Stealing Guests…For a Free Hard Drive

Posted in Conferences, Events, ShmooCon on February 2, 2010 by Tony Flick

During the Stealing Guests…The VMware Way presentation at ShmooCon this weekend, FYRM will be holding a contest to give away an external hard drive. The first person to exploit the discussed vulnerability on the target virtual machine and yell out the hidden phrase will win the hard drive.

In the presentation, a Perl script will be released to easily exploit the vulnerability. The to-be-released tool runs on Mac OS X (with MacPorts) and most Linux distros. Currently, the tool requires the following Perl dependencies:

  • LWP::Simple
  • XML::Simple
  • Data::Dumper
  • Crypt::SSLeay

Bring your laptops and netbooks to the presentation to try the tool and win the hard drive. Check back often for any updates.

XAB Presentation @ USF Whitehatters Club

Posted in Application Security, Events on January 27, 2010 by Tony Flick

Matt and I will be giving a presentation on XAB (Cross Site Scripting Anonymous Browser) at the University of South Florida’s Whitehatters Computer Security Club’s next meeting on January 29th at 5:00PM. If you are a student at USF interested in learning about computer security, I highly encourage you to get involved with the club. See you there!

Security Awareness for Fourth Graders

Posted in Events, Security Awareness on January 24, 2010 by Tony Flick

Back in November, I had the opportunity to take part in the Great American Teach In. This event takes place at schools around the Tampa, FL area and invites local volunteers to come into the classrooms to teach kids about their job. The objective is to familiarize kids with differing careers and hopefully get them excited so that they do well in school. For my experience, I spoke to a group of 4th graders regarding online safety and security. I figured a lesson in online safety would be more beneficial than teaching them the latest social engineering techniques or how to execute a cross-site scripting attack that pops up an alert box with their friend’s name in it. I can only imagine what would happen with the kids going home and telling their parents that “Mr. Flick taught me the best way to break into data centers.” For full-disclosure purposes, my hidden agenda in this blog entry is to convince you to volunteer next year and potentially provide some tips if you do volunteer. While this event was in the Tampa, FL area, most schools have a similar type of event.

I tried to keep the PowerPoint slides to a minimum and cover only relevant topics for fourth graders like cyber-bullying, acceptable/appropriate use, adult supervision, not believing everything that you read online, protecting their sensitive information, not meeting people that you met online, and of course answering tons of questions from the kids. Considering most adults consider presentations to be a Death-by-PowerPoint event, fourth graders probably won’t be too excited to look at slides either.

I was completely surprised at how much the class was a microcosm of a company/organization. While there were too many examples to list, I would like to go over a few. First, how many of you have used food to bribe people into attending your meetings or security awareness classes? This is usually a pretty common technique and I took full advantage of it. Now, I of course didn’t have to worry about attendance, since it was school, but it came in handy for other reasons. Before I dove into the extensive 7-slide PowerPoint presentation, I asked the class if they had any questions. No one raised their hand, so I informed them that anyone who asks a question would get a piece of candy. In a strange coincidence, every single student immediately raised their hand to ask questions.

The potential to get candy got most of them to pay attention, but shockingly not every student gave me their complete attention. Apparently, gossip and trying to get me to tell them how to hack their friends’ computers were more important to fourth graders. Just like water-cooler gossip at a company, some of the kids were more interested in whether I was dating the teacher than in my comments on cyber-bullying. If any of the students who were whispering about it do happen by this blog post, yes I did hear you and no I am still not confirming or denying it.

While some of the questions I received were fairly predictable (ex: is it safe to put pictures of my dog online?), some took me by surprise. I don’t have any kids, so I wasn’t exactly sure how to answer questions like “how do you use Club Penguin safely”, since I had no clue what Club Penguin was. Thankfully, one of the teachers informed me it was basically a kid’s chat room, so I was able to answer it. The kids did ask several serious questions though, including:

• If someone is cyber-bullying me, I should tell an adult, but what do I do if a family member is cyber-bullying me?
• If someone I don’t know tries to talk to me in Club Penguin, what should I do? At what point should I call the police?
• If I go to an inappropriate Web site on my parent’s work laptop, will they get in trouble?
• Will a firewall protect me from the bad Web sites?

The last question is particularly interesting considering it is very similar to a question I get asked all the time: “does a firewall mitigate web application attacks?” So, in my effort to convince you to volunteer your time, here is a list of some of the benefits of volunteering your time:

• Good way to get rid of your excess Halloween candy
• The hand-drawn thank you cards from the students will be very entertaining
• Great reminder that your job makes a huge impact

All in all, I had a lot of fun talking to the class. Most importantly though, I was able to help the kids understand how to deal with the dangerous situations they face when they go online. While it would obviously be preferable that they never have to face those dangerous situations, it is most likely inevitable, which is why I highly encourage you to get involved and volunteer your time as a security expert.

