Friday, June 13, 2008

Spliced feed for Security Bloggers Network

Spliced feed for Security Bloggers Network

“Doing Well by Doing Right” [/dev/random] [Belgian Security Blognetwork]

Posted: 13 Jun 2008 04:35 AM CDT

Today, I received a mailing (partnership between ING and Steptone) to promote open career opportunities at ING. Well, I receive a lot of mailings but this one was quite special…

It said: For more information about career opportunities, visit www.ingitcrew.be.. I really liked the slogan “Doing Well by Doing Right“, check out:

ING Advertisement

Problem? Don’t try to visit the website, domain name has not been registered!

 # whois -h whois.dns.be ingitcrew.be % .be Whois Server 4.0 % % (c) dns.be 2001-2004 (http://www.dns.be) % [stuff deleted] %- % WHOIS ingitcrew Domain: ingitcrew Status: FREE 

www.ingitcrew.com is the right one. Typo error? Lack of project coordination? My first idea was, of course, to immediately register the domain. If anybody has a contact @ ING or Stepstone, give them a call!

A Continental nightmare [StillSecure, After All These Years]

Posted: 13 Jun 2008 03:35 AM CDT

The state of the airline industry is a travesty.  Today United announced that they are joining American in charging a fee for even the first bag of checked luggage.  Combined with the ban on liquids that makes it hard to carry on anything, you are forced to pay up.  This is on top of the already jacked up prices and fuel surcharges they are already charging.  They also charge if you want to fly stand by now, extra for exit seats, aisles, etc, etc.  It is not one airline worse than another, they are all pretty bad. 

Today's travel nightmare though comes courtesy of Continental Airlines.  I rarely fly Continental because in coach I find their seats are to close together and my knees get crushed.  But flying home from Denver today, they were the cheapest so I booked the flight. 

I was scheduled to be on a 4:50 flight out of Denver into Houston.  An hour layover, an 8:55 flight from Houston to Ft Lauderdale and I would get me home around midnight.  Long day for sure.  So I finished up my meetings and stuff early in Boulder and saw that Continental had a 2:30 flight from Denver to Houston and a 7:10 connection to Ft Lauderdale that would get me in around 10:20pm.  I left StillSecure HQ around noon and was at Denver airport by about 12:45.  I went to the Continental counter and asked to get on the earlier flight.  Because I am a platinum medallion member of Delta, as a Sky Team member, I am an elite plus level passenger on Continental. In days gone by that would qualify me for same day ticket changes for free.  Not anymore it doesn't!  I don't understand what the price of fuel has to do with charging me for same day ticket changes.  Anyway, they said I could fly stand by for free until June 17th, when even standby is going to cost an extra fee (again they blamed it on fuel costs).

So they put me on standby and told me my luggage would go on the earlier flight.  I then went to the 2:30 flights gate and waited.  The ticket counter agent told me about 20 minutes before take off that they only had me as a silver medallion and due to my low status I was far down the list and would not make the flight.  My luggage would though.  OK, so I will hang at the airport and work a few hours.  Just before the plane takes off they call my name and tell me to wait at the end of the jetway.  They are checking the plane and if there is a seat I can take it.  I get the last seat on the plane, a middle seat. 

I arrive at Houston and proceed to the gate for the 7:10 flight to Ft Lauderdale.  I check in with the agent and she tells me the folks in Denver only put me on standby for the Denver Houston flight and I am not on stand by for the Ft Lauderdale flight.  She can put me on and I will probably make it, but my luggage will be going on the later flight.  Now mind you I can see the plane I just got off of out the window and could have gone to the jetway and told the guys unloading the luggage to grab my bag.  Not wanting to wait two hours in Ft Lauderdale late at night for my luggage to arrive and not wanting to drive down the next day to pick it up I say thanks, but no thanks and decide to wait another two hours for the later flight that my luggage will be on.

I board my 8:55 flight as scheduled and we take off headed for Ft Lauderdale, due to land at 12:15 or so.  The plane is hot as heck and about a half hour into the flight the pilot says that we have a pressurization problem and am turning back to Houston!  We turn back and upon arrival near Houston, he tells us we have too much fuel to land and will have to fly around to burn it off.  We have no air conditioning, it is hot as can be and they are telling me how much they charge because of the cost of fuel that they are now flying around in circles to burn off!

We land in Houston, they find another plane and we finally take off from Houston around 11:45 or so. I am writing this on the plane and am due to land about 2:30am. If I find my luggage came on the earlier flight I am going to kill someone.  In the meantime, I have had enough of Continental for a while and they won't see me on their planes very soon.

