Spliced feed for Security Bloggers Network
Vulnerability in SNMP 3 [StillSecure, After All These Years] Posted: 11 Jun 2008 07:17 AM CDT Dennis Fisher blogs over at SearchSecurity.com about a new critical flaw found in SNMPv3. I have blogged before about how some NAC vendors that utilize SNMP have tried to fool unknowing sys admins that SNMP stands for security network management protocol, instead of simple NMP.
VIP Developer Test Drive Update [Online Identity and Trust] Posted: 11 Jun 2008 01:56 AM CDT It's now been about two months since we announced the VIP Developer Test Drive, and it's been a great success! Nearly 200 developers have downloaded the API, and many have already gone on to integrate it into their own applications. Over at Sun, Jeff Bounds has blogged about his integration of VIP with Sun Java System Access Manager/OpenSSO, and even posted step-by-step instructions on the Sun Wiki. So, have you downloaded the API yet?
Links for 2008-06-10 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"] Posted: 11 Jun 2008 12:00 AM CDT
TSA Security Logic (follow-up) [Digital Soapbox - Security, Risk & Data Protection Blog] Posted: 10 Jun 2008 07:43 PM CDT I've had several responses, both public and private, to my previous post - all of which indicate that lighters are "ok" now to carry onto planes. Some folks (presumably from the TSA) have posted links (I'll help by posting them below). Interestingly enough, there is a blog posting on the TSA Blog on the logic behind the 3-1-1 rule for airports. For the record, I still fail to see some of the logic here... maybe I'm not intelligent enough to comprehend, but the power-trips the TSA folks go on are absolutely incomprehensible at best, malicious at worst... follow me on my logic here:
After all that... I can only surmise that any "real" threat will not be thwarted by these existing counter-measures (with the exception of advanced intelligence). So - much like many other things that are currently being done (reference this news story about ID requirements: http://news.cnet.com/8301-13739_3-9962760-46.html?tag=nefd.top) to secure us... it's a "feel-good" measure. It's meant to give us a sense of security - and like the rest of these measures, it has very little actual anti-terrorism value. Oh, and I couldn't resist... breast milk is now allowed to be brought onto planes again - because... you know, we all know that Johnny Jihad likes to use breast milk as an explosive. I'm sure there's some scientific reasoning for this that I don't understand, it's just funny... Links to TSA blog/site etc...
A final analysis - I am starting to understand why the torch lighters are not permitted (higher temp, truer burn, etc.) but regular lighters can STILL be used to start a fire on board a plane! Seriously. This particular piece is concerning... Q. Are lighters not a threat anymore? A. Lighters are not a serious threat. So - who made this determination that lighters are not a serious threat? Was it because so many were confiscated? Does this mean if we bring in some other thing that's on the banned list in massive quantities the TSA will simply allow it? I'm not being argumentative for no reason - I'm just trying to comprehend the logic. It's one thing to say "that's just the way it is" but when logic appears to be taking a back seat... it would be good to understand why we're being hassled and annoyed while we fly. Sorry TSA, I'm not going to simply be pacified by the "just trust us" answer... I simply don't feel ANY safer.
Verify that Compensating Controls work [PCI Blog - Compliance Demystified] Posted: 10 Jun 2008 05:40 PM CDT If you build a new deck in your backyard, would you test it out before inviting your friends and family over for a bar-b-que? Well it turns out that many merchants are documenting compensating controls but not actually testing them to make sure they work. How could this be? I’m asking myself the same question. There is a simple approach to understanding compensating controls that starts with asking the question, “When would I use a compensating control?” The answer to that is any time that you have a legitimate business or technical reason. For example, you may have some specialized technology that meets the intent of the requirement but not in the prescribed manner of the Security Audit Procedures (SAP). Then you should document your findings, so you can show them to people if they ever ask, “what in the world were you thinking?” This documentation should include those items listed in the Compensating Controls Worksheet.
