his head….odd, I tried this with a flash drive once and it didn’t work. Maybe because it wasn’t implanted in my brain, who knows? Also, did you notice the rate at which he can transfer data is about 1000 times faster than USB 3.0 or Thunderbolt? Ironic considering the data is being fed from an optical reader and a small CD-ROM disc. Anyway, larger data sets requires faster transfer mechanisms to removable media. There is also part of the plot centered on the internet and his ability to break into systems to get information, such as the location of the copy shop where the encryption key for the data in his head was sent. Yes, it also covered protection of data at rest with encryption as well. I know this is a stretch, but listen closely when he’s in the computer shop with the bodyguard for the first time. He asked her to get a bunch of stuff, apparently so he can connect to the internet. One of the items is an iPhone…that’s right, although he called it a Thompson iPhone he says it nonetheless. And yes, also that large corporations aren’t happy when they lose control of data, especially competitive data which could be used to ruin revenue streams. Also, since NAS is related to too much technology (as told to us by Henry Rollins), isn’t that the same as ADHD today?

The only part that doesn’t seem to be correctly predicted is the resistance. The “LoTeks”, who live in Newark on an abandoned bridge and are led by Ice-T, are the resistance against the evil corporations. The part that isn’t correct, and I’m drawing a line to Anonymous/LulzSec here, is that the resistance despises technology…their resistance is based on the fact that they refuse to use it. Given that resistance today seems to be very technology heavy my opinion is that this part was incorrectly predicted. Or is this change in resistance from heavy technology to no technology yet to come? You decide. If you’re hedging your bets that the movie is correct start buying land to create a technolgy-less hippy commune today in Montana (sorry Montana). All of that aside, the resistance still does get the data in the end, so they needed to rely on technology, which seems to go against their principals…so maybe you should hold off on that land grab. Then again the movie is set 10 years from now (2021)…so I’m back on the land grab wagon.

Final note, someone find me the laser lasso thumb thingy the Yakuza guy has and I will gladly pay you Tuesday for a laser lasso thingy today…that is all.

While I found the article on your personal thoughts and opinions about the recent LulzSec activity interesting, I can’t quite entirely agree. Is it bad that people’s information got dumped? Sure. Did I find it funny? Somewhat (blame my upbringing on the Internet for that one). Did the attacks get us talking about security again? Yes. Should organizations be doing more to secure their infrastructure and applications in the first place? Absolutely. Was all of this LulzSec’s true intention? Who the hell knows.

All of that aside, the one comment from your posting which I believe is way off is:

“When you attack someone for fun, all you do is contribute to the picture some execs have of security pros as young punks who care more about notoriety than about helping them secure their infrastructure”.

Really? You sincerely believe an executive is sitting in their office right now going…”Hell, I better get down to IT and watch those young punk security folks we hired, they may be up to no good or hacking stuff for notoriety”. Or do you think it is more likely they are sitting there saying, “Damn, we aren’t paying enough attention to them when they bring up issues with our security. How do we make it better?” I’d like to think it is the latter; at least that is what the little practical guy inside my head and real world experience is telling me.

Since the internet is “free” and I’m open to sharing, here are my thoughts:

1. The attacks shed light on the fact that we are, as a whole, fairly insecure even in 2011. We’d like to think that is not the case but the sad reality is that it is true.

2. We’d like to think we just learned about security and are behind because of our late entry into the game, but that is definitely not the case. We’ve been at this since NT4, and RACF before that.

3. Secure application development (oxymoron) has a long way to go. Does anyone else find it ironic that we can’t even say injection anymore and that it has to be shortened to SQLi because we say it so much?

4. These attacks have been going on without our knowledge for some time, by LulzSec or others who don’t have a Twitter account with witty sayings and posts. At least LulzSec released the files so everyone could see what was accessed…which saves a ton of time on the initial incident response from my perspective.

5. How many people does China have dedicated to infosec warfare again? Last time I checked I didn’t see any tweets from them telling me my data was available via torrents.

