Full Disclosure mailing list archives
FW: SMS Banking
From: "Thor (Hammer of God)" <Thor () hammerofgod com>
Date: Wed, 10 Feb 2010 19:20:22 +0000
Keep it on the list, buddy. Why exactly are we still talking about the 100 packages? To assist you in changing the "model" to "predict code vulnerabilities" as opposed to "calculating the risk of compromise?" You are the only one who came back with the "code vulnerabilities are just one part of risk" backstroke. Go through my replies, and my initial challenge to you. You said "risk of compromise." Propensity of code vulnerabilities means nothing here, so stop trying to weasel into that. Contract. $100,000. Your reputation is on the line, sir. t
-----Original Message----- From: Craig S. Wright [mailto:craig.wright () Information-Defense com] Sent: Wednesday, February 10, 2010 11:14 AM To: Thor (Hammer of God) Subject: RE: [Full-disclosure] SMS Banking I will find someone. You still have 100 software products to select and this is a starting point. Regards, ... Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ... Information Defense Pty Ltd -----Original Message----- From: Thor (Hammer of God) [mailto:Thor () hammerofgod com] Sent: Thursday, 11 February 2010 6:02 AM To: 'full-disclosure' Cc: craig.wright () Information-Defense com Subject: FW: [Full-disclosure] SMS Banking So, looks like SANS has dumped you Craig. Anyone else you want to get to set the system up for you? t-----Original Message----- From: Stephen Northcutt [mailto:stephen () sans edu] Sent: Wednesday, February 10, 2010 10:56 AM To: craig.wright () Information-Defense com; Thor (Hammer of God) Subject: RE: [Full-disclosure] SMS Banking Sorry, I do not have time for this, please do not let this spill over into our advisory board list either. Stephen Northcutt, President The SANS Technology Institute (www.sans.edu) 808.823.1375 Register today! Over 30 infosec courses at SANS 2010 - March 6-15, Orlando FL http://www.sans.org/info/51269 "This is the way you need to learn: roll up your sleeves, dig in tothefundamentals and the nitty-gritty technical details, and then go 'hands-on' to practice and reinforce what you've been taught." - Joseph Price,DoD-----Original Message----- From: Craig S. Wright [mailto:craig.wright () Information-Defense com] Sent: Wednesday, February 10, 2010 1:54 PM To: 'Thor (Hammer of God)'; 'full-disclosure' Cc: pen-test () securityfocus com; security-basics () securityfocus com; stephen () sans edu; 'Jeff Frisk'; 'Ben Wright' Subject: RE: [Full-disclosure] SMS Banking " You are changing the bet in mid-stream " Not at all. This was and is the bet. The initially proposed 2 tasks remain unchanged. The statement on SMS was that this is a time degrading risk function. That is, the proposed SMS solution would become less secure over time. The longer it ran, the more attacks. It would also be a function of users, the more users, the less secure. In case you cannot understand what the SMS quote you have means, it simply means that adding an independent 2nd factor lowers the inherently high risk of a purely SMS based system. "The risk of deploying any given solution takes into account FAR too many real-world elements than any formula can address. " The SMS formula is not the be all - it was a simple extrapolationbasedon a highly insecure proposal. My model as I have put it is an expert system. The risk associated with each application on a system is derived as with dependence and path. Please as stated, choose the 100 software applications. Regards, ... Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ... Information Defense Pty Ltd -----Original Message----- From: Thor (Hammer of God) [mailto:Thor () hammerofgod com] Sent: Thursday, 11 February 2010 2:54 AM To: craig.wright () Information-Defense com; 'full-disclosure' Cc: pen-test () securityfocus com; security-basics () securityfocus com; stephen () sans edu; 'Jeff Frisk'; advisory-board-open () lists sans org; 'Ben Wright' Subject: RE: [Full-disclosure] SMS Banking Outstanding. Things to take into account while drafting thecontract:First and foremost, the most important question, followed by a subsequent statement addresses this:Code vulnerabilities is but a single risk measure (see below forwherethis > fits). My Question to Tim is are you implying that youcannotdo this?Knowing the likelihood of code vulnerabilities and the rate comestopatching and hence implementation issues. I am stating that I canmodelthis. I will put my reputation etc on the line (as well as a large quantity of cash) on the assertion that I can model the risk ofsoftware withina set > confidence bound given the a prior information on