Wednesday, May 21, 2008

Spliced feed for Security Bloggers Network

Ted Kennedy: a lifetime of achievement, regrets for a world that could have been [StillSecure, After All These Years]

Posted: 21 May 2008 07:03 AM CDT

I usually stay away from politics on my blog. As I have said before, it is my blog and I can write what I want, but politics usually is just too controversial for me to write on. Upon hearing the terrible news about Ted Kennedy's malignant brain tumor, I was moved to write something, then thought twice about it and thought yet again. However, Ted Kennedy and his life and times have been such an influence and part of my life that I am compelled to write. So on this night where it appears that an African-American has won a majority of the pledged delegates of the Democratic Party, while running against a woman, I think it only fitting to remember Ted Kennedy. I do not mean this as a eulogy or obituary and in fact hope against all that I have read and heard that a miracle will grant him many more years of serving in the Senate. But it seems Teddy has a tough road ahead and this is as good a time as any to speak out.

One of my earliest memories of current events was when Ted's brother John was assassinated. I was a little boy playing catch with my Dad when my Mom came to the door and called us in because something terrible had happened. I didn't really understand, but my parents told me that the President (who I had seen with VP Johnson drive by in a motorcade months before) had been shot. I don't remember a lot more of the details, but do remember Oswald getting shot and some pictures of the funeral. The mind of a young boy is quickly filled with other things though and I moved on past that horrific November day.
Next when I was a bit older, the crazy year of '68 was upon us. I was still fairly young, but I remember riots in the cities, pictures on the news of the war and Bobby Kennedy, the Senator from NY running for President when President Johnson said he would not run. Martin Luther King was shot and killed and so was Bobby shortly after. By now I was old enough to realize the tragedy of these killings. I remember hearing Teddy's eulogy of Bobby and thinking what a terrible thing to have happened to this family, losing two of their sons like this.

For me it was the start of a lifelong interest in all things Kennedy. I read many books about all of the Kennedys and lamented what could have been if not for the bullets that killed first John and then Bobby. A key part of my core political beliefs was that if John Kennedy would have served out his first term and been re-elected, how different the world would have been. If Bobby Kennedy had been elected President instead of Nixon, what would the world look like now? There was always a sense that Teddy, the baby Kennedy brother, would rise up and take the mantle and place that seemed to belong to this family. He would restore Camelot. Alas it was not to be. His time just never came. Though he ran a noble race, Chappaquiddick haunted and doomed his candidacy. After that Teddy was the patron of a family that just seemed unable to escape tragedy. One mishap after another befell this family that had been previously granted so much good fortune. It truly did seem as if they were cursed. Teddy himself had his ups and downs with drinking and divorce and the health of his children. Though he asked us to never let the dream die, the legacy of Camelot did seem to pass on.

Through it all Ted Kennedy continued to do good work for this country in the Senate. Looking back, Teddy's legislative record has probably had more of an influence on this country than either of his brothers had. His name is attached to many of the greatest laws passed over the last 40 years. Teddy was also a great orator. Many say that his finest speech was as the keynote speaker at the 1980 Democratic Convention, when he mounted his challenge to a sitting President Carter. But for me Teddy's finest moment was in delivering the eulogy for his brother Bobby. The "some men ask why, Bobby dreamed of what could be and asked why not" speech never ceases to move me. I include this YouTube video as a tribute to Ted Kennedy and all that he and his brothers meant to me, along with my prayers for a recovery from this terrible condition.

Power To The Cloud! [vandeneynde.net] [Belgian Security Blognetwork]

Posted: 21 May 2008 04:59 AM CDT

This week, I got my invite for Google App Engine in the mailbox. If you have not heard of it, Google App Engine is a beta product from Google where you can publish your web apps to Google’s massive infrastructure. Currently only Python is supported as a language but Google intends to add other languages in the future.
It seems (I will try when I have more time) really easy to publish your app to their cloud. As an extra advantage, you can use Google’s API for Authentication so you can for example authenticate your users based on their Google Account. For the moment, it is free although some quotas are enforced but I suspect that after the beta period ends, it will be a paying service.

Google is not the first to offer these kinds of services. Amazon already has a stable cloud platform. They even go further by offering a real computing platform instead of ‘just’ a web application framework.
The advantages of Cloud Computing for businesses are obvious. You get instant scalability and high availability for your application and you pay only for how much you use it without investing heavily in your own hosting infrastructure.

However, security is more than availability alone. There are obvious concerns about the confidentiality and integrity of your data while it lives in the cloud. Is your data private in the cloud? Could it become corrupt? The answers are that you don’t know and that you trust the cloud provider.

Potential vulnerabilities should also be a concern. Google has disabled most of the ‘unsafe’ functions in Python but there are bound to be bugs (and security vulnerabilities) in the applications that developers push to the cloud. Will these affect other applications? Again, you trust the provider.

Or what about abuse of the cloud as such. I noticed Google offers a mail API to send out e-mail. Google is quite a trusty sender of mail so this would be ideal for spammers to abuse. Imagine littering the cloud with web apps which can send e-mail and writing a front-end spam app which sends round-robin spam to all these apps, who deliver mail through the trusted Google smtp engine.

Will these and other security concerns stop the trend to Cloud Computing? I don’t think so. As with all new technologies, there are concerns but when there is a business driver (cheap high availability) you might be able to slow it down but it will not disappear. This is something which not only goes for IT but for most technologies.
The real challenge will not be to list all possible risks to scare people but will be to think about how we will handle this technology securely and how security can be embedded in the cloud. Interesting times I think.

Biggest hack this year VTM and all their sites are gone [belsec] [Belgian Security Blognetwork]

Posted: 21 May 2008 04:08 AM CDT

For our international readers: this is the biggest Flemish commercial TV station.

See for yourself

http://www.zone-h.org/component/option,com_mirrorwrp/Itemid,160/id,7481271/

http://www.zone-h.org/component/option,com_mirrorwrp/Itemid,160/id,7481270/

http://www.zone-h.org/component/option,com_mirrorwrp/Itemid,160/id,7481269/

http://www.zone-h.org/component/option,com_mirrorwrp/Itemid,160/id,7481243/

http://www.zone-h.org/component/option,com_mirrorwrp/Itemid,160/id,7481237/

We think that maybe their CMS is the core of the problem as it also seems hacked. Upgrading your CMS is essential. 

We thank zone-H.org for still being there.

We will add them to our archive in the coming hours.

And those that were angry that we reported their hacked websites, well, you seem to be in good 'family'.

the curse of the selfsigned certificate (update) [www.remes-it.be] [Belgian Security Blognetwork]

Posted: 21 May 2008 03:56 AM CDT

What is it with companies that badly want to open an application to online users, yet choose not to purchase a certificate from a trusted certificate authority? I say it's a clear sign they don't have security in their SDLC and it makes me very wary about the quality of, and the amount of trust I have to put in, their application.

My point of view:
a) SSL is based on trust and the ability of ME to verify whether I can trust you or not. It's not because I pay for your service, that I TRUST you and will accept your CA certificate to be installed on each and any PC in my infrastructure.

Presentation and film about the US elections in 2000 that started the rethinking about evoting [belsec] [Belgian Security Blognetwork]

Posted: 21 May 2008 02:34 AM CDT

HBO made a film about the recounting scandal in 2000. Bush won the backroom fight, but did he win the election or was it just that Gore gave up too fast at High Noon, in the interest of the State and the institutions? Four years later in Ohio it was the same problem and again the Democrats didn't go all the way to dispute the way the election was handled.

This is a very beautiful slideshow of messed-up technology that is being used in an important electoral process and can be responsible for drama and bring the country to the brink of a constitutional crisis. You can't redo elections just like that or because some machines broke down. Elections are organised at a particular moment in a particular mindset and redoing an election doesn't guarantee that this would give the same results. You can't ask the people to vote exactly as they did during the election that was declared void.

This is why it is very, very important to be very prudent about the choice of technology, the controls of the technology before the election and the controls during the elections and when the results are being tallied and verified (between mechanical and paper results).

It is not because we are against anything electronic or because we don't know what to do with our time or just like being critical and being criticized all the time. It is only because democracy is too important to give it to the engineers and technobelievers without any controls.

About the Estonian 2007 Cyber War [/dev/random] [Belgian Security Blognetwork]

Posted: 21 May 2008 12:09 AM CDT
An interesting article about the cyber war which hit Estonia in 2007:
http://www.ciaonet.org/journals/gjia/v9i1/0000699.pdf

Top 5 Abused/Misused/Misconstrued Terms in Information Security [Amrit Williams Blog]

Posted: 20 May 2008 11:58 PM CDT
You have all heard them posted from atop the Internets in the form of a blog posting, white paper or marketing collateral; references to theoretical physics, military strategy and Dilbert cartoons. Memes splashed with a dollop of self-aggrandizing and a pinch of navel lint. They are the top 5 abused, misused and misconstrued terms in Information Security…

1. Paradigm Shift: Used by every marketing person to convey the revolutionary pendulum shift created by their company's latest widget - Foucault would be proud (here), mostly because he loves pendulums; Kuhn (here), however, would not be, since he specifically bounded the term to hard sciences. Information security is not a hard science, hell we can’t even measure it (here).

2. Game Theory: Security folks love games, they also love theories, so it seems obvious that they would love game theory. There is nothing inherently wrong with the use of game theory to describe computer security, it’s just that it assumes less variability than actually occurs in the dark places between the keyboard and the chair. Speaking of games there is a worm that targets Grand Theft Auto 4 (here), or more accurately targets GTA4 fans who use peer-to-peer networks to share pirate steal distribute files.

3. l337 5p34k: Slang jumped the shark decades ago when organized street gangs took prison lingo to a new level of communication as part of their criminal enterprise. Computers introduced a new shark. l337 speak (here) has become one of the more annoying side effects of the collision between illiterate hackers, uneducated security professionals and text messaging. Whether you are 12, 22 or 42 if you use leet speak then ur teh suk.

4. * is dead: Killing products or markets is one of the more liberating aspects of being an analyst - paid and armchair alike - from PKI is dead, to IDS is dead, to AV is dead, to GRC is dead, to security itself is dead, it seems like every time you turn around someone is killing something in security. Unfortunately no one seems to be focused on killing the threats themselves. Interestingly enough all of the technologies that are pierced through the heart with the mighty pen of analytical bravado seem to be thriving at some level. The reality is that technologies rarely die, Windows Vista aside, the majority of technologies evolve. So it is far more appropriate to say IDS evolves, or AV evolves, or security evolves but that is far less controversial and no one wants less controversial in a world screaming for cage match analysis and bare knuckle blogging.

5. Security ROI: Security ROI is the white whale of the security industry. Some have been tracking the beast for decades, convinced that once achieved it will spring forth a fountain of incontrovertible proof that security can in fact save you money or, more appropriately, that vendors can sell you more stuff. Yes, we all know that security costs money and bad security can cost lots of money, but making an economic case for security investment will only leave you cold and alone in the best case and standing next to a freeway onramp with a “Will secure your WAP for food” sign in the worst.

Other terms that were considered for inclusion on the list but didn’t meet the judges' exhaustive criteria for the top 5 included: FUD, DLP, CMF, IDS, IPS, PFW, AV, AS, SCAP, FDCC, CVE, CVSS, CPE, CCE, OVAL, XCCDF, PCI, SOX, HIPAA, GLBA, FISMA, COSO, COBIT, CISSP, ITIL, ITSM, CMDB, NAC, GRC, Rich Mogull, information centric security, data centric security, twitter, virtualization, virtualization security, virtualized security, secure virtualization, security of virtualized environments, business alignment, business enablement, metrics, risk management, in the cloud, security as a service, vulnerability disclosure, black hat, white hat, grey hat, zero day, SCADA, hacking, cracking, freaking, phreaking, phracking, security awareness, Sun Tzu, and of course quantum anything…if you feel the judges neglected a term please let us know so we can include the entry in next year's contest.

Network Security Podcast, Episode 105 [Network Security Blog]

Posted: 20 May 2008 09:14 PM CDT

Rich and I were joined tonight by a Phoenix local and fellow security blogger, Adrian Lane. Adrian is the CTO at IPLocks and blogs about data security at Information Centric Security. We had a lot of topics to talk about tonight and wrapped up by spending a few minutes discussing security at the information level. Go figure. Adrian brought two decades worth of security experience (and ‘network hair’) to tonight’s podcast. And to no one’s surprise, we had a privacy issue that we spent more time on than we probably should have.

Show Notes:

The problem about stored procedures and SQL injections [Security4all] [Belgian Security Blognetwork]

Posted: 20 May 2008 07:26 PM CDT

With all the SQL injection attacks, it might be interesting to cover a bit more in this topic. The Security Development Lifecycle blog has a nice post by Michael Howard on a couple simple steps to...

The discussion about the Hackersafe logo [Security4all] [Belgian Security Blognetwork]

Posted: 20 May 2008 05:55 PM CDT

Nate McFeters kicks the discussion into gear over at Zdnet: the hackersafe certification. There are some more interesting links over...

Risky business; podcast covering the AusCERT 08 conference [Security4all] [Belgian Security Blognetwork]

Posted: 20 May 2008 05:14 PM CDT

Check out the Risky business AusCERT '08 podcast covering this conference. Subscribe via RSS/Podcatcher. Some examples: PRESENTATION: Shadowserver Foundation INTERVIEW: Microsoft's Security...

WebAppSec meets the NFL [Jeremiah Grossman]

Posted: 20 May 2008 03:15 PM CDT

Ryan Barnett of Breach Security has a great post up on how to think about outcome-based metrics in a web application security world, instead of always being input-centric.

"We are focusing too much on whether a web application's code was either manually or automatically reviewed or if it was scanned with vendor X's scanner, rather than focusing on what is really important - did these activities actually prevent someone from breaking into the web application? If the answer is No, then who really cares what process you followed. More specifically, the fact that your site was PCI compliant at the time of the hack is going to be of little consequence."

Spoken like a man who's actually had to defend a website before, the U.S. federal ATF website incidentally. I bet he has some great stories he can never tell either. :) Ryan's NFL analogies are borrowed from Richard Bejtlich, but I loved how he expounded upon them with his own.

"…vulnerability scanning in dev environments is akin to running an Intra-squad scrimmage."

"Running actual zero-knowledge penetration tests is like Pre-season games in the NFL."

"Web application firewalls, that are running in Detection Only modes, are like trying to have a real football game but only doing two-hand touch."

LOL. Brilliant!

Spammers in Love [Commtouch Café]

Posted: 20 May 2008 02:58 PM CDT

I just got back from a long, hot but very enjoyable day trip with the Israeli team to the Sea of Galilee, so I’ll keep this brief (and will post the pics from the trip tomorrow). Commtouch spam analysts informed me about a new outbreak of “love” malware which began around 18:00 UK time yesterday, [...]

GRC is NOT dead and it is also NOT a Tool. [Andy, ITGuy]

Posted: 20 May 2008 02:32 PM CDT

There is a debate going on involving the validity of GRC and whether it's living, dead or was ever around. You can find some of the discussions here, here, here, here and here. I'm here to tell you that GRC isn't dead. It's alive and well and living in a business near you. At the same time, it also was never a viable option for a business to buy. If we look at GRC as a tool then we are missing the point of GRC.

One of the biggest problems in Information Security is that we try to throw a tool at everything. Being technology geeks, we seem to think that the answer to everything is technology oriented. There is no technology that can do any of these things for you. Technology can assist you in maintaining a secure and compliant environment, but it can't do it for you.

Let's look at each of the three pieces of GRC individually and talk about how we can make them work within the business. This is not intended to be an exhaustive look at GRC or any one part of it. It's a common sense look at how each piece can work for you.

Governance basically means that IT is not driving the business but is working in conjunction with the business to meet the needs. How does process help out here? It starts with an understanding throughout the business that IT has to be involved in the process of finding a solution to a problem or need. That means that IT doesn't tell the business what the solution will be but it also means that the business doesn't drop something in IT's lap and then say "Make it work and keep it running". The process involves an understanding between all parties that they have to work together to reach a solution that meets the needs of the business while fitting into the infrastructure and design of the IT program. That is the easy part. The hard part is convincing the business that this is the best way to work. I can't help you with that much. That's a fight you have to fight on your own. I've got my own battles to win. :)

Risk is looking at your environment, the threats to it and how likely you are to have some of the threats realized. This involves knowing what you have, where it's at, what's wrong with it (vulnerabilities), who has access to it, who may be able to gain access to it, whether they want it and what you can do to keep your risk at bay. Now there are all kinds of technologies that will help you with this, but the key to it is having the right policies in place and the ability to enforce them. Knowing your environment is vital to maintaining a successful risk program. I can't tell you the number of companies that I've worked at, seen or talked to that don't have a clue as to what they really have nor where it's at. I'm not only referring to data but even technology and systems. Servers that were deployed without being added to the server management matrix, new switches that were put in but never noted. Changes to the flow of information that don't get documented. Get the point? You can't manage your risk if you don't know what the risks are. The technology required to manage this is expensive to buy and can be complex to maintain, so that puts it out of range for lots of companies. So having policy and process in place is necessary to try and keep control over this.

Compliance is meeting the requirements set forth by various rules, regulations and laws. People will try to sell you all sorts of tools and technologies to make you compliant. The problem there is that none of them will make you compliant. I won't spend much time on this because it's been blogged to death. The key to compliance is just good security. When you have a good security program in place then you will only have to make minor changes to ensure that you are compliant with most of the regulations that affect you. There are few regulations that get so involved that they will require you to make major changes to a good security program.

So GRC isn't dead we just have to look at it from the right perspective. If we focus on it being a technology solution then if it's not dead we need to kill it. If we look at it from a policy, process and common sense perspective then it is alive and well and will thrive for years to come.

what to do if someone hacked a website [belsec] [Belgian Security Blognetwork]

Posted: 20 May 2008 01:42 PM CDT

Well, you can try to contact the responsible person. Who would that be? The hoster, who will say that it is the administrator, who will say it was the hoster or another firm, or will say that he can't do anything without the approval of the owner, who will say that it is the mistake of the hoster, the admin or whoever he can think of.

They may even think that you are responsible.

It seems like the right thing to do, but it solves nothing. The only thing that helped when it was really important was calling the ecops and oops in less than an hour the site was reset - if it was fixed is another thing.

But for the rest, leave them alone. They are so desperate that they would yell at anybody in sight,

while the only person responsible is themselves.

The beauty of the thing is that once they were hacked, they get attacked on a permanent basis and are rehacked from the moment they forget a patch. And they don't even listen to advice like that, as they continue to re-appear in the hacked sites index.

So we publish the indexes of hacked sites, phished sites and broken sites and other stupid things online. And then it is up to whoever is concerned to do whatever he thinks is necessary.

Until the government or industry gets an office together that cleans up the web or votes a law that defines clear responsibilities.

Twitter madness: NetSecPodcast [Network Security Blog]

Posted: 20 May 2008 01:19 PM CDT

Rich and I have created a new Twitter account: NetSecPodcast. We won’t be updating it all that often, but it’ll be there and it’ll give you an idea of some of the things we have planned for the show. We are talking about possibly doing some live streaming of the podcast recording and other stuff, but nothing solid yet. We’ll let you know through the Twitter stream when we do though.

While I’m at it, you can subscribe to my twitter stream at mckeay and Rich’s at rmogull. Easy as pie, at least when Twitter is stable that is. And I hope I haven’t just opened us up to a steady stream of spam twitter friends by posting this.

PCI 6.6 Webinar *TOMORROW* [Trey Ford - Security Spin Control]

Posted: 20 May 2008 12:25 PM CDT

For those interested: I will be speaking in a webinar tomorrow on PCI Requirement 6.6. My portion will be agnostic, focused on what 6.6 seeks, what activities will be required, and how to prove your process is working. The second half will be an unapologetic discussion on how WhiteHat Sentinel Service simplifies PCI Requirement 6.6. If [...]

Back from EICAR ... [Wavci] [Belgian Security Blognetwork]

Posted: 20 May 2008 11:57 AM CDT

I'm back from EICAR for a week now and it seems that I'm so terribly busy that I could not do a nice writeup about the EICAR conference ... well, be patient and have a look at the Virus Bulletin magazine June issue, where I will publish a conference report. Just at this moment my Belgian friend blogger Didier Stevens was blogging about our EICAR test file. He really likes to play with it in a lot of ways. Now he seems to be publishing a PDF document with an embedded EICAR test file (eicar.txt). This PDF document also has an annotation with a JavaScript action linked to it. Clicking the annotation will export the embedded eicar.txt file to a temporary folder and launch the default editor for .txt files.
eicar.pdf contains only ASCII characters, so you can use Notepad to see what he did. He asks you also to guess what he did... read more at
http://blog.didierstevens.com/2008/05/20/quickpost-eicarpdf/ .
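The combination described above (an embedded file plus a JavaScript action that exports and launches it) is exactly what a content filter should flag before a PDF reaches a reader. The following keyword scanner is an added example written for this digest, not Didier Stevens' eicar.pdf or any of his tools; the two PDF documents it scans are constructed stand-ins modelled on the description (the EICAR string itself is replaced by a placeholder), and the `nLaunch` flag in the sample action is the Acrobat JavaScript parameter that requests the exported file be opened.

```python
import re
from collections import Counter

# PDF name objects that appear whenever a document carries an embedded file,
# a script, or an action that opens something. Watch-list assembled for this
# example; extend it to taste.
RISKY_NAMES = (
    "/EmbeddedFile", "/EmbeddedFiles", "/JavaScript", "/JS",
    "/Launch", "/OpenAction", "/AA",
)
# Acrobat JavaScript calls that pull an attachment out of the document or
# hand a URL/file to the operating system.
RISKY_JS_CALLS = ("exportDataObject", "launchURL")

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated name such as /J#61vaScript is
    compared as /JavaScript. Applied to the whole buffer, which is fine for
    a keyword scan because the result is never interpreted as a PDF."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count risky names and JS calls and derive a coarse verdict.
    Caveat: this only sees plain-text objects. eicar.pdf is pure ASCII, but
    a /FlateDecode stream would hide its contents from this scan, so a real
    filter must inflate streams before looking inside them."""
    norm = normalize_names(data)
    names = Counter()
    for name in RISKY_NAMES:
        # Require a delimiter after the name so /JS does not match /JSx
        # and /EmbeddedFile does not double-count /EmbeddedFiles.
        pattern = re.compile(re.escape(name.encode()) + rb"(?![A-Za-z0-9])")
        hits = len(pattern.findall(norm))
        if hits:
            names[name] = hits
    calls = Counter()
    for call in RISKY_JS_CALLS:
        hits = norm.count(call.encode())
        if hits:
            calls[call] = hits

    has_file = "/EmbeddedFile" in names
    has_script = "/JavaScript" in names or "/JS" in names or bool(calls)
    has_launch = "/Launch" in names or "exportDataObject" in calls
    if has_file and has_script:
        verdict = "embedded file with script trigger"
    elif has_file or has_script or has_launch:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"names": dict(names), "js_calls": dict(calls), "verdict": verdict}


# Constructed stand-in for the PDF described in the post: a file attachment
# plus a link annotation whose action exports and launches it. The action's
# /S name is #-escaped to show why normalize_names() matters.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R
  /Names << /EmbeddedFiles << /Names [(eicar.txt) 5 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
  /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [10 10 100 100]
  /A << /S /J#61vaScript
        /JS (this.exportDataObject({cName: "eicar.txt", nLaunch: 2});) >> >> endobj
5 0 obj << /Type /Filespec /F (eicar.txt) /EF << /F 6 0 R >> >> endobj
6 0 obj << /Type /EmbeddedFile /Length 27 >>
stream
PLACEHOLDER-FOR-EICAR-STRING
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed minimal document with no attachments or actions, for contrast.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        print(label, scan_pdf(doc))
```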

Reading this blog is dangerous according to websense [belsec] [Belgian Security Blognetwork]

Posted: 20 May 2008 09:05 AM CDT

We already knew it was dangerous for the health and humor of some of our officials and IT representatives, but that we are so dangerous that we would be blocked by the Websense webfilter just means that someone with Websense in their network doesn't want you to read this stuff, or will warn you that reading this stuff is being monitored and not appreciated by him.

Just a tip to bypass that stuff: go to Google, type the name of the blog as search term and read the cache. Works most of the time. We will also publish a list of proxies to help our friends that may not be allowed to read this stuff if their network has been hacked, broken, compromised, spoken about....

the nature of things [Jeremiah Grossman]

Posted: 20 May 2008 08:49 AM CDT

I agree with RSnake. It seems the inescapable curse that the more successful one becomes in the infosec industry, the more interesting information they may access and the less they can share about it. It's terribly frustrating and unfortunate because so much is lost as a result. When my blog started it was simply a place where I could speak openly about personal webappsec interests, meet others in the community, and converse on a wide variety of technologically cutting-edge and conceptual topics. I had no idea if anyone would even care to read it. Still, I've always tried to be completely open with what I believe and whom I work for, because bias will surely creep in.

Almost ten years in the industry, some two years of blogging, and 500 posts later, never did I dream that I'd get to meet so many great people whom I learn a lot from and receive such a tremendous readership. For that I'm grateful and have always been committed to giving back by sharing what I know and assisting others where I can. During the same time, professionally I get access to way more highly sensitive and sought-after information than ever. Knowledge that'd make you laugh, cringe, worry, think, get excited, and upset. Much of which is locked up in NDAs, intellectual property, and business relationships, but that also helps me see what's coming 2-3 years out.

This brings me to the second thing I agree with RSnake on. Things are bad, much worse than they appear, worse now than when I started, and probably because we've learned a great deal about the existing problem, as have the bad guys. Top down are endless mountains of critical vulnerabilities we're incapable of fixing the conventional way (through code), built on platforms of technology suboptimal security-wise, and we can't simply start over from scratch. Bottom up are incidents taking place daily, some waiting to take place, rarely spoken of, especially by me, and almost never in detail by anyone. I only get to hint at the specifics and what lessons we may learn. Heck, I can't even share a lot of it with RSnake for the same reasons he can't share back.

This means the bad guys have an edge. They aren't bound by the same rules as we are and as a result are more nimble than us, and that is the third thing I agree with RSnake about. Readers here and on his blog have the clearest path to reveal the things we can't directly. That's why we support them the best we can, and perhaps this is a healthy progression that keeps the industry fresh with new people and ideas. This is not to say I won't be doing everything in my power to provide the information people need to protect themselves online should they want to. That's essentially what I do for a living and I have no desire to make a living writing books. :) So with that I disagree that my blog, at least, will be watered down. I still have lots of cool stuff to talk about, look forward to hearing what others think, and thank you to everyone who takes the time to read.

Version Blah Blah?? [Network Security Blog]

Posted: 20 May 2008 12:44 AM CDT

I’ve been playing City of Heroes/City of Villains since Day One. Actually, I was part of the beta testers and participated in the ‘three day head start’ they gave people who preordered the original game. That was just over four years ago and I’ve loved playing the game the whole time. Yes, I’m a roleplaying game geek, and superheroes are my genre of choice.

For the last several weeks I’ve been anticipating the latest upgrade to the franchise, Episode 12. When my system started downloading a patch this morning, I didn’t think it was a big deal, but I wanted to check out the patch notes to see what had changed and been updated. Imagine my surprise when instead of the normal patch notes, the notes were empty and the version was listed as ‘Version Blah Blah’.

Now this is probably part of the scheduled downtime indicated on the Server Status page, but it still made me pause for more than a few minutes and wonder if there wasn’t something more serious wrong with my favorite game. Had someone infiltrated the game and set up a malicious patch? Was it just an administrator who had more important things to do than update the patch page? Or was this a conscious decision to attempt to be funny? Since the patch and the downtime were anticipated, I’m voting for the last, but as a security professional, it makes me more than a little uncomfortable to see this.

It’s too early in the morning to read too much into this, but I still worry when a vendor, whether a game vendor or a security product vendor, doesn’t take their patching seriously. We have too many security issues out in the wild to joke about the patching products. Or maybe I just need to go back to sleep for a couple of hours and come back when the server updates have been finished.

Update: Yup, it was just a placeholder while the other work was being done. Now the real patch notes are up and the servers are all in the process of being restarted.

Academia vs. professional researchers [Jeremiah Grossman]

Posted: 19 May 2008 10:23 PM CDT

Dave Aitel recently posted "Thinking Beyond the Ivory Towers", an article I found really interesting. Dave has earned a reputation for being wicked smart, ninja level at zero-day vulnerability identification/exploitation, and unapologetic in his views on various controversial infosec subjects. I've had the pleasure of getting to hang out with him on occasion over the years and have always found his opinions to be extremely thought provoking. Most of all Dave's a person that when he speaks, whether you tend to agree or disagree, you listen. So when Dave starts discussing the true practicality of automatic exploit generation from patches, I'm all ears.

The lead in and the ending kinda give you the tone of the middle. :)

"In the information-security industry, there are clear and vast gaps in the way academia interacts with professional researchers. While these gaps will be filled in due time, their existence means that security professionals outside the hallowed halls of colleges and universities need to be aware of the differences in how researchers and professionals think."
...

"That's why people who write papers in LaTeX two-column format end up saying the sky has a high negative trajectory, while the rest of us wish they'd stop living in the clouds."

Adapt and overcome [Jeremiah Grossman]

Posted: 19 May 2008 04:13 PM CDT

Most of us understand and accept that Web application vulnerability scanning tools (black and white box analysis) don't find everything, but that's OK since they add value to SDLC processes regardless. Consistency and efficiency are good wherever we can get them. The problem is that heated (aggressive/defensive) ideological debates often transpire any time people who don't get that come in contact with those discussing scanner capabilities. Sometimes, though, we manage to get past all that to have open and collaborative conversations isolating various technical limitations, theorizing ways to overcome obstacles or improve processes to compensate, and generally move the state of the art forward. This after all is what security is all about: process, not product. That's where Rafal Los' two-part posts come in.

Static Code Analysis Failures
Hybrid Analysis - The Answer to Static Code Analysis Shortcomings

Don't let the titles fool you into thinking these posts are anti-static-analysis. Rafal points out certain scanner shortcomings as a premise to put forth ideas on how to improve the technology by combining capabilities. Of course we're all free to agree or disagree, that's kind of the point. Hopefully he'll add a third installment that'll dig deeper into how Hybrid Analysis might function. Seems like an interesting line of research.