6. The media will report on anything as “fact”, true facts will be determined later. Must. publish. first.

So, we can write them off as “a bunch of punk kids”…or, we can take a lesson and move on.  I pick option number 9000, I mean 2.

Ok, so this is actually unrelated to what I was planning on posting, which was GPU brute-force password cracking and some stats I pulled using Multiforcer and different nVidia cards I had laying around.  In order to get Multiforcer to run I needed to update my nVidia driver to the latest version, which is 266.58.  The problem is I have a Westinghouse LM2410 monitor that has the good old EDID issue with the nVidia drivers.  No problem, easy fix right?  Modify the inf file with the correct values for my monitor in the OverrideEDIDFlags0 and we are back in business.  Problem is that, with the new driver anyway, adding the binary value for the EDID override via the inf file on Windows 7 64-bit doesn’t seem to actually add the value to the required key.  But, as this approach was simply adding a binary value to the registry during install, and it is just as easy to add it manually post driver install.  If you’re not familiar here are some simple steps to manually add the value:

1. Run regedit, find the Video key under HKLM/System/CurrentControlSet/Control/Video

2. Inside you should see a bunch of GUIDs, open each one until you find the one with two folders, 0000 and 0001, that also have subkeys of Display, Settings, and VolatileSettings.

3. Create a .reg file to add this key, or do it manually.  The binary value you need to add under the 0000 key is going to be specific to your monitor, so if you don’t have a LM2410 then do not use these settings.  Here is what I added (right click in in the pane showing the contents of the 0000 key, choose new -> binary value):

Value name: OverrideEdidFlags0 (that’s a zero)

Value: 5c,85,80,51,00,ff,ff,04,00,00,00,7e,01,00

4. Reboot and your LM2410 should now be recognized as a monitor, not a HDTV, and should look good as new.

If you don’t have the LM2410 monitor then this probably isn’t going to help you.  I know other people have posted this issue and solutions for Acer and Viewsonic monitors on other sites…good luck.  Now I can brute-force those damn NTLM hashes and not strain my eyes doing so.  Hope this works for you.

for those who are unfamiliar, mailinator is a site/service that accepts and temporarily stores any e-mail it receives. that’s right, any e-mail received by the mailinator mail servers is shuffled into the appropriate inbox as if it already existed.  you simply choose which @mailinator.com e-mail address you would like, regardless of whether or not it has been used in the past, and use it as if it were your own.  this makes it extremely useful when, for example, you are required to register for a site in order to download a white-paper.  or, perhaps you would prefer not to use your @gmail.com address when browsing myhotmatez.com.

while recently using the site an idea came to me suddenly — if i were to mine data from mailinator inboxes, could i find anything interesting?  i was curious to find out whether people used this service for legitimate reasons or if it was merely a  dumping ground for spam.  to entice me, i realized mailinator allows you to access an inbox by appending the username to the following url http://www.mailinator.com/maildir.jsp?email=x (where x is the username).

so, i fired up vi and began piecing together a python script to automate the discovery and reporting of messages across multiple inboxes.  the logic was simple:

1. read in a list of words (i.e., usernames).
2. for each word pull down a listing of the current e-mails for that inbox.
3. for each e-mail strip out the ‘from:’ and ‘subject:’ fields.
4. write this information to csv in the format [username, from:, subject:, url] (where url is a link to the full e-mail message).
5. boom, review.

after completing the script, i began by slowly feeding it lists of 5 to 10 usernames — mostly names of actual people (e.g., bob, sarah, frank).  even though i was able to scrape hundreds of e-mails, 99% of them were easily identifiable as spam.  i then proceeded to words that could be associated with a specific task someone was trying to accomplish (e.g., code, temp, password, exchange).  while still mostly spam, i managed to find a few interesting tidbits:

it looks as though lesley lupo was concerned about her wildlife points in zooworld.  ok, maybe this isn’t that interesting but i did find it odd that someone would register a mailinator e-mail address for a service (zooworld) that accepts payments — where they are actively purchasing goods.  the next one struck me as a little concerning:

you’ll notice i blurred sections of the e-mail out.  that’s because it contains Robert’s full contact information including the company he works for.  i can imagine that someone with a bit more time could easily modify the script to look for these types of sections within an e-mail.  jackpot.

