The Electric Onion

Trust Me I’m A Security Consultant

I was at the mall the other day and I saw a kid on a leash. I think if I ever have a kid, it’s gonna be cordless. But that’s just me. That’s the way I look at things and I have an opinion about everything. I guess I have that in common with Dan Egerstad.

Last month, Dan felt strongly that there’s just too much gosh darn privacy on the internet these days so he went and installed some open-source freeware on 5 key servers in 5 key data centres around this crazy world and then posted the results. The results were email logins, passwords and IP addresses of sensitive government, inter-governmental and non-government organisations as well as “high-value” corporate users (translation: oil companies). Oh, did I mention that Dan is a 22 year old Swedish “security consultant”? Funny that yah?

The freeware called “Tor” is ironically used to mask IP addresses on the web and is essentially designed to prevent intelligence agencies, corporations and hackers from determining the virtual - and physical - location of the people who use it. Kind of like caller ID blocking – only for your IP address. But what Tor may cloaketh - Tor may uncloaketh.

Tor (which coincidentally was the name of my first hamster) was originally developed by the US Navy (the same organisation that created both the snorkel and shore leave – but not in that order) to allow personnel to conceal their locations from websites and online services they access while overseas. Eventually the Squids realised that the only people using it on the web were Squids trying to hide the fact that they were overseas - which of course made them stand out even more than that white ice cream salesman uniform - so Tor was cast into the public domain. It’s now maintained and distributed by a registered charity as an open-source tool that anyone can freely download and install - so anyone does.

Who uses Tor besides paranoid corporate and government types? Paranoid citizen types! Just ask yourself: who else would want to mask their internet activity? If you answered either paedophiles and/or porn addicts – you are correct (give yourself extra points if you answered David Cameron).

Anyway Dan apparently felt it was his personal responsibility to flush all these types out of the shadows and posted the results of his Tor node sniffing on his blog. Still not getting the attention he thought he so richly deserved, he then contacted the affected governments directly with his findings and asked them if they wanted to see it. “O.K. everyone, raise your hand if you have something to hide!” He did get one punter though - Iran. Hmmmm.

I remember two things my mom told me never to forget. First, “Never marry a tennis player. Love means nothing to them” and second: “Son, the term ‘security consultant’ is an oxymoron”.

I miss you mom.

Top 10 Reasons To Go To Work Naked

The Monkey is naked. Be afraid.

10. No one will steal your chair.

9. Gives “bad hair day” a whole new meaning.

8. Diverts attention from the fact that you also came to work drunk.

7. People stop stealing your pens after they've seen where you keep them.

6. You want to see if it's like the dream.

5. To stop those creepy guys in Marketing from looking down your blouse.

4. “I'd love to chip in, but I left my wallet in my pants.”

3. Inventive way to finally meet that special person in Human Resources.

2. Can take advantage of computer monitor radiation to work on your tan.

1. Your boss is always yelling “I wanna see your ass in here by 8:00!”


Trust Me I Used To Be A Security Consultant

Walking past a metaphysics book store on Charing Cross Road recently, I saw a sign in the window that said “A seminar on time travel will be held 2 weeks ago”. I had this funny feeling like I knew what was coming next but didn’t know it yet. Kind of the same way I felt when I read this next story.

A few weeks ago, in Los Angeles, California, John Kenneth Schiefer pled guilty to four (not 3, not 5 but 4) felony charges of setting up a “botnet” army to carry out credit card fraud and identity theft. John now faces up to 60 years in prison and a $1.75 million fine. I know, I know, California has its faults (old joke I heard in seismology school). But the real problem was John’s profession. John was a “security consultant”.

Saw that coming did you? Not me and I’m both cross-eyed and dyslexic and so should be able to see these things perfectly. Seems this professional consultant of the security persuasion, who went by the handles “acidstorm,” “acid” and “storm,” was the first person charged under the new US federal wiretapping law with operating a botnet army. Apparently, Schiefer stole user names and passwords for eBay’s PayPal service from his victims to make purchases in their names. He also sold the stolen account information on the web and was paid by a Dutch Internet advertising company to install its programs on victims’ machines, earning more than $19,000 in commissions.

Schiefer carried out the crimes using computers at both his home and office at the Los Angeles-based firm 3G Communications, where he worked as an IT Security Consultant. 3G!? Yikes! I think they did our pen test last month! “John Schiefer was an information security professional who betrayed the trust that both his employer and society placed in him,” Assistant U.S. Attorney Mark Krause said. Translation: “The security consultant gene pool could use a little chlorine”.

Anywho, I was walking down that same street last week when the prescription in my glasses ran out in front of that same book store and as I stood there blinking I remember thinking that “letting the cat out of the bag is a whole lot easier than putting it in”.

Heard Around the Office

Easy on those bunions

“Hypochondria is the only disease I haven’t got.”

