Saturday, May 10, 2008

Spliced feed for Security Bloggers Network


Sending in the big boys [ - A Revolution is the Solution]

Posted: 10 May 2008 06:49 AM CDT

7) However: I am a moron and will provide you with these tools anyway.

The above is from the website of the guy distributing a whole bunch of fake IM applications.

Question: What happens when you send the companies being imitated the name, address and phone number of the boob pushing these fake programs?


Hahaha etc

Transitive property. [varie // eventuali // sicurezza informatica]

Posted: 10 May 2008 04:11 AM CDT

I was reading these two articles, evidently based on the same PC Tools study.
Information Week's headline:
Windows Vista More Vulnerable To Malware Than Windows 2000

ComputerWorld, instead:
Windows Vista more secure than XP, says security company

So we could say that Windows 2000 is more secure than Windows XP.

Then consider that in a recent competition a Mac was "cracked" before Vista and Ubuntu, so, still generalizing crudely, Windows 2000 is more secure than Mac OS X. And I could surely find evidence to rank Ubuntu as well. But since this is all generalization, someone could tell me that Ubuntu is more/less secure than Debian, or how nice Windows NT 4 was, or et cetera et cetera.

I believe the most secure operating system is the one you know best.

In my hands, for example, a Mac would be a colander, a Linux box a little less than a colander, while with Windows, which I pride myself on knowing well, I have never had problems.

More generally, the better you know something, the more secure it becomes.

San Francisco Bay Area Security Community [Infosec Events]

Posted: 09 May 2008 09:27 PM CDT

Because I maintain the information security events calendar, I often get asked about local information security events. If I were to add all the local events that I know about, it would fill the calendar with a ton of entries, many of them not applicable to the users. I might start another calendar only for San Francisco / Bay Area events, but for now, identifying the resources available is good enough.

So for those information security professionals in (or visiting) the San Francisco Bay Area, here is a list of security groups:

  • OWASP Bay Area - The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. Everyone is free to participate in OWASP and all of our materials are available under an open source license.
  • iSEC Open Security Forum - The iSEC Open Security Forum is an informal and open venue for the discussion and presentation of security related research and tools, and an opportunity for Bay Area security researchers from all fields to get together and share work and ideas. The Forum will meet quarterly in the San Francisco Bay Area. Forum agendas will be crafted with the specific needs/interests of its members in mind and will consist of brief 20-30 minute talks. Talks will not be product pitches or strongly vendor preferential. Attendance is by invite only and will be limited to engineers and technical managers. Any area of security is welcome including reversing, secure development, new techniques or tools, application security, cryptography, etc.
  • ISSA - ISSA is a not-for-profit, volunteer organization providing a forum for education, publications, and peer interaction opportunities that enhance the knowledge, skills, and professional growth of its members. A goal of the ISSA is to promote the best practices that will ensure availability, integrity, and confidentiality of organizational resources. The purpose of SFBayISSA is to have a local venue for sharing with your colleagues in the security profession.
  • ISACA - The Information Systems Audit and Control Association (ISACA) is a professional association of individuals interested in information systems audit, control and security.

If formal organizations aren’t your thing, there are a few informal groups as well.

  • Baysec - An informal meetup of information security professionals in San Francisco. Unlike other meetups, you will not be expected to pay dues, "join up", or stomach another vendor spiel to attend.
  • SF2600 - sf2600 is a meeting where hackers, crackers, phreaks, and geeks hang out and discuss technology and network with other like-minded folks.
  • SV2600 - Open to Hackers, Crackers, Cypherpunks, Cyberpunks, Phreakers, Geeks and anybody else who likes to discuss technology.

While not exactly a community resource, there are a few major information security conferences that get held in the San Francisco Bay Area as well. Conferences are another great way to network with fellow information security professionals, so here they are.

  • RSA Conference - RSA Conference is the unbiased resource thousands of information security professionals around the world have come to rely upon for unparalleled networking and knowledge sharing opportunities.
  • IEEE Symposium on Security and Privacy - Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for the presentation of developments in computer security and electronic privacy, and for bringing together researchers and practitioners in the field. Papers offer novel research contributions in any aspect of computer security or electronic privacy. Papers may represent advances in the theory, design, implementation, analysis, or empirical evaluation of secure systems, either for general use or for specific application domains.
  • USENIX Security Symposium - USENIX Security brings together top researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks.

As you can see, the San Francisco Bay Area security community is quite strong. Also, we are trying to identify all the local bloggers, so for those in the area that blog, please contact us.