End of story, we landed around 2:45 and my luggage was waiting for me, having arrived on the earlier flight.  The Continental employee at the baggage claim will remember Alan Shimel for a while, as I gave him a piece of my mind.

Whats driving the MSSP craze - critical, but non-core functions are fair game for outsourcing [StillSecure, After All These Years]

Posted: 13 Jun 2008 03:29 AM CDT

I don't know what it is, but lately everyone I am speaking to is talking SaaS, outsourcing and MSSPs. Just today I was reading Neil Roiter's column on the latest acquisition by Perimeter eSecurity. The MSSP acquisition kings have now bought Edgeos, a vulnerability scanning service. I don't really know alot about them, but it seems their vulnerability service does not utilize a distributed or local server at the customers location. I am not sure how they deal with things like firewalls and such that would result in very different results from an internal scan, but that isn't the point here. The fact is that MSSP service providers, whether it be large carriers line Verizon or ATT or dedicated security MSSPs like Perimeter or SecureWorks or smaller MSSPs like ProtectPoint here in Florida, are finding fertile ground. I will talk more at the end of the article about what kind of MSSP will likely be your MSSP in the future.

Why are they seeing such success and who are they seeing this success with? My experience with this goes back to my days at Interliant, one of the early ASPs and managed security provider. At one time (late 90's, early 2000) we were probably the largest Checkpoint firewall provider in the eastern US. We managed a bunch of firewalls and that passed for MSSP back than. Still does for a lot of folks today. One of the critical lessons I learned at Interliant was that people will not outsource everything. You can break down what most any organization does into three categories. There are non-critical, non-core activities, critical, but non-core activities and core and critical activities. A company is never going to outsource core, critical activities. Outsourcing non-critical, non-core activities are a no brainer. Showing companies that outsourcing critical, non-core activities is the key to success of the service provider market. These are activities that are critical and therefore must have services for the organization, but they are not core to the organizations functionality and they probably don't have deep expertise in that area. Analysis will show that it is better business to outsource this non-core but critical functionality.

Security is squarely in the sweet spot here. Most organizations acknowledge that security whether for compliance or other business reasons is critical to the business function. However, it is not the core expertise of these companies. Therefore outsourcing it is a smart business move. For the most part, companies do not have the in house expertise to run their own security. Part of the blame lies with security vendors, we make our products to damn hard. Part of the problem is the complexity of the problem to be solved. Security is hard. Another part of the problem is in house security just does not, for the most part, get its fair share of the resources in order to do the job. In any event, I think outsourcing security is not just a fad and is here to stay. It will continue to grow in the years to come.

Just a couple of other things though. Finance is an exception here. Security is a core function in finance, as the security of your money and information is core to a financial institutions function. However, at the mid-size level and below, financial institutions do outsource security. I have seen several MSSPs who specialize in this vertical. Lastly, I think the real battle will be who do you get your managed security from. Do you get from a general purpose network vendor, like Verizon, ATT or IBM or HP? Do you get it separate from your network, from a security expert like Perimeter or SecureWorks? That is where the real battle is going to be over the coming months.

EID : representative Jambon makes some mistakes [belsec] [Belgian Security Blognetwork]

Posted: 13 Jun 2008 02:59 AM CDT

First it is not that simple and automatic that you can steal an identity with simple the EID of your neighbor. We didn't publish that information but there is a procedure that makes it possible under certain conditions. One of these procedures has already been published but involves pictures of (or possession of) several cards and bits of information.

It seems necessary for us to stop the way that online new passwords are distributed and to change it into a physical presence procedure where you will have to present yourself in your city or commune. This doesn't sound too much digital and new, but this is the standard for all safe bankcards and identitypapers.

Secondly the films are not about the chip, they are about the privacywall that should have protected the information on the card against interception by non-authorized applications

THere are much more important political and IT problems around EID that need to be addressed. As fast and as coordinated as possible. It is not now the time to have political, intellectual or industrial fights. We are all in this together and solving this problem won't take too much effort if everybody agrees on the normal best practices and certifications that need to be in place.

We hope the government will survive the 15th of July because we need a government to do these things (among many others). These are much bigger issues than the interpretation of a word or sentence in a global agreement.

It is now time to make your ideas and proposals about a secure EID public or known [belsec] [Belgian Security Blognetwork]

Posted: 13 Jun 2008 02:08 AM CDT

We are happy to announce that the omerta around the EID has broken in a big way and would ask all those that have kept silent to get their ideas and information together and to hand it over to us or to the parliament or to FEDICT whatever you are most comfortable with.

It is now or never and if you miss this big chance you will be confronted with our remark if you say it later, why didn't you say that before.