ShmooCon 2010 Sponsor

Posted in Conferences on January 24, 2010 by Tony Flick

ShmooCon 2010 will be taking place in a few weeks and I am excited to make the annual trek up to D.C. to co-present the “Stealing Guests… The VMware Way” talk. I am also pretty excited about the activities and contest setup at our booth. Make sure you stop by before you start drinking.

Introducing AppTrust

Posted in Application Security on November 12, 2009 by Matthew Flick

FYRM Associates is proud to announce our new AppTrust offering that enables organizations to produce secure applications in a timely and cost-cutting manner. The typical, flawed approach to application security is based on the network security model of “when we find a vulnerability, we patch it.” This forces your organization into a never-ending game of catch-up with attackers that is nothing more than a costly and time-consuming strategic failure.

The AppTrust Assessment, Training, and Certification solutions break this mold with a strategy that enables your organization to implement applications that are secure as soon as they enter production.

You can read more about FYRM Associates’ new AppTrust offering at our Web site, http://apptrust.fyrmassociates.com, or contact FYRM Associates at http://scr.im/fyrmsales or (877) 752-7170 for more information.

XAB – Cross Site Scripting Anonymous Browser updated and seeking help

Posted in Application Security on November 10, 2009 by Matthew Flick

XAB, the framework that allows one to browse the web via XSS, has been updated with a new release. This release will now accommodate all content-types, thus allowing any file format to be transferred through the framework. The latest release can be found at SourceForge: xab.sourceforge.net.

We’re seeking volunteers to help out with development. We’d like to take this from a small research project to a community-driven effort to expand the possibilities of what can be done with XSS.

XAB Presentation @ OWASP DC Chapter Meeting on 9/2

Posted in Application Security, Conferences, Events, OWASP on August 25, 2009 by Matthew Flick

I will be giving an update on XAB (Cross Site Scripting Anonymous Browser) with Jeff Yestrumskas at the OWASP DC Chapter’s next meeting on September 2 at 6:30PM. More details can be found here. See you there!

OWASP AppSec DC 2009 Sponsor

Posted in Application Security, Conferences on August 20, 2009 by Matthew Flick

OWASP just launched the official AppSec DC 2009 site @ http://appsecdc.org. We’ll be out in force and will most definitely have some type of party/event. Check back here often or follow us on Twitter (getFYRM) for updates. We’ll see you there!

Follow us on Twitter (getFYRM)…and RSVP Deadline Passed

Posted in Black Hat, Conferences, DEFCON, Events on July 30, 2009 by Tim

You can follow us on Twitter under getFYRM. We’ll be tweeting updates this weekend for the happy hour tonight (see below) and for the netbook winners.

The RSVP deadline for the happy hour tonight has passed. See Tony or Matt if you still want in. Also catch them for swag and a chance to win one of two Asus netbooks.

U.S. needs to attract more Cybersecurity Ninjas

Posted in Government, Jobs on July 27, 2009 by Matthew Flick

I’m not sure why I continue to keep a close eye on this administration and the Federal Government, but I guess someone needs to step up to do it. Hannity & Colmes, Limbaugh, and Jon Stewart might know the government, but they sure don’t know security ;) I also think that, being in such close proximity to the nation’s capital, I’m constantly inundated with news clips, stories, and critiques, so it’s hard not to form some opinion.

A report released by Partnership for Public Service, a nonprofit organization devoted to building a better federal work force, and Booz Allen Hamilton, a management consulting firm, finds the Federal Government is at risk of being unable to fight off attacks on the nation’s computer networks unless it strengthens its cyber-security work force. The report identified the four main challenges “as uncoordinated leadership of cybersecurity workers; a cumbersome hiring process that discourages people from seeking government jobs and fails to provide a career path for those who do; and hiring managers and human resource specialists who disagree on the quality of IT candidates.”

The report contained several recommendations for actions to help resolve some of the issues right now. One point that is strongly suggested is that agencies should put someone in charge of hiring cybersecurity talent now and not wait for instruction from the White House’s new cybersecurity coordinator. The report also included a checklist for cybersecurity talent management that agencies can use as a reference point.

I think it’s fair to say the public sector continues to lag behind in most things information security related. The lack of budget, resources, training and awareness is not too different from what we see in the private sector. However, the disparity in those areas, especially with some of the “most critical” agencies, can be disturbing. I hope President Obama and his appointed cybersecurity folks move fast to address the issues raised in this latest report. I totally agree each agency should move forward independently, but at the same time coordinated strategic efforts and sensible guidelines/frameworks are going to be critical across our government. I hate to admit it, but I do think a major roadblock is going to be the pay scale for government positions. Security folks are at the top of the IT pay scales and right now don’t translate well to the government’s GS scale. A bit cliché, but money talks.

Please, President Obama, please get your cybersecurity A-team put together quickly, get advice from cybersecurity thought leaders and representatives in the private sector, and give the agencies serious security budgets to get things accomplished. We need more ninjas on our side, protecting our “cyber-borders”.