Spliced feed for Security Bloggers Network
Links for 2008-05-16 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"] Posted: 17 May 2008 12:00 AM CDT
A new blog on the block [StillSecure, After All These Years] Posted: 16 May 2008 11:36 PM CDT This one is not all security related, but is the ScienceLogic Blog. One of my favorite persons in the IT field, Dave Link, is the CEO and founder of ScienceLogic. Several other friends from Interliant, including Louis Dimiglio (sorry if I messed up the spelling, Lou!), Richard Chart and Chris Cordray, are also part of the team. They have done a great job of creating a network management product and, in a hyper-competitive industry, carving out a place for themselves. I am running into them more and more at shows, conferences and in the field. Now they have joined the blogging ranks and it looks like there will be several contributors. They are all smart folks and I am sure will have good things to say, so be sure to check out the blog!
In Passing on DLP [Anton Chuvakin Blog - "Security Warrior"] Posted: 16 May 2008 09:08 PM CDT Now, I am not some world-famous DLP analyst, but it doesn't mean that I cannot have an opinion on this "searing-warm" :-) security concept: "data leak 'prevention'" or DLP (notice the double quotes around prevention...). I admit that in the past I poked jokes at DLP for being "ADLP", with "A" standing for "accidental." Indeed, most of the technology approaches I've seen were "good enough" for preventing accidental leaks (e.g. an Excel sheet with SSNs being emailed to an external party by mistake) and for preventing truly idiotic "insider" attacks of the same nature. Whether they sniffed or used desktop agents, the tools were good enough to do the above, but not much more (or, they allowed you to do more, but via a truly ginormous effort by your security team). And then a retarded kindergarten kid can bypass them in his sleep without working up a sweat ... In other words, DLP was for keeping honest (but sloppy) people honest and keeping idiots idiotic (but a bit safer). Which is, don't get me wrong, pretty darn useful: after all, overall, employee mistakes still cause more damage than hackers (!) However, whenever I heard about DLP, I always felt some deeper longing for more - maybe for a technology that CAN actually stop some clearly defined classes of malicious data theft, perpetrated by non-idiots. What might such technology be? Well, IMHO, it should have three things:
Tough to match? Yup, it sure is. But that's not all: I'd like it to defend against theft of structured, unstructured and structured->unstructured (e.g. database contents pasted into email!) information over just about any network channel (not device theft and not USB/portable device download - these are a different story). What's more, I think that to enable #3 above the DLP "box" needs to actually understand what the document is about and to do it in a human-like fashion (Yes, including rephrased (!) content. Yes, I am picky :-)). The above clearly does NOT mean that the technology is not bypassable - there is always an encrypted zip file and gpg, custom encrypted network protocols, or even a screenshot emailed, etc. (not even going to device theft, USB xfers or camera phone + screenshot + MMS). It just means that it takes DLP a few big notches up from "anti-retard defense" to blocking a malicious and dedicated non-IT employee from stealing the crown jewels. And, if one is trying to be honest about DLP, he needs to define what is out of scope (after all, only narrowly defined problems are actually solvable in this space, not "our MagicBox 6.1 will block ALL data theft," which is absurd - if you believe that, you need your head examined). I was pretty shocked to learn that something like this actually exists today: the next wave of DLP start-ups is about to emerge. For example, NexTierNetworks can detect information traces even in modified and heavily edited documents (I would like to try rephrasing as well; I suspect it will work!). When I saw a demo I was pretty impressed that you can get a financial document, change a few things here and there, paste it into email - and the system will still stop it by saying "uh-uh, this is sensitive info, no can do" :-) Mind you, this is not what current DLP vendors call "fingerprinting," since it actually uses what the document is about, i.e. works on a - hate the word! - semantic or meaning level.
So, DLP + a bit of NLP (the other NLP) = magic :-) As a disclosure, I have to say that I just joined their Advisory Board, but, as you can guess, I joined because I am impressed (not "impressed because I joined!" :-))
Posted: 16 May 2008 07:09 PM CDT Posted by Vijai Shankar, Sr. Product Marketing Manager
Don't forget: if you want to test drive VeriSign Identity Protection Authentication Service and see how easy consumer authentication can be, download the APIs for free and check it out. You can join the growing team of test drivers, which has now exceeded 100 within a few weeks of its inception. ~Vijai
US Military Seeks to Cyber Bomb Digital Combatants [Amrit Williams Blog] Posted: 16 May 2008 05:11 PM CDT The US Military is looking to cyber bomb digital enemy combatants (here) back to using an abacus, a stone tablet and some empty cans with string for calculations and communication.