i’m continuing to mine for this type of data using various sets of usernames.  i expect to post updates as i find more interesting information.  my main reason for publishing this now is to gather ideas for improvement of the script and mostly because i know if i didn’t post it now, i never would.  here are a few ideas for next steps:

• add logic to filter messages with subject lines including specific words (e.g., free, discount, xanax).
• pull down and store the entire e-mail message locally (messages are regularly pruned on mailinator servers).
• extract the originating mailserver ip to graph the distribution of messages across their source.
• tidy up my python code and define functions for each task.

/edit i forgot to mention the name of the file where usernames are read should be titled ‘words.txt’ and be in the same directory as mailinator.py.

So the tactic has been around for a while.  A quick search found this posting by Neal Schaffer, http://windmillnetworking.com/2009/05/21/fake-linkedin-profile-how-to-spot/, in which the fake profiles use the same method as the profiles I found.  The big difference is that these fake profiles targeted people not in security but those who are “specialists in social media”…which means it is more than likely that “sets” of fake profiles exist to target different groups (i.e. security, IT, marketing, etc.).

Note that this is not the same as the Robin Sage or Marcus Ranum fake profile experiments.

The author brought up a good point here, and a question I posed to LinkedIn directly…why can’t LinkedIn police this?  They have direct access to the data and I’m sure finding similar profiles based on a set of simple logic shouldn’t be that difficult to data mine…right?  So far their response has been: “We don’t have an answer yet.”

Sorry, but my curiosity got the best of me on this one and I dug a little deeper into the fake profile issue and it seems I only hit the tip of the iceberg before.  I originally found 15 fake information security profiles, but that was because I limited my search to a specific job title in New York.  The set of job titles I’ve identified that are associated with the fake profiles are (for the current title, case left as they used it in the title):

• Information Security Manager
• Information Technology and Services Consultant
• Database Security Analyst
• Security Operations Manager
• IT security Manager
• It Risk Manager
• Information Security Senior Consultant
• System Security Manager

Again, all of the profiles show the “Greater New York Area” as the location.  If you’re doing a search on LinkedIn just choose one of the titles above along with a limitation within 50 miles of the 10001 zip code.  I stopped tracking the companies and universities they used in creating the profiles as it became too large of a list to be useful.  The job descriptions are usually enough to give them away as they are weak and don’t make sense.

Let me go back to my assumption this was scripted, and they suck at scripting.  Case in point:

Let’s take a look at my boy Dwayne (http://www.linkedin.com/pub/dwayne-larson/24/799/720).  In addition to his killer profile photo, check out his past positions.  Seems the script was supposed to randomly choose a company name that started with a “V” for his job between 2002 and 2007…hmmm, it seems to have gone a little haywire here.  And how about my boy Alexander’s title (http://www.linkedin.com/pub/alexander-baldwin/20/b43/a9b) of Security Solutions ManaIT Project Managerger.  Don’t know about you, but I wouldn’t hire a guy who couldn’t spell his own title.

One other interesting twist is the use of recommendations, links to the company website, and information in the summary section.  This all goes to make the profile look more legit.  Take for example our guy Gary (http://www.linkedin.com/pub/gary-jacobson/24/398/b04)…that’s funny, looks just like Ross’ summary, which appears legit (http://www.linkedin.com/in/rossboulton).

Let’s look at some recommendations.  Harry (http://www.linkedin.com/pub/harry-bright/23/904/71b) took the time to recommend his buddy Stuart Michael (tp://www.linkedin.com/pub/stuart-michael/24/1bb/440).  What a nice guy…too bad both are fake.

Finally, some numbers.  I’ve identified 123 fake infosec profiles with connection numbers ranging from 52 to 500+, with the average number of connections at 250 for each profile.  So, does LinkedIn even care?