We would even call for a DELPHI research about our EID project that doesn't take into account who says what but that takes into account what is being said and that tries to get all the specialists on EID and security together about a big masterplan for the coming years and the axes around which the new EID should work.

We also think that it is maybe time for parliament to step in and form a permament commission to follow up on technology questions. We are having one after another since january (EID, EVOTE, EHEALTH, ESECURITY, BELGACOM accounts hacked, **** online service unsecurity, .......) How do the representatives hope to have any knowledge, backup specialists and follow-up if they don't have a permanent committee with specialists and representatives that can exchange and coordinate information with collagues from all over the world who have the same speciality.

By the way we are still looking for new reports, articles and things to make public or to send through at backchannels. We are also looking for people to blog here (ask an account) or to help (even if it was an hour a week) with different sideprojects or specific follow-up sections on this site. I don't care if you agree with everything written here or not.

Onderzoek over EID door Leuvense professoren online [belsec] [Belgian Security Blognetwork]

Posted: 13 Jun 2008 01:43 AM CDT

op vraag van de onderzoekers werd dit offline genomen

Links for 2008-06-12 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 13 Jun 2008 12:00 AM CDT

Verizon Business 2008 Data Breach Investigations Report [Rational Survivability]

Posted: 12 Jun 2008 09:26 PM CDT

Vbdatabreach_2 This is an excellent report culled from over four years and 500 forensic investigations performed by the Verizon Business RISK team.

There are some very interesting statistics presented in this report that may be very eye-opening to many (italicized comments added by me):

Who is behind data breaches?
73% resulted from external sources  <-- So much for "insider risk trumps all"
18% were caused by insiders
39% implicated business partners
30% involved multiple parties

How do breaches occur?
62% were attributed to a significant error  <-- Change control is as important as
59% resulted from hacking and intrusions   <-- compensating controls
31% incorporated malicious code
22% exploited a vulnerability
15% were due to physical threats

What commonalities exist?
66%  involved data the victim did not know was on the system <-- Know thy data/where it is!
75%  of breaches were not discovered by the victim  <-- Manage and monitor!
83%  of attacks were not highly difficult
85%  of breaches were the result of opportunistic attacks
87%  were considered avoidable through reasonable controls <-- So why aren't they used?

Very, very interesting...

You can get the report free of charge here.

/Hoff

Ideal Tool to Solve Real Problems ... of the Near Future? [Anton Chuvakin Blog - "Security Warrior"]

Posted: 12 Jun 2008 09:02 PM CDT

Remember my write-up about an ideal log management tool?

Somebody asked me: "That's great that you have such a clear  vision of a future log management technology - but tell me first what future business problems will such 'ideal tool of the future' solve?"

First, I laughed and said: "Dude, look around, will ya? :-) There are plenty of log-related problems today which we are not even close to solving. We need to solve the problems of today first, before we can get to solving the future problems..."

So, what I consider to be the biggest log-related problems of today?

  1. Not knowing what to log - whether  for compliance, tracking attackers or troubleshooting system problems. Remember all the comedy about "Tell me EXACTLY what to log for PCI?" If not, reread it!
  2. Log volume  - there is too darn many log messages (seriously, 100,000 each second is a lot of log - but there is more at large companies!), and, which is worse, a lot of them are of unknown value to the users (might be useful, might not - but you never know in advance); thus, log clutter networks, systems and brains of security/system analysts.
  3. Log diversity - logs all look different (at least while standards are being developed) and no single person have the skill set to understand  more than a few types. PIX admin groking SAP logs? No way!
  4. In light of the above, just pure bad logs are also a major challenge - logs that miss a key piece of info (like the infamous "login failed" without the username...) or are useless in some other way are sadly common.
  5. How about getting the logs from all the nooks and crannies where they are stuck  (think application logs here) - it is a problem if you want to achieve  (expand, rather) your operational awareness of applications.
  6. Finally (not really, the list can go on and on), making sense of logs in  an automated fashion is still a #1 challenge  (IMHO) - we are getting better creating tools for humans to go thru logs (via reports and search), but log->conclusion process still requires a human, and a darn smart one.

Now, when you read the above think "end user", not "log management  vendor" challenges (I plan to post about these later). My idea of an ideal tool will seek to solve these and others.

Along the same line, this picture from 4th SANS Log Management Survey shows how people perceive the logging challenges:

image

as well as my logging challenges poll (analysis here):

image

Now, let's think of logging problems of the near future, say in 2 years.

