Monday, May 26, 2008

Spliced feed for Security Bloggers Network

Physical Access always means p0wned [vandeneynde.net] [Belgian Security Blognetwork]

Posted: 26 May 2008 02:54 AM CDT

I blogged about it before, but every now and then someone finds a new physical ‘hack’ into Windows. Here is an example of a recent hack using BackTrack to gain access.

This just illustrates one of Microsoft’s 10 Immutable Laws of Security:

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore

Presentations from the European OWASP Application Security Conference [Security4all] [Belgian Security Blognetwork]

Posted: 25 May 2008 03:33 PM CDT

Last week, the OWASP Security Conference was in Belgium. Unfortunately, I couldn't make the time to go. But the presentations are online. They are not yet all complete but probably will be in the...

Papers from Web 2.0 Security and Privacy Workshop [Security4all] [Belgian Security Blognetwork]

Posted: 25 May 2008 03:24 PM CDT

The papers for the Web 2.0 Security and Privacy workshop are now available, and can be found on the program page. Presentations should be online soon. For a small review, visit the infosec events...

5 Steps to Slide Design for Non-Designers [Security4all] [Belgian Security Blognetwork]

Posted: 25 May 2008 03:08 PM CDT

Ellen Finkelstein has a very interesting article on slideshare.net about 5 Simple steps to improve the design of your presentations and a way to lessen a bit on those bullet points. 1. Create a...

Whiz is overrated. [NP-Incomplete]

Posted: 25 May 2008 02:40 PM CDT

TippingPoint chief architect says embedding security in switches and routers is a fool's errand [StillSecure, After All These Years]

Posted: 25 May 2008 10:32 AM CDT

If there were any doubt in your mind about how much the TippingPoint team wants to be part of 3Com, you should listen to this video of Brian Smith, chief architect of TippingPoint, talking to SearchSecurity.com. Brian comes right out and says that the original idea behind the 3Com acquisition was the synergy of putting security into switches and routers. After about a year of trying to do this, he says that he realized it was a "fool's errand" because security is evolving so much quicker than networking. I don't know, but that is probably not the opinion of Cisco, HP ProCurve, Foundry, Extreme, Enterasys and Juniper, who all seem to be doing exactly that. Perhaps it had more to do with a clash of personalities there than with technology?

Later in the interview Brian states that after the expected synergies never materialized it was decided to spin TippingPoint off in its own IPO. Luckily they had retained their own identity, which Brian says may not have been possible if they had been acquired by Cisco or IBM. He basically says that the merger was a failure and they wanted to go their own separate ways. Then the Bain deal put everything on hold, and now, post-Bain deal, they are becoming more and more autonomous. Though he doesn't come out and say it, his body language is screaming that he cannot wait to be spun out from 3Com.

My advice is to be careful what you wish for. The security industry is not what it was before the acquisition, and without someone's deep pockets behind you and without the ability to move successfully beyond IPS, TippingPoint may not find it as welcoming as they think.

Scottish ecounting report shows that is not what you do but how you do it that counts [belsec] [Belgian Security Blognetwork]

Posted: 24 May 2008 05:23 PM CDT

The Dutch government has decided that it will invest more money in technology to count the votes than in technology to replace the paper ballots with an electronic process. But, as we have often said here, it is not about being for or against technology; it is about the way that you do it. And you only do it if it can be done in a responsible way. As with other software in other countries or parts of the UK, this use of technology didn't lead to any problems.

The e-counting process in the last Scottish elections had a few problems, and one of them (a wrong Excel file) even nearly led to proclaiming Labour the bigger winner (while they were not). The parliamentary report has a lot of propositions and remarks, and some of them may even be interesting for us.

One of the most remarkable is to start counting the day after the election and not during the day itself.

What an attacked blogger can do [belsec] [Belgian Security Blognetwork]

Posted: 24 May 2008 04:35 PM CDT

1. First you have to limit the supposed damage by retracting the posting or article. You should make sure that you have screenshots and email proofs. A posting is not worth the thousands you can lose. I know it seems like blackmail, but that is the world we live in. It is better to just wait a bit, because the truth will always come out.

2. You should collect all the proof you have at hand (or on your phone or in your mail) that shows that you have done everything possible to send your information to the responsible persons before publishing it out of desperation. You should also keep that information backed up.

3. Everything you will say afterwards can and will be used against you. You should for this reason limit your communications to the strict minimum and stick to the facts. You should also stick to your storyline.

5. You should not panic or be impressed. Just keep a cool head and work your way through the procedure as described above.

Malicious marketing in the anti-malware industry. [www.remes-it.be] [Belgian Security Blognetwork]

Posted: 24 May 2008 04:34 PM CDT

I was doing some research for a presentation I might give in a few weeks (more details to follow if it goes through) and something struck me.

I'm familiar with http://www.av-comparatives.org/ and I visit their site regularly. So I went down to http://www.kaspersky.com and ended up on this page: http://www.kaspersky.com/comparative_tests?id=207575621 ... Great, apparently they're doing well :-) but! Yes, there is a but...

a) the av-comparatives website strictly prohibits the online tables and/or reports from being used in part or in whole. (Yes, I will report it.)

What firms with vulnerable networks should do [belsec] [Belgian Security Blognetwork]

Posted: 24 May 2008 04:28 PM CDT

You should send an army of lawyers to the publisher when it is published and try to get him or her to shut up. The end result will be that it will go around even more and that in the end some other information will be published that isn't really comforting. If in the meantime you manage to make some other activists angry, you are sure to attract a lot of interest and real sympathy.

You should think that your IT staff is the best in the world and knows everything, and that external security checks by people with advanced knowledge and no loyalty to anyone on your staff are absolutely not necessary. You are sure that you are only attacked by script kiddies and that professional hackers will not bring you down or compromise your services.

You should buy a seal that says you aren't hackable, and you should pay a lot to audit firms that have minimized your risks. You should be near a norm that has a list of things to do as thick as a book. On paper everything looks okay, so why would there be any problem? Isn't the world exactly as it should be if you live by the book? If the book says there is no vulnerability or problem, then why should you worry?

An advice security groups should listen to [belsec] [Belgian Security Blognetwork]

Posted: 24 May 2008 03:58 PM CDT

Last week a Belgian security group got its forum hacked (as do so many others, if you read the names of the hacked websites on zone-h.org), and that made it a laughing stock for some.

We know that some other Belgian security groups are also hosting old and hackable versions of community software and are just time bombs waiting to go off.

The problem is that you can't claim to be a security group on one side and try to convince people to install patches and upgrades as they come out, and at the same time run these on a hackable old version of (sometimes open-source) community software.

We have also thought that you should leave the hosting and programming to professionals who do that all the time, every day, and that content editors should concentrate on the content, not the programming. I know it seems fun to be playing with code and making the thing work yourself, but what is more fun: choosing your names, colours, functions, promotion and content, or trying for the xth time to upgrade your adapted version of the software without losing all the customisation?

A bigger difference between Belsec and Belgian Security Bloggers [belsec] [Belgian Security Blognetwork]

Posted: 24 May 2008 03:39 PM CDT

The Belgian Security Bloggers Network is a coordinated, integrated newsfeed of several Belgian security blogs which we contacted. Each of those blogs is solely and individually responsible for its own writings and at no time has the duty to coordinate or ask about the things they may or may not publish.

If one of the Belgian security bloggers has information of which they aren't sure whether publishing it would be within the law or would be responsible, they can ask the opinion of Belsec. But Belsec takes no responsibility if this is not done or not followed. It may also take time to form such an opinion, and Belsec may also decide that the information needs to be sent to backchannels as fast as possible because of its critical nature.

While the network of Belgian security bloggers is growing steadily, we will think about how to formalize this in procedures and agreements. For this we need to do some more work with our backchannels to be sure that the information we send is not lost.

Belsec is a collective IT security blog that tries to give relative anonymity by mixing information from different emailed resources and from different posters. Each poster is responsible for his or her postings, and those posts can and will be removed if there are legal problems with them. We hope we avoided these in the last few days for some people.

You can ask for an account by sending an email.

Meanwhile belsec is also a network of people, contacts, knowledge and thousands of resources online. There is also backchannel political work in preparing things or looking up things.

We are open to any professional that respects the rules and that wants to work together in an open and professional way.

But to make some things clear: Belsec is not the Belgian Security Bloggers Network; Belsec is only part of this network. And in the Belgian Security Bloggers Network each blogger is responsible for his own blog, but if he or she is attacked in a way that is unacceptable, we will try to organise a response and help him or her get through that.

DNS based revoke lists [Robert Penz Blog]

Posted: 24 May 2008 08:53 AM CDT

I just thought about the scaling problem of the SSL revocation lists I wrote about in my last blog post. The first two solutions that came to mind were peer-to-peer or DNS-based ones. Peer-to-peer would not be that good for enterprise users, so I took a short look at DNS-based revocation lists. I just entered it into Google and got RFC 2538 back as the answer. That's a full solution for storing certificates in the DNS (and yes, also a revocation list). Maybe we could use the revocation list part of this RFC for the SSL revocation lists. This solution would scale without problems, and with DNSSEC it would get even more secure.

So why is that not implemented? Just one browser vendor and one CA need to go forward and the rest will follow. They could do that instead of the “green” HTTPS stuff, which is only there to generate more money. What are your thoughts about this?
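
As an added illustration (my code, not Robert's and not taken from RFC 2538 itself), here is a small Python encoder/decoder for the RDATA of the CERT resource record that the RFC defines: a 16-bit type, a 16-bit key tag, an 8-bit algorithm and then the certificate or CRL bytes, plus the zone-file presentation form. The type constants follow the RFC's section 2.1 table; the payload in the sample record is a constructed placeholder, not a real CRL, and the key tag and algorithm values are arbitrary.

```python
"""Wire and presentation format of the DNS CERT record (RFC 2538 section 2).

RDATA layout:  type (uint16) | key tag (uint16) | algorithm (uint8) | cert/CRL
Added example; the sample payload below is constructed, not a real X.509 CRL.
"""
import base64
import struct

# Type values from RFC 2538 section 2.1.  Type 1 carries an X.509 certificate
# or CRL, which is the part of the RFC relevant to a DNS-hosted revocation list.
CERT_TYPE_PKIX = 1
CERT_TYPE_SPKI = 2
CERT_TYPE_PGP = 3
CERT_TYPE_URI = 253
CERT_TYPE_OID = 254

_FIXED = struct.Struct("!HHB")  # network byte order; 5 bytes of fixed header


def encode_cert_rdata(cert_type: int, key_tag: int, algorithm: int, payload: bytes) -> bytes:
    """Serialize the fields into CERT RDATA, rejecting out-of-range values."""
    if not (0 <= cert_type <= 0xFFFF and 0 <= key_tag <= 0xFFFF and 0 <= algorithm <= 0xFF):
        raise ValueError("CERT field out of range")
    return _FIXED.pack(cert_type, key_tag, algorithm) + bytes(payload)


def decode_cert_rdata(rdata: bytes) -> dict:
    """Parse CERT RDATA; a record shorter than the fixed header is malformed."""
    if len(rdata) < _FIXED.size:
        raise ValueError("CERT RDATA truncated: %d bytes, need at least %d"
                         % (len(rdata), _FIXED.size))
    cert_type, key_tag, algorithm = _FIXED.unpack_from(rdata)
    return {"type": cert_type, "key_tag": key_tag,
            "algorithm": algorithm, "payload": bytes(rdata[_FIXED.size:])}


def to_presentation(rdata: bytes) -> str:
    """Zone-file text form: 'CERT <type> <key tag> <algorithm> <base64 payload>'."""
    f = decode_cert_rdata(rdata)
    return "CERT %d %d %d %s" % (f["type"], f["key_tag"], f["algorithm"],
                                 base64.b64encode(f["payload"]).decode("ascii"))


def from_presentation(text: str) -> bytes:
    """Inverse of to_presentation(); the base64 may be split over several tokens."""
    parts = text.split()
    if len(parts) < 5 or parts[0].upper() != "CERT":
        raise ValueError("expected 'CERT type key_tag algorithm base64...'")
    cert_type, key_tag, algorithm = (int(p) for p in parts[1:4])
    payload = base64.b64decode("".join(parts[4:]))
    return encode_cert_rdata(cert_type, key_tag, algorithm, payload)


# Constructed sample record: PKIX type, arbitrary key tag 12345 and algorithm 5,
# five placeholder bytes standing in for DER-encoded CRL data.
SAMPLE_PAYLOAD = b"\x30\x03\x02\x01\x01"
SAMPLE_RDATA = encode_cert_rdata(CERT_TYPE_PKIX, 12345, 5, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    text = to_presentation(SAMPLE_RDATA)
    print(text)
    assert from_presentation(text) == SAMPLE_RDATA
```

The decoder refuses records shorter than the five-byte fixed header rather than reading past the end; anything a resolver hands back should be checked that way before the payload is fed to an X.509 or CRL parser.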

so that's why you didn't vote :-) [www.remes-it.be] [Belgian Security Blognetwork]

Posted: 24 May 2008 07:30 AM CDT

ok ... I secured it a little too much and prevented you from voting on the poll ... it's open now, please cast your votes.

The fallout of the Debian OpenSSL security problem [Robert Penz Blog]

Posted: 24 May 2008 04:32 AM CDT

Today I don’t want to write about how the Debian security problem occurred, or whether it was the fault of the Debian maintainer or the OpenSSL guys. We’re all human, so errors can occur, but this shows a much bigger problem we have: our SSL infrastructure!!

I’m quite sure you read about the weak SSL key whitehouse.gov had, and that the White House does not handle its SSL stuff itself; instead they use Akamai for this. If you don’t know Akamai, it is a major content distribution network. They have tens of thousands of servers distributed all over the world, and the content is served by the closest server to provide higher download speeds for the customers and make a DDoS attack much harder, if not impossible. Their customer list includes Microsoft, the New York Times and so on.

So basically the SSL keys of the Akamai servers were weak, and it was possible to get their public keys (they are sent as part of the SSL handshake) and calculate the private ones from them (there are only 32k possible keys). I know that at least one person did it and sent the keys to the CCC, which verified the authenticity of the keys. Sure, Akamai replaced their keys immediately. BUT. There is no way to revoke the SSL keys!!

What most people don’t seem to understand so far is that these keys are signed by a CA which is in every browser. This means that a man-in-the-middle attack can easily be performed with this. As ATI is also a customer of Akamai, someone could send you a Trojan horse instead of the newest ATI download you wanted. SSL has in theory two defenses against this:

  • Keys expire; the Akamai key expires in October 2008
  • Originally SSL had the idea that CAs publish a list of compromised keys (a revocation list) and that as part of the SSL handshake the browser should check if a key is on the list. The problem with it was that this does not scale and is a privacy problem too. Browsers don’t implement this or have not activated it by default.

So we’re out in the open for this key until this fall, but that won’t be the end, as e.g. GoDaddy at least allows signing keys for a longer period of time, e.g. 3 years. And the same problem occurs if a private key is leaked by other means. The whole foundation of our web security infrastructure is built on sand. We need something new!!

PS: I want to stress that Akamai did nothing wrong here. They did everything right and still have a problem!
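
As an added example (my code, not Debian's, Akamai's or the CCC's), the Python below shows the mitigation that actually shipped for keys like these while revocation was unavailable: because the whole weak key space was enumerable, every weak public key could be pre-generated and its fingerprint put in a blocklist, and a client or admin checks the key it sees against that list. The fingerprint format assumed here mirrors what I recall of Debian's openssl-blacklist package, namely SHA-1 over the text that `openssl x509 -noout -modulus` prints (a `Modulus=` line with uppercase hex), keeping the last 20 hex digits. The moduli used are small constructed integers, not real keys, and the blocklist is built from them inside the script rather than downloaded.

```python
"""Blocklist check for RSA moduli with a known-weak fingerprint.

Added example.  After the Debian OpenSSL bug the weak keys were few enough to
pre-compute, so Debian shipped their fingerprints (openssl-blacklist) instead
of relying on CRLs.  Fingerprint format assumed: SHA-1 of the line that
`openssl x509 -noout -modulus` prints, keeping the last 20 hex digits.
The moduli below are constructed small numbers, not real RSA keys.
"""
import hashlib


def normalize_modulus(modulus) -> str:
    """Return the modulus as uppercase hex, no prefix, no leading zeros.

    Accepts an int, a bare hex string, or the full 'Modulus=...' line."""
    if isinstance(modulus, int):
        if modulus <= 0:
            raise ValueError("modulus must be positive")
        return "%X" % modulus
    text = modulus.strip()
    if text.lower().startswith("modulus="):
        text = text[len("modulus="):]
    if text.lower().startswith("0x"):
        text = text[2:]
    return normalize_modulus(int(text, 16))


def modulus_fingerprint(modulus) -> str:
    """SHA-1 over 'Modulus=<HEX>\\n', last 20 hex digits (assumed list format)."""
    line = "Modulus=%s\n" % normalize_modulus(modulus)
    return hashlib.sha1(line.encode("ascii")).hexdigest()[-20:]


def build_blocklist(weak_moduli) -> frozenset:
    """Fingerprint every known-weak modulus.  In practice this set came from
    enumerating the small seed space and regenerating each weak key."""
    return frozenset(modulus_fingerprint(n) for n in weak_moduli)


def is_weak(modulus, blocklist) -> bool:
    """True if the presented key's fingerprint is in the blocklist."""
    return modulus_fingerprint(modulus) in blocklist


# Constructed stand-in for the enumerable weak key set (real lists hold
# tens of thousands of entries per key size).
WEAK_MODULI = [
    0xC0FFEE1234567890ABCDEF,
    0xDEADBEEF00000000000001,
    0xBADC0DE0BADC0DE0BADC0DE,
]
BLOCKLIST = build_blocklist(WEAK_MODULI)


def check_modulus_line(line: str) -> str:
    """Classify one 'Modulus=...' line exactly as openssl prints it."""
    return "WEAK" if is_weak(line, BLOCKLIST) else "ok"


if __name__ == "__main__":
    # A key from the weak set, as openssl would print it, and an unrelated one.
    print(check_modulus_line("Modulus=C0FFEE1234567890ABCDEF"))
    print(check_modulus_line("Modulus=F00DF00DF00DF00DF00DF00D"))
```

Pipe the output of `openssl x509 -in server.pem -noout -modulus` into check_modulus_line to test a real certificate against a real list. The point of the normalisation step is that the fingerprint must be computed over byte-identical text, so lowercase hex, a `0x` prefix or leading zeros would otherwise make a weak key look clean.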

5 Tips for beginning security bloggers [belsec] [Belgian Security Blognetwork]

Posted: 23 May 2008 04:52 PM CDT

First you should decide for yourself if you want to use your real name or just a pseudonym. It is very dangerous to use your real name, because in Belgium the IT business has no culture of discussion, debate and openness to comments and correction. It sometimes seems that every consultant has to be a Leonardo da Vinci, which is not possible even for a specialist. The other danger is that, as there is no culture of discussion, the first response you receive is an attack on the messenger. Silly, but the reality.

Secondly you should decide if you would inform your boss that you are blogging. Whatever you do, you had better not blog or write about your boss or your clients or enemies. It will always come back to you. You can inform your boss, and he has no right to refuse you the right to blog, surely not if you stick strictly to the rule that you don't blog about anything connected to his firm. But if you use your real name and you can be found on the internet as linked to your boss, you should inform your boss and you should ask if there is a blog policy. It would be wise for some firms to have one.

Thirdly you should decide if you let people comment on the blog or not. First of all you shouldn't give those comments high visibility on your blog, as it is something you don't control. And in most blog systems you can turn them off when needed.

Fourth, you should search for a hosted system and not try to host or implement a blogging or website system yourself. You may do it, but you will lose a lot of time trying to keep up with the pace of attacks and bugs. And when you get hacked, it is your credibility that goes up in smoke.

Fifth, you should remember that Belgium has a very stringent cybercrime law, and you really should think twice before publishing stuff that could be used to attack a system. You should also think twice as a security tester before doing the testing yourself. If we publish technical analysis, it has been done by professional security testers and not by individuals.

Haroon from Sensepost proves his leetness yet again [Jeremiah Grossman]

Posted: 23 May 2008 04:01 PM CDT

Check out this ActiveX attack on a Juniper SSL-VPN. Extremely clever, and yet so simple when you really step back and take a look at how things work. A little bit of everything is involved: some web app, predictable resource location, command execution, etc. Sheesh, what more do you want!? :)

PCI 6.6 Countdown Clock [Jeremiah Grossman]

Posted: 23 May 2008 03:35 PM CDT

On the right side column I built a PCI DSS 6.6 countdown clock. If you want to use it, and dare trust my JavaScript, here's the line:

<script src="http://www.webappsec.org/inc/js/pci6.6_countdown.js"></script>

Incidentally, you have 38 days left to sort things out.

Brain Rules, The presentationzen slides [Security4all] [Belgian Security Blognetwork]

Posted: 23 May 2008 01:36 PM CDT

The Author of Brain rules has his own blog. I noticed that Garr Reynolds from Presentationzen had a lot of praise about his book and made a similar slideshow as he did for Johnny Bunko - a Career...

Bay to Breakers == Success [NP-Incomplete]

Posted: 23 May 2008 12:12 PM CDT

I finished in 1:09:28. Proof here and here. My bib number is 6530.
My goal for next year is to beat Oliver Friedrichs, who whooped me by a good eight and a half minutes.

Heading to a Long Weekend of Dance [Security Uncorked]

Posted: 23 May 2008 09:37 AM CDT

After many days, weeks and months of working on various customer and company projects, I’m taking the weekend off! (Yes, I usually work weekends and use the time to read, review and catch up.)

Most of my dance peeps have already trekked down to Atlanta for the 2008 USA Grand Nationals Dance Comp, a professional show of Shag and West Coast Swing dancers from across the country. I’ll be heading out in just a few hours with one of my friends to join the flock.

In case you haven’t kept up with previous posts, I used to compete in Shag (looong ago), then American Ballroom and, most recently, West Coast Swing. This event is the perfect spot to see fellow friends and dancers from today and yesteryear.

Because of my work schedule, I’ve taken a bit of a hiatus for the past couple of years. I won’t be competing here, but it’s a great competition to watch and the best group of people around!

I’m excited and I hope to get back on the photo-taking bus and have lots of fun and goofy shots to share next week.

# # #

An Interesting Firefox Flaw [Sunnet Beskerming Security Advisories]

Posted: 23 May 2008 08:53 AM CDT

Ronald van den Heetkamp has published information about an interesting heap corruption in Firefox.

Put simply, it has been discovered that merely running document.open, document.write and document.close in close succession can sometimes lead to code not being executed prior to the document being closed (by the obviously named document.close method) and to some inconsistent behaviour from Firefox. The interesting aspect of what Ronald has discovered is that if he uses an empty applet, it leads to a fairly predictable denial of service a couple of minutes after attempting to load the initial code element. Based on the information provided, it is predictable in the sense that it can be assumed the browser will be unresponsive within a few minutes of loading the code, even if the underlying mechanism of just how the code is causing the failure is not understood.

Although Ronald has not developed his example to the point of executing code, the sample gives an easy starting point for further investigation and development. It is true that not every heap corruption is going to end in arbitrary code execution, but on initial view it does seem possible with this particular vulnerability. At the moment it is an interesting and simple denial of service vulnerability.