Reflections on the 2008 RSA Conference [The Falcon's View]

Posted: 09 May 2008 03:50 PM CDT

Now that it's May and I've had a few weeks to recover, I've decided that it's time to finally post a thorough retrospective piece on my first attendance of the RSA Conference in San Francisco. Overall, I had a wonderful...

Vote for my Black Hat USA 2008 Presentation! [Andrew Hay]

Posted: 09 May 2008 02:34 PM CDT

Hey All,

I’ve submitted a presentation/paper for Black Hat USA 2008 and if you are attending I’d really appreciate it if you voted for me. The title of the paper: The Bot Came Back, The Very Next Day.

Vote it up and join me in discussing the past, present, and future of botnet activity in fabulous Las Vegas! :)

Still around [ - A Revolution is the Solution]

Posted: 09 May 2008 01:44 PM CDT

All my time is currently being taken up by these things (plus a few others). I promise we'll point and laugh at somebody next week though.

domainnames that last month were many times found in malware [belsec] [Belgian Security Blognetwork]

Posted: 09 May 2008 11:45 AM CDT


Interesting Bits - May 9th, 2008 [Infosec Ramblings]

Posted: 09 May 2008 10:42 AM CDT

Hoff posted yesterday about the hard security costs associated with virtualization. He points out that while there may be cost savings in other areas, there will likely not be any from a security perspective and likely will be additional costs introduced by using virtualization.

Christopher has an entry up that talks about breaking out of Windows RemoteApps. Very interesting.

Have a great day.


HSBC branch server goes missing []

Posted: 09 May 2008 09:49 AM CDT

HSBC branch server goes missing!

This is one of those security breaches that underlines the need for physical security if you are doing remodeling or construction where there is potentially sensitive customer data, as there is in a bank! From the official bank disclosure:

"The Hongkong and Shanghai Banking Corporation Limited confirms one of its computer servers went missing on 26 April 2008 at its Kwun Tong Branch, which has been undergoing renovation. The data held on the server includes account number, customer name, transaction amount and transaction type."

Nice! This just adds to the list of breaches that HSBC has announced recently; not a good time to be an HSBC customer. Seriously though, all banks should look at the physical security around these renovations. Most construction sites I have seen have no security at all. I hardly ever see even a security fence around these locations. Take a look next time you drive by a store or building that is under a remodel or construction. You might be surprised at the lack of physical security of these locations.

If You Can’t Protect Your Website, How Can You Protect The Country? []

Posted: 09 May 2008 06:00 AM CDT

If politics is a contact sport, why do I expect that we will not hear the political argument, “If You Can’t Protect Your Website, How Can You Protect The Country?” Why do I think that it is unlikely to be used as a valid political attack in the public discourse within our current US election?

It seems to me that the main reason politicians stay away from using hacking as a political weapon is the ease at which it may be used against them at some point in the future. Politicians can’t change their public voting record, their former associations or last night’s speech (i.e., the past), but their website could be hacked in the future.

Imagine this scenario: candidate A gets hacked. Candidate B makes a big production about how this hack represents a deficiency in candidate A. Candidate B gets hacked. Candidate B is now in a weaker position than candidate A. If candidate B is not hacked over the course of the election, then they win this spin. Otherwise, the one who is hacked second becomes a weaker candidate. It’s a game of hypocrisy: “Candidate accuses me, but they can’t do it themselves…”

We can reframe our information security questions from a candidate’s perspective:

  1. Will the hack cause voters to sway from my opponent’s party to mine?
  2. Does this website hack reflect a larger political issue (such as a display of incompetence)?

In both cases, I think the answer is “No.” In the first case, it’s because there are more central issues regarding the health of our country. In the second case, website security is not a direct responsibility of the candidate, as such it is unlikely to reflect poorly on them should something go astray. (In short, there’s someone else to blame.) So, there really isn’t the incentive to risk using a hack as a political weapon.

In the analysis above, I only considered a website hack because this just happened to Obama and because it is clearly a public incident. There are other incident types to consider (which I’ll leave to the reader’s imagination).

I’ll also go on record and say that if the incident is large enough in scope — for example, a candidate’s entire campaign headquarters is compromised — that may have a significant political effect that could sway voters’ opinions.

