Spliced feed for Security Bloggers Network |
| Posted: 22 May 2008 04:06 AM CDT Enigma Software. According to this, they've changed (or are changing) their name from Enigma Software Group Inc, to City Loan, Inc. That's a pretty strange name for someone that makes programs which have previously been flagged on the Rogue Antispyware List, isn't it? With that in mind, check out what my pal Tashi happened to see a few days back on their site. "Scan your entire computer to detect negative credit". ....what? Anybody actually know what's going on over there? This is too weird for half eight in the morning, even by my standards. |
| Top 10 phishers april 2008 according to phishtank.com [belsec] [Belgian Security Blognetwork] Posted: 22 May 2008 03:24 AM CDT |
| How long would it take to find an EANDIS account ? [belsec] [Belgian Security Blognetwork] Posted: 22 May 2008 03:23 AM CDT Winsec published the vulnerability on their website some penetration testers made the calculation based on the published information by winsec. they reckon it would take about 10 minutes to find an active EANDIS account online - if the winsec information is allright. We didn't check anything or didn't try anything of this and we didn't publish this in the first place. It is a winsec post. we didn't contact EANDIS neither because we don't know if they have a responsable disclosure policy and we didn't write the piece in the first place. But as it was out in the open..... and we are being read by police and media, we would like to raise the alert level for this vulnerability. We would like to appeal to the vulnerability testers not to publish more technical info to limit the damage done. We can forward information to our backchannels. |
| Spammers Target Social Networking Sites [Darknet - The Darkside] Posted: 22 May 2008 03:11 AM CDT It makes sense, spammers will follow whatever is popular, wherever the social mass is at and reading they will bombard. In the earlier days Myspace was a big target, now they are moving on to other sites such as Facebook. Social networking sites are an ideal place for spammers as they can exploit the trust between [...]SHARETHIS.addEntry({ title:... Read the full post at darknet.org.uk |
| PCI Compliance and Virtualization [PCI Blog - Compliance Demystified] Posted: 22 May 2008 01:13 AM CDT
Hoff and Siebert both posted this question here and here. People may think that <insert latest technology here> will somehow prevent a company from being PCI DSS compliant, when in reality the compliance program is built around protecting cardholder data. That technology you want to implement is probably fine as long as it doesn’t put cardholder data at risk. But people focus in on that one requirement and thing everything falls apart. PCI DSS Requirement 2.2.1 is like the ‘force’ in Star Wards - it can be used for good or for evil. Unfortunately, it is the single most abused requirement in the standard. Some people, using it for evil, go as far as to say that DNS and WINS cannot reside on the same server. This requirement is meant for situations when companies try to pile every service imaginable onto one computer, causing a situation that actually puts cardholder data at risk. For example, if a retail store manager uses the back office PC that aggregates their credit card transactions as their personal workstation for browsing the Internet. This is a unsafe practice and violates several PCI DSS requirements. Virtualization is an emerging technology that enables companies to securely leverage one physical server to run multiple virtual systems. This is beneficial in areas with limited physical space. If a company can run four virtual systems and only use the physical space of one server they can reduce the cost of housing and maintaining excessive hardware. Additionally, virtualization provides a number of administrative benefits such as centralized data storage and security, centralized configuration and patch management, and a number of other processes. Companies can benefit from using virtualized systems but they must also consider how these systems segment access from one to the next. Just as with PCI DSS Requirement 2.4 (shared hosting environment) and the question of what defines “adequate segmentation” one must examine the security systems that separate one virtual system from another. Any form of segmentation, virtualization, or shared hosting environment is acceptable under PCI DSS as long as it prevents one set of systems or people from negatively impacting the security of other systems or people. The delineation point for what defines “adequate” virtualization is any system that can properly prevent one virtual system from negatively impacting the security of cardholder data on another virtual system. It is the responsibility of the implementor to verify that such controls are in place. Virtualization will continue to grow in popularity and, properly configured, can be used to adhere to PCI DSS compliance. The technology itself is not often the culprit of non-compliance, instead it is how the technology is implemented or installed that can cause both security and regulatory compliance mishaps. |
