Wednesday, June 11, 2008

Spliced feed for Security Bloggers Network

Vulnerability in SNMP 3 [StillSecure, After All These Years]

Posted: 11 Jun 2008 07:17 AM CDT

Dennis Fisher blogs over at SearchSecurity.com about a new critical flaw found in SNMPv3. I have blogged before how some NAC vendors that utilize SNMP have tried to fool unknowing sys admins that SNMP stands for security network management protocol, instead of simple NMP.

The SNMP zealots have always tried to counter the "SNMP is not secure" arguments by pointing to v3 as a very secure method, and now this flaw is found. How many more will be found? In any event, glad they found and fixed this. Now if they could just find someone using SNMPv3 it would be great!

VIP Developer Test Drive Update [Online Identity and Trust]

Posted: 11 Jun 2008 01:56 AM CDT

It's now been about two months since we announced the VIP Developer Test Drive, and it's been a great success! Nearly 200 developers have downloaded the API, and many have already gone on to integrate it into their own applications. Over at Sun, Jeff Bounds has blogged about his integration of VIP with Sun Java System Access Manager/OpenSSO, and even posted step-by-step instructions on the Sun Wiki.

So, have you downloaded the API yet?

Links for 2008-06-10 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 11 Jun 2008 12:00 AM CDT

TSA Security Logic (follow-up) [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 10 Jun 2008 07:43 PM CDT

I've had several responses, both public and private to my previous post - all of which indicate that lighters are "ok" now to carry onto planes. Some folks (presumably from the TSA) have posted links (I'll help by posting them below). Interestingly enough, there is a blog posting on the TSA Blog on the logic behind the 3-1-1 rule for airports.

For the record, I still fail to see some of the logic here... maybe I'm not intelligent enough to comprehend, but the power-trips the TSA folks go on are absolutely incomprehensible at best, malicious at worst... follow me on my logic here-
  • Flammables such as lighters are an immediate threat (if you disagree, tell me why)
  • Some of the other banned substances are significantly less threatening (water?)
  • The "detectors" should be able to detect explosives (even in liquid form, right?)
  • The UK liquid bombs were to be set off by camera flash!
  • Hand-mixed liquid bombs have been deadly in small quantities before

After all that... I can only surmise that any "real" threat will not be thwarted by these existing counter-measures (with the exception of advanced intelligence). So - much like many other things that are currently being done (reference this news story about ID requirements... http://news.cnet.com/8301-13739_3-9962760-46.html?tag=nefd.top) to secure us... it's a "feel-good" measure. It's meant to give us a sense of security - and like the rest of these measures, has very little actual anti-terrorism value.

Oh, and I couldn't resist... Breast Milk is now allowed to be brought onto planes again - because... you know, we all know that Johnny Jihad likes to use breast milk as an explosive. I'm sure there's some scientific reasoning for this that I don't understand, it's just funny...

Links to TSA blog/site etc...

A final analysis - I am starting to understand why the torch lighters are not permitted (higher temp, truer burn, etc) but regular lighters can STILL be used to start a fire on board a plane! Seriously. This particular piece is concerning...

Q. Are lighters not a threat anymore?
A. Lighters are not a serious threat. Lifting the ban is a common sense, risk-based security decision. This change allows officers to focus on finding explosives and IED components. TSA collects 22,000 lighters a day.

So - who made this determination that lighters are not a serious threat? Was it because so many were confiscated? Does this mean if we bring in some other thing that's on the banned list in massive quantities the TSA will simply allow it? I'm not being argumentative for no reason - I'm just trying to comprehend the logic. It's one thing to say "that's just the way it is" but when logic appears to be taking a back seat... it would be good to understand why we're being hassled and annoyed while we fly.

Sorry TSA, I'm not going to simply be pacified by the "just trust us" answer...I simply don't feel ANY safer.

