Spliced feed for Security Bloggers Network |
If Rohati is King Arthur, what does that make Stiennon ... [StillSecure, After All These Years] Posted: 14 Jun 2008 07:12 AM CDT Sir Lancelot or Guinevere? Hey don't laugh it could happen to you. In the meantime what has Richard so hot and bothered that he is ascribing mythical qualities to Rohati? It seems they are using a layer 4 to 7 firewall to control access to applications. They call it network based entitlement control. I wonder how they stack up to Palo Alto Networks and some of the other next gen application aware, access control firewall products. From what I understand Nevis Networks and ConSentry can do similar things with the firewalls in their secure switches. Nevertheless Rohati has gotten some good press, albeit with most coverage carping on the fact that they are founded by former Cisco employees (there are enough former Cisco employees to found many companies I would think). I do think that application aware access control is of tremendous value and this technology will find its way into many technologies. It is a logical extension of identity based access control. As usual though Richard can't resist taking a few cheap shots at NAC vendors. In Richard's idyllic view of Camelot, somehow performing pre-connect health or integrity tests is the devil's own work. Richard will just admit that these tests have value and people want them. They do not preclude doing the rest of the job of access control that Richard seems to approve of though. Alas, Richard and I have danced this dance before though and I am not going to get into the why it is important. In fact, here is a new tack for you Richard, it is not important. If you are not going to be convinced, forget about them. Look beyond admission control tests at what NAC vendors offer around access control and you may find similar type of technology to Rohati in the near future. 
Until then though Richard let me paraphrase Merlin from the movie Camelot "Never be too disturbed if you don't understand what a former analyst is thinking. They don't do it very often". | ||
Posted: 14 Jun 2008 12:26 AM CDT So my friend Mr Bump has a problem with my post on vendor frustrations with customers. For those who don't know Mr Bump, he writes about "NAC in the real world", originally about his deployment of Nevis Networks product. At first I thought Mr Bump was a pseudonym for Dom Wilde over at Nevis, but over time I actually like some of what Mr Bump writes and he contributes to the security blogosphere in a positive way. I just like to give him crap about his choice of NAC vendors, but it is all in good fun. Plus I actually like and respect Dom Wilde and that kind of unscrupulous behavior is not his thing. There is another NAC vendor who plays fast and loose like that though and I will be writing more about that this week, so stay tuned. | ||
Posted: 13 Jun 2008 10:39 PM CDT Interesting interview with the CEO of Trend, Eva Chen at PC World on the Barracuda patent infringement suit that Trend has brought. A couple of things are pretty clear reading Chen's responses to the questions: 1. This lawsuit is being fought as much in the court of public opinion as it is in the courts of law. For that Dean and the Barracuda crew deserve credit. They have done a good job of making this a Trend versus open source community suit. From Chen's answer it seems Trend was taken totally by surprise by Barracuda's aggressive PR and their ability to turn elements of the open source community against Trend. The pity for Trend is that Chen actually does make clear the difference between just Clam AV being a virus scanner and the way Barracuda uses Clam AV as part of the gateway. If they would stick to that and not about who makes money from it, they might be able to get the open source community to leave this one alone. 2. In Trend's view this is not about open source but about money. I think Chen shoots Trend in the foot with this argument. She seems to say that because Barracuda is a for profit company that is why they are suing them. If ClamAV was making money, they would sue them too is dangling metaphor there. Here is what Chen says, "But we were not suing ClamAV. Barracuda is a for-profit company. They are taking ClamAV, putting it on their gateway and making money out of it. It's not free software that we are suing, it's Barracuda." So it is all about the money then. If ClamAV was making money Trend would sue them too? 3. After already suing and winning against IBM, McAfee and most of all Fortinet, Trend is very confident that their patent is the real deal in a court of law. If the Xie brothers couldn't find anything to throw this out, they are not worried about the likes of Dean Drako. But as I said, while litigating this Trend is taking black eyes and body shots in the public opinion arena every day. 4. 
The last thing they want is to get Sourcefire involved in this suit. You can't tell me that at this stage of the game Chen would not know if they have cut a deal with Sourcefire or not, the owners of ClamAV. Yet she plays as if she never even heard of them and would have to ask her lawyers. I suspect this is because they think that Sourcefire has more open source "chops" than Barracuda and this would turn this thing into a PR disaster for Trend. It could be this same reason that played a part (I think is the big reason) in Barracuda bidding for Sourcefire. In any event it will be interesting to see how PR and public opinion play in the eventual outcome of this suit. | ||
Loving customers frustrate security firms too [StillSecure, After All These Years] Posted: 13 Jun 2008 07:45 PM CDT Roger Grimes has a good article up on his InfoWorld, Security Advisory blog entitled "Security firms frustrate loving customers". Roger details some specific examples of how security vendors just don't "show the love" to customers and prospective customers, with the result being lost business. Roger highlights three examples: | ||
PCI on Disaster Recovery and Backups [PCI Blog - Compliance Demystified] Posted: 13 Jun 2008 07:04 PM CDT Have you considered disaster recovery for your payment systems? Do you know the only thing that PCI DSS compliance requires you to backup? David Bergert writes about the basics of how to prepare your payment systems in the event of a disaster. But missing is the one critical element required for compliance. The phrase “disaster recovery” does not appear in the PCI DSS. The phrase “business continuity” only appears once in requirement 12.9.1 as, “[verify that the Incident Response Plan includes a] strategy for business continuity post compromise”. Instead of referencing disaster planning the PCI DSS references backups. There are a number of PCI DSS requirements relating to backups, such as:
What was that? The answer is that audit logs are the only thing companies must backup for PCI DSS compliance. Now, companies will want to continue business and as a result will backup all of their critical systems and corporate information, but this is outside the scope of PCI compliance which focuses on the security of payment card data. | ||
Personal Plug: I'm hiring [Security Retentive] Posted: 13 Jun 2008 06:50 PM CDT PayPal's information security team is hiring. Specifically - I'm hiring an Application Security Researcher. Primary responsibilities will be:
You can search for jobs with the keyword "security" under PayPal. Brassring makes posting a whole list of positions tricky. | ||
Storming SIP Security - now available just a click away [SIPVicious] Posted: 13 Jun 2008 05:56 PM CDT Time to release the hakin9 article to the public. This article was first released in the February edition of the English hakin9 magazine. Download now (takes you to EnableSecurity). Added: The listings can be found here. Thanks to Chris Gates for noticing that I forgot to include the listings. | ||
RECON 08 Day 1 [DVLabs: Blogs] Posted: 13 Jun 2008 05:42 PM CDT Posted by Pedram Amini RECON is a single-track reverse engineering focused conference held bi-yearly in Montreal. The 2008 showing is the third iteration of the conference with hopefully many more to come. RECON is hands down my favorite conference, a sentiment shared by many other RECON attendees. A number of factors elevate this con above others:
Pierre-Marc Bureau spoke about the history and reverse engineering of the Storm bot net. He covered some of the various protection mechanisms the bot agents employ. How they communicate. How they spread etc... Pierre will be releasing a tool for automatic extraction of daily hash search values, for those of you interested in potential network take-overs. This task has been undertaken by another team of researchers and is similar in nature to what Cody and I did with our Kraken analysis. The most interesting discovery that Pierre made in his research was that the Storm authors copied their rootkit technology directly out of Greg Hoglund and Jamie Butler's book and that the P2P functionality is not custom coded but rather utilizes the KadC library. Bruce Dang is a Microsoft SWI employee and spoke about the Microsoft Office document file format. He covered the file format specification, malicious file analysis techniques, exploitation methods and attack mitigations. He noted that a common shellcode technique for determining the current file handle is through a brute force loop calling GetFileSize() and comparing against a known file size. For a quick and dirty way to skip the vuln repro and execute the shellcode one can dump it to a file, open the file with notepad and force execution of the shellcode with a debugger. This will satisfy the file handle brute force loop. As an interesting attack mitigation, Bruce recommends running all documents through MOICE which will convert the binary file format into an XML doc. Granted, this assumes that MOICE doesn't have any bugs of its own. Ilfak Guilfanov is a name that almost anyone in the business has heard of before. Ilfak is of course the creator of the industry standard disassembly tool IDA Pro. David Ahmad made a funny and true comment that everyone loves Ilfak as both attackers and defenders, white hats and black hats all use IDA. Ilfak began with an overview of the IDA architecture and IDB file format. 
He then focused the remainder of his time discussing the construction of plugins. During the Q and A section of his talk he mentioned some of the upcoming features of the soon to be released version of IDA. The biggest improvements he mentioned are in the debugger component. The debugger is now more robust in the handling of multi-threaded targets, furthermore the debugger server is now multi-threaded itself allowing for multiple simultaneous debug client connections. Thomas Garnier spoke on Windows privilege escalation via LPC/ALPC. Most unfortunately I missed this talk. Sorry Thomas. Nicolas Pouvesle, the machine of a man that he is, silenced the crowd with a walkthrough of the creation of (the world's first?) remote Netware kernel stack overflow exploit. There were many hurdles to jump, but in the end he demonstrated a pair of fully functional exploits capable of popping a shell and creating an arbitrary super-user. Amazing work. Cameron closed out the day with an intro talk on reverse engineering MacOS binaries. Not a lot of focus has been placed on MacOS X vulnerability hunting but that will certainly be changing in a short time. Apple is far behind Microsoft as far as OS level security protections are concerned; couple that fact with the constantly increasing OS market share that Apple is grabbing and you'll start to see more and more researchers migrating to Apple security auditing. Cameron covered the various file formats, application bundle structures and basic OSX reversing tools necessary to get started. He also spoke on reverse engineering Objective-C compiled binaries which present a unique set of problems in comparison to other compiled binaries specifically in that functions aren't called, rather messages are passed and therefore cross-references are non-existent. Naturally, scripts to solve this hurdle were presented. A positive benefit of Objective-C compiled binaries is that symbols are all preserved. 
This is especially helpful when there are Mac/Windows released software, you can augment your Windows binary reversing by pulling the symbols from the Mac version. That rounds up the first day. There is a conference party tonight where a series of 5 minute lightning talks will be presented with of course the standard night time activities to follow. | ||
MindshaRE: Looping in Assembly [DVLabs: Blogs] Posted: 13 Jun 2008 05:33 PM CDT Posted by Cody Pierce MindshaRE is our weekly look at some simple reverse engineering tips and tricks. The goal is to keep things small and discuss everyday aspects of reversing. You can view previous entries here by going through our blog history. After the entry last week comparing source to disassembly I thought it might be a good idea to cover some basics. Often when learning how to read assembly it helps to take source code, compile it, and then look at it in your disassembler of choice to get an understanding of how a language looks in its final form. By doing this you can pick out common patterns in assembly quickly. So for today we are going to look at loops in assembly. In particular these are the 3 looping constructs available in C: for, while, and do while. For each one I will give a brief explanation and a comment about the loop being used. I have included the source, disassembly, and screenshot of the disassembly using the IDA graph view. I know a lot of people detest the IDA graph view, but for loops it is very handy and I use it religiously to quickly see code flow in loops. All of these examples have been compiled with the Microsoft compiler version 15.00.21022.08. No optimization or debug flags have been used. For the curious, try compiling your own with various optimization and debug flags. 
Source: for_loop.c

    printf("I am executing loop\n");
    for (i=0; i<256; i++) {
        printf("I am executing %d\n", i);
    }
    printf("I am done executing loop\n");

Binary: for_loop.exe

    00401018 mov [ebp+var_4], 0
    0040101F jmp short loc_40102A
    00401021 mov eax, [ebp+var_4]
    00401024 add eax, 1
    00401027 mov [ebp+var_4], eax
    0040102A cmp [ebp+var_4], 100h
    00401031 jge short loc_401046
    00401033 mov ecx, [ebp+var_4]
    00401036 push ecx
    00401037 push offset aIAmExecutingD ; "I am executing %d\n"
    0040103C call printf
    00401041 add esp, 8
    00401044 jmp short loc_401021
    00401046 push offset aIAmDoneExecuti ; "I am done executing loop\n"
    0040104B call printf

Screenshot: for_loop.jpg

Anyone familiar with programming has surely written a few thousand for loops. Our telltale sign is the initialization of the counter variable used in the for loop before the actual loop test. In our case we are setting a local variable "i" to 0. This can be seen at .text:00401018. Looking at the graph view allows us to quickly see our comparison to 256 and the branch to either continue execution or terminate. It also allows us to see the "add eax, 1" (AKA i++) before our next iteration of the loop.

Source: while_loop.c

    printf("I am executing loop\n");
    while (i < 256) {
        printf("I am executing %d\n", i);
        i++;
    }
    printf("I am done executing loop\n");

Binary: while_loop.exe

    00401018 cmp [ebp+var_4], 100h
    0040101F jge short loc_40103D
    00401021 mov eax, [ebp+var_4]
    00401024 push eax
    00401025 push offset aIAmExecutingD ; "I am executing %d\n"
    0040102A call printf
    0040102F add esp, 8
    00401032 mov ecx, [ebp+var_4]
    00401035 add ecx, 1
    00401038 mov [ebp+var_4], ecx
    0040103B jmp short loc_401018
    0040103D push offset aIAmDoneExecuti ; "I am done executing loop\n"
    00401042 call printf

Screenshot: while_loop.jpg

The while loop is a much simpler loop to look at because it does not have the intrinsic ability to initialize data being tested. In our case we are again checking to make sure our counter "i" is less than 256. As previously mentioned, in a while loop we do not see the initialization of the counter before the loop begins because it is up to the programmer to prepare any tests being measured in the loop. As you can see in the graph view we also have fewer basic blocks. This is because the compiler is not incrementing our counter for us. Instead it is compiling our code into a single basic block. An astute reader will notice that by using a while loop we save a branch instruction.

Source: do_while_loop.c

    printf("I am executing loop\n");
    do {
        printf("I am executing %d\n", i);
        i++;
    } while (i < 256);
    printf("I am done executing loop\n");

Binary: do_while_loop.exe

    00401018 mov eax, [ebp+var_4]
    0040101B push eax
    0040101C push offset aIAmExecutingD ; "I am executing %d\n"
    00401021 call printf
    00401026 add esp, 8
    00401029 mov ecx, [ebp+var_4]
    0040102C add ecx, 1
    0040102F mov [ebp+var_4], ecx
    00401032 cmp [ebp+var_4], 100h
    00401039 jl short loc_401018
    0040103B push offset aIAmDoneExecuti ; "I am done executing loop\n"
    00401040 call printf

Screenshot: do_while_loop.jpg

The do while loop is obviously similar to the while loop, except for one very important distinction: the lack of a check at the top of the loop. This means we will always execute code at least once, then check for our condition. Once again going to the graph view shows us the loop is happening in a single basic block. Our code is executed, our counter is incremented, and then our check against 256 happens. Again those paying attention to potential optimization will notice the do while in this case only has a single branch instruction.

I hope this has been a handy example of loops in assembly. Obviously in the real world looping in general is much more complex. However, they all share the same test and branch logic as these examples. Try and spot some loops in other binaries you may have. Maybe in future weeks we can revisit this and see how other language features compile into assembly. | ||
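The three loop shapes described in the MindshaRE post above can be recognized mechanically from the position of the compare and the direction of the jumps. The following is an added example, not code from the original post or from DVLabs: the names `parse`, `cmp_immediate` and `find_loops` are this example's own, and the heuristics assume the unoptimized layouts shown in the post's listings (optimizing compilers often emit other shapes).

```python
import re
from collections import namedtuple

Insn = namedtuple("Insn", "addr mnem ops target")

# The three listings from the post (unoptimized Microsoft compiler output).
FOR_LOOP = r"""
00401018 mov [ebp+var_4], 0
0040101F jmp short loc_40102A
00401021 mov eax, [ebp+var_4]
00401024 add eax, 1
00401027 mov [ebp+var_4], eax
0040102A cmp [ebp+var_4], 100h
00401031 jge short loc_401046
00401033 mov ecx, [ebp+var_4]
00401036 push ecx
00401037 push offset aIAmExecutingD ; "I am executing %d\n"
0040103C call printf
00401041 add esp, 8
00401044 jmp short loc_401021
00401046 push offset aIAmDoneExecuti
"""
WHILE_LOOP = r"""
00401018 cmp [ebp+var_4], 100h
0040101F jge short loc_40103D
00401021 mov eax, [ebp+var_4]
00401024 push eax
00401025 push offset aIAmExecutingD
0040102A call printf
0040102F add esp, 8
00401032 mov ecx, [ebp+var_4]
00401035 add ecx, 1
00401038 mov [ebp+var_4], ecx
0040103B jmp short loc_401018
0040103D push offset aIAmDoneExecuti
"""
DO_WHILE_LOOP = r"""
00401018 mov eax, [ebp+var_4]
0040101B push eax
0040101C push offset aIAmExecutingD
00401021 call printf
00401026 add esp, 8
00401029 mov ecx, [ebp+var_4]
0040102C add ecx, 1
0040102F mov [ebp+var_4], ecx
00401032 cmp [ebp+var_4], 100h
00401039 jl short loc_401018
0040103B push offset aIAmDoneExecuti
"""

def parse(listing):
    """Parse 'ADDR MNEMONIC OPERANDS ; comment' lines into Insn tuples."""
    insns = []
    for line in listing.strip().splitlines():
        code = line.split(";", 1)[0].split(None, 2)
        if len(code) < 2:
            continue
        mnem = code[1].lower()
        ops = code[2].strip() if len(code) > 2 else ""
        # Only jumps carry a branch target; IDA names it loc_<hex address>.
        m = re.search(r"loc_([0-9A-Fa-f]+)", ops) if mnem.startswith("j") else None
        insns.append(Insn(int(code[0], 16), mnem, ops, int(m.group(1), 16) if m else None))
    return insns

def cmp_immediate(ops):
    """Constant compared against, in IDA notation (100h) or decimal; else None."""
    m = re.fullmatch(r"([0-9][0-9A-Fa-f]*)h|(\d+)", ops.rsplit(",", 1)[-1].strip())
    if not m:
        return None          # register or memory operand: bound is not a constant
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))

def find_loops(listing):
    """Return (kind, back-edge target, compared constant) for each backward jump."""
    insns = parse(listing)
    loops = []
    for back in insns:
        if back.target is None or back.target > back.addr:
            continue         # forward jump or non-jump: not a back edge
        span = [i for i in insns if back.target <= i.addr <= back.addr]
        test = next((i for i in span if i.mnem == "cmp"), None)
        if back.mnem != "jmp":
            kind = "do-while"    # conditional back edge: test sits at the bottom
        elif span[0].mnem == "cmp":
            kind = "while"       # unconditional back edge straight to the test
        elif test and any(i.mnem == "jmp" and i.addr < back.target
                          and i.target == test.addr for i in insns):
            kind = "for"         # entry jmp skips the increment block to reach the test
        else:
            kind = "unknown"
        loops.append((kind, back.target, cmp_immediate(test.ops) if test else None))
    return loops

if __name__ == "__main__":
    for name, text in [("for", FOR_LOOP), ("while", WHILE_LOOP), ("do while", DO_WHILE_LOOP)]:
        for kind, head, bound in find_loops(text):
            print(f"{name}_loop: {kind} loop, back edge to {head:#x}, compared with {bound}")
```

The recovered constant (256 in all three listings) is the value a reviewer would check against the size of whatever the loop body indexes.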
Podcast Episode Six [Random Thoughts from Joel's World] Posted: 13 Jun 2008 04:04 PM CDT As always, for your enjoyment, we have published Podcast Episode Six of the Internet Storm Center Podcast. I'd like to thank all the viewers that were live on the show while broadcasting, it was great having you, maybe next time we'll be able to get more? We again, had Larry Pesce of PaulDotCom Security Weekly. Go grab it through iTunes. As I said in my after-show notes, subscribe to PaulDotCom and our show through iTunes, that way together, we can become more powerful than you can possibly imagine. | ||
Why we chose small business [untangling the future...] Posted: 13 Jun 2008 03:58 PM CDT I recently enjoyed reading SpiceWorks’ recent blog on why they chose to target the small business market. They clearly understand the S in SMBs and their buying behavior, which is crucial if you’re planning on attacking the small business market. I thought I’d follow up with a similar post explaining why Untangle targets small business. Small business, on the other hand, was far behind on the adoption curves of most solutions. The problem was that most solutions available don’t fit the requirements for SMB. Small businesses are too big to borrow consumer solutions yet much too small to afford the enterprise solutions. Why weren’t small businesses who suffer the same pain as their larger enterprise counterparts adopting these solutions? In a word - ‘friction.’ There is simply too much friction associated with the adoption of these solutions. Friction of adoption comes in many forms, usually high cost, high complexity, or large time requirements. If you look across the board at IT solutions (Anti-Virus, Spam Filtering, Email Server, Backup, VOIP, Firewall, Web Filtering, etc etc) you’ll notice that small business’s adoption is inversely related to the friction associated with adopting the solution. They simply don’t buy expensive or difficult solutions, and this usually leaves them out in the cold. They don’t have the money that enterprise does so they can’t adopt those solutions. They don’t have IT staffs and they can’t take the time away from their business to learn and deploy complex solutions so they can’t adopt the multitude of open source solutions available. Untangle was born because here was a large segment with acute IT pain that stood to benefit greatly from an IT platform designed to frictionlessly deliver them IT services and solutions. 
The platform delivers these solutions in an easy and free manner and opens the flood gates such that small businesses can finally adopt all the technologies they need. Untangle stands to benefit from the wide distribution of our platform by leveraging that channel to deliver future IT services and solution, but our first goal is to solve small business’s problems in order to get that massive distribution. | ||
GRC - Love it or hate it [Andy, ITGuy] Posted: 13 Jun 2008 02:43 PM CDT Last week I received an email from a marketing firm wanting to know if I'd like to talk to Symantec about IT GRC and an upcoming announcement that they were going to be making. Usually I ignore these emails because my blog is NOT an advertisement for vendors. It's my place to voice my thoughts, good or bad, on technology and security. I try to stay as focused as possible and not get off on tangents regarding politics, religion, personal life, food, or anything else. That includes free advertising for vendors. Plus, I usually am not that interested in talking to marketing people about their product. If I want information on a product I want to talk to the engineers that designed it and support it. Not the marketers and sales guys. Anyway, since I do have an interest in GRC and like the concept of it I decided to take the bait and have a conversation with them. So we scheduled a time and spent about an hour talking about what Symantec is doing in the GRC space. Of course they have a product that helps manage and maintain your program and that was the gist behind the conversation. They let me in on the announcement that they were making on Wednesday of this week and we had a good conversation. Then they invited me to sit in on a conference call on Wednesday this week where they were having a round table discussion about their offering and getting ready to make their big announcement as part of their Vision Conference. I wasn't sure if I'd get to because of the audit that we were having but I did find time to join in on the call. In preparation for the call they sent me an advance copy of the announcement and a report on IT GRC. I tried to be a good blogger and read the report before the call but just didn't get the time to do more than skim it quickly. It looked interesting and like it had some good information in it, but I just didn't get the time to really read it. 
Then the time for the call came and I dialed in, pen in hand (my new Cross fountain pen that I LOVE to write with) ready to take notes and hear some good stuff regarding GRC. Of course you know that didn't happen. I was tired from lack of sleep and 2 1/2 days of audit and my mind wandered. I kept trying to bring it back and just as I'd get focused someone would talk who wasn't close enough to the mic and I couldn't hear them very well and I'd fade again. After about 45 minutes I gave in and hung up. Today I see that Neil Roiter over at Search Security has a write up on the report and the Symantec Round table. You can check it out if you have any interest in what the report or Symantec has to say regarding this. There are a couple of things that I want to point out myself. It seems that the report seems to validate many of my thoughts regarding IT GRC. Mainly that it isn't about technology but about process. The longer I work in IT and especially dealing with security and compliance the more I appreciate how effective good processes can be in your program. Here are the things in the Search Security write up that I really like. My comments are in blue.
| ||
Verizon Data Breach Report: IT Admins Biggest Culprits [Infosecurity.US] Posted: 13 Jun 2008 01:57 PM CDT Wired’s ThreatLevel blog writer Kim Zetter announces and analyzes a newly released Verizon (NYSE: VZ) Business Risk Team report detailing 4 years of security and data breach incidents. Surprise, surprise, IT Administrators, based on the report's findings, are shown to be the single largest group of perpetrators of breach related activities. Report links will download the [...] | ||
Posted: 13 Jun 2008 01:33 PM CDT Securify (founded in 1998 by former Netscape chief scientist Taher Elgamal, Ph.D., now CTO at Tumbleweed Communications) information security researchers John Guzik and Alex Matthews discovered a vulnerability resident in the Microsoft (Nasdaq: MSFT) ActiveDirectory infrastructure LDAP variant in late December 2007. The patch for the vulnerability was made available to [...] | ||
Posted: 13 Jun 2008 12:39 PM CDT One of my favorite responsibilities at StillSecure is business/corporate development. The biz dev role is something I have done for a long time for several companies. Having a decent grasp of technology, insight into business and my legal training have helped me to conclude many successful business deals over the many years I have been at it. Over the years I have also had the opportunity to work with many good people on both sides of the table, as well as the chance to help train many good people. Some of the things I have tried to teach others and that I myself try to remember in negotiating business terms are: 1. Win-win - I know it is such a cliche, but it is also still true. I have seen so many people from attorneys, to entrepreneurs to other biz dev people try to "beat" the other guy. You may put one over on the other side and get favorable terms in your agreement, but ultimately if it doesn't work for the other side, all of the agreements in the world won't make it work for you. The most successful deals I have been involved in have been ones where both sides feel that they are getting real value out of the deal. 2. Don't think you are smarter than the other guy - How many times have I seen this vain attitude ruin deals. Everybody sitting at the table puts their pants on one leg at a time. Don't think that you are so superior or more intelligent than the other side. They usually are perfectly capable of seeing exactly what you are really driving at and trying to outsmart them again will wind up with a lose-lose. 3. It's not the battle, but the war that counts - One of the things I disliked most about practicing law was dealing with other lawyers. Every single point of every single agreement could become a knock down, throw down battle to the death, as each side tried to show that they were the better attorney on each point. It's not about winning any given point, it's about getting the deal done. 
Unless a particular point is truly a showstopper, you have to remember the big picture of what you are trying to accomplish. Too many times I have dealt with people who seemed to keep a running tally of how many points they got their way versus how many times they gave in. Is the deal in total a good deal, accomplishing your goals the real scoreboard. 4. Theory is fine, but go for the meat and potatoes - I have seen so many deals drag out because a particular point is taken to a theoretically possible, but highly unlikely scenario. Good legal drafting practice says you should try to plan for every eventuality. But because a corner case of a corner case is remotely possible, don't throw away a great opportunity. Try to draft around that remote possibility. 5. Put as much effort into the success of the relationship as you do in negotiating the contract. I have been involved in some deals that by the time the agreement is agreed to, one party or the other is spent and just seems to lose the momentum to carry the relationship beyond the contract. The contract is the beginning of the business relationship, not the end. 6. Put yourself in the other guy's shoes - Empathize with what your colleague is thinking and feeling. Understanding their needs, motivations and state-of-mind can help understand what it will take to reach an agreement. Of course every deal is different, but remembering these rules will serve you well every time. | ||
EU decides to keep ineffective agency around to watch pwnage [Security Karma] Posted: 13 Jun 2008 12:37 PM CDT From the "We Gotta Look Like We're Doing Something" Desk. The EU is keeping ENISA around for another three years to keep an eye on the networks in Europe and to answer questions as entire countries are crippled (Estonia where you at?) by DDOS attacks and hacking, pirating, phishing, etc. go on unfettered. What we can expect from ENISA is more great quotes like "The need for secure networks, systems and services will certainly not suddenly disappear in 2012," from Andrea Pirotti the Executive Director of ENISA. Well said sir, well said. I feel safer already... until 2012 that is. | ||
Interesting Information Security Bits for June 13th, 2008 [Infosec Ramblings] Posted: 13 Jun 2008 10:31 AM CDT Good morning all. Here are today’s bits. From the Blogosphere. Adam shares with us that the Department of Justice has released a new report “Data Breaches: What the Underground World of "Carding" Reveals.” Jeff Jones brings to our attention a new installation option available in Windows Server 2008, Server Core. Based on his first analysis, this type of install significantly reduces the vulnerability footprint of Windows Server. He will be providing further guidance. Very interesting stuff. Shrdlu gives us Information Security in 60 Seconds. Succinct and to the point. The Guerilla CISO has some observations on security services as commodities and the implications of such how those services are provided. Something to think about. Paterva has released a community version of Maltego v2. I found out via CarnalOwnage. From the Newsosphere. From The Register, looks like the XSS monster has raised its ugly head at McAfee, Symantec and VeriSign. Original article at XSSed. Informationweek informs us that a network engineer in San Diego has been sentenced to more than five years in prison. Another reminder about the insider attack. CIO brings us a discussion about whether or not virtualization can improve security or not. Via Dark Reading, PGP has added pre-boot authentication to their full-disk encryption solution. The Register tells us that there is a security flaw in a popular piece of software used to manage SCADA systems. Not good. That’s it for today. Have a great Friday. Kevin | ||
British hacker faces extradition hearing [Vincent Arnold] Posted: 13 Jun 2008 10:21 AM CDT By Jeremy Kirk, IDG News Service Gary McKinnon could become the first British hacker extradited to the U.S. for allegedly deleting data and accessing information on U.S. military and NASA computers A British hacker fighting extradition to the U.S. on computer hacking charges is preparing for his final U.K. appeal on Monday in London. If Gary McKinnon loses this appeal, he would be the first British hacker extradited to the U.S. He could face up to 60 years in prison. McKinnon, of London, is accused of deleting data and illegally accessing information on 97 U.S. military and NASA computers between February 2001 and March 2002. He’s been charged in U.S. District Court for the Eastern District of Virginia. McKinnon admitted to using a program called “RemotelyAnywhere” to hack into PCs late at night when employees were gone. His hacking exploits started to unravel after McKinnon miscalculated the time difference between the U.S. and U.K., and one employee noticed their PC was acting oddly. | ||
Thinking About “Unconferences” [RSA Conference - Blog] Posted: 13 Jun 2008 07:15 AM CDT | ||
Posted: 13 Jun 2008 06:38 AM CDT Facilitating training processes is something I truly enjoy. Particularly when I can enter a class where the energy level is low, and the participants expect to be handed tasks to work with. When you enter the room, you feel their lack of motivation. And no motivation usually means a tough day for both participants and the trainer. And if you want people to learn new skills, and hopefully to change their attitude towards the subject, you need them to be motivated. This is particularly true when training security and user awareness. People act as if the topic is as interesting as a piece of dead wood. Believe you me – I do not want to be that piece of wood! Thus, one of my main focuses during a training is to build, and keep, the energy level high. This can be done by using group exercises, open discussions and by sharing of your own craziness (and boy, can I be crazy!) I build an environment where it is safe to ask questions and to wonder. A group where they support and help each other – even when I am no longer there. Because only when the motivation and fun is present, can we focus on knowledge transferal. Where the participants get their learning experience. Where the actual message is conveyed, understood and put into use.
So now you know my secret to giving successful trainings! | ||
Posted: 12 Jun 2008 06:00 PM CDT I’m back. OK, almost. Today I spent two hours reading lots of accumulated RSS news, blog postings and others. I was glad to see that nothing very exciting happened during the last weeks, when I was moving to Toronto and wasn’t able to follow the news and post on the blog. Now my life is slowly getting into something we may call “routine”, so I think it’s time to resume the activities of this blog. First, it seems that there is some good stuff from Mogull and Schneier. I’ll read their posts as soon as possible to see if there is something I can add. Today I went to Infosecurity Toronto. I was impressed by how small the exhibition was. Someone told me that the owners of the event did something weird on the marketing side, starting the negotiation of space and sponsorships too late. However, it was good to go there and take a quick look into the local security market. As always, conferences are those places where there are lots of vendors and not a single customer. I’m still looking for a job here. I’m having some good conversations with some pretty interesting companies, and I hope to be employed by the end of this month. One interesting thing to mention here is that during my last week in Brazil I was hacked. Yes. I’m not ashamed to say that, especially because I’m aware that security professionals draw more attention from potential attackers. What happened was that I made two mistakes related to my personal password management “policy”. I was using the same password for services supposed to be low-risk to me. The first mistake was to consider 3 services that have higher risk implied as “low risk” (actually, I couldn’t even remember I was using that pwd on them - it was something very automatic for me) and the second was to use that password on a very targeted and potentially insecure service.
There is a small group of self-called “hackers” in Brazil that are trying to cause problems for the key names of Information Security of the country. Unfortunately, I am on that list. As I was caught in the middle of my relocation I was unable to follow a lot of incident response procedures I would like to, but I’m also aware that some of the others that are being targeted by this group are doing that. I won’t even talk too much about it as it seems that what they are really looking for is that people talk about them. This, however, is interesting as a reminder for me that as a security professional I need to be a little more paranoid about security on my personal stuff. That’s all for now. I hope to be able to find more interesting stuff to write about again. I’m keeping my personal “in Portuguese” blog updated with my impressions about my new city, but this one needs some special care too. I’ll try harder. | ||
Peach 2.1 BETA3 Released [Security-Protocols] Posted: 12 Jun 2008 05:40 PM CDT | ||
The Daily Incite - June 12, 2008 [Security Incite Rants] Posted: 12 Jun 2008 11:38 AM CDT June 12, 2008 - Volume 3, #56 Good Morning:
Top Security News You know you are a redneck security professional when...
Top Blog Postings That's what we do is a bad answer |