But you'd have to wait for the next post for this :-)

Wake Up Call: It's Time To Protect [ImperViews]

Posted: 12 Jun 2008 06:09 PM CDT

The Verizon Business survey that was published yesterday offers many insights. It think that this is an important (and certainly not surprising)

In a finding that may be surprising to some, most data breaches investigated were caused by external sources. Breaches attributed to insiders, though fewer in number, were much larger than those caused by outsiders when they did occur. As a reminder of risks inherent to the extended enterprise, business partners were behind well over a third of breaches, a number that rose five-fold over the time period of the study.

There are two eye opening charts in this reports, that highlight the importance of active security systems and the need to close (security) gaps as fast as possible. The first compares between the time it takes to penetrate a system and the time that it takes to discover and mitigate .

time_span.png
(click on image see a larger size)

In comparison to the other categories, the length of time between the attacker's initial entry into the corporate network and the compromise of information is relatively short. During this phase, intruders typically explore the network and systems until finding their desired plunder. To an attacker unfamiliar with the territory, this can be a time-intensive activity. Surprisingly, our findings reveal this was accomplished within minutes or hours in just under half of cases investigated.

So it takes a VERY short time to penetrate the application or breach the data, while it takes a lot of time to discover. The next chart shows how organizations discovered the breach. As you can see, most organizations surveyed by Verizon did not use monitoring tools

breach detection.png
(click on image see a larger size)

I see a clear connection between the first and second data point. Should organizations use activity monitoring solution, they will be able to detect breaches faster...this is logical and make sense. But I would like to make the case for preferring security and attack blocking over pure activity monitoring.

This survey should be used as a wake up call to many organizations that should look into their monitoring and real time security systems. As the bad guys (internal or external) are  attacking within minutes or hours, security professional can not longer assume that they'll be able to protect and defense without the use of real time security solutions capable to protect the entire application stack.

Some insights into Data Breaches [Security4all] [Belgian Security Blognetwork]

Posted: 12 Jun 2008 06:00 PM CDT

Taosecurity posted a review of an online 2008 Data Breach Investigations Report. Some interesting quotes from his article are: Three quarters of all breaches are not discovered by the victimAttacks...

EU wants to regulate blogs [Security4all] [Belgian Security Blognetwork]

Posted: 12 Jun 2008 05:37 PM CDT

The internet has always been a place to express freedom of speech. Social media has been a revolution helping us share information, communicate and connect to other people. Blogging is an important...

Blogger sentenced in Belgium to three months in prison for blogfight [belsec] [Belgian Security Blognetwork]

Posted: 12 Jun 2008 05:20 PM CDT

And now you will think that it was the defender of a great cause, that there was secret state or industrial information that was published ? No, but the judge found the facts so important that he sentenced her to 3 months in prison and 5 years if she does something else wrong and 550 Euro's to pay.

So what was the huge crime she did to get such a harsh sentence ? Distribute illegal films, publish child porn, sell poker ?

There were two women who were neighbors and the best of friends. But after a while they had a huge dispute about a car that one sold to another and they hated each as much as they loved each other before. So the angry neighbor started placing anonymous harsh comments on the personal blog of her neighbor who found out who was writing them. Angry as she was at her neighbor she published on her blog that her neighbor had an abortion and was a child killer. The anonymous commenting neighbor was too shocked to respond something  and just went to court.... and won.

Just one practical thing. If comments become personal or stupid, just turn them off. Who needs them and who reads them ?

E-Health will have its debate in Belgium [belsec] [Belgian Security Blognetwork]

Posted: 12 Jun 2008 05:10 PM CDT

E-health is the big project of Mr Robben and his vision of how e-health should be organised in Belgium. So he made his plans, prepared the reports and budgets and wrote the necessary laws and as our government didn't think that people should have any doubts about so much wisdom they just put it into the biggest law that is voted each year (programlaw) that encompasses hundreds of pages and treats about anything that must pass without parliamentary debat.

But the doctors didn't agree with this vision. Not the technological vision, that is still another matter and I doubt we will much hear about that. They don't agree about the concept of the idea in which they lose the monopoly to decide which medicine the patients will be using. They threw the term 'big brother' in their press map and so everyone jumped on it and the minister was obliged to give it its proper law and debate.

The term Big brother is about the new relationship between the Administration of Social Security and the doctors. It is not yet used for the relationship and information from the patients versus the states.

Now we can only hope there will be room and time for a debate about the security and privacy of those very important medical information about us and not only a corporatist power fight. The administration probably knows that this is a problematic point because they burried the earlier plans to put that medical information on our EID. Imagine that EID has some securityproblems..... Imagine that :)

Belgian CCC investigation goes to switserland for encryption courses [belsec] [Belgian Security Blognetwork]

Posted: 12 Jun 2008 04:58 PM CDT

As you have read before there is a lot to do in Belgium about the arrests of the ex-CCC terrorists that were on conditional freedom. They have returned to prison. There was also some discussion about the fact that the prosecutor mentioned that they were using encryption and diskwiping technology in the list of his accusations. As security people we do that every day.