Verify that Compensating Controls work [PCI Blog - Compliance Demystified]

Posted: 10 Jun 2008 05:40 PM CDT

If you build a new deck in your backyard, would you test it out before inviting your friends and family over for a bar-b-que?  Well it turns out that many merchants are documenting compensating controls but not actually testing them to make sure they work.  How could this be?  I’m asking myself the same question.

There is a simple approach to understanding compensating controls that starts with asking the question, “When would I use a compensating control?”  The answer to that is any time that you have a legitimate business or technical reason.  For example, you may have some specialized technology that meets the intent of the requirement but not in the prescribed manner of the Security Audit Procedures (SAP).

Then you should document your findings, so you can show them to people if they ever ask, “what in the world were you thinking?”  This documentation should include those items listed in the Compensating Controls Worksheet.

  1. Constraint - the business or technical constraint precluding compliance with the original requirement
  2. Objective - the intent of the original control
  3. Identified Risk - the risk posed by the lack of the original control
  4. Compensating Controls - the controls in place that mitigate the risk to meet the intent that could not be achieved via the constraint

But you cannot stop here!  You actually need to test these compensating controls to make sure they hold up.  It’s not sufficient to say that a company uses RACF security on their mainframe as a compensating control for something else if you do not evaluate the security of the RACF configuration.  For each compensating control you must actually TEST it to make sure it is sufficient to mitigate the risk to cardholder data.

As Ronald Reagan always said, “Trust, but verify!” (“doveryai, no proveryai”)

Merchants please submit a Feedback form to the Council [PCI Blog - Compliance Demystified]

Posted: 10 Jun 2008 05:18 PM CDT

People complain about many things, but the question is: have you filled out a feedback form?  What, you ask?  There is a feedback form?  Oh yes!  And you should be filling it out and sending it back to the PCI SSC (Council).

Check out the Supporting Documents page on the Council website and make sure you fill out and submit the feedback form to the Council directly.

The feedback form is so merchants and service providers can provide feedback to the Council on what their experience was like.  Did you like your QSA?  Did you like your ASV?  Did you have a positive experience?  They want to hear it all.

If you really want to have an impact on the standard then jump in and become a Participating Organization.  Then you can give your feedback not just on the audit but on the standard itself.

And then there were two. Blogs, that is. [Mediaphyter - A Communications Cocktail]

Posted: 10 Jun 2008 04:42 PM CDT


I’ve had this little blog for a short time. I love it, I really truly do. I’ve been able to gather the Security Twits and I’ve been able to show my Twitter Love and I’ve even been able to shine more light on common issues for Women in Technology. I will continue to do these things here, of course, but the bulk of my social media-related blogging will now be found over at ZDNet at a new blog called Feeds.

From my first blog:

Simply called "Feeds" (largely because "microblogginglifestreamingbloggingpodcastingetc" was far too long), this blog will feature news on social media tools and trends and deep dives into business strategies. We'll talk to the pundits and the developers and the master communicators about what's working, what doesn't and what's coming down the pike.

So stick around here for Security Twit updates and continued commentary on the technology industry, improv comedy and whatever else catches my attention. But for social media content, why don’t ya give a little subscribe over at Feeds. You know you wanna. :)

Don't look at me, I'm hideous! [NP-Incomplete]

Posted: 10 Jun 2008 04:14 PM CDT

SANS WhatWorks Summits [Infosec Events]

Posted: 10 Jun 2008 02:04 PM CDT

Last week SANS held two WhatWorks summits in Las Vegas. One covered penetration testing and ethical hacking, and the other covered web application security.


Jeremiah Grossman was the keynote speaker for the web application security summit, and he posted his post-summit thoughts on his blog.

The format favored enterprise speakers rather than experts, which made it less about the newest attacks/threats and more about how enterprises went about solving problem X. This was great because I don’t think we have to push as hard anymore to promote general webappsec awareness. In my opinion the early adopters are here and we should be supporting them in being mentors and evangelists. We need to continue facilitating knowledge exchange.