But you cannot stop here! You actually need to test these compensating controls to make sure they hold up. It’s not sufficient to say that a company uses RACF security on their mainframe as a compensating control for something else if you do not evaluate the security of the RACF configuration. For each compensating control you must actually TEST it to make sure it is sufficient to mitigate the risk to cardholder data. As Ronald Reagan always said, “Trust, but verify!” (“doveryai, no proveryai”)
Merchants please submit a Feedback form to the Council [PCI Blog - Compliance Demystified] Posted: 10 Jun 2008 05:18 PM CDT People complain about many things, but the question is: have you filled out a feedback form? What, you ask? There is a feedback form? Oh yes! And you should be filling it out and sending it back to the PCI SSC (Council). Check out the Supporting Documents page on the Council website and make sure you fill out and submit the feedback form to the Council directly. The feedback form is so merchants and service providers can provide feedback to the Council on what their experience was like. Did you like your QSA? Did you like your ASV? Did you have a positive experience? They want to hear it all. If you really want to have an impact on the standard then jump in and become a Participating Organization. Then you can give your feedback not just on the audit but on the standard itself.
And then there were two. Blogs, that is. [Mediaphyter - A Communications Cocktail] Posted: 10 Jun 2008 04:42 PM CDT I’ve had this little blog for a short time. I love it, I really truly do. I’ve been able to gather the Security Twits and I’ve been able to show my Twitter Love and I’ve even been able to shine more light on common issues for Women in Technology. I will continue to do these things here, of course, but the bulk of my social media-related blogging will now be found over at ZDNet at a new blog called Feeds. From my first blog:
So stick around here for Security Twit updates and continued commentary on the technology industry, improv comedy and whatever else catches my attention. But for social media content, why don’t ya give a little subscribe over at Feeds. You know you wanna. :)
Don't look at me, I'm hideous! [NP-Incomplete] Posted: 10 Jun 2008 04:14 PM CDT
SANS WhatWorks Summits [Infosec Events] Posted: 10 Jun 2008 02:04 PM CDT Last week SANS held two WhatWorks summits in Las Vegas. One covered penetration testing and ethical hacking, and the other covered web application security.
Jeremiah Grossman was the keynote speaker for the web application security summit, and he posted his post-summit thoughts on his blog.
Based on that statement, I wished I could have covered the SANS WhatWorks summits, but I was already in Myrtle Beach covering Hacker Halted. There are lots of good information / discussion bits in his post, so check it out - Summary: SANS WhatWorks in Web Application Security Summit 2008.
Valsmith, who led a training class with HD Moore on tactical exploitation, also posted his blog - Post SANS 2008 Recap.
To me, a penetration test shows the potential security impact to the system being tested. From there, the owner will need to factor in things like likelihood, complexity, and the worth of the data to formulate a risk rating. Penetration tests are one piece of the puzzle, and I’m happy to see that companies are starting to have them done. But like Valsmith mentions, a penetration test should not be a checklist item that you want to pass, and you do nothing with the results. It does you and your company no good if you take it like that.
Lastly, the Ethical Hacker Network folks interviewed Ed Skoudis, Johnny Long, and HD Moore.
Another blog contest [IT Security: The view from here] Posted: 10 Jun 2008 02:00 PM CDT I'm busy writing a presentation about data security, no surprises there, when I decide to check my mails and see the old Google alert for "Rob Newby" (don't tell me you don't do it too). Imagining it to be about the other Rob Newby, Tory councillor for Topsham in Exeter, who often does the rounds, I almost ignored it. However, it was for me this time (imagine how pissed off other Rob must be about all his IT security alerts!). As well as my fellow Euro-Securo Kai, writing about the new Black Hat Bloggers Network, there was one from the Computer Weekly magazine. Apparently I have been nominated in a blog competition. I wonder if that was down to Kai too, or if they were just thin on the ground and needed to fluff it up a bit? In fact I think it's probably because I've written a couple of articles for them recently and they probably like me because I do it as a hobby, not for work. Something I have noticed though - it specifically says "Help us to identify the best IT blogs in the UK in the IT Security category." Then it lists Bruce Schneier, Richard Bejtlich and Anton Chuvakin! Much as I respect and love them all, especially Anton, who I met at RSA recently, they're not from the UK, nor do I suppose they want to be. Besides, they're all better at security AND writing, so it's really not fair.
We Not Only Write, But We Speak, Too (and on Metrics) [RiskAnalys.is] Posted: 10 Jun 2008 12:04 PM CDT Bet you didn’t know we are that multi-talented, did you? In addition to the Cisco InfoSec Leadership Forum Webinar on June 19, our own Jack Jones will be speaking at:
His talk is called, “Metrics: Measurement, Modeling & Meaning“. Come see Jack as he does more than just practice his alliteration!