Now the prosecutor has decided to go to Switzerland. There lives a community of mostly German and Italian extremists that fled Germany and Italy during the terrorist and antiterrorist campaigns in the 70's and 80's. One of the best known is Andrea Stauffacher which has a long history of activism and is now seen as one of the organizers of other extremist movements in Switzerland at nearly 50 years old.

1_16
the Rosa Luxemburg of Switzerland

But she has a good understanding of her times as she gives courses to leftwing extremists about defending against surveillance and encryption. Not only to members of the CCC but also to other groups. She is also suspected of being call the brain behind the "black block", the very diverse group of rioters that turn up at some demonstrations and made name with the riots during the antiglobalist manifestations.

How much your compromised information trades for… [Vincent Arnold]

Posted: 12 Jun 2008 04:23 PM CDT

On page 18 of the April, 2008 Symantec Global Internet Security Threat Report, there is a chart that lists how much stolen information trades for on the underground market. I think it would be safe to say that $15 for my identity is pretty insulting. It would take a lot more than 15 bucks to get it back.

Gives you an idea of how many identities must already be compromised for the value to be so low.

Don't Hassle the Hoff: Recent Press & Podcast Coverage & Upcoming Speaking Engagements [Rational Survivability]

Posted: 12 Jun 2008 03:52 PM CDT

Microphone Here are some of the recent press coverage on topics relevant to content on my blog:

Podcasts/Webcasts:

I am confirmed to  speak at the following upcoming events:

/Hoff

Notes from the IBM Global Innovation Outlook: Security and Society [Rational Survivability]

Posted: 12 Jun 2008 02:18 PM CDT

Gio2008 This week I had the privilege to attend IBM's Global Innovation Outlook in Chicago which focused this go-round on the topic of security and society.   This was the last in the security and society series with prior sessions held in Moscow, Berlin, and Tokyo.

The mission of the GIO is as follows:

The GIO is rooted in the belief that if we are to surface the truly revolutionary innovations of our time, the ones that will change the world for the better, we are going to need everyone's help. So for the past three years IBM has gathered together the brightest minds on the planet -- from the worlds of business, politics, academia, and non-profits – and challenged them to work collaboratively on tackling some of the most vexing challenges on earth. Healthcare, the environment, transportation.

We do this through a global series of open and candid conversations called "deep dives." These deep dives are typically done on location. Already, 25 GIO deep dives have brought together more than 375 influencers from three dozen countries on four continents. But this year we're taking the conversation digital, and I'm going to help make that happen.

The focus on security and society seeks to address the following:

The 21st Century has brought with it a near total redefining of the notion of security. Be it identity theft, border security, or corporate espionage, the security of every nation, business, organization and individual is in constant flux thanks to sophisticated technologies and a growing global interdependence. All aspects of security are being challenged by both large and small groups — even individuals — that have a disruptive capability disproportionate to their size or resources.

At the same time, technology is providing unprecedented ways to sense and deter theft and other security breaches.  Businesses are looking for innovative ways to better protect their physical and digital assets, as well as the best interests of their customers. Policy makers are faced with the dilemma of enabling socioeconomic growth while mitigating security threats. And each of us is charged with protecting ourselves and our assets in this rapidly evolving, increasingly confusing, global security landscape.

The mixture of skill sets, backgrounds, passions and agendas of those in attendance was intriguing and impressive.  Some of the folks we had in attendance were:

  • Michael Barrett, the CISO of PayPal
  • Chris Kelly, the CPO of Facebook
  • Ann Cavoukian, the Information & Privacy Commissioner or Ontario
  • Dave Trulio, special assistant to the president/homeland security council
  • Carol Rizzo, CTO of Kaiser Permanente
  • Mustaque Ahamad, Director, Georgia Tech Information Security Center
  • Julie Ferguson, VP of Emerging Technology, Debix
  • Linda Foley, Founder of the Identity Theft Resource Center
  • Andrew Mack, Director, Human Security Report Project, Simon Fraser University

The 24 of us with the help of a moderator spent the day discussing, ideating and debating various elements of security and society as we clawed our way through pressing issues and events both current and some focused on the future state.

What was interesting to me -- but not necessarily surprising -- was that the discussions almost invariably found their way back to the issue of privacy, almost to the exclusion of anything else.

I don't mean to suggest that privacy is not important -- far from it -- but I found that it became a blackhole into which much of the potential for innovation became gravitationally lured.   Security is, and likely always will be, at odds in a delicate (or not so) struggle with the need for privacy and it should certainly not take a back seat. 