Based on that statement, I wished I could have covered the SANS WhatWorks summits, but I was already in Myrtle Beach covering Hacker Halted. There are lots of good information / discussion bits in his post, so check it out - Summary: SANS WhatWorks in Web Application Security Summit 2008.


Valsmith, who led a training class with HD Moore on tactical exploitation, also posted his blog - Post SANS 2008 Recap.

A good pen test is one which you should never pass. If you ask us to test a network or a product, chances are very high that we WILL break it. So really a pen test is about discovering what your exposure and risk is so that you can make decisions and plans on what to accept and how to deal with it. Many people, however, approach it from the viewpoint of finding out if they can be hacked or not. They simply want to know the next patch to apply and happily remain ignorant of the bigger picture of their situation.

Here’s the not so secret secret: A well funded, determined attacker will ALWAYS win. They don’t have rules to follow and they will get you in the end.

To me, a penetration test shows the potential security impact to the system being tested. From there, the owner will need to factor in things like likelihood, complexity, and the worth of the data to formulate a risk rating. Penetration tests are one piece of the puzzle, and I’m happy to see that companies are starting to have them done. But like Valsmith mentions, a penetration test should not be a checklist item that you want to pass, and you do nothing with the results. It does you and your company no good if you take it like that.


Lastly, the Ethical Hacker Network folks interviewed Ed Skoudis, Johnny Long, and HD Moore.

Another blog contest [IT Security: The view from here]

Posted: 10 Jun 2008 02:00 PM CDT

I'm busy writing a presentation about data security, no surprises there, when I decide to check my mails and see the old Google alert for "Rob Newby" (don't tell me you don't do it too). Imagining it to be about the other Rob Newby, Tory councillor for Topsham in Exeter, who often does the rounds, I almost ignored it. However, it was for me this time (imagine how pissed off other Rob must be about all his IT security alerts!).

As well as my fellow Euro-Securo Kai, writing about the new Black Hat Bloggers Network, there was one from the Computer Weekly magazine. Apparently I have been nominated in a blog competition. I wonder if that was down to Kai too, or if they were just thin on the ground and needed to fluff it up a bit?

In fact I think it's probably because I've written a couple of articles for them recently and they probably like me because I do it as a hobby, not for work. Something I have noticed though - it specifically says "Help us to identify the best IT blogs in the UK in the IT Security category." Then it lists Bruce Schneier, Richard Bejtlich and Anton Chuvakin! Much as I respect and love them all, especially Anton, who I met at RSA recently, they're not from the UK, nor do I suppose they want to be.

Besides, they're all better at security AND writing, so it's really not fair.

We Not Only Write, But We Speak, Too (and on Metrics) [RiskAnalys.is]

Posted: 10 Jun 2008 12:04 PM CDT

Bet you didn’t know we are that multi-talented, did you?  In addition to the Cisco InfoSec Leadership Forum Webinar on June 19, our own Jack Jones will be speaking at:

The Burton Group Catalyst Conference North America 2008 in San Diego, California on June 23-27.

His talk is called, “Metrics: Measurement, Modeling & Meaning“.

Come see Jack as he does more than just practice his alliteration!

How do you justify security spending?  How do you gain credibility with other lines of business?  How can you get executive management to do more than just the “bare minimum” of regulatory compliance?

Increasingly, CISO’s are discovering that the use of security metrics and a quantitative approach can help show the value of Information Risk Management.

What isn’t well understood, however, is just how to create meaning from a metrics program.  Join Jack Jones, former CISO for a Fortune 100 financial services company as he discusses the challenge of finding the right things to measure, the challenges we face in creating measurement, and the role of metrics and modeling in decision making.

