Saturday, May 17, 2008

Spliced feed for Security Bloggers Network

Links for 2008-05-16 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 17 May 2008 12:00 AM CDT

A new blog on the block [StillSecure, After All These Years]

Posted: 16 May 2008 11:36 PM CDT

This one is not all security related, but is the ScienceLogic Blog. One of my favorite people in the IT field, Dave Link, is the CEO and founder of ScienceLogic. Several other friends from Interliant including Louis Dimiglio (sorry if I messed up the spelling Lou!), Richard Chart and Chris Cordray are also part of the team. They have done a great job of creating a network management product and, in a hyper-competitive industry, carving out a place for themselves. I am running into them more and more at shows, conferences and in the field. Now they have joined the blogging ranks and it looks like there will be several contributors. They are all smart folks and I am sure will have good things to say, so be sure to check out the blog!

In one article responding to a post I did about where is the interoperational in interop, Dave says that he and the ScienceLogic team had a very different experience at Interop this year. Due to their participation in the InteropNet and ILabs project, ScienceLogic was very involved in making sure the network at Interop was up and running and showing off the many different products and vendors working together. Certainly the work of the many people at Interop Labs and InteropNet shows how heterogeneous equipment and technology can work together, but where those labs and that network used to be the center of the show, I am not so sure that is the case any more. Many folks walk by the NOC at Interop, peek inside at the folks at the stations, smile and move on. How many actually take the tour compared to how many walk the floor or sit in on presentations? I think in Dave's view it is a case of when you are a hammer, everything looks like a nail.

More importantly though Dave challenges me to answer his questions of what StillSecure has done to promote interoperability with other vendors that we can promote. Great question and it deserves an answer. So at the risk of giving StillSecure a shameless plug, let me give you the three foundations that we have built our products on that allow us to excel at interoperability:

1. Using open standard software and hardware - All StillSecure products run on off-the-shelf x86 hardware or in VMware virtual machines. Our products all run on top of the StillSecure OS, which is a hardened and stripped-down version of Linux but still provides the standard command line programs and interoperability that the Linux OS allows. We use standard and open databases such as MySQL and PostgreSQL that are SQL and ODBC compliant, and we have open database schemas. We also use Java web servers and similar types of open standard software, which makes it easier for us to work with other products and for our customers to feel comfortable with what is under the hood.

2. Support of industry frameworks and standards - Whether it be TCG/TNC or NAP in the NAC world or CVE and FDCC in vulnerability management, we support industry-wide standards and frameworks which allow products to work with each other. SNMP traps and SMTP email alerts are standard in all StillSecure products.

3. Enterprise Integration Frameworks - StillSecure products all ship with our enterprise integration frameworks. These are a complete set of fully documented and functional APIs in XML and Java that allow for the bi-directional exchange of data with many 3rd party products. This is perhaps our greatest means of interoperability and integration.

Dave, I hope that answered the question for you. Now that we know about the blog, we will be reading. Good Luck!

In Passing on DLP [Anton Chuvakin Blog - "Security Warrior"]

Posted: 16 May 2008 09:08 PM CDT

Now, I am not some world-famous DLP analyst, but it doesn't mean that I cannot have an opinion on this "searing-warm"  :-) security concept: "data leak 'prevention'" or DLP (notice the double quotes around prevention...)

I admit that in the past I poked fun at DLP for being "ADLP", with "A" standing for "accidental." Indeed, most of the technology approaches I've seen were "good enough" for preventing accidental leaks (e.g. an Excel sheet with SSNs being emailed to an external party by mistake) and for preventing truly idiotic "insider" attacks of the same nature. Whether they sniffed or used desktop agents, the tools were good enough to do the above, but not much more (or, they allowed you to do more, but via a truly ginormous effort by your security team). And then a retarded kindergarten kid can bypass them in his sleep without working up a sweat ...

In other words, DLP was for keeping honest (but sloppy) people honest and keeping idiots idiotic (but a bit safer). Which is, don't get me wrong, pretty darn useful: after all, overall, employee mistakes still cause more damage than hackers (!)

However, whenever I heard about DLP, I always felt some deeper longing for more - maybe for a technology that CAN actually stop some, clearly defined classes of malicious data theft, perpetrated by non-idiots.

What such technology might be? Well, IMHO,  it should have three things:

  1. Easy on the end user (=information owner) - thus no manual information tagging needed (don't you know, it's dead!)
  2. Easy on the tool operator (=security team) - thus no super-granular policy-writing needed (and please - spare me the regexes!)
  3. Effective enough to stop a malicious insider of reasonable skill over specific information channels - thus, some new technology for accurate detection of possibly modified documents across channels (e.g. common network)

Tough to match? Yup, it sure is. But that's not all: I'd like it to defend against theft of structured, unstructured and structured->unstructured (e.g. database contents pasted to email!) information over just about any network channel (not device theft and not USB/portable device download - these are a different story). What's more, I think that to enable #3 above the DLP "box" needs to actually understand what the document is about and to do it in a human-like fashion (Yes, including rephrased (!) content. Yes, I am picky :-)).

The above clearly does NOT mean that the technology is  not bypassable - there is always an encrypted zip file and gpg, custom encrypted network protocols, or even a screenshot emailed, etc (not even going to device theft, USB xfers or camera phone + screenshot + MMS). It just means that it takes DLP a few big notches up from "anti-retard defense"  to blocking a malicious and dedicated non-IT employee from stealing the crown jewels.

And, if one is trying to be honest about DLP, he needs to define what is out of scope (after all, only narrowly defined problems are actually solvable in this space, not "our MagicBox 6.1 will block ALL data theft," which is absurd - if you believe that, you need your head examined).

I was pretty shocked to learn that something like this actually exists today: the next wave of DLP start-ups is about to emerge. For example, NexTierNetworks can detect information traces even in modified and heavily edited documents (I would like to try rephrasing as well; I suspect it will work!). When I saw a demo I was pretty impressed that you can get a financial document, change a few things here and there, paste it to email - and the system will still stop it by saying "uh-uh, this is sensitive info, no can do" :-) Mind you, this is not what current DLP vendors call "fingerprinting," since it actually uses what the document is about i.e. works on a - hate the word! - semantic or meaning level. So, DLP + a bit of NLP (the other NLP) = magic :-)

As a disclosure, I have to say that I just joined their Advisory Board, but, as you can guess, I joined because I am impressed (not "impressed because I joined!" :-))

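The post above contrasts semantic detection with what current DLP vendors call "fingerprinting." The following is an added example, not code from the post or from any vendor it mentions: a minimal shingle fingerprinter of the conventional kind. It registers a protected document, then scores outgoing messages by how many of that document's 4-word shingles they contain, so a lightly edited copy pasted into an email is caught. The fully rephrased message is included deliberately to show where this approach stops working, which is exactly the gap the post is after. All four documents are constructed for the example, and the threshold is an assumed value a deployment would tune.

```python
"""Added example: shingle fingerprinting of a protected document for DLP.

This is the classic "fingerprinting" approach, not semantic detection. It
catches copies and light edits of a registered document; the REPHRASED
sample shows where it stops working. All documents are constructed.
"""
import hashlib
import re

SHINGLE_WORDS = 4        # consecutive words per shingle
BLOCK_THRESHOLD = 0.25   # assumed: fraction of a document's shingles seen in a message


def tokenize(text):
    """Lower-case word tokens, so punctuation and case changes do not break a match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text, k=SHINGLE_WORDS):
    """Hashed k-word shingles of text as a set (repeats within a document count once)."""
    words = tokenize(text)
    out = set()
    for i in range(len(words) - k + 1):
        shingle = " ".join(words[i:i + k])
        out.add(hashlib.sha256(shingle.encode()).hexdigest()[:16])
    return out


class Fingerprinter:
    def __init__(self):
        self.index = {}   # shingle hash -> set of document ids containing it
        self.sizes = {}   # document id -> number of distinct shingles

    def register(self, doc_id, text):
        sh = shingles(text)
        self.sizes[doc_id] = len(sh)
        for h in sh:
            self.index.setdefault(h, set()).add(doc_id)

    def containment(self, message):
        """doc id -> fraction of that document's shingles present in the message.

        Containment rather than Jaccard similarity, so one leaked paragraph inside
        a long email still scores high against its source document.
        """
        hits = {}
        for h in shingles(message):
            for doc_id in self.index.get(h, ()):
                hits[doc_id] = hits.get(doc_id, 0) + 1
        return {d: n / self.sizes[d] for d, n in hits.items()}

    def should_block(self, message, threshold=BLOCK_THRESHOLD):
        """(block?, per-document scores) for an outgoing message."""
        scores = self.containment(message)
        return any(s >= threshold for s in scores.values()), scores


# constructed sample documents
PROTECTED = ("Q3 revenue forecast: projected net revenue of 4.2 million for the northeast "
             "region, driven by renewals of enterprise contracts. Headcount remains flat at "
             "212 employees while the capital expenditure budget is cut by twelve percent.")
EDITED = ("Heads up - forecast for Q3: projected net revenue of 4.2 million for the northeast "
          "region, driven by renewals of enterprise contracts. We keep headcount flat at 212 "
          "employees and cut the capital expenditure budget by twelve percent. Thoughts?")
REPHRASED = ("Third quarter looks like about four point two million net in the northeast, "
             "mostly renewals. No hiring, and capex shrinks twelve percent.")
UNRELATED = ("Lunch on Friday? The new place on Pearl Street has decent tacos and it is "
             "close to the office. Let me know by Thursday.")


def build_demo():
    """Fingerprinter with the one protected document registered."""
    fp = Fingerprinter()
    fp.register("q3-forecast", PROTECTED)
    return fp


if __name__ == "__main__":
    fp = build_demo()
    for name, msg in [("edited copy", EDITED), ("rephrased", REPHRASED), ("unrelated", UNRELATED)]:
        blocked, scores = fp.should_block(msg)
        print(f"{name:12s} block={blocked} scores={scores}")
```

The edited copy shares about half of the protected document's shingles and is blocked; the rephrased message shares none and sails through, which is the case the post wants a semantic engine for. In practice the shingle index is the thing to size carefully: it grows with every registered document, which is why products store truncated hashes rather than the shingles themselves.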

5 Winning Strategies to reduce cost of Consumer Authentication from a Winner in Consumer Authentication [Online Identity and Trust]

Posted: 16 May 2008 07:09 PM CDT

Posted by Vijai Shankar, Sr. Product Marketing Manager


Consumer Authentication has been around for over 10 years in other countries, but here in the USA, adoption has been slow due to a myriad of reasons... the main one seems to be the perceived high cost. As you've probably gathered by now, we don't think it has to be that costly, so we developed a new whitepaper on "5 strategies to reduce the cost of consumer authentication". I know you're thinking this has to be pure marketing fluff, but I think you'll find some nuggets of info in there that are worth exploring. After all, we must be doing something right, we just won the Network Products Guide 2008 Product Innovation Award.

Don't forget: if you want to test drive VeriSign Identity Protection Authentication Service and see how easy consumer authentication can be, download the APIs for free and check it out. You can join the growing team of test drivers, which has now exceeded 100 within a few weeks of its inception.

~Vijai

US Military Seeks to Cyber Bomb Digital Combatants [Amrit Williams Blog]

Posted: 16 May 2008 05:11 PM CDT


The US Military is looking to cyber bomb digital enemy combatants (here) back to using an abacus, a stone tablet and some empty cans with string for calculations and communication.

The world has abandoned a fortress mentality in the real world, and we need to move beyond it in cyberspace. America needs a network that can project power by building an af.mil robot network (botnet) that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic. America needs the ability to carpet bomb in cyberspace to create the deterrent we lack.

The DoD’s mission statement is essentially to enable and support the warfighter - they exist for no other purpose. The mission of the warfighter is to deliver sovereign options for the defense of the United States of America and its global interests. It is quite natural for this enablement and support to extend beyond physical domains in a world with an increasing reliance on digital, satellite, and radio communications.

This recent RFP for a “Dominant Cyber Offensive Engagement and Supporting Technology” from the US Air Force (here) details the requirements for a highly-sophisticated, stealthy botnet with rootkit functionality. I have no doubt that the US military will implement and develop such a system. The question is can the US military effectively fight a cyberwar against a highly-distributed, disorganized, and undefined adversary?

One of the major challenges of the US Military in implementing effective offensive computing technologies is the same challenge we face in fighting terrorism today in the physical world. It is extremely difficult to attack a highly distributed enemy with loose or no central command and control structures. An army of independent combatants, connected only through a common ideology, taxes a military that has been optimized to defeat traditionally organized and centrally managed armies.

The challenge extends to cyber warfare as well in an even more exaggerated way. Cyber attacks against our national infrastructure are difficult to prove as state-sponsored; additionally the attackers can use spoofed IP addresses or route through compromised machines located in the US. Chinese backed hackers, for example, can work independent of the military and political establishments and in doing so present a radically different set of problems to the US Military, which tends to suffer in effectiveness when the enemy is not clearly defined.

Additionally this method of decentralized warfare allows our enemies a many-to-one relationship in attacking the US. The US, on the other hand, is challenged by a one-to-many relationship with our attackers. Put another way, it is quite simple to develop weapons that can kill an elephant moving slowly through a savanna, but much more difficult to eliminate mosquitoes throughout the jungles of Southeast Asia, while limiting collateral damage to the butterfly population. This forces the US into a continual defensive or reactive posture that keeps us struggling to keep up with our current enemies' tactics.

You should also read this post from Dancho Danchev (here)

The bottom line - why put efforts into building something that would generate a lot of negative publicity and might never materialize, when you can basically outsource the process and have the capability provided on demand? Just like the bad guys who do not have access to botnets do by using botnets as a service?

The discussion about GRC [Security Balance]

Posted: 16 May 2008 03:46 PM CDT

Good information will always come from discussions between people like Gunnar Peterson, Richard Mogull, Chris Hoff and Alan Shimel. This time the target is GRC tools. It started with Peterson, was commented on by Hoff and Mogull, and was followed by Shimel.

There is space for GRC tools on the market, but it is really risky to change a security product roadmap to rebrand it as GRC. Axur ISMS is a very nice tool to oversee and manage a security program, leading to compliance results. However, it will never work without all the processes and tools that lie beneath the strategic layer. How can a tool like that replace, let’s say, an antivirus or even a firewall?

The way that all those tools are being managed and how they are addressing risks is information, and it needs to be properly managed. This is where GRC products can help. If you don’t have tools and processes to be managed, forget about GRC. Do the basics first.

Line Noise [DVLabs: Blogs]

Posted: 16 May 2008 03:18 PM CDT

Posted by Cameron Hotchkies

As a research team we come across a variety of interesting articles, papers and links ranging from cutting edge security research to silly web toys. We're constantly sharing information and commentary with one another and thought that it may be interesting for others to join in on the fun. So we have decided to dedicate some time to creating a generic "week in review" blog series. We'll see how it goes and we'll decide on whether or not to keep it up based on the feedback we receive. To kick things off, here are some random recent musings straight from our internal IRC:

  • googleDrive is a fun little toy. Cody thought it would be interesting to snag the code and make a networked multiplayer racing game out of it. Looks like the author of googleDrive is already planning googleRacer which will allow you to plot a course and race against the clock.
  • Automated Patch-Based Exploit Generation. This interesting and recently published paper has stirred up all sorts of noise in the security specialized media arena and various mailing lists and boards.
  • Aaron found this link to a military sponsored rootkit and botnet research call for papers.

  • The pokerbot writeup and one of the ualberta papers it references. These made the rounds last weekend, with a decent application of DLL injection. It's supposed to be part of a series, so the second part may possibly be up by the time you read this.
  • Debian. That not random enough key generation vulnerability that everyone has been talking about. Ben Laurie has an interesting post on his blog, HD Moore generated the whole keyspace. XKCD made a comic about it and as expected we made a detailed write up of our own here.
  • Recently Google opened up a diagnostic page allowing users to check the malicious status of specific sites. To try this for yourself plug a target domain into: 
http://www.google.com/safebrowsing/diagnostic?site=http://www.example.com

Rootkit on IOS? [varie // eventuali // sicurezza informatica]

Posted: 16 May 2008 02:56 PM CDT

I have received quite a few emails asking for clarification about the IOS rootkit that was discussed at EUSecWest. Since I am a bit busy at the moment (you can tell from how rarely the blog gets updated, can't you?), I will give one collective answer, or rather leave it to Cisco's official voice:

Cisco Security Response: Rootkits on Cisco IOS Devices

How to become a hacker… [Infosec Ramblings]

Posted: 16 May 2008 02:55 PM CDT


You may have all seen this already, but I just came across it. It’s been around for a while, but I thought it was interesting. How to Become a Hacker by Eric Steven Raymond.

Why Is ISO2700x Hot in UK, but Not in US? [Anton Chuvakin Blog - "Security Warrior"]

Posted: 16 May 2008 01:36 PM CDT

First, something hilarious: I was teaching this brief course on logs overseas and touched upon the subject of ISO17799. So, having recently read how many companies in the US were ISO17799 certified, I asked my audience whether they could guess what the number was. One guy volunteered an answer, after some hesitation: "Less than 50%?"

That's "percent", folks :-)

I said to him: "You are right!" and laughed - "It is indeed less than 50!" 50 as in "count" (I read somewhere at the time that 49 companies were certified US-wide)

So, ISO17799 is hot in some countries: UK, Japan, Russia (where it is the basis for a set of national standards), many others. But not in the US.

I have long been puzzled about this. What's the story?

The most likely explanation is that every security manager worth his salt read ISO17799 documents and then used the ideas and material in his own policies, procedures, etc. On the other hand, he sees no motivation whatsoever to invest in certification - since nobody is making him do it (no equivalent of a PCI auditor is standing nearby with a big axe...)

Another explanation is that, due to the longer history of security management in the US (compared to other countries), home-grown approaches took root and no external standard will dislodge them?

Yet another hypothesis goes like this: in the US, it is more important to do a good job [managing security] than to be "standards-compliant." Is the opposite true in Europe and Asia? I dunno...

Or maybe ISO stuff is seen as "that Euro thing?" Exotic like a Hungarian chick, but just as relevant :-)

Any ideas? UK scene, any ideas? Do you care for ISO17799 at all? As a useful document to read or something to be certified in?

Another Old Presentation: What Every Organization Must Log and Monitor [Anton Chuvakin Blog - "Security Warrior"]

Posted: 16 May 2008 01:32 PM CDT

Finally, I decided to "liberate" this presentation as well: "What Every Organization Must Log and Monitor" circa 2004.

This is still very useful and relevant; also, many people will appreciate my attempt to do the impossible i.e. give a simple answer to a very complex question (BTW, it rarely works :-))

So:


Interesting Information Security Bits for May 16th, 2008 [Infosec Ramblings]

Posted: 16 May 2008 01:07 PM CDT


Howdy, here are some things to take a look at for today.

Dave Aitel writes about automatic exploit generation from patches. According to Dave, it isn’t as easy as it sounds. I agree with him. Go give it a read.

GNUCITIZEN has another good post up that takes a look at resident scripts and cross-domain issues using JavaScript.

Kees, as usual, has a thought provoking post up which points out that Perception IS Reality (emphasis added). Go read it.

Later folks. Have a great day.

Kevin

Hey Nessus, do you do sudo? [Infosec Ramblings]

Posted: 16 May 2008 12:42 PM CDT


We all know and love Nessus. Well today, Tenable made it even better. Nessus now fully supports su and sudo for audit and patch compliance checks. This is very cool.

Next, in response to the SSH key brouhaha this week, there are now a couple of plugins that will check for weak keys in SSH and SSL protected web servers.

Caveat: It appears that you need to be Direct Feed/Professional subscriber to use these features.

Kevin
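The weak-key plugins mentioned above, and the Debian item in the DVLabs roundup earlier in this feed, both rest on the same fact: when the only entropy left in the generator is the process id, there are fewer than 32768 possible keys per key type and size, so the whole keyspace can be generated in advance and any key can be checked against a fingerprint blacklist. The following is an added example, not Tenable's plugin code or anything from the Debian advisory. The key generator is a stand-in that models the broken PRNG (it is not OpenSSL and produces no real RSA keys); the fingerprint format, the parser for authorized_keys lines and the sample file are the real parts. The sample keys and comments are constructed.

```python
"""Added example: enumerable keys and a fingerprint blacklist check.

toy_keygen stands in for a generator seeded only by the pid (hypothetical,
not OpenSSL). The authorized_keys parser and fingerprint format are real;
the sample file and keys are constructed for the example.
"""
import base64
import hashlib

PID_MAX = 32768                     # default Linux pid range: the entire keyspace
KEY_TYPES = {"ssh-rsa", "ssh-dss"}  # SSH protocol 2 key types of the period


def toy_keygen(pid, keytype="ssh-rsa", bits=2048):
    """Stand-in for key generation whose only entropy is the pid (hypothetical)."""
    return hashlib.sha256(f"{keytype}-{bits}|{pid}".encode()).digest()


def fingerprint(blob):
    """MD5 fingerprint of a public key blob in the colon form ssh-keygen -l printed."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def build_blacklist(keytype="ssh-rsa", bits=2048):
    """Enumerate every key the broken generator can produce for one type and size."""
    return {fingerprint(toy_keygen(pid, keytype, bits)) for pid in range(1, PID_MAX)}


def parse_authorized_keys(text):
    """Yield (keytype, blob, comment) per key line.

    Blank lines, comments and undecodable base64 are skipped. A leading options
    field (from=..., command=...) is dropped when it contains no spaces; options
    with quoted spaces are not handled here.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0] not in KEY_TYPES and len(parts) == 2:
            parts = parts[1].split(None, 1)       # drop the options field
        if parts[0] not in KEY_TYPES or len(parts) < 2:
            continue
        rest = parts[1].split(None, 1)
        b64, comment = rest[0], (rest[1] if len(rest) == 2 else "")
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:                        # binascii.Error is a ValueError
            continue
        yield parts[0], blob, comment


def weak_keys(text, blacklist):
    """(comment, fingerprint) for every key in text whose fingerprint is blacklisted."""
    found = []
    for _, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        if fp in blacklist:
            found.append((comment, fp))
    return found


def _b64(blob):
    return base64.b64encode(blob).decode()


# constructed authorized_keys: one key from the broken generator, one from a healthy one
WEAK_BLOB = toy_keygen(4242)
HEALTHY_BLOB = hashlib.sha256(b"constructed stand-in for a properly random key").digest()
SAMPLE_AUTHORIZED_KEYS = f"""# deploy keys
ssh-rsa {_b64(WEAK_BLOB)} deploy@build-host
from="10.0.0.0/8" ssh-rsa {_b64(HEALTHY_BLOB)} ops@bastion
not-a-key-line
"""

if __name__ == "__main__":
    bl = build_blacklist()
    print(f"blacklist covers {len(bl)} fingerprints")
    for comment, fp in weak_keys(SAMPLE_AUTHORIZED_KEYS, bl):
        print(f"WEAK: {comment} {fp}")
```

The blacklist build is the whole point: 32767 keys is small enough to precompute per type and size in seconds, which is why HD Moore could generate the real keyspace and why a scanner only needs a fingerprint lookup per key. The same check applies unchanged to host keys and to the public halves of SSL certificates; only the blob that gets fingerprinted differs.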

The Daily Incite - May 16, 2008 [Security Incite Rants]

Posted: 16 May 2008 09:34 AM CDT

Today's Daily Incite

May 16, 2008 - Volume 3, #47

Good Morning:
It's that time of year again. We're almost at the end of the school year, and that means it's dance recital time. The girls have been working hard (OK, maybe working not so hard) at dance class for the past 10 months, and it's time to show off their stuff. This year, both girls were performing since Lindsay (my younger daughter) started dance also.

I have to admit, the girls looked really cute in their dance outfits with their hair up in that crazy bun. I wear my hair pretty short, so I guess I'm always sporting a bun - but evidently it's a lot of work to get the Gordon Gekko look on 4 and 7 year olds.

I'll also come clean that for me, a dance recital is like going to a foreign country. I don't know if it's good or bad, but it's different. Since besides being forced to watch "So You Think You Can Dance" each summer and maybe a few Justin Timberlake videos, I've seen very little dance. I know it's probably shocking, but I don't go to the ballet or any kind of interpretive dance shows.

If I'm going to see someone perform, they better be playing some kick ass music or making fun of the guy in the front row, so I can laugh my ass off. But being the good Dad that I try to be, we loaded up 13 of us (two sets of grandparents, uncle/aunt and first cousins, and some family friends) to the community center to see the show. Of course, Murphy's Law came to visit and the video camera didn't hold the charge, but being the contingency planner I was able to take some video on the digital camera. I've got nothing on Spielberg - but I can't wait to show the girls that video when they are 25.

I have to say that both of my girls are performers. I don't know if they can dance, but they sure do have some fun in front of a couple of hundred people. Since my boy doesn't play ball yet, I don't know how seeing the girls do their dance numbers will compare to him knocking one out of the park or sacking the QB - but it was really great to see them enjoy themselves in front of the crowd. Yes, one very proud Dad was in the house.

After the big show, we gave the girls some flowers (evidently you are supposed to do that) and they all got ring pops to celebrate. I guess I'll need to budget in some dental fillings, in addition to the endless supply of ballet, jazz and tap shoes and recital outfits for the girls.

Have a great weekend.

Photo: "On Your Toes" originally uploaded by vidguy


Top Security News

Is NIPS finally ready? If no, how about intrusion tolerance?
So what? - It's funny how technologies capture the imagination of the market for years and then they don't. Yet, in the real world, especially the mid-market, where budgets and deployments are years behind the media and hype cycles - these technologies keep clicking along. Clearly we don't think too much about network IPS anymore, besides when one vendor makes a wild claim about speed over another vendor. Yet are these things safe for your network? Mike Chapple's SearchSecurity tip tackles that issue and he has some good guidance. Basically use it as an IDS for a little while, so you can tune the rules and only block a small subset of things you KNOW are bad. How about this new idea called network tolerance? I'm all for tolerance because the approach focuses on containment, not necessarily eliminating all attacks. Though this academic approach seems to be applicable only to the biggest shops (and ISPs) that can afford to pull devices down to reimage them every so often. Though this kind of perpetual new suit approach is starting to appear in things like virtualized desktops (where a new image is assembled and streamed every time you "boot" the device), so why not with network servers? It's not today, but it may be something to think about - especially for the big shops - though this is kind of the anti-virtualization technology since it requires a lot more computing cycles (since you are intentionally taking a portion of the engine offline).

Companies will miss the PCI deadline? Shocker!
So what? - So PCI DSS Requirement 6 kicks in over the next 6 weeks. Whoop de do. Now merchants are expected to have protected their applications. I mentioned this when the standards council issued a clarification on what Requirement 6 actually means. Yet what's the impact if they get their web app firewalls deployed by July 15? Or that software code review done by September 12? Not a damn thing. That's right. Maybe they'll flub their assessment, but in practice - will they? You don't think many of the QSAs will give a waiver, if the plans are in motion already? Especially given the late clarification and the imminent release of the PCI DSS 1.2 specs (planned for October). Of course, there is a situation where it does matter. If there is another high profile breach - then whether the merchant got there by June 30 is very relevant. Especially when the card issuers go for the throat and demand their settlements. For merchants? Keep on keeping on. And hope your day doesn't come between June 30 and when you get on target with Requirement 6.

Security bailout?
So what? - I get that my bud Kevin Beaver is venting a bit on his new blog, Security on Wheels. And the billions the US will spend to bail out the bad actors, who have been profiting handsomely for the last 3 years in the mortgage debacle, is nauseating. But is it plausible that the Feds would make it right for consumers that are continually victimized by poor controls and bad information security? I know Kevin is joking here, but let's take a more thoughtful look at the question. Could we fix the issue with a $300 billion investment? I don't think so. You can buy off stupidity and the reality is that many (if not most) security breaches are a direct result of stupidity. A firewall and new laptop for everyone isn't an answer. But it's not like they won't try, the US Feds will allegedly spend $30 BILLION on security stuff over the next 5 years. That's a really big number and I don't think they can digest that much technology and services over that time period. It's like when you eat two ears of corn at your BBQ and your body can't process all the food. You know what happens. You see the corn again in like 16-24 hours. Yuck. But all the same, the Feds may actually spend the money, but I hope they have a lot of shelves for all the shelf-ware that will result.  

The Laundry List

  1. CSOs and CEOs at the same table? Mich Kabay covers a new book that talks about why this is important. It's great to see this kind of discussion and topic continuing. We aren't close to it becoming reality, but at least we are talking about it. - NetworkWorld newsletter
  2. Sourcefire blocks the Patch Tuesday attacks. Does anyone care about these stupid monthly releases? Besides their BusinessWire rep? And FIRE isn't the only company that does this, they are just the one I found first... - Sourcefire release
  3. Proofpoint says FU to FTP and targets secure file transfer. Looks like a bit more competition for Tumbleweed. - Proofpoint release
  4. Marshal pinpoints the largest botnet. Srizbi sends 60 billion a day. Hormel is still trying to get their .01 royalty on all those messages. - Marshal release

Top Blog Postings

Tenable continues to push the open source model
You have to hand it to Ron Gula. He has consistently pushed to more effectively monetize Tenable's open source scanner, the ubiquitous Nessus, and yet there hasn't been the predictable backlash that a lot of other "monetization" efforts tend to suffer. First, to be clear, Ron should be monetizing Nessus as effectively as possible. The reality is it's his company's intellectual property and at the end of the day he needs to make some kind of return on that asset. So what's new about the changed licensing model? Basically Tenable has collapsed the 7 day "free" feed, in favor of a new HomeFeed - that gets the scanner updates in real time. Of course, you can't use this (legally anyway) in your business. Then you need to buy the "ProfessionalFeed" for the same $1200/year that the direct feed used to cost. Ron and Renaud posted a letter to clarify why they are doing this. You can also check out the FAQ to get more details. Basically this is a licensing play and Ron is hoping that more of the folks using Nessus will pay because it's the right thing to do. Even colleges and non-profits, although some charities may be able to get a free ProfessionalFeed. That PO from Mother Teresa is hitting the fax right now. Customers do get some additional capabilities (like compliance checks and support), but ultimately it seems that the model is about customers doing the right thing and for $1200 a year - they really should.
http://blog.tenablesecurity.com/2008/05/tenable-updates.html

GRC war, what is it good for?
Absolutely nothin' - say it again! That's right, the Mogull and Shimmy shimmy cocoa puff got into it this week about GRC. Of course, Alan is a lawyer - which means he's picking apart words and looking for nuance. Rich started it with a call that GRC is dead. Alan then needs to poke about Rich just copying Stiennon to try to generate some press. Then Rich pokes back and actually makes a pretty well-reasoned argument. So this cooler head (and when have I ever been a cooler head in a blog fight?) basically says Rich is talking about the compliance work flow engines that a lot of vendors are pushing and calling them GRC silver bullets. I'm in total agreement, and even wrote a piece in SearchFinancialSecurity.com about it. The basic gist is that really big companies can get value from GRC software because they've got a lot of moving pieces and coordination is a pain in the backside. Smaller companies, probably not so much. Shrdlu weighs in as well to really clarify things, calling these GRC products "compliance-with-a-dashboard." Awesome. But her point is exactly right, in that risk is variable and credibility is king. If you aren't helping the process, you are hurting it and thus your life expectancy (as top security pro anyway) is limited...
http://layer8.itsecuritygeek.com/layer8/r-before-c-especially-after-g/

Despair, futility and the right question to ask
It's tough to ask the hard questions, especially of yourself. What happens if the answer comes back and it's not what you want, or what you need? What if it turns your entire world view upside down? Is that a good thing or a bad thing? Since I'm a fan of constantly questioning everything, I figure it won't be long before the answer becomes clear. You can choose to see the writing on the wall or wait for the train to run you over. That rambling preamble is really about Jeremiah asking whether secure software matters anyway. Hmmm. Should we even try, since secure coding really only ensures we don't get nailed by the stuff we know about? Double hmmm. Basically, it's about low hanging fruit and containment. Jeremiah is exactly right that you can't catch everything. But most of the attackers out there are looking for the low hanging fruit. Easy SQL injection or XSS vulnerabilities, and there are hundreds of thousands of vulnerable sites to choose from. Make sure yours are not on that list and you should be OK. Until you aren't, and that's where containment comes into play. It will happen to you, so you should be ready. If anything, asking this kind of question reinforces my world view. So I'm glad it was asked.
http://jeremiahgrossman.blogspot.com/2008/05/does-secure-software-really-matter.html

Debian SSL Comic [Random Thoughts from Joel's World]

Posted: 16 May 2008 09:26 AM CDT

Classic!

Lazy Friday Pseudo Link Love [The Falcon's View]

Posted: 16 May 2008 08:47 AM CDT

It's Friday, I'm beat, and, well, I'm just feeling a bit lazy, to be quite honest. So, here are a scant few links to interesting stories from today, of all times. If you're curious about what I find most interesting...

Essential Truths in Information Security: Perception is Reality [Kees Leune]

Posted: 16 May 2008 04:19 AM CDT

Another post from the train. This time I am on my way from Utrecht to Leiden. Leiden is one of the oldest cities in the Netherlands, and proudly houses one of the most well-known universities in the country.

Very often, information security professionals are extreme perfectionists. The nature of our work requires us to be that. Defending against an unknown threat means that we have to be ready for any attack; missing one element or implementing one control in a vulnerable way will expose us to risk that eventually will manifest itself.

However, we also need to realize that perfection is not expected from us. Moreover, one might say that the organizations we work for expect that we will not be perfect. Obtaining a high level of assurance that we will not be faced with an attack is extremely costly, and might be more expensive than the organization is willing to pay. After all, if the cost of protection outweighs the potential loss, most businesses will choose not to protect.

Perception is reality.

As information security professionals, we have to be very careful to strike the right balance between pointing out the risks that we face and becoming a herald of doom. Once an organization has decided what risks it deems acceptable, it is the information security professional's job to design, implement and operate the necessary controls to reach or maintain that level of risk. Unfortunately, it happens too often that an information security officer will continue to announce impending failure and that he will continue to complain that the organization does not do enough.

Do not do it.

Nobody is waiting for a person whose very existence will be negative and depressing. Once the organization perceives that it is secure enough, there will not be much more you can do. You may try to influence the perception, but you also have to realize that perception is reality. If the person holding the budgets perceives that your organization is protected well enough, it is your reality that you will not get more funding.

Perception is reality.

Implementing a thorough and admittedly, somewhat manipulative, information security awareness campaign can be a great way to influence the perception that people in an organization might have. Most awareness campaigns target workers, but targeting senior management with an informative strategy may very well pay off. Senior managers need to be talked to in their own language, and typically in their own offices, in person or in small groups.

When talking to senior executives, you have to be very well prepared. They have made it to their positions because they are intelligent, know how to ask the correct questions, are not afraid to make decisions, and are willing and able to take responsibility for those choices.

Before you make statements like "a lost laptop will cost us $1M, therefore I need $250k to implement a full-disk encryption program", make sure that you can substantiate the numbers, know which legislation will provide you with a safe haven from notification if the laptop is encrypted, and know which other risks are associated with data loss that can be prevented with encryption.

Be honest.

In addition to pointing out all the good things, also point out some of the bad things. Full-disk encryption is not a silver bullet: how much manpower it will take to implement and operate the product, how to handle the laptop when someone forgets credentials and the data on the disk needs to be accessed, etc.

By being well prepared, and by carefully choosing your battles, you will change your senior managers' perception, and as a result you will change your reality.

Perception is reality.

Xprobe2 - Active OS Fingerprinting Tool [Darknet - The Darkside]

Posted: 16 May 2008 01:40 AM CDT

Sometimes I wonder to myself whether I have mentioned a certain tool on the site, usually one of my favourites... often I search the site to find I have never posted about it. It just goes to show how we often overlook some of the more 'obvious' choices, and to many people they may not be that obvious. [...]

Read the full post at darknet.org.uk

Links for 2008-05-15 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 16 May 2008 12:00 AM CDT

Botnets with SQL Injection tools [Jeremiah Grossman]

Posted: 15 May 2008 05:09 PM CDT

Dan Goodin of The Register has a gem of a story about the life of a teenage botmaster and how he got busted by the feds. While this smells of a low hanging fruit conviction, it provides compelling insight into just how little skill a person needs to illegally turn a tidy profit by compromising users' machines and committing fraudulent acts. It also begs the question of how much the people with some decent skills are making who also TRY NOT to get caught.

Who knows, some of them could be the same people clever enough to install SQL injection tools on bots as a copycat of the massive attacks going around. "The bots then Google for .asp pages with specific terms -- and then hit the sites found in the search return with SQL injection attacks, says Joe Stewart, director of malware research for SecureWorks". Bill Pennington lays out the future of botnet attacks leveraging custom web application vulnerabilities like XSS and CSRF. Bigger potential than SQLi. Get ready everyone! This is going to be an interesting year.

Fun Security Reading - 3 [Anton Chuvakin Blog - "Security Warrior"]

Posted: 15 May 2008 05:08 PM CDT

Instead of my usual "blogging frenzy" machine gun blast of short posts with links and commentary, I will now combine them into my new blog series "Fun Reading on Security" or "FRoS." Here is an issue #3, dated May 15, 2008.

  • First, watch Dave Aitel beat the dead horse of academic security "research." Quote: "people who write papers in LaTeX two-column format end up saying the sky has a high negative trajectory." (other examples)
  • I work for a vendor, but I am not "vendor scum." What is the difference? If you write a paper about a fake trend or about a non-existent phenomenon (that your marketing department created) with the sole intention of selling your product while masquerading your piece as "objective content", you will probably be called "vendor scum." Example: do you know why insiders are dangerous? Because of telnet and modems (no shit!) :-)
  • Rich Mogull drop-kicks GRC. Then kicks it in the balls. Then steps on it. Fun read, for sure.
  • Did somebody just utter "ROI"? Yeah - and that means katana blades sharpened, flamethrowers charged, pet trolls enraged :-) Yes, the beast is back - with a vengeance. Bruce Schneier hits it with +5 Flaming Blade, it doesn't die, it bites back ... again. If you love/hate ROI, read these. And Mike R comment here. Can we just replace the "R"-word with "economic measure of security" or "security efficiency?"
  • Does anybody with at most half a brain believe that "almost one out of every three individuals who were informed of a data security compromise involving their personal data have ceased doing business with the company that experienced the incident" (source here and more commentary here)? Well, same people who believe FBI/CSI surveys, I guess :-) UFO? Spoon bending? Santa Claus anyone?
  • NEWSFLASH!!!! Employees need to be monitored!!! Wow!!! Reeeeally? Well, it is news to some people. Mike R makes good fun of them here.
  • Harebrained paper about PCI and using cards (credit and debit), which serves as a perfect illustration of how some people perceive risk. Repeat after me: you are not liable for misuse of your credit card, your bank is. Debit card? Very different story!
  • So, risk, yes. A really good piece about risk is here. Then again, it is RiskAnalys.is? :-) More on risks of compliance stuff (also good) is here.
  • Richard clearly, succinctly, brilliantly explains the "security chasm" here by commenting on Greg's article (featured in my previous FRoS): "The first camp spends more time talking about "enabling business" and "elevating the infosec conversation" while the second camp deals with the mess caused by the first world's ignorance of security problems."
  • Security reading? Nah, fun security listening (that is, unless you are sick of hearing about RSA 2008 again), where we discuss - yes, you guessed right! - past RSA 2008 show.

Enjoy!

Debian [Security Balance]

Posted: 15 May 2008 04:28 PM CDT

Debian: transforming public key in shared key encryption.

Apple Blogger's Network [Random Thoughts from Joel's World]

Posted: 15 May 2008 03:25 PM CDT

Hey everyone, if you like/love Apple products and are interested in following a spliced feed from a bunch of different Bloggers who ALSO love Apple, be sure and subscribe to the Apple Blogger's Network.  There are all kinds of interesting ideas and posts, all from people who love to use and talk about Apple products.

If YOU are a person that is interested in blogging about Apple, if you have an Apple Blog, etc, please email me here, and I'll send you an invitation. All the network is, is an aggregate feed for a bunch of blogs, so you will see some non-Apple posts; however, it makes for a great read!


Interesting Information Security bits for May 15th, 2008 [Infosec Ramblings]

Posted: 15 May 2008 02:48 PM CDT

Man, I just keep falling farther and farther behind on these posts. Anyway, here we go:

Jeremiah has a nifty post up about crossdomain.xml.

Jeff Jones has a short paper available that compares Windows Vista vulnerabilities to Windows XP SP2 vulnerabilities in 2007.

Patrick Romero discusses Electronic Medical Records over on Security Catalyst.

Nitesh has an interesting article posted about some issues in Safari and Apple’s response.

Innismir has posted a helpful guide on how to create new ssh system keys for those of us who are susceptible to the openssl issue on Debian-based Linux distros.

That’s it for today. Have a good one.

Kevin

The Top 25 B-to-Z List Blogs [Richi Jennings]

Posted: 15 May 2008 01:55 PM CDT

My piece at the "new" Industry Standard is finally up, with additional additions from Ian Lamont.

"These are the blogs you won't see on the Techmeme Leaderboard, Technorati's Top 100 blogs, or the CrunchBase BloggerBoard ... at least not yet. They include VCs, entrepreneurs, coders, experts, and observers, and they bring a delicious mix of insight, experience, and passion to their blogs. While they may not have the right amount of link love, they need to be on your radar screens."

Debian ftw? [Random Thoughts from Joel's World]

Posted: 15 May 2008 01:35 PM CDT

So, all you Debian users, your ssh is ftl.

All the other security blogs are covering it at this point (so I won't, much); however, it is of high concern, so hopefully you are/have regen'ed all your ssh/ssl keys by now.

We will probably move the ISC to Yellow at some point today to raise awareness.