theproduct, userbase and such other information against a qualitativedetermination.You are changing the bet in mid-stream. You are now saying you can model likelihood of code vulnerabilities based on past discoveries.Severalpoints: Code vulnerabilities does not equal risk. They are code vulnerabilities. You said you could predict the "risk" of an SMS banking solution with your formula. I say that you, unequivocally, cannot, and that such a statement is ridiculous. Hence the bet. The risk of deploying any given solution takes into account FAR too many real-world elements than any formula can address. For instance - Let's take a system; any system that allows unencrypted login via the internet. Your formula cannot determine "risk" in any way. If the system is storing the names of the Seven Dwarfs, then there is not muchrisk.If the same system allows one to shut of grid power to NYC, then theriskis increased. To the point of you being able to "predict" what future code vulnerabilities are, I'm even dubious on that. You can indeed createamodel, but will it be accurate? No - you have no idea what vulnerabilities lie in wait. Will it be statistically accurate based on math? Idon'tknow, and more importantly, I don't care. Whatever "number" you come up with will be worthless in its application to risk without other factors. My $100,000 bet, that I accept, is based on the fact that yourresults,whatever they are, will be WRONG when ascertaining true risk, which this is all about. I am extremely gratified that this has gotten theattentionthat I desired it would, because it brings to light the true dangers of having people with your mindset involved in critical infrastructureprotection- the OTHER reason I got involved with this. If you are so eager togiveaway (which you will) $100,000 of your money to support such a foolhardy stance such as calculating risk based on past software vulnerabilities, what would you do when making the same decisions that protect water and power systems? To that end, I am happy to see not just your money, but your "reputation" as you put it, at stake here. The results I generate will have nothing to do with whatever numbers your model spits out. The bet is not if you can come up with a formulathatproduces numbers. The bet is that THOSE NUMBERS will be provenwrong.You cannot gauge risk with the "simple formula" you posted on your site. Period. THAT sir, is the bet, and that is the bet that you already accepted, in writing. Breaching the system that you put up further has nothing to do withyoucalculating risk. But that's fine with me. A few questions to the board on SANS before I get into that. I'm assuming that Craig's enlistment of your input is sanctioned? Craig speaks for you in regard to having your students be the ones that set up a system that gets hacked into and $100,000 lost? Am I to understand that SANS endorses Craig's Magic Risk Formula, and that this is something you recommend your clients/customers use todeterminerisk? I need to know this in order to ensure that all the partiesareproperly referenced in my acceptance speech. I further suppose it would be rude not to extend invitations to the parties involved to the party following. Since SANS is involved, at least by proxy and extension, shall Iassumethat you (Craig) will embrace SANS' raison d'ĂȘtre when building thissystem?I ask because this is where the "Thor can do whatever he wants" again, that is already in writing, comes in. SANS's exists to help companies determine risk and analyze the security of systems in the "real world." If people didn't configure systems incorrectly, deploy unpatched systems, and write poor code, SANS wouldn't exist. I'm assuming that the historicaldatayou presume to include in your Magic Number will be extended to this installation? Meaning, one can expect to see the typical vulnerabilities found in deployments present in this system? Or do you intend to create an uber-hack-proof system to substantiate your reputation, thusobviatingthe usefulness that SANS as an organization provides? Clearly, if all systems in the world were set up how one might assume you will set up yours, there would not be a need for SANS anymore (if that idea is taken to the extreme). In fact, the need to calculate risk would be obviated. But Isupposedthat is another story. Not only will I take your money, and ruin your reputation in thisbet,but I'll tell you how I will do it UP FRONT. Will that be fair enough?Goahead. Set up your system. If I have someone show up at the doorwitha shotgun and ask for the hardware, do I win? Or will you cry "Hey, that's not fair. Do over!" Do you not think the criminals of the