Audit driven programs [Andy, ITGuy]

Posted: 10 Jun 2008 12:02 PM CDT

There are many different ways that a company can develop a security program and plan. Not all of them will work for all companies and a couple of them won't work anywhere. One of the best ways is to get IT and the business units together with Security and look at where you are, where you want to go and what you are doing to get there. You look at the threats to your environment and how your users interact with technology and the rest of the world. That includes Internet access, partner access, vendors, and a whole host of other variables. Once you have done this and have a general idea of what your risk profile is you determine your needs and how to address them. Then you put together a plan to address the needs. (This is generic in principle, not every organization will follow this). Once you have your plan you start executing it.

What happens in reality is usually one of two things. You either buy what seems cool to you, what will allow you to check off the compliance check box, what you deem necessary just as "basic" security, or what audit dictates. Maybe I should restate that: what usually happens is a combination of any of the above, and occasionally a "real" plan is in the mix.

I'm currently in the process of getting a "real" plan in place at my company. It's been a long and slow process but it is coming together. I have several projects that we are investigating and determining need for and priority of. There is a long list of things that need to be done and I have my idea of how things should be prioritized based on what my understanding of the business is. This is based off of conversations with business units and IT management. Again, nothing is set in stone yet.

Well, now audit has come into the picture. They are recommending several things that are being looked into already but honestly most of them are not towards the top of my list. So now I'm faced with the dilemma of either trying to convince management that what audit thinks isn't what should be our top priority, or do I just quietly go with the flow and re-prioritize projects to reflect what audit recommends? I think I know what I will do. I'll take audit's recommendations and compare them with my plan. I'll fight for a couple of the things and give in on a couple. I hate to admit this, but it is the reality of business. I'm not pretending that I know what is best and no questions should be asked, but I do know that audit does not know the full scope of our business and they are focused on a fairly narrow part that affects financials directly.

I know the question that is going through everyone's mind is "Well, do you have management approval and buy-in on your plan?" The honest answer.......... No, not yet. It's not quite ready for that. They are aware of what I'm doing and what is on my radar and they agree with the general direction that things appear to be going at the moment. What I do know is that once audit submits their recommendations they are going to push to get them met before anything else unless I can convince them otherwise. No matter what happens it will be a busy year and full of excitement. Hopefully plenty of "blog worthy" things that I can actually write about.

Connect with Napera at TechEd 2008 [Napera Networks]

Posted: 10 Jun 2008 11:55 AM CDT

Tech Ed 2008

Napera’s CTO Chris Boscolo is attending a panel discussion on Network Access Protection at Microsoft’s annual TechEd conference for IT professionals in Orlando today. Join Chris and experts from Microsoft and other NAP partners to see product demonstrations and talk NAP at 1:15pm today, Tuesday, June 10th, in room N310 E.

Session code: SVR369

Session: Network Access Protection Overview

Session Day/Time: 6/10/2008 1:15PM-2:30PM

The session repeats on Friday 6/13/2008 at 10:15am if you can’t make it today.

Metro Olografix Camp 2008 [varie // eventuali // sicurezza informatica]

Posted: 10 Jun 2008 11:27 AM CDT

Received and reposted:

Many hoped for it, few believed in it, the rumours were conflicting, spirits were heated, but in the end we did it! Four years after the celebration of Metro Olografix's 10th anniversary, by popular demand, a new summer camp will let us spend a few hot August days together, between a rustella and a glass of wine, between a swim and a talk, in sunny Pescara.

Ardetec li cannilicchie!

From 21 to 24 August 2008, at the Parco "ex Caserma Di Cocco", the second edition of the Metro Olografix Camp will take place: a Northern-European-style hacker camp, open and free of charge, whose purpose is to be together and have fun sharing information and knowledge.

As four years ago, it will be an occasion to meet old and new friends, all those who have populated the telematic underground from that famous 1994 until today and who are ready to live it in the years to come, together with those who are only now encountering a telematic reality that grows ever more worrying because of its technological and legal implications.

That is why we are expecting you in Pescara: you, your tent, your computer. To tinker, experiment, play, chat, do anything that lets us go home thinking "this time too, it was really worth it!"