Audit driven programs [Andy, ITGuy] Posted: 10 Jun 2008 12:02 PM CDT There are many different ways that a company can develop a security program and plan. Not all of them will work for all companies and a couple of them won't work anywhere. One of the best ways is to get IT and the business units together with Security and look at where you are, where you want to go and what you are doing to get there. You look at the threats to your environment and how your users interact with technology and the rest of the world. That includes Internet access, partner access, vendors, and a whole host of other variables. Once you have done this and have a general idea of what your risk profile is, you determine your needs and how to address them. Then you put together a plan to address the needs. (This is generic in principle; not every organization will follow this.) Once you have your plan you start executing it. What happens in reality is usually one of two things. You either buy what seems cool to you, what will allow you to check off the compliance check box, what you deem necessary just as "basic" security, or what audit dictates. Maybe I should restate that: what usually happens is a combination of any of the above, and occasionally a "real" plan is in the mix. I'm currently in the process of getting a "real" plan in place at my company. It's been a long and slow process but it is coming together. I have several projects that we are investigating and determining need for and priority of. There is a long list of things that need to be done and I have my idea of how things should be prioritized based on what my understanding of the business is. This is based off of conversations with business units and IT management. Again, nothing is set in stone yet. Well, now audit has come into the picture. They are recommending several things that are being looked into already, but honestly most of them are not towards the top of my list.
So now I'm faced with the dilemma of either trying to convince management that what audit thinks isn't what should be our top priority, or do I just quietly go with the flow and re-prioritize projects to reflect what audit recommends? I think I know what I will do. I'll take audit's recommendations and compare them with my plan. I'll fight for a couple of the things and give in on a couple. I hate to admit this, but it is the reality of business. I'm not pretending that I know what is best and no questions should be asked, but I do know that audit does not know the full scope of our business and they are focused on a fairly narrow part that affects financials directly. I know the question that is going through everyone's mind is "Well, do you have management approval and buy-in on your plan?" The honest answer.......... No, not yet. It's not quite ready for that. They are aware of what I'm doing and what is on my radar and they agree with the general direction that things appear to be going at the moment. What I do know is that once audit submits their recommendations they are going to push to get them met before anything else unless I can convince them otherwise. No matter what happens it will be a busy year and full of excitement. Hopefully plenty of "blog worthy" things that I can actually write about.
Connect with Napera at TechEd 2008 [Napera Networks] Posted: 10 Jun 2008 11:55 AM CDT Napera’s CTO Chris Boscolo is attending a panel discussion on Network Access Protection at Microsoft’s annual TechEd conference for IT professionals in Orlando today. Join Chris and experts from Microsoft and other NAP partners to see product demonstrations and talk NAP at 1:15pm today, Tuesday, June 10th, in room N310 E.
Session: Network Access Protection Overview
Session Day/Time: 6/10/2008 1:15PM-2:30PM
The session repeats on Friday 6/13/2008 at 10:15am if you can’t make it today.
Metro Olografix Camp 2008 [varie // eventuali // sicurezza informatica] Posted: 10 Jun 2008 11:27 AM CDT Received and reposted:
Can anyone explain to me what "Ardetec li cannilicchie!" means?
Posted: 10 Jun 2008 11:00 AM CDT Here is some information regarding this week’s Thursday OWASP - VA Local Chapter infosec meetup event. This looks to be another set of great talks. Too bad we’ll have to decide between this meeting and NoVA Sec’s. Pizza will be provided for a small fee. If you plan on attending, RSVP so they can get your badge processing started.
The Daily Incite - June 10, 2008 [Security Incite Rants] Posted: 10 Jun 2008 10:28 AM CDT June 10, 2008 - Volume 3, #55 Good Morning:
Top Security News: Why don't we call it Skynet?