The DoD's mission statement is essentially to enable and support the warfighter - they exist for no other purpose. The mission of the warfighter is to deliver sovereign options for the defense of the United States of America and its global interests. It is quite natural for this enablement and support to extend beyond physical domains in a world with an increasing reliance on digital, satellite, and radio communications. This recent RFP for a "Dominant Cyber Offensive Engagement and Supporting Technology" from the US Air Force (here) details the requirements for a highly sophisticated, stealthy botnet with rootkit functionality. I have no doubt that the US military will implement and develop such a system. The question is: can the US military effectively fight a cyberwar against a highly distributed, disorganized, and undefined adversary? One of the major challenges of the US Military in implementing effective offensive computing technologies is the same challenge we face in fighting terrorism today in the physical world. It is extremely difficult to attack a highly distributed enemy with loose or no central command and control structures. An army of independent combatants, connected only through a common ideology, taxes a military that has been optimized to defeat traditionally organized and centrally managed armies. The challenge extends to cyber warfare as well, in an even more exaggerated way. Cyber attacks against our national infrastructure are difficult to prove as state-sponsored; additionally, the attackers can use spoofed IP addresses or route through compromised machines located in the US. Chinese-backed hackers, for example, can work independently of the military and political establishments and in doing so present a radically different set of problems to the US Military, which tends to suffer in effectiveness when the enemy is not clearly defined.
Additionally, this method of decentralized warfare allows our enemies a many-to-one relationship in attacking the US. The US, on the other hand, is challenged by a one-to-many relationship with our attackers. Put another way, it is quite simple to develop weapons that can kill an elephant moving slowly through a savanna, but much more difficult to eliminate mosquitoes throughout the jungles of Southeast Asia, while limiting collateral damage to the butterfly population. This forces the US into a continual defensive or reactive posture that keeps us struggling to keep up with our current enemies' tactics. You should also read this post from Dancho Danchev (here)
The discussion about GRC [Security Balance] Posted: 16 May 2008 03:46 PM CDT Good information will always come from discussions between people like Gunnar Peterson, Richard Mogull, Chris Hoff and Alan Shimel. This time's target is GRC tools. It started with Peterson, was commented on by Hoff and Mogull, and followed by Shimel. There is space for GRC tools on the market, but it is really risky to change a security product roadmap to rebrand it as GRC. Axur ISMS is a very nice tool to oversee and manage a security program, leading to compliance results. However, it will never work without all the processes and tools that lie beneath the strategic layer. How can a tool like that replace, let's say, an antivirus or even a firewall? The way that all those tools are being managed and how they are addressing risks is information, and it needs to be properly managed. This is where GRC products can help. If you don't have tools and processes to be managed, forget about GRC. Do the basics first.
Posted: 16 May 2008 03:18 PM CDT Posted by Cameron Hotchkies As a research team we come across a variety of interesting articles, papers and links ranging from cutting edge security research to silly web toys. We're constantly sharing information and commentary with one another and thought that it may be interesting for others to join in on the fun. So we have decided to dedicate some time to creating a generic "week in review" blog series. We'll see how it goes and we'll decide on whether or not to keep it up based on the feedback we receive. To kick things off, here are some random recent musings straight from our internal IRC:
http://www.google.com/safebrowsing/diagnostic?site=http://www.example.com
Rootkit on IOS? [varie // eventuali // sicurezza informatica] Posted: 16 May 2008 02:56 PM CDT I have received quite a few emails asking for clarification about the IOS rootkit that was discussed at EUSecWest. Since I am a bit busy at the moment (you can tell from the rarely updated blog, can't you?), I'll give one collective answer, or rather I'll leave it to the official Cisco voice: Cisco Security Response: Rootkits on Cisco IOS Devices
How to become a hacker… [Infosec Ramblings] Posted: 16 May 2008 02:55 PM CDT You may have all seen this already, but I just came across it. It's been around for a while, but I thought it was interesting. How to Become a Hacker by Eric Steven Raymond.
Why Is ISO2700x Hot in UK, but Not in US? [Anton Chuvakin Blog - "Security Warrior"] Posted: 16 May 2008 01:36 PM CDT First, something hilarious: I was teaching this brief course on logs overseas and touched upon the subject of ISO17799. So, having recently read how many companies in the US were ISO17799 certified, I asked my audience whether they could guess what the number was. One guy volunteered an answer, after some hesitation: "Less than 50%?" That's "percent", folks :-) I said to him: "You are right!" and laughed - "It is indeed less than 50!" 50 as in "count" (I read somewhere at the time that 49 companies were certified US-wide). So, ISO17799 is hot in some countries: UK, Japan, Russia (where it is a basis for a set of national standards), many others. But not in the US. I have long been puzzled about this. What's the story? The most likely explanation is that every security manager worth his salt read ISO17799 documents and then used the ideas and material in his own policies, procedures, etc. On the other hand, he sees no motivation whatsoever to invest in certification - since nobody is making him do it (no equivalent of a PCI auditor is standing nearby with a big axe...) Another explanation is that, due to the longer history of security management in the US (compared to other countries), home-grown approaches took root and no external standard will dislodge them? Yet another hypothesis goes like this: in the US, it is more important to do a good job [managing security] than to be "standards-compliant." Is the opposite true in Europe and Asia? I dunno... Or maybe ISO stuff is seen as "that Euro thing?" Exotic like a Hungarian chick, but just as relevant :-) Any ideas? UK scene, any ideas? Do you care for ISO17799 at all? As a useful document to read or something to be certified in?
Posted: 16 May 2008 01:32 PM CDT Finally, I decided to "liberate" this presentation as well: "What Every Organization Must Log and Monitor" circa 2004. This is still very useful and relevant; also, many people will appreciate my attempt to do the impossible, i.e. give a simple answer to a very complex question (BTW, it rarely works :-)) So:
Interesting Information Security Bits for May 16th, 2008 [Infosec Ramblings] Posted: 16 May 2008 01:07 PM CDT Howdy, here are some things to take a look at for today. Dave Aitel writes about automatic exploit generation from patches. According to Dave, it isn't as easy as it sounds. I agree with him. Go give it a read. GNUCITIZEN has another good post up that takes a look at resident scripts and cross-domain issues using JavaScript. Kees, as usual, has a thought-provoking post up which points out that Perception IS Reality (emphasis added). Go read it. Later folks. Have a great day. Kevin
Hey Nessus, do you do sudo? [Infosec Ramblings] Posted: 16 May 2008 12:42 PM CDT We all know and love Nessus. Well, today Tenable made it even better. Nessus now fully supports su and sudo for audit and patch compliance checks. This is very cool. Next, in response to the ssh key brouhaha this week, there are now a couple of plugins that will check for weak keys in SSH and SSL-protected webservers. Caveat: it appears that you need to be a Direct Feed/Professional subscriber to use these features. Kevin
The Daily Incite - May 16, 2008 [Security Incite Rants] Posted: 16 May 2008 09:34 AM CDT May 16, 2008 - Volume 3, #47 Good Morning:
Top Security News Is NIPS finally ready? If no, how about intrusion tolerance?
Top Blog Postings Tenable continues to push the open source model
Debian SSL Comic [Random Thoughts from Joel's World] Posted: 16 May 2008 09:26 AM CDT
Lazy Friday Pseudo Link Love [The Falcon's View] Posted: 16 May 2008 08:47 AM CDT
Essential Truths in Information Security: Perception is Reality [Kees Leune] Posted: 16 May 2008 04:19 AM CDT Another post from the train. This time I am on my way from Utrecht to Leiden. Leiden is one of the oldest cities in the Netherlands, and proudly houses one of the most well-known universities in the country. Very often, information security professionals are extreme perfectionists. The nature of our work requires us to be that. Defending against an unknown threat means that we have to be ready for any attack; missing one element or implementing one control in a vulnerable way will expose us to risk that eventually will manifest itself. However, we also need to realize that perfection is not expected from us. Moreover, one might say that the organizations we work for expect that we will not be perfect. Obtaining a high level of assurance that we will not be faced with an attack is extremely costly, and might be more expensive than the organization is willing to pay. After all, if the cost of protection outweighs the potential loss, most businesses will choose not to protect. Perception is reality. As information security professionals, we have to be very careful to strike the right balance between pointing out the risks that we face and becoming a herald of doom. Once an organization has decided what risks it deems acceptable, it is the information security professional's job to design, implement and operate the necessary controls to reach or maintain that level of risk. Unfortunately, it happens too often that an information security officer will continue to announce impending failure and that he will continue to complain that the organization does not do enough. Do not do it. Nobody is waiting for a person whose very existence will be negative and depressing. Once the organization perceives that it is secure enough, there will not be much more you can do. You may try to influence the perception, but you also have to realize that perception is reality.
If the person holding the budgets perceives that your organization is protected well enough, it is your reality that you will not get more funding. Perception is reality. Implementing a thorough and, admittedly, somewhat manipulative information security awareness campaign can be a great way to influence the perception that people in an organization might have. Most awareness campaigns target workers, but targeting senior management with an informative strategy may very well pay off. Senior managers need to be talked to in their own language, and typically in their own offices, in person or in small groups. When talking to senior executives, you have to be very well prepared. They have made it to their positions because they are intelligent, know to ask the correct questions, are not afraid to make decisions, and are willing and able to take responsibility for those choices. Before you make statements like "a lost laptop will cost us $1M, therefore I need $250k to implement a full-disk encryption program", make sure that you can substantiate the numbers, know which legislation will provide you with a safe haven from notification if the laptop is encrypted, and know which other risks are associated with data loss that can be prevented with encryption. Be honest. In addition to pointing out all the good things, also point out some of the bad things. Full-disk encryption is not a silver bullet: how much manpower it will take to implement and operate the product, how to handle the laptop when someone forgets credentials and the data on the disk needs to be accessed, etc. By being well prepared, and by carefully choosing your battles, you will change your senior manager's perception, and as a result you will change your reality. Perception is reality.