When first starting out in computer security, I downloaded SATAN by Dan Farmer and Wietse Venema. Bundled in Farmer and Venema’s download was their classic paper, “Improving the Security of Your Site by Breaking Into it.” In it they write:

CERT. SRI. The Nic. NCSC. RSA. NASA. MIT. Uunet. Berkeley. Purdue. Sun. You name it, we’ve seen it broken into.

Those words are as true today as in 1995. Consequently, I certainly wouldn’t stake my political career on a hack.

Copyright © 2008 This feed is copyrighted by The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact immediately at copyright() Thank you! Again, please contact so we can take legal action immediately.

Is our minister of Telecommunications a Pirate [belsec] [Belgian Security Blognetwork]

Posted: 09 May 2008 05:23 AM CDT

The Belgian federal minister of Telecommunications van Quickenborne (Q for friends and campaigners) has a long history of being the strange table-jumper in our political circles. He placed a webcam in his parliamentary office and as Secretary of State for Administrative Simplification he had a Kafka plan that made thousands of administrative rules and forms disappear.

Now he is at it again. He is - just as several thousand other iPhone users in Belgium - using a cracked iPhone. Normally the iPhone can't be used in Belgium because there is no exclusive closed-in monopolistic blackmailing deal between big brother Apple and a victim telecom company that sees itself obliged to accept the terms and conditions of the Big Master Apple.

But the Belgian Minister has asked someone (I hope he didn't do it himself) to make his iPhone usable. This can only be done with illegal software from the internet that Apple tries to hunt down or tries to outsmart (for a while).

But as our minister of telecommunications does this, how can he protest against crackers who outsmart monopolistic firms, make games usable on more platforms, distribute films before they reach our theaters 6 months later (if they are distributed at all), and so on? It is the same logic (and I am not saying that I agree with it, I just try to explain the logic). It doesn't matter what the object of the crack is (a film, a game, a DVD player, a PC program or a phone). The logic is that on one side the firms and owners want to protect their business model and on the other side the crackers want to change or circumvent that model themselves. In between is the public, for which both fight a battle of the minds and the pockets.

The European Commission said they would investigate the Apple iPhone monopoly but there is no news yet from that front. For our Minister it wasn't going Quick enough.

Answer to comment: illegal because of copyright, trademarks, patents and whatever.
That Apple won't sue a minister, that is right, but maybe they will take on some poor simple guy somewhere - or just upgrade their software and block everyone out, whoever he or she is.
Let's hope the European Commission does something other than singling out only Microsoft while leaving all these other small but important monopolies alone. For the user a monopoly is a monopoly, small or big.

How Google knows what the flemish Call Center will answer [belsec] [Belgian Security Blognetwork]

Posted: 09 May 2008 04:56 AM CDT

Well, if you use this Google dork then you will have a list of all the contact persons and solutions that the people working in the call center of the Flemish Regional Administration use. So why call them?

You search for a person and have more information than they would even give you:

Naam: Balci
Voornaam: Ozgur
Aanspreektitel:  Dhr.
Geslacht:  Man
Adresgegevens: Hendrik Consciencegebouw
Koning Albert II-laan  15
1210 Brussel
Tel.:  02 xxxxxx Doorschakelen:  Nee
Mail: Escaleren:  Nee

Contract Vlaamse Gemeenschap - Telindus online Googled [belsec] [Belgian Security Blognetwork]

Posted: 09 May 2008 04:47 AM CDT

Here it is - or was.

Want Some COFEE? Microsoft Computer Online Forensic Evidence Extractor [Darknet - The Darkside]

Posted: 09 May 2008 03:34 AM CDT

Microsoft helping the good guys, eh? I had someone ask me if I can get a hold of this so I did some checking up on it. I’d guess MS is doing this to sell additional software and services, but either way it’s a good thing to make a portable, easy to use and effective forensics toolkit. Would [...]

Read the full post at

Looking for young girls? (a review of my visitors) [Roer.Com Information Security - Your source of Information Security]

Posted: 08 May 2008 11:43 PM CDT

A while back, I blogged about an unfortunate event where a 14-year old girl had to change her name and move to a different location because she had undressed in front of her boyfriend - using a webcam.

Since then, I have had a steady growth of visitors targeting that particular post. Some days, this post even shows up on my list of "Most visited" stories, as shown below:

Wankers high on the visitors list

Of course, me being in Norway, I am culturally obliged to be naive. And for a while, I can accept that. But after 6 months, and the same story keeps pulling visitors, even my limits are reached.

I mean - what kind of sick bastards are searching for the text in this image? (No I am not concerned about the "wep hacker" search...)