| Information Centric Security is dead! [Security Thoughts] Posted: 22 May 2008 01:11 AM CDT Ok,ok, I just want to jump on the bandwagon. It seems you are not regarded as an innovative and forward thinking Information Security Blogger unless you declare something dead so I will do that with Info-Centric Security. So, what do I elect to replace this with? Process-centric Security. I think that as we get closer to Information Security Nivana (and isn't that what we really want?) we will start to get closer to the point where we look at Business and how it uses Information to do what it does. We define processes, work out what Information is needed, add in resources and voila we have all the information (process, standard, information classification, user details, etc) that we need to properly define and hence secure a process. If this brings back bad memories of Flowcharts and the like then maybe, just maybe, flow charts are what we really need to secure our businesses. Maybe when we decided to throw out all of those tools we had way back when, we did it without thining of the repurcussions. The goal to get a "Fast Company" and "be more adaptable" and "beat our competitors" just made us more sloppy and insecure. It may be a good time now to reassess. And, by the way, Information Centric Security is not really dead... its just part of this larger idea, just like IDS is part of IPS. |
| Thinking out the box [Security Thoughts] Posted: 22 May 2008 12:50 AM CDT I am going to predict the future of the WWW and how Information Security will have to adapt in the next few years. This will take some time to secure and will take some time to get accepted but this is (IMHO) coming so brace yourselves. Life is going to get very interesting, especially for the Information Security guys out there. This is actually not a new concept - Novell and Sun were working on these ideas about 15 years ago but the world and the Internet were not yet ready. They are now or, at least, they soon will be. WEB 1.0 This is the Internet as we know it. HTML with some scripting for the pretty factor. Some media added in. Not much interaction. Security is easy here. Make sure that no wiggly things make it from the web onto your network. Make sure that users don't visit sites that waste time and shock people. Web 2.0 This is the big catchword but I don't think we are where we should be. Web 2.0 is a taste of things to come but we are still chained to web 1.0 thinking. Information is swopped but format and location of information are still king. XML is just starting to come into its own and information is starting to become self-aware. The same information can be represented in totally different ways on different pages but the tools are new and websites are built around specific purposes. Sites with open APIs like Facebook are starting to take hold. Security is starting to become difficult - we have to make sure that internal data doesn't become external data. Web 3.0 This is the new buzzword but I think it is merely more extreme web 2.0. Early examples of this are Yahoo Pipes, facebook's API etc. Sites with open tools to manage information. Information flows and is not bound to a certain site, location or format. Information Centric Security becomes key here. I think that the tools have not been developed or have not been properly developed. Web 4.0 Cloud computing. This has been around for a while but it will soon come into its own. Combine GMail, Google Reader and technology like AJAX (of course), Google Gears and Mozilla Prism. I'm sure that Microsoft and Yahoo etc all have their own versions of the above and there will probably be some small niche players too. Keep all the above free (with advertising) and you get a very useful and smart Office Suite that allows for collaboration and features such as backup and works wherever you are. This is exciting stuff but the assumption is that your data will be safe. This is a bad assumption. This is Information Security's next headache. The problem with this is that like wireless and portable devices and USBs and the Internet etc etc.. cloud computing will happen. Businesses will need to do it and they will do it. We need to make it secure. Applications such as Microsoft Office etc are already terminally ill, it is just a matter of time... The next race between Microsoft and Google and Apple will be in this space. I believe that the winner will be the one who can ensure the security of the information stored on their network. Of course, cloud computing is a walk in the park compared to what will be next: Web 5.0 This is where it all gets mad. Think Web 4.0 mixed with P2P such as Skype and Bit-torrent. Add in a bit of virtualisation. Your data is hosted on 100 