Write to us by 1 August 2008 and propose your thematic area, your initiative, your talk. We will be happy to help you do something for the event, but above all for the people who will spend with us what we hope will be four unforgettable days of their lives.

We look forward to seeing many of you here in Pescara, eager to share experiences and knowledge in the pure spirit of the hacker ethic.

Information wants to be free!

For information: http://camp.olografix.org/
Proposal submissions: moca-cfp@olografix.org
Mailing list for participants: camp-user@olografix.org

Can anyone explain to me what "Ardetec li cannilicchie!" means?

OWASP - VA Local Chapter Infosec Meetup Event - Thursday, 6/12: Open Source Software Security & Protecting Your Applications from Backdoors [NovaInfosecPortal.com]

Posted: 10 Jun 2008 11:00 AM CDT

Here is some information regarding this week’s Thursday OWASP - VA Local Chapter infosec meetup event. This looks to be another set of great talks. Too bad we’ll have to decide between this meeting and NoVA Sec’s. Pizza will be provided for a small fee. If you plan on attending, RSVP so they can get your badge processing started.

The Daily Incite - June 10, 2008 [Security Incite Rants]

Posted: 10 Jun 2008 10:28 AM CDT

Today's Daily Incite

June 10, 2008 - Volume 3, #55

Good Morning:
Since when is screwing your customer a good idea? I'm talking about the movie industry, by the way. The Boss and I went to take in the new Adam Sandler movie (Don't Mess with the Zohan) on Friday night, and I was reminded there is a reason that the movie business is struggling. Unfortunately (for them) a lot of the wounds are self-inflicted.
To their credit, the ticket buying process has become dramatically streamlined with online ticket "windows" and the ability to pick up the tickets via a kiosk outside the theater. But that's about the only pleasant thing about seeing a movie nowadays. 

Let's deal with the concession stand first. Besides providing TOTALLY overpriced refreshments (like 40 oz of pop should cost $4), they monitor the cups. That's right, if you just want a cup to split a bottle of water (for example), they give you this kiddie cup that wouldn't even provide enough volume for a urine test.

Now I get why they do this. It's too easy for a teenager to pilfer a few cups and give their friends free refreshment. And of course, since the margins on fountain cola (which tastes like crap, by the way) are only like 1200%, they definitely need to monitor that shrinkage in such a draconian fashion. But the reality is that shrinkage is the movie theater's problem - NOT MINE. So if I want to split a big bottle of water with my date - I should be able to and not use a kiddie cup. Is that too much to ask for?

And what's the deal with the commercials? I pay $10 for the right to sit in a theater and get just bombarded with ad impression after ad impression. Sometimes it's a slide show of local merchants, other times it's like an infomercial for movies I don't want to see or TV shows I don't care about. What's next, a pitch for a Tony Robbins program or maybe the ThighMaster?

Basically, what used to be a lot of fun - now pretty much sucks. Given the fact that I have a decent home theater and a couple of my friends are Torrent aficionados, I can see any movie I want - at any time. And I think I might. I can have a bunch of friends over and get the social aspects of going to the theater, and the popcorn is a lot cheaper and I can have all the big ass cups of soda I can drink.

Have a great day.

Photo: "Olympic, formerly Bard's 8th St Theater" originally uploaded by IaasB


Top Security News

Why don't we call it Skynet?
So what? - One of the pieces of "insight" coming out of the G's annual security soiree was the concept of the "adaptive security architecture," which is basically an intelligent infrastructure that actually communicates policies and rules in real time to security devices, depending on the user and the policy. Personally, I think it's a pipe dream. The market has voted most IPS blocking off the island, opting instead to block maybe 2-3% of the applicable rules and monitor the rest. What makes us think, that even over a reasonable planning horizon (5-7 years), that detection will become granular and accurate enough to actually do this kind of automated blocking? The first precursor to this is reputation blocking of email messages. Reputation is starting to be applied to web filtering as well, but again it's about blocking the 2-3% of senders that we KNOW are bad. I think the vision is compelling, but I also think it's a long long long long long long long ways off. I like Ted Julian of AppSec's quote at the end. The reason none of the vendors are talking about this is that even they know the balance of selling futures vs. selling THE future. It would be like Trump starting to sell his first building on Mars. Compelling vision, but a bit early.