However, given what we experienced, where privacy became the "yeah, but" that almost stunted discussions of innovation from starting, one might play devil's advocate (and I did) and ask how we balance the issues at hand.  It was interesting to poke and prod to hear people's reactions.

Given the workup of many of the attendees it's not hard to see why things trended in this direction, but I don't think we ever really got into the mode of discussing the solutions in lieu of being focused on the problems.

I certainly was responsible for some of that as Dan Briody, the event's official blogger, highlighted a phrase I used to apologize in advance for some of the more dour aspects of what I wanted to ground us all with when I said "I know this conversation is supposed to be about rainbows and unicorns, but the Internet is horribly, horribly broken."

My goal was to ensure we talked about the future whilst also being mindful of the past and present -- I didn't expect we'd get stuck there, however.  I was hopeful that we could get past the way things were/are in the morning and move to the way things could be in the afternoon, but it didn't really materialize.

There was a shining moment, as Dan wrote in the blog, that I found as the most interesting portion of the discussion, and it came from Andrew Mack.  Rather than paraphrase, I'm going to quote from Dan who summed it up perfectly:

Andrew Mack, the Director of the Human Security Report Project at the Simon Fraser University School for International Studies in Vancouver has a long list of data that supports the notion that, historically speaking, the planet is considerably more secure today than at any time. For example, the end of colonialism has created a more stable political environment. Likewise, the end of the Cold War has removed one of the largest sources of ideological tension and aggression from the global landscape. And globalization itself is building wealth in developing countries, increasing income per capita, and mitigating social unrest.

All in all, Mack reasons, we are in a good place. There have been sharp declines in political violence, global terrorism, and authoritarian states. Human nature is to worry. And as such, we often believe that the most dangerous times are the ones in which we live. Not true. Despite the many current and gathering threats to our near- and long-term security, we are in fact a safer, more secure global society.

I really wished we were able to spend more time exploring deeper these social issues in balance with the privacy and technology elements that dominated the discussion and actually unload the baggage to start thinking about novel ways of dealing with things 5 or 10 years out.

My feedback would be to split the sessions into two-day events.  Day one could be spent framing the problem sets and exploring the past and present.  This allows everyone to clearly define the problem space.  Day two would then focus on clearing the slate and mindmapping the opportunities for innovation and change to solve the challenges defined in day one.

In all, it was a great venue and I met some fantastic people and had great conversation.  I plan to continue to stay connected and work towards proposing and crafting solutions to some of the problems we discussed.

I hope I made a difference in a good way.

/Hoff

Don’t Start Flame Wars Via Blogs! [/dev/random] [Belgian Security Blognetwork]

Posted: 12 Jun 2008 01:50 PM CDT

Justice

A woman (blogger) was sentenced to three months suspended prison sentence and a fine of EUR 500! This happened in Arlon. Reason: neighborhood problems and they exchanged insults on a blog. Read the article (in French).

Department of Justice on breach notice [Emergent Chaos]

Posted: 12 Jun 2008 12:23 PM CDT

data-breaches-carding-justice.jpg There's an important new report out from the Department of Justice, "Data Breaches: What the Underground World of “Carding” Reveals." It's an analysis of several cases and the trends in carding and the markets which exist. I want to focus in on one area, which is recommendations around breach notification:
Several bills now before Congress include a national notification standard. In addition to merely requiring notice of a security breach to law enforcement,200 it is also helpful if such laws require victim companies to notify law enforcement prior to mandatory customer notification. This provides law enforcement with the opportunity to delay customer notification if there is an ongoing criminal investigation and such notification would impede the investigation. Finally, it is also helpful if such laws do not include thresholds for reporting to law enforcement even if certain thresholds – such as the number of customers affected or the likelihood of customer harm -- are contained within customer notification requirements. Such thresholds are often premised on the large expense of notifications for the victim entity, the fear of desensitizing customers to breaches, and causing undue alarm in circumstances where customers are unlikely to suffer harm. These reasons have little applicability in the law enforcement setting, however, where notification (to law enforcement) is inexpensive, does not result in reporting fatigue, and allows for criminal investigations even where particular customers were not apparently harmed. ("Data Breaches: What the Underground World of “Carding” Reveals," Kimberly Kiefer Peretti U.S. Department of Justice, Forthcoming in Volume 25 of the Santa Clara Computer and High Technology Journal, page 28.)
I think such reports should go not only to law enforcement, but to consumer protection agencies. Of course, this sets aside the question of "are these arguments meaningful," and potentially costs us an ally in the fight for more and better data, but I'm willing to take small steps forward.