Search terms used

Now, I immediately picture some crazy predator like the ones over here.

But - giving it a little more thought, perhaps not all the hits are from wankers - but from young, frustrated guys looking for same-age girls?

If there are predators only, I'd love to do something with it. You know, some ball-crushing or similar exercise.

But - if even only one of the visitors is a young person looking for others in the same situation, or someone who plans to do something similar - then I hope that the post actually may do some good. Either by helping out someone in a difficult situation, or by avoiding such a mistake repeating itself.


If you are still looking for 14-year old girls stripping - you might want to try this YouTube clip! Just be warned - you have to be 18 years or older!


OWASP Toronto Presentation - Building A Web Spider [360 Security]

Posted: 08 May 2008 03:21 PM CDT

A couple of weeks ago I spoke at OWASP Toronto. My goal was to lead a discussion on building a web application spider... what you had to consider, pitfalls to avoid and so forth. I felt like it went fairly well, the discussion lasted about an hour and there was quite a bit of group interaction. I picked up some interesting things from the attendees and I'm hoping that they picked up some interesting ideas from me. At the end of the discussion, I was asked if I could make the slides and the sample source (for a very basic spider) available. So here they are.

PowerPoint Presentation
Simple Spider written in Python

Free webinar and ebook "File virtualization for dummies" [Security4all] [Belgian Security Blognetwork]

Posted: 08 May 2008 02:47 PM CDT

I'm not sponsored by any vendor (as this ebook is) but I wanted to mention this since it's a freebie. Consider it the A of CIA. Today's IT infrastructures are complex, inflexible and growing fast....

Interesting Bits - May 8th, 2008 [Infosec Ramblings]

Posted: 08 May 2008 02:12 PM CDT

Hello there. Here are today’s interesting bits from the security blogosphere.

Rebecca Herold has a post up that talks about how the decisions people make about what they post on public sites can affect their ability to get a job.

Paul’s late-breaking computer attack vectors recording and slides are now available.

I recently pointed to 0x000000’s .htaccess that acts as a web app firewall. Well, it has been revised again and a walkthrough has been provided to explain what is going on. Good stuff.

Kees has a great post up about understanding what you protect. As he says:

putting information security controls in place is not a goal, but a means to achieve a business goal.

That’s all I’ve got right now. Been a busy day. Have great rest of yours.


Notacon 5 conference videos [Security4all] [Belgian Security Blognetwork]

Posted: 08 May 2008 02:09 PM CDT

A reader commented that not just the presentation videos of Notacon 4 were online, but also the ones of the more recent Notacon 5. The reason why I mentioned the older ones (first), because they...

Why you shouldn't be on a vendor's client list [Security4all] [Belgian Security Blognetwork]

Posted: 08 May 2008 12:15 PM CDT

When you buy a product, sometimes a vendor can offer you a discount in return for being able to mention you as a client. It might sound like a sweet deal without any risk. Or is it? Let's take an...

Sun Engineers - I Know Where The Rock Star Jobs In SaaS Are! [The Converging Network]

Posted: 08 May 2008 11:52 AM CDT

With the imminent round of additional layoffs coming at Sun, there have to be some real rock stars out there looking for their next move. So... if you are a rock star pre-sales engineer who knows how to sell solutions and would like to get into the exploding SaaS market... or you are a top QA engineer who loves testing, automation, and digging out the toughest-to-find bugs... you owe it to yourself to check out these open positions at my new company, Absolute Performance.

Send your information to Tell 'em you read about it on The Converging Network blog.

Rock On!

Get Ready For XaaS Everywhere [The Converging Network]

Posted: 08 May 2008 09:54 AM CDT

With the soaring interest in Software-as-a-Service (SaaS), we are already seeing the same metaphor used for other service offerings. Platform-as-a-Service, or PaaS, is becoming a commonplace term. Now I've also seen IaaS, or Infrastructure-as-a-Service. As I like to say, no good idea goes un-copied. What that means is we should all expect to be overrun by the use of XaaS terms, where X equals whatever word or phrase any vendor, analyst or marketer chooses to promote their product or service. If Sausage-as-a-Service will help sell more processed meats, you can bet someone will jump on the bandwagon and leverage XaaS to their benefit.

If imitation (being copied) is the most sincere form of flattery, then I'd say SaaS is gaining enough traction that others are copying the XaaS term for their own use. But we shouldn't forget what this all really means to us: software, infrastructure, data, etc., etc., are all moving into the cloud, being offered as a service.