Speaking of far off, how about metrics?
So what? - Dennis Fisher uses some of his column space to talk about the evolution of security metrics. Or lack thereof. My own personal experience with metrics has been frustrating. At my core, I'm a quant guy - but I also understand that we are no closer to gaining consensus on what should be counted. I have Shostack's new book on my night table, just waiting until I have a few cycles to get through it. I agree with the concept, that we need to base our decisions on data, BUT what data? And where do we get it? And how do we normalize it, so we can compare our stuff to other folks' stuff? And how do we get practitioners to share what they are doing, especially given the culture of keeping security quiet? I'm not demeaning any of the work that some of the numbers folks are pushing forward. I think it's important, and I look forward to some breakthroughs. But this is going to be one where I will follow, as opposed to lead. I suspect a lot of the folks I write for (mid-market IT and security professionals) are in a similar boat. We all want it, but don't have the time to get it done.

What is your security elevator pitch?
So what? - Great post by Savvis' Lenny Zeltser here on the SANS site about elevator pitches. He uses some guidelines from TechCrunch to put together a few sample pitches that you could use with the executives. One of the hallmarks of the Pragmatic way is to get face time with the senior team and build credibility. Once you get there, what do you say? How do you describe your security operation? Why should they care? How do you either help them make money or save money? How do your current projects contribute to the overall corporate strategy? If you are having trouble answering any of those questions, you have a lot of work to do. Remember, security is no longer a technical discipline, it's all about the business. And if you can't talk about business, then you aren't going to be a very effective security professional. Read Lenny's post and then start working on your own elevator pitches.


The Laundry List

  1. Deal: Axway puts Tumbleweed out of its misery. If you take out the costs of running a public, no growth company and milk the maintenance, the deal may pay off. - AP Coverage
  2. Secure Computing goes hybrid. No, it's not about saving energy, it's about treating on prem, hosted and virtual products consistently. Web is the first offering. It's about time. - Secure Computing releases
  3. What do you know about e-discovery? If you don't have a plan, you will because the only thing more inevitable than you being hacked is you being sued. - Kabay NetworkWorld column
  4. Olzak likes LinkScanner, and so do I. But it should be bundled into my AV suite, which it is if you buy from AVG. The other AV folks need to get with the program. - Tom Olzak blog
  5. Another downside of Web 2.0. The spammers have figured out how to leverage collaborative web sites to send more spam. Goody! - SC Magazine coverage

Top Blog Postings

My management doesn't want that level of elegance
A lot of folks have great disdain for good enough. They think it's a cop-out and that we should be able to do better. Maybe they even think we can win. But most likely, these folks spend very little time in the real world. If that's you (don't worry, I won't tell anyone), then you need to read Shrdlu's blog and you need to listen. This is someone who clearly has the technical chops and knows what needs to get done. But at the end of the day, she understands - as well as anyone - that it's not about what's right. It's about what threshold for pain your management has. This quote says it all: "They just want me to keep their names out of the papers, do the right thing by our customers, and tell them how much they should spend to achieve that." Remember that every decision gets back to resource allocation. Ultimately the job of the senior team is to make sure they are allocating resources effectively. Maybe they overhaul their campus networks or maybe they build a new factory in South America. You may laugh, but that's the kind of decision that these folks need to make. So don't take it personally if you can only achieve good enough. Spend your time making sure good enough really is good enough.
http://layer8.itsecuritygeek.com/layer8/why-alex-keeps-me-up-at-night/