Regardless, it's great to see that the Department of Justice is looking at this as something more than a flash in the pan. They see it as an opportunity to learn.

Interesting Information Security Bits for June 12th, 2008 [Infosec Ramblings]

Posted: 12 Jun 2008 10:35 AM CDT


Howdy folks.

We are going to try something a little new today.

As you have all probably realized, these posts have all been built from blogger sources to date. I am going to start expanding them to include things I see in the news and from other sources that have infosec applications. As we go forward, I am interested in knowing if you would prefer to have two separate posts or if you like the combined format.

As always, leave a comment with your opinion or email me kriggins _at_ infosecramblings.com. On with the show.

From the Blogosphere.

Jennifer Leggio has a post up on her new blog Feeds at ZDNET (congrats Jennifer) about privacy concerns with Company Groups on Linked. She points out some very real privacy and data leakage concerns for this type of automated grouping.

Richard Bejtlich has a good summary of the Verizon Business 2008 Data Breach Investigations Report which you should go ahead and read.

From the newsosphere.

Via Dark Reading, RSA is introducing a flexible card shaped authenticator.

Via SearchSecurity, The PCI council is launching an assessor quality assurance program. Kinda have to wonder why it has taken this long for something like this to happen.

The Register brings us an interesting article about fraudsters gaming the address verification system in use in the UK for charges.

From Comcast.net congressmen are saying that China is hacking their computers. Of course China is denying it.

Have a great day and remember, let me know which format you prefer, combined or separate.

Kevin

Technorati Tags: , , , , , , , , ,

Information Security in three steps [Kees Leune]

Posted: 12 Jun 2008 09:22 AM CDT

Shrdlu writes an interesting post on how to explain to non-security people what it means to be secure. Three basic rules:

  1. Have control over your systems.
  2. Check your security frequently.
  3. Educate all your people.

This is an excellent summary.

Information security is about ensuring trust in data and data processing. Trust is sometimes defined as "performing as previously expected", and in order to be able to keep or attain a certain level of "living up to expectation", control is absolutely required.

Rule 2 is a little harder; if security requires checking security, we might have a circular reference that needs to be bootstrapped.

Rule 3 is another good one; if trust is indeed "performing as expected", people need to know what they can expect (and cannot expect), but they also need to know what is expected of them.  I would probably rewrite these basic rules to

  1. Have control over data and systems
  2. Educate all users
  3. Independently assess the effectiveness of rule 1 and 2 regularly

EU bloggers under assault by the European Parliament - they need your help [StillSecure, After All These Years]

Posted: 12 Jun 2008 09:09 AM CDT

One of the nice things about having started the SBN was that I have gotten to meet (mostly virtually) many security bloggers from around the world.  Some of the most prolific contributors to the content of the SBN has been the members of the Belgian Security Bloggers Network.  I received word today from one of the authors of one of the blogs, belsec, that they are under assault by the EU government.  It seems in their wisdom, the European Parliament has decided that in the interests of "media pluralism", all blog owners should declare their ownership, affiliations and status of weblog authors.

The explanatory notes of the proposed regulation says this:

In this context the report points out that the undetermined and unindicated status of authors and publishers of weblogs causes uncertainties regarding impartiality, reliability, source protection, applicability of ethical codes and the assignment of liability in the event of lawsuits.
It recommends clarification of the legal status of different categories of weblog authors and publishers as well as disclosure of interests and voluntary labelling of weblogs.

As the belsec author points out, disclosure of their identities would effectively silence their voices.  There is no first amendment freedom of speech or freedom of press constitutional right in Europe. Of course if forced to do so, the Belgian authors could take up blogs based here in the US and escape the disclosure laws of the EU, but why should they have too.  The EU is a democratic, progressive entity.  Forcing these bloggers to make their "status and identity" public should not be mandatory here.

Blogs are todays pamphlets.  Basic freedom of expression, speech and press have been protected for hundreds of years. Forcing these bloggers to identify themselves is a violation of their rights.  What would Thomas Paine and others like him think of this restriction?

If you feel that this is an unfair and unjust restriction on bloggers rights, blog about it. It is our right and to do so and we should use the medium to do so.  If you are a EU citizen write to your representative and demand that this proposed regulation does not go into effect!

Do not take your right to blog lightly.  If you don't stand up for it, it can be taken away from you.

"The world is my country, all mankind are my brethren, and to do good is my religion." - Thomas Paine

Zemanta Pixie

This posting includes an audio/video/photo media file: Download Now

E-mail Disclosure? [/dev/random] [Belgian Security Blognetwork]

Posted: 12 Jun 2008 08:22 AM CDT

Belgium

One more time, a new round started today in Belgium between Flemish and Walloons… (I don’t want to start a new political debate here: I’m living in the “French” side of Belgium and working in the “Dutch” side without problems. I try to speak in Dutch and my colleagues understand me. What else?)