world do things like that? Where in your formula do you plug that in? Do you even know what the majority of the breaches in the world are from? What about when I call a student and say "Hey dude. There's $25,000 cash in it for you if you give me the admin password." Would you cry foul? Where in your formula do you plug that eventuality in? Don't forget that you said "Thor candowhatever he wants." We don't need to bother with the 100 packages. Bring in your SANS students, assuming you speak for SANS since you looped them in on the Full Disclosure list, and presumably trust you enough to weather the backlash oftheirstudents being the ones to configure the system that will be hacked, configure your system, and put it up. Hell, Craig - I don't evencareif you turn it on; just leave the check taped to the hard drive (I'mbeingfacetious of course on that part - I just can't help but have funwiththis.) To keep it even more simple, and so everyone here sees, this is whatIwill disprove beyond a shadow of a doubt. I quote you directly: "Where a system uses an SMS response with a separate system (such asaweb page), the probability that the banking user is compromised and afraudis committed, P(Compromise), can be calculated as: P(Compromise) = P(C.SMS) x P(C.PIN) Where: P(C.SMS) is the probability of compromising the SMS functionandP(C.PIN) is the compromise of the user authentication method" That is the "probability of compromise." COMPROMISE. Not "modelthatjust might predict software code vulnerabilities." I will PROVE that your figure is WRONG and in the process, PROVE that your formula cannot be usedinany meaningful way, Period. Please let me know when you've got the contract ready. T-----Original Message----- From: Craig S. Wright [mailto:craig.wright () Information-Defense com] Sent: Wednesday, February 10, 2010 12:22 AM To: Thor (Hammer of God) Cc: pen-test () securityfocus com; 'full-disclosure'; security- basics () securityfocus com; stephen () sans edu; 'Jeff Frisk'; advisory- board-open () lists sans org; 'Ben Wright' Subject: RE: [Full-disclosure] SMS Banking Hi Again Thor/Tim and now others, I have added a few people to this email. As a summary to thosejoining,"Thor" (really Tim) has the notion that you cannot quantitatively measure information system risk and thinks Bayesian statistics,computationalchaos and heteroscedastics (my fields) cannot measure risk. From the "discussion" that has ensued, Tim and I have ended in agamblewhere I shall be using the my skills in math and those of both practical experience and importantly all I have learnt from SANS over themanyyears against anything he wishes to being to the table. There is some information included below, but as a summary, myselfandanother party will measure the risk of software and systems. Thiswillbe 100 software products and 50 systems to be independently deployed. Code vulnerabilities is but a single risk measure (see below forwherethis fits). My Question to Tim is are you implying that you cannot dothis?Knowing the likelihood of code vulnerabilities and the rate comestopatching and hence implementation issues. I am stating that I canmodelthis. I will put my reputation etc on the line (as well as a large quantity of cash) on the assertion that I can model the risk of softwarewithina set confidence bound given the a prior information on the product, user base and such other information against a qualitative determination. I have stated an independent third party will configure systems. Neither Tim nor I will set the systems up. This will be done correctly without bias. I have added Stephen to this discussion as I will be proposing an exercise for SANS Students. I will elaborate this later. The basic gist is thatSANSconference attendees and students generally could be involved. Theideais that neither party to the test will have an insight or knowledgethatexceeds the others from any unfair means. I will up the bet to the 100k amount if this is Tim's desire. Wewillset this as an escrow. That is, an independent party (merchant bank)willhold the money. We each pay in advance. The money will be held earning interest until this exercise is complete. Ben is included in this email asheisone of the most IT savvy and security knowledgably attorneys around. HeisNOT my attorney, but he knows more than enough to (for validconsiderationthat I will fund) set the escrow conditions. Tim states below, "they will be 100% vulnerable to immediate "exploitation" My question to him is are you stating that the systems will be 100% vulnerable? Is this your response or would you like to actuallytestthe system? I will give Tim an out or at least an advantage if he wishes. Iwillstill do all I have stated, but I will also give him an additionaloption.This is, I will configure a server running a BI (Business Intelligence) application and Database accessed over the web with an SSH serverforadmin access and management. If either I fail to predict risk within a95%confidence interval OR you breach this system in the time period (a whole 6 months), I lose the bet. As stated, the money will be escrowed. Once started, we each putourmoney where our mouth is so to speak. If you EITHER predict correctly OR compromise a single system - you (Thor/Tim) win. Otherwise - Timhastoadmit error. This has escalated to a US$ 100,000 bet. The contract will be formalised, but this is an offer (in fact, the other offers are also acceptedatlower values, but we each have too much testosterone). There are two components; 1 A selection of software products are tested using bothprocesses,that is I use a model for the risk of these products, and "Thor"canmake up whatever guesses he wishes. We model (or "Thor" guesses, pulls fromahat...) the vulnerabilities over a time period. The number of bugsinsoftware as well as the risk are to be presented as a monthlyestimate.2 We model a few systems (say 50). We can use Honeypots (real systems set to log all activity without interference) run by an independent party to each of us. I use probabilistic models to calculate the risk."Thor"does whatever he wants to test these, audit them etc and predict risk.Thesesystems are to be logged and all the data recorded. The full rulesandrestrictions, setup processes etc will be incorporated into the contract. I put my knowledge from Bayesian Statistics, Computational Chaos, financial modelling and heteroscedastics that is coupled with around 30 SANS courses/certifications and all the other bits against Tim'sarsenal.Part 1 Tim has to select 100 commonly deployed software products. I willnotintervene, but I will have these challenged if they are NOTcommonlydeployed. Hence CC'ing the SANS Advisory Board. I propose these individuals as the people who can veto a choice if the software is obscure. I shall be listing these in the contract that we will each sign asadeed. Regards, ... Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ... Information Defense Pty Ltd From: Thor (Hammer of God) [mailto:Thor () hammerofgod com] Sent: Wednesday, 10 February 2010 5:42 PM To: craig.wright () Information-Defense com; Valdis.Kletnieks () vt edu Cc: pen-test () securityfocus com; 'full-disclosure'; security-basics () securityfocus com Subject: RE: [Full-disclosure] SMS Banking See my follow up email first. Are you asserting that your entire basis for what "risk" iscomprisedof is the number of new vulnerabilities found in code? Risk=code vulnerabilities? Please tell me you know more about this industrythanthat. Actually, DON'T tell me that. I don't want to start tofeelmore sorry for you than I already do. We don't need six months. Pick whatever 100 you want. Come upwithyour risk factor. I'll deploy them, and they will be 100% vulnerable to immediate "exploitation" and I'll laugh at your "risk figures" alltheway to the bank. This is getting better by the minute. Care to up your bet? I'll wager 4:1 for you. Let's make it my$100kto your $25k, even though you've already set the terms and the amountinwriting previously. I'm happy to amend this. t From: Craig S. Wright [mailto:craig.wright () Information-Defense com] Sent: Tuesday, February 09, 2010 10:28 PM To: Thor (Hammer of God); Valdis.Kletnieks () vt edu Cc: pen-test () securityfocus com; 'full-disclosure'; security-basics () securityfocus com Subject: RE: [Full-disclosure] SMS Banking I will happily do this. "That it can be hacked, or will be hacked" Anything CAN be hacked. Software first. Choose 100 common software products. I will define scale here first. This will be number of vulnerabilities (new) that arefoundin each piece of software each month. This will also be related to the common metrics for the level of the vulnerability. This will be for 6months.Choose the number of vulnerabilities and the impact of each ofthesefor 6 months. It has to be commonly run software with a user base that I cannot count on one hand. My predictions will be for these products and will have aconfidencebound set at 95% (or alpha=5%). "I further assume that the "loser" will be financially responsibleforthe "audits" done my way." Are you saying that you will pay MY fees when you lose? "won't look at the software code" When you can get MS to give me their code this may be an issue, butitis not as yet. Regards, ... Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ... Information Defense Pty Ltd From: Thor (Hammer of God) [mailto:Thor () hammerofgod com] Sent: Wednesday, 10 February 2010 3:59 PM To: craig.wright () Information-Defense com; Valdis.Kletnieks () vt edu Cc: pen-test () securityfocus com; 'full-disclosure'; security-basics () securityfocus com Subject: RE: [Full-disclosure] SMS Banking Now you're talking. But first let's work up an actual contract. Neither of your components define anything. When you say that you are goingtopredict "risk" with your magic formula, do you mean if the software has vulnerabilities? That it can be hacked, or will be hacked? Be sure to define this properly and definitively - if you end upsayingthat a system has a 1% change of being hacked, and I (or my auditors)hackit, would you claim you were "right"? I question if you can evendefinethe parameters of this bet, much less apply your formulas, but we'llsee.I also want to know what "scale" you plan to use. So far, eventhoughI've asked, you've not provided what the "answer" to your formula is, orhowit will be applied. I'm assuming, unless you are going to changeyourtune which I wouldn't doubt, that you won't look at the software code or threat models, but rather apply your formulas. I further assume that the "loser" will be financially responsible for the "audits" done my way. I'm more than happy to take your money, and I look forward to doing so. Since one of your masters degrees is in law, I'm assuming you can clearly define the terms of the contract. I will, of course, insist uponacontract, and I hope you won't mind that I have my own attorneylookitover. I'm not immediately trusting of the competence of one withadoctorate degree and multiple masters degrees who can't spell "technology" or "experience" correctly on his on-line CV. You are officially "on." And I'm looking forward to it. t From: Craig S. Wright [mailto:craig.wright () Information-Defense com] Sent: Tuesday, February 09, 2010 7:41 PM To: Valdis.Kletnieks () vt edu; Thor (Hammer of God) Cc: pen-test () securityfocus com; 'full-disclosure'; security-basics () securityfocus com Subject: RE: [Full-disclosure] SMS Banking I have a simple answer to this. Forget the debate, rhetoric is notascientific method of determining truth. "Thor" wants a challenge, let's have one - a real one and not onebasedon verbalisations, abuse and unfounded assertions. I suggest two components; 1 A selection of software products are tested using both processes, that is I use a model for the risk of these products, and "Thor"canmake up whatever guesses he wishes. We model (or "Thor" guesses, pulls fromahat...) the vulnerabilities over a time period. The number of bugsinsoftware as well as the risk are to be presented as a monthlyestimate.2 We model a few systems (say 50). We can use Honeypots (real systems set to log all activity without interference) run by an independent party to each of us. I use probabilistic models to calculate the risk."Thor"does whatever he wants. Each of the predictions is published by all parties. The one who is most accurate wins. Fairly simple? I will even give a handicap to "Thor", I will offer to predictwithina95% confidence interval and that for me to win, at least 90 of the 100 software products and 45 of the 50 systems have to lie within my predictedrangethat I calculate and release. "Thor" has to simply guess better than Idonomatter how far out he is. I will put up $10,000 Au for my side. Let's see if "Thor" hassomethingreal to offer. Regards, ... Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ... Information Defense Pty Ltd _____________________________________________ From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] Sent: Wednesday, 10 February 2010 7:03 AM To: Thor (Hammer of God) Cc: pen-test () securityfocus com; full-disclosure; craig.wright () Information-Defense com Subject: Re: [Full-disclosure] SMS Banking * PGP Signed by an unknown key On Tue, 09 Feb 2010 17:39:39 GMT, "Thor (Hammer of God)" said:how about accepting a challenge to an open debate on the subjectatDefcon? "Alright folks just make yourself at home, Have a snow cone andenjoythe show" -- Webb Wilder * Unknown Key * 0xB4D3D7B0
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Risk measurements, (continued)
- Re: Risk measurements Thor (Hammer of God) (Feb 12)
- Re: Risk measurements Craig S Wright (Feb 13)
- Re: SMS Banking Christian Sciberras (Feb 11)
- Re: SMS Banking Craig S. Wright (Feb 10)
- Re: SMS Banking Thor (Hammer of God) (Feb 09)
- Re: SMS Banking Craig S. Wright (Feb 10)
- Re: SMS Banking Thor (Hammer of God) (Feb 09)
- Re: SMS Banking Thor (Hammer of God) (Feb 09)
- Re: SMS Banking Craig S. Wright (Feb 10)