different people's personal machines. In exchange you host 1000 people's data on your machine. A piece of your company's still-to-published annual results are split up between a mac in Japan, an iphone in brazil, 3 pcs in the US and a linux server in the UK. It is xored with Bill Gates's personal phone list and another 6 people have spare copies. If the UK box falls off the Internet then another box picks up where it left off. Processing is done by a further 3 machines, one in Namibia and 2 in China. Each time you access your data the communication takes a different route bouncing off 10 machines between you and all the places that your data is. At any one time you have no idea where your information is. Information Security becomes part of the network - all files have to be encrypted and there are numerous copies of it. |
| I just paid more than $4 bucks a gallon for the first time! [StillSecure, After All These Years] Posted: 22 May 2008 12:38 AM CDT Returning my rent a car here in Denver, I stopped in the gas station to fill up. I paid $4.04.9 for 85 octane gas. First time I have cracked the $4 dollar barrier. I am so excited I can cry. Oil went over $133 a barrel today and I saw an analyst report that it could go as high as $200 a barrel. It seems that when George W became President I remember oil in the 20 to 30 dollar range. There really doesn't seem to be a shortage of oil, supply meets demand. So WTF? Why are prices going up daily like this? I used to think it was due to fears that another war in the Persian Gulf would break out, but I think it is beyond that now. I really feel like the markets are being manipulated and it is time for intervention. If this does not give us as a country the will to do something about our dependence on oil, I don't know what will. Lets see a bold call to action like putting a man on the moon for this country to rally around with a goal of developing alternate energy and soon! |
| Links for 2008-05-21 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"] Posted: 22 May 2008 12:00 AM CDT |
| NoVA Sec Infosec Meetup Event - Thursday, 5/22: IPv6 Security [NovaInfosecPortal.com] Posted: 21 May 2008 09:56 PM CDT |
| Cisco and the Golden shield project [Security4all] [Belgian Security Blognetwork] Posted: 21 May 2008 08:11 PM CDT A few days ago, we had a little discussion about project "Golden Shield", a mass surveillance system. Just yesterday, Wired had an article about Golden shield and a leaked presentation about... |
| Posted: 21 May 2008 07:42 PM CDT Shadowserver posted an interesting list of the domains used in the recent SQL attack. You could just monitor any unauthorized changes to your website if you have change management and monitoring in... |
| 3 Pints and a NAC [StillSecure, After All These Years] Posted: 21 May 2008 07:26 PM CDT
You can watch the video by clicking this link. You might have to register and than look for the 3 pints link to play the video. There is also a video of Jennifer Jabbusch discussing "preparing your network for NAC". The funniest thing about filming this segment was at every break they would refill your beer glass. By the time the filming of this segment was over I probably had downed 3 or 4 pints of beer. I felt kind of like Lucy in the Vitametavegimin commercial episode. All in all it was a lot of fun. |
| Some VTM sites are still hacked at midnight [belsec] [Belgian Security Blognetwork] Posted: 21 May 2008 05:57 PM CDT VTM has announced that it will review its ITsecurity policy after they have become the biggest hack of the last year. Big because of the impact. It has shown some thousands of normal everyday people that would have visited those general sites from commercial radio- and tvstations that life on the internet is not that safe and that even the best could fall if they let down their guard. The best thing to do is to selftest your site or a perfect copy against the hacking tools and to have active patch and update policy of all your sites. and they would still need some monitoring because http://cms.web.vmma.be/ gives this at midnight - now
this is their content system, it is there where they should have looked at in the first place. This is what I also said to the FCCU. Because it is normal that you first try to hack the CMS of the server because this way you can deface many sites at once. This evening at 0.37 it is still online this way. according to VTM and jimmobile.be is also still hacked
|
| I guess it is Shimel video day [StillSecure, After All These Years] Posted: 21 May 2008 05:27 PM CDT Hot on the heels of posting my 3 Pints link, I received a Google Alert on two other videos I appeared in. One is with Andrew Conry-Murray, senior editor of Information Week that I filmed at Interop this year. We spoke about NAC and blogging.
 The second was from this past RSA where I appeared with my good friend Erica Chickowski of Baseline Magazine and we spoke a bit about some recent data breaches.
