Showing posts with label security. Show all posts

Thursday, August 20, 2009

Maricopa County Sheriff’s office vs. Maricopa County ongoing

I haven’t heard much since last week about the armed raid promoted by the Maricopa County Sheriff’s office against a County-held IT facility. I know about this because it actually managed to make it onto Slashdot, a news site for the IT and computer oriented, basically making a laughingstock out of Maricopa County and our sheriff’s office.

I am not sure if Joe Arpaio had a direct hand in this, but the actions of his subordinates in this case do not reflect well upon him.

Last week, a judge cited a restraining order against the MCSO and possible contempt charges coming down for an MCSO lieutenant if he did not turn over the new password of the systems. The officers who raided the facility did so in order to take control of the computers for the time necessary to change the password and lock the civilian operators out of the system.

The sheriff’s office claims this was done because they felt an intrusion was imminent. However, this either displays a gross ignorance of exactly how computer security works or is a cover for another action. Changing the password does nothing to defend the servers from civilian operators who already have physical access to the machines in question; in fact, nobody needs a password when they can physically remove the hard drive from a computer if they want to read or tamper with data.

Political ramifications of the sheriffmen’s actions aside, the excuse they’ve given themselves for what basically amounts to a power-play coup doesn’t hold up to basic scrutiny.

Elaine Mercer from Black Hat Magick Detective Agency is currently writing up her own thoughts on the matter, but so far news on the subject is extremely sparse.

http://www.azcentral.com/arizonarepublic/local/articles/2009/08/13/20090813computer0813.html

Sunday, November 09, 2008

A case for encryption: Adrienne Bailon has nude photos stolen

I don’t even know how I stumbled across this one, but I think it created for me a different evanescent thought than most people. Singer Adrienne Bailon of the Cheetah Girls (she's the one with the light brown hair) has had some “practically nude” photographs of herself taken from a stolen laptop and used as blackmail against her.

 

The post from tmz.com:

Several practically nude photos have been stolen from Adrienne's laptop, and sources tell us the scumbag who took 'em is trying to shop them around to the highest bidder.

It all started when Bailon was at JFK airport in late October, and noticed her laptop computer was missing from her bell cart. She filed a report with the Port Authority -- but later that day her record label received an anonymous phone call from a man saying he had her laptop and would return it for $1000.

If thou secure information that thou’d rather the public didn't readily get their hands on—say, by encrypting it—this sort of event could be dramatically reduced.

Think on this for a moment now. All of us have private things nowadays in forms that we carry around with us every day. We sometimes put them on thumbdrives, into our phones, onto our laptops. If I had nude photos of my little self I would certainly not keep them anywhere unsecured. If someone wanted to grab my photos and blackmail me, they'd first have to be extremely determined.

I suppose that working for Elaine at Black Hat Magick Detective Agency has changed my outlook on how to protect my more personal thoughts.

The gossip aggregator over at fashion.ie says, “Either way, the lesson is don't leave your stuff unattended at the airport, kids. Someone might just steal your private, naked pics and blackmail you over them.”

Or, how about protecting it with something like PGP?

Monday, August 11, 2008

SQL Injection Worms of War

There is a worm on the loose. A SQL injection worm. A vicious little mealy-mouthed slobbering parasite that opportunistically infects sites through certain exploitable flaws in web software. And it hit one of my projects, and this makes me very unhappy. Today I spent a lot of time prowling the database with a flamethrower and machete, doing in every malicious byte of its gruesome progeny.

For those who haven’t met this particularly pernicious bug, a word of caution: it will ruin thy day.

If thou happen to run an Apache server, I suggest heading on over to 0x000000.com and taking a look at the .htaccess suggestions there. I certainly took a few more to add to my defense script and it has done well to prevent the furtherance of this nuisance.

In particular this line will stop this beast in its tracks:

RewriteCond %{QUERY_STRING}    ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]

The malicious worm (which was insanely active on August 9th, 2008) depends on SQL DECLARE, SET, and CAST statements, all of which occur after some URL encoding and other tricks, which this line does an excellent job of ferreting out.
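To see which requests that condition would catch, the same pattern can be run over an access log. The script below is an added example, not part of the original post or of the 0x000000.com ruleset; the log lines, addresses and the harmless stand-in query values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Pattern copied from the RewriteCond above; [NC] becomes re.IGNORECASE.
# Like %{QUERY_STRING}, it is applied to the raw, still URL-encoded query.
RULE = re.compile(
    r"""^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"""
    r"""(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).*""",
    re.IGNORECASE,
)

# Request line inside an access-log entry: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, harmless stand-in values).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Aug/2008:10:00:01 +0000] "GET /item.asp?id=12 HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/Aug/2008:10:00:02 +0000] "GET /item.asp?id=12;DECLARE%20@S'
    '%20VARCHAR(99);SET%20@S=CAST(0x00%20AS%20VARCHAR(99)) HTTP/1.1" 200 512',
    '192.0.2.44 - - [09/Aug/2008:10:00:03 +0000] "GET /search?q=tea%27s+best+set HTTP/1.1" 200 512',
]


def flag_requests(lines):
    """Return (client, target) for every request whose raw query matches RULE."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue  # not a parsable request line
        target = m.group(1)
        query = urlsplit(target).query
        # The rule needs a metacharacter (or its %-encoding) followed,
        # anywhere later in the query, by one of the SQL keywords.
        if query and RULE.search(query):
            hits.append((line.split()[0], target))
    return hits


if __name__ == "__main__":
    for client, target in flag_requests(SAMPLE_LOG):
        print(client, target)
```

The third sample line is an ordinary search that happens to contain an encoded apostrophe followed by the word "set", so expect some false positives from a rule this broad. The filter is a stopgap in front of the application; the injection itself goes away only when the vulnerable queries are parameterized.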

Onwards to battle. Onwards to a cleaner web experience.