Xprobe2 - Active OS Fingerprinting Tool [Darknet - The Darkside] Posted: 16 May 2008 01:40 AM CDT Sometimes I wonder to myself whether I have mentioned a certain tool on the site, usually one of my favourites… often I search the site to find I have never posted about it. It just goes to show how we often overlook some of the more 'obvious' choices, and to many people they may not be that obvious. [...] Read the full post at darknet.org.uk
Links for 2008-05-15 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"] Posted: 16 May 2008 12:00 AM CDT
Botnets with SQL Injection tools [Jeremiah Grossman] Posted: 15 May 2008 05:09 PM CDT Dan Goodin of The Register has a gem of a story about the life of a teenage botmaster and how he got busted by the feds. While this smells of a low-hanging-fruit conviction, it provides compelling insight into just how little skill a person needs to illegally turn a tidy profit by compromising users' machines and committing fraudulent acts. It also begs the question of how much the people with some decent skills are making who also TRY NOT to get caught. Who knows, some of them could be the same people clever enough to install SQL injection tools on bots as a copycat of the massive attacks going around. "The bots then Google for .asp pages with specific terms -- and then hit the sites found in the search return with SQL injection attacks, says Joe Stewart, director of malware research for SecureWorks". Bill Pennington lays out the future of botnet attacks leveraging custom web application vulnerabilities like XSS and CSRF. Bigger potential than SQLi. Get ready everyone! This is going to be an interesting year.
Fun Security Reading - 3 [Anton Chuvakin Blog - "Security Warrior"] Posted: 15 May 2008 05:08 PM CDT Instead of my usual "blogging frenzy" machine gun blast of short posts with links and commentary, I will now combine them into my new blog series "Fun Reading on Security" or "FRoS." Here is issue #3, dated May 15, 2008.
Enjoy!
Posted: 15 May 2008 04:28 PM CDT
Apple Blogger's Network [Random Thoughts from Joel's World] Posted: 15 May 2008 03:25 PM CDT Hey everyone, if you like/love Apple products and are interested in following a spliced feed from a bunch of different Bloggers who ALSO love Apple, be sure and subscribe to the Apple Blogger's Network. There are all kinds of interesting ideas and posts, all from people who love to use and talk about Apple products. If YOU are a person that is interested in blogging about Apple, if you have an Apple Blog, etc., please email me here, and I'll send you an invitation. All the network is, is an aggregate feed for a bunch of blogs, so you will see some non-Apple posts; however, it makes for a great read!
Interesting Information Security bits for May 15th, 2008 [Infosec Ramblings] Posted: 15 May 2008 02:48 PM CDT Man, I just keep falling farther and farther behind on these posts. Anyway, here we go: Jeremiah has a nifty post up about crossdomain.xml. Jeff Jones has a short paper available that compares Windows Vista vulnerabilities to Windows XP SP2 vulnerabilities in 2007. Patrick Romero discusses Electronic Medical Records over on Security Catalyst. Nitesh has an interesting article posted about some issues in Safari and Apple's response. Innismir has posted a helpful guide on how to create new ssh system keys for those of us who are susceptible to the openssl issue on Debian-based linux distros. That's it for today. Have a good one. Kevin
The Top 25 B-to-Z List Blogs [Richi Jennings] Posted: 15 May 2008 01:55 PM CDT My piece at the "new" Industry Standard is finally up, with additional additions from Ian Lamont. "These are the blogs you won't see on the Techmeme Leaderboard, Technorati's Top 100 blogs, or the CrunchBase BloggerBoard ... at least not yet. They include VCs, entrepreneurs, coders, experts, and observers, and they bring a delicious mix of insight, experience, and passion to their blogs. While they may not have the right amount of link love, they need to be on your radar screens."
Debian ftw? [Random Thoughts from Joel's World] Posted: 15 May 2008 01:35 PM CDT So, all you Debian users, your ssh is ftl. All the other security blogs are covering it at this point (so I won't, much); however, it is of high concern, so hopefully you are/have regen'ed all your ssh/ssl keys by now. We will probably move the ISC to Yellow at some point today to raise awareness.