Alan Whitfield: Orthus Sales Monkey & Pedicurist in Training


Just Trust Me

I tell ya - some days it’s just not worth chewing through the straps. Did you notice the recent moves to merge the U.K.'s General Register Office, which oversees the registration of births and deaths, into the nation's Identity and Passport Service? No? Good, you weren’t supposed to. Coincidence? You’re so naïve.

IPS chief executive James Hall said the move would “allow us to explore the possibility of integrating passport, identity card and life event registration processes.”

“Life event registration processes”!? What!? Ever notice how some people have a way with words, others not have way?

This is important stuff. The UK government plans to give IPS access to all of our births and deaths data to be cross-checked with ID card or passport application data. The deal was given a legal blessing this summer by an order made under section 38 of the Identity Cards Act, and not a peep was heard.

I smell the future. This isn’t so much feature creep as a blatant land-grab of personal identity. That an agency which until a little over a year ago was limited to issuing passports is now taking control of citizen data from cradle to grave, and openly talks about 'registration of life events,' confirms that it's not about ID cards, but the creation of a detailed, lifelong government dossier on you and me.

Is it just me? I mean I used to be a schizophrenic but we’re all right now.

We’re Looking for a Few Good Geeks

Looking for a challenge? Orthus Ltd., a leading provider of innovative and independent information security services and solutions located in London, is currently recruiting talented anoraks to fill information security engineering and consulting positions.

We are currently interviewing:

- Application Security Penetration Testers
- Security Threat Assessors & Risk Analysts

If you're interested in working with the most socially challenged professionals in the market, please send your CV in confidence to: opportunities@orthus.com or call us today at: +44 (0) 20 3170 8955.



Another Brick In The Wall

Did you see where ten school children in the UK are now being tracked by RFID chips in their school uniforms as part of a pilot program? No? Well they’re coming to a browser near you.

Parents in the pilot programme can log on to the web and locate their kids through a GPS application. Personally, I find this a bit odd since most parents wouldn’t know a Firefox browser if it bit them in the application.

The chipped children are enrolled at Hungerhill School in Edenthorpe, a secondary school for ages 11 to 16. Apparently, they have a problem keeping track of their kids up in Edenthorpe. I mean my school was tough (in my sophomore year I was voted most likely to take a life) but my parents didn’t need a satellite to keep track of me.

With schools already fingerprinting kids and now this, is it any wonder they’re turning into the criminals we’re treating them like? Am I the only one singing “Hey teacher! Leave those kids alone”.

You Feeling Lucky Punk?

As always, the winner of our monthly quiz will receive a .001% cotton Orthus Sales Monkey - Witness Relocation Programme T-Shirt (terms and conditions apply):

Question: Which Bruce Stringbean song features the two gangs the Skulls and the Pythons? It’s Bruce! Hi Bruce!

A. Zero & Blind Terry
B. Tenth Avenue Freeze Out
C. Jungleland
D. The Promise
E. Growin’ Up

Answers to quiz@electric-onion.com

Quiz Rules:
1) You can hide neath the covers and study your pain
2) Make crosses from your lovers, throw roses in the rain
3) Waste your summers praying in vain for a saviour to rise from these streets

Answer to last Onion quiz: Which one of the following Stooges was a High School basketball star? Correct Answer: Curly. (although extra points were given for the answer “Jade”). Winner of last month’s quiz: Congrats TNT!


The Finest Print We Can Afford

Glowing Onion

Any way you cut it, the eOnion is still copyrighted to Orthus Ltd. so may not be used to mock, ridicule, tease, scorn, scoff, deride, disrespect or disparage other ICT security service or product vendors unless of course when it’s in our best commercial interest to do so or when it’s done in good clean fun. Either way, it’s our call so suck it up.

The eOnion may cause arrogance or involuntary spasms of smug self-righteousness which may lead to public smirking or prolonged bouts of condescending behaviour (sort of like being a Royal). Symptoms include unexplained disdain for information security product vendor marketing managers and an itchy flaking on the scalp. If drowsiness or nausea occurs, try reading SC Magazine. If symptoms persist, you try writing something funny for a cheesy monthly newsletter because it’s the only job you can get after 20 years of formal education. Not laughing now are you, funny boy?

To unsubscribe go to the nearest window, stick your head out and yell “I’m not going to take it anymore”. Alternatively, send an e-mail to security-unsubscribe@electric-onion.com. All Information provided shall be processed in accordance with the Data Protection Act 1998 (and we don’t say that just because we have to - but yes, we have to).


Feeling Insecure?

The Electric Onion is an Orthus publication. If you're feeling a little lonely, vulnerable, exposed or insecure, tell us about it. Contact us at: +44 (0) 20 3170 8955 for information security consulting services, therapy, advice or assistance. Thoughts, feedback, comments, questions, veiled or unveiled threats? Send an e-mail to getalife@electric-onion.com

Orthus

“Where we take everything in moderation - including moderation.”

©2007 Orthus Ltd. All Rights Reserved