Tuesday, June 10, 2008

Spliced feed for Security Bloggers Network

If you are going to be late, at least call [StillSecure, After All These Years]

Posted: 10 Jun 2008 07:48 AM CDT

How many times did your parents tell you that when you were growing up?  Well, it looks like someone at United was listening.  I was scheduled to fly out of Ft Lauderdale today on an 8am flight to Denver.  Last night around midnight (OK, they woke me up, as I went to bed early to get up for the flight) they called to tell me that the flight was late and would not be leaving until about 11:10.  Knowing that, I didn't wake up at 5:00am and instead slept a little later.

Hey, it doesn't make up for the fact that I wanted to be in Denver early and get work done, but it was certainly better than getting up in the dark and going to the airport only to find out I had a 3 hour wait.

Major ISPs step up to curb child porn [StillSecure, After All These Years]

Posted: 10 Jun 2008 05:50 AM CDT

[Image: Andrew Cuomo, via Wikipedia]

Actually they were forced to step up. Steven Musil reports that according to this NY Times article, NY State Attorney General Andrew Cuomo has forced several of the largest ISPs, including Verizon, Sprint and Time Warner Cable, to institute blocking of web sites and usenet groups that traffic in child pornography. I say: what took so long? For years now the ISPs have wrapped themselves in First Amendment issues and claimed that they had no responsibility for individuals communicating with other individuals. But as Musil reports, Cuomo said that at some point, if they knowingly allow such illegal activity, they do bear responsibility. Cuomo's office had to threaten legal action before the ISPs would agree to get involved, though.

The "I don't have responsibility" defense used by the ISPs has been frustrating for a long time. When I was in the hosting business, some web hosts said the same thing about hosting web sites with illegal content (porn, warez, etc.). Law enforcement was quickly able to pierce that veil and get web hosts to take down illegal sites. Cuomo, I think, said it best: "No one is saying you're supposed to be the policemen on the Internet, but there has to be a paradigm where you cooperate with law enforcement, or if you have notice of a potentially criminal act, we deem you responsible to an extent".

Of course the question is: who picks what is objectionable? Child porn is easy, but what about other types of porn, gambling sites, etc.? Once we put the power to filter content in a private company's hands, we trust them to filter only what is illegal. But it would be naive to think they won't filter for their own best interests either.

While I applaud this step and give Andrew Cuomo credit for bringing the ISPs to heel, I think you have to put some process in place to make sure that legitimate and protected communications and freedom of speech are not suppressed.

In any event, now the security folks can blame the ISP for why certain executives' web browsing to questionable sites is being blocked ;-)

[Chinese] A webshell on the website [Telecom,Security & P2P]

Posted: 10 Jun 2008 04:52 AM CDT

While checking the files on sbin.cn today I happened to discover that a webshell had been planted on the site; judging by the timestamp, it happened about a week ago. Somewhat depressed, I did some cleanup and changed all the passwords, hoping the intrusion did not go very deep.

As everyone knows, sbin.cn is a shared-hosting site on Bluehost, so I searched for security issues concerning Bluehost. The results were a mix of good and bad.

One news item said that the blog of Bluehost CEO Matt Heaton (http://mattheaton.com/) was hacked twice in February; the author consoled readers by noting that US Vice President Al Gore's website had been hacked too. Seen this way, either Bluehost's security is not ideal, or Bluehost's IT security team overlooked the VIPs' sites and gave them no special protection.

Another post was by a foreign netizen who laid out his views on security and how to protect credit card information, offering some advice; he also pointed out that Bluehost is PCI compliant, in other words Bluehost meets the PCI security requirements for protecting credit card data. So perhaps my credit card information is not yet being bought and sold.
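A triage scan of the kind this post's cleanup calls for, as an added example that is not the author's code: it walks a document root, flags PHP files that match common one-line backdoor signatures, and reports files modified after a known-good baseline so the planting date can be estimated from timestamps, as the author did. The signature list, file names and timestamps below are constructed for the example.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Constructed signature list for this example; real scanners carry far more
# patterns, but these four catch the most common one-line PHP backdoors.
SIGNATURES = {
    "eval-of-request-input": re.compile(
        r"\beval\s*\(.*?\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I | re.S),
    "base64-obfuscation": re.compile(r"base64_decode\s*\(", re.I),
    "command-execution": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    "preg_replace-e-modifier": re.compile(
        r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I),
}

PHP_EXTS = (".php", ".phtml", ".php5", ".inc")


def scan_tree(root, newer_than=None):
    """Walk `root`; flag PHP files that match a signature and/or were modified
    after `newer_than` (Unix timestamp of the last known-good deploy/backup)."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_EXTS:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        hits = [name for name, rx in SIGNATURES.items() if rx.search(text)]
        mtime = path.stat().st_mtime
        recent = newer_than is not None and mtime > newer_than
        if hits or recent:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "hits": hits,
                "mtime": time.strftime("%Y-%m-%d", time.gmtime(mtime)),
                "recent": recent,
            })
    # Signature hits first, then alphabetical, so the real problems sort to the top.
    findings.sort(key=lambda f: (-len(f["hits"]), f["path"]))
    return findings


def build_sample_site():
    """Constructed sample tree: a clean site deployed 60 days ago and a
    one-line backdoor planted under images/ a week ago."""
    root = Path(tempfile.mkdtemp(prefix="site-"))
    now = time.time()
    files = {
        "index.php": ('<?php include "header.php"; echo "hello"; ?>', now - 60 * 86400),
        "header.php": ("<?php $title = 'sbin'; ?>", now - 60 * 86400),
        "images/.cache.php": ("<?php @eval(base64_decode($_POST['cmd'])); ?>", now - 7 * 86400),
        "images/logo.jpg": ("not really a jpeg", now - 7 * 86400),
    }
    for rel, (content, mtime) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        os.utime(p, (mtime, mtime))
    return root, now - 30 * 86400  # baseline: date of the last verified-clean backup


if __name__ == "__main__":
    site, baseline = build_sample_site()
    for f in scan_tree(site, newer_than=baseline):
        print(f"{f['mtime']}  {f['path']:<20} recent={f['recent']}  {', '.join(f['hits']) or '-'}")
```

Timestamps are only a hint: an attacker who touches files back to the deploy date defeats the `recent` flag, which is why the signature match is the primary signal and the mtime is used for dating, not detection.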

Virus Variant Extorts You by Encrypting Your Files [Darknet - The Darkside]

Posted: 10 Jun 2008 04:10 AM CDT

Malware authors are getting sneaky again; in the latest turn of events they have started encrypting your files and holding them for ransom! You have to pay up to get the ‘decryptor’ and get access to your files again. This is pretty dangerous…and cunning too. It’s not easily broken either; they are using 1024-bit RSA...

Read the full post at darknet.org.uk

E-Trade Goes Mobile [Infosecurity.US]

Posted: 10 Jun 2008 12:44 AM CDT

E*Trade (Nasdaq: ETFC), is reportedly going mobile on the BlackBerry platform. The information security implications are, shall we say, rather E*Normous! Writing for Ecommerce Times, Keith Regan brings up disconcerting news regarding the application: ” Mobile accounts will be password-protected, with the accounts set to automatically shut a user out after five minutes of inactivity, E*Trade [...]

SearchSecurity.com - Guide to information security certifications [Vincent Arnold]

Posted: 09 Jun 2008 11:45 PM CDT

Source: Ed Tittel and Kim Lindros, 05.08.2008. Rating: 4.83 (out of 5)

For this update to our survey we added only one new vendor-neutral certification, the GIAC Certified Incident Manager, or GCIM. On the other side of the table, numerous items were deleted or removed. 12 full-blown vendor-neutral credentials were dropped for reasons that vary from no information available, to no visible signs of life, to a virus lurking on the program’s home Web page. We can’t take a security program seriously if its operator lets its website attempt to download viruses to its visitors. We also decided to drop individual Brainbench security exams, because they don’t lead to certification in and of themselves, which drops the vendor-neutral count by another 5 items. We also did away with coverage of the GIAC certificate and specialist items to drop another 23 items.

IMDB, Amazon Fall Victim To DDoS [Infosecurity.US]

Posted: 09 Jun 2008 11:13 PM CDT

The weekend’s news brings yet another Distributed Denial of Service Attack (DDoS), this time at the Internet Movie Database (IMDB), reports Supranamaya Ranjana, technical analyst with network services company Narus, in the company blog of Dr. Antonio Nucci (the Narus CTO). Also reported by CNET. Ranjana also implies that the IMDB site is hosted on the AWS [...]

I’m a Slacker [BumpInTheWire.com]

Posted: 09 Jun 2008 10:59 PM CDT

I’ve been a real slacker when it comes to BITW lately.  I guess when I finally get an hour or two at the end of the day to sit down I don’t have much fuel left in the tank to type something up.  I can barely remember what I did today.  We did get the logo for our BBQ team today which I think is the “balls.”  Unfortunately every time I look at it it haunts the hell out of me.  She’s watching, judging.  Saying look at the baby, look at the baby.  My “angry” is the one on the left.

I actually do have a little NAC business to talk about.  Thursday night we put a switch that all of our internet links connect to in front of our LANenforcer 2024 (or we put the LANenforcer 2024 behind the switch).  In this set up the LE 2024 isn’t the deflection point as there is a firewall sitting between the internet links and LE 2024.  So far we have not had any problems by doing this.  We now have two different LE 2024s in two different locations in relation to internet links.  We have one at our second site as the deflection point that is sitting in front of a firewall and the one I just wrote about that sits behind the firewall.  Neither have caused a single issue thus far.  The only problem I see by doing this is during firmware/software upgrades.  An upgrade of the LANenforcer takes a few minutes and that will result in a few minutes of internet outage unless we bypass the LE before an upgrade.  I think this is the route we will end up taking.

We had a situation last week where a new vlan was created, configured, etc, etc and the dhcp scope was not giving out DHCP addresses.  It turned out that it wasn’t a switch problem or a dhcp problem.  The vlan had not been added to the LE 2024.  This led to a short conversation on how easy it is to forget about the LE 2024s.  They just work.  We’ve removed them in a couple of troubleshooting scenarios but they’ve never been the cause of a problem.  We hadn’t added a vlan to our network in months.  When El Sidekick did it last week and it didn’t work the LE 2024 popped into my head after looking at two or three other things first.  Easy to forget about.

links for 2008-06-10 [Raffy's Computer Security Blog]

Posted: 09 Jun 2008 09:31 PM CDT

Unencrypted AT&T Laptop with Employee Data Stolen [Liquidmatrix Security Digest]

Posted: 09 Jun 2008 09:31 PM CDT

Um, whoops.

From Consumer Affairs:

A laptop containing personal information on AT&T employees and management was stolen from an employee’s vehicle last month, the company said.

The laptop, which had no encryption or security protection beyond a password lock, contained names, Social Security numbers, and salary information for an undisclosed number of workers.

Employees were notified of the theft on May 22, seven days after the theft, according to privacy watchdog PogoWasRight.org, which first reported the story. In a letter to employees, AT&T said that, “The measures and precautions we put in place to protect the security of company-owned property and our employees’ personal information were not followed.”

AT&T said that the responsible employee “has been disciplined.”

Disciplined you say?

Muawhaha!

Article Link

Dynamic vulnerability assessment [StillSecure, After All These Years]

Posted: 09 Jun 2008 07:59 PM CDT

A few weeks ago I wrote about the current state of vulnerability assessment being like a parody of an Obama/Hillary commercial.  Who answers the phone at 3am?  For vulnerability assessment, the results are only as good as who answers the scan.  This has been a problem for security managers and vulnerability assessors for some time: balancing scanning during prime time and impacting network performance versus scanning during down times when the devices you need to scan may not be available.

Today StillSecure announced our response to ending this problem. We call it Dynamic Vulnerability Assessment (DVA).  With DVA you will have vulnerability and compliance data as of at least the last time a device logged on to the network.  This closes the loophole and gives organizations a much more comprehensive and secure assessment of who is on the network and what they look like.

To accomplish this we are using some of our NAC technology from Safe Access. This allows us to detect devices as they come on the network. We can also use the purpose-built Safe Access testing engine to do deep compliance checks to supplement the traditional vulnerability checks.  We think this is a big step up in vulnerability assessment and management.  I am interested in what others think.

Another TSA move that doesn't make sense [StillSecure, After All These Years]

Posted: 09 Jun 2008 07:58 PM CDT

[Image: Seal of the United States Transportation Security Administration when it was still part of the Department of Transportation (it moved to the Department of Homeland Security when that department was formed), via Wikipedia]

Everyone has a story to illustrate that the TSA may not be the brightest bulbs on Broadway.  I read a blog on C/Net today that once again proved to me that they are either incredibly naive or don't really think things through. Almost since 9/11 you could still fly on US airlines without showing ID. It would subject you to increased scrutiny and a pat down search, but if you did not have ID you could still fly.  I found out about this because once, while flying with Dave Greenstein of StillSecure, he forgot his ID and was still able to get home.

Now the TSA is saying that if you willfully refuse to produce ID you cannot fly at all.  However, if you forget or don't have ID you can still fly as long as you are cooperative.  This is after several lawsuits were brought that said showing ID was an unconstitutional inhibition on the right to travel between the states. The courts have said that as long as you have extra security, that is fine.

Now the TSA has published a memo that as of June 21, 2008 passengers who willfully refuse to produce ID will not be allowed to fly.  If a passenger just forgot or doesn't have ID, as long as they are cooperative, they can still fly with the usual extra searches and so forth.  Now maybe on its face that sounds OK, but let's think about it.  Who is really going to be subject to this? 

Do you think a real life terrorist is going to say that he or she refuses to produce ID? Of course not.  They are going to say they forgot it and go through security.  The only people who are going to refuse to produce ID are those people who are seeking to exert and protect their constitutionally protected rights. So these are the people the TSA will punish while patting down and sending on the real threats.  So what does this do to make us safer?  Just another case in my mind of our privacy rights taking a back seat for no good reason. 

iPhone creates mobile malware tipping point [Amrit Williams Blog]

Posted: 09 Jun 2008 04:57 PM CDT

Apple’s Worldwide Developers Conference is the premier showcase for new, shiny Apple gadgetry. Regardless of your feelings about the company or the MacBook Pro, the iPod, or the iPhone, you can’t dispute the elegance of these devices. Apple has cornered the market on smart design.

The announcements from this year's WWDC may not excite the masses as much as in the past, but they will have a profound impact on enterprise IT and will help completely revolutionize mobile computing in the enterprise. On the downside, the iPhone also presents the tipping point that will trigger both a slow trickle of mobile malware and an increase in Mac OS X malware. Not many can say they are the catalyst for good and bad megatrends, so all hail Steve Jobs for setting the foundation for a revolution in malware as well.

With the moves to support office applications, broadband connectivity and GPS, and the release of a common development platform for both the iPhone and Mac OS X, Apple has created the perfect storm for a slow trickle of mobile malware, data theft incidents and IT management headaches. Let's review the more important WWDC announcements and their impact on enterprise security:

Enterprise Support (including Microsoft Exchange Integration and Office Applications) - The point at which mobile and handheld devices become real issues for enterprise IT is the point at which data can be viewed and manipulated in the same way it can be on a desktop or laptop. The ability to store, forward, read, and write Microsoft Office documents eliminates the need to use a conventional computer to do real work, but creates a nightmare scenario for organizations that are still challenged by securing data on the devices for which they are responsible.

3G Support - Fast Internet access will only increase the use of the iPhone for web browsing, on-line banking, commerce, and enterprise SaaS applications like salesforce.com. Handheld salesforce.com access, for example, will be a boon to field sales people, but opens the door to increasing the number of browser-based attacks.

GPS Support - Although this may seem innocuous from a security perspective, it is clear that targeted malware is on the rise. Imagine being able to tailor a message to not only include information about the recipient but to include or reference their location.

iPhone Development Environment - In my opinion the most significant WWDC announcement has been the introduction of the iPhone as a development platform that shares APIs and tools with Mac OS X. Couple this ability to cross-pollinate malware between the iPhone and Mac OS X with a rich media layer and an easy-to-use development environment, and you create endless fun for the legions of malware authors looking to profit from the proliferation of the iPhone and Mac OS X.

This is not a problem for tomorrow, but a problem of today, and if we have any hope of taking control of our environments against the backdrop of an increasingly sophisticated user population, advancing technology, and hostile threats, we must learn to adopt new approaches to enterprise security that go beyond static object defense.

The top three things that IT must do today to deal with mobile computing devices are:

1. Attain Visibility - Real-time visibility into assets, software and activities inside an infrastructure is the primary prerequisite for resolving the mobile assets problem. After all, how can you manage what you don't see? Visibility must extend to mobile assets' configurations and their actions on the network. It's not enough to know that Bob in accounting owns an iPhone. You also need to know what software the iPhone runs, whether it is really Bob who is currently accessing confidential data, if he has rights to see this data, and whether he is doing it in a safe way.

2. Set Usage Policy - As IT managers lose influence over the kinds of devices that play on their networks, the question becomes less about managing tangible assets and more about protecting information and controlling processes. This argues for a platform-agnostic, policy-driven approach to information security management that encompasses both conditions and actions.

3. Enforce Policies and Controls - Policies without means to enforce them have all the lasting effect of New Year's resolutions. To be effective in a world of mobile devices that come and go from the enterprise network, enforcement cannot be a matter of centralized command and control, but of rules embedded in, and enforced by, the devices themselves.

The majority of organizations are ill-prepared to deal with managing devices they own, let alone managing devices brought into the organization by employees. This consumerization of IT is already straining organizations to manage the unmanageable. The workforce entry of a new generation of tech-savvy youth is forcing once draconian policies around the use of corporate owned devices to be rethought. Smart organizations realize that consumerized IT is not only inevitable, but important in keeping younger workers and successful early adopters motivated and productive. Mobile devices are on the march and there's no stopping them. If you can't beat 'em, join 'em, and establish the visibility and policy frameworks to enable their productive, safe contributions to achieving enterprise missions.

Social Networking and Interest Groups [varie // eventuali // sicurezza informatica]

Posted: 09 Jun 2008 12:37 PM CDT

I spent some time over the weekend playing with social networking sites, in particular LinkedIn and Facebook, the first more professional, the second more of a pastime.

On the first I created a group with the ambitious goal of building an Italian community of CISSP certificate holders. If you are CISSP certified, you may be interested in joining the CISSP Italia group; here is the link.

For those who simply have a passion for security, or hang around the scene and are on Facebook, I created the Sicurezza Informatica group, with open membership. Maybe somewhere to put photos of events, pizza nights, trade fairs, conferences, and so on...

Comments, suggestions? I look forward to them!

New Identity Theft Stats [securosis.com]

Posted: 09 Jun 2008 12:30 PM CDT

One of my biggest annoyances in the industry is the lack of good metrics for making informed decisions, and the overuse of crappy metrics (like ROI) that drive poor decisions. Of those valid metrics that wistfully dance with rainbows, unicorns, and pony-unicorns in my happiest dreams, those that correlate real-world fraud with real-world incidents stand alone on the peak of the rainbow bridge to metrics nirvana. I’ve written about our need for fraud statistics, not breach statistics, but often feel like I’m just banging my head against the hard, thick walls of big money.

Thanks to Debix, today there’s a bit of rainbow light at the end of the tunnel (have I killed that analogy yet? Really? Even with the unicorns?). As many of you know, since they sponsored a contest here at Securosis, Debix is an identity theft prevention company. They place credit locks with the credit agencies for you, and route all new account requests through their call center for routing to you for approval or disapproval.

Today they released some very interesting statistics. Since they pass a lot of credit query traffic through their call center, they closely track new account fraud attempts against their client base. Many of their clients enroll as a protective measure after data breaches, so for those customers they can also track at least one of the breach origins (nothing says that’s the only time they’ve been a victim). Some of this information is based on my briefing with them, and is not available in the report.

  • According to this report from the Identity Theft Resource Center, new credit account fraud is 57% of financial identity theft.
  • Many of the 259,761 accounts included in the study were the result of major incidents involving lost backup tapes.
  • There were 30,618 authorization attempts for new credit lines.
  • Of those, 380 were fraudulent (and stopped).
  • There were 4 incidents of new account creation that circumvented the Debix controls (all detailed in the report).

This gives us a bit of meat to work with. The fraud rate is about 1.25% of new accounts, which is about the average. Since most of the participants were exposed due to lost backup tapes, it shows either that those losses are not resulting in increased fraud, or that the bad guys are holding onto the information for greater than the (public) 1 year of protection.

Debix also added a new feature recently that may lead to more interesting results. When you decline to open a new account, you have the option to immediately route your case to a private investigator on their staff, who collects the information and engages law enforcement. While I doubt we’ll get hard numbers out of that, we might get some good anecdotes on the fraud origins.

On our call Debix committed to providing more statistics down the road (all anonymized of course). We gave them a few suggestions, including some ways to add controls to their analysis, and I’m really looking forward to seeing what numbers pop out in the coming years. Ideally we’ll see more stats like this coming out of the credit agencies and financial institutions, but I’m not holding my breath.

(Full disclosure: I have no business relationship with Debix, but am currently enrolled with them with a free press/pundit account).

Is Rootkit Detection Worth It? [securosis.com]

Posted: 09 Jun 2008 11:20 AM CDT

An interesting debate/panel over at Matasano with perspectives from a pundit, researcher, and honest-to-goodness in the trenches security pro.

Flickr and YouTube Memories [RSA Conference - Blog]

Posted: 09 Jun 2008 10:21 AM CDT

Monday Potpourri [StillSecure, After All These Years]

Posted: 09 Jun 2008 10:04 AM CDT

There are some days where nothing strikes me as interesting enough to blog.  Then there are days like today where there are just too many things that I find compelling enough to comment on.  So rather than do 4 or 5 posts today, let me condense all of this goodness (I hope) into one post:

1. Sophos releases "financial results ahead of analysts expectations". While I applaud the Sophos folks for making public their revenue numbers (at least gross, net and deferred totals it seems), I am not sure what analysts they are talking about.  As a private company, it is not like people are trading their stock and the financial analyst crowd is putting their numbers on the street.  200+m is a lot of revenue, even for an AV company and 40+m to the bottom line is impressive, but until you are public, no one is holding your feet to the fire and analyst coverage is just not the same.

2. Apple is ready to enter the platform war - Larry Dignan over at ZDNet has some good comments and stats on Apple vying with Microsoft and Linux/open source to be "the platform" of the future. I agree that the iPhone and iPod are Trojan Horses into the enterprise and along with the Mac represent a viable platform that could compete with Microsoft and the Linux/open source crowd.  However, I don't think you can judge how many developers are developing Mac/iPhone apps based on the crowd at the upcoming WWDC (worldwide developer conference).  Steve Jobs is a master showman and I think these conferences have become media events.  Many people are there to twitter and report and to "be there".

Larry is right though that Apple has to balance being too iPhone and iPod crazy at the risk of ignoring the "real" platform here the Mac.  His example about PGP developing a Mac version is a great point.  I have heard many other security companies likewise bringing Mac versions to market. This graphic I think shows the point well:

[Image: PGP for Mac]

But my ultimate point on this one is that the ultimate platform will be the web.  What the underlying OS is for future web apps should be somewhat meaningless.  The webtop platform would seem to me to be the platform going forward!

In any event the WWDC should be a lot of fun and I will be watching to see if any new reports come out.

3. Belden buys Trapeze - Another independent WLAN provider gets bought. Doesn't seem like a great multiple, 133m on 2007 revenue of 56m.  There are not many independent WLAN providers out there now.  Meru Networks is probably the biggest of the bunch. You don't hear too many people saying that wireless is not here yet anymore.

[Image: ROI calculator diagram]

4. McAfee still chasing the dragon on security ROI - McAfee announced that using the Forrester Economic Impact Calculator you can now easily find out your ROI from buying a McAfee product. They have a very nice diagram that I have pasted in here. They ask you to plug in a few numbers about the type of security you want, desktops, laptops and servers and presto - they give you an ROI.  I didn't call them to get the scoop, but it really underwhelmed me.  Looks like smoke and mirrors to me, just like many of these security ROIs do.

Multi-vendor support vs. Vendor neutrality [Security Incite Rants]

Posted: 09 Jun 2008 09:43 AM CDT

After my "Special Incite" on MSS last week, I got some good feedback. Most of it said my analogy to the banking industry was spot on. Of course, there are always those vendors that send me notes whingeing about how I've got them mis-categorized and how I don't understand their business.

Whatever. But one of the comments bears digging a bit deeper into. And that was the idea of a managed security service provider, who is part of a product vendor, claiming to be "vendor neutral." You've heard it before. In fact, all the big IT providers, who have big IT service engines, claim to be vendor neutral.

I posit that these folks provide MULTI-VENDOR SUPPORT. That means they can manage and support products from their competition. But they are not neutral. Not by any stretch of the imagination.

They aren't. In fact, they can't be. And just so I'm not being my general cynical self, I'll actually put in place a few hurdles for these vendors to prove they are truly VENDOR NEUTRAL.

  1. Separate sales force - This is really the first hurdle and it's usually the hardest one to overcome for a lot of the vendors. Basically, services is a value-add they sell to their existing product customers. But to really be vendor neutral, they have to have a separate sales force, who only sell services.
  2. No services comp for product reps - Let's say a vendor actually does have a separate sales force for services. Great. Do their product reps get compensated when a services engagement is sold to that customer? If yes, then again, they are not truly vendor neutral because there are kick-backs happening. Sure, they are finder fees, but at the end of the day, you can't be neutral if you are kicking back commission to the guy selling hardware (or software).
  3. No product comp for the services reps - Yes the converse has to be true as well. The services reps cannot get compensated if a new set of products gets sold based upon an engagement.

To be clear, these are 3 very high bars and they should be. Because NEUTRALITY is not something to be trifled with.

Personally, I don't think any vendor that does MSS (or any other services for that matter) should be claiming to be neutral. It's important to get some level of leverage from efforts both on the product and services side. If you can't do that, then why even bother? So providing multi-vendor support is not a bad thing, but it's not being vendor neutral either.

End user organizations need to figure out what is important to them. I'm cool with doing business with a product vendor's services arm. As long as they go in with their eyes open. The vendor wants to sell product, and they should. You (the user) may even want to buy that product. And you shouldn't feel bad about that. But don't believe them when the first bullet on the vendor's services PPT is "vendor-neutral."

Photo credit: shadowtech

Develop your Business Continuity and Redundancy Plan [Telecom,Security & P2P]

Posted: 09 Jun 2008 09:09 AM CDT

This is an old topic, but it’s not an easy one. Every day, IT managers face the questions: how do you ensure business continuity? What is the proper level of redundancy to balance continuity against cost? Redundancy and complexity can themselves introduce additional potential failures and issues. So redundancy is not the silver bullet for continuity, not to mention the cost.

I have been working on this for a while. I don’t have the budget for a consulting project to help me get a comprehensive and holistic picture. I have to do it by myself.

As the first step, I am considering the methodology. The diagram below is the draft in my head.
Develop your BCP and Redundancy Plan
  1. Prioritize
     - Prioritize the applications, users and user communities
     - Identify the critical path
     - Prioritize the paths and elements
     - Build profiles of the top critical applications
  2. Critical Path
     - Find the critical path and dependencies, both logically and physically
  3. Identify Risks
     - Identify potential risks and failure scenarios
     - Build business cases
  4. Redundancy Check
     - P1: the minimum set of things that keeps the core business alive, e.g. fibers along the critical path
  5. Fix the Gaps
     - Fix the gaps according to prioritization
  6. Drill
     - Create scenarios and a testing plan
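The critical-path and redundancy-check steps of the outline above, as an added example that is not the author's (the topology, node names and application tiers are constructed): model the infrastructure as a dependency graph, then for each prioritized application find every node whose loss alone cuts the application off from a resource it needs. Those single points of failure, listed highest tier first, are the P1 gaps to fix first.

```python
from collections import deque

# Dependency graph: an edge A -> B means "A needs B to function".
# Constructed example topology; the names are illustrative only.
DEPENDENCIES = {
    "billing":       {"app-server-1", "app-server-2", "db-1", "db-2"},
    "wiki":          {"app-server-3"},
    "app-server-1":  {"core-switch-A"},
    "app-server-2":  {"core-switch-A"},   # both app servers hang off one switch
    "app-server-3":  {"core-switch-A"},
    "core-switch-A": {"fiber-1", "fiber-2"},
    "fiber-1":       {"isp-1"},
    "fiber-2":       {"isp-2"},
    "isp-1":         {"internet"},
    "isp-2":         {"internet"},
    "db-1":          {"san"},
    "db-2":          {"san"},
}

# Output of the "Prioritize" step: applications ranked by tier, with the
# resources each one must be able to reach.
APPLICATIONS = {
    "billing": {"tier": 1, "needs": ["internet", "san"]},
    "wiki":    {"tier": 3, "needs": ["internet"]},
}


def reachable(graph, start, removed=None):
    """Nodes reachable from `start` when `removed` is taken out of service."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, ()):
            if dep != removed and dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def single_points_of_failure(graph, app, resource):
    """Every node whose loss alone cuts `app` off from `resource`.
    Returns None if the resource is unreachable even with everything up
    (a modelling error, or an outage already in progress)."""
    if resource not in reachable(graph, app):
        return None
    nodes = set(graph) | {d for deps in graph.values() for d in deps}
    return sorted(n for n in nodes - {app, resource}
                  if resource not in reachable(graph, app, removed=n))


def gap_report(graph, apps):
    """Critical path + redundancy check in one pass: the SPOFs for each
    (application, resource) pair, highest-priority tier first."""
    report = []
    for app, info in apps.items():
        for resource in info["needs"]:
            report.append((info["tier"], app, resource,
                           single_points_of_failure(graph, app, resource)))
    return sorted(report, key=lambda r: r[:3])


if __name__ == "__main__":
    for tier, app, resource, spofs in gap_report(DEPENDENCIES, APPLICATIONS):
        status = "OK" if spofs == [] else "UNREACHABLE" if spofs is None else ", ".join(spofs)
        print(f"P{tier} {app:<8} -> {resource:<9} SPOF: {status}")
```

On this topology the two ISP links and two fibers buy nothing for billing as long as both app servers sit behind core-switch-A; that is exactly the kind of gap the redundancy check is meant to surface before money is spent on more links. The model treats each node's dependencies as alternatives (any one path suffices); where a component needs all of its dependencies at once, add the extra edges explicitly or it will look more resilient than it is.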

[Chinese] NIST releases a draft of the Common Configuration Scoring System (CCSS) [Telecom,Security & P2P]

Posted: 09 Jun 2008 08:33 AM CDT

On May 30, NIST (the US National Institute of Standards and Technology) released a draft for scoring security configurations, full title: NIST IR-7502 DRAFT The Common Configuration Scoring System (CCSS).

CCSS is a standard set of measures for the characteristics and impact of software security configuration issues. CCSS can help organizations make sound decisions when addressing security issues, and it also provides data for quantitatively assessing the security posture of hosts. Structurally, CCSS borrows from CVSS, but it is specifically adjusted for software security configuration issues (CVSS focuses on software flaws and vulnerabilities). As we know, the security of a software system is not only a matter of the software itself; to a large extent it is also determined by installation, configuration and operational management.

According to reports, NIST also plans to extend CCSS to include environmental metrics. Click to download the original.

NoVA Sec Infosec Meetup Event - Thursday, 6/12: New School Information Gathering [NovaInfosecPortal.com]

Posted: 09 Jun 2008 08:27 AM CDT

Here is some information regarding this week’s Thursday NoVA Sec infosec meetup event. Looks like NoVA Sec is deviating from their normal fourth Thursday of the month schedule. Regardless, the topic looks interesting. Plus I hope Chris talks about LearnSecurityOnline.com as I’ve been interested in trying it out. (more…)

Stealing Password Hashes with Java and IE [Liquidmatrix Security Digest]

Posted: 09 Jun 2008 06:34 AM CDT

OK, I read a lot, I mean a lot on a regular basis. There is a lot of tripe floating about the tubes of the internet and I’m always pleased to read a new posting from several folks who buck that trend. Among which I count John Heasman. He has a great new post on his site about stealing password hashes with Java and Internet Exploder.

From Aut Disce, Aut Discede:

Consider for a moment the state of client-side bugs 5 or 6 years ago. Attacks such as this, a multi-stage miscellany of IE and Mediaplayer bugs that resulted in the “silent delivery and installation of an executable on the target computer, no client input other than viewing a web page” were reported with regularity. Gradually these types of attack gave way to exploitation of direct browser implementation flaws such as the IFRAME overflow and DHTML memory corruption flaws. So what has become of the multi-stage attacks - have they become redundant? The answer to this, which I’m sure you can guess, is a resounding “no” and will be emphatically demonstrated in my upcoming Black Hat talk “The Internet is Broken: Beyond Document.Cookie - Extreme Client Side Exploitation”, a joint double session presentation co-presented by Billy Rios, Nate McFeters and Rob Carter.

As a teaser for that, I’m going to revisit an old attack - pre-computed dictionary attacks on NTLM - and discuss how we can steal domain credentials from the Internet with a bit of help from Java. I’m going to split it into two posts. In this post we’ll apply the attack to Windows XP (a fully patched SP3 with IE7). In my next post we’ll consider its impact on Windows Vista.

For the full article read on.

Why are you still here? Go read it.

:)

Article Link

Security Briefing: June 9th [Liquidmatrix Security Digest]

Posted: 09 Jun 2008 06:29 AM CDT

What fresh hell is this? Monday morning and the coffee machine decides to tangle with me. The missus saves the day and potentially my sanity.

So, will the iPhone (officially) come to Canada in the WWDC keynote this morning? What say you Vegas?

And now, the news…

  1. Security firm asks for help cracking ransomware key | Computer World
  2. Revisiting the Safari Vulnerability on Windows | Washington Post
  3. A rallying cry against cyberbullying | CNET
  4. HP secures data center assets with RFID tags | Network World
  5. Hans Reiser Offers To Lead Cops to Nina’s Body | OS News
  6. Full-featured IE 8 beta announced (smashy, smashy) | NZ Herald
  7. Fraudsters hack into Home Office website | Telegraph
  8. IBM sings a Symphony to rival Office | Silicon
  9. Military Supercomputer Sets Record | NY Times

Kaspersky Discovers New Ransomware Virus [Infosecurity.US]

Posted: 08 Jun 2008 07:46 PM CDT

The Register’s Dan Goodin is reporting a newly discovered ransomware virus, and the company’s (Kaspersky) call-to-arms to enlist other researchers in the effort to combat this pernicious, nasty little bit of code. Goodin writes “After discovering a new and improved virus that encrypts important files on infected machines, researchers from Kaspersky are calling on fellow security professionals [...]

Opera Browser Integrates Malware Protection [Liquidmatrix Security Digest]

Posted: 08 Jun 2008 09:27 AM CDT

Opera, arguably one of the fastest rendering browsers available, is stepping up on security. With their version 9.5 release they are adding in malware protection courtesy of a deal that was struck with Haute Secure.

From Tech Crunch:

Haute Secure makes software that aggressively monitors and alerts users to malware sites. Besides the version that is being integrated into Opera, Haute is also available as a free plugin for Internet Explorer and Firefox. It differentiates itself from other blocking software by analyzing sites on the link level instead of at the domain level. This means that on very large sites like MySpace that contain a combination of legitimate material along with more sinister profiles, pages will be blocked on a case by case basis instead of simply banning the entire MySpace site.

Opera, while not nearly as popular as Internet Explorer or Firefox, has managed to gain something of a cult following since its original launch in 1996.

Nice upgrade for the little browser that can. If you haven’t tried it, give Opera a test drive. I use it as one of my 3 regular browsers.

Article Link