I’m sure we’ve all seen the fake Facebook profiles by now….something along the lines of an invite from an attractive young woman with wall posts related to some “hot new pics” that she just took.  Sure, you have to click on the link to see the pics, which then promptly redirects the browser and attempts to exploit some vulnerability on your machine and install malware.  But what about the profiles that do little else than, 1.) appear to be legit, 2.) ask to be connected to you, and 3.) do nothing else (or so you think)? 

Being a security professional I’m always a bit skeptical when I get an invite to connect with someone on LinkedIn and a few things throw up red flags when I review the profile.  Do you live near me?  Do you work for a client of mine?  Did we go to the same school?  And most importantly, do we have any connections in common?  Being that security is a fairly small community I would find it odd that you know me but don’t know anyone else that I know. 

Last week I received an invite from someone in NY who is working as a senior information security consultant for a big name firm.  Interesting, but we didn’t have any connections in common and I didn’t know the person so I let it sit in my inbox for later review.  This week I received another similar invite from someone in NY, with a similar title working for another big name company.  One thing that caught my eye was the year the person graduated college.  While I have a decent ability to remember names my brain has been wired in such a way that numbers tend to stick.  So when I noticed they both had a MS in Computer Science and graduated in 2000 I became a little suspicious.  Looking back at the previous invite I noticed they had the same title, during the same period of time, and only the company name was different.  A review of these two prompted some further research.  Here is what I found:

The fake profiles, 15 in all, used to mine your connections and probably map the infosec community, may have been generated by a script.  But possibly not as there are some oddities with some of the profiles that make them appear to be created by hand…either way, someone had some time or they suck at scripting.  Regardless, if you get an invite to connect on LinkedIn here are some things to look for:

Location:

• The person is from the Greater New York Area

Current Title:

• Senior IT Security Consultant at * (replace * with the company list below)

College years:

•  Either 1995-2000 (8 of 15) or 1996-2001(7 of 15)

Schools used (all with a major of MsC in Computer Science):

• University of Illinois at Urbana-Champaign
• Cornell
• Purdue
• The University of Texas at Austin
• University of Michigan
• University of Wisconsin-Madison
• University of Maryland College Park

Current position description:

• Too long to post, but it doesn’t make sense as some of it overlaps, includes ISO 27000/270005, and has some random ending information such as “network assessment”.  It was probably lifted from someone’s actual job description.

Job titles (seem to be randomly paired with a company):

• Information Security Manager
• Information Technology and Services Consultant
• Information Security Consultant
• Senior IT Security Consultant
• IT Project Manager
• Database Security Analyst
• System Security Manager
• CISSP (and sometimes lowercase cissp)…maybe some issues with the script?

Organizations/Companies:

• Accenture
• IBM
• Cognizant Technology Solutions
• Sun
• Xerox
• Texas Instruments
• Oracle
• Cisco
• Verizon
• Symantec
• E&Y
• Microsoft
• EMC
• Adobe
• HP
• KPMG
• PWC

Profile Names (** means they used the 1996-2001 grad years):

• John Porter
• John Blum
• Paul Kane
• Ben McBride
• Michael Gardner**
• John Wayne
• Daniel Webster
• John B.
• Neil B.
• Bob D.**
• Bill P.**
• Zachary T.
• John M.**
• Cliff B.**
• John B. **

Yes, you may have noticed I have access to some of the last names…and that is because someone that is connected to me has accepted one of these fake profiles as a connection.  I’m actually upset that I didn’t think of this.  What better way to map the security resources at various companies?  I started wondering a while ago if we could use the API to script a pull of public data and then do some quick analysis to see where everyone ends up once they leave a particular company.  Maybe that is already happening?

Finally, I’ll let you figure the impact out, but these fake profiles have between 80 and 476 connections with an average of 321 per profile.

This post is only meant to shed some light on the data mining issues within LinkedIn specific to the InfoSec community.  I’m sure this is happening in other fields as well…so if you’ve seen this please post in the comments section.