Top Blog Postings: My management doesn't want that level of elegance
You have to have ID to fly … unless you forgot it [Network Security Blog] Posted: 10 Jun 2008 09:33 AM CDT The TSA amazes me sometimes. But usually they just leave me shaking my head. Their latest brainstorm is to change their policy to state that you can’t fly without showing ID, sort of. Starting June 21st, you can’t claim personal or religious reasons for not showing ID at the checkpoint or you’ll be denied passage. On the other hand, if you claim you forgot your ID at home, you’ll be more thoroughly searched and let go on your merry way. Huh? As Lori MacVittie pointed out to me on Twitter, if you tell the truth and stand up for your personal rights, you’ll be denied entry to the airport proper. However, if you lie through your teeth and just leave your ID in your wallet or purse, you’ll be able to walk on through the security process with minimal problems. You get rewarded for lying and punished for standing up for your rights??! Yet again the TSA comes up with a policy that does absolutely nothing to strengthen the security of airports and does everything to slow down travel and interfere with legitimate travelers. I can’t wait to see what Bruce Schneier has to say about this one. I just hope it’s more than a couple sentences and a large quote from the article this time. If this move isn’t something that meets Bruce’s definition of ‘security theater’ I don’t know what will. This strikes me as nothing more than an attempt to punish people who want to exercise a constitutional right. The people who’ve complained the loudest about TSA’s security practices and challenged them the most are now basically being told “Shut up and get back in line”. This change in policy doesn’t do anything to make us safer. Bad guys will lie through their teeth and everyone else will just keep plodding through the lines and hoping they’ll make their flights on time.
And overall, there will be no changes to the security of the airports, just another really small hurdle the bad guys will have to overcome. I wonder sometimes if the TSA doesn’t throw out policies like this just to get some attention. Maybe they’re really a bunch of comedians and this is their way of keeping us entertained. In any case, I hope they read Mr. Schneier’s reaction to this and ignore the rest of us. After all, I have to fly tonight and I’d hate to have someone at the TSA read this before then. I’ll show my ID, but I’m sure they could find a reason to search me if they set their minds to it.
Network Security Podcast, Episode 107 [Network Security Blog] Posted: 10 Jun 2008 08:34 AM CDT Long podcast today, but worth every moment of it. Author, blogger, podcaster and CTO of Cigital Software Security, Gary McGraw joined us on the podcast this week. This is the second time Gary has been on the podcast and in another 100 or so podcasts I’m sure we’ll be inviting him back. I’m releasing this week’s podcast early mostly because it was done early. And I’ll be on a plane tonight when I normally release the podcast. Portland, here I come. Show notes:
Network Security Podcast, Episode 107, June 10, 2008 Time: 58:55
Apple Security Update: QuickTime 7.5 Released [Infosecurity.US] Posted: 10 Jun 2008 12:42 AM CDT Apple (NASDAQ:AAPL) has announced the release of QuickTime 7.6 to address multiple security issues, listed below (with MITRE CVE designators). This release is a multiple platform update, for Mac OS X and Microsoft Windows. Due to space limitations, the descriptions for individual CVEs have been omitted. The descriptions are available on MITRE CVE. [1] CVE-ID: CVE-2008-1581 Available for: Windows [...]
Five Mistakes of Privacy Awareness Programs [The IT Security Guy] Posted: 09 Jun 2008 09:57 PM CDT Privacy has now become a buzzword linked with information security. In fact, the two seem to go hand-in-hand at some companies. And, regulatory requirements now mandate training for employees on privacy as part of the secure handling of customer data. But the quality of training varies, according to Jay Cline in this editorial in Computer World. Cline is president of Minnesota Privacy Consultants. He says most companies skimp on training by taking these five shortcuts:
1) Conducting separate training for privacy, security, records management and code of ethics.
2) Equating "campaign" with "program."
3) Equating "awareness" with "training."
4) Using one or two communications channels.
5) No measurement.
Adobe Growing Attack Target? [The IT Security Guy] Posted: 09 Jun 2008 09:49 PM CDT Here's a thought-provoking item from eWeek about how Adobe software could be a growing attack vector. Why Adobe, and why now? The article gives two reasons. First, Adobe PDFs and other products are becoming vital parts of many companies' businesses. How many times have you gotten PDFs for everything from sales brochures to white papers? I'd bet more and more. Second, Adobe is integrating Flash into its documents, increasing the attack space tremendously. Flash has already been victimized, and the two together now increase the combined threat.
Debix Publishes Data on Identity Theft [Emergent Chaos] Posted: 09 Jun 2008 08:13 PM CDT
[Image: Identity Theft!! by Else Madsen]