Thursday, May 19, 2011

Sony think I'm a customer, apparently

This morning I opened my gmail inbox to find quite an unusual email - one from Sony apologizing for the recent hack, and requesting me to reset my password.

That would be all well and good with one small issue. I'm not a Sony customer. Never have been, not really intending to be anytime soon. I've never owned a Playstation, or any of their online titles that might make me a "customer". The only thing that I can possibly think of is that I have bought some LucasArts titles in the past - which Sony also have an interest in - regardless of that though, I have never had an account on their site.

My initial thought was that this was a scam - but all of the links in the email seem to check out, as does the email headers. Perhaps I'm missing something though - so I'm posting the original email below. If you can tell me whats going on here - I'd love to hear your opinion

I also went to the site and asked them to send me my username, and reset my old password. With that done I gained access to "my" account. There is not history of me buying anything for them, and under subscriptions I have 3 inactive ones for Free Realms, Star Wars Clone Wars, and Pirates of the Burning Sea - none of which I have ever played or purchased.

My best guess is that my account details for some other service where passed onto Sony at some point in the past. Nice to know that even though I have never ventured near their site, they were nice enough to allow my email and an associated password to be compromised. Now obviously I used completely different passwords for every site, so that not an issue but still its a bit creepy (good old Ironkey - even I can't remember my passwords - one of my forum passwords is Ge0Q&f8VH#g7%Z4wqOB9s~2W*6EId$F5^CN1@SYx!3vn$Kkp~4MD~oLR9mJX0aUA4@PTuj@1rhR&7l^QW5cUF3!ZZ5!ZDib8!E0 apparently :) )

Heres the email - opinions welcome (comment or just tweet me on @bobmcardle)

Saturday, May 14, 2011

Maltego talk at ISSA

Hi Folks - its been a while (mostly because I've been tweeting instead, or posting over on

Last week I ran a workshop on the awesome Maltego tool from Paterva at the ISSA Conference in Dublin. Overall a great conference, and really enjoyed delivering my 2 hour session. Also a big thank you to the folks in Paterva for letting us run this.

I promised to stick up my notes and graphs afterwards so here they are. If you have any questions or comments, tweet me

If you have not had a chance to try out Maltego I seriously recommend downloading it and giving it a go - it is hands down the best Open Source Intelligence tool you will come across. I've also included plenty of resources for creating your own transforms - and if you do, please wander by the Paterva forums and share them with the community

- Maltego Presentation
- Maltego Graphs
- Check Trend Micro SiteSafety Transform


Wednesday, June 9, 2010

SANS Dublin 2010 Reminder

Hi everyone

I'll be teaching SANS GCIH course in Dublin in September - if you are interested in anymore information, just let me know.

The official SANS announcement is below


SANS is pleased to return to Dublin for another Community SANS event with two courses. Please join us 20-25 September for SEC504: Hacker Techniques, Exploits & Incident Handling and 27 September - 2 October for SEC542: Web App Penetration Testing and Ethical Hacking.

SEC504: Hacker Techniques, Exploits & Incident Handling
20-25 September
Instructor: Robert McArdle

Instead of merely teaching a few hack attack tricks, this course includes a time-tested, step-by-step process for responding to computer incidents; a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them; and a hands-on workshop for discovering holes before the bad guys do. Additionally, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. This challenging course is particularly well suited to individuals who lead or are a part of an incident handling
team. Furthermore, general security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

SEC542: Web App Penetration Testing & Ethical Hacking
27 September - 2 October
Instructor: Owen Connolly

In this intermediate to advanced level class, you will learn the art of exploiting Web applications so you can find flaws in your enterprise's Web apps before the bad guys do. Through detailed, hands-on exercises and training from an experienced instructor you will learn the four-step
process for Web application penetration testing. You will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. You will utilize Cross-Site Scripting attacks to dominate a target infrastructure in our unique hands-on laboratory environment. And you
will explore various other Web app vulnerabilities in depth with tried-and-true techniques for finding them using a structured testing regimen. Throughout the class, you will learn the context behind the attacks so that you intuitively understand the real-life applications of our exploitation. In the end, you will be able to assess your own organization's Web applications to find some of the most common and damaging Web application vulnerabilities today.

For more details and to register please visit:

About the Community SANS EMEA Program -
The Community SANS format in EMEA (Europe, Middle East and Africa Region) offers the most popular SANS courses in your local community and in your local language. The classroom setting is small with fewer than 25 students. The instructors are pulled from the best of the local mentor program or qualified security experts who have passed SANS rigorous screening process. The course material is delivered over consecutive days, and the course content is the same as ones provided at a larger training event. In addition to the excellent courseware, not only will you be able to use the skills that you learned as soon as you return to the office, but you will be able to continue to network with colleagues in your community that you meet at the training.

Tuesday, April 27, 2010

Ebays Captchas appear to be broken

Anyone else noticed this issue with Ebays Captchas - I hate Captcha as much as everyone else, but after 6 failed attempts in a row I started to think some thing was up.