 Ok, I will admit it, I like doing this video thing. Maybe I am destined to become an actor in my later years. You know Rodney Dangerfield started at about my age. Yeah, yeah I know, NO RESPECT, NO RESPECT. In the meantime if you have any scripts you think I might be perfect for a part just email me! |
| Posted: 21 May 2008 05:23 PM CDT The Belgian lotto wants to launch online gambling next year but has a big problem. Gambling is forbidden in Belgium under 18 years, so it has to control the age of the Belgians before letting them use the service. The first thought was to connect the service with the banks. You have to be 18 years old to have a full-rights bank account so that seemed logic. Only the banks were not stupid. The less services from other services are linked to their user databases the better. So they refused. Up to the next bright idea. In Belgium all the official information (age, parents, address,....) are in a database called Rijksregister and that gives also every user an UID (unique Identifier). It will be difficult for an administration to say no to another, but can you imagine the Lotto service becoming a trojan horse into the most important citizen database in Belgium ? If there is one service that is under permanent attack on the internet than is a gambling or casino service. So letting those services with a high attack level connect freely to your own networks and databases is a risk you have to calculate the costs off. It won't come cheaply if you want to control those risks. |
| How to manipulate the EANDIS gas bill of your neighbor [belsec] [Belgian Security Blognetwork] Posted: 21 May 2008 05:12 PM CDT |
| what do to when you are hacked according to winsec [belsec] [Belgian Security Blognetwork] Posted: 21 May 2008 05:08 PM CDT we quote Oh no, we’ve been hacked, now what? Developing an incident response process Sooner or later, the unimaginable becomes the inevitable: your information security will get breached and your systems will get attacked. It might be a mild brief denial of service or a full-on concerted effort to wipe you off the Internet, but it will happen. There’s only one real question you need to answer: are you ready? Do you have the skills, techniques, tools, and organization to respond and recover? Fact is, most of us fail to plan for such a fateful day—leading to panic, indecision, and mistakes. Our jobs as defenders of information fall into three overarching categories of protection, detection, reaction. Mobilizing an organized team with a well-designed and tested reaction plan is the only effective way to recover from the attack and quickly return to business as usual. Steve Riley will show you how to build such a team and how to prepare it for success. http://identityunderground.spaces.live.com/ :) |
| Nuove forme di Shoulder Surfing [varie // eventuali // sicurezza informatica] Posted: 21 May 2008 03:25 PM CDT NetworkWorld: I spy your PC: Researchers find new ways to steal data In pratica secondo questo studio (link) é possibile leggere ciò che viene scritto su di un PC (esattamente come se si guardasse lo schermo) grazie ad un po di considerazioni di carattere ottico e leggendo il riflesso su piccoli oggetti, fra cui anche l'occhio umano, occhiali da sole, tazze, bottiglie, cucchiai. Nulla di nuovo, ma intelligente. Questo altro studio (link) invece propone un metodo per recuperare l'input fatto su una tastiera in base al video che riprende le mani che digitano. Come dice l'abstract e' facile da fare per un umano, ma automatizzare questo processo e' vagamente più complicato. Intelligenti, anche loro. |
| Adrian Lane Visits The Network Security Podcast [securosis.com] Posted: 21 May 2008 02:46 PM CDT This week we had a special guest on the podcast, Adrian Lane from IPLocks and the Information Centric Security blog. We spend some time talking about the latest security news, then dive deep for a bit into information-centric security, one of our favorite topics. Adrian and I are firm believers, along with a few others, that we need a bit of change in the tradecraft of security to focus more on the information. But if you read this blog, you’ve heard me rant on the topic before. The episode is available here at netsecpodcast.com. |
| Posted: 21 May 2008 02:20 PM CDT This hit all the major newspapers this morning. The sites of VTM and JimTV have been defaced. VTM is the commercial television station in the Flanders of Belgium and JimTV is a music and media... |
