Saturday, May 31, 2008

The DNA Network


Monogamy and Eusociality [Yann Klimentidis' Weblog]

Posted: 31 May 2008 12:58 PM CDT

Is high relatedness a cause or effect of eusociality? In this paper that just came out in Science, they find through some phylogenetic analyses and mating data among social insects that monogamy (which maximizes relatedness) is ancestral for all lineages, meaning that kin selection is likely a cause of eusociality (I have no idea of the details of how they did this). It's somewhat disappointing and surprising that they make no mention of humans or the paper by Bowles which hints at the relationship between monogamy (reproductive leveling), relatedness and kin selection and group selection, although in a different way.

Ancestral Monogamy Shows Kin Selection Is Key to the Evolution of Eusociality
William O. H. Hughes, Benjamin P. Oldroyd, Madeleine Beekman, Francis L. W. Ratnieks
Science 30 May 2008: Vol. 320. no. 5880, pp. 1213 - 1216
Abstract: Close relatedness has long been considered crucial to the evolution of eusociality. However, it has recently been suggested that close relatedness may be a consequence, rather than a cause, of eusociality. We tested this idea with a comparative analysis of female mating frequencies in 267 species of eusocial bees, wasps, and ants. We found that mating with a single male, which maximizes relatedness, is ancestral for all eight independent eusocial lineages that we investigated. Mating with multiple males is always derived. Furthermore, we found that high polyandry (>2 effective mates) occurs only in lineages whose workers have lost reproductive totipotency. These results provide the first evidence that monogamy was critical in the evolution of eusociality, strongly supporting the prediction of inclusive fitness theory.

The Best Predictive Health Ethics Blogs - May 2008 [PredictER Blog]

Posted: 31 May 2008 10:36 AM CDT

It was a busy month for predictive health news: the president signed GINA, Francis Collins announced his imminent retirement, bloggers reported from important conferences at Case Western and Cold Spring Harbor, and Google announced the debut of Google Health. These events, and others, are reflected in this month's edition of the best blogs on the ethical issues of predictive health.

Are you diseased? Pre-diseased? Potentially diseased? Greg Dahlmann, blog.bioethics.net. 6 May 2008.
In this insightful post, Dahlmann examines how predictive health is changing our concept of disease. When, exactly, does increased risk = illness? Dahlmann writes:

So we're moving from the concept of disease as a state of impaired function to it representing particular sets of probabilities. In the past you were sick when you had a heart attack. Today, you're sick -- or pre-sick, perhaps -- when you have high cholesterol. What about when it's possible to identify constellations of genes that significantly increase your chances of having high cholesterol, or a heart attack. Would that be considered a disease?

Also see Dahlmann's follow up post on "previvors": Blood Matters. Greg Dahlmann, blog.bioethics.net. 11 May 2008.

NHGRI Director Francis Collins to Step Down on August 1. Hsien-Hsien Lei, Eye on DNA. 28 May 2008.
Lei shares the news that Francis Collins will retire from his post this summer and that Alan E. Guttmacher will become acting director. Lei also shares some thoughts on Collins' book The Language of God.

In All Fairness. Fred Trotter, Fred Trotter: My life and thoughts, often about FOSS in medicine. 23 May 2008.
Following the news coverage on the release of Google Health, Fred Trotter weighs in on the privacy questions. Trotter argues that Google is not a health care provider and is, therefore, not covered by HIPAA. He writes:

Both Google Health and HealthVault are designed to make the process of dissemination of your health information to people you want them to be disseminated to easier. Are they doing that in a secure, privacy respecting way? Excellent question; fodder for further posts. Should they be covered by the same laws that cover your healthcare providers? No.

Workman's Compensation, Stereotypes and GATTACA. Steve Murphy, Gene Sherpas: Personalized Medicine and You. 10 May 2008.
Murphy addresses a few of the potential social consequences of predictive medicine, by examining the following scenario:

Young person goes to 23andME/Navigenics/ETC (They just may add this immediately)....gets predictive testing indicating that he is at a 300 fold increased risk of herniating a disc in his back. Avoids manual labor (plays video games all day) never herniates the disc. Did we do society a service?

23andMe, deCODEme and Navigenics at Cold Spring Harbor. Daniel MacArthur, Genetic Future. 9 May 2008.
MacArthur reports, first hand, from the "Biology of Genomes" meeting at Cold Spring Harbor. In addition to the big players in the consumer genomics movement, the speakers at the event included some ethics and policy experts, like Kathy Hudson from Johns Hopkins. Hudson, MacArthur notes, "responded to the problem of patients being given data of very limited predictive value with a very sensible solution: 'In the absence of demonstrable harm, the default should be to provide the information.'"

Genetic testing ethics - consent forms becoming incomprehensible. Elaine Warburton, Genetics and Health. 7 May 2008.
Warburton covers the Translating ELSI, Ethical Legal Social Implications of Human Genetics Research conference at Case Western University in Cleveland. In this entry she reports on Laura Beskow's comments regarding informed consent and the attitudes and concerns of research participants. Also see Warburton's related coverage of pediatric research ethics discussions at the conference in her post: Genetic Ethics - testing and storing our kids' DNA. Genetics and Health. 7 May 2008.

The FDA ditches the Declaration of Helsinki. Stuart Rennie, Global Bioethics Blog. 6 May 2008.
Stuart Rennie of Global Bioethics Blog examines the implications of the FDA's decision to abandon the Declaration of Helsinki. While Rennie focuses on the potential impact of this decision on US research overseas, and not specifically on predictive health research, this decision may have far reaching consequences on clinical trials of any sort. Rennie concludes with the following verdict: "the decision would seem to encourage pharmaceutical companies to cut ethical corners when working abroad".

GINA Series: Irrational Bureaucratic Risk Abhorrence [Page 1]. Andrew Yates, Think Gene. 24 May 2008.
This is the first post of a (thus far) four part series on GINA. Each post begins with the introduction:

Recently, President Bush signed GINA, the Genetic Information Nondiscrimination Act, into law. GINA makes it illegal for employers or health insurers to discriminate based on genetics. Virtually the entire genetics community has lauded this legislation, yet few have written why it's wrong that employers and services review objective facts to make decisions. … "It's not fair…" but why?

The Puzzling Consensus in Favor of the Genetic Information Nondiscrimination Act. Eric Posner, The University of Chicago Law School Faculty Blog. 6 May 2008.
In what may be the most influential post covered in this edition of the best predictive health ethics blogs, Chicago Law professor Eric Posner examines GINA and asks some compelling questions:

Should the insurance company be permitted to offer the cheap insurance policy only to people who obtain a doctor's certification that a genetic test shows that they belong to the low-risk group? If you think that insurers should be able to discriminate on the basis of visible markers and on the basis of simple doctors' tests for the presence of dangerous diseases, then you should think they should be able to discriminate on the basis of genetic tests. There is no morally relevant distinction between looking at a person's blood for the evidence of infection and looking at his DNA for evidence of susceptibility to a disease. ... The only explanation for the enthusiasm for GINA is that there is an inchoate feeling among people that there is something wrong with the way the insurance market operates.

Medical Genetics Is Not Eugenics. Gabriella Coleman ("biella"), What Sorts of People. 16 May 2008.
Coleman responds to Ruth Cowan's article in The Chronicle of Higher Education, "Medical Genetics Is Not Eugenics". Although Cowan sees little value in thinking about the similarities of modern medical genetics and the mid-century eugenics movement, Coleman cautions:

Even if, as [Cowan] rightly states that genetic testing is oriented primarily toward easing human suffering, genetic testing is still entangled with fraught ethical questions about what types of life we value, what is acceptable human life, and what is not—the very sorts of questions central to eugenics.

Starting to add up to some real money [Omics! Omics!]

Posted: 31 May 2008 09:56 AM CDT

Last week's Globe carried an item that a real estate firm is planning a 5-year, $1 billion, 1.5M square foot biotech complex in Cambridge. Given all the recent news about Gov. Patrick's $1 billion biotech initiative, perhaps Sen. Dirksen was right. Predictably, one letter to the editor proposed that the private money obviates the need for the public money.

Of course, they're addressing two different things, well, mostly. The original biotech proposal was going to be heavily research oriented, but now there are earmarks for education & earmarks for local infrastructure. The real estate development is going to provide space for future growth, space that the company is hoping will exist.

Real estate in general & biotech specifically are a boom-and-bust phenomenon in Cambridge, though the trend is clearly weighted a bit towards boom. Even before the genomics boom there was a shortage of space & all sorts of old factory space was converted -- one MLNM site was known as the "Box Factory", as it had previously manufactured heart-shaped candy boxes for Valentine's Day. New buildings went up, such as the cluster of current & former MLNM buildings and the Cambridge beachhead for Partners Healthcare's research empire. The really big daddies were the conversion of a candy factory to the Novartis site & Genzyme's beautiful building. When the tech boom crashed, space intended for companies such as Akamai was hastily converted.

Then the genomics era came crashing down, and suddenly MLNM wasn't gobbling up space but instead dumping it. Sites such as 640 Memorial Drive sat largely vacant, along with many smaller ones, behind signs reading 'Biotech Space Available'.

The pendulum is apparently closer to boom again, and several biotechs are heading to the suburbs for cheaper rents or more space. Cambridge will never be cheap, that's for sure.

A billion dollars is no pocket change. One unintentionally humorous element in the story was that no clients had been lined up yet -- like anybody in this business can plan 5 years ahead! MLNM got burnt multiple times on shorter term planning -- stuck in a long lease at 640, buildings configured for the wrong mix of chemistry & biology labs, etc.

Biotech buildings have all sorts of additional requirements, many of which I've only recently become aware of. Heavy-duty floors are needed to support equipment. Complicated ventilation infrastructure. Systems to pH neutralize waste water. Some companies have systems to move waste solvents downstairs; Cambridge's fire department has strict limits which grow tighter the higher the floor. Trying to get leeway there is a non-starter; a year and a half ago a non-biotech solvent explosion blew apart a neighborhood in a town north of Boston.

The location is very good; close to a lot of existing biotech, major road routes, and two mass transit lines -- one of which will probably be extended by the middle of the next decade. The area is already congested, but where isn't?

In the image, the Charles River is the dark slash in the lower right corner, and the Genzyme building anchors the lower left corner.
The big parking lot in the center would be a key site, and has begged for redevelopment for a while. The parking lot above it and to the right would also be included -- but also the low rise buildings going diagonally up to the upper left. These are apparently currently low-rent startup space, a useful commodity, but the new buildings will be much taller -- critical in the increasingly crowded biotech zone. A little bit of the space will be restaurant/retail, but with Kendall Square & the Cambridge Galleria nearby, it won't be lacking for eating & errands.

DNA Video: History of the Species [Eye on DNA]

Posted: 31 May 2008 03:06 AM CDT

Work by the MRG at Goldsmiths.
Including: William Latham, Stephen Todd, Frederic Fol Leymarie, Miki Shaw, Ben Jefferys, Lawrence Kelley.

At the core of this work is the idea of feeding DNA data sequences into a rich 3D form generator called FormGrow, to generate organic-looking 3D growth structures, creating an equivalence of the DNA mapped into an alternative multi-dimensional space.

via Kevin Kelly

Simpsons Evolution Video [The Tree of Life]

Posted: 31 May 2008 02:13 AM CDT

Just a little post showing this Simpsons Evolution Video from YouTube.

Around the Blogs [Bitesize Bio]

Posted: 31 May 2008 12:11 AM CDT

While I generally am a lurker on other people’s blogs (I admit it), I have a long list of blogs that I subscribe to in my Google Reader feed. And since it’s Friday, I thought it time again to share some of the postings from around the blogs that caught my eye.

On the Five Stages of Proposal Writing - Professors, for the most part, are writers. Grant proposal writers, especially. One prof describes the stages behind her writing.

Life Science Ph.D.s as Industrial Strength Technicians? - Sandra discusses some of the issues for PhDs trying to find jobs, and the biotech companies who find them overqualified.

Walking the Line Between Grades and Experience: My Life as an Undergraduate Researcher (Part 2) - Continued from Part 1, Tim discusses the struggles between getting laboratory experience and earning high marks in his coursework.

The Future of Cell Biology: Organellar Shape - Alex shares some insights regarding what we don’t (yet) fully comprehend, with commentary.

Bacteria on Rocks - A recent paper in Nature reveals that microbes have been found thriving on fresh volcanic basalt on the ocean seafloor, implying that our understanding of carbon cycling and deep-sea systems is missing an entire food source and web.

And from last month:

Serial Endosymbiosis and Intelligent Design - Allen makes an excellent case how science progresses and that while science may resist change, the only way to change science is to do hard work, research and show how your ideas form scientifically relevant contributions.

Avoiding the Lure of The Internet [Bitesize Bio]

Posted: 31 May 2008 12:10 AM CDT

There is no doubt that the internet has revolutionised science by making information freely available. But when it comes to actually getting work done, the internet can be a problem.

With all of that lovely information available right at your fingertips it’s easy to get sucked into surfing when you are trying to work.

Here are 5 ways to avoid the lure of the internet and stay efficient:

1. Leechblock is a Firefox extension that will block access to any website for any period you specify. So you can block all of those sites that suck up your time, or schedule a set time each day where you can view them. You could allow access to your favorite news sites only during your lunch hour, for example.

2. Temptation blocker is a bit more of a blunt instrument than Leechblock. It allows you to lock yourself out of applications for a set amount of time - so you could use it to block your browser, games, email or whatever is distracting you. If you need to get back into the application before the time is up you can, but the program makes you type in a 32-digit alphanumeric code as a disincentive before unblocking the program.

3. Deleting all bookmarks to websites that eat up your time is a simple way to make it more difficult to navigate to your favorite time-consuming site. But that can be a bit drastic as sometimes you might just want to surf. Alternatively you could use Firefox’s multiple profile capabilities to create one profile for work and one for play.

4. Mozilla’s Prism is an intriguing piece of software that allows you to run web applications you use/need often as if they were on your desktop. So there is no need to actually open a browser, meaning less opportunity for distractions.

5. Lo-tech options include unplugging/switching your wireless off while working, using pen and paper instead of a computer and exercising some self control!

How do you avoid online distractions? Let us know in the comments.

Feynman Shows Us How To Be A Scientist [adaptivecomplexity's column]

Posted: 30 May 2008 11:17 PM CDT

Can one ever hear too many stories about Richard Feynman? Cosmic Variance brought my attention to a great piece from Physics Today by Daniel Hillis (who worked with Feynman in the 80's to build a pioneering computer) that shows us how a great scientist continued to tackle interesting problems well into his 60's. How did Feynman do it - how did he keep finding interesting problems to work on?

A global informatics collaboratory [business|bytes|genes|molecules]

Posted: 30 May 2008 09:36 PM CDT

Thinking about BioBarCamp, listening to Chris Messina talking about DiSo, Barcamp and open projects in general and all consumed by the cloud and web services. Over the past year, we’ve built a fairly cool group of bio and data geeks distributed all over the world. We have different skills, different backgrounds and different knowledge bases. Question is, are there enough of us to achieve the kind of bursty success that has driven efforts like OpenID, OAuth, DiSo, Wordpress, etc in the tech/web world? Can we come up with simple tools and protocols that have the same impact on bioinformatics, cheminformatics, molecular modeling and perhaps life science discovery in general?

It is Friday evening, and I am allowed to dream!!!


Spliced feed for Security Bloggers Network


Are you going to the Gartner IT Security Summit? [StillSecure, After All These Years]

Posted: 30 May 2008 11:14 PM CDT

Monday is the start of the annual Gartner Security Summit in Washington, DC. Actually, it is at the Gaylord National Hotel this year. Besides the obvious presentations by the Gartner analyst staff, it is usually a good chance to catch up with the security industry. I will be there from Monday morning through Wed afternoon. StillSecure is not presenting or exhibiting at the show this year, so I will be in lots of meetings and listening in on some tracks myself.

If you are going to be at the show and want to get together for a coffee or other beverage, drop me a line at podcast@stillsecure.com with a suggested time and place at the show. Hope to see some new and old faces there, and I will be blogging from the show as well.

Not "who you gonna run to" but "who you gonna call"? [StillSecure, After All These Years]

Posted: 30 May 2008 08:50 PM CDT

You could try Ghostbusters, but don't bother calling the PCI council. So say Mike Fratto and Martin McKeay in response to my earlier article about when you have an obligation to go public. Of course I was responding to Martin's earlier post on the TJX employee getting fired. What all three of us agreed on, though, is that there is no place or person that an employee, or any other person frankly, can call to report a company that is not in compliance with PCI.

Mike Fratto says "PCI has no teeth because VISA/Mastercard doesn't want to bite the hands that feed it." Martin says the PCI council has not established a way for people to report violations because "that'd make the Council responsible for acting on those reports. And that's something they really, really don't want." So are the PCI regs toothless? I wouldn't exactly go that far. I think we have to draw a distinction between having the power to act and actually exercising that power. Mike is right, so far the PCI council has yet to exercise the powers they were granted to impose sanctions and penalties. That doesn't mean they won't in the future though. I think they will have to make some "examples", otherwise people are going to begin to ignore the requirements altogether.

Without some process to report violations, the credit card companies are inviting the government to step in. This is exactly the reason, as Mike Fratto points out, that they imposed the PCI regs to begin with: to keep the government out. Until they do though, I think going public and the court of public opinion may be the only recourse.

A Change in content and purpose [Jim's Bloggyness]

Posted: 30 May 2008 06:00 PM CDT

So as several of you have figured out, I’ve been A) incredibly busy at work, B) still busy at work, C) a bit slow on updating here, or D) all of the above.

Well, the answer is a bit more complicated in that I’ve, YES, been extremely busy, but I was also asked to censor how much I wrote about work and related topics by my employer. So in fairness to them (I have no problem with it), I’ve held off on writing things.

Going forward, I plan on changing up the blog and being a bit more open-topic. Basically it is not going to be as focused on the security stuff (though it will come up), but in all likelihood I’m going to make this more of a personal blog.

So feel free to stick around and let's see where things take us.

"Revolutionary" VirtSec Startup Emerges From Stealth [Rational Survivability]

Posted: 30 May 2008 01:59 PM CDT

If Barracuda attempting to gobble up SourceFire today wasn't interesting enough, check this out...

WALTHAM, Mass., May 30 /PRNewswire/ -- Hyperbole, Inc., the pioneer and leader in virtualization security solutions, today announced it has emerged from stealth mode and raised $14 million in a Series A funding which it will use to expand its R&D efforts and grow its sales and distribution teams.

Hyperbole's flagship product, HyperTension, provides a zero footprint and forensically tight paradigm-shift in the emerging virtualization security (VirtSec) market by automatically protecting all virtual infrastructure against known or unknown attacks without the need for expensive and clumsy IDS, firewall and IPS technology. 

With no agent software and no hardware requirements save for a specially-constructed tamper-proof USB device called the HyperDrive, HyperTension is able to secure any virtualization platform automatically within seconds and with no downtime required.

HyperTension provides an undetectable ring compression insertion technology that injects itself into memory space transparently and utilizes the flash memory space available in PCI cards present in the system to load, thereby not corrupting the main heap and rendering itself undetectable. 

Further, HyperTension will probe for the presence of parallelized graphics processing units (GPU) from leading graphics card providers and if found, will utilize them to provide the compute cycles necessary for operation thereby not impacting the on-board main CPU or cache, further lessening the impact of the solution running in virtualized environments. 

This allows for massive computation capabilities used to provide real-time memory-space attack detection functionality which can be manually or automatically adjusted using our patented HyperSensitivity comb filter technology.

Hyperbole's patented HyperVentilation technology utilizes quantum cryptography and open source algorithms to create "holes" in memory to dynamically encrypt/decrypt the entire memory space of a virtualized host and upon register access, leverage commodity TPM solutions to authenticate and decrypt memory on the fly when used in conjunction with any of Hyperbole's partner-supplied whitelisting solutions.

Once accessed, HyperTension automatically performs an ASLR operation for pointer obfuscation and then re-encrypts the memory space using a newly-generated quantum key derived from the unique properties of the hashed cache entries from the rotating cipher.

This provides unbreakable security since only authorized applications can attempt to gain access to HyperVentilated memory space which is also encrypted to prevent unauthorized access.

...

Speechless. 

/Hoff

Mobility Changes (Almost) Everything! [Kees Leune]

Posted: 30 May 2008 12:35 PM CDT

Today is a nice day. It is 78 °F (25 °C) and sunny here in Garden City, NY. Today, I decided to actually take a lunch break and stroll over to Subway for a bite. On my way out, I snatched the latest copy of ISACA's Information Systems Control Journal. Although I did not get much past the guest editorial by William C. Boni, titled Mobility Changes (Almost) Everything! (membership required) it was worth a good read. Mr. Boni writes:

"The notion of treating an organization's network as if it is a discrete environment and developing security solutions to guard against the threat of outsiders is dangerously outmoded and an incomplete concept. We need to understand that this pernicious and outdated concept still affects our approach to protection, and many people continue to operate as if physical location is a reliable measure for protecting organizations against risks of information theft or loss."

ISACA Information Systems Control Journal, Volume 3, 2008
Very few active practitioners of the information security trade will disagree that the perimeter is fading, and that we are facing an increasingly mobile workforce. I blogged about this before, and I doubt that this will be my last post on the topic.
What I have always left unsaid, but what Mr. Boni clearly points out, is that we must realize that only very few people really understand the consequences of this development. Most of our (implicit) thinking still revolves around the old fortress metaphor: as long as you are on the inside, you are safe. The way that most of us architect the locations of firewalls, Intrusion Detection/Prevention Systems, etc. is a lively illustration of this way of thinking.

Unfortunately, the view of an organization as an entity with clearly delineated IT boundaries is no longer true (if it ever has been); modern organizations are not castles or strongholds, they are open entities with a very large number of interdependencies with business partners, clients, suppliers, governments, financial institutions, etc. Our global economy depends on organizations working together and adding value at each link in the value chain. Information security professionals need to be aware of that.

Mr. Boni also writes:

Increasingly, new products, services and solutions require near-constant innovation. Innovation in a global community--the creative spark that envisions new experiences, products or services creation--comes as often from the ad hoc, unstructured, interpersonal and interorganizational discussion, as it does from formal research initiatives.
That observation is spot-on, and it is something we must listen to very well. Information security efforts must be aligned with business needs (essential truths: never say no), and most businesses need to constantly adapt to changes in their environment.

Sometimes that adaptation will be facilitated through innovation, but more often it is through communication. Both processes rely heavily on information processing, and as information security professionals, it is our job to facilitate these processes so they happen efficiently, effectively, and securely.

Cyberterror! Cyberterror! Pfffft..Sputter…Gak!! [securosis.com]

Posted: 30 May 2008 11:15 AM CDT

Kevin Poulsen over at Wired reports that a new National Journal report claims that Chinese hackers may have been responsible for a recent power outage in Florida and the big 2003 northeast blackout.

Kevin does a good job of ripping this report a new one, and I even learned about a SCADA bug I didn’t know about that contributed to the 2003 event.

I’m not going to get into the Chinese paranoia. Truth is, I have no doubt they both have advanced offensive cyber capabilities they use for intelligence gathering, and encourage the local hacking community to target us. Why not? Countries have been spying on each other ever since the creation of nations; no reason to think it will stop now because we’re too tied up watching American Idol to deal with it.

I sure as heck hope we’re doing the same to them; that’s what I pay taxes for.

But “cyberterrorism” and the 2003 blackout? Not so much. Unlike some I do consider cyberterrorism a legitimate concern for a nation-state, but I also consider the bar to be higher than any cyber event we’ve seen. If there isn’t serious loss of life or property that creates fear in a population for political or social goals, it ain’t terrorism. Sorry Estonia, we haven’t seen this yet, and I won’t be the idiot to predict it will happen in any given year. Bombs are a heck of a lot more effective at creating fear.

As for the blackouts, the various people I’ve talked with in the energy/utilities sector indicate that the Blaster virus may have played a part in slowing down control and communication systems, exacerbating the event. It’s not that Blaster brought down the power systems, but that it infected the Windows control workstations, messing up email, alerting, and control software (because it hosed the OS, not because it infected those bits). That drops everything to a more manual process and the automated SCADA safeties, which, combined with everything else going on, weren’t enough.

Could I be wrong? Absolutely; but it makes a lot more sense than Chinese hackers deliberately and successfully targeting our power grid. Not that I don’t think they aren’t capable, but there’s no evidence to indicate that occurred.

You can always tell when it’s budget and election season in Washington, especially in these days of national FUD.

Those wild and crazy guys are back! - SSAATY #54 [StillSecure, After All These Years]

Posted: 30 May 2008 11:04 AM CDT

Mitchell and I are back! It has been a few months, but the stars finally lined up to allow us to record a show. It was great being back behind the microphone again. Mitchell and I discussed a number of topics:

1. Recent penetration of the FBI
2. TJX fires an employee for disclosing lax security
3. Barracuda makes an offer for Sourcefire
4. G.hos.st

Along with the usual back and forth. Hopefully it will spur us on to do more podcasts!

If you like the content of these shows or have any other comments or questions, please drop us a line at podcast@stillsecure.com

Thanks to ClickCaster for hosting our podcast. Tonight's music is the usual, To the Summit by Jon Schmidt. You can hear more from Jon at http://www.jonschmidt.com. Music transitions between segments are by our own Mitchell Ashley!


Re: Collaboration Is Still a Singular, Personal Experience [The InfoSec Blog]

Posted: 30 May 2008 10:51 AM CDT

On 30-May-08, at 11:14, Anton Aylward wrote:

> But it has to take a business change. And that’s coming slowly.

One interesting possibility for this is the Facebook system. It has been so successful because it allows an interaction system that resembles real life social interactions. One can control somewhat who gets to see what detail of one’s [...]

Collaboration Is Still a Singular, Personal Experience [The InfoSec Blog]

Posted: 30 May 2008 10:14 AM CDT

http://www.baselinemag.com/c/a/Messaging-and-Collaboration/Collabortion-Is-Still-a-Singular-Personal-Experience/?kc=BLBLBEMNL052908STR3

The primary collaboration tool today is still what it was 10 years ago: sending an e-mail attachment with a PowerPoint deck or Word document back and forth between two or more parties. It is a serial form of collaboration: I put together my work product, send it to you, and you send back your thoughts or changes. It is [...]

Alternative to Exchange? [BumpInTheWire.com]

Posted: 30 May 2008 08:37 AM CDT

This article over at Network World had some relativity this week. It's about an email system, PostPath Server, that is an Exchange clone. Based on what the article says it sounds like a decent option, especially when cost is considered.

The relativity it had was that we have started, for the third time, a migration to Exchange 2007 in our virtual environment.  A problem arose that could not be solved by us so a ticket with Microsoft was opened.  The support rep at Microsoft bailed on support as soon as he saw that VMware tools were installed.  The problem, a service not starting, was obviously not VMware related.  So a physical server had to be built with Exchange 2007 installed on it with all of the Service Packs and Update Rollups applied.  The same service not starting issue was reproduced after Update Rollup 2 was installed.  Microsoft got it fixed but I bet PostPath Server support would have supported it in a non-Microsoft virtual environment.

The Simulator Was Hung O'er the Doorway with Care... [The Falcon's View]

Posted: 29 May 2008 02:27 PM CDT

One of my dreams for at least a couple years has been to purchase a Metolius Simulator. It's a training board for climbing that you can use for hanging and pull-ups to build arm and hand strength. I'm proud to...

Essential Truths in Information Security: Better is worse than good enough [Kees Leune]

Posted: 29 May 2008 10:24 AM CDT

The essential truth that dictates most of my working day is "better is worse than good enough." I became aware of this phrase back in my college days, when one of my professors used it often, usually in the context of some form of process modeling or data modeling exercise.

The real value of this phrase is in understanding what you need and what you do not need. Implementing unnecessary controls is bad; trying to become better is worse than accepting a situation that is good enough.

Making that determination is very hard; as security professionals we are intimately familiar with the concept of layered security, which revolves around the idea that more controls are generally better than fewer controls.

I disagree with that to a certain extent; controls should only be applied when the risk of a successful exploitation is large enough, and when the cost of that exploitation warrants the investment.

Of course, maintaining a minimal set of controls is generally advisable, but for every new layer of defense that is added after that, the question must be asked: is it really necessary? Will adding a control, including all the cost associated with it (hardware, software licenses, training, maintenance, staff, etc.) really improve the overall level of security? Or is better worse than good enough?

However, when the determination is made that the current situation is not yet good enough, and a new control will be added, another essential truth must be respected: execute with precision and excellence.

Pushing Virtual Buttons... [Rational Survivability]

Posted: 28 May 2008 11:46 PM CDT


My last couple of VirtSec posts have caused quite a stir in certain circles.

The "debate" between who "owns" VirtSec that originated as part of my response to Simon Crosby of Citrix regarding the same has been picked up and amplified on multiple fronts.

Greg Ness from BlueLane wrote a piece referencing it that was cross-posted on virtualization.com and that even made its way up to VC/investment blogs such as seekingalpha.com (Citrix vs. Chris Hoff ;) and has had my mobile ringing/vibrating itself off my desk over the last week or so.

It's hard to believe sometimes just how many people -- and who -- read my steaming pile of blogginess.

The second post of interest was in regard to the provenance of VMware's VMsafe and my reflection on prior art (Livewire) by VMware's Rosenblum & Garfinkel which seems as though it could be the progenitor of the upcoming technology.

The very tail-end update of that post referenced another piece of research produced by Komoku based upon similar work focused on rootkit defense. As I pointed out, Komoku was recently acquired by Microsoft.

I added those comments deliberately as a parenthetical -- almost like a bookmark -- because what I intended to do next was directly compare and contrast the technology architectures and approaches of VMware, Citrix and Microsoft as it relates to security integration.

It seems a bunch of really bright folks caught on to that because a slew of links (such as this one) followed -- driven mostly by Alessandro's (virtualization.info) post titled "Is Microsoft Working On VMsafe-like Framework".

I think that's an excellent question ;)

It's pretty clear where Citrix's CTO stands on the matter -- as flawed as I see his shortsighted market approach (note I didn't say *technical approach*) -- but Microsoft stands to gain an interesting foothold in regards to security should they play this game correctly.

I found it interesting that others are starting to recognize that the virtualization battle isn't going to be won by a shoot-out and the hypervisor-version of the OK corral. It's the effectiveness of the ecosystem and the ability for the channel to serve it up and the customers to implement it.

People are sick of sweeping up the decaying corpses of good technical solutions that suck in terms of integration, implementation, operationalization and accountable support -- especially when they have to keep paying for it. Ah the "best-in-breed" versus "good-enough" debate again?

Not to further pick on Citrix (or Xen specifically) but here's a great post from Schley Andrew Kutz from the searchservervirtualization.com blog titled "Xen: An endangered species in the virtualization ecosystem?":

While Citrix Systems' Xen's ubiquity may help the technology earn a legacy as the invisible hypervisor, it may also prove the most challenging next step for IT administrators and developers who want to find or develop software that leverages, supports or extends the Xen hypervisor.

...

While ultimately it may not prove difficult to develop cutting-edge technology compatible with the Xen hypervisor, it may prove so to market it. If you are in the business of selling virtualization add-on products, you want to ensure that your product is compatible with VMware Infrastructure, because that is where the sales are.

...

As Xen's legacy may be to become the ubiquitous, embedded hypervisor for all to use, its strength may also be its greatest detriment to Xen-based virtualization platforms. Xen's strength is its practical application as the invisible, reused, resold, embedded hypervisor, but invisibility just hasn't worked in Citrix's favor. Instead, it shields partners from building ecosystems around Xen and has marginalized the brand name.

Amen to that.

Take heed, Citrix. I maintain your CTO is blinded by what can only be described as a denial of market realities and an undying (arrogant) allegiance to what some might consider to be an architecturally superior product on some fronts, but a lacking solution on many others.

Securing the hypervisor is definitely important. However, securing both the hypervisor and the assets that sit on top of it by providing the most extensible, effective and manageable means of doing so is really what's important to customers. Sometimes, it has to be about more than where you came from. Sometimes it's about where you're going.

I'll be finishing up my post on where I think Microsoft ought to go shortly.

/Hoff

Trip Report: PH-Neutral [Zero in a bit]

Posted: 28 May 2008 03:56 PM CDT

I spent the weekend in Berlin attending a conference called PH-Neutral, run primarily by the Phenoelit crew. This was the first European security conference I’ve attended and I found it quite different from any North American security gathering I’ve been to, such as BlackHat, CanSecWest, SOURCE Boston, BlueHat, or RSA. Everything was far more casual and laid back, which is something I had heard about European conferences but hadn’t experienced until now (even EUSecWest is held in a club whereas CanSecWest is in a Marriott).

PH-Neutral Bridge

The event was held at Die Insel, on a tiny island a few kilometers outside of Berlin’s city center, near Treptower Park. The venue is mostly used for live music so basically it feels like a dark, somewhat dingy club (certainly the bathrooms are reminiscent of a club). The presentations were on the 3rd floor in a room that probably held about 60 people in close quarters; to handle overflow, a closed-circuit feed was being simulcast on the 4th floor, which was a bit less crowded and, more importantly, opened out onto a rooftop deck which meant better ventilation. The bottom floor led out to a Biergarten with tables, beach chairs, and a stage which was used for DJing. The layout was actually pretty efficient for allowing around 200 people to mill about and socialize/network while not having to stray too far from where the talks were presented.

Bridge to Die Insel

As far as the event itself, when I said “laid back” earlier, don’t interpret that to mean disorganized or watered down in any way. It was run with stereotypical German efficiency, from badging to presentations to the after-hours parties. The presentations were just as technical and relevant as any of the more “corporate” conferences. Unfortunately for me, I don’t know that many people in European security circles, and most of the ones I do know weren’t in attendance. Those I did meet, however, were impressively smart and well-versed. Nobody was trying to conduct business transactions or slip away for meetings, which is inevitably what happens when only technical folks are present!

PH-Neutral Registration

For me, a few talks stood out. Fukami and BeF’s talk on SWF and the Malware Tragedy discussed methods for automated static detection of malware in Flash movies. Much of it centered on heuristics related to inconsistencies in the file format or tag structure, abnormal concentrations of strings in the constant pool, or the existence of various obfuscation techniques. Ultimately, there are false positive issues to be addressed but that is just a fact of life with static analysis, and it will be an iterative process to refine those heuristics as the attack vectors evolve. I thought this talk was particularly timely given the increasing prevalence of Flash as a conduit for exploits/malware, such as the most recent Flash 0day that made the news (granted, this was an exploit against Flash itself, not just using Flash as a delivery mechanism, but close enough).
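As an added example, not the speakers' tool or any code from the talk, here is a small Python structural consistency check of the kind the "inconsistencies in the file format or tag structure" heuristic relies on: it walks the SWF header and tag list and reports a declared length that disagrees with the actual size, a tag that claims more bytes than remain in the file, and a missing End tag. The sample SWF bytes are constructed inline for the example; the constant-pool string heuristic is not covered.

```python
import struct
import zlib


def _rect_size(data: bytes, off: int) -> int:
    # RECT: 5-bit Nbits, then four fields of Nbits bits each, padded to a byte boundary
    nbits = data[off] >> 3
    return (5 + 4 * nbits + 7) // 8


def parse_swf(data: bytes):
    """Walk header and tag list; return (header, tags, findings). Findings are strings."""
    findings = []
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        return None, [], ["not a SWF: missing/unknown signature"]
    header = {"signature": data[:3].decode(), "version": data[3],
              "declared_len": struct.unpack_from("<I", data, 4)[0]}
    body = data
    if header["signature"] == "CWS":            # everything after the 8-byte header is zlib-compressed
        try:
            body = data[:8] + zlib.decompress(data[8:])
        except zlib.error as e:
            return header, [], [f"zlib decompression failed: {e}"]
    if header["declared_len"] != len(body):     # declared length is the uncompressed size
        findings.append(f"declared length {header['declared_len']} != actual {len(body)}")
    if len(body) < 9:
        return header, [], findings + ["truncated header"]
    off = 8 + _rect_size(body, 8) + 4           # skip frame RECT, frame rate (u16), frame count (u16)
    tags, saw_end = [], False
    while off + 2 <= len(body):
        tag_off = off
        code_and_len = struct.unpack_from("<H", body, off)[0]
        code, length = code_and_len >> 6, code_and_len & 0x3F
        off += 2
        if length == 0x3F:                      # long form: a u32 length follows the header
            if off + 4 > len(body):
                findings.append(f"truncated long tag header at offset {tag_off}")
                break
            length = struct.unpack_from("<I", body, off)[0]
            off += 4
        if off + length > len(body):
            findings.append(f"tag {code} at offset {tag_off} claims {length} bytes beyond end of file")
            break
        tags.append((code, length, off))
        off += length
        if code == 0:                           # End tag
            saw_end = True
            break
    if not saw_end:
        findings.append("no End tag (code 0) before end of file")
    elif off != len(body):
        findings.append(f"{len(body) - off} trailing bytes after End tag")
    return header, tags, findings


def build_sample(declared_len=None, include_end=True) -> bytes:
    """Constructed minimal SWF (not a real file): SetBackgroundColor, ShowFrame, End."""
    rect = bytes([0x78, 0x00, 0x05, 0x5F, 0x00, 0x00, 0x0F, 0xA0, 0x00])  # 9-byte RECT, Nbits=15
    frame_rate, frame_count = b"\x00\x18", b"\x01\x00"
    bg = struct.pack("<H", (9 << 6) | 3) + b"\xff\xff\xff"   # tag code 9, 3-byte RGB body
    show = struct.pack("<H", (1 << 6) | 0)                    # tag code 1, empty body
    end = struct.pack("<H", 0) if include_end else b""        # tag code 0
    body = rect + frame_rate + frame_count + bg + show + end
    total = 8 + len(body)
    length = total if declared_len is None else declared_len
    return b"FWS" + bytes([8]) + struct.pack("<I", length) + body


if __name__ == "__main__":
    for label, sample in (("good", build_sample()), ("bad length", build_sample(declared_len=999)),
                          ("no End tag", build_sample(include_end=False)), ("cut off", build_sample()[:24])):
        header, tags, findings = parse_swf(sample)
        print(label, [c for c, _, _ in tags], findings)
```

A file that trips any of these checks is not necessarily malicious, which is the false-positive problem the talk acknowledged; the value is that legitimate authoring tools almost never emit such files, so a hit is a cheap reason to look closer.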

I also enjoyed pierre’s talk on counterintelligence, basically a mélange of wiretapping and other bugging devices discovered in the wild. War stories are always interesting, particularly when it comes to the realm of physical security. One of the x-ray images he showed of a bugged pen was identical to a pen that I own (minus the bugging device of course… I hope). The feel of the talk reminded me a bit of James Atkinson’s talk at SOURCE, “Telephone Defenses Against the Dark Arts” (video: Part 1 and Part 2), which also got rave reviews.

Mike Eddington’s presentation on the Peach 2 fuzzing framework was also quite interesting. Peach 2 was released several months back but I haven’t really been paying much attention to it or any other fuzzing tool for some time. In fact the last time I really had to implement a protocol fuzzer, I was using SPIKE 2.9, so that gives you some indication of how long it’s been. Peach 2 includes some powerful built-in capabilities such as node relationships (e.g. field 1 represents the length of field 2; field 10 is a CRC-32 of fields 1 through 9), data transforms (those with battle scars from ASN.1 will be happy), state machines (packets 1 and 2 have to be normal in order to fuzz packet 3), monitoring agents (detecting when a crash happens and under what conditions), and much more. I am itching to go fuzz something now just so I can tinker with Peach.
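As an added example, not Peach's own code nor anything from the talk, the following Python models the two kinds of field relationship the paragraph mentions over a constructed toy frame format (a length field covering the payload, and a CRC-32 over all preceding fields) and shows why a fuzzer has to fix them up: mutated frames that keep stale dependent fields never get past the parser's CRC check, so the deeper parsing logic is never exercised. run_campaign also plays the monitoring-agent role, separating expected rejections from unexpected exceptions and keeping the frame that caused each one.

```python
import random
import struct
import zlib

# Constructed toy frame format (an assumption for this example, not a real protocol):
#   type (u8) | length (u16 BE, = len(payload)) | payload | crc32 (u32 BE over everything before it)
# "length" and "crc32" are the dependent fields a relationship-aware model must recompute.


def encode(msg_type: int, payload: bytes) -> bytes:
    """Build a frame with both relationships satisfied (the fixups)."""
    head = struct.pack(">BH", msg_type, len(payload)) + payload
    return head + struct.pack(">I", zlib.crc32(head) & 0xFFFFFFFF)


def decode(frame: bytes):
    """The parser under test: rejects frames whose CRC or length field is wrong."""
    if len(frame) < 7:
        raise ValueError("short frame")
    body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        raise ValueError("bad crc")
    msg_type, length = struct.unpack(">BH", body[:3])
    payload = body[3:]
    if length != len(payload):
        raise ValueError("length mismatch")
    return msg_type, payload


def mutate_payload(payload: bytes, rng: random.Random) -> bytes:
    """One mutation of the payload only: flip a byte, append junk, or truncate."""
    choice = rng.randrange(3)
    if choice == 0 and payload:
        i = rng.randrange(len(payload))
        return payload[:i] + bytes([payload[i] ^ 0xFF]) + payload[i + 1:]
    if choice == 1:
        return payload + bytes(rng.randrange(256) for _ in range(rng.randrange(1, 64)))
    return payload[: len(payload) // 2]


def run_campaign(seed_payload: bytes, n: int, rng_seed: int, fixups: bool) -> dict:
    """Generate n mutated frames, feed them to decode(), and act as the monitoring agent."""
    rng = random.Random(rng_seed)
    stale = encode(1, seed_payload)                 # the original, self-consistent frame
    stats = {"accepted": 0, "rejected_crc": 0, "rejected_other": 0, "crashes": []}
    for _ in range(n):
        p = mutate_payload(seed_payload, rng)
        if fixups:
            frame = encode(1, p)                    # length and CRC recomputed for the new payload
        else:
            frame = stale[:3] + p + stale[-4:]      # stale length and CRC carried over unchanged
        try:
            decode(frame)
            stats["accepted"] += 1
        except ValueError as e:                     # expected, handled rejections
            key = "rejected_crc" if "crc" in str(e) else "rejected_other"
            stats[key] += 1
        except Exception as e:                      # anything else is a bug: keep the trigger
            stats["crashes"].append((repr(e), frame))
    return stats


if __name__ == "__main__":
    for fix in (False, True):
        print("fixups" if fix else "no fixups", run_campaign(b"hello, fuzzer", 50, 1234, fix))
```

The deterministic seed makes a campaign reproducible, which matters once the monitor reports a crash: the same seed regenerates the same frame sequence so the failing case can be replayed against the parser in a debugger.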

All in all, it was a good trip and I enjoyed the opportunity to see how things are done across the pond, and to do a little sightseeing in a historic and beautiful city.

When To Layer Encryption [securosis.com]

Posted: 28 May 2008 03:39 PM CDT

Sorry for the general lack of updates the past few days, but I managed to get sick while down in Mexico for a friend’s wedding. No, not that kind of sick, just some flu I picked up from one of the many children running around. Aside from setting me back at work, it makes me a bit sad since my copy of Wii Fit showed up while we were gone and I’ve been too out of it to start my Nintendo-inspired workout regimen. Yeah, I’m just that geeky.

Enough of my personal life, let’s talk encryption.

I used to joke about the client who once told me their management mandated “double encryption” on all financial information after a breach. In their case, they were encrypting their database and backup tapes. Not that there isn’t a valid reason to encrypt databases and backup tapes, but the way they were implementing provided no additional security. Once those card numbers were encrypted in the DB, re-encrypting at the tape level added no value (this wasn’t a case where they were encrypting the tapes to protect information not already encrypted).

But if we go back to the Three Laws of Encryption, there are circumstances where you might consider multiple layers. The most common case is encrypting for media protection, and simultaneously for separation of duties.

Full disk encryption is your best bet to protect yourself from information loss due to a lost or stolen laptop, but there are situations where FDE is not enough. It doesn’t protect content from multiple users on a system- say the sensitive financials on the CFO’s laptop from the lowly system administrator; nor does it protect content as it moves- say to a USB drive. File level encryption allows more granular control and protection in a wider range of circumstances. But since users are unreliable, and there are places (like virtual memory) where sensitive data can hide, file encryption doesn’t obviate the need for FDE (or an FDE equivalent).

Thus file encryption is complementary to full drive encryption; each solves a different part of the data protection puzzle. With file encryption you can protect content as you move it off the laptop, protect it from other users (especially administrative users) on the same system, and encrypt data that’s shared across a team using group keys.

Long term, file encryption will become more interesting as it combines with DLP. We are starting to see products that encrypt files based on their content, managed by central policies. Have something with a credit card number in it? It’s automatically encrypted using a corporate key. While FDE doesn’t need to pick and choose what to protect, over the long term file encryption (and DRM) will need to use content and context awareness to reduce the burden on users, comply with corporate policies, and improve the practicality of encryption.
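As an added example (not the author's code or any product's), here is a Python sketch of the content-aware file encryption policy the post describes: a file is scanned for card-number-like digit runs, each candidate is validated with the Luhn check to keep false positives down, and only files that match are encrypted under a corporate key selected by policy. The keyring, policy table and sample documents are constructed for the example; the cipher is a SHA-256 counter-mode keystream with an HMAC tag, a stand-in so the example runs on the standard library alone, where a real deployment would use AES-GCM from a vetted library.

```python
import hashlib
import hmac
import os
import re
import struct

# Constructed demo keyring (assumption for this example): key id -> 32-byte key.
KEYRING = {"corp-finance-key": hashlib.sha256(b"demo key material, not a real secret").digest()}

# Classification -> key id; None means the file stays in the clear.
POLICY = {"confidential-financial": "corp-finance-key", "internal": None}

# 13-16 digits, optional single space or dash between digits, not part of a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(text: str) -> str:
    return "confidential-financial" if find_card_numbers(text) else "internal"


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 in counter mode. Demonstration stand-in only; use AES-GCM from a vetted library."""
    blocks = [hashlib.sha256(key + nonce + struct.pack(">Q", c)).digest() for c in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def encrypt(key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    nonce = nonce if nonce is not None else os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()     # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def protect(content: bytes):
    """Apply the policy to one file's bytes: (classification, key id or None, bytes to store)."""
    cls = classify(content.decode("utf-8", errors="replace"))
    key_id = POLICY[cls]
    if key_id is None:
        return cls, None, content
    return cls, key_id, encrypt(KEYRING[key_id], content)


if __name__ == "__main__":
    for doc in (b"Invoice 42: paid with card 4111 1111 1111 1111, exp 12/09",
                b"Meeting notes: ticket 4111111111111112 closed"):
        cls, key_id, stored = protect(doc)
        print(cls, key_id, len(stored))
```

The second sample document carries a 16-digit run that fails the Luhn check, so it is left in the clear; that is the kind of context awareness the post argues file encryption needs in order not to bury users under prompts for every number-heavy document.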

A Virtual Advantage [360 Security]

Posted: 28 May 2008 01:24 PM CDT

First, the article.

Second, the salient quote so that you don't really have to read said article:

"If you are getting any benefit from Microsoft's software, you need to have a license, whether that benefit is for physical machines or virtual machines," Voce said in a session titled "Microsoft Licensing in a Virtual World." "You cannot engineer your way around licensing requirements. You can't use the technology as a way to cut corners around licensing."

The question I find myself asking is whether virtualization diminishes the perceived value of the operating system. As I deploy more virtual servers to do more specialized tasks, along with the very useful MTTR benefits of full VM snapshots, the relative value of the OS in that asset decreases. In fact, if I could have a purpose-built OS that's completely built around executing the application function I require, wouldn't that be far better than loading up a full, bloated operating environment? In this equation, the value of that virtual appliance model far outweighs the value of the separate OS+Application model of the past. In fact, you might even be willing to pay more for the cost of ownership benefits of the virtual appliance (more for less, so to speak).

That's all well and good to think about, but what's the security angle (I hear you saying)? Well, ubiquity breeds risk. A larger pool of targets is more attractive. 100,000 Windows based VMs is just as attractive a target as 100,000 physical servers. Purpose-built virtual appliances, however, would increase the diversity of the target population. Further, they're purpose built and therefore less complex, and we all know that increased complexity results in more bugs (aka vulnerabilities). What I'm suggesting here, I suppose, is that the open-source community should figure this out before Microsoft, because right now there's a clear financial advantage to using a free (as in beer) OS for your multitude of virtual images.

Apple posts Mac OS X 10.5.3 Update [Random Thoughts from Joel's World]

Posted: 28 May 2008 01:12 PM CDT

Apple has released the 10.5.3 update for Mac OS X Leopard. I'll install it and let you know my feedback; however, in the meantime, here is a list of issues that have been fixed.

  • General

Fixes a font issue that could result in Helvetica Narrow being used in applications instead of Helvetica.
Addresses an issue with stuttering video and audio playback in certain USB devices.
Resolves stability issues with Word of the Day, iTunes Artwork, and Slideshow screen savers.
Fixes an issue in which certain attached hard drives may not show up in the Finder.
Addresses an issue with .Mac syncing of Dashboard widgets over multiple Macs that use different screen resolutions.
Includes additional RAW image support for several cameras.
Improves the accuracy of the Software Update progress bar indicator.
Addresses an issue in which Finder may not be available if the computer name is blank in Sharing preferences.
Improves Active Directory binding and login.
Eliminates a delay when logging in as an Active Directory user in a .local domain.
Improves Spotlight searches on AFP file server volumes.
Clients can now change their password at the login window when bound to a Mac OS X 10.4 Open Directory server.
Improves Safari reliability when connecting to the Internet through a Microsoft ISA proxy.

  • Address Book

Addresses reliability issues when searching for contacts using built-in search.
Resolves issues with mapping addresses that contain an ampersand character (&).

  • AirPort

Improves 802.1X behavior and reliability.
Improves reliability when using Time Capsule.

  • Automator

Addresses an issue in which some actions may not work with the "Show When Run" option enabled.
Resolves an issue in which the "New iCal Event" action may not work.
Resolves an issue that prevents workflows from being saved in the Finder's contextual menu.
Fixes reliability issues for Automator scripts that search for files by date.
Addresses an issue in which Automator workflows as Finder plugins do not work when the workflow begins with the "Get Selected Finder Items" action.
Fixes an issue in which the "Copy Files" action does not reliably work when added from Automator's warning dialog.

  • iCal

Addresses potential privacy issues by allowing events to be marked as private.
Resolves an issue in which the inspector does not show capacity and availability info for conference rooms within a building.
Addresses an issue in which the current day could appear in the left-most column of the weekly view.
Addresses reliability issues with meeting alarms, invitations and attachments.
Resolves issues with reliability when restoring from iCal backups.
Fixes accuracy issues with auto-completion, availability data and location names.
Resolves an issue in which iCal may send cancellation notices for events in the past after a calendar is deleted.
Fixes reliability issues with iCal syncing.

  • iChat

Addresses reliability issues with screen sharing.
Resolves an issue in which saved chat transcripts may be reported as "still in use" after opening and closing them in iChat.
Resolves an issue with group chats not being indexed in Spotlight.
Only the last 250 messages of an active chat are saved. Fixed to save unlimited number of lines.
Addresses issues with echo cancellation that may occur on portable Macs.

  • Mail

Resolves an issue in which Mail may prevent idle sleep when set to automatically check for new messages every minute.
Addresses stability issues that may be encountered when dragging large attachments into an email message.
Fixes an issue that could occur if two compose windows are open when dragging a file to the Mail icon in the Dock.
Addresses reliability issues when changes are made to a mailbox while offline.
Resolves wrapping issues that may be found with consecutive spaces in plain text.
Fixes issues with certain web pages appearing garbled when emailed from Safari.
Fixes an issue in which the Sent, Drafts, and Outbox mailboxes incorrectly list the "cc" recipients in the "To" column.
Addresses reliability issues with attachments added to plain text notes.
Fixes reliability issues with authenticated RSS feeds.
Resolves an issue in which attaching an alias to an email message may not send the actual file.

  • Parental Controls

Addresses reliability issues with application logging and time limits.
Resolves an issue in which Parental Controls may prevent forced sleep.
Addresses performance issues with web content filters.
Fixes an issue with managed accounts in which iChat transcripts may not be created.
Addresses issues with 4-byte files and whitelist.

  • Spaces

Resolves an issue in which switching to a different space and returning back to the original space may reorder the application windows with a different active window.
Resolves an issue in which activating an application from the Dock switches to a different space, even if there is a window for that application in the current space.
Fixes an issue in which Command-Tab may incorrectly switch to a new space.
Addresses reliability issues with Spaces when syncing preferences over .Mac.

  • Time Machine

Includes fixes for Time Machine compatibility with Time Capsule.
Resolves certain issues when backing up a portable Mac that is on battery power.
Addresses compatibility issues with Aperture 2.
Addresses reliability issues when performing a full restore from a Time Machine backup.
Fixes an issue in which certain function keys may be disabled after using Time Machine.
Fixes a possible alert message that incorrectly states a backup volume does not have enough space.
Updates Time Machine to reliably restore attachments and messages in Mail.

  • VoiceOver

Includes Braille Update 1.0 which enables GW Micro, HandyTech, HIMS, Nippon, and Papenmeier Refreshable Braille displays.
Addresses an issue with Braille dot 7 and 8 underlining.
Fixes an issue in which HTML page anchors may be ignored by the VoiceOver cursor.
Fixes an issue that prevented Hot Spots from being used in text areas.
Resolves an issue with spell checking in which VoiceOver may only announce the first misspelled word if there are multiple words spelled incorrectly.


Moving, Moved, On the Move [The Falcon's View]

Posted: 28 May 2008 12:14 PM CDT

Just a quick note... we moved (locally) last weekend... quite the experience! Thank you a ton to Hanna's parents and friends Eddie, Yura, and Paul for lending a huge helping hand. Getting out of our 4th floor apartment (no elevators!)...

Women in IT - Be A Change Agent (Part One) [Mediaphyter - A Communications Cocktail]

Posted: 28 May 2008 10:29 AM CDT


I once worked at a company that had its own quarterly women’s consortium. At the start of the first meeting one of our senior male executives made the joke, “I like the odds,” in reference to the female to male attendance ratio. After about 30 minutes of rah-rah-sis-boom-bah, we were handed company-branded hair brushes and sent on our way. I was unimpressed.

I felt as if the effort was for corporate show more than for substance. There was no action. There sure as heck was irony, but there was no action. I walked away still craving the tools to truly make change and wanting to see our female leaders step up and help the rest of us be heard. It never happened. And that’s when it occurred to me that I might have to make it happen myself.

One of the organizations I've recently learned a lot about is the National Center for Women & Information Technology. Founded by Lucinda Sanders, an amazing woman, NCWIT is a different kind of women's organization in that it "encourages its members to undertake institutional change within their organizations." It has specific alliances of corporations and organizations — academic, workforce, entrepreneurial, K-12 and social sciences — that are focused on active sharing of resources and successful programs from a national community of practitioners dedicated to fostering the paths of technical women of all ages and giving them a booming voice in the industry.

I recently had a chance to speak with Lucy, as well as Brad Feld, chairman of NCWIT and founder of Foundry Group. In two separate conversations, I was able to voice my biggest concerns:

  • There aren’t enough voices; so many women in my demographic (middle management) tend to believe that organizations are only designed to mentor younger entrants into the field, and that those organizations must be led by senior executives or entrepreneurs
  • There’s a lot of “in-stereotyping;” for example, while I am somewhat technical my background is in journalism and marketing, but I’ve had women technologists diminish my role for that reason; we need to support each other regardless of our technical prowess
  • Some women's organizations do little else than communicate with each other and are not active in the industry at large — at least not in ways that can fuel widespread change. While social groups are great, my personal desire is to get outside and do more.

While I am passionate about all of these points, right now I want to focus primarily on the first one. So I ask myself and I ask my readers: Who are your female leaders? Who within your organization do you think represents how most women should be perceived? Who has the strength to make change?

Is it you?

The first time someone asked me those types of questions my reaction was, “Well, I could be one of them, but I am only a ______.” I went along believing that in order to have strong visibility within the IT community one needed to be an executive or founder. Look at all of the technology publications with award programs for women — 95 percent of them are focused on entrepreneurs or executives. In security there are several well-known female researchers who are highly technical and also set a great example, but that is also a small percentage. What about the rest of us?

I discussed this with Brad, who made a critical statement:

“The most impactful people tend to be the doers in the organization. We can’t rely solely on entrepreneurs, who may have very little time, to make change happen. Anyone with a strong voice can be a role model. It’s easier to get started when you’re a leader but real change happens when you build momentum across a much broader spectrum.”

Do you hear that, ladies? There is room for us. We “doers” who sit in our cubes or in front of our laptops for 12+ hours a day can be those change agents. But first we need to determine what we want to change.

Here’s my list:

  • More in-corporation programs for mentoring younger female entrants into the workforce, including expanded or revised internship programs that require a certain amount of hands-on tech hours
  • Technical-to-non-technical "buddy programs" where women in engineering team with women in sales or marketing to learn about the value and the intricacies of each other's jobs, thereby growing respect and improving communications
  • Incentive for women (and men, for that matter) to get involved in hero or role model programs for younger technologists; a lot of Fortune 1000 companies have these types of volunteer incentive programs, but the majority of smaller ones do not
  • Teach women in technology of all levels about the importance of getting involved in lobbying campaigns and organizations that push for education and improvement; even if it's to volunteer at a fundraiser here and there, do it. Do SOMETHING. Remember the work that was done to lay out the path before us and help to lay out a path for those who follow.

That’s about as far as I’ve gotten so far. I have the ideas and now I need to lay out the how. I need to determine how I can break these ideas down into simple action items supported by fundraising and communications efforts in order to make them happen. If I can do this with NCWIT, fantastic, but if not I will find some way to achieve my goal. This blog post represents not only part one in a series of writings, but part one in my exploration to lead from the middle and impact positive change.

What are YOU going to do?

Lack of posts [Random Thoughts from Joel's World]

Posted: 28 May 2008 09:56 AM CDT

Sorry about the recent lack of posts; my wife, daughter, mother-in-law, and I were at Disney World all last week, so I didn't have any posts while on the road. My brain is currently fried as I've read about 2000 emails in the past two days. So I'll get back into blogging here in a day or so.


Podcast Episode Five has been released! [Random Thoughts from Joel's World]

Posted: 28 May 2008 09:33 AM CDT

Morning everyone,

Just a quick note to let everyone know that we put out Podcast Episode 5 this morning. We had a special guest with us! Larry Pesce of PaulDotCom Security Weekly! The guys over at PaulDotCom do a great job, and we loved having Larry on the show! Congratulations to Paul, as he is home with a new baby!

Don't forget the Live Podcast that we are doing at SANSFIRE on July 23rd at 8pm.

iTunes users, go here to subscribe.

Non-iTunes users, go here to download.

Thanks!

Real VoIPsploits: Helping to Introduce Your Local SWAT Team [BlogInfoSec.com]

Posted: 28 May 2008 06:00 AM CDT

Voice over IP is one of the fastest growing IT product and service fields, and as such it has sown the seeds for a new security industry. And as predicted, attackers are one step ahead of us in exploiting the vulnerabilities that are easily abused in this new infrastructure. We're not going to cover sniffing your packets, as not too many people are interested in listening to your private phone calls… most of the time. The real threat comes with the integration of VoIP into the rest of the telecommunications infrastructure.

In particular, we're interested in Caller ID spoofing. This isn't new; traditional PBXs have been spoofing phone numbers for a very long time. This is evident when you get a phone call from most organizations and the number comes up as 1800 or the like. However, there are services out on the Internet that sell caller ID spoofing to anyone who is willing to pay.

So what? What's the worst that can happen? You can ask the people who were victimized by the latest mischievous pranks, often called SWATing. If you guessed that this social engineering hack involves law enforcement, you're right. Recently, a ring of phone hackers (phreakers) used services that allow you to change your caller ID over the Internet to terrorize some of their peers and total strangers. They would call the police and emergency communications centers with a spoofed caller ID, pretending to be a crazed person holding hostages. As you can imagine, the result is the local SWAT team ready to lay siege and apprehend the suspect. Fortunately, no one seems to have been hurt and most of the perpetrators were apprehended, but this is still ongoing.

What else can be done with Caller ID spoofing? Lots of businesses trust Caller ID information for their call centers and customer interaction based systems. Financial Services, Telecommunications (ironic?), Emergency Services, and many more all blindly trust Caller ID information. So, if an attacker were to call your bank or alarm system service provider, they could bypass a lot of the authentication steps that stand in the way of social engineering. A quick test is to call your service provider from a phone number they have on file, and then to call them on another number that they don't have on file. Pay attention to the questions they ask to authenticate you.

The fundamental problem is that this is a feature of the telecommunications infrastructure, not a bug. As explained previously, this is a function used by many legitimate PBXs in the world; the difference is that the barrier that previously prevented this abuse has been removed by the integration of VoIP into the legacy telecom infrastructure. An old solution, the call back, has started showing up in various call centers as an option as opposed to staying on hold.

Further Reading:

Don't Make the Call : http://www.fbi.gov/page2/feb08/swatting020408.html

Couple Swarmed by SWAT Team After 911 'Hack' : http://www.pcworld.com/article/id,138591-c,hackers/article.html

Guilty pleas from SWAT prank callers : http://www.cleburnetimesreview.com/local/local_story_348181522.html


Copyright © 2008 BlogInfoSec.com.