Check this one out:

Now I think most people would agree that I should enter 707037 into the text field, right - wrong.

So after the aforementioned 6 attempts, I decided to try the audio option ("Listen to the verification Code") - and lo and behold, the audio read out a completely different number. In the case above the number was 150633 . I go back to my field and enter this number:

And bingo - Ebay allows me to send the message.

I reckon that someone in the Security department has messed up the capthca code so that the Images and numbers are out of sync with each other. Either way I don't think it will be long before this gets picked.

Maybe the guys over at have an interesting idea after all with their Captcha alternative. For some more details (not a lot) read the last few pages of

Wednesday, March 31, 2010

Modern Malware Explained

John sat down at this pc, and placed his coffee beside the keyboard. It was that crappy instant stuff - the good coffee had been one of the first things to go in the latest company cost-cutting blitz. Grimacing, he took a sip, and started the daily chore of going through his 100's of emails. Was the world more productive before we invented email he wondered? One email in particular caught his eye - looks like he had recieved a Tax refund. Finding it unusual for the government to actually GIVE him back money, John opened the attached PDF...

What follows next happens all around the world, every day, 1000s of times every minute. The PDF contained code that allowed it to take complete control of the machine, due to some faulty coding on the part of the PDF reader program. The actual malware name in this is Bredolab. Seconds after John had clicked the attachment the code was already pulling down updates from a URL on different compromised machine in China. These updates in turn downloaded more components - a rootkit called TDSS which made the malware invisible on the machine, a Zeus malware which connected John's machine to a botnet of several million other infected machines, and, in an ironic twise - John was now spewing out hundreds of emails per minute via the Cutwail malware, each helping to spread the same PDF attack he had just fallen for.

So what was John infected with - was it Zeus? Cutwail? Bredolab? TDSS? Something else entirely.

Well there are two answers to that question - the first is "All of the above". The second (and more accurate) answer is - "Who cares?"

Fact is John and the other thousands of people who get infected every day could not give a monkeys what the malware is actually called - they just want it stopped from ever running (or if worst come to the worst, at least removing it from the machine).

So remember that the next time you read through a PC magazine review all of the latest and greatest AV products - it does not matter how many files they correctly detect, or how many URLs they block, or how many emails they will drop. Look at the bigger picture - and pick the one that that offers the most complete solution. The more layers between you and the malware getting a chance to run the better. AV is not dead, as some people would tell you, but the days of file-scanning protecting you on it own are well gone - and they are never coming back.

Robert McArdle

Monday, March 29, 2010

SANS Dublin 2010

Hi Everyone,

I will be running a 6-Day training course in Hacker Techniques, Exploits & Incident Handling in September - so I wanted to get some advance notice out there.

This is an excellent course - I first studied it myself back in 2006 and can honestly say it has been the most useful security course I have completed by far. Some other courses are all good in theory, but this couse from SANS really is a reflection of what happens in the real world every day (with lots of hands on exercises). If you want to get involved in IT Security (or are already involved and want to round out your skills) - this is course to attend.

All of the details of the course are up on but I'll go through some of the high level details here. If you have any other questions - just comment below or email me at RobertMcArdle[very obvious sign goes here][googles well known email service]

Day 1: Incident Handling - A simple effective step-by-step guide to Incident Handling
Day 2: Reconnaissance & Scanning - The first 2 steps of any attack (using tools like Nmap, Nessus)
Day 3: Network Level attacks - Netcat, Sniffers, Backdoors, etc
Day 4: Gaining Access - Password cracking, SQL injection, XSS, DOS
Day 5: Covering your tracks and putting it all together
Day 6: Capture the Flag :) Full day of trying to gain access to a number of machines - lots of fun, the highlight of the course!

Overall its a blast - I just wanted to give everyone plenty of time to add it to their calendars (its also up on the Security Calendar already)



Monday, February 1, 2010

3D Movies != Death of Piracy. Oppurtunity for malware

Hollywood see 3D as a critical weapon against piracy, which I just don't understand. If we fast forward a year and early adopters have their 3D ready TV, 3D Blu-ray player etc - ultimately Hollywood needs to get the 3D movie to this person in a digital format, most likely on a Blu-Ray disk. The actual digital content is probably going to be close to 100GB.

What stops someone ripping this Blu-Ray and putting it on the internet for everyone to download? Sure there are some technical problems (encryption to break etc) but that has not stopped any other form of entertainment media in the last 10 years.

Hollywood seem to think this will stop the "Camera in the cinema" form of Piracy, but most piracy is carried out directly on Screeners. Interesting blog:

In the mean time, there are social engineering angles attackers can take here.

- Advertising downloads that make a Laptop 3D ready so that you watch 3D movies (spot the trojan)

- Torrents of 3D movies including malware

- Links to sites that contain exploits, claiming to have torrents of 3D movies

- Site selling cheap 3D movies (please insert your credit card details here)

- Scams to win a 3D TV (text this number to win. Then we take $50 dollars from your account every month)

And a lot of others. Be on the watch out for these in the next couple of months, I'll be stunned if all of those 5 predictions to not come to pass