| Build it up, build it out [Vitalsecurity.org - A Revolution is the Solution] Posted: 21 May 2008 01:57 PM CDT Slight lack of posts here at the moment, because we've pretty much finished off the Spywareguide Blog redesign, and I'm also spending some time working with the team (which stretches from West Virginia to Bangalore) with regards getting them blogging on the site and stuff. It was never really practical on the old version of the site for a couple of reasons, but I thought with a new blog comes new blood. Or something. Of course, not everybody has blogged before and you gotta start somewhere - and jumping into security blogging isn't quite as straightforward as it might appear to be, because you have to take into account all sorts of factors. 1) Legal shenanigans 2) Other shenanigans 3) Morons I rather enjoy all of the above, but it's not everyones cup of cyanide. At any rate, there's a funky little About page here where you can finally put faces to some of the names that have popped up on many of my previous writeups, and there should be a few more names added to the site soon. Indeed, some of them have already taken their first steps into the wonderful world of blogweb intercybers so hurrah and huzzah. Normal service - okay, abnormal service - will return shortly. |
| MSSP and NAC - True Love [CTO Chronicles] Posted: 21 May 2008 12:33 PM CDT As a company with long-standing relationships in the Managed Security Services space, we've talked a good deal around here not only about how our own product can be leveraged in the MSSP space, but also the general pros and cons of having NAC as a managed service. Our own VP of marketiing has an advertorial here. Where I come down on this is that Managed NAC is a no-brainer for organizations that already subscribe to managed security services, and absolutely worth considering for organizations that leverage managed services for other parts of their IT business (Help Desk, WAN, Internet bandwidth, etc.). Given both the technical and business problems that NAC solves, managed NAC is a natural extension to current managed security offerings, from the perspective of both the MSSP and the business organization. It provides the MSSP the opportunity to bring governance "deeper" into their customers' networks rather than being limited to reacting in the perimeter; and it provides the customer the opportunity to leverage economies of scale and breadth of experience inherent in managed provider offerings. Given the switching and desktop depth of most NAC solutions, managed NAC has synergy (Buzzword Bingo!) with managed LAN environments as well. So, if you're currently with an MSSP who does not offer managed NAC, then you absolutely should ask them what their plans are for adding NAC to their portfolio, as well as what bundling options they're planning to offer their customers. Regional MSSP's are moving rapidly in this space, and I think it's only a matter of time before the larger managed service players add NAC to their portfolio as well. |
| How are you meeting PCI Requirement 6.6? [Network Security Blog] Posted: 21 May 2008 11:27 AM CDT The deadline for meeting requirement 6.6 of the PCI-DSS is quickly coming up, June 30th as a matter of fact. So how is your business meeting with this requirement? Do me a favor and take this quick poll to let me know what you’re up to; it’s as completely anonymous as anything on the Internet can be, but I’m curious how people and companies are taking this requirement. Something to remember, whether you’re a Level 1 merchant or a Level 4 ‘mom and pop’ store, you’re still responsible for meeting this requirement. For more information on meeting PCI 6.6, read the PCI Security Council guidance here. Edit: I’m just having a bad day and the poll doesn’t seem to be working. I’ll try again when I have the time to deal with it. Please leave a comment instead of taking the poll. |
| TSC May 21 2008 | The Right Way to Address the Debian OpenSSL Vulnerability [The Security Catalyst] Posted: 21 May 2008 11:21 AM CDT It was disclosed last week that a vulnerability in the OpenSSL packages used by debian systems contained a flaw where random numbers were not actually random, paving the way for another attack vector. Plenty of specific details and analysis can be found in different places, including: http://wiki.debian.org/SSLkeys http://www.us-cert.gov/cas/techalerts/TA08-137A.html http://www.kb.cert.org/vuls/id/925211 http://secunia.com/advisories/30220/ For many, this signals the fire-drill of reaction and patching — just in time for a big holiday weekend (aka the "start of summer") here in the United States. Just days before this was announced, I was introduced to Venafi (as a direct result of my press pass at RSA). During the conversation, I realized they really own the niche of Systems Management for Encryption. As we shared a lively and informative conversation, I was reminded that SSL is not just something we stick on web servers; it goes deeper and wider in many enterprises today. As soon as you have to manage many of these encrypted connections, the