So if anyone needs any Blogging-as-a-Service, you know where to contact me. :)

Jeez - State department laptops missing.. [Data Protection, Management and Leakage]

Posted: 08 May 2008 08:33 AM CDT

This is bad news - folks with some of the most sensitive information seem to be willy-nilly with their laptops. How can we expect plain old corporate folks to take protection seriously?

And this snippet takes the cake "...about 400 missing laptops belonging to the Anti-Terrorism Assistance Program ..."

I wonder how many of these were targeted and stolen... If so, is a cold boot attack more likely against these types of assets?

Invaluable Advice from a Renowned CISO []

Posted: 08 May 2008 06:00 AM CDT

As you know, this column focuses on some of the most fundamental components of an effective Security Program, namely the skills and competencies required by the security leader to implement a successful program. These traits, sometimes called the ‘soft skills’ of security management, are increasingly important as security risk management becomes a predominant Board room conversation.

Chapter 8 of the newly published anthology, CISO Leadership: Essential Principles for Success [Auerbach Publications, New York, 2008] offers invaluable advice from one of our renowned ‘been there, done that’ security professionals, Howard Schmidt. Howard has an impressive resume: in addition to his service at the White House he has served as Vice President and Chief Information Security Officer and Chief Security Strategist at eBay, Chief Security Officer for Microsoft Corp, and Supervisory Special Agent and Director of the Air Force Office of Special Investigations Computer Forensics Lab and Computer Crime and Information Warfare Division. This column will highlight some of the wisdom from that chapter.

In his introspection, Howard relates an epiphany he had early in his career. Although he was working with very intelligent, successful non-security people, he recognized that they had difficulty comprehending the ‘what’ and ‘why’ of information security.

Now, don’t we all experience that at some time in our careers? We, who know and understand the risks and frailties of computer systems and networks; we, who eat, live and breathe security risk management; we, who devour the horror stories online and in hard copy of daily security breaches and identity thefts.

Why would we not expect others to appreciate security?

This is a critical point in achieving success in our profession: we must recognize that our business constituents have a myriad of decisions to make each day, and that information security is but one of many issues that may or may not even appear on their radar range. Regardless of whether we name it security and business alignment, business risk management, asset protection - semantics aside, we have to have the patience and the ability to articulate the importance and more importantly, the appropriate prioritization of information security.

In his remarkable career, Howard leveraged his skills and competencies in his approach to providing visibility and influencing the organizations that he has been a part of. In his chapter, Howard offers excellent advice on the following:

What Skills Should a CISO Have:

  • Understand how technology can be used to create risk
  • Think strategically so security is built in, not bolted on
  • Appreciate the legal and ethical implications of securing resources
  • Leverage business drivers

How a CISO Acquires Business Acumen:

  • Understand the needs of the business. They are your customers.
  • Operate the security program as you would a business. Implement controls that meet business needs, manage costs and reduce risks accordingly.

Remember in the old days how we used to turn blue trying to convince our organizations that security was important? Howard makes a legitimate point that the thought process has evolved from “Why do we need security?” to “Help me make my business secure.” Businesses are becoming quite aware of security risks. How can they not be more aware when daily headlines decry lost laptops and identity theft? Our challenge as security professionals is to figure out how to assist the business in meeting its risk management needs in a manner that won’t negatively impact it.

Howard also validated what I’ve always believed is an important facet of information security - and a point that I highlighted in my first column on this blog - that is, consideration of the culture of the organization is pivotal for the success of a security program. The level of assurance is dependent on what needs to be safeguarded and the environment in which it resides. Remember, security must be realized as a benefit to the organization, both in cost savings as well as risk mitigation.

Lastly, Howard offers his advice on the toughest challenges facing our profession today. Here’s a partial list:

  • Vulnerabilities in software applications, especially those where exploitable code is available.
  • Mobile devices that either house confidential information or are entry points for the company’s network.
  • Emerging wireless technologies - easy to connect to, not so easy to secure.
  • The age-old ‘data classification’ or ‘data flow’ issue - how many of us really have a good handle on this one?


April Commenter of the Month Competition Winner! [Darknet - The Darkside]

Posted: 08 May 2008 05:26 AM CDT

Competition time again! As you know we started the Darknet Commenter of the Month Competition on June 1st 2007 and it’s been running since then! We have just finished the tenth month of the competition in April and are now in the twelfth, starting a few days ago on May 1st - Sponsored by GFI. We are [...]

Read the full post at
