Sunday, April 27, 2008

Spliced feed for Security Bloggers Network

How do you solve a problem like EMEA? [IT Security: The view from here]

Posted: 27 Apr 2008 08:03 AM CDT

If you were at InfoSec this week you will have noticed a few of the larger stands. For me, seeing companies like Juniper and F5 filling the show floor is comforting in some ways, but in others it indicates where there is work to be done.

If I was the CEO of a tech company looking at the successes of these guys I might think: "The way to tackle EMEA is to put in an office near London, staff it with sales guys and flood the market." Indeed, that is a tried and tested method, but not very successful. I mention these 2 companies specifically because I was lucky enough to work with them both when working in pre-sales at Equip Technology, their UK distributor a couple of years back.

Juniper of course built their success on their NetScreen firewall, and the reason for that success was its simplicity of administration. It sold in lorry-loads and was easily supported by the channel. I know probably 15-20 engineers who are qualified to support Juniper products, and as the company has grown, so has their product arsenal, their training capabilities, and their worth. I think they have a great model for the channel, which was the result of a lot of hard work, but not inconsiderable luck. They hit the market at the right time, and the product was simple enough to keep going locally.

F5 built their success on the fabulous BigIP and the family of products that can reside on one, the LTM, GTM, ATM, Link Controller and probably loads of others by now. When I left the channel they had just bought 4 new companies to fill their portfolio. I was a big fan, simply because they made the GUIs easy for administrators to understand and explain to others. The boxes usually worked and there were few things not possible with the help of iRules and iControls. Success here was down to the need to monitor and re-use infrastructure internally without messing too much with the front end. A bit more complex than the firewall, but easy to explain and justify the costs, this was a sales success more than a technical success, but sales success forces the technical side to keep up. As can be seen from the Juniper example above, the guys who put the work in are now very valuable engineers.

The sales for these pieces of kit were much fewer than with Juniper, but often much much larger. The last deal I was involved in for F5 kit was quoted at over £350k, for a number of devices. The margin on a deal like that is not inconsiderable, when you weigh up the fact that distributors are typically looking for 40% when they take on a new vendor.

So where does that leave everyone else? What about very technical products, or products where sales cycles are long and boxes aren't just shifted along like these guys have managed to achieve? If you've done the sales job in the US, the market doesn't automatically pick up on it over here. In fact, the whole sales job has to be done again, regardless of early adopters and good press. Relying on the channel is still possible, but without regular sales the salesmen soon get frustrated, and the technical guys forget what they have learned. For very technical products, encryption being my experience, this creates a problem which has to be managed very closely. Sales and technical people representing the vendor have to be available to go onsite on a weekly basis, just to keep the product in the minds of those pushing it out there.

This is hard to achieve from San Francisco, so very often an RSM is hired in the UK; they are, of course, given targets, usually unrealistic ones. They do not have technical skills, so an SE is hired, of variable quality. These 2 have to sell direct AND sell through the channel, 2 very different jobs which can spread them both too thinly, even if they are in constant communication. It is also very stressful, and involves a huge amount of travel, whether you feel like it or not, and whether it gains you anything or not. Selling direct for these long cycles is nerve-racking and a thankless task, especially when it fails. However, if you hire someone to just cover the channel, what are they going to do for the other 3 days a week you are employing them?

At SecurEMEA we are helping technical companies address this gap cheaply and efficiently. Communication is key to our survival and success. Once we have helped develop a successful channel to market for a technology, we then aim to help build that company until it can stand on its own in the region. Maybe then you'll see a few more highly technical vendors on stands at InfoSec in the coming years.

Setting account expiration in Windows XP [Kees Leune]

Posted: 27 Apr 2008 07:42 AM CDT

I ran into a problem yesterday with my Windows installation. Since this is a laptop that is not part of an Active Directory Domain, has the Administrator account disabled and only has one other local account with Local Admin privileges, I ran into a problem when Windows informed me that my account had expired.

The problem is that I had a whole bunch of EFS-encrypted files in that account, without having backed up the EFS-certificate. The only option that I thought would provide me with a quick fix was to reboot from a Backtrack CD to re-enable the Administrator account and blow out the password on the Administrator account. Removing the account of the other user would not have worked, but even worse, it would have made all my EFS-encrypted files unavailable.

After having regained access to the Administrator account, I started messing around with clicking on all kinds of stuff, and even playing with some wmic-voodoo.

All to no avail.

As with most operating systems, Windows separates account expiration from password expiration. Resetting the password expiration was easy, but resetting the account expiration on a stand-alone Windows machine does not seem to be possible with out-of-the-box Windows tools. Even a tweet for attention did not yield the result I was looking for.

After doing quite some head-banging and even more research, I found a command-line tool called AccExp. AccExp can set or reset the account expiration of a local Windows user, or a user in an Active Directory.

Lesson 1: If using EFS, back up your certificate. Instructions.
Lesson 2: Account expiration cannot be reset using out-of-the-box Windows tools. Additional tools, such as AccExp, are required.
Lesson 3: Windows will not expire an account while you are logged in; even going to standby/hibernate does not include an account expiration check. Windows will only check when you log on to an account.

PS: Yes, I know this Windows laptop is configured pretty much as far removed from best-practices as possible.

Heading to Interop [StillSecure, After All These Years]

Posted: 27 Apr 2008 06:45 AM CDT

Getting ready to head out to Interop tomorrow. I have a bunch of interviews and meetings scheduled, but if you are going to be at the show, stop by the StillSecure booth and say hello or drop me a note or twitter to get together. Interop is always a blast and I am looking forward to see what is new this year.

On Schneier, the RSA Conference's Swan Song and the Rise Of the Non-Con... [Rational Survivability]

Posted: 26 Apr 2008 09:33 PM CDT

Bruce Schneier has artfully committed electrons to decay in an article he recently "penned" for Wired in which he has once again trumpeted the impending death of Information Security as we know it and illustrates the changing why's, how's, when's and who's that define the security industry singularity that is sure to occur.

While I thoroughly enjoyed Bruce's opinion on the matter and will address it in a follow-on post dedicated to the meme, the real gem that sparkled for me in this article was his use of how the behemoth RSA Security conference is actually a bellwether for the security industry:

Last week was the RSA Conference, easily the largest information security conference in the world. More than 17,000 people descended on San Francisco's Moscone Center to hear some of the more than 250 talks, attend I-didn't-try-to-count parties, and try to evade over 350 exhibitors vying to sell them stuff.

Talk to the exhibitors, though, and the most common complaint is that the attendees aren't buying.

It's not the quality of the wares. The show floor is filled with new security products, new technologies, and new ideas. Many of these are products that will make the attendees' companies more secure in all sorts of different ways. The problem is that most of the people attending the RSA Conference can't understand what the products do or why they should buy them. So they don't.

...

The RSA Conference won't die, of course. Security is too important for that. There will still be new technologies, new products and new startups. But it will become inward-facing, slowly turning into an industry conference. It'll be security companies selling to the companies who sell to corporate and home users -- and will no longer be a 17,000-person user conference.

What attracted me to the last paragraph and a rather profound point draped in subtlety that I think Bruce missed was reinforced by my recent experiences in Boston and Munich which framed RSA, which quite honestly I could almost care less about attending ever again...

Specifically, I recently attended and spoke at both SourceBoston (in Boston) and Troopers08 (in Munich, Germany.)  These are boutique security conferences with attendee counts in approximately the 200 person range.  They are intimate gatherings of a blended and balanced selection of security practitioners, academics, technologists, researchers and end-users who get together and communicate.

These events offer a glimpse into the future of what security conferences can and should provide: collaborative, open, educational, enlightening and fun events without the pretentiousness or edge of confabs trying too hard to be either too "professional" or "alternative" in their appearance and nature.

Further, these events lack the marketing circle-jerk and vendor-centric detritus that Bruce alluded to.  What you get is a fantastic balance of high-level as well as in-the-weeds presentations on all manner of things security: politics, culture, technology, futurism, hacking, etc.  It's an amazing balance with a refreshing change of pace.  People go to all the presentations because they know they are going to learn something.

These sorts of events have really been springing to life for years, yet we've seen them morph and become abstracted from the reason we attended them in the first place.  Some of them like BlackHat, DefCon, and ShmooCon have all "grown up" and lost that intimacy, becoming just another excuse to get together and socialize in one place with people you haven't seen in a while. 

Some like HITB, CanSecWest, and ToorCon might appear too gritty or technical to attract a balanced crowd, and the expectation for presenters is the one-upmanship associated with an overly-sensationalized exploit or the next move in the fanboy-fanned flaming game of vendor 0day whack-a-mole.  Others are simply shows that are small or regional in nature that folks just don't know about but remain spectacular in their lineups.

My challenge to you is to discover these shows -- these "Non-Cons" as I call them.  They offer fantastic networking, collaborative and learning opportunities and you'll be absolutely blown away with some of the big names presenting at them.

Don't turn up your nose simply because of locale and use the excuse that you're saving your budget for RSA or InfoSec.  When is the last time you actually *learned* anything at those shows?  It costs thousands to attend RSA.  Many of the Non-Cons cost a measly couple of hundred dollars.

Take a close look at where your favorite InfoSec folks are presenting.  If five of them happen to be converging on, say, Ohio <wink, wink> for 2-3 days at a security conference you've never heard of, it's probably not because of the beaches...

/Hoff

links for 2008-04-27 [Raffy's Computer Security Blog]

Posted: 26 Apr 2008 09:31 PM CDT

University of Miami: Good for the body, bad for the soul? [Emergent Chaos]

Posted: 26 Apr 2008 03:51 PM CDT

The University of Miami has chosen to notify 41,000 out of 2.1 million patients whose personal information was exposed when thieves stole backup tapes.

The other 2.1 million people, apparently, should be reassured that their personal medical data was stolen, but the University feels it would be hard to read, and well, there's no financial identity theft risk associated with it. If you believe the sorts of people who notify 1.9% of the victims of a breach. Sorry, ChoicePoint. Unfair comparison. You notified about 18% of the victims*, nearly ten-fold as many.

There's some analysis of how hard it would be to read the tapes. I'm skeptical: why does someone steal tapes from an Iron Mountain van if not to read them?

The Breach Blog feels differently. In "University of Miami reports stolen tapes affecting patients," he digs into the likelihood of the data being accessed.

Now, the University claims that the tapes are in a "complex and proprietary format," which seems to be "Tivoli Storage Management" from IBM. Tivoli Storage Manager has encryption capabilities (page 3 of this PDF). I'm curious why that wasn't in use.

Also, looking around, I found this quote at an IBM partner site:

Much is made of the inbred security of the TSM system since the backed up data is so closely linked with the TSM database. While, to the layman this is true, and it is almost impossible to reconstruct TSM data without the database, it is possible in the right scenario, with the right skills at your disposal.

Until I hear more, I'm skeptical of the University's claims. I don't believe, and I have not believed for a long time, that breach notices are about identity theft. They're about the performance of a promise to protect information.

(*Footnote: 18% being 30/160, approximate numbers for the ChoicePoint incident.)

Point Break, Live [Emergent Chaos]

Posted: 26 Apr 2008 12:45 PM CDT

The starring role of Johnny Utah is selected from the audience each night, and reads their entire script off of cue-cards. This method manages to capture the rawness of a Keanu Reeves performance even from those who generally think themselves incapable of acting. The fun starts immediately with the "screen test" wherein the volunteer Keanus (usually 5-15 men and women vie for the role) go through a grueling audition process. The part is then cast via applaus-o-meter.

Point Break Live. So very attitudinally mis-adjusted. Via JWZ.

E-Commerce Ripe Victims for Cyberterrorism [The IT Security Guy]

Posted: 26 Apr 2008 11:05 AM CDT

A group of hackers that met in London last week warned that major retail chains could be next on the cyberterror hit list, according to the venerable old BBC.

They said the same techniques would be used as those in the attacks against Estonia last year, that basically brought the government and infrastructure to its knees.

Infosec 2008 - Day 1 AM [IT Security: The view from here]

Posted: 26 Apr 2008 08:21 AM CDT

As always, Olympia is like a greenhouse in the middle of April, so I've dashed back to the hotel for some fresh air (inside the hotel obviously, London is outside). Whilst I'm here, I thought I'd get some stuff down so I don't have to ramble too much later.

I came in this morning and made a bee-line for the PKWare stand to see how they were set up. They have many sales people staffing the stand, and to be honest I'd be rather superfluous standing there as well. I'm still talking about them around the showfloor though as that's a much more satisfactory way of covering the show and picking up leads.

A quick stop to chat with Bobby Conway from NuBridges, put a face to the name and find out what they're up to. They were an Ingrian partner until early last year, but there were some problems there which I still don't know the truth behind and have no opinion on (yeah, right!). Suffice to say, they have a great i-series product, which we used to default to until the partnership disappeared. I hope they will talk to SafeNet again after the acquisition, as it would be a strong place for them to focus and could get far better coverage that way, for both parties.

As I passed back via the Secerno area, I stopped by to say hi to Steve Moyle, the CTO, who looked blankly at me when I said my name, and then smiled broadly and sat me down at the table to talk. I'm still impressed with these guys, they have taken a complex product that I thought did something great and turned it into something a lot simpler that seems to do just one thing well. At this stage I'm not sure if they haven't over-simplified it, but that may be just the thing to break into this market space right now.

The basic premise is that they will look dynamically for SQL injection type of activity, rather than using signatures or static files like a web-app firewall. I like this because it is more application focused and closer to the data. They also have a much more comprehensible GUI now, which is a relief, and good reporting, which is a necessity.

Back to the show for some lunch, then a quick poke around at some of the bigger boys this afternoon I think.

What a crazy week [An Information Security Place]

Posted: 26 Apr 2008 07:34 AM CDT

Monday was meetings.  Then spent Tuesday and Wednesday in New Orleans doing an eval install for Bluesocket (actually, the SE for Bluesocket did the install - I was there to learn).  Then I spent all day Thursday driving around one of our sales people from Dallas since she has a few clients down here in Houston (we had some good meetings, so it is worth it).  THEN Friday was spent driving roughly 6 hours (round trip) to Austin for ONE meeting (I also picked up one of our sales guys at the Austin airport - I love being a chauffeur).

That is often the life of a sales engineer.  Driving, flying, installing evals, driving, flying, talking to clients, flying, driving, driving, flying… You get the picture.  Just seems horribly inefficient sometimes.  But all part of the gig.

Vet

Are your Skype username and password completely exposed if you use iSkoot? [Voice of VOIPSA]

Posted: 26 Apr 2008 05:41 AM CDT

UPDATE #1: Ironically, email to “security@iskoot.com” bounced. I did send it to several other addresses, though.

UPDATE #2: The iSkoot FAQ indicates that passwords are encrypted using SSL. So either the FAQ is now wrong or Dameon’s capture is wrong.

UPDATE #3: Dameon has now posted a packet trace clearly showing a Skype user name ("insecure-user") and a password ("insecure-password").

UPDATE #4: iSkoot CEO Mark Jacobstein has commented on this post stating unequivocally that they always encrypt with SSL.


——–

If you use iSkoot to put Skype on your mobile phone, could it be that your Skype credentials (username, password) are transmitted in the clear? Based on some disturbing news from Dameon Welch-Abernathy, a.k.a. “PhoneBoy”, it certainly looks that way. In his post late last night, “iSkoot Transmits Your Data In The Clear“, he discusses his tests of capturing network traffic from both the new Skype for Mobile client and also from iSkoot. The difference is disturbing:

First of all, Skype appeared to use a TCP connection on a non-standard port. Fine with me. I looked at the raw packets generated by Skype Mobile and saw an opaque blob–exactly what I expected to see.

iSkoot uses TCP port 80–the same port used by HTTP, the lingua franca of downloading web pages. It sends various things as a series of HTTP GET calls. The scary part of this that your text chat messages–and lots of other interesting information, including your Skype credentials–is being transmitted in the clear. That's right, iSkoot takes all that perfectly good encryption that Skype employs and throws it out the window. For no good reason.

If true (and I have no reason to doubt Dameon), this is obviously of great concern. Someone using iSkoot from their mobile over WiFi is effectively allowing their Skype credentials to be seen by anyone who can intercept their traffic (i.e. is either on the local WiFi network or is between them and iSkoot’s servers). Yes, Skype chats can also be intercepted (but that’s been a known issue with iSkoot) and while that is of concern, especially because users may assume the chats are encrypted as they are with Skype, the larger concern is interception of credentials… if someone gets your Skype username and password they can obviously login to Skype.

I am a bit surprised by the exposure of credentials (and did email Dameon back to confirm he could definitely see them) because when I raised my concerns about iSkoot last July, Jacqueline Van Meter from iSkoot Product Management responded to my concerns in a comment (left, actually, to a subsequent post I made about iSkoot) and stated this:

Of course, we take the issue of password security very seriously. Login and password information are always encrypted. The information is stored on the handset only—never the server—and only in cases where the user selects the auto sign-in option. The communication from the client to our server is also encrypted and secured, using https.

Phil Wolff, in his excellent review of iSkoot last October when it was announced that it would be used in the 3 Skypephone also says this about Skype chats over iSkoot:

Downside 5: Because Skype hasn’t shared their encryption algorithms with iSkoot, your Skype chats aren’t encrypted, although your login is.

If Skype credentials are now exposed, this is indeed a serious matter that iSkoot needs to address, especially given the millions of users of the 3 Skypephone which uses the iSkoot client. Did something change during one of the releases and the protection referenced above was inadvertently removed? If HTTPS was used for encryption why didn’t Dameon see that? (Or did Dameon see the unencrypted chats but miss that the login was encrypted?)

Before we jump to conclusions, though, it strikes me that we need to do a couple of things:

  1. Verify again with a packet trace that the Skype username and password are visible during the iSkoot login (or subsequent message exchange). This is what I’ve asked of Dameon but with time differences, he is asleep right now. If anyone else has the capacity to test this, it would be good to have that confirmation. Unfortunately, I can’t personally as I don’t have any WiFi devices on which to run iSkoot.
  2. Understand how often the Skype credentials are sent by the iSkoot client. Is it only at the very first login? Or are they sent with every transaction?
  3. Contact iSkoot to see what they say. (I’ve just sent an email.)

After all of that, we can understand what risk is here right now.

Regardless of the outcome (and I hope that the credentials are not in the clear), this whole experience does show a stark difference between Skype’s new Mobile version and the iSkoot client. Skype, obviously, can secure all of the chats and communication in general. iSkoot, being a third-party app, can’t. Will that matter in the market place? Or does iSkoot have a friendlier model for carriers?

Meanwhile, let’s do some testing… I’ll update this post with more info as we can get it.
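
The exposure the quoted capture describes, credentials riding in plaintext HTTP GET requests, is something a defender can check for in their own traffic. The following Python script is an added example, not code from the original post and not iSkoot's or Skype's protocol: it parses request lines from a capture, flags credential-looking query parameters, and skips records on the TLS port where nothing would be readable. The parameter names, ports and capture records are constructed sample data; the "insecure-user"/"insecure-password" values are simply the placeholders the post's update mentions.

```python
"""Added example, not code from the original post or from iSkoot/Skype:
flag plaintext HTTP GET requests whose query string carries credential-looking
parameters. The capture below is constructed sample data; the parameter names
and record layout are assumptions, not iSkoot's real protocol."""
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Parameter names that usually carry a secret (assumed list; extend for your environment)
PASSWORD_KEYS = {"password", "passwd", "pwd", "pass"}
# Names that identify the account; alone they leak less, but next to a password
# key they complete a usable credential pair
IDENTITY_KEYS = {"user", "username", "login"}
TLS_PORT = 443  # a real capture on this port would not show a readable request line


def credential_params(request_line: str) -> List[str]:
    """Return credential-looking query parameter names from an HTTP request line.

    Only GET is inspected: the post's point is that the client sent credentials as
    GET calls, and a GET puts them in the URL, which also lands in proxy and server
    access logs. POST bodies would need a body parser and are out of scope here.
    """
    parts = request_line.split()
    if len(parts) != 3:            # not of the form "METHOD target HTTP/x.y"
        return []
    method, target, _version = parts
    if method.upper() != "GET":
        return []
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    wanted = PASSWORD_KEYS | IDENTITY_KEYS
    return sorted(name for name in params if name.lower() in wanted)


def scan_capture(capture: List[Dict]) -> List[Dict]:
    """Report requests in a capture that expose credentials in the clear.

    Each record is {"dst_port": int, "request": "<request line>"}; this layout
    mimics fields a capture tool would export and is an assumption of the example.
    """
    findings = []
    for index, record in enumerate(capture):
        if record["dst_port"] == TLS_PORT:
            continue                   # treated as encrypted in transit
        names = credential_params(record["request"])
        if not names:
            continue
        has_secret = any(n.lower() in PASSWORD_KEYS for n in names)
        findings.append({
            "index": index,
            "params": names,
            # a readable password is the serious case; an identity alone is lower risk
            "severity": "high" if has_secret else "medium",
        })
    return findings


# Constructed sample capture. The first record reuses the placeholder values the
# post's update mentions; nothing here is a real iSkoot request. The port-443
# record is included only to show that TLS traffic is skipped.
SAMPLE_CAPTURE = [
    {"dst_port": 80, "request": "GET /login?user=insecure-user&password=insecure-password HTTP/1.1"},
    {"dst_port": 80, "request": "GET /chat/poll?session=abc123 HTTP/1.1"},
    {"dst_port": 80, "request": "POST /api/login HTTP/1.1"},
    {"dst_port": 443, "request": "GET /login?user=x&password=y HTTP/1.1"},
    {"dst_port": 80, "request": "GET /auth?login=bob HTTP/1.1"},
]

if __name__ == "__main__":
    for f in scan_capture(SAMPLE_CAPTURE):
        print(f"request #{f['index']}: {f['severity']} - {', '.join(f['params'])} sent in the clear")
```

Run against the constructed capture it reports the first record as high (username and password readable) and the last as medium (account name only). The design choice worth noting is the GET-only focus: besides being readable on the wire, a credential in a query string is copied into every access log between the handset and the server, so the exposure outlives the connection.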

autocomplete=off, yes… it’s really that simple. [.:Computer Defense:.]

Posted: 26 Apr 2008 01:50 AM CDT

One of my favourite things is Autocomplete. I'm sure plenty of security folks are cringing right now, but I enjoy it. It saves me a crapload of data entry every time I want to place an order (Name, Address, Phone number) or post a blog comment (Name, Email, Website)...

Anyways... what really bothers me is web developers that don't know about, or refuse to acknowledge the existence of, autocomplete. Let's compare two online ordering systems that I use frequently.

One contains a check box asking if you'd like it to remember your information (excluding credit card information). The entire order form is set to autocomplete=off and if I check the check box, my info is stored in a cookie with a very long expiry date.

The other doesn't save my info, I have to fill it out every time... This is where autocomplete is nice. Name, Address, Apartment Number, Buzzer Code, City, Postal Code, Phone, Email, etc.... Lots of info to provide but for me it's just first letter + tab. I like this feature... My problem is when I get to credit card information. This website hasn't seen the need to set the credit card related fields to autocomplete=off. Now I know that after I order I have to clear saved form data... this was once an issue though.

I ordered from this company via credit card, but then I moved over to cash orders... months later I happened to order via credit card again... this was when I discovered that the data was autocompleted. I find this very frightening for a number of reasons.

So I want to know... do web developers really have a hard time with autocomplete? I want to point out how important and how vital it is to your online form development. That's all... nothing really here, just a bit of a rant that I wanted to get out. Enjoy.
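
A developer can catch the omission the post complains about before shipping. The script below is an added example, not code from the original post: it parses an HTML checkout form with Python's standard-library parser and lists payment-card inputs that are not covered by autocomplete="off", either on the input itself or inherited from the enclosing form. The sample markup is constructed, and the field-name heuristic (tokens such as cc, cvv, card, expir) is an assumption to be tuned to your own templates.

```python
"""Added example, not code from the original post: lint an HTML form for
payment-card inputs that are not protected by autocomplete="off". The markup
below is constructed sample data and the field-name heuristic is an assumption."""
import re
from html.parser import HTMLParser
from typing import List

# Field-name tokens and prefixes that indicate card data (assumed heuristic)
CARD_TOKENS = {"cc", "pan", "cvv", "cvc", "cvv2", "expiry", "expmonth", "expyear"}
CARD_PREFIXES = ("card", "cvv", "cvc", "ccnum", "expir")


def is_card_field(name: str) -> bool:
    """Match whole tokens, not substrings, so 'account' (which contains 'cc') is not a hit."""
    tokens = [t for t in re.split(r"[^a-z0-9]+", name.lower()) if t]
    return any(t in CARD_TOKENS or t.startswith(CARD_PREFIXES) for t in tokens)


class AutocompleteAuditor(HTMLParser):
    """Walk the document and collect card inputs a browser may autofill."""

    def __init__(self) -> None:
        super().__init__()
        self.form_off = False          # True while inside <form autocomplete="off">
        self.findings: List[str] = []  # names of unprotected card fields

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.form_off = a.get("autocomplete", "").lower() == "off"
        elif tag == "input":
            label = f"{a.get('name', '')} {a.get('id', '')}"
            if not is_card_field(label):
                return
            input_off = a.get("autocomplete", "").lower() == "off"
            if not (self.form_off or input_off):
                self.findings.append(a.get("name") or a.get("id"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False      # the form-level setting ends with the form


def audit_html(markup: str) -> List[str]:
    """Return the names of card fields lacking autocomplete="off", in document order."""
    auditor = AutocompleteAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


# Constructed checkout page: one form that only protects the expiry field, and a
# second form that is protected as a whole.
SAMPLE_FORM = """
<form action="/checkout" method="post">
  <input type="text" name="full_name">
  <input type="text" name="address_line1">
  <input type="text" name="cc_number">
  <input type="text" name="cc_expiry" autocomplete="off">
  <input type="password" name="cvv">
</form>
<form action="/saved-card" method="post" autocomplete="off">
  <input type="text" name="card_number">
</form>
"""

if __name__ == "__main__":
    for field in audit_html(SAMPLE_FORM):
        print(f'card field "{field}" can be autofilled: add autocomplete="off"')
```

On the sample it reports cc_number and cvv; cc_expiry carries its own attribute and card_number inherits the form-level one. Treat the attribute as defence in depth rather than a guarantee: browsers differ in how far they honour autocomplete="off" (several ignore it on password fields), which is why the first ordering system the post describes keeps remembered details server-side and excludes card data entirely.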

Links for 2008-04-25 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 26 Apr 2008 12:00 AM CDT

Infected Web Page Every Five Seconds [The IT Security Guy]

Posted: 25 Apr 2008 09:17 PM CDT

According to anti-virus and security company Sophos, it discovers an infected web page every five seconds. That's up from 14 seconds for all of last year.

The results were part of the company's security threat report for the first quarter of this year.

Some interesting reading in only four pages.

iFrame Attack Surge [The IT Security Guy]

Posted: 25 Apr 2008 09:12 PM CDT

Panda Security is reporting a surge in iFrame attacks against Microsoft IIS servers. Details of the injection attack were in Network World yesterday.

Panda is recommending that network managers check their web sites for the malicious code. Panda isn't sure which vulnerability is being exploited but suspects it might be related to a Microsoft advisory from April 17.

Anton on BAD Logs Next Week [Anton Chuvakin Blog - "Security Warrior"]

Posted: 25 Apr 2008 08:03 PM CDT

Want to see me talk about how bad logs really are? :-)

Come see me present at OWASP in Connecticut next week. It is on April 30 at 6PM

Thanks to James McGovern for inviting me!

Log Haiku #4 [Anton Chuvakin Blog - "Security Warrior"]

Posted: 25 Apr 2008 07:58 PM CDT

Think syslog is a standard?
A standard of what?
What were they smoking?

Killing Security, Piece by Piece [The Falcon's View]

Posted: 25 Apr 2008 10:13 AM CDT

Ok, not really, but it's kind of a catchy headline, right? For anyone that caught the RSA Conference (either live or in archive), then you probably picked up on the theme that I've been riding for a few months now:...