According to a French media, the city of Overijse encouraged people via a local publication to report any advertisement written in French or any other language (Overijse is a Dutch speaking city).

I’ll not comment this news but it seems that the reports can be posted online via a gmail.com e-mail address and this one was disclosed by several journalists.

Is it a good idea? If you check several readers comments below the article, they encouraged to flood the mailbox, subscribe the mailbox to a lot of distribution lists etc… Not very constructive!

PCI Compliance: Top Layer Networks Security Strategist Interview [Infosecurity.US]

Posted: 12 Jun 2008 07:54 AM CDT

Head over to TechnewsWorld for a succinct interview with Ken Pappas, VP of Marketing and a Security Strategist at TopLayer Networks. Good advice, but light on technical details, the interview provides a broad overview of Payment Card Industry compliance , intrusion detection, and network security at the executive level. The company was a [...]

France Will Filter Child Pornography [/dev/random] [Belgian Security Blognetwork]

Posted: 12 Jun 2008 06:51 AM CDT

Firewall

It’s almost done. To fight child pornography on the Internet, the French government has a project of law (article in French) to filter all websites giving access to child pornography. The list will be distributed to all French ISP’s and they will have to block access to those websites (on a technical point of view). How? Proxies? DNS blacklisting? Null routing? Who cares.

Of course, regulation must occur on the Internet. Prosecution is mandatory. There is absolutely no debate here but, after reading the article, I’ve some reflections about the way the French government would like to implement the filter:

1. First point is very basic but what about the price? A new technical solution has a cost. Will the extra cost affect the end-user invoice?

2. One more time, the Internet is pointed as “the Hell”. It’s just a new media, a way of distributing data. Child pornography exists (hélas) since ever.

3. It’s quite easy to bypass such filters: Users will use open proxies or encapsulate traffic into other protocols. Child pornography professionals will move their websites in a quicker way or find new ways to deliver the data. Result: it will be far more difficult to track them.

4. If they forget HTTP and use other protocols, will they also by blacklisted? No more P2P? What about Usenet? IRC?

5. French authorities will build and maintain the blacklist. The filter will restrict child pornography but in the (near) future? If on a technical point of view, everything will be ready at the ISP side, how to avoid derives to stronger censorship? (political, ethical, …)

6. A blacklist of websites will not protect our children! Risks will remain the same during a chat session or by walking down the street!

The most important is to protect our child against those criminals! Talk to them, explain them the risks, communication is a must! My 0.02€.

China hacking into US computers more realistic than China attacking Belgium! [WAVCI] [Belgian Security Blognetwork]

Posted: 12 Jun 2008 02:58 AM CDT

You could read the following on the net just a few hours ago: Multiple congressional computers have been hacked by people working from inside China, lawmakers said Wednesday, suggesting the Chinese were seeking lists of dissidents. You can find more at
http://news.yahoo.com/s/ap/20080611/ap_on_go_co/china_hacking
This attack is much more realistic as a targeted attack and has much more evidence if you compare this to what our government a month ago was saying. I blogged about it the 2nd of May at:
http://www.anti-malware.info/weblog/archive/2008_05_01_wavci_archive.html
I'm nearly 100% sure that the Belgian version was not orchestrated and that everything was just a coincidence of a lot of spammed malware to some of the governmental computers. I'm still not happy what some of the members from our government told the public at that moment.

Firefox 3 Release Date Announced [Infosecurity.US]

Posted: 12 Jun 2008 02:15 AM CDT

The Mozilla Foundation has announced the release date of the highly anticipated 3rd Version of the Open Source browser, Firefox, scheduled for worldwide availability on June 17, 2008. Analysis of the new version of the browser is very positive regarding security capabilities. Also, one of our favorite podcasts, SecurityBites details many of the new features.

Apple Security Update: QuickTime 7.5 Released [Infosecurity.US]

Posted: 12 Jun 2008 02:08 AM CDT

Apple (NASDAQ:AAPL) has announced the release of QuickTIme 7.6 to address multiple security issues, listed below (with MITRE CVE designators). This release is a multiple platform update, for MAC OSX, and Microsoft Windows. Due to space limitations, the description for individual CVEs have been omitted. The descriptions are available on MITRE CVE. [1] CVE-ID: CVE-2008-1581 Available for: Windows [...]

Passwords Are … [/dev/random] [Belgian Security Blognetwork]

Posted: 12 Jun 2008 01:20 AM CDT

passwords-are-like-pants

Thanks to Grawity.

No comments: