Tuesday, May 6, 2008

Spliced feed for Security Bloggers Network

Security Briefing: May 6th [Liquidmatrix Security Digest]

Posted: 06 May 2008 07:57 AM CDT

Have You Seen This Douchebag? [Liquidmatrix Security Digest]

Posted: 06 May 2008 07:32 AM CDT

Interpol has sent out a request for help this morning and we’re only too happy to pass the word along.

From INTERPOL:

INTERPOL is asking for the public's help in identifying a man pictured sexually abusing children in a series of images found on the Internet and retrieved from the computer of a convicted paedophile.

The man, whose name, nationality and location are unknown is featured in approximately 100 images in a series of around 800, which are believed to have been taken in Southeast Asia and depict the sexual abuse of at least three boys aged between six and 10 years old. The first pictures of the man were originally discovered by police in Norway in March 2006.

"The law enforcement community around the world has done all it can to find this man who clearly presents a danger to young children, and we are now asking the public to help identify this predator and protect other potential victims from abuse," said INTERPOL Secretary General Ronald K. Noble.

"When we made a similar appeal last year, it was information provided by the public which helped identify and locate Christopher Paul NEIL, who is now in jail facing child abuse charges. We hope that people around the world will again play a vital role in tracing this man who could otherwise continue to sexually abuse young children."

If you have ANY information on who this jackhole might be please contact your local police department who can refer to INTERPOL.

Pass it on.

Article Link

That didn't take long [StillSecure, After All These Years]

Posted: 06 May 2008 06:33 AM CDT

Over the weekend I wrote an article about what a Yahoo shareholder would do with a copy of Steve Ballmer's letter to Jerry Yang. Well, it didn't take very long for a class action lawsuit to be filed, led by two pension funds. Attorneys for the pension funds said, "The actions taken by Yahoo's CEO this past weekend confirm that the company's board of directors pursued all manner of value-destructive third-party deals to fight off Microsoft's bid". The attorneys further claim that Yang never negotiated with Microsoft in good faith.

Not everyone thinks this way about the deal though. Steven Vaughan-Nichols over at ComputerWorld thinks that business textbooks in 2025 will show that Microsoft's slow collapse was accelerated by Steve Ballmer blowing the Yahoo deal. I think he is wrong. I think business classes will look at Yang's failure to lock this deal up at such a premium over the current price as not only a blunder but a classic case of letting one's pride and ego get in the way of what is best for the shareholders. In addition to the lawsuits, look for Wall Street to now start punishing the stock as well. I stick with my prediction: Yahoo has nowhere to go but down. They will wind up getting acquired for significantly less within 24 to 36 months.

VAR does it come from? CISCO Hardware Espionage [BlogInfoSec.com]

Posted: 06 May 2008 06:00 AM CDT

When an organization looks at the threats to its infrastructure, it generally categorizes them under two main headings: internal and external. When they think about internal threats they generally consider the rogue employee the highest threat, and when they think about outsiders they think of their competition. I want to discuss another threat, a combination of the two, that is presented to all organizations by one of their trusted sources. The threat is the nation state, the trusted source is your Value Added Reseller, and the method is counterfeit hardware.

I will not get into the motives or justifications as to why a nation state would have an interest in infiltrating a Mom and Pop shop, as there is no solid information to report; it is all speculative. However, the Mom and Pop shop should be just as concerned as the US Government and large corporations are about the problem at hand. An unclassified FBI presentation, which I confirmed is legitimate, has been released and discusses the fear that China is intentionally having counterfeit Cisco hardware sold in the United States. In the presentation, the FBI discusses four cases that it investigated where this hardware was discovered, even in classified networks.

The more serious statements made in this presentation are on slide 30, where they claim about 10% of the information technology hardware that is sold globally is counterfeit and it is being sold through legitimate channels (KPMG is the cited source) for the past couple of years. In the case of Cisco, this counterfeit hardware is sold through their Cisco Gold and Silver Partners program. Other vendor vetting processes are just as flawed allowing this hardware to enter into your IT infrastructure.

Why should the Mom and Pop shops be concerned? Short of having hardware in your infrastructure that is not working as advertised, there are issues regarding warranties, support and the products lifetime (according to the FBI report, some of these counterfeit devices catch on fire). For the larger organizations, you don't know for sure that the highly secured VPN tunnel you've configured really and truly is what you just configured.

Is the problem limited to Cisco equipment? Of course not, as indicated by the report released by KPMG. Even raw components, such as memory and CPUs, are being copied for inclusion in your infrastructure's devices. So although a device really may be from the vendor who is standing behind it, the storage medium within the device may be counterfeit. Furthermore, counterfeit equipment is not just coming from China; it comes from many other countries as well.

So enough with the FUD; what can you do to protect against this growing threat? Here are a few suggestions that I have been able to glean:

  1. Pay attention to the failure rate of your equipment along with the batch numbers for it, and log these events. If there is a high rate of failure, this may be a symptom of a counterfeit device.
  2. Inspect the hardware thoroughly; any signs of defects or "sloppy construction" could be reasons to raise a flag.
  3. Make sure your VAR tests all equipment and provides a complete supply chain of the devices for your review.
  4. Join one of the many organizations that will help communicate these risks to you. You already know which ones they are, but for those who don't, here's a quick short list: InfraGard, ECTF, HTCIA, and ISSA.

More Resources:

FBI Criminal Investigation: Cisco Routers – http://www.abovetopsecret.com/forum/thread350381/pg1

KPMG Managing the Risks of Counterfeiting the Information Technology Industry – http://www.agmaglobal.org/press_events/press_docs/Counterfeit_WhitePaper_Final.pdf

Chinese Counterfeit Cisco Network Routers Targeted In North America – http://www.chinatechnews.com/2008/03/03/6443-chinese-counterfeit-cisco-network-routers-targeted-in-north-america/

Fake network gear – http://www.networkworld.com/news/2006/102306counterfeit.html

Oregon Offers Tuition Waiver [Room362.com]

Posted: 06 May 2008 01:42 AM CDT

Oregon’s State Legislature passed a law that provides a full-tuition waiver for a bachelor’s or master’s degree at an Oregon University System institution for children or spouses of service members who died on active duty, became 100 percent disabled in connection with military service, or died as a result of a disability sustained on active duty.


My home state rocks.

Military.com’s Writeup

What's with all of the new ads? Forbes business and finance blog network [StillSecure, After All These Years]

Posted: 06 May 2008 12:23 AM CDT

For those who read my blog via feed reader and not on the web site itself, you may not have noticed the new ads and member badge from the Forbes Business and Finance Blog Network. I received an invitation to join an elite list of 400 blogs handpicked by Forbes. They will syndicate content and sell advertising for the site. There are some other cool benefits that go along with the membership. I was very proud to be selected for this, but frankly was worried about too many ads. If you get a chance, check out the site and have a look. I know it means I am going commercial, but am hoping it will lead to a broader audience.

Lucky for NSM — Extracting files from TFTP packets in Wireshark [tssci security]

Posted: 05 May 2008 11:29 PM CDT

So the other day I get a call from the forensics team at work asking for help with some packet analysis. A client’s users had reported phishing activity, so they decided to run a full-content capture using Wireshark on the external and internal network interfaces. Upon doing so, they witnessed suspicious activity; commands such as cmd.exe were triggering alerts on their Snort sensors as well. Oh boy…

After the attack was contained, the client’s internal security team had reconstructed the attack and learned that the attacker had compromised a server, downloaded tools to C:\Windows\system32\, including Foundstone’s SuperScan and Sysinternal’s PsExec, and then uploaded three RAR files via TFTP.

My goal: see what was in those RAR files. Whether it was intellectual property, client information, etc., the most important task was to identify the sensitivity of the data inside. I opened the raw capture in Wireshark and identified the three TFTP streams. I thought I would right-click and select “Follow UDP Stream,” then save the raw data as a RAR file. Unfortunately, when I did this, I could not extract the contents of the archive. Looking for an alternative, Landon pointed me to tcpxtract (as detailed on Bejtlich’s blog), which at the time sounded good, but I couldn’t get it to compile under Cygwin and I wanted to get this done quickly. Oh well, with a name like tcpxtract, can it even handle UDP streams?

So, looking at the packets again (there were only about 20 per stream), I decided to do this task manually. Who knew if it would work, but I gave it a try. I manually selected each individual TFTP Data packet (not acknowledgments!) and selected the TFTP Data portion, which began at the 47th byte in the packet. I did a Ctrl-H (or select File > Export > Selected Packet Bytes) and saved as block01, block02, block03 for each packet in the stream. I then cat all the files and redirected stdout to file01.rar like so:

$ cat block* > file01.rar

I opened the RAR file and extracted the contents without a problem. I admit I was a bit excited at this point, interested to see its contents. I later spoke with Richard about this, who pointed me to a blog post from last year about TFTPgrab. Remembering this post now, I find it interesting that there was no way to rebuild files transferred through TFTP before TFTPgrab. Yet, I successfully managed to do so here.
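The same reassembly, automated, as an added example that is not part of the original post: it keeps only TFTP DATA packets (opcode 3), skips the ACKs, strips the 46 bytes of Ethernet/IPv4/UDP/TFTP headers so the payload starts at byte 47, and joins the blocks in block-number order, tolerating out-of-order and retransmitted blocks and flagging a transfer with a missing block. The frames are constructed inline; every address and port is made up.

```python
"""Reassemble files carried in TFTP DATA packets from raw Ethernet frames.

Constructed example: the sample frames, addresses and ports below are invented.
"""
import struct
from collections import defaultdict

ETH_HDR_LEN = 14
UDP_HDR_LEN = 8
TFTP_DATA = 3
TFTP_ACK = 4
TFTP_BLOCK_SIZE = 512   # default block size; a shorter DATA block ends the transfer


def parse_udp_frame(frame):
    """Parse Ethernet/IPv4/UDP and return (flow, opcode, block, payload), or None."""
    if len(frame) < ETH_HDR_LEN + 20 + UDP_HDR_LEN or frame[12:14] != b"\x08\x00":
        return None                                   # not IPv4
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                          # header length, options included
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17 or ihl < 20 or total_len > len(ip):
        return None                                   # not UDP, or truncated
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    tftp = udp[UDP_HDR_LEN:ulen]
    if len(tftp) < 4:
        return None                                   # too short for a TFTP header
    opcode, block = struct.unpack("!HH", tftp[:4])
    return (src, sport, dst, dport), opcode, block, tftp[4:]


def reassemble_tftp(frames):
    """Return {flow: (file_bytes, complete)} for every TFTP DATA flow in frames.

    Blocks are keyed by block number, so out-of-order delivery is handled and a
    retransmitted block is counted once. A flow is complete when block numbers
    run 1..N without gaps and the last block is shorter than the block size.
    (Block numbers wrap at 65535 for files over 32 MB; not handled here.)
    """
    blocks = defaultdict(dict)
    for frame in frames:
        parsed = parse_udp_frame(frame)
        if parsed is None:
            continue
        flow, opcode, block, payload = parsed
        if opcode != TFTP_DATA:
            continue                                  # ACKs, requests and errors carry no file data
        blocks[flow].setdefault(block, payload)       # keep the first copy of a duplicate
    results = {}
    for flow, bmap in blocks.items():
        nums = sorted(bmap)
        contiguous = nums == list(range(1, len(nums) + 1))
        complete = contiguous and len(bmap[nums[-1]]) < TFTP_BLOCK_SIZE
        results[flow] = (b"".join(bmap[n] for n in nums), complete)
    return results


# --- constructed sample capture (not a real trace) ---------------------------
def make_tftp_frame(src, sport, dst, dport, opcode, block, payload=b""):
    """Build a minimal Ethernet/IPv4/UDP frame around a TFTP packet (checksums zeroed)."""
    tftp = struct.pack("!HH", opcode, block) + payload
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(tftp), 0) + tftp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp


# 1100-byte fake archive: RAR signature plus filler, so it spans 512 + 512 + 76 bytes.
SAMPLE_FILE = b"Rar!\x1a\x07\x00" + bytes(range(256)) * 4 + b"\x00" * 69
UPLOAD = ("192.0.2.10", 1025, "198.51.100.5", 3456)   # compromised host -> receiving TID
chunks = [SAMPLE_FILE[i:i + TFTP_BLOCK_SIZE] for i in range(0, len(SAMPLE_FILE), TFTP_BLOCK_SIZE)]
SAMPLE_FRAMES = [
    make_tftp_frame(*UPLOAD, TFTP_DATA, 1, chunks[0]),
    make_tftp_frame(UPLOAD[2], UPLOAD[3], UPLOAD[0], UPLOAD[1], TFTP_ACK, 1),
    make_tftp_frame(*UPLOAD, TFTP_DATA, 3, chunks[2]),   # arrives before block 2
    make_tftp_frame(*UPLOAD, TFTP_DATA, 2, chunks[1]),
    make_tftp_frame(*UPLOAD, TFTP_DATA, 2, chunks[1]),   # retransmission
    make_tftp_frame(UPLOAD[2], UPLOAD[3], UPLOAD[0], UPLOAD[1], TFTP_ACK, 3),
]
# A second flow with block 2 missing, to show an incomplete transfer being flagged.
PARTIAL = ("192.0.2.10", 1026, "198.51.100.5", 3457)
SAMPLE_FRAMES += [
    make_tftp_frame(*PARTIAL, TFTP_DATA, 1, chunks[0]),
    make_tftp_frame(*PARTIAL, TFTP_DATA, 3, chunks[2]),
]

if __name__ == "__main__":
    for flow, (data, complete) in reassemble_tftp(SAMPLE_FRAMES).items():
        print(flow, len(data), "bytes", "complete" if complete else "INCOMPLETE",
              "RAR signature" if data.startswith(b"Rar!\x1a\x07\x00") else "")
```

To run it on a real capture, feed it the raw frames (for example from a pcap reader) in place of SAMPLE_FRAMES; each complete flow's bytes can then be written straight to a file.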

Anyways, here are some lessons learned. The attacker was sloppy, amateur at best. To call it amateur would be an insult to amateurs everywhere. For the client, it was sheer luck they ran a full-content capture at the moment of the intrusion and our adversary used a non-encrypted medium to transfer data. Had he encrypted his files or used an SSL tunnel, we wouldn’t have anything. Not to mention, if this is the kind of stuff that gets picked up during a random packet capture, who knows what kinds of malicious activity they have been or are currently subject to. Even more so, why are companies not doing egress filtering of traffic? TFTP should have been blocked at the firewall no ifs, ands or buts.

One last lesson. When you outsource IDS monitoring activities to an MSSP (who probably has one or two analysts per 30-35 clients like yourself), attacks against you will not be treated with the same diligence you would expect of your own staff. They just don’t care as much as you do.

Security First, Requirements Later [Liquidmatrix Security Digest]

Posted: 05 May 2008 09:15 PM CDT

I find it interesting to watch the mad rush to beef up security at the US border points without any real thought to requirements.

Sure, keep out the baddies.

But how, exactly? There is the constantly escalating method, or could there be some semblance of a plan?

From IDG Norway:

News continues to worsen for business travelers carrying sensitive information. In a troubling ruling by the Ninth U.S. Circuit Court of Appeals, U.S. Customs and Border Protection (CBP) can continue its practice of warrantless searches through computer data held by U.S. citizens and foreigners alike. With no cause or suspicion, the CBP may inspect, copy or seize data devices carried by anyone returning to the U.S. I’m not convinced that passive compliance is the best response to this situation.

The CBP put its best nonlinear thinkers to work on the case, convincing the court that the doctrine of routine border inspections to “prevent terrorists and terrorist weapons from entering [the U.S.]” can rightly be served by searches for expressive thought and personal communication. In keeping with a common pattern in which privacy rights are eroded, the CBP used a child porn suspect as a test case — in which there was probable cause and reasonable suspicion based on other factors — to justify why probable cause and reasonable suspicion would be unnecessary for the entire traveling populace.

So, by running in circles waving our hands in the air are we providing better security? Or have we played into the ne’er do wells hands?

Article Link

OK, So, Now What Yahoo? [Liquidmatrix Security Digest]

Posted: 05 May 2008 08:10 PM CDT

OK, so the date has ended. Microsoft didn’t get to second base. Yahoo was jilted for being too high maintenance and their stock dropped 15% today. So, what now for Yahoo?

From Internet News:

“With Microsoft’s withdrawal, we’ll be better able to focus our energy on growing our industry leadership and maximizing value for stockholders,” Yang said.

The problem that Yahoo (NASDAQ:YHOO) now faces is the same one it’s had since Microsoft first announced its bid, only two dollars worse: How to find an alternative to selling outright that will bring equivalent value to the $33 per share price Microsoft had offered before talks broke down over the weekend.

Yahoo has already been the target of at least seven shareholder lawsuits charging that its board breached its fiduciary duty to investors in its response to the initial bid. Now that it has walked away from a higher bid, and its stock fell 15 percent to close at $24.37 today, more shareholders will likely bring a new wave of lawsuits, according to IDC analyst Karsten Weide.

Read on.

Article Link

Suggested Blog Reading - Monday May 5th, 2008 [Andrew Hay]

Posted: 05 May 2008 07:52 PM CDT

I went and played my first round of golf yesterday… and boy am I sore. I probably won’t be posting an SBR next weekend as I’ll be busy at SANS Toronto 2008. If you’re there then please pull me aside and say hello.

Here is the list:

Virtual server sprawl highlights security concerns - This is a security risk that management really needs to be made aware of.

Think server sprawl is bad now? Just wait till you experience virtual server sprawl. When users can clone a virtual machine with the click of a mouse, or save versions of applications and operating systems for later use, you’re asking for trouble if IT doesn’t maintain tight control, virtualization management vendor Embotics warned in a session at Interop Las Vegas Tuesday. (Look through our slideshow at other products shown at Interop.)

Interpol: Olympics cyberattack not a major threat - I’m still not convinced. I think that the Olympics would be a prime political target to make a statement.

The main concern for the Olympic Games is the physical security of the visitors who are going to China and to avoid any terrorism attack. Of course, Interpol is involved in the security of the Olympic Games and we are in a close relationship with the authorities. We are going to provide access to our global databases. We will send a team which will be connected to the Interpol network. We have already trained people.

But for the time being, we are providing threat assessment for the Olympic Games and we did not detect a main threat regarding cybercrime. It would maybe be an attack on a small network regarding the tickets.

The Hunt for the Kill Switch - How scary is the thought of this?

Last September, Israeli jets bombed a suspected nuclear installation in northeastern Syria. Among the many mysteries still surrounding that strike was the failure of a Syrian radar—supposedly state-of-the-art—to warn the Syrian military of the incoming assault. It wasn’t long before military and technology bloggers concluded that this was an incident of electronic warfare—and not just any kind.

Post after post speculated that the commercial off-the-shelf microprocessors in the Syrian radar might have been purposely fabricated with a hidden "backdoor" inside. By sending a preprogrammed code to those chips, an unknown antagonist had disrupted the chips’ function and temporarily blocked the radar.

88,000 Patients at Risk After Computer Theft - Tsk, Tsk…should have protected the data better.

Staten Island University Hospital is alerting patients about a December 07 equipment theft. Thieves made off with a desktop computer and backup hard drive from an administrative office in Rosebank. This equipment contained names, Social Security numbers and health insurance numbers on 88,000 SIUH patients. According to a statement from the hospital, letters are being sent to affected individuals and the hospital is offering one year of free credit monitoring. SIUH spokesperson Arleen Ryback said that the equipment does not contain any medical records but would not comment on why it took SIUH so long to notify patients.

Radio Free Europe hit by DDoS attack - Ironic that a CIA sponsored project, started to prevent the spread of Communism during the cold war, wasn’t better prepared to deal with an attack.

Websites run by Radio Free Europe have been under a fierce cyber attack that coincided with coverage over the weekend of a rally organized by opposition to the Belarusian government.

The distributed denial of service (DDoS) attack initially targeted only the RFE’s Belarus service, which starting on Saturday was inundated with as many as 50,000 fake pings every second, according to this RFE account. On Monday, it continued to be affected. At least seven other RFE sites, for Kosovo, Azerbaijan, Tatar-Bashkir, Farda, South Slavic, Russia and Tajikistan, were also attacked but have mostly been brought back online.

UCSF Patient Information Available Online - Tsk, tsk again.

The University of California, San Francisco is alerting patients after personal patient information connected with the university was found online. In October of 2007, UCSF became aware that patient information the university had shared with Target America Inc. to help identify potential donors was available online. The information available included the names, addresses, names of departments where patients received care and in some cases patient medical record numbers and physicians providing care on 6,313 UCSF patients. UCSF took immediate action to remove public access to the data once it was aware of the incident. In addition, UCSF ended the business agreement it had with Trade America shortly after the incident was discovered. UCSF mailed notification letters to the affected patients in April. It is not known why UCSF waited so long to notify patients about the exposure.

Botnet attacks military systems - I wonder just how much spam you would have to receive before you considered it an “attack”? I get around 300-400 per day right now :)

Security researchers have discovered a complex spamming scheme that hijacks users’ PCs in order to attempt to send junk mail via university and military systems.

Researchers at Romania-based BitDefender said the scheme, based on a backdoor called Edunet, was one of the most complicated and mysterious they’ve come across.

Stepped Up Cyber Role for Spy Agencies - I suspect that this has been going on for years but the government is probably making it public as a token offering to show their “commitment to fighting the great cyber threat”.

America’s spy agencies for the first time would be tasked with gathering intelligence on threats to the nation’s computer networks under a policy set to be detailed by the White House next week, a senior administration official said Wednesday.

Speaking at a security conference in Washington, the official said the Bush administration wants to harness the intelligence community’s offensive capabilities in defense of government and civilian computer systems.

Cubans able to shop for PCs - Good for residents of Cuba. I’m glad to see that things are starting to turn around down there.

Personal computers have gone on sale to the general public in Cuba for the first time.

President Raul Castro’s government authorized the sale of computers to average Cubans more than a month ago, but they are only now arriving on store shelves.

Personal computers are the latest in a growing list of measures the younger brother of longtime leader Fidel Castro has taken to make life easier for ordinary Cubans.

China mounts cyber attacks on Indian sites - I’d be interested to see the logs and traffic to determine their capabilities and attack vectors.

China's cyber warfare army is marching on, and India is suffering silently. Over the past one and a half years, officials said, China has mounted almost daily attacks on Indian computer networks, both government and private, showing its intent and capability.

Online Fraud: Start with the "Why" [Online Identity and Trust]

Posted: 05 May 2008 05:37 PM CDT

By Yohai Einav, Senior Fraud Analyst


I have six friends that serve me true
Their names are Why and What and When
and How and Where and Who.
-- Rudyard Kipling


Why quote Kipling in an online identity blog? According to all his biographies, Kipling was never a victim of identity theft, nor did he ever write a blog.

But Kipling knew something about the 6 W's, something that we, in the security industry, often forget: starting with the "Why."


Have you noticed the phenomenon: every discussion about identity theft, security and online fraud - starts with the How and What questions:


"How do fraudsters attack banks?"
"What technologies are fraudsters using?"
"What is the damage to customers?"
"What can we do to protect ourselves?"


All good questions. But, the first thing we should ask is "why?"


"Why am I being attacked?"
"Why am I a target?"
And, of course, "why isn't my competitor a target?!"


When you think of it, all banks are good sources for money (yes, they really are!), but, for some reason, not all banks are attacked by fraudsters. As I see it, not all fraud targets are born equal: there are the preferred and the less preferred. Where do you want to be?


A good example for the "Why" is Phishing:
Phishing is a huge, worldwide phenomenon. Millions of phishing emails are sent every year and thousands of new phishing sites are created every month. But the list of entities being attacked is quite constant. And you usually see a trend of bursts of phishing attacks against a specific target.


Why?

Well, fraudsters constantly look for new hacks in banks' security, and once they find one they attack with full force (by the way, when I say "hack" I don't necessarily mean technological hack, but a "hack" in the bank's security procedures). This means that if you see your bank has a sudden increase in phishing attacks - start looking for loopholes in the bank's perimeter security.


A true story: one of the largest US banks saw a surge in phishing attacks against it a few years ago - from separate attacks here and there to hundreds of attacks a day. Why did this happen? The bank asked itself the same question, and began looking for security hacks. Finally, the bank discovered that it allowed users to change their PIN through an automated answering service using "easy to get" credentials. The bank disabled this 'feature', and the phishing surge stopped. The bank was no longer a preferred target.


Asking "how do the fraudsters conduct their attack?" or "what is the attack's origin?" misses the point. Asking the accurate "why" question can help you avoid the How's and What's. Understand why you're a target, then take the measures to make yourself a non-target.


Even Kipling knew it, and he lived in the days where dial-up connection was a dream. Imagine that.

Another new blog over at NSS Labs [tssci security]

Posted: 05 May 2008 05:32 PM CDT

Not to be outdone by Neohapsis Labs, NSS Labs also enters the fray with their blog, Security Product Testing.  Again, I think that NSS Labs (like Neohapsis Labs) has been blogging for awhile, but it has picked up more pace lately.

In the past, the TS/SCI Security blog staff were invited as guests by Martin McKeay for the Network Security Podcast. Rick Moy of NSS Labs got the opportunity to speak his mind with Martin while at the RSA Conference. Rick was additionally interviewed by the Bank Information Security Podcasts on Product Testing. Both of these might be worth a listen for the discerning security professional.

Last week, NSS Labs approved the Radware DefensePro 1020 for attack mitigation purposes.   They claim that, “The DefensePro 1020 blocked 100 percent of attacks while passing 100 percent of legitimate traffic without need for user intervention”.  I really like what NSS Labs wrote on Security Products & PCI Compliance, where they state that:

Fact: No product will make you compliant. But having an inadequate or misconfigured product can prevent you from achieving compliance.

We’re hoping to see/hear more from NSS Labs in the future!

Information-Centric Security Tip: Know Your Users and Infrastructure [securosis.com]

Posted: 05 May 2008 04:51 PM CDT

I was on a client reference today learning about someone’s DLP deployment, and it highlighted one of the biggest issues we often face when moving to an information-centric model. No, it’s not a failure of content analysis techniques, data classification, or over-hyped tools, it’s that we often don’t even know who owns what, who’s supposed to have access to what, or our own infrastructure.

I often start my data security/information-centric rants by mentioning you need to have good identity management in place, but I don’t normally spend a whole lot of time talking about the details.

The truth is, this comes up all the time when I’m talking with end users who are implementing this stuff. Often they don’t have a good directory infrastructure, or one that reflects the org chart, and thus they can’t do everything they want with their DLP, DAM, or other tools. Sometimes they don’t even know where all their assets/servers are, or how to access them for scanning.

Thus the tip: if you have a good directory infrastructure that accurately reflects your organizational structure, you’ll be in much better shape for any of these projects. Many of these tools can directly integrate with AD/LDAP, allowing you to build role-based policies.

You can’t inform someone’s manager they’re sending customer lists home or running weird DB queries if you don’t know who they work for.

Dirty secret #2 - the perimeter is dead! [Data Protection, Management and Leakage]

Posted: 05 May 2008 11:51 AM CDT

Just came across an interesting article in Network World on the dirty secrets of security vendors. While I agree with some, disagree with a few, it was #2 that caught my eye.

The author, Joshua Corman, claims, "There is no perimeter". Paraphrasing him -

Vendors say that the network perimeter must be defended, but most data that is actually lost doesn't go through the firewall. Half of all breaches are the result of either lost laptops or lost thumb drives or other removable media. Businesses need to tighten up their business processes at least as much as they need to tighten up network perimeters, he says. "If you still believe in perimeters, you may as well believe in Santa Claus," he says.

Not sure I believe in Santa Claus, but that's not the reason I agree with Mr Corman. I do believe that a data-centric or information-centric approach to security is the right one. Protecting devices, ports, networks and perimeters might become a thing of the past. Security vendors will evolve towards offering protection at the data level.

When? Now that's a completely separate discussion, though some are further along in reaching this goal than others.

Cyberwar: PRC vs. India? [The Dark Visitor]

Posted: 05 May 2008 11:14 AM CDT

Someone passed on an article on the Times of India website this morning regarding ongoing attacks from the PRC to various government and private entities in India.  From the article:

There are three main weapons in use against Indian networks — BOTS, key loggers and mapping of networks. According to sources in the government, Chinese hackers are acknowledged experts in setting up BOTS.

The article is short on technical details but is interesting anyway.  Comments (especially from Indian readers) welcome.

Article link.

Hiring Fraudsters? [Emergent Chaos]

Posted: 05 May 2008 11:00 AM CDT

PARIS — Jérôme Kerviel, the Société Générale trader who used his knowledge of the French bank’s electronic risk controls to conceal billions in unauthorized bets, has a new job — at a computer consulting firm.

Mr. Kerviel, who was given a provisional release from prison on March 18, started work last week as a trainee at Lemaire Consultants & Associates, which specializes in computer security and system development, a spokesman for the former trader, Christophe Reille, confirmed on Friday. ("After Trading Scandal, Banker Gets I.T. Job," The New York Times.)

First let me say that I'm fond of the phrase "paid his debt to society." It's out of fashion, but it used to mean that someone, after their sentence was carried out, was done. That they ought to be allowed to get on with their lives. I've publicly commented on Frank Abagnale being in this class.

Kerviel clearly understands how to get around IT controls. I expect that there's a great deal which he might be able to teach people about what's important in security design, and some about what isn't. (His ability to generalize his approach hasn't been tested yet.)

At the same time, he hasn't yet been tried for his actions. What would be the right framework for making a hiring decision like this?

Photo: REUTERS/Benoit Tessier

Interesting Bits - May 5th, 2008 [Infosec Ramblings]

Posted: 05 May 2008 09:03 AM CDT

Well, I didn’t check my feeds this weekend, so we have quite the list of interesting bits to check out today. Happy reading.

Q1 Labs’ Andrew Hay Named Industry Thought Leader for Log Management by the SANS Technology Institute

» Product Maturation and your business

Vuze, TCP RSTs, and Educated Guesswork · Security to the Core | Arbor Networks Security

IT Security: The view from here: A position of power

Don’t even bother investing in Network Admission Control | NetworkWorld.com Community

WhiteHat Luncheon | Infosec Events

React Faster, And Better, With The A B Cs | securosis.com

StillSecure, After All These Years: Stiennon says NAC is dead - I must be in heaven!

Security4all: What is Black PR? A tour of the black arts.

» “Illegal” is still illegal

IT Security: The view from here: Encryption does what?

Credit card thieves target small merchants, flawed POS systems, study finds

Robert Penz Blog » Insecurity of Virtual Appliances and some thoughts on 7-zip compression

Rational Survivability: Welcome To the Information Survivability/Sustainability/Centricity Circus…

Rational Survivability: Asset Focused, Not Auditor Focused

1 Raindrop: GRC - To Be or To Do

Rational Survivability: The Five Laws Of Virtualization - Not Immutable Any More?

JJ’s Security Uncorked - Security Uncorked - 802.1X Terminology- Port ‘Closed’

JJ’s Security Uncorked - Security Uncorked - Layered Security: Solving the Cube

Security4all: Website Security Strategies that work

JJ’s Security Uncorked - Security Uncorked - Grasping Security thru Visualization

Rory.Blog: Are we Secure yet? (Part 1)

Live Mesh - Good or Bad Idea? | GNUCITIZEN

Digital Soapbox - Security, Risk & Data Protection Blog: Airport Security: Should This Worry Me?

Airport evacuated!! Found handgrenade in luggage! | Roer.Com Information Security

Reconciliation Of You

Simple Pharming

Proposed SEC Rules Broaden Scope of InfoSec Compliance Responsibilities | BlogInfoSec.com

PortSwigger.net - web application security: Null byte attacks are alive and well

Computerworld - Do you have what it takes to be a converged CSO?

RSA president shares risk management secrets - News - SC Magazine Australia

Have a great day!

Kevin

Desperate for attendees [Network Security Blog]

Posted: 05 May 2008 08:48 AM CDT

I’ve attended my fair share of conventions, but this is a first: CTST 2008 is offering up a free night’s stay if you’ll attend their conference. Their event is next week and I’m pretty sure the offer isn’t transferable, but I find it very interesting that they feel like they need attendees badly enough that they’re willing to make this offer at all. Add this to the fact that my name showed up on the list of last year’s attendees and I think we have a convention that’s truly suffering and may not make the 2009 season.

I receive a lot of phone calls from vendors, but in general only from vendors who have access to the lists of events I’ve actually attended. This year I’m showing up on the list of people who attended CTST, despite the fact that I’ve never attended and have never been to Florida, where the event is held. It makes me wonder how much of the list of attendees is based on people who actually attended last year or if it’s based on the people who were invited. I may be a statistical outrider, but from what I know of the convention biz, I also won’t be surprised if I find out I’m not the only one.

CTST looks like a convention I’d be interested in; it’s all about payment cards and the ways in which different credit and debit cards can be secured. It’s a natural fit for just about anyone in the PCI arena. But right now I don’t have the time to attend, nor the energy to fly cross country even if I did. But listing me as an attendee for something I never showed up at is annoying, and if it happens again this year, I’m going to be more than annoyed; I might have to blog about it in a snarky, sarcastic manner.


Chinese Hackers Attack Indian Sites [Liquidmatrix Security Digest]

Posted: 05 May 2008 08:37 AM CDT

The Chinese army’s hackers continue to grab headlines.

From The Times of India:

China's cyber warfare army is marching on, and India is suffering silently. Over the past one and a half years, officials said, China has mounted almost daily attacks on Indian computer networks, both government and private, showing its intent and capability.

The sustained assault almost coincides with the history of the present political disquiet between the two countries.

According to senior government officials, these attacks are not isolated incidents of something so generic or basic as “hacking” — they are far more sophisticated and complete — and there is a method behind the madness.

Publicly, senior government officials, when questioned, take refuge under the argument that “hacking” is a routine activity and happens from many areas around the world. But privately, they acknowledge that the cyber warfare threat from China is more real than from other countries.

Now I would have chalked this up to media FUD at one point. With every passing day it appears that this is in fact more real than I thought.

Don’t get me wrong. I’m not naive enough to think that it doesn’t happen. I just thought that Bush and Co. were using China in an attempt to divert attention from their own failings as an administration.

Article Link

Security Briefing: May 5th [Liquidmatrix Security Digest]

Posted: 05 May 2008 07:24 AM CDT


Monday of my last week at work. I can see that the realization is beginning to set in with my co-workers. Well, I hope that I can share all I can before I’m off to carousel.

I’d also like to say thanks to the folks who discovered the “donate” button on the next column over to the right. We really appreciate the donations!

And now, the news…

  1. Do you have what it takes to be a converged CSO?
  2. 7 dirty secrets of the security industry
  3. With all the Web2.0 something bad will happen!
  4. Kraken bot dissected and some related tools
  5. One last thing before you leave. . .
  6. A new way to think about data encryption: two-level keys
  7. Possible Denial of Service vulnerability in Solaris
  8. Editorial: Unmasking P2P secrets on campuses
  9. RSA president shares risk management secrets


BaySec Wednesday, May 7th [NP-Incomplete]

Posted: 04 May 2008 11:50 PM CDT


BaySec is this Wednesday, May 7th at Pete's Tavern. As usual, you can find us by looking for the crowd of socially inept nerds to the left side of the bar.

Personal Data Anyone? [Liquidmatrix Security Digest]

Posted: 04 May 2008 07:51 PM CDT

Morning mail call.

I may already be a winner, check.

$10,000 from Publishers Clearing House, indeed.

Ah, tax forms…with the social security number on the label. WTF?

From Tulsa World:

Tax forms were sent out to thousands of people in Wisconsin with their Social Security numbers on the mailing labels. A vendor hired by the state of Georgia lost a computer disk with the names and Social Security numbers of 2.9 million people. A disk with similar information disappeared in Rhode Island.

While some of the biggest and most spectacular privacy breaches in recent years have happened at large corporations, state governments have also mishandled or failed to protect some of the sensitive information entrusted to them — data that identity thieves would love to get their hands on.

Yet most states don’t have statewide privacy officers in charge of safeguarding data, statewide policies on protecting sensitive material, or standing procedures for responding to breaches.

Sloooowly things improve. Yet, still not fast enough.

Article Link

New Security Tools [Infosec Events]

Posted: 04 May 2008 03:02 PM CDT

Over the last week, here are some of the new security tools released.

While there are other sites that track tools on a daily basis, these are tools that I actually use. Is this list of any use to you? Would you like to see this on a weekly basis or not at all?

Spending to Protect Assets [Emergent Chaos]

Posted: 04 May 2008 01:02 PM CDT

There's a story in the New York Times about a bike rental program in Washington DC. It's targeted at residents, not tourists, and has a subscription-based model.

Improved technology allows programs to better protect bicycles. In Washington, SmartBike subscribers who keep bicycles longer than the three-hour maximum will receive demerits and could eventually lose renting privileges. Bicycles gone for more than 48 hours will be deemed lost, with the last user charged a $200 replacement fee.

That technology comes with a price, which is one reason cities and advertisers started joining forces to offer bike-sharing. The European programs would cost cities about $4,500 per bike if sponsors did not step in, Mr. DeMaio said. "Bicycle-Sharing Program to Be First of Kind in U.S."

$4,500 is 22.5 bikes. Put another way, they could buy 2,500 bikes, rather than the 120 they're buying. That would require a lot more space if you bought them all at once, but you might just buy them as bikes are stolen. Looking at it another way, if you took the $500,000 being spent on technology, and invested it at 5%, you would make $25,000 per year, enough to completely replace the fleet annually.

This is (obviously) an incomplete analysis. But the cost of protection jumped out at me. Maybe it's typical for how people in Washington think about asset protection.

Spam is now 30. [NP-Incomplete]

Posted: 04 May 2008 01:17 AM CDT

Spam is now 30. Frankly, if spam still bothers you after all this time, buy a better filter.
