Spliced feed for Security Bloggers Network |
Non-gov InfoSec Position in Reston, VA [The Falcon's View] Posted: 12 Jun 2008 08:41 AM CDT |
NAMHLA becomes NAAMHLA [Amrit Williams Blog] Posted: 12 Jun 2008 12:47 AM CDT NAMHLA (The North American Mogull Hoff Love Association) has officially expanded operations to NAAMHLA (the North American Adrian Mogull Hoff Love Association) (here) and (here). One can only imagine the oils and love beads that this freaky information-centric menagerie a trois will rub down the inner thigh of the security blogosphere. But in all seriousness I am very happy to see this - congratulations and best of luck guys =) |
Quanta In Space! [Emergent Chaos] Posted: 11 Jun 2008 08:54 PM CDT What's the biggest problem with quantum cryptography? That it's too expensive, of course. Quantum anything is inherently cool, just as certain things are inherently funny. Ducks, for example. However, it's hard to justify a point-to-point quantum crypto link that starts at one-hundred grand just for the encryptors (fiber link not included, some assembly required), when you can get a couple of routers from CDW that do IPsec at a 99%+ discount. What to do, then? Why not show the future and down-to-earth practicality of quantum cryptography by --- I know! Let's do it in space!

And so a proposal by thirty-nine co-authors for the Space-QUEST (Quantum Entanglement for Space Experiments) mission describes just that. The New Scientist also has an article, but the proposal is short and readable. Space-QUEST proposes to the European Space Agency (ESA) that an experiment be taken to the International Space Station (ISS) that will do Quantum Key Distribution between the ISS and a ground station with an ultraviolet laser. They would establish the one link, which shows "the generation of a provably unconditionally secure key at distance, which is not possible with classical cryptography." They would then establish two links with separate keys and XOR the two keys together. This ensures that no one can intercept the communications of the two ground stations, according to the proposal. Out of that, one unconditionally secure key between the two ground stations can be computed. Using such a scheme would allow for the first demonstration of global quantum key distribution. A security analysis of this XOR-and-trusted-relay system is left as an exercise for the reader.

The experimental device will meet ESA standards for a module for the European Columbus laboratory, namely a volume of 1.39 × 1.17 × 0.86 m³, mass < 100 kg, and a peak power consumption of < 250 W. Photo extracted from the Space-QUEST proposal. I don't know about you, but I love the little quantum beams joining the two data rings. |
Posted: 11 Jun 2008 07:06 PM CDT The BBC reports in "Secret terror files left on train" that an ... unnamed Cabinet Office employee apparently breached strict security rules when he left the papers on the seat of a train. We are also told: Just seven pages long but classified as "UK Top Secret", this latest intelligence assessment on al-Qaeda is so sensitive that every document is numbered and marked "for UK/US/Canadian and Australian eyes only", according to our correspondent. The person who lost them is ... described as a senior male civil servant, works in the Cabinet Office's intelligence and security unit, which contributes to the work of the Joint Intelligence Committee. Apparently the documents were not encrypted. Cue rimshot. |
CPISM Readiness Documents are Online [PCI Blog - Compliance Demystified] Posted: 11 Jun 2008 06:56 PM CDT Many people ask me how they can become a Qualified Security Assessor (QSA). The only way to become a QSA is to work for a QSA company, be accepted by the PCI SSC, and attend industry-specific training. But what about the rest of us who want a badge of legitimacy without changing jobs? For this there is the CPISM. The Certified Payment-Card Industry Security Manager (CPISM) is the de facto certification for those within the payment-card industry who want to prove their security and industry knowledge. To prepare for this rigorous exam there are a few documents available online to assist you. First there are the CPISM Knowledge Domains.
Check online for the following documents at the Society of Payment Security Professionals (SPSP):
Still not ready? Enroll in one of the in-person training classes and get direct education to help prepare you for the exam. Check the SPSP website for dates and locations for the training classes. The next one is August 13-14, 2008 in Salt Lake City, UT. |
Thanks For A Wonderful T-shirt! [Anton Chuvakin Blog - "Security Warrior"] Posted: 11 Jun 2008 05:00 PM CDT |
Call for DAVIX Beta Testers [Security Data Visualization] Posted: 11 Jun 2008 05:00 PM CDT You may have noticed a page on secviz.org called DAVIX. DAVIX is the upcoming live CD for data analysis and visualization, which will be released at Blackhat/DEFCON in Las Vegas in August 2008. We have prepared the second beta version of DAVIX. Raffael and I are now seeking beta testers who have the time to test DAVIX and answer the questionnaire that comes along with the beta version. All completely filled out questionnaires received by me by Monday 23 June 2008 18:00 UTC will enter a raffle for one autographed copy of Raffy's upcoming book Applied Security Visualization. Legal recourse is excluded. If you want to participate in the beta test please contact: jan.monsch ät iplosion.com |
Cotton Traders: Where’s the PCI DSS Compliance? [IT Security Expert] Posted: 11 Jun 2008 02:33 PM CDT A couple of days ago a Manchester online clothing business, Cotton Traders, announced a data breach, which was brought about by a web application level "hack" on their website. The breach resulted in the compromise of customer personal details and credit card details. The Cotton Traders data breach underlines two significant issues in the UK: one is the lack of UK breach disclosure laws, and the other is that companies are still avoiding or ignoring PCI DSS Compliance.

Lack of Disclosure
Although the breach was announced yesterday, the breach actually occurred way back in January 2008, and was supposed to be fixed in a matter of hours, so there was no reason to keep it from the public right after the breach occurred. That's 6 months after the breach that it was announced to the public; don't we have a right to know? What's more, there has been a lot of smoke and mirrors about this data breach: in one statement 38,000 credit card details were stolen, in another statement it was just one credit card, then in another it was only customer names and addresses. This is pretty bad considering they had six months to figure out what went on and how; why can't they provide the clear facts of the matter? The upshot is the public can't be certain what data (especially if it is their own) was compromised. Furthermore there are no actual details of the cause of the breach; although it does appear to be an attack at the web application layer, I'd wager it was an SQL Injection attack. Whatever the type of the successful web application attack was, the real cause of the breach is not just the hacker, but Cotton Traders' bad web application (web site) code and/or poor web site hosting. Think about it: if you left your windows open on your house before going on a two week holiday and then returned to find it burgled, you'd rightly blame yourself for not taking the security of your home seriously enough; the same applies to companies writing web application code and hosting web applications.

Another example of the smoke and mirrors is Cotton Traders stating "all of its customers' credit card information was encrypted on the website", which is misleading, as this web application breach is not about the web site using session encryption (https), but whether the card details are encrypted on the backend database, and the specific type of encryption employed on the card storage and the process around it (key management). Far too often companies think they can use "it was encrypted" as a kind of get out of jail card, without telling the public what the actual details around the encryption used were. Encryption is not the magic security bullet! For example using an https (encrypted) web session offers very little protection against a web application level attack, which is against the web site code and the backend database.

PCI DSS Compliance
Cotton Traders have said nothing about whether they were/are Payment Card Industry Data Security Standard (PCI DSS) Compliant. Any company which takes card payments online in the way Cotton Traders do must be PCI DSS Compliant, which came into force from June 2007. I have to assume Cotton Traders were not compliant at the time of the attack. Why? Well if they were I'm sure they would have stated that fact, and in such circumstances they would rightly have hidden behind PCI DSS and blamed the PCI standard. Also if Cotton Traders were PCI DSS compliant the chance of a web application attack being successful would be very small. Why? Well, PCI DSS compliance requires an annual web application penetration test and a web application code review/web app firewall, which, when used and acted upon, significantly reduces the risk of hacking vulnerabilities at the web application layer. I don't know the facts about this breach because they haven't been disclosed, but if Cotton Traders were not PCI DSS Compliant, then many PCI experts would say they were being negligent.

Hacking Trends
The major big ecommerce operators are fully wise to web application security and operate in a secure professional manner, and are PCI DSS compliant. Because of this the hackers are targeting the lower hanging fruit, which are the smaller ecommerce companies like Cotton Traders; some of these don't understand the importance of public facing web site security and the significance of PCI DSS, and will be subject to these types of attacks and breaches. |
Interesting Information Security Bits for June 11th, 2008 [Infosec Ramblings] Posted: 11 Jun 2008 02:09 PM CDT Since at least a couple of people find these posts helpful and/or interesting (thanks Zach and Kees), they will continue. Dean De Beer posts about the increasing complexity of scams our users are seeing. One wonders how long until it will be virtually impossible for the average user to determine if an email is legitimate or not. Andy Willingham has penned a missive that discusses something that every information security professional has to come to terms with at one time or another. He calls it audit driven programs. Our last entry today comes from Alex Hutton. He posits that under certain circumstances checklists are not for dummies, but they sure are dumb. As he says, checklists have their place, but are completely inadequate and often misleading when used for some purposes. Have a great day. Kevin Technorati Tags: scams, complexity, audit, security program, checklists |
Link posts: Valuable or just noise…. [Infosec Ramblings] Posted: 11 Jun 2008 12:39 PM CDT Monday thru Friday, when not on vacation or traveling or such, I post my Interesting Information Security Bits posts. I have two questions regarding these posts: 1) Are they of value to you or are they just noise? 2) If they are of value, are my comments helpful or would you just as soon get the links? I would much appreciate everybody’s feedback. Leave it in the comments. Kevin |
Copyright deal could toughen rules governing info on iPods, computers [Vincent Arnold] Posted: 11 Jun 2008 12:25 PM CDT Vito Pilieci, Canwest News Service. Published: Monday, May 26, 2008 OTTAWA - The federal government is secretly negotiating an agreement to revamp international copyright laws which could make the information on Canadian iPods, laptop computers or other personal electronic devices illegal and greatly increase the difficulty of travelling with such devices. The deal could also impose strict regulations on Internet service providers, forcing those companies to hand over customer information without a court order. Called the Anti-Counterfeiting Trade Agreement (ACTA), the new plan would see Canada join other countries, including the United States and members of the European Union, to form an international coalition against copyright infringement. |
What's up with the "New and Used" Pricing on Amazon? [Emergent Chaos] Posted: 11 Jun 2008 12:13 PM CDT So having a book out, you start to notice all sorts of stuff about how Amazon works. (I've confirmed this with other first time authors.) One of the things that I just can't figure out is the pricing people have for The New School. There's a new copy for $46.43. A mere 54% premium over list, and a whopping 234% of Amazon's discounted price. There's a used copy for $58.56. What the hell? This isn't unique to us. It happens for every book I've looked at. Is this some sort of scheme to hide money from the tax collectors? I mean, I liked Cohen's book, (incidentally reviewed here) but not to the tune of 600 bucks. What's going on? Your thoughts are welcome. |
Fraudsters test AVS system [PCI Blog - Compliance Demystified] Posted: 11 Jun 2008 11:34 AM CDT David Gamey pointed me to the Register article on yet another scam fraudsters are using to defeat credit card fraud checks. We have discussed this topic before with pay-at-the-pump, but this new attack really goes to the heart of a fraud check that is called the Address Verification System or AVS. Because AVS does not check all values in the address (i.e. just the house number or postal code) it is possible that an attacker could use an alternate address that has the same numbers (i.e. same house number but different street).
This is, at best, a weak attack because it cannot be monetized quickly over a large number of card numbers. In order to perpetrate the attack the attacker would need to have your name, address, and credit card number. This information is usually obtained from e-commerce compromises, though it could originate from other sources. The attacker would then need to find a drop site that has the same information that is checked for in your address (i.e. same house number but different street). This could work for one account number. If they want to replicate it they need to find a new drop site, which is rather difficult and time consuming. Also, let’s not forget that AVS is not used globally. For example it is used in the UK, USA and some other regions, but not in continental Europe and most of the Asia-Pacific region. This diminishes the potential for attack. Also, different Issuers may check different information via AVS, which means you would need to know what information each Issuer checks, and happen upon a card number from that Issuer that is associated with an address similar to a fraudulent drop site you already have. These stars do not align so nicely quite as often as one might think. |
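Added illustration of the post's point (not code from the blog or from any card scheme): a digits-only address comparison returns a full match for a second address that shares only the house number and postcode, while a check that keeps the normalized street name does not. The response codes and the abbreviation table are a simplified model assumed here for the demonstration.

```python
"""Address checks in the style of AVS, as an added illustration of why a
digits-only comparison lets an address with the same house number and
postcode through. The matching rules and response codes here are a
simplified model written for this demonstration, not any card scheme's logic."""
import re


def digits(text):
    """Keep only the numerals: the part of the address a digits-only AVS compares."""
    return re.sub(r"\D", "", text)


def avs_response(billing, supplied):
    """Model AVS outcome for (street digits, postcode digits):
    Y = both match, A = street only, Z = postcode only, N = neither."""
    street_ok = digits(billing["street"]) == digits(supplied["street"])
    post_ok = digits(billing["postcode"]) == digits(supplied["postcode"])
    codes = {(True, True): "Y", (True, False): "A", (False, True): "Z", (False, False): "N"}
    return codes[(street_ok, post_ok)]


# Assumed abbreviation table; a real system would use the postal service's list.
_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr", "lane": "ln"}


def normalize_street(street):
    """Lower-case, strip punctuation, and fold common suffixes so that
    '123 Oak Street' and '123 OAK ST.' compare equal."""
    words = re.sub(r"[^a-z0-9 ]", " ", street.lower()).split()
    return " ".join(_ABBREV.get(w, w) for w in words)


def full_address_match(billing, supplied):
    """A stricter check that keeps the street name, not just its number."""
    return (normalize_street(billing["street"]) == normalize_street(supplied["street"])
            and digits(billing["postcode"]) == digits(supplied["postcode"]))


# Constructed sample: the cardholder's billing address, a second address (the
# post's 'drop site') sharing house number and postcode on another street,
# and the real address retyped with different capitalisation and abbreviation.
BILLING = {"street": "123 Oak Street", "postcode": "60610"}
DROP_SITE = {"street": "123 Elm Avenue", "postcode": "60610"}
SAME_ADDRESS_RETYPED = {"street": "123 OAK ST.", "postcode": "60610"}

if __name__ == "__main__":
    print("digits-only AVS, drop site:", avs_response(BILLING, DROP_SITE))  # Y
    print("full match, drop site:", full_address_match(BILLING, DROP_SITE))  # False
    print("full match, retyped:", full_address_match(BILLING, SAME_ADDRESS_RETYPED))  # True
```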
SCADA Hole, InfoSec Humor [The Falcon's View] Posted: 11 Jun 2008 11:13 AM CDT |
AppSec Conference goes to India! [Jeremiah Grossman] Posted: 11 Jun 2008 10:14 AM CDT Dhruv Soi, Founder & Director, OWASP – Delhi, is organizing AppSec India Conference 2008 (August 20th-21st). It's exciting to see webappsec take off in awareness continent after continent and country after country. India has some of the best experts in the industry local to the region who are already on the schedule, including Shreeraj Shah (BlueInfy) and Saumil Shah (Net-Square). Organizers are also bringing in Arshan Dabirsiaghi, Dinis Cruz, and Nishchal Bhalla. Looks like the makings of a solid event and highly recommended if you are anywhere near the area. It's sure to be unique. I would have liked to attend myself, but I'll be vacationing immediately after Black Hat/Defcon. I'll need the rest. :) |
SIPVicious tools roadmap [SIPVicious] Posted: 11 Jun 2008 10:10 AM CDT |
Posted: 10 Jun 2008 10:02 PM CDT Synopsis: Blue Box Special Edition #25: An interview with Eric Hernaez, CEO of Solegy, about the OpenSBC project Welcome to Blue Box: The VoIP Security Podcast Special Edition #25, a 13-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions. Download the show here (MP3, 6MB) or subscribe to the RSS feed to download the show automatically.
Show Content: In this interview, I sat down with Eric Hernaez, CEO of Solegy, to talk about the OpenSBC Project and how it provides an open source implementation of a session border controller (SBC). We talked about how OpenSBC came about, who is using it, how scalable it is and where users can learn more. We also discussed Solegy, the company supporting the open source OpenSBC project and what they are doing. It was an enjoyable talk that really came about randomly when I met Eric near the press room at IT Expo in Los Angeles back in September 2007. We had been wanting to learn more about the OpenSBC project so I put my recorder on a table and we started talking. More information about the OpenSBC project and other open source SIP-related projects can be found at opensourcesip.org. Production assistance on this Special Edition was provided by Sergio Meinardi. Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. Thank you for listening and please do let us know what you think of the show. |
Wild Weather [The Falcon's View] Posted: 10 Jun 2008 08:19 PM CDT |
Scams are getting complex [Carnal0wnage Blog] Posted: 10 Jun 2008 02:22 PM CDT The timing on this could not be better considering the discussion Chris and I have been having about users being to blame if they get scammed. It almost happened to a good friend of mine last night. Thankfully she was wary and read the email through a few times.

She has been looking for an apartment in the city and finally found this amazing deal on Craigslist. Great price, awesome location, perfect. Too perfect. She emailed the owner, who just happened to be overseas on a work contract of some sort. So they begin an email correspondence and go back and forth trying to work out the details. Then the 'owner' says that he/she would rather go through a 3rd party escrow agency as it's a way to protect both parties. I admit that up until this point everything sounded legit. The 'owner' decided that RE/MAX would be the escrow agency and that he would start the process and that my friend would be receiving an email with details on how to transfer the money to the escrow agency, etc. So far it all sounds great, everyone is protected, everyone is happy.

My friend waits for the email and it does not arrive. She emails back and the 'owner' says that it was sent and to check her spam folder. Yes, you and I would immediately wonder why it ended up in the spam folder and check the headers and content. The average person, who sees so many legit emails end up in that folder, won't though.

So last night my friend decided to go ahead and get the process started. So she prints out the email to make sure she has the instructions correct. I'm sitting at my new mac when she comes over and asks me to have a look at the email. The reply address looks a little odd, she says. athens-remax.com@newjersey.usa.com Um, yeah it does. Now the rest of the email is well formatted and looks really legit. I asked her where the original email was. So after opening her yahoo account and showing me the email I look at the headers to the email and surprise, surprise, the email is spoofed.

***
Return-Path:
Authentication-Results: mta209.mail.re3.yahoo.com from=remax.com; domainkeys=neutral (no sig)
Received: from 208.70.128.77 (EHLO smtp-gw51.mailanyone.net) (208.70.128.77) by mta209.mail.re3.yahoo.com with SMTP; Sun, 08 Jun 2008 23:28:29 -0700
Received: from mailanyone.net by smtp-gw51.mailanyone.net with esmtpa (MailAnyone extSMTP carasove) id 1K5arj-0006bc-OU for **********@yahoo.com; Mon, 09 Jun 2008 01:28:29 -0500
Received: from 127.0.0.1 (MailAnyone web AccountID 228933) by webmail.fusemail.com with HTTP; Mon, 9 Jun 2008 01:28:27 -0500 (CDT)
Message-ID: <1212992907.v2.mailanyonewebmail-228933@fuse48>
Date: Mon, 9 Jun 2008 01:28:27 -0500 (CDT)
Subject: RE/MAX Escrow Transaction
From: "ReMax.com"
***

A little bit of searching for mailanyone.net and it seems that this service is often used to send spoofed emails. After calling REMAX directly they confirmed that the email and 'transaction' was a scam. Thankfully my friend was cautious enough, due to the amount of money involved, to question any unusual aspects of the email and transaction. I wonder how many people are getting caught by scams like this one? It is not a simple link or website. These scammers obviously took a lot of time to develop this scam and to execute it in such a manner as to elicit trust from the user. dean |
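The header checks the post walks through by hand (Reply-To pointing at a different domain than From, DomainKeys not verifying the claimed sender, the last external relay not belonging to that sender) can be scripted. This is an added example, not code from the blog; the two messages in it are constructed samples shaped like the quoted headers, with placeholder hosts and addresses.

```python
"""Header-consistency checks of the kind the post walks through: does the
Reply-To lead somewhere other than the From domain, did DomainKeys verify the
claimed sender, and was the last external relay a host under that domain?
The two messages below are constructed samples shaped like the quoted headers
(placeholder hosts and addresses), not the original mail."""
import email
import re
from email.utils import parseaddr

SPOOFED = """\
Return-Path: <owner@example.invalid>
Authentication-Results: mta.example.net from=remax.com; domainkeys=neutral (no sig)
Received: from 203.0.113.10 (EHLO smtp-gw.relay.example) (203.0.113.10)
  by mta.example.net with SMTP; Sun, 08 Jun 2008 23:28:29 -0700
Received: from 127.0.0.1 (webmail AccountID 0000)
  by webmail.relay.example with HTTP; Mon, 9 Jun 2008 01:28:27 -0500 (CDT)
Message-ID: <1212992907.v2.webmail-0000@host48>
Subject: RE/MAX Escrow Transaction
From: "ReMax.com" <escrow@remax.com>
Reply-To: <athens-remax.com@newjersey.example>

Please wire the deposit to the escrow account.
"""

LEGITIMATE = """\
Authentication-Results: mta.example.net from=remax.com; domainkeys=pass
Received: from mail.remax.com (EHLO mail.remax.com) (198.51.100.5)
  by mta.example.net with SMTP; Mon, 9 Jun 2008 09:00:00 -0500
From: "ReMax.com" <escrow@remax.com>
Subject: Your listing

Hello.
"""


def domain_of(header_value):
    """Domain part of the first address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def relay_hosts(msg):
    """Hostnames from each Received header, top-most (last hop) first. Prefer
    the EHLO name the receiving MTA recorded; fall back to the 'from' token."""
    hosts = []
    for received in msg.get_all("Received", []):
        m = (re.search(r"\(EHLO\s+([^)\s]+)\)", received)
             or re.match(r"from\s+([^\s(]+)", received))
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def spoof_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    msg = email.message_from_string(raw_message)
    findings = []
    from_dom = domain_of(msg.get("From"))

    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom and not reply_dom.endswith("." + from_dom):
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    auth = (msg.get("Authentication-Results") or "").lower()
    dk = re.search(r"domainkeys=(\w+)", auth)
    if dk and dk.group(1) != "pass":
        findings.append(f"DomainKeys result is '{dk.group(1)}', sender not verified")

    hops = relay_hosts(msg)
    if hops and hops[0] != from_dom and not hops[0].endswith("." + from_dom):
        findings.append(f"last external relay {hops[0]} is not a host under {from_dom}")
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(name, spoof_indicators(raw) or ["no indicators"])
```

The top-most Received line is the one added by the recipient's own MTA, so it is the only hop whose hostname the sender could not forge; the lower ones are taken on trust.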
More Indications of the Coming Ice Age... [The Falcon's View] Posted: 10 Jun 2008 01:50 PM CDT |
Interesting Information Security Bits for June 10th, 2008 [Infosec Ramblings] Posted: 10 Jun 2008 01:19 PM CDT Rich Mogull has a post up that points to the New Identity Theft Stats provided by Debix. Interesting to actually see some numbers. Amrit Williams has some interesting thoughts on the iPhone creating a mobile malware tipping point. Russell Handorf gives us some guidance on How-to easily deploy honeypots for production networks. Kai Roer gives us a look at how someone might go about gathering information about you or your company. I came across this from friend feed. SecurityTube.net - videos for security folks. Some interesting stuff there. Finally, are you a computer security professional? Read the article and see how many of the observations you agree with or exhibit. Have a good day. Kevin Technorati Tags: identity theft, iPhone, honeypots, social engineering, security videos, amusing |
Take Back Your Personal Data - 50 Tips [Vincent Arnold] Posted: 10 Jun 2008 01:16 PM CDT Most of those who come across my blog can tell pretty quickly that data privacy is on the top of my list regarding the field of Information Security. I ran across an interesting article on personal data privacy and ways to help ensure your private, personal data is kept just that, private and personal. Most of the tips are pretty general and fall into the category of common sense. Examples include checking your credit report regularly for unauthorized charges or changes, using an anti-virus program on your computer and not sharing your driver’s license or social security number. Other tips like using TOR to “assist” in “anonymizing” your surfing habits, using an encrypted internet messaging client like Bitwise IM or signing checks with a gel pen are some of the less obvious tips that might be found useful for even those “security conscious” individuals. |
Fake Phishing Webmail Targets Chinese Users [Commtouch Café] Posted: 10 Jun 2008 09:00 AM CDT Trying to log in to your Chinese Gmail or Yahoo! webmail? Check carefully…. over the past few days phishers have spread a broad attack trying to entice users to give up their credentials to a fake login page for Google and Yahoo-reminiscent addresses, with a .cn (China) domain. Examples include (and there are dozens of [...] |