Spliced feed for Security Bloggers Network
The best way to get customer service? Blog or Twit them [StillSecure, After All These Years] Posted: 24 May 2008 07:40 AM CDT I was reading an article in the Orlando Sentinel newspaper this morning (I know, who reads newspapers anymore?) about how so many companies are tracking unhappy customers by monitoring blogs and even Twitter messages. It reminded me of a story that Chris Hoff had a while back about Southwest Airlines monitoring his Twitter message
No one ever gets fired for buying Cisco ... [StillSecure, After All These Years] Posted: 24 May 2008 06:33 AM CDT ... but I am not sure anyone ever gets promoted either. Andy IT Guy had a good article up today called "You can use any vendor you want as long as it's Cisco", which talks about people who choose a Cisco solution without really considering if it is the best solution for their own unique needs. Andy was inspired by an article by John Maxwell talking about Henry Ford's reluctance to build any car that was not black. This refusal to change ultimately cost Ford business. Andy has some great quotes in the article; here are a few:
1. Evaluate them and make a choice based on what works best for you. If you don't answer these questions and just pick a solution based on who the vendor is, what it costs, it's the "industry standard", or how easy it is to deploy and maintain, then you are not solving a problem, you're just wasting money.
2. It's our job and responsibility to make decisions based on what is best for the company. ... Just because it's considered 'industry standard' or it's made by a big company doesn't mean it's good for us.
and perhaps best of all:
3. So if you've fallen into this trap, step back and take a long, hard look at your selection process and refine it to best meet your needs. If it turns out that you still choose Cisco or whoever you would have chosen by "default", then that's great. However, if you discover that there are other vendors who can meet your needs better, then you have a feather to put in your hat.
Amen Andy! I wish that more people would have the insight to practice this. But the fact is that picking Cisco or IBM or what have you is the easy, no-risk choice. However, I also believe that picking the "safe choice" will come back to bite you now and again. I don't think it shows any initiative or concern about doing what is best for your company. I think the fast track to promotion and success is not choosing what the safe bet is, but what is the best bet for your needs.
The fallout of the Debian OpenSSL security problem [Robert Penz Blog] Posted: 24 May 2008 04:32 AM CDT Today I don't want to write about how the Debian security problem occurred, or whether it was the fault of the Debian maintainer or the OpenSSL guys. We're all human so errors can occur, but this shows a much bigger problem we have. Our SSL infrastructure!! I'm quite sure you read about the weak SSL key whitehouse.gov had and that the White House does not handle their SSL stuff themselves; instead they use Akamai for this. If you don't know Akamai, it is a major content distribution network. They have tens of thousands of servers distributed all over the world and the content is served by the closest server to provide higher download speeds for the customers and make a DDoS attack much harder if not impossible. Their customer list includes Microsoft, the New York Times and so on. So basically the SSL keys of the Akamai servers were weak, and it was possible to get their public keys (the public key is sent as part of the SSL handshake) and calculate the private ones from them (there are only 32k possible keys). I know that at least one person did it and sent the keys to the CCC, which verified the authenticity of the keys. Sure, Akamai replaced their keys immediately. BUT. There is no way to revoke the SSL keys!! What most people don't seem to understand so far is that these keys are signed by a CA which is in any browser. This means that a man-in-the-middle attack can easily be performed with this. As ATI is also a customer of Akamai, someone could send you a Trojan horse instead of the newest ATI you wanted. SSL has in theory two defenses against this:
So we're out in the open for this key until this fall, but that won't be the end, as e.g. GoDaddy at least allows signing keys for a longer period of time, e.g. 3 years. And the same problem occurs if a private key is leaked by other means. The whole foundation of our web security infrastructure is built on sand. We need something new!! PS: I want to stress that Akamai did nothing wrong here. They did everything right and still have a problem!
Colemak Keyboard Layout [Jon's Network] Posted: 24 May 2008 02:18 AM CDT I actually think I'm going to take the leap and learn a different typing layout. Doing things better with less effort always appeals to me. I thought originally I would try Dvorak, but that layout looked too foreign and I heard it took weeks to learn. I also read that it is difficult to switch back to QWERTY, which will happen often I believe, so I decided against the Dvorak layout. I learned about the Colemak layout and took this 2 minute typing test. The typing test lets you type some text for 2 minutes, then replays your keystrokes in the QWERTY, Colemak and Dvorak layouts to see how much effort you would have saved. It turns out that your fingers move 2.2x more using QWERTY compared to Colemak. What's more, there are many users reporting the ability to use both Colemak and QWERTY interchangeably as the task requires.
Links for 2008-05-23 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"] Posted: 24 May 2008 12:00 AM CDT
The Ghost Of Future's Past: VirtSec Innovation Circa 2002 [Rational Survivability] Posted: 23 May 2008 11:19 PM CDT One of the things I try to do when looking forward for inspiration in solving problems is to ensure that I spend enough time looking back to gain perspective. I've been thinking a lot about models for virtualization security lately. As I surveyed the options (or lack thereof) splayed about before me in terms of deployment options and available technology to solve some of the problems I've been researching, I was struck by what I can only describe as a ghost of future's past. It shouldn't really surprise me like it does, but I always giggle when reminded of my own favorite saying: "Security is like bellbottoms -- every 20 years or so, the same funny-looking kit comes back into style." As it is with jeans, it is with security solutions. I dredged up some of my collected research from moons ago on the topic and dusted off a PDF that I had completely forgotten about as I was trying to piece together some vague semblance of something that strangely reminded me of VMware's VMsafe. I cracked a gigantic smile when I saw the authors -- Tal Garfinkel and some guy named Mendel Rosenblum (now co-founder and chief scientist at VMware). The PDF in question is titled Virtual Machine Introspection ("productized" as Livewire) and presents the following case:
I got to thinking about the relevance of this approach because of some of the arguments that Simon Crosby made in our debate recently. I wanted to spend some more time thinking about the architectural differences between VMware and Xen so I could try and appreciate the genesis of Simon's comments in context. This paper and the Livewire prototype were created circa 2002. It's six years later and we're just now starting to see products and technology being announced as "new and fresh" that are basically just like Livewire. While it's certainly not the first and only research on this topic, it's interesting to see that sometimes the wisdom of the past takes just a little longer to cook before it's fully baked, ready for icing and ready to be consumed. If VMsafe is an example of the evolution of prior art like Livewire, what else do we have to look forward to that's buried somewhere waiting to come back to life? Oh wait, those mainframes are coming back, aren't they? What's old is new again. /Hoff {Update: I also found some cool related stuff from Tim Fraser called Virtual Machine Introspection for Cognitive Immunity (kernel rootkit mitigation using VM Introspection) from Komoku, which was acquired about a month ago by, gasp, Microsoft...}
Fun Reading on Security - 3 [Anton Chuvakin Blog - "Security Warrior"] Posted: 23 May 2008 07:23 PM CDT Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security." Here is issue #3, dated May 22, 2008. So, my next iteration of fun reading on security, logging and other topics.
Enough for now!
More Log Management Questions - Answered! [Anton Chuvakin Blog - "Security Warrior"] Posted: 23 May 2008 06:04 PM CDT I did this VERY fun webcast with WhiteHatWorld this week and a lot of good questions about log management came up. I am answering them here for my readers. BTW, LogLogic product-specific questions can be found on the LogLogic website; I am not answering them here.
Q1: Is a preferred log management program to consolidate the log data and then allow us to review it? A1: The answer is "Yes!" For a vast majority of use cases, consolidating logs works better than the siloed approach. Also, this will be answered in a longer dedicated post within a few days (link TBA).
Q2: Is it feasible to use a log management tool to try to determine whether application events / failures are being caused by infrastructure issues? A2: Wow, fantastic! The answer to this is "Yes, if you have the right logs collected." In most cases, getting to the bottom of such issues requires having BOTH application logs (e.g. PeopleSoft or Oracle) and infrastructure logs (e.g. Windows or Solaris).
Q3: What is the typical retention schedule for logs which might be required for compliance issues? A3: I wish I could give a simple answer for this, but there is none. Well, PCI DSS makes it simple: 1 year for logs from in-scope systems. Other regulations are not as clear, and the numbers, or - more often! - guesses at such numbers, range from 90 days to 7 years and more. 90 days to 1 year is a common retention policy for security (on the longer side of this range) and operationally (on the shorter side of this range) useful logs. Check this out for a few ideas on how long you might need the logs.
Q4: Once you have logged the events, what do you do with them? A4: Well, I was about to laugh it off since it truly opens up a universe of questions, issues, challenges, etc. But here is my attempt at a short answer (like, less than a book :-)): a) you collect the logs, and now you can search through them in case you need to; b) you summarize them and notice the trends - overall, know what is going on in your environment; c) you analyze them in real time to trigger alerts on "critical" log messages - failures, attacks, etc. See this slide deck for some useful pointers.
Q5: Why do I create a log policy? A5: A log policy is a clear and simple document that shows what you log on each system (and why): it helps you configure logging across all the systems and helps you know what information you have in your environment (should an auditor ask, for example). A log policy also defines log retention, log review practices, etc. NIST 800-92 Guide to Security Log Management [PDF] is a good source of info on this subject. Enjoy! Technorati tags: log management, logging
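The three steps in A4 (collect and search, summarize, alert in real time) and the application-versus-infrastructure question in A2, as an added Python example that is not from the webcast or the post: it consolidates constructed syslog lines (fictional hosts, RFC 5737 documentation addresses), summarizes them per host and program, fires alerts on critical patterns, and correlates each application failure with infrastructure errors logged shortly before it. The hosts, alert rules, program classification and correlation window are all assumptions made for the example.

```python
"""Minimal log-management pipeline: collect/search, summarize, alert, correlate."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample syslog lines (fictional hosts; 203.0.113.x / 198.51.100.x are documentation ranges).
SAMPLE_LOGS = """\
May 22 10:01:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
May 22 10:01:05 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4423 ssh2
May 22 10:01:09 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4424 ssh2
May 22 10:02:10 web01 sshd[2210]: Accepted publickey for deploy from 198.51.100.7 port 5000 ssh2
May 22 10:03:00 db01 kernel: EXT3-fs error (device sda1): ext3_find_entry: reading directory #2 offset 0
May 22 10:03:01 db01 oracle[4401]: ORA-00600: internal error code, arguments: [kcbgtcr_1]
May 22 10:03:40 app01 peoplesoft[9001]: Request timed out waiting for database connection
May 22 10:30:00 app01 peoplesoft[9001]: Request timed out waiting for database connection
"""

# BSD syslog shape: "<Mon DD HH:MM:SS> <host> <program>[<pid>]: <message>"
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^\[:]+)(?:\[(\d+)\])?: (.*)$")
YEAR = 2008  # classic syslog lines carry no year; assume the year of collection


def parse_line(line):
    """Turn one raw line into a structured record, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, prog, pid, msg = m.groups()
    when = datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S")
    return {"time": when, "host": host, "program": prog, "pid": pid, "message": msg}


def collect(text):
    """Step a): consolidate raw lines into records, dropping unparsable ones."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def search(records, term):
    """Step a), second half: find records whose message mentions a term."""
    return [r for r in records if term.lower() in r["message"].lower()]


def summarize(records):
    """Step b): counts per host and per program to see what is going on overall."""
    return {"by_host": Counter(r["host"] for r in records),
            "by_program": Counter(r["program"] for r in records)}


# Step c): alert rules as (name, pattern on the message, number of matches needed).
ALERT_RULES = [
    ("ssh-bruteforce", re.compile(r"Failed password"), 3),
    ("kernel-fs-error", re.compile(r"EXT\d-fs error"), 1),
    ("oracle-internal-error", re.compile(r"ORA-00600"), 1),
]


def find_alerts(records, rules=ALERT_RULES):
    """Return the names of rules whose match count reached the threshold."""
    hits = Counter()
    for r in records:
        for name, pattern, _ in rules:
            if pattern.search(r["message"]):
                hits[name] += 1
    return sorted(name for name, _, threshold in rules if hits[name] >= threshold)


# Assumed classification: these programs are "infrastructure"; everything else is "application".
INFRA_PROGRAMS = {"kernel", "oracle", "sshd"}
INFRA_ERROR_RE = re.compile(r"error", re.IGNORECASE)
APP_FAILURE_RE = re.compile(r"timed out|exception|failed", re.IGNORECASE)


def correlate(records, window_seconds=120):
    """A2: for each application failure, list infrastructure errors logged in the
    preceding window. Returns (time, app host, [(infra host, program), ...])."""
    infra_errors = [r for r in records
                    if r["program"] in INFRA_PROGRAMS and INFRA_ERROR_RE.search(r["message"])]
    result = []
    for r in records:
        if r["program"] in INFRA_PROGRAMS or not APP_FAILURE_RE.search(r["message"]):
            continue
        causes = [(e["host"], e["program"]) for e in infra_errors
                  if 0 <= (r["time"] - e["time"]).total_seconds() <= window_seconds]
        result.append((r["time"].strftime("%H:%M:%S"), r["host"], causes))
    return result
```

Run on the sample, the 10:03:40 PeopleSoft timeout is explained by the kernel and Oracle errors on db01 seconds earlier, while the 10:30:00 one has no infrastructure error in its window and needs a different explanation.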
5 Tips for beginning security bloggers [belsec] [Belgian Security Blognetwork] Posted: 23 May 2008 04:52 PM CDT
First, you should decide for yourself if you want to use your real name or just a pseudonym. It is very dangerous to use your real name because in our country the IT business has no culture of discussion, debate and openness to comments and correction. It seems sometimes that every consultant has to be a Leonardo da Vinci, which even as a specialist isn't easy or even possible. The other danger is that, as there is no culture of discussion, the first response they have is to attack the messenger. Silly, but the reality.
Secondly, you should decide if you will inform your boss that you are blogging. Whatever you do, you had better not blog or write about his boss or his clients or enemies. It will always come back to you. You can inform your boss and he has no right to refuse you the right to blog - surely not if you keep yourself strictly to the rule that you don't blog about all those things connected to his firm. But if you use your real name and you can be found on the internet linked to your boss, you should inform your boss and you should ask if there is a communication or blog policy. It would be wise for some firms to have that.
Thirdly, you should decide if you let people comment on the blog or not. First of all, you shouldn't give those comments high visibility as it is something you don't control. And in most blog systems you can turn them off when needed.
Fourth, you should look for a hosted system and not try to host or implement a blogging or website system yourself. You may do it, but you will lose a lot of time trying to keep up with the pace of attacks and bugs. And when you get hacked it is your credibility that goes up in smoke.
Fifth, you should remember that Belgium has a very stringent cybercriminality law and you really should think twice before publishing stuff that could be used to attack a system. You should also think twice, as a security tester, about doing the testing yourself.
Haroon from Sensepost proves his leetness yet again [Jeremiah Grossman] Posted: 23 May 2008 04:01 PM CDT Check out this ActiveX attack on a Juniper SSL-VPN. Extremely clever and yet so simple when you really step back and take a look at how things work. A little bit of everything is involved. Some web app, predictable resource location, command execution, etc. Sheesh, what more do you want!? :)
PCI 6.6 Countdown Clock [Jeremiah Grossman] Posted: 23 May 2008 03:35 PM CDT
Cutting-Edge Networking in a Medieval Setting [Got the NAC] Posted: 23 May 2008 03:11 PM CDT I was in Belgium this week for the tenth annual TERENA Networking Conference. This meeting gathers networking and security experts from research and education networks throughout Europe and around the world. My talk (titled “Network Access Control and Beyond”) was one of many at the conference that focused on the theme of pushing beyond the ordinary. The medieval town of Bruges provided a lovely setting for this cutting-edge networking conference, causing me to reflect on the balance between stability and innovation. Research and education networkers operate on the edge between practice and theory, always balancing the dual goals of keeping their networks stable and pushing the envelope to develop next-generation services. This is not so different from corporate IT or anything else in life. There’s always a tension between stasis and change. Should we stick with the old reliable ways or move to the new? Of course, we must mix both. Without change, our networks and businesses will become obsolete. Yet uncontrolled change will make our networks unreliable. What can we learn from the TERENA researchers about living with change? Here are some of their techniques, which I think we can apply well to our own networks and organizations:
All of this comes down to creating a culture that encourages innovation while managing risk. TERENA has mastered this lesson and it's a great one for IT organizations. Innovation is the lifeblood of any enterprise. IT is a natural source of innovation. Master the lessons above and you'll make sure that your network is reliable but not obsolete. Tags: General, Appearances, Terena
Security Update For Foxit Reader [Infosec Events] Posted: 23 May 2008 02:52 PM CDT Foxit Software just released an update to their PDF reader to fix a security flaw. Secunia rated the util.printf() buffer overflow vulnerability as highly critical, so download and install the latest version now. The latest version is now 2.3 build 2923. Their download servers are very slow right now, but I was able to get it on the first try.
Big Yellow going on a diet? [StillSecure, After All These Years] Posted: 23 May 2008 02:15 PM CDT I guess someone at Symantec was listening all this time to people talking about bloatware and the overhead required to run some of their uber-agent stuff. This article in Computer Active interviews Con Mallon, Symantec product marketing director, who lays out the ambitious goals of the next generation of Symantec products:
Funny thing is, I remember when Norton and similar products actually fit that profile. For now call me a doubting Thomas, but I will believe it when I see it!
Essential Truths in Information Security: Never say "no" [Kees Leune] Posted: 23 May 2008 01:38 PM CDT "The security guy always says no" is a phrase that is heard all too often. Unfortunately, it is usually a phrase based on the reality in which people work. Even if it is not actually the case, often people will think it is. Perception is reality. Information security has a bad name. We are the people who always tell others that they cannot do certain things in the ways that they feel they need to do them. Often, we do not even give them real reasons: "because that would not be secure" is not sufficient. As a child, there is nothing as frustrating as a parent saying: "because I told you so." When addressing requests of users, the most important thing to remember is that an information security professional is a service provider, and service providers never say no. It is in our best interest to keep our users happy, to guide them and to educate them about how to go about certain things. If we really feel that a request is unreasonable, we should be able to convince the requestor of that, and have him withdraw that request himself. The person saying no should not be the information security professional. Our job is to identify risk, and have someone else decide if that risk is acceptable. Once that assessment has been made, we will design, implement, and operate security controls that are designed to help people do their jobs better. We do not say no. Business representatives do. By constantly reminding everyone in the organization that we are not there to make their lives harder by blocking them from doing things a certain way, but that we are there to make their lives easier by providing them with reliable information and with reliable information systems, we will be looked at much more favorably. Once we get the reputation that we are there to help make things better (remember, perception is reality!), people might even come to us early on in projects to ask for our input when a project is still young.
Essential Truths in Information Security: Execute with precision and excellence [Kees Leune] Posted: 23 May 2008 01:32 PM CDT This post's title hardly needs any clarification, and I'll try to keep this post brief. As information security professionals, we generally play a defensive role. Very few of us are given the opportunity and the means to play the game as an attacker. Those of us who do generally enjoy it tremendously and learn a great deal from it. Being a defender is hard; after all, as a defender you need to anticipate all possible attack vectors that an attacker might deploy against you. An attacker, on the other hand, can take the time to do reconnaissance, scan our environment, and analyze his findings. Our defenses are visible before they are put in play; an attack is not. Then, based on the analysis, the attacker can focus his attack on what he identified to be the weakest spot in our defensive controls. As a result, we need to strive to implement our controls (preventive, detective and corrective) as effectively as we can: we must execute with precision and excellence. The same is true for incident response. Once an incident has been declared, we need to ensure that our containment and eradication efforts do not make the situation worse than it already is, and we need to do so quickly. We again need to execute with precision and excellence. If there ever is a place for perfectionists, it is in designing a defensive position.
Bay to Breakers == Success [NP-Incomplete] Posted: 23 May 2008 12:12 PM CDT I finished in 1:09:28. Proof here and here. My bib number is 6530. My goal for next year is to beat Oliver Friedrichs, who whooped me by a good eight and a half minutes.
Posted: 23 May 2008 09:29 AM CDT Some Belgian blogger posted a message today that called for a night of riots and "burn baby burn" near the football stadium of Anderlecht. The reason is that on Sunday there were some fights between some youths who live around the stadium (where many, if not mostly, immigrants also live) and some football fans or hooligans/skinheads (depending on the version). Just some thoughts. The national media is putting this on the first page of their news sites and is so exploding the impact of that blog, creating a feeling of tension and interest and anxiety that wasn't there before. Every incident - even the smallest one - will now be called a riot and will be filmed and shown on national television. If nothing happens, the picture that will stay in our eyes will be the massive presence of police in riot gear showing off their force and presence. The comments under those articles from the national press - even the most progressive ones - are sometimes of such an aggressive and sometimes even racist tone that this can't appease the tensions. The extremists in fact like and need each other and prefer emotions to run high on both sides. It should be the role of the national media to make sure that there is still a place for a rational and logical debate and exchange of ideas and propositions. It is clear that their comments under such articles (as with the articles about the Flemish and the Walloons) are the bad that is drowning the rational in a flood of irrationality and even calls for military intervention. Some articles even use old pictures or pictures from riots in other countries to make their articles look better. Irresponsible. We have, I think, a law and some services that can intervene against such hate speech and radicalism on the internet. We have already used that law a few times to bring down some sites in Belgium. Based on this experience, the responsible people should invest more in monitoring the internet and getting into action fast if things like that begin to appear.
The Backup Song [/dev/random] [Belgian Security Blognetwork] Posted: 23 May 2008 08:13 AM CDT Yesterday — The Backup Song, based on: The Beatles - Yesterday
Yesterday,
Suddenly, I pushed something wrong
Now all my data's gone
Yesterday,
Source: http://www.iks-jena.de/mitarb/lutz/usenet/yesterday.html
Security Threat of Orphaned Accounts [The IT Security Guy] Posted: 23 May 2008 07:51 AM CDT This is an obvious security hole, let alone a compliance issue for every regulation under the sun -- SOX, HIPAA and PCI -- you name it. Many companies aren't careful about pruning out old accounts of users long gone -- voluntarily and otherwise -- from their systems. This was a nice summary on Redmond Channel Partner Online.
New PCI Standard Available in October [The IT Security Guy] Posted: 23 May 2008 07:47 AM CDT PCI 1.2, the updated version of the credit card industry security standard, is expected out in October, according to SC Magazine. This is the first revision of the Payment Card Industry Data Security Standard (PCI DSS) since 2006. Apparently some overlapping items will be fixed, reporting protocols will be clarified and the glossary will be expanded. Now, let's try to stay calm and not all jump for joy at once. I know the enthusiasm will be contagious.
Second Edition of Little Black Book on Amazon [The IT Security Guy] Posted: 23 May 2008 07:42 AM CDT The second edition of my book, The Little Black Book of Computer Security, is now available on Amazon. A photo of the cover is on the right, just below the photo of me in my fashionable sunglasses.
Long List of UTM devices [Jon's Network] Posted: 23 May 2008 02:35 AM CDT Whenever I learn about a new UTM device (or next generation firewall, secure network gateway, etc.), I'm amazed that there is yet another one. Some of these are well known, but others I've never seen in the wild. How many of these companies are making money right now? Here is a first stab at listing every UTM company or device out there. If you have others, email them to me or leave a comment. I'll be adding to this list as I learn about new ones. If you have any experience or opinions about any of them, I would be interested in hearing that too. In (pretty much) random order:
Secure Computing's Secure Firewall and SnapGear
Checkpoint UTM (These are really Crossbeam boxes)
Calyptix AccessEnforcer (thank you Jamie)
China telco re-org schema announced. [Telecom,Security & P2P] Posted: 23 May 2008 01:08 AM CDT After years of rumors, the final picture of the China telco re-org got announced today. It's somewhat the same as the gossip inside the circle. The executives of the new companies are also mentioned:
This re-grouping is interlocked with the 3G licenses. It's said that the new CMCC will get TD-SCDMA, while the new CUC will get WCDMA, and CT will get CDMA2000. It's interesting to look back at what I summarized about the evolution of the China telecommunication industry in the past 10 years.
Web 2.0 Security and Privacy Workshop [Infosec Events] Posted: 23 May 2008 12:50 AM CDT Today at the Claremont Resort in Berkeley, California, I attended the Web 2.0 Security and Privacy workshop. It was sponsored by IEEE, who just finished their Symposium on Security and Privacy yesterday. The papers for the Web 2.0 Security and Privacy workshop are now available, and can be found on the program page. Presentations should be online soon. Like the USENIX UPSEC and LEET workshops, most of the presentations came from academia. At least this time the crowd was more balanced. Of the fifty or so people that attended, about twenty were from universities, and the rest were from companies. I enjoyed many of the talks, especially Collin Jackson and Adam Barth's Beware of Finer-Grained Origins presentation, and of course Niels Provos' All Your iFrames Point to Us keynote. So were there any cool tools or resources announced at the workshop? I'm not sure about new releases, but there were a couple of neat things.
Expression Engine 2.0 Preview [Jon's Network] Posted: 23 May 2008 12:38 AM CDT EllisLab is releasing Expression Engine 2.0 with lots of new bells and whistles this summer. Check out the quick video showing off the back end: Expression Engine 2.0 Preview.