Monday, May 19, 2008

Spliced feed for Security Bloggers Network

New Strategy, Blame The Users [Liquidmatrix Security Digest]

Posted: 18 May 2008 09:02 PM CDT

Ah, Microsoft. You’ve been relatively good lately. Then, I read this passage over on ZDNet UK.

Software giant Microsoft has claimed user “complacency” is to blame for malware infections, and denied that its Vista operating system is less secure than Windows 2000.

While I would agree that user education leaves a LOT to be desired, this is hardly a way out. And a quote from Simon Clausen:

“Ironically, the new operating system has been hailed by Microsoft as the most secure version of Windows to date,” said Simon Clausen, the chief executive of PC Tools last week. “However, recent research conducted with statistics from over 1.4 million computers within the ThreatFire community has shown that Windows Vista is more susceptible to malware than the eight-year-old Windows 2000 operating system, and only 37 percent more secure than Windows XP,” Clausen said.

Of course Microsoft had to hit back at that one. They’d be remiss if they didn’t react. But, to lay the blame on the users? Sure, they help the spread, but not the initial infection. That would be bad code, no? Then of course the article has the routine “he said, he said” exchange. We the people will stipulate that every OS has its share of problems. Agreed. The greater the distribution of a platform, the greater the bull’s eye painted on it.

It’s not rocket science.

Then again the average monthly percentage of Vista users that we have here on Liquidmatrix is 6%. Coming in squarely behind XP, Mac and Linux.

The article puts Windows 2000 security ahead of Vista. Ouch, that’s gotta sting for a “work in progress”. So, how long until Microsoft does itself a favour and gives Ballmer his walking papers? His comments and bluster remind me of…of…

Oh yeah.

This guy.


Something in the latest Windows update is hosing my laptop [StillSecure, After All These Years]

Posted: 18 May 2008 07:25 PM CDT

Readers of this blog know that I am not a Microsoft basher. So when I complain about something regarding Microsoft I am not doing it to just kick dirt on them. But something in the latest Windows update is killing my laptop. I downloaded the latest update as part of the automated update a few days ago. It said I had to restart the computer for the updates to take effect. I waited to restart since I was on the road and just hibernating my computer.

Since coming home this weekend I rebooted and the problems have started. First of all, when I have Outlook running at the same time as IE they seem to be interfering with each other and the computer just freezes with "not responding" messages in both title bars. As much as that sucks, eventually it seems to work its way out and the page refreshes. However, another fatal error happens consistently now where the cursor just freezes, the screen locks and there is nothing I can do to shake it loose without powering down by holding the power button. Then of course on reboot I have to go through the dreaded Outlook "check the file for problems" check, which chews up another 15 minutes.

This is getting really tired now. Thankfully I am out in Colorado tomorrow and will have our IT folks have a look. But having my computer lock up is not fun. If it is indeed due to the latest hotfix I am going to be really upset. There is just no excuse for this. Those Power Macs are starting to look mighty good!

Website Defacement Group Arrested After Going too far [Sunnet Beskerming Security Advisories]

Posted: 18 May 2008 08:47 AM CDT

Most website defacement groups are regarded as more of a nuisance than a major threat. While they cost site operators and maintainers valuable time and resources to recover damaged sections of their sites and patch the entry points, generally the only damage done is to place a page on the site to proclaim the technical prowess of the group, before they run off and self-report to the World's largest online defacement archive, at Zone-H.

Sometimes the groups go too far for comfort for authorities. Defacements of sites belonging to government agencies or bodies have their own special place in the Zone-H archive, but most of the time these defacements are treated exactly the same as for non-government sites - as a nuisance.

For one Spanish group, hacking a Spanish political site was the one step too far for comfort, eventually resulting in their arrest. Spanish sites weren't the only sites that they defaced, with numerous US sites, including NASA sites, on their list of defacements recorded at Zone-H.

May Security Patch Release Shows few Surprises [Sunnet Beskerming Security Advisories]

Posted: 18 May 2008 08:33 AM CDT

Microsoft's May Security Patch Release came with very few surprises, a welcome break from the other problems that cropped up during the week.

As promised with the pre-release notification, four patches were released, dealing with Office, Windows, and the Windows Malware Protection Engine. One historical patch (MS06-069) was re-released, to account for the vulnerability extending to Windows XP SP 3, which was recently released.

Of the released patches, three were Critical, relating to remote code execution vulnerabilities, with the Malware Protection Engine vulnerability being a Denial of Service type vulnerability.

The only real surprise was the patch for the Jet Database Engine, as it is something that Microsoft had said in the past that they would not be patching. As the only vulnerability being actively exploited at the time of patching, it is a welcome relief to see Microsoft providing a fix for this issue.

GRC is dead (not) [Compliance Focus - Blogs]

Posted: 17 May 2008 11:00 PM CDT

Great, a food fight erupts on one of my favorite topics, and I’m the last guy to reach for the mashed potatoes. Rich Mogull decides that GRC is dead, and Alan Shimel points out some IT security realities (compliance is a big driver) here. Chris Hoff makes a few points as well here.

By way of introduction, I worked for one of the early IT-GRC product vendors (before the analysts decided that IT-GRC was different from enterprise GRC). I have also done consulting work for another vendor in this area, and I have authored a course on IT Risk Management. I have had enough exposure to large end users that I would like to think that I understand where these products provide value and utility, and where there are holes.

First, I think it’s important to draw a distinction between the enterprise GRC crowd (Paisley, OpenPages, Axentis, and others), and the IT-GRC crowd (I would put Agiliance, Brabeion, ControlPath, Avior, Compliance Spectrum, Relational Security, Modulo, and Archer in this category). The enterprise GRC products tend to be all about workflow, with little depth in the area of IT risk assessment, analysis, and management, and little depth in the IT security-centric compliance regulations and standards (HIPAA, GLBA/FFIEC, NERC/FERC, PCI, ISO27000, BITS, FISMA). By contrast, the IT-GRC products tend to have a lot of depth in terms of very specific controls and requirements that relate directly to these regulations and standards. These two categories are different products, solving different problems, being sold to different audiences.

My 2 cents on the IT-GRC products- they provide a lot of functionality that highly regulated (read financial services) organizations need. They structure security management, providing the means to assess compliance to an external regulation, or to an internal, best practices framework. They also structure the workflow of security and compliance- in one analyst briefing I did a few years ago, the analyst remarked that the IT-GRC product in question was sort of for security & compliance managers like Peoplesoft was to HR managers. In a large organization, managing security and compliance can be overwhelming, and these tools give the manager a better way to manage the overall effort. And there is value for the business units and their management in these tools.

They are not without fault- as I have blogged previously here, few of them do much in the way of true analysis of risk. Most of them stop at helping to gather data about risk, or they use some proprietary method to try and calculate risk, as I have also blogged about previously. But to characterize these products as dead is wrong.

There’s also the familiar dynamic at work here that the analysts have decided that this category will be called IT-GRC, and therefore the vendors will all have to rush to provide more and hopefully better "R”, and even some “G”, irrespective of what their users are asking for, lest the vendors get left off the MQ, Wave, or whatever.

To Chris Hoff's contention that GRC products are "audit driven compliance all tarted up", I think you have to tell us if you're talking about enterprise GRC or IT-GRC. Many of the IT-GRC products are *highly* asset focused. There is a direction in some of these tools to create direct linkages to data from other security tools: vulnerability management systems, configuration management, etc.

I will agree with Rich on this point- security vendors putting a little GRC lipstick on their favorite pig probably isn’t a great strategy.

The best random generator since Schrödinger's cat [Birchtree Blog]

Posted: 17 May 2008 07:02 PM CDT

The Whirlygig RNG. If Felix von Leitner considers building a batch (in German) then there must be value in it.

Read the complete article at IT Security Link.

Researchers: Obfuscate patches. [Birchtree Blog]

Posted: 17 May 2008 06:39 PM CDT

Researchers from Carnegie Mellon have developed a way to semi-automatically develop exploits from patches (cf. story on SecurityFocus).

Read the complete article at IT Security Link.

Debian and Ubuntu OpenSSL Vulnerability [spylogic.net]

Posted: 17 May 2008 10:30 AM CDT

I won't go into all the details since every other security blogger on earth is covering it....however, as a reminder this issue is pretty serious if you had generated any keys on affected Debian or Ubuntu systems. The best summary I have found of the issue with links to all the "toys" that have come out to attack this vulnerability are on HD Moore's web site. Here is a summary from HD:

"All SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc) between September 2006 and May 13th, 2008 may be affected. In the case of SSL keys, all generated certificates will need to be recreated and sent off to the Certificate Authority to sign. Any Certificate Authority keys generated on a Debian-based system will need to be regenerated and revoked. All system administrators that allow users to access their servers with SSH and public key authentication need to audit those keys to see if any of them were created on a vulnerable system. Any tools that relied on OpenSSL's PRNG to secure the data they transferred may be vulnerable to an offline attack. Any SSH server that uses a host key generated by a flawed system is subject to traffic decryption and a man-in-the-middle attack would be invisible to the users. This flaw is ugly because even systems that do not use the Debian software need to be audited in case any key is being used that was created on a Debian system."

Ugly vulnerability is right for an OS that changes you....
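The audit HD's summary calls for, as an added example that is not code from the original post or from HD Moore's site: the script parses an `authorized_keys` file (tolerating option prefixes such as `from=` or `command="..."`), computes the OpenSSH-style MD5 fingerprint of each key, and flags any key whose fingerprint is on a blacklist. The keys and the blacklist below are constructed; in a real audit the blacklist would hold the fingerprints of keys already identified as generated on an affected Debian system.

```python
"""Flag authorized_keys entries whose fingerprints appear in a weak-key list.
Added example (not from the original post). The sample keys use toy RSA
parameters and the blacklist is constructed for the demonstration."""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length prefix + bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint: two's-complement big-endian, padded so the
    sign bit is clear (a leading 0x00 when the top bit of n is set)."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def make_rsa_blob(e: int, n: int) -> str:
    """Base64 ssh-rsa public-key blob: string 'ssh-rsa', mpint e, mpint n."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return base64.b64encode(blob).decode()


def md5_fingerprint(blob_b64: str) -> str:
    """OpenSSH-style MD5 fingerprint of a key blob (colon-separated hex)."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def parse_authorized_keys(text: str):
    """Yield (key_type, blob_b64, comment) for each key line. Blank lines and
    '#' comments are skipped; an options prefix (from=..., command="...")
    is tolerated by locating the first field that names a key type."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # no key type + blob pair: not a usable key line
        yield fields[idx], fields[idx + 1], " ".join(fields[idx + 2:])


def audit_authorized_keys(text: str, blacklist: set) -> list:
    """Return [(comment, fingerprint)] for every key on the blacklist."""
    hits = []
    for _key_type, blob, comment in parse_authorized_keys(text):
        fp = md5_fingerprint(blob)
        if fp in blacklist:
            hits.append((comment, fp))
    return hits


# Constructed sample keys: toy moduli, far too small for real use.
KEY_A = make_rsa_blob(65537, 0xC0FFEE1234567891ABCDEF)
KEY_B = make_rsa_blob(65537, 0xDEADBEEFCAFEF00D12345679)

SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample authorized_keys
ssh-rsa {KEY_A} alice@laptop
from="10.0.0.0/8",no-pty ssh-rsa {KEY_B} build@debian-box
command="echo no shell" ssh-rsa {KEY_A} deploy@ci
"""

# Constructed blacklist: KEY_B stands in for a key known to be weak.
WEAK_FINGERPRINTS = {md5_fingerprint(KEY_B)}

if __name__ == "__main__":
    for comment, fp in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS):
        print(f"WEAK KEY: {comment} ({fp})")
```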

Microsoft BlueHat + Seattle [Nitesh Dhanjani]

Posted: 17 May 2008 03:59 AM CDT

I presented "Bad Sushi: Beating Phishers at their Own Game" with Billy at the Microsoft Blue Hat 2008 conference. It was a great opportunity to get to know the Microsoft security and product teams. I'd like to thank Billy Rios, Andrew Cushman, Katie Moussouris, Sarah Blankinship, Celene Temkin, Dana Hehl, and the rest of the Blue Hat team for inviting me. Speaking of Microsoft, I'm moving to Seattle tomorrow. I'm looking forward to getting in touch with a lot of old friends there so that should be good. If you are in the area, just let me know - it will be good to catch up.

New School Information Gathering Talk at ChicagoCon [Carnal0wnage Blog]

Posted: 16 May 2008 10:20 PM CDT

Gave my New School Information Gathering talk at ChicagoCon. I think it went pretty well and I got some good feedback on it afterwards.

Here was the agenda:

Open Source Intelligence Gathering (OSINT)
FierceDNS
SEAT/Goolag
Google Mail Harvesters
Metagoofil
Online Tools
Netcraft/ServerSniff/DomainTools/CentralOps/Clez.net/Robtex
Maltego

I was pretty surprised that most people had not heard of the tools and only like 3 people had heard of Maltego. I should have a Maltego v2 review getting pushed out on EthicalHacker.net soon.

Slides and audio should be out next week on the ChicagoCon site. If you are really anxious you can email me and I will probably send them to you.

ChicagoCon Day 1 wrap-up [Carnal0wnage Blog]

Posted: 16 May 2008 10:16 PM CDT

The first round of talks was on Friday night and they went well. By far the best talk was Luke McOmie and Chris Nickerson's talk on "The Art of Espionage". They talked about why red team style pentesting is working and why you should want your organization to have those types of tests conducted. They also gave out a good basic methodology on conducting those kinds of assessments. It was a really good talk and I am looking forward to their workshop tomorrow.

2nd up was my talk on "New School Information Gathering". It took me a bit to get warmed up but I think it went well after I got going.

The talk was basically about information gathering beyond just using whois lookups without sending non-standard traffic or scanning to the target domain.

End Result?
Organization's net blocks, external servers IPs and domain names, internal IP ranges, emails to send phishing attacks to, phone numbers to call, trust relationships with other organizations, & other relevant information for your audit and hopefully identifying exploitable flaws in the target's network without scanning or sending non-standard traffic at the organization.

3rd was Matt Luallen of Sph3r3 LLC. He talked about "Simple Principles to Protect Information and Control Now and Tomorrow." He rolled out 22 principles to protect information. Definitely worth taking another look at when the slides come out.

Last up was Kelly Housman of Microsoft talking about "A look into Defense In Depth Security." I missed the first part because I was snagging free food. What I did catch was about Microsoft's Network Access Protection (NAP) initiative. Basically NAC implemented in Windows software, where if your agent doesn't check in with the server and you aren't patched up you won't get network access tickets and you'll be segmented off and ignored by other clients. I'm old school and I like network gear doing my layer 2/3 protection instead of it being implemented by a server and some client software. I'm also leery of how a client will start to "ignore" an unauthenticated host on a LAN as well. He also went into some IPSec stuff, very MS centric, and if you are running OSX or *nix you may be out of luck. Of course the whole trick to NAC is just figuring out how to tell the "checking software" what it wants to hear.

I'm excited for day 2, hopefully I'll get out an update on day 2 tomorrow.

US Military Seeks to Cyber Bomb Digital Combatants [Amrit Williams Blog]

Posted: 16 May 2008 05:11 PM CDT

The US Military is looking to cyber bomb digital enemy combatants (here) back to using an abacus, a stone tablet and some empty cans with string for calculations and communication.

The world has abandoned a fortress mentality in the real world, and we need to move beyond it in cyberspace. America needs a network that can project power by building an af.mil robot network (botnet) that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic. America needs the ability to carpet bomb in cyberspace to create the deterrent we lack.

The DoD’s mission statement is essentially to enable and support the warfighter - they exist for no other purpose. The mission of the warfighter is to deliver sovereign options for the defense of the United States of America and its global interests. It is quite natural for this enablement and support to extend beyond physical domains in a world with an increasing reliance on digital, satellite, and radio communications.

This recent RFP for a “Dominant Cyber Offensive Engagement and Supporting Technology” from the US Air Force (here) details the requirements for a highly sophisticated, stealthy botnet with rootkit functionality. I have no doubt that the US military will implement and develop such a system. The question is, can the US military effectively fight a cyberwar against a highly distributed, disorganized, and undefined adversary?

One of the major challenges of the US Military in implementing effective offensive computing technologies is the same challenge we face in fighting terrorism today in the physical world. It is extremely difficult to attack a highly distributed enemy with loose or no central command and control structures. An army of independent combatants, connected only through a common ideology, taxes a military that has been optimized to defeat traditionally organized and centrally managed armies.

The challenge extends to cyber warfare as well, in an even more exaggerated way. Cyber attacks against our national infrastructure are difficult to prove as state-sponsored; additionally, the attackers can use spoofed IP addresses or route through compromised machines located in the US. Chinese-backed hackers, for example, can work independent of the military and political establishments and in doing so present a radically different set of problems to the US Military, which tends to suffer in effectiveness when the enemy is not clearly defined.

Additionally, this method of decentralized warfare allows our enemies a many-to-one relationship in attacking the US. The US, on the other hand, is challenged by a one-to-many relationship with our attackers. Put another way, it is quite simple to develop weapons that can kill an elephant moving slowly through a savanna, but much more difficult to eliminate mosquitoes throughout the jungles of Southeast Asia while limiting collateral damage to the butterfly population. This forces the US into a continual defensive or reactive posture that keeps us struggling to keep up with our current enemies' tactics.

You should also read this post from Dancho Danchev (here).

The bottom line - why put efforts into building something that would generate a lot of negative publicity and might never materialize, when you can basically outsource the process and have the capability provided on demand? Just like the bad guys who do not have access to botnets do by using botnets as a service?

Wordpress.com Feed Glitch? [Infosec Events]

Posted: 16 May 2008 01:56 PM CDT

Today I noticed a ton of duplicate content on various blogs. My first thought was they were all hacked, but the content pages weren’t malicious at all. I then noticed that all the blogs that were affected were hosted blogs at wordpress.com!

Somehow, all the feeds were now pointing to http://en.blog.wordpress.com/feed/. Below are a couple screenshots on what I was seeing.

The RSS reader that I use is FeedDemon, and I’m wondering if the issue was at wordpress.com, or an application issue. I had to re-subscribe to about 30 feeds because of the issue. Has anyone else seen this activity?

Twitter Boycott Defeats its Own Purpose [Mediaphyter - A Communications Cocktail]

Posted: 16 May 2008 01:53 PM CDT

Apparently some disgruntled Twitter users are organizing what they are calling a Twit-Out (aka a Twitter boycott) this coming Wednesday, May 21. The thinking is that we need to prove to Twitter that its success is powered by the community that participates in it and would be nothing without us. I think this is a fabulous idea. Especially given all of the success we’ve had in terms of boycotting gas on certain days of the week to get those pesky oil companies to drop their prices. /me being sarcastic

A few people, including Warren Whitlock, have already made the “you get what you pay for” statement. I absolutely agree. We get what we pay for. Unless those boycotting have made significant financial contributions to the server upkeep of Twitter I really don’t want to hear it from them. Whitlock also made a great point in his comment on the Twit-Out blog post about how sometimes his car breaks down or appliances go out, but it happens. And those are much more frustrating situations because it is our financial investment at risk. Finally, he goes on to highlight that Twitter has rarely ever, if not never, been down for a full day.

So is this boycott really about teaching Twitter a lesson or is it a group tantrum?

My main concern about these Twitter boycotts and “us against Twitter” mentality is this: you cannot continue to build and drive community by purposefully disbanding community to make a point. It’s not as if they are going to march upon Twitter’s San Francisco office and make a stand. No. They are simply going to prove to Twitter that they can, indeed, live without it for a day. Can someone explain to me how this solves anything?

Twitter keeps breaking. We keep going back. We use Pownce and Jaiku sometimes but they pale in comparison. Brightkite is now available but most people use it to feed into Twitter and it’s not near ready as a replacement. The new rage of Twitterfone would be useless without Twitter itself (note: I really like Twitterfone thus far; waiting for improvements on transcription, however).

Sit back kids, grab a blankie and some cocoa and read a story:

A couple years back I was a pretty active member of the now-defunct Consumating.com, “a social network for geeks” and one of the first that incorporated social tagging. We loved it. We would communicate primarily through topic boards and tags. Then it started to crash. A lot. Some protested, some wrote letters and complained. The drama that was created ultimately led to many of Consumating.com’s power users, myself included, deleting their profiles and forgetting about the site. The community divided and therefore dwindled. And while CNET had purchased Consumating from Ben Brown long before and there was always a rumor that it would shut down, it eventually just did. Part was big corporation power, but another key part is that there was just no one left who even cared. It’s now been replaced by Help.com. Who? Exactly.

It’s unlikely that Twitter would go the way of Consumating.com, as it’s more than a social network; it’s become a business tool, a customer service platform, an important networking medium, a blog feeder and a “where are you” connector for major events (Mac World, RSA Conference, and now the upcoming EMC World). But the community divide is just as dangerous as Consumating’s. Let’s not be foolish and bite the hand that feeds us. Sure, we may be an army of powerful voices now, but if we scream too loud eventually we’ll do nothing more than drown out each other.

Don’t boycott. If you want to leave, leave. But if you want to stay, put your energy into something effective. Urge the third-party apps that ping the Twitter API and cause more strain on the network to instill limits (as Shannon Whitley so wisely did with MyTweeple). Reach out to Twitter and see what you can do to help. The Twitter staff knows it has network issues and that their user base is growing faster than it can handle. Or, continue down this route and stop using Twitter - and save the server space for those of us who truly do want to build community rather than aid in its demise.
