Thursday, June 12, 2008

Spliced feed for Security Bloggers Network


Non-gov InfoSec Position in Reston, VA [The Falcon's View]

Posted: 12 Jun 2008 08:41 AM CDT

In case anybody out there is interested, one of my clients is hiring an "Information Security Analyst" and is willing to pay fairly well. Full position notice is included below, after the jump. This client has been quite decent to...

NAMHLA becomes NAAMHLA [Amrit Williams Blog]

Posted: 12 Jun 2008 12:47 AM CDT


NAMHLA (The North American Mogull Hoff Love Association) has officially expanded operations to NAAMHLA (the North American Adrian Mogull Hoff Love Association) (here) and (here)

One can only imagine the oils and love beads that this freaky information-centric menagerie a trois will rub down the inner thigh of the security blogosphere. But in all seriousness I am very happy to see this - congratulations and best of luck guys =)

Quanta In Space! [Emergent Chaos]

Posted: 11 Jun 2008 08:54 PM CDT


What's the biggest problem with quantum cryptography? That it's too expensive, of course. Quantum anything is inherently cool, just as certain things are inherently funny. Ducks, for example. However, it's hard to justify a point-to-point quantum crypto link that starts at one-hundred grand just for the encryptors (fiber link not included, some assembly required), when you can get a couple of routers from CDW that do IPsec at a 99%+ discount.

What to do, then? Why not show the future and down-to-earth practicality of quantum cryptography by --- I know! Let's do it in space!

And so a proposal by thirty-nine co-authors for the Space-QUEST (Quantum Entanglement for Space Experiments) mission describes just that. The New Scientist also has an article, but the proposal is short and readable.

Space-QUEST proposes to the European Space Agency (ESA) that an experiment be taken to the International Space Station (ISS) that will do Quantum Key Distribution between the ISS and a ground station with an ultraviolet laser.

They would establish the one link, which shows "the generation of a provably unconditionally secure key at distance, which is not possible with classical cryptography."

They would then establish two links with separate keys and XOR the two keys together. This ensures that no one can intercept the communications of the two ground stations, according to the proposal.

Out of that one unconditionally secure key between the two ground stations can be computed. Using such a scheme would allow for the first demonstration of global quantum key distribution.

An important step towards the applicability of quantum communication on a global scale, is to extend single QKD links to a quantum network by key relaying along a chain of trusted nodes using satellites as well as fiber-based systems.

A security analysis of this XOR-and-trusted-relay system is left as an exercise for the reader.

The experimental device will meet ESA standards for a module for the European Columbus laboratory, namely a volume of 1.39 × 1.17 × 0.86 m³, mass < 100 kg, and a peak power consumption of < 250 W.

Photo extracted from the Space-QUEST proposal. I don't know about you, but I love the little quantum beams joining the two data rings.
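The XOR relay described in the proposal, written out as an added example (not code from the proposal or from this post). The two QKD links are stood in for by random byte strings; the round itself and the "exercise for the reader" (what the eavesdropper learns from the broadcast, and what the relay node itself knows) are the point:

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length keys."""
    if len(a) != len(b):
        raise ValueError("keys must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def relay_round(k_a: bytes, k_b: bytes) -> dict:
    """One key-relay round through a trusted node.

    k_a: key the node (the ISS) shares with ground station A over its QKD link
    k_b: key the node shares with ground station B over its QKD link
    The node announces k_a XOR k_b over any classical channel; A recovers k_b from it.
    """
    broadcast = xor_bytes(k_a, k_b)           # public value
    key_at_a = xor_bytes(k_a, broadcast)      # A computes k_a XOR (k_a XOR k_b) = k_b
    key_at_b = k_b                            # B already holds k_b
    key_at_relay = xor_bytes(k_a, broadcast)  # the node holds k_a, so it gets the end-to-end key as well
    return {
        "broadcast": broadcast,
        "key_at_a": key_at_a,
        "key_at_b": key_at_b,
        "key_at_relay": key_at_relay,
    }


def candidate_final_keys(broadcast_byte: int) -> list:
    """Single-byte view of what an eavesdropper learns from the broadcast alone.

    For a given broadcast value m, every possible final key k_b has exactly one
    k_a with k_a XOR k_b == m, so all 256 values stay equally plausible.
    """
    return [k_b for k_b in range(256)
            if any(k_a ^ k_b == broadcast_byte for k_a in range(256))]


def demo(key_len: int = 16) -> dict:
    """One round with random keys standing in for the two QKD links (constructed input)."""
    k_a = secrets.token_bytes(key_len)
    k_b = secrets.token_bytes(key_len)
    r = relay_round(k_a, k_b)
    return {
        "stations_agree": r["key_at_a"] == r["key_at_b"],
        "relay_knows_key": r["key_at_relay"] == r["key_at_b"],
    }


if __name__ == "__main__":
    print(demo())
```

The two results of `demo()` are the whole analysis: the ground stations end up with the same key and the broadcast alone is uninformative, but the relay node is not a passive wire, it holds the end-to-end key, which is why the proposal calls the chain one of trusted nodes.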

Paper Breach [Emergent Chaos]

Posted: 11 Jun 2008 07:06 PM CDT

The Missing Docs

The BBC reports in "Secret terror files left on train" that an

... unnamed Cabinet Office employee apparently breached strict security rules when he left the papers on the seat of a train.

A fellow passenger spotted the envelope containing the files and gave it to the BBC, who handed them to the police.

We are also told:

Just seven pages long but classified as "UK Top Secret", this latest intelligence assessment on al-Qaeda is so sensitive that every document is numbered and marked "for UK/US/Canadian and Australian eyes only", according to our correspondent.

The person who lost them is

... described as a senior male civil servant, works in the Cabinet Office's intelligence and security unit, which contributes to the work of the Joint Intelligence Committee.

His work reportedly involves writing and contributing to intelligence and security assessments, and that he has the authority to take secret documents out of the Cabinet Office - so long as strict procedures are observed.

Apparently the documents were not encrypted. Cue rimshot.

CPISM Readiness Documents are Online [PCI Blog - Compliance Demystified]

Posted: 11 Jun 2008 06:56 PM CDT

Many people ask me how they can become a Qualified Security Assessor (QSA).  The only way to become a QSA is to work for a QSA company, be accepted by the PCI SSC, and attend industry specific training.  But what about the rest of us who want a badge of legitimacy without changing jobs?  For this there is the CPISM.

The Certified Payment-Card Industry Security Manager (CPISM) is the de facto certification for those within the payment-card industry who want to prove their security and industry knowledge.  To prepare for this rigorous exam there are a few documents available online to assist you.

First there are the CPISM Knowledge Domains.

  • Payment card industry structure
  • Payment card structure and data
  • Payment card transaction processing
  • Compromise fraud statistics and trends
  • Merchant risk analysis
  • Laws and the regulatory environment
  • Payment card security programs
  • Third party relationships

Check online for the following documents at the Society of Payment Security Professionals (SPSP):

  • CPISM Overview Document
  • CPISM Bibliography
  • CPISM Study Guide

Still not ready?  Enroll in one of the in-person training classes and get direct education to help prepare you for the exam.  Check the SPSP website for dates and locations for the training classes.  The next one is August 13-14, 2008 in Salt Lake City, UT.

Thanks For A Wonderful T-shirt! [Anton Chuvakin Blog - "Security Warrior"]

Posted: 11 Jun 2008 05:00 PM CDT


I would like to thank the splunk team for sending me the wonderful t-shirt (picture of its front side is on the right)

Call for DAVIX Beta Testers [Security Data Visualization]

Posted: 11 Jun 2008 05:00 PM CDT

You may have noticed a page on secviz.org called DAVIX. DAVIX is the upcoming live CD for data analysis and visualization, which will be released at Blackhat/DEFCON in Las Vegas in August 2008.

We have prepared the second beta version of DAVIX. Raffael and I are now seeking beta testers who have the time to test DAVIX and answer the questionnaire that comes along with the beta version.

All completely filled out questionnaires received by me by Monday 23 June 2008 18:00 UTC will enter a raffle for one autographed copy of Raffy's upcoming book Applied Security Visualization. Legal recourse is excluded.

If you want to participate in the beta test please contact: jan.monsch ät iplosion.com

Cotton Traders: Where’s the PCI DSS Compliance? [IT Security Expert]

Posted: 11 Jun 2008 02:33 PM CDT

A couple of days ago a Manchester online clothing business, Cotton Traders, announced a data breach, which was brought about by a web application level "hack" on their website. The breach resulted in the compromise of customer personal details and credit card details. The Cotton Traders data breach underlines two significant issues in the UK: one is the lack of UK breach disclosure laws, and the other is that companies are still avoiding or ignoring PCI DSS Compliance.

Lack of Disclosure
Although the breach was announced yesterday, it actually occurred way back in January 2008 and was supposed to be fixed in a matter of hours, so there was no reason to keep it from the public right after it occurred. That's 6 months after the breach that it was announced to the public; don't we have a right to know? What's more, there has been a lot of smoke and mirrors about this data breach: in one statement 38,000 credit card details were stolen, in another it was just one credit card, and in another it was only customer names and addresses. This is pretty bad considering they had six months to figure out what went on and how; why can't they provide the clear facts of the matter? The upshot is the public can't be certain what data (especially if it is their own) was compromised.

Furthermore there are no actual details of the cause of the breach; although it does appear to be an attack at the web application layer, I'd wager it was an SQL Injection attack. Whatever the type of the successful web application attack was, the real cause of the breach is not just the hacker, but Cotton Traders' bad web application (web site) code and/or poor web site hosting. Think about it: if you left your windows open on your house before going on a two-week holiday and then returned to find it burgled, you'd rightly blame yourself for not taking the security of your home seriously enough; the same applies to companies writing web application code and hosting web applications.

Another example of the smoke and mirrors is Cotton Traders stating "all of its customers' credit card information was encrypted on the website", which is misleading, as this web application breach is not about the web site using session encryption (https), but whether the card details are encrypted on the backend database, and the specific type of encryption employed on the card storage and the process around it (key management). Far too often companies think they can use "it was encrypted" as a kind of get-out-of-jail card, without telling the public what the actual details of the encryption used were. Encryption is not the magic security bullet! For example, using an https (encrypted) web session offers very little protection against a web application level attack, which is against the web site code and the backend database.

PCI DSS Compliance
Cotton Traders have said nothing about whether they were/are Payment Card Industry Data Security Standard (PCI DSS) Compliant. Any company which takes card payments online in the way Cotton Traders do must be PCI DSS Compliant, which came into force from June 2007. I have to assume Cotton Traders were not compliant at the time of the attack. Why? Well, if they were I'm sure they would have stated that fact, and in such circumstances they would rightly have hidden behind PCI DSS and blamed the PCI standard. Also, if Cotton Traders were PCI DSS compliant the chance of a web application attack being successful would be very small. Why? Well, PCI DSS compliance requires an annual web application penetration test and web application code review/web application firewall, which, when used and acted upon, significantly reduce the risk of hacking vulnerabilities at the web application layer.

I don't know the facts about this breach because they haven't been disclosed, but if Cotton Traders were not PCI DSS Compliant, then many PCI experts would say they were being negligent.

Hacking Trends
The major big ecommerce operators are fully wise to web application security, operate in a secure professional manner, and are PCI DSS compliant. Because of this the hackers are targeting the lower hanging fruit, which are the smaller ecommerce companies like Cotton Traders. Some of these don't understand the importance of public facing web site security and the significance of PCI DSS, and will be subject to these types of attacks and breaches.
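The post's point that an https session does nothing for a flaw in the site's own database code, illustrated with an added example (not Cotton Traders' code, and not from the post). The customer table and its three rows are constructed; the lookup is written twice, once with string concatenation and once with a bound parameter, and a quote-bearing input is run through both so the difference in rows returned is visible:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a shop's customer records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1111"),
         ("bob@example.com", "2222"),
         ("carol@example.com", "3333")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds the statement by concatenation, so the user-controlled value becomes SQL syntax.
    Whether the request arrived over https is irrelevant here: TLS only protects bytes in transit."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Same query with a bound parameter: the value can never change the statement's structure."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


def compare(email: str) -> dict:
    """Run one input through both lookups on a fresh sample database."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, email),
        "parameterized": lookup_parameterized(conn, email),
    }


if __name__ == "__main__":
    print(compare("bob@example.com"))
    print(compare("x' OR '1'='1"))
```

With a normal address both functions return the same single row; with the quote-bearing input the concatenated version hands back every customer's card digits while the parameterized version finds nobody, which is the code review finding PCI DSS asks for and no amount of session encryption substitutes for.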

Interesting Information Security Bits for June 11th, 2008 [Infosec Ramblings]

Posted: 11 Jun 2008 02:09 PM CDT


Since at least a couple people find these posts helpful and/or interesting (thanks Zach and Kees), they will continue.

Dean De Beer posts about the increasing complexity of scams our users are seeing. One wonders how long until it will be virtually impossible for the average user to determine if an email is legitimate or not.

Andy Willingham has penned a missive that discusses something that every information security professional has to come to terms with at one time or another. He calls it audit driven programs.

Our last entry today comes from Alex Hutton. He posits that under certain circumstances checklists are not for dummies, but they sure are dumb. As he says, checklists have their place, but are completely inadequate and often misleading when used for some purposes.

Have a great day.

Kevin


Link posts: Valuable or just noise…. [Infosec Ramblings]

Posted: 11 Jun 2008 12:39 PM CDT


Monday thru Friday, when not on vacation or traveling or such, I post my Interesting Information Security Bits posts. I have two questions regarding these posts:

1) Are they of value to you or are they just noise?

2) If they are of value, are my comments helpful or would you just as soon just get the links?

I would much appreciate everybody’s feedback. Leave it in the comments.

Kevin

Copyright deal could toughen rules governing info on iPods, computers [Vincent Arnold]

Posted: 11 Jun 2008 12:25 PM CDT

Vito Pilieci ,  Canwest News Service

Published: Monday, May 26, 2008

OTTAWA - The federal government is secretly negotiating an agreement to revamp international copyright laws which could make the information on Canadian iPods, laptop computers or other personal electronic devices illegal and greatly increase the difficulty of travelling with such devices.

The deal could also impose strict regulations on Internet service providers, forcing those companies to hand over customer information without a court order.

Called the Anti-Counterfeiting Trade Agreement (ACTA), the new plan would see Canada join other countries, including the United States and members of the European Union, to form an international coalition against copyright infringement.


What's up with the "New and Used" Pricing on Amazon? [Emergent Chaos]

Posted: 11 Jun 2008 12:13 PM CDT

So having a book out, you start to notice all sorts of stuff about how Amazon works. (I've confirmed this with other first time authors.) One of the things that I just can't figure out is the pricing people have for The New School.

There's a new copy for $46.43. A mere 54% premium over list, and a whopping 234% of Amazon's discounted price. There's a used copy for $58.56. What the hell?

This isn't unique to us. It happens for every book I've looked at.

Is this some sort of scheme to hide money from the tax collectors? I mean, I liked Cohen's book, (incidentally reviewed here) but not to the tune of 600 bucks.

What's going on? Your thoughts are welcome.

Fraudsters test AVS system [PCI Blog - Compliance Demystified]

Posted: 11 Jun 2008 11:34 AM CDT

David Gamey pointed me to the Register article on yet another scam fraudsters are using to defeat credit card fraud checks.  We have discussed this topic before with pay-at-the-pump, but this new attack really goes to the heart of a fraud check that is called the Address Verification System or AVS.

Because AVS does not check all values in the address (i.e. just the house number or postal code) it is possible that an attacker could use an alternate address that has the same numbers (i.e. same house number but different street).

However fraudsters have begun exploiting the fact that many addresses can have the same AVS code. By making sure billing addresses and delivery addresses used in scams have the same code they make it more likely that purchases will go through.

This is, at best, a weak attack because it cannot be monetized quickly over a large number of card numbers.  In order to perpetrate the attack the attacker would need to have your name, address, and credit card number.  This information is usually obtained from e-commerce compromises, though could originate from other sources.  The attacker would then need to find a drop site that has the same information that is checked for in your address (i.e. same house number but different street).  This could work for one account number.  If they want to replicate it they need to find a new drop site, which is rather difficult and time consuming.

Also, let’s not forget that AVS is not used globally.   For example it is used in the UK, USA and some other regions, but not in continental Europe and most of the Asia-Pacific region.  This diminishes the potential for attack.  Also, different Issuers may check different information via AVS, which means you would need to know what information each Issuer checks, happen upon a card number from that Issuer, that is associated with an address similar to a fraudulent drop site you already have.  These stars do not align so nicely quite as often as one might think.
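The collision the post describes, as an added example (not from the post or from any card scheme's specification). It models the common AVS comparison in simplified form: only the digits of the street line and of the postal code are compared, and the response codes Y/A/Z/N are the usual ones. The addresses are constructed. A merchant-side screen follows to show what a shop can still do with a "Y" it cannot fully trust:

```python
import re


def avs_fields(street: str, postal: str) -> tuple:
    """Reduce an address to what a typical AVS comparison looks at: the digits of the
    street line and the digits of the postal code (simplified model of the check)."""
    return re.sub(r"\D", "", street), re.sub(r"\D", "", postal)


def issuer_avs_response(submitted_street: str, submitted_postal: str,
                        onfile_street: str, onfile_postal: str) -> str:
    """Issuer side. Simplified codes: Y = both match, A = street digits only,
    Z = postal only, N = neither. The merchant only ever sees this letter."""
    s1, p1 = avs_fields(submitted_street, submitted_postal)
    s2, p2 = avs_fields(onfile_street, onfile_postal)
    street_ok = bool(s1) and s1 == s2
    postal_ok = bool(p1) and p1 == p2
    return {(True, True): "Y", (True, False): "A", (False, True): "Z"}.get(
        (street_ok, postal_ok), "N")


def normalize(line: str) -> str:
    """Whitespace- and case-insensitive form of an address line for full-string comparison."""
    return re.sub(r"\s+", " ", line.strip().lower())


def merchant_decision(avs_code: str, billing: dict, delivery: dict) -> str:
    """Merchant side: AVS is one signal among several. Any code other than Y, or a
    delivery address that differs from the billing address, goes to manual review."""
    if avs_code != "Y":
        return "review"
    same_place = (normalize(billing["street"]) == normalize(delivery["street"])
                  and normalize(billing["postal"]) == normalize(delivery["postal"]))
    return "approve" if same_place else "review"


if __name__ == "__main__":
    # Constructed cardholder record and a different street with the same digits.
    onfile = ("742 Evergreen Terrace", "90210")
    print(issuer_avs_response("742 Maple Street", "90210", *onfile))   # Y: the collision
    bill = {"street": "742 Evergreen Terrace", "postal": "90210"}
    drop = {"street": "742 Maple Street", "postal": "90210"}
    print(merchant_decision("Y", bill, drop))                           # review
```

The issuer function shows why two different streets with the same number and postcode both score "Y". The merchant screen catches the case where the delivery address differs from the billing address; it cannot catch a fraudster who submits the colliding address as both, which is exactly the weakness the post describes, and is why the remaining defences are the ones listed above (AVS not being global, issuers checking different fields).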

SCADA Hole, InfoSec Humor [The Falcon's View]

Posted: 11 Jun 2008 11:13 AM CDT

Updated: SANS Storm Center has more info on the CitechSCADA vulnerability here. The AP reports, via the Star Tribune, that Core Security Technologies has identified a significant hole in CitechSCADA software. I'm sure this will be one of many, many...

AppSec Conference goes to India! [Jeremiah Grossman]

Posted: 11 Jun 2008 10:14 AM CDT

Dhruv Soi, Founder & Director, OWASP – Delhi, is organizing AppSec India Conference 2008 (August 20th-21st). It's exciting to see webappsec take off in awareness continent after continent and country after country. India has some of the best experts in the industry local to the region who are already on the schedule, including Shreeraj Shah (BlueInfy) and Saumil Shah (Net-Square). Organizers are also bringing in Arshan Dabirsiaghi, Dinis Cruz, and Nishchal Bhalla. Looks like the makings of a solid event and highly recommended if you are anywhere near the area. It's sure to be unique. I would have liked to attend myself, but I'll be vacationing immediately after Black Hat /Defcon. I'll need the rest. :)

SIPVicious tools roadmap [SIPVicious]

Posted: 11 Jun 2008 10:10 AM CDT

I'm looking at improving SIPVicious and would appreciate your input for new features or any possible bug fixes. Send me an email with ideas, or simply leave a comment.

Check my current "to do" list here.

Blue Box SE#025 - An interview with Eric Hernaez about Solegy and the OpenSBC Project [Blue Box: The VoIP Security Podcast]

Posted: 10 Jun 2008 10:02 PM CDT

Synopsis:  Blue Box Special Edition #25: An interview with Eric Hernaez, CEO of Solegy, about the OpenSBC project


Welcome to Blue Box: The VoIP Security Podcast Special Edition #25, a 13-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 6MB) or subscribe to the RSS feed to download the show automatically. 


Show Content:

In this interview, I sat down with Eric Hernaez, CEO of Solegy, to talk about the OpenSBC Project and how it provides an open source implementation of a session border controller (SBC).  We talked about how OpenSBC came about, who is using it, how scalable it is and where users can learn more.  We also discussed Solegy, the company supporting the open source OpenSBC project and what they are doing. It was an enjoyable talk that really came about randomly when I met Eric near the press room at IT Expo in Los Angeles back in September 2007. We had been wanting to learn more about the OpenSBC project so I put my recorder on a table and we started talking.

More information about the OpenSBC project and other open source SIP-related projects can be found at opensourcesip.org.

Production assistance on this Special Edition was provided by Sergio Meinardi.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.


Wild Weather [The Falcon's View]

Posted: 10 Jun 2008 08:19 PM CDT

Just had another storm blow through... this one brought pea-sized hail along with heavy thunder and lightning, including a momentary power drop... This storm seemed to be moving very quickly, too, though perhaps not as much as the storm last...

Scams are getting complex [Carnal0wnage Blog]

Posted: 10 Jun 2008 02:22 PM CDT

The timing on this could not be better considering the discussion Chris and I have been having about users being to blame if they get scammed.

It almost happened to a good friend of mine last night. Thankfully she was wary and read the email through a few times.

She has been looking for an apartment in the city and finally found this amazing deal on Craigslist. Great price, awesome location, perfect. Too perfect. She emailed the owner, who just happened to be overseas on a work contract of some sort.

So they begin an email correspondence and go back and forth trying to work out the details. Then the 'owner' says that he/she would rather go through a 3rd party escrow agency as it's a way to protect both parties. I admit that up until this point everything sounded legit.

The 'owner' decided that RE/MAX would be the escrow agency and that he would start the process and that my friend would be receiving an email with details on how to transfer the money to the escrow agency, etc..

So far it all sounds great, everyone is protected, everyone is happy. My friend waits for the email and it does not arrive. She emails back and the 'owner' says that it was sent and to check her spam folder. Yes, you and I would immediately wonder why it ended up in the spam folder and check the headers and content. The average person, who sees so many legit emails end up in that folder, won't though.

So last night my friend decided to go ahead and get the process started. So she prints out the email to make sure she has the instructions correct. I'm sitting at my new mac when she comes over and asks me to have a look at the email.

The reply address looks a little odd she says.

athens-remax.com@newjersey.usa.com

um, yeah it does. Now the rest of the email is well formatted and looks really legit. I asked her where the original email was. So after opening her yahoo account and showing me the email I look at the headers to the email and surprise, surprise, the email is spoofed.

***
Return-Path:
Authentication-Results: mta209.mail.re3.yahoo.com from=remax.com; domainkeys=neutral (no sig)
Received: from 208.70.128.77 (EHLO smtp-gw51.mailanyone.net) (208.70.128.77) by mta209.mail.re3.yahoo.com with SMTP; Sun, 08 Jun 2008 23:28:29 -0700
Received: from mailanyone.net by smtp-gw51.mailanyone.net with esmtpa (MailAnyone extSMTP carasove) id 1K5arj-0006bc-OU for **********@yahoo.com; Mon, 09 Jun 2008 01:28:29 -0500
Received: from 127.0.0.1 (MailAnyone web AccountID 228933) by webmail.fusemail.com with HTTP; Mon, 9 Jun 2008 01:28:27 -0500 (CDT)
Message-ID: <1212992907.v2.mailanyonewebmail-228933@fuse48>
Date: Mon, 9 Jun 2008 01:28:27 -0500 (CDT)
Subject: RE/MAX Escrow Transaction
From: "ReMax.com"
***
A little bit of searching for mailanyone.net suggests that this service is often used to send spoofed emails.

After calling REMAX directly they confirmed that the email and 'transaction' was a scam.

Thankfully my friend was cautious enough, due to the amount of money involved, to question any unusual aspects of the email and transaction.

I wonder how many people are getting caught by scams like this one? It is not a simple link or website. These scammers obviously took a lot of time to develop this scam and to execute it in such a manner as to elicit trust from the user.

dean
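The header checks Dean did by eye, written up as an added example (not code from the post). The sample message is constructed to match the headers quoted above: the relay, Authentication-Results and Message-ID values are the ones shown in the post, the mailbox address `noreply@remax.com` in the From line and the Reply-To header carrying the odd `athens-remax.com@newjersey.usa.com` address are assumptions filled in where the post shows only a display name and "the reply address". The script pulls out the four things a reviewer would compare and reports each mismatch:

```python
import email
import re

# Constructed sample modelled on the headers quoted in the post; see the note above.
SAMPLE = (
    "Return-Path:\n"
    "Authentication-Results: mta209.mail.re3.yahoo.com from=remax.com; domainkeys=neutral (no sig)\n"
    "Received: from 208.70.128.77 (EHLO smtp-gw51.mailanyone.net) (208.70.128.77)\n"
    "  by mta209.mail.re3.yahoo.com with SMTP; Sun, 08 Jun 2008 23:28:29 -0700\n"
    "Received: from mailanyone.net by smtp-gw51.mailanyone.net with esmtpa\n"
    "  (MailAnyone extSMTP carasove) id 1K5arj-0006bc-OU for **********@yahoo.com;\n"
    "  Mon, 09 Jun 2008 01:28:29 -0500\n"
    "Received: from 127.0.0.1 (MailAnyone web AccountID 228933)\n"
    "  by webmail.fusemail.com with HTTP; Mon, 9 Jun 2008 01:28:27 -0500 (CDT)\n"
    "Message-ID: <1212992907.v2.mailanyonewebmail-228933@fuse48>\n"
    "Date: Mon, 9 Jun 2008 01:28:27 -0500 (CDT)\n"
    "Subject: RE/MAX Escrow Transaction\n"
    'From: "ReMax.com" <noreply@remax.com>\n'          # mailbox part is an assumption
    "Reply-To: athens-remax.com@newjersey.usa.com\n"    # the reply address quoted in the post
    "\n"
    "Please wire the deposit to the escrow account below.\n"
)


def domain_of(header_value: str) -> str:
    """Domain of the first addr-spec in a header value (text after the first '@')."""
    m = re.search(r"@([\w.-]+)", header_value)
    return m.group(1).lower() if m else ""


def registrable(domain: str) -> str:
    """Crude organisation-level name: the last two labels (example.com)."""
    return ".".join(domain.split(".")[-2:])


def analyse(raw: str) -> dict:
    """Compare From, Reply-To, the delivering relay and the DomainKeys verdict."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))

    # Each hop prepends its own Received header, so the first one is the hop that
    # handed the message to the receiving MTA: the sender's outbound relay.
    received = msg.get_all("Received") or []
    m = re.search(r"\(EHLO\s+([\w.-]+)\)", received[0]) if received else None
    relay = m.group(1).lower() if m else ""

    m = re.search(r"domainkeys=(\w+)", msg.get("Authentication-Results", ""))
    domainkeys = m.group(1) if m else "none"

    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if relay and registrable(relay) != registrable(from_dom):
        findings.append(f"delivered by {relay}, not by {from_dom} infrastructure")
    if domainkeys != "pass":
        findings.append(f"DomainKeys result is '{domainkeys}': sender domain not verified")
    if not msg.get("Return-Path", "").strip():
        findings.append("empty Return-Path")
    return {"from_domain": from_dom, "reply_domain": reply_dom, "relay": relay,
            "domainkeys": domainkeys, "findings": findings}


if __name__ == "__main__":
    for finding in analyse(SAMPLE)["findings"]:
        print("-", finding)
```

Any one of the four findings is worth a phone call to the company before money moves; all four together on a message about an escrow payment is the profile of the scam in the post.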

More Indications of the Coming Ice Age... [The Falcon's View]

Posted: 10 Jun 2008 01:50 PM CDT

My original predictions of 2010 may be off by a couple years. It's starting to sound more like 2012 could be the year of interest. I base this on the belief, supported by NASA, that the magnetic poles are indeed...

Interesting Information Security Bits for June 10th, 2008 [Infosec Ramblings]

Posted: 10 Jun 2008 01:19 PM CDT


Rich Mogull has a post up that points to the New Identity Theft Stats provided by Debix. Interesting to actually see some numbers.

Amrit Williams has some interesting thoughts on the iPhone creating a mobile malware tipping point.

Russell Handorf gives us some guidance on How-to easily deploy honeypots for production networks.

Kai Roer gives us a look at how someone might go about gathering information about you or your company.

I came across this from friend feed. SecurityTube.net - videos for security folks. Some interesting stuff there.

Finally, are you a computer security professional? Read the article and see how many of the observations you agree with or exhibit.

Have a good day.

Kevin


Take Back Your Personal Data - 50 Tips [Vincent Arnold]

Posted: 10 Jun 2008 01:16 PM CDT

Most of those who come across my blog can tell pretty quickly that data privacy is on the top of my list regarding the field of Information Security. I ran across an interesting article on personal data privacy and ways to help ensure your private, personal data is kept just that, private and personal. Most of the tips are pretty general and fall into the category of common sense. Examples include checking your credit report regularly for unauthorized charges or changes, using an anti-virus program on your computer and not sharing your driver’s license or social security number. Other tips like using TOR to “assist” in “anonymizing” your surfing habits, using an encrypted internet messaging client like Bitwise IM or signing checks with a gel pen are some of the less obvious tips that might be found useful for even those “security conscious” individuals.

50 Tips to help you secure your personal data

Fake Phishing Webmail Targets Chinese Users [Commtouch Café]

Posted: 10 Jun 2008 09:00 AM CDT

Trying to log in to your Chinese Gmail or Yahoo! webmail? Check carefully…. over the past few days phishers have spread a broad attack trying to entice users to give up their credentials to a fake login page for Google and Yahoo-reminiscent addresses, with a .cn (China) domain. Examples include (and there are dozens of [...]