process gains some complication – and is ripe for error. Step in Venafi. When the debian vulnerability was announced, I immediately asked if Venafi would be willing to share some insights about how organizations should be handling this issue. This is bigger than patching (remember code red?) – and I wanted a discussion that provided insights into how to manage this in a way that brought immediate results but also good long-term gain. During this program, Paul (from Venafi) and I start by exploring how to engage business users in the conversation. We progress to tactical and strategic ways to address this challenge while realizing this is an opportunity to make some improvements that bring better future results. It comes from planning and following a process informed by experience – and we'll share the insights with you in 30 minutes or less! In the wrap-up, I suggest following the approach of plan-do-review, outlined in this podcast: http://www.securitycatalyst.com/blog/2008/01/31/the-security-catalyst-show-plan-do-review-your-way-to-success/ Tune in next week for the debut of the Pop Culture Security podcast – your monthly "how-to" for Security Awareness Training. This posting includes an audio/video/photo media file: Download Now |
| Posted: 21 May 2008 11:06 AM CDT As part of our on-going coverage on network access control, InformationWeek's NAC Immersion Center was recently updated with new content from recent Las Vegas Interop keynotes and presentations. |
| Network Security Podcast [Information Centric Security] Posted: 21 May 2008 10:30 AM CDT Martin Mckeay and Rich Mogull were kind enough to invite me to their network security podcast. We had a nice discussion on Privacy, Information Centric Security and a few other topics. |
| comments are now allowed [www.remes-it.be] [Belgian Security Blognetwork] Posted: 21 May 2008 09:38 AM CDT I activated the comment option on this blog, so it gets a little more interactive. I have to keep it moderated but you don't need to register to make a comment ... |
| Rich almost made the list [Network Security Blog] Posted: 21 May 2008 09:21 AM CDT Amrit Williams has written up the Top 5 Abused/Misused/Misconstrued Terms in Information Security and Rich Mogull made the list of ‘also rans’. I’m pretty sure Rich’s name is just there as link bait, but it’s amusing none the less. Amrit is a good writer and always sprinkles a large amount of sarcasm and cynicism in his writing, so this is worth taking a few minutes to read. The thing that puzzles me slightly about this list though is that four of his top five have fallen out of general usage, at least in my experience. “Paradigm Shift” got so overused a few years ago that no one I know uses it unless they’re making a joke. Or if they’re in marketing, then the joke’s unintentional. The same goes for “* is dead”; at least I hope people who are still using the term are joking. Maybe not and I should take some of those articles seriously. The one inclusion on the list I have some issue with is “Security ROI”. The term itself is definitely overused, but the concept it’s trying to capture is something we need to pay more attention to, security’s role as a core part of business. ROI is poorly suited to measuring success for security, but we do need to move away from the concept of security as a technology and towards including security as a core part of business. This includes ways of measuring success and failure, though failure is much easier for us to identify. On the other hand, maybe I just proved Amrit’s point, that it’s an overloaded, overused term and we should find something better suited to the concept. Language is fluid and we’re constantly creating new terms and adding new meanings onto old terms. Maybe Amrit can revisit this article and come up with another list next year. Of course, that’d mean he’d actually have to come up with real criteria, rather than just listing the terms that made him grumpiest this morning. |
| Explanation to the poll [www.remes-it.be] [Belgian Security Blognetwork] Posted: 21 May 2008 08:58 AM CDT I personally believe anti-malware software is dying a slow death as an endpoint solution. I see it moving towards a commodity feature in perimeter/network devices and or other appliances now that the bigger players (Cisco, Checkpoint, Juniper) are embracing UTM. |
| You are subscribed to email updates from Security Bloggers Network To stop receiving these emails, you may unsubscribe now. | Email Delivery powered by FeedBurner |
Inbox too full?  Subscribe to the feed version of Security Bloggers Network in a feed reader. | |
| If you prefer to unsubscribe via postal mail, write to: Security Bloggers Network, c/o FeedBurner, 20 W Kinzie, 9th Floor, Chicago IL USA 60610 | |
No comments:
Post a Comment