Spliced feed for Security Bloggers Network
Interesting Bits - May 1st, 2008 [Infosec Ramblings] Posted: 01 May 2008 09:57 AM CDT Happy May day all. And now for something completely different… okay, not really. Here are today’s interesting bits: Pragmatic CSO Newsletter #53 | Security Incite: Analysis on Information Security; Rational Survivability: Poetic Virtual Security; Farfromr00tin: Azureus Web UI XSS; Carnal0wnage Blog: Penetration Testing Scheduling; PortSwigger.net - web application security: Can you hit a moving target?; Coding Horror: The Great Dub-Dub-Dub Debate; Andy, ITGuy: I hack Johnny Long; Random Thoughts from Joel’s World: ISC Podcast Episode 3; spylogic.net - Winlockpwn: More then a Partytrick; Declassified NSA Document Reveals the Secret History of TEMPEST | Threat Level from Wired.com. Have a great day! Kevin
I can haz typoz? [Vitalsecurity.org - A Revolution is the Solution] Posted: 01 May 2008 09:36 AM CDT Comedy spelling galore here. You'd think with all the money they have, these malware writers could afford dictionaries...
Influencing our user community…. [Infosec Ramblings] Posted: 01 May 2008 09:20 AM CDT Mike Rothman in his latest Pragmatic CSO Newsletter (I highly recommend subscribing) has a really good post up about our responsibility to ensure that the user community understands why they should be adhering to established policies and not attempting to circumvent controls put in place to protect our organizations. I left the following comment and now am going to reuse it as a post
Kevin Riggins
Is Interop about inter-operational anymore? [StillSecure, After All These Years] Posted: 01 May 2008 05:43 AM CDT Here in Atlanta waiting for the red eye connection home to Florida and wanted to quickly jot down some reflections on Interop. The show seems to have settled in nicely at the Mandalay Bay venue. It seems the right size and not too crowded. In fact Vegas itself was not very crowded this year. I guess the economy is hurting the town. It used to be said that Vegas was recession proof. The worse the economy got, the more people gambled. But with so much of Vegas not about gambling, I guess the economy has a big effect. Anyway, back to Interop. At one time this show was called Networld+Interop. The Interop portion was very much about how different networking technologies inter-operated with each other and how you could use products from disparate vendors to run and manage your network. The labs and NOC at Interop were full of engineers from different companies having their products working together. I don't think that is what the show is about anymore. It is all about network infrastructure for sure, but the vendors care less how their products work together and more about why you want to buy them. Even the NAC vendors don't seem to be as focused on it anymore. Yes, Joel Snyder and his Interop labs NAC team do a nice job of showing how the frameworks work well, but frankly that is a small percentage of the NAC vendors. Juniper and Microsoft, Microsoft and Cisco and then a bunch of other vendors who try to show how their equipment can fit into the NAC equation. Some, like the switch vendors, are integral to the process, and some, like ArcSight, who are trying to move beyond SIM and think SSH'ing into switches is a scalable way to perform NAC enforcement, really don't fit. Most of the other NAC vendors frankly don't even give much lip service to interoperability. The same is true for many of the networking vendors as well.
What is the shiny new box from Foundry or HP ProCurve? Who has a bigger booth, whose booth is smaller than last year? How many people has this company laid off and how much runway do they have left? Who is giving away the best stuff and where is the cool party to go to tonight? These are the questions of the show. BTW, the Network World folks threw a great party at the Ghost Bar at the Palms Hotel. Anyway, Interop has become a great show, but I seriously question how much of it is about interoperability anymore. There is nothing the matter with it not being so interoperability focused, by the way; I think it is just the evolution of this show taking on a life of its own. Now if it were just not so close in time to RSA. One thing about this show versus RSA is that a lot of the attendees are buyers. End users who come looking for solutions. They have projects and budgets and want to find the best solutions for their needs. This is in contrast to adult trick or treaters and business development meetings that have become standard at many other shows. We saw a marked increase of people with NAC projects stopping by the booth this year, which is encouraging to say the least. Anyway, I have had my fill of Vegas, at least until Black Hat this summer. Will be interesting to see if the casinos are more crowded then.
Log Haiku #4 [Anton Chuvakin Blog - "Security Warrior"] Posted: 01 May 2008 01:34 AM CDT
Links for 2008-04-30 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"] Posted: 01 May 2008 12:00 AM CDT
What hardware will the "God Box" run on? [StillSecure, After All These Years] Posted: 30 Apr 2008 11:56 PM CDT The folks over at Cisco Subnet (not sure if this is still my friend Brad Reese writing this over there) had an interesting blog yesterday about an announcement we made here at Interop. We announced that we will throw our support behind Cisco's AXP. That is the blade extension to turn a Cisco ISR into a Linux app server. You may remember that I blogged on this earlier here and here in relation to an article by Don Marti on LinuxWorld. Well this announcement, as the Cisco Subnet article points out, puts our money where our mouth is on this one.
Mid-Week Spywareguide Roundup [Vitalsecurity.org - A Revolution is the Solution] Posted: 30 Apr 2008 05:16 PM CDT Haven't had one of these for a while, so here goes. * Here Phishy, Phishy and Booze & Binders: Some leet hax script kiddy applications currently in circulation. I'd throw in a picture here, but amazingly the Blogger image upload tool is broken. Again. Blogger is full of so much win and awesome, and by win and awesome, I mean crap and fail. * Locking down Facebook Chat: Nothing particularly revelatory, but a little delve into the wonderful world of Facebook Chat, or (to be more accurate) how to get rid of the damn thing if (like me) you had no clue what you were supposed to click on when confronted by hundreds of people saying HELLO LOL. Once more, no pictures. Blogger. Fail. Epic fail. * Myspace - Who is Watching the Detectives Part 3: Did Myspace ever fix their "system error" that allowed people to view exactly who had been snooping round their profile pages? Click this and find out. Ooh, the suspense. * Off-Topic Fun: Videogames are Awesome: Spurred on by my post about the Dreamcast phishing incident a few weeks ago, I decided to go deep into off-topic country and post up a bunch of my old videogame systems. Due to the magic of me using Flickr for the posted images, nothing now stops me from slapping you with pictures of things!
Bam, take that Blogger! Take that right in the tailpipe of your poorly designed and implemented image publishing system! I encourage anyone remotely interested in old game systems to post up some screenies of their collections. I had planned for people to post their links directly on Spywareguide, but it appears the comments fixing has fuxored once more. With that in mind, post your links here and when (if) the comments start working again on SPG, I'll port everything over there.
The Daily Incite - May 1, 2008 [Security Incite Rants] Posted: 30 Apr 2008 03:24 PM CDT May 1, 2008 - Volume 3, #42 Good Morning: So we'll see how it goes. I'm kind of excited by the possibility of becoming the master of my domain again. I don't expect to need to unplug very often, but it will be nice to know that I can.
Top Security News: DEFCONs just want to have fu-un.
Top Blog Postings: PCI: DOA in UK?
On Travel and Airlines [Anton Chuvakin Blog - "Security Warrior"] Posted: 30 Apr 2008 03:23 PM CDT Inspired by this, of course. So, I am sitting here in San Jose Airport even though I am supposed to be flying to Hartford, CT to speak at OWASP. Why am I sitting here? Well, 'cause the NWA plane got a flat tire (literally, I actually noticed the flat while "deplaning") and the nearest replacement tire is in San Francisco. A three hour delay -> missed connection -> missing my conference presentation (which sucks hard!) I do travel a lot (especially lately), but I am still amazed when smart people follow the logic of "weather delay + wet luggage = airline sucks." Admittedly, I had fun travel stories (here and overall here), but I never bitch about airlines. I guess I am funny that way. To top it off, I like US Airways (gasp!), which definitely makes me a weirdo among the "high-travel cognoscenti" :-) What is the reason for this "phenomenon"? Here it is: I am used to expecting A LOT from an airline and, so far, I have always gotten it. ALWAYS! Specifically, I expect "not dying at the hands of the airline that is transporting me." That means A LOT to me, it really does :-) And, so far, it has worked marvelously! So, anything else is an awesome perk! For example, I was flying United (with which I don't have any Elite status) from JFK to SFO and right after my attempt to stand by for an earlier flight failed and I was about to stick my wireless card in and do some work, the gate agent called my name. I approached the gate thinking they bumped me or took away my coveted exit row seat. On the contrary, the gate agent said "Mr Chuvakin, would you mind if we upgrade you?" - "No, not at all." So I got my comfy United p.s. business class seat and a good breakfast (as well as some sleep)... Some would say that I have "lowered my expectations", but I beg to differ: I do expect a lot.
And I get it, which is, some say, a key to [travel] happiness :-) Finally, apologies to my OWASP CT chapter audience: sorry, next time!
Snarf those CDP packets…. [Infosec Ramblings] Posted: 30 Apr 2008 02:31 PM CDT Once again I find a nifty tool via Darknet. CDPSnarf lets you passively capture CDP packets and see the yummy goodness inside. For those who don’t know, CDP stands for Cisco Discovery Protocol. It can be used to discover information about neighboring devices. For example, if I am on a Cisco router that has several interfaces and I want to know what is connected on each interface, I can execute 'show cdp neighbors detail'. This lovely command will tell me all about those neighboring devices with the following caveats:
Here is a good overview of CDP. As the saying goes, “Knowledge is power.” The more we know about the target network, the easier it is to get past the crunchy outer shell and snack on the chewy center. Kevin
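As an added example (not CDPSnarf's code and not from the original post), here is a small Python decoder for the TLV body of a CDP frame, run over a constructed sample; a network defender can point the same decoder at captured CDP frames to inventory exactly what each switch advertises (device name, management IP, port, role, platform, software) and decide on which interfaces CDP should be switched off. The frame layout, TLV codes and sample values are the example's own assumptions; the checksum is carried but not verified.

```python
import struct

# Constructed example: decode the TLVs a CDP frame carries so you can audit what
# your own switches advertise on each interface (and what a passive listener would see).
CDP_MULTICAST = bytes.fromhex("01000ccccccc")  # CDP destination MAC
SNAP_CDP = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x0C, 0x20, 0x00])  # LLC/SNAP, Cisco OUI, proto 0x2000
TLV_NAMES = {0x0001: "device_id", 0x0002: "addresses", 0x0003: "port_id",
             0x0004: "capabilities", 0x0005: "software_version", 0x0006: "platform"}
CAPABILITY_BITS = {0x01: "Router", 0x02: "Transparent Bridge", 0x04: "Source Route Bridge",
                   0x08: "Switch", 0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}


def _parse_addresses(value: bytes) -> list:
    """Addresses TLV: a count, then (proto type, proto len, proto, addr len, addr) entries."""
    count = struct.unpack("!I", value[:4])[0]
    addrs, off = [], 4
    for _ in range(count):
        ptype, plen = value[off], value[off + 1]
        proto = value[off + 2:off + 2 + plen]
        alen = struct.unpack("!H", value[off + 2 + plen:off + 4 + plen])[0]
        raw = value[off + 4 + plen:off + 4 + plen + alen]
        off += 4 + plen + alen
        # NLPID 0xCC with a 4-byte address is IPv4; anything else is kept as hex.
        is_ipv4 = ptype == 1 and proto == b"\xcc" and alen == 4
        addrs.append(".".join(map(str, raw)) if is_ipv4 else raw.hex())
    return addrs


def parse_cdp(payload: bytes) -> dict:
    """Parse a CDP payload (version, TTL, checksum, then TLVs) into a dict of fields."""
    if len(payload) < 4:
        raise ValueError("payload too short for a CDP header")
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])  # checksum not verified here
    result, offset = {"version": version, "ttl": ttl}, 4
    while offset + 4 <= len(payload):
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + 4])
        if tlv_len < 4 or offset + tlv_len > len(payload):
            raise ValueError(f"malformed TLV at offset {offset}")  # refuse truncated or zero-length TLVs
        value = payload[offset + 4:offset + tlv_len]
        name = TLV_NAMES.get(tlv_type, f"tlv_0x{tlv_type:04x}")
        if tlv_type == 0x0004 and len(value) == 4:
            bits = struct.unpack("!I", value)[0]
            result[name] = [n for b, n in CAPABILITY_BITS.items() if bits & b]
        elif tlv_type == 0x0002:
            result[name] = _parse_addresses(value)
        elif tlv_type in (0x0001, 0x0003, 0x0005, 0x0006):
            result[name] = value.decode("ascii", errors="replace")
        else:
            result[name] = value.hex()
        offset += tlv_len
    return result


def parse_cdp_frame(frame: bytes):
    """Return the parsed CDP fields of an 802.3/SNAP frame, or None if the frame is not CDP."""
    if len(frame) < 22 or frame[:6] != CDP_MULTICAST or frame[14:22] != SNAP_CDP:
        return None
    return parse_cdp(frame[22:])


def _tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", tlv_type, len(value) + 4) + value


# Constructed sample frame: a switch advertising its name, IPv4 address, port, role and platform.
_ADDR = struct.pack("!I", 1) + bytes([0x01, 0x01, 0xCC]) + struct.pack("!H", 4) + bytes([10, 0, 0, 1])
SAMPLE_PAYLOAD = (bytes([2, 180, 0, 0]) + _tlv(0x0001, b"core-sw1") + _tlv(0x0002, _ADDR)
                  + _tlv(0x0003, b"GigabitEthernet1/0/1") + _tlv(0x0004, b"\x00\x00\x00\x28")
                  + _tlv(0x0005, b"IOS 12.2 (constructed)") + _tlv(0x0006, b"cisco WS-C3750"))
SAMPLE_FRAME = (CDP_MULTICAST + bytes.fromhex("001122334455")
                + struct.pack("!H", len(SNAP_CDP) + len(SAMPLE_PAYLOAD)) + SNAP_CDP + SAMPLE_PAYLOAD)

if __name__ == "__main__":
    for field, val in parse_cdp_frame(SAMPLE_FRAME).items():
        print(f"{field:>17}: {val}")
```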
Poetic Virtual Security [Rational Survivability] Posted: 30 Apr 2008 01:48 PM CDT I was at Starbucks with my four year old. She was laying down the Dr. Seuss I swear to $deity that upon hearing this she rolled her eyes and said something like "Dad, you had me at 'virtualization.' " At that point she quickly pointed to my iPhone and asked if I would purchase the latest Hannah Montana song on iTunes...<sigh> You can see more of my poetic ramblings here (scroll down after the jump.) When debating the future of secure virtualization
Can an admin whose mad skillz focus on the OS,
Our current security solutions don't cope
Get a grip on the basics and work up from there That's it boys and girls till I rhyme once again
[Chinese] Measurement and Assessment Metrics for Network Information Security (cont.) [Telecom,Security & P2P] Posted: 30 Apr 2008 09:36 AM CDT Continuing to organize some thoughts on a security assessment metrics system, together with everyone's feedback. # What is the significance and value of a security assessment metrics system? First, it reflects the organization's current security protection and operational status from various perspectives, giving management feedback at the strategic and tactical levels as well as trend analysis. # Points to keep in mind when designing a security metrics system, which are also the characteristics of a good metrics system:
Some of the metrics will become KPIs, i.e. key performance indicators. These usually come in two types: one that is already achievable now but must be continuously maintained, for example equipment utilization; the other is achieved through effort within a set period, for example the current number of high-risk vulnerabilities is 10 per hundred devices and the target is to reduce it to 1 per hundred devices. # Considerations when establishing security assessment metrics. First: metric type, description, and the reason for establishing it. Heh, the things above don't seem to be tied to security yet; they are basically fairly generic. Next up should be the security metrics system itself. Everyone is warmly welcome to share their own experience and views!
Posted: 30 Apr 2008 09:25 AM CDT The big news at Interop yesterday was the new IF-MAP specification and standard announced by the Trusted Computing Group/TNC group. Some may call it TCG NAC 2.0 but it actually goes way beyond just NAC. IF-MAP represents a method that allows disparate security technologies to talk to each other and leverage the information gathered from multiple sources to make better and more secure decisions about network devices, users and traffic. It has huge implications for not only NAC, but IDS/IPS, vulnerability management, SIMs, etc. Also, it represents a real opportunity for the TCG/TNC to move out beyond the shadow of NAP and really become a dominant standard for the network and security industry to rally around.
It's a trade show in Vegas, you know the booth babes are out [StillSecure, After All These Years] Posted: 30 Apr 2008 09:23 AM CDT I know it is Vegas, but overall the booth babes were not out in force at Interop. The biggest offender was Blue Cat Networks, who once again had a frat boy set up with girls dressed in very skimpy skirts and leggings inviting giddy geeks in to play some virtual golf. Of course this follows past years where Blue Cat had girls dressed in skin tight jump suits putting you in flight simulators. Of course the girls scanned your information while they strapped you in. This sort of exploitive behavior from Blue Cat has become expected. I don't know, if I were a woman, if I would want to work at that company. For the most part, the booth babes are employed by companies looking to put fannies in seats at presentations. These women are usually good looking but not dressed too crazy and try to get you to sit down, listen to a presentation and maybe win a prize. I don't have a problem with this, depending on how they are dressed. In the you-never-know category though is my experience with this potential booth babe from D-Link. A quick look at the picture to the right would indicate, yes, a booth babe for sure. However, I had a chance to speak with this young lady and was surprised to find out that she was an expert on 802.1x. She knew all of the potential RADIUS attributes supported by every single Cisco switch. She also was able to set up the DHCP server on the D-Link routers and, to top it off, explained to me exactly how D-Link was using the data stored in a MAP server to provide greater security utilizing the new TCG IF-MAP standard. Of course you believe all this, right, and know she was not just a booth babe. What do you think?
Interesting Bits - April 30th, 2008 [Infosec Ramblings] Posted: 30 Apr 2008 09:06 AM CDT Howdy everybody. Once again we have some really good stuff that has been put out on the Intarweb in the last 24 hours or so. So here we go: Pricing Consulting Services > davidmaister.com > Passion, People and Principles; CERT on Securing your web browser | tssci security; An update on Protocol hopping covert channels | tssci security; IT Security: The view from here: nihaorr1 attack explained; Up or Out: Solving the IT Turnover Crisis - The Daily WTF; Best Practices For DLP Content Discovery: Part 4 | securosis.com; Best Practices for DLP Content Discovery: Part 5 | securosis.com; Security Thoughts: Because Hackers Don’t Care… (Why Metrics Don’t Work); Matasano Chargen » Retsaot is Toaster, Reversed: Quick 'n Dirty Firmware Reversing; Security Is Simple: Only Use Perfect Software: UAC: Desert Topping, or Floor Wax?; Rational Survivability: All Your Virtualized PCI Compliance Are Belong To Us…; Wireless modem considerations - Malta Info Security; Thoughts of a Technocrat: Humor: CIA Coffee Mug. There ya go. Have fun and have a great day! Kevin
Pragmatic CSO Newsletter #53 [Security Incite Rants] Posted: 30 Apr 2008 07:58 AM CDT April 30, 2008 - #53 Mike's Pep Talk: A lot of security folks like to think of the daily battle as a good vs. evil type of thing. You know, the bad guys are evil (and wear black hats) and we - the security professionals - are the good guys. We wear white hats and ride on a fine stallion called Silver. Let's get one thing straight. You are not the Lone Ranger. This is not about good and evil. This is about dealing with the lesser of two evils. The reality is that your environment will be compromised, and you have been entrusted by your organization to stop it. In a nutshell, you are in a lose-lose situation. We all are. That is the cold harsh reality of practicing security. Whether it's physical security, cyber-security, or any other type of security - ultimately this is not a game we play to "win." It's a game we play to survive. At least then I know I'll have a job, since DQ is owned by Berkshire Hathaway and they aren't going anywhere. Every time I start to feel this way, I need to purge a bit. I need to rant and I need to get it out of my system. Here's the deal: Our customers don't know who is good and who is evil. They can't tell the difference. If they are intentionally going around our controls, then WE ARE SCREWING UP. We are at a fork in the proverbial road, and we need to figure out how to get more relevant and work better within the context of our business. It's as simple as that. I understand that little things like PCI and SarBox make a certain set of controls totally necessary, but ultimately we have to start thinking a bit more like risk managers and not draconian control freaks. We have to start understanding where the breakpoints are in our organizations. How tightly can you really lock something down, before the natives start getting restless? Do you know the answer to that question? Do your corporate policies reflect that reality? 
If not, then you have a lot of Pragmatic work ahead of you. If the employees can't tell whether you wear a black or a white hat, then you better start looking for a more palatable middle ground. Photo credit: Buggs. Thinking out loud: A new type of IR practice. Sometimes I have random thoughts, and although I tend to vet many of these ideas with my trusted circle of contacts, I want to bounce some ideas around in a more public forum. Thus a new section here called "Thinking out loud." I'll just throw something out there, and it would be great to hear whether you think I'm nuts (or not). Based on my rant above about employees not knowing who the good guys are anymore, let me suggest perhaps a different way to "educate" our trusty employees. The reality is most employees will do the right thing, if they understand what is right and what is wrong. They go around security controls and flout policies, not because they are bad people (although statistically some will be), but rather because they don't really understand what is so wrong about what they are doing. So I suggest we show them, in a way they haven't seen before. You should have a defined incident response plan (discussed in Step 8 of the P-CSO) and you should be practicing it frequently. Or at least practicing sometimes. Most of that practice is for you and your team, to make sure the security (and risk and ops, etc.) team will respond appropriately when the brown stuff hits the fan. What if we brought a few more folks into the "practice?" What if you staged a "data breach" within your organization, and played it out? What if you sent out a note to all of your employees talking about how your private data was breached, where the data handling errors were, and that some employees have been terminated due to those actions. Then you take the opportunity to remind them of the policies. Of course, the breach didn't really happen. It would be staged.
But that would seem to me to be a very powerful means to get the point across to the employees about WHY they need to follow the policies. The odds are long that this kind of thing would work, but something tells me this idea may have some legs. Let me know in the comments section about my "thinking out loud."
Hannaford Recap - the Big Questions and Impacts [Compliance Focus - Blogs] Posted: 29 Apr 2008 11:00 PM CDT I was out on vacation (and then at RSA) when much of the interesting detail about the Hannaford breach emerged. Security professionals and probably the general public are growing a little desensitized to security breach news, particularly of the type “company XYZ lost a laptop, and NN,NNN individuals' NPI is now at risk”. This stuff is so commonplace that it gets tuned out. I guess it means that the markets for endpoint security technologies, full disk encryption, etc. will be robust for a long time, but beyond this, not much of a big deal. Then there are the big, cataclysmic security events like TJX, Societe Generale, or Hannaford. With highly impactful security breaches like Hannaford, it sometimes takes a while to understand not only the “how-what-where-when-why” detail aspects of the breach, but more importantly the likely future impacts. The future impacts and likely consequences as a result of the Hannaford breach can be expected to be significant. Consequences to Hannaford will no doubt include fines and a lengthy mandated security program (with external security audit and review) from the FTC. In terms of PCI compliance, it isn’t entirely clear if penalties can be imposed by the credit card payment chain. After all, Hannaford claimed PCI compliance. The bigger long-term impacts will likely be to the future of the PCI standard: once the attack vector and vulnerabilities, whether technical or administrative, are better understood, the PCI standard will have to ratchet up the controls specified so as to prevent these attacks in the future. To the general IT world, this latest big breach adds more fuel to the fire for a US national law on consumer data privacy. This was a sophisticated attack that should rightfully scare the heck out of IT security execs in all sectors and industries. It is also a reminder that compliance does not equal security.
High School IT-Adventures Cyber Defense Competition [Infosec Ramblings] Posted: 29 Apr 2008 08:11 PM CDT A few weeks ago I wrote about participating in Cyber Defense Competitions as a Red Team member. This weekend I had the opportunity to do so again. This time with a bunch of High School students. This weekend was the annual IT Olympics event that is put on by Iowa State. The event is an opportunity for the High School students who participate in the IT-Adventures program to get together and compete. There are three competitions:
While the robotics and game design competitions were very interesting, I was there for the CDC. The Red Team didn’t actually get to start attacking until Saturday morning, so I volunteered to show up on Friday and help the students with anything they might need during the setup period. These kids are amazing. Twenty-fourish teams showed up and we had about 20 Red Team members. In my previous post I mentioned three ways in which you can provide value to the students when participating in this type of event:
I am happy to say that we accomplished all three goals. Probably the best decision made was to set up a Wiki with pages for each team where we could all keep notes as the contest progressed. These notes then became the outline for our talks with the teams in the debrief. If you have never had the opportunity to work with kids that are interested in IT, I highly recommend you find a way to do so. It is truly a rewarding experience. Kevin
Have You Noticed Less Spam? [The IT Security Guy] Posted: 29 Apr 2008 07:53 PM CDT Call me crazy, but I sure have. There has been a lot less spam in my e-mail inbox over the last few months. Could it be the crushing of the Storm botnet? It's hard to say. Microsoft took credit for deep-sixing the infamous botnet, though, as usual with any Microsoft claim, there's a lot of controversy around it. In any case, Microsoft does have an interesting botnet hunting tool worth taking a peek at.
Managed (Security) Services: Still the Underdog [Alert Logic] Posted: 29 Apr 2008 06:41 PM CDT This week, I've seen a few really interesting articles about IT spending that almost contradict themselves. An eWeek Channel email newsletter I received had links to two interesting articles (one placed directly on top of the other), "IT Distributors Say Economy is Hurting" and "MSP Sales Getting Easier", which made me laugh, given the placement [...]
Interesting Bits - April 29th, 2008 [Infosec Ramblings] Posted: 29 Apr 2008 09:25 AM CDT Good morning. Another busy day in the blogosphere. We have another good batch of interesting missives today. Risk and Understanding All the Variables « Neohapsis Labs; spylogic.net - New versions of fgdump and pwdump released; Risk Management and Car Talk | securosis.com; iPhone Security Tip: Never Memorize Wireless Networks | securosis.com; Robert Penz Blog » Plausibility checks; Gin, Television, and Social Surplus - Here Comes Everybody; P2P Security Study Released - Realtime IT Compliance; TippingPoint | DVLabs | Owning Kraken Zombies, a Detailed Dissection; Napera Networks » 1st Pacific Rim Regional Collegiate Cyber Defense Competition; Hack in the Box: Dubai | Infosec Events; Black Hat Europe 2008 | Infosec Events; Random Thoughts from Joel’s World: Focus; PDF, Let Me Count the Ways… « Didier Stevens; Security Thoughts: Security Catalyst Forums; Service Level Automation in the Datacenter: Yahoo goes Social with PaaS Offering; Don’t Read Books — But You Should; Intentional Security Blindness | BlogInfoSec.com. Yup, a bunch of stuff. Happy reading and have a great day! Kevin
Digital Forensic Evidence Collector [Matt Flynn's Identity Management Blog] Posted: 29 Apr 2008 09:07 AM CDT I want to get me one of these. Microsoft provides law enforcement with a digital forensic evidence collector in the form of a USB thumb drive. And it's free. Maybe I'm out of touch, but I haven't heard of this before. Pretty cool.