5 minute penalty to Hoff: Unnecessary Sine wave
I should know better than to do blog battle with the Hoff. Inevitably a small brained individual like me will end up flayed like one of Hannibal Lecter's meals. But I am a glutton for punishment and I'm also sticking to my guns. To be clear, I'm not saying (nor did I ever say) that ALL security ends up in the network. One of my earliest pieces of research was the Pragmatic Security Architecture, and that made it very clear that there is a difference between infrastructure security and application/data security. And you need both. Even though the FOCUS of what we are worried about will follow Hoff's sine curve - ultimately the controls that we utilize to deal with these emerging attacks will largely be in place already and a feature of the infrastructure. Regardless of whether that is network, servers, virtualization, applications or databases. Our control sets and defenses will always need to be tuned, but when we have the capabilities baked into the infrastructure, the tuning process becomes much easier, and that's what I mean when I talk about security being baked into the network.
http://rationalsecurity.typepad.com/blog/2008/06/security-will-n.html

iPhone 2.0: Malware extravaganza - not so fast
Yes, Apple announced the iPhone G3 yesterday. Yes, I'm going to upgrade towards the end of July. Yes, it's a computer. But I have to respectfully disagree with Amrit, who believes this is the first step towards mobile malware oblivion. OK, maybe not oblivion since he changed his perspective of malware from an "explosion" to a "slow trickle." I still don't buy mobile devices being a high profile attack vector. Maybe they'll do a PWN2OWN the iPhone contest at next year's CanSecWest and prove me wrong. Let's play it out. Someone gets me to navigate to a compromised web site on my iPhone and it has a zero day attack on it. And they can even root my device. Huh? What does getting root on an iPhone mean? I guess as the SDK becomes more prevalent it may come to mean something, but I'm a big fan of worrying about things I KNOW will kill me (and there are plenty of those), not really the things that may kill me at some point in the future. I guess we need to be thinking about stuff like this. And the research guys need to focus on these things to figure out what the bad guys will be doing, but I think most organizations can put this in the bucket of things that aren't really an issue now, and someone (like me) will let them know when it is. Though Amrit's advice to maintain visibility is a good idea because when the lion does roar, you want to know where the impalas are to protect them.
http://techbuddha.wordpress.com/2008/06/09/iphone-creates-mobile-malware-tipping-point/

You have to have ID to fly … unless you forgot it [Network Security Blog]

Posted: 10 Jun 2008 09:33 AM CDT

The TSA amazes me sometimes. But usually they just leave me shaking my head. Their latest brainstorm is to change their policy to state that you can’t fly without showing ID, sort of. Starting June 21st, you can’t claim personal or religious reasons for not showing ID at the checkpoint or you’ll be denied passage. On the other hand, if you claim you forgot your ID at home, you’ll be more thoroughly searched and let go on your merry way. Huh?

As Lori MacVittie pointed out to me on Twitter, if you tell the truth and stand up for your personal rights, you’ll be denied entry to the airport proper. However, if you lie through your teeth and just leave your ID in your wallet or purse, you’ll be able to walk on through the security process with minimal problems. You get rewarded for lying and punished for standing up for your rights??! Yet again the TSA comes up with a policy that does absolutely nothing to strengthen the security of airports and does everything to slow down travel and interfere with legitimate travelers.

I can't wait to see what Bruce Schneier has to say about this one. I just hope it's more than a couple sentences and a large quote from the article this time. If this move isn't something that meets Bruce's definition of "security theater" I don't know what will. This strikes me as nothing more than an attempt to punish people who want to exercise a constitutional right. The people who've complained the loudest about TSA's security practices and challenged them the most are now basically being told "Shut up and get back in line".

This change in policy doesn’t do anything to make us safer. Bad guys will lie through their teeth and everyone else will just keep plodding through the lines and hoping they’ll make their flights on time. And overall, there will be no changes to the security of the airports, just another really small hurdle the bad guys will have to overcome.

I wonder sometimes if the TSA doesn’t throw out policies like this just to get some attention. Maybe they’re really a bunch of comedians and this is their way of keeping us entertained. In any case, I hope they read Mr. Schneier’s reaction to this and ignore the rest of us. After all, I have to fly tonight and I’d hate to have someone at the TSA read this before then. I’ll show my ID, but I’m sure they could find a reason to search me if they set their minds to it.


Network Security Podcast, Episode 107 [Network Security Blog]

Posted: 10 Jun 2008 08:34 AM CDT

Long podcast today, but worth every moment of it. Author, blogger, podcaster and CTO of Cigital Software Security, Gary McGraw joined us on the podcast this week. This is the second time Gary has been on the podcast and in another 100 or so podcasts I'm sure we'll be inviting him back. I'm releasing this week's podcast early mostly because it was done early. And I'll be on a plane tonight when I normally release the podcast. Portland, here I come.

Show notes:

Network Security Podcast, Episode 107, June 10, 2008

Time: 58:55


Apple Security Update: QuickTime 7.5 Released [Infosecurity.US]

Posted: 10 Jun 2008 12:42 AM CDT

Apple (NASDAQ:AAPL) has announced the release of QuickTime 7.5 to address multiple security issues, listed below (with MITRE CVE designators). This release is a multiple platform update, for Mac OS X and Microsoft Windows. Due to space limitations, the descriptions for individual CVEs have been omitted. The descriptions are available on MITRE CVE. [1] CVE-ID: CVE-2008-1581 Available for: Windows [...]

Five Mistakes of Privacy Awareness Programs [The IT Security Guy]

Posted: 09 Jun 2008 09:57 PM CDT

Privacy has now become a buzzword linked with information security. In fact, the two seem to go hand-in-hand at some companies. And, regulatory requirements now mandate training for employees on privacy as part of the secure handling of customer data.

But the quality of training varies, according to Jay Cline in this editorial in Computer World. Cline is president of Minnesota Privacy Consultants.

He says most companies skimp on training by taking these five shortcuts:

1) Conducting separate training for privacy, security, records management and code of ethics.
2) Equating "campaign" with "program."
3) Equating "awareness" with "training."
4) Using one or two communications channels.
5) No measurement.

Adobe Growing Attack Target? [The IT Security Guy]

Posted: 09 Jun 2008 09:49 PM CDT

Here's a thought-provoking item from eWeek about how Adobe software could be a growing attack vector. Why Adobe, and why now?

The article gives two reasons. First, Adobe PDFs and other products are becoming vital parts of many companies' businesses. How many times have you gotten PDFs for everything from sales brochures to white papers? I'd bet more and more.

Second, Adobe is integrating Flash into its documents, increasing the attack space tremendously. Flash has already been victimized, and the two together now increase the combined threat.

Debix Publishes Data on Identity Theft [Emergent Chaos]

Posted: 09 Jun 2008 08:13 PM CDT

Finally, we have some real hard data on how often identity theft occurs. Today, Debix (full disclosure, I have a small financial interest) published the largest study ever on identity theft. Debix combed through the 2007 Q4 data on over 250 thousand of their subscribers and found that there was approximately a 1% attempted fraud rate (380 attempts out of 30,618 authorizations). This is well in line with the 1.05% fraud rate for new bank accounts. Now as I've mentioned in the past, one of the cool things about Debix is that if you are a subscriber, then all credit requests have to be authorized by you. As a result all 380 fraud attempts were correctly identified as such and were blocked. Pretty damn cool eh? I highly encourage you to read the report as it has lots of other interesting data in it, including some interesting ways in which your identity can be stolen even if you have a fraud report set on your accounts (hint: interesting things can happen if you have a spouse and they don't have fraud reports set.)

[Image is Identity Theft!! by Else Madsen]
