Spliced feed for Security Bloggers Network |
| Crazed Bovine Traversal [Room362.com] Posted: 17 Jun 2008 08:17 AM CDT So I was at a ‘talk’ recently where the topic was geared toward technically inclined, but the whole talk was geared toward managers and low level IT bubbas, if you will. But as I sat there stabbing myself in the eye with my pencil (hence the mad cow reference) I can up with some hair brained ideas. Now, some of these ideas might already be out there or thought of, and I haven’t googled any of them, just wanted to write them down somewhere for people to comment on. 1. Ringtone viruses: Now this was by no means an idea that I had but it was mentioned during the talk and I was intrigued how it worked or if the presenter just pulled it out of thin air. The reason I bring it up, other than for someone to explain it to me, but for reference later. 2. iPhone SDK based GPS hacking: So here is an idea, with the new craze that the new cheaper iPhone is going to create, what is stopping the mal-ware writers from writing an cool app that you can download, and now since you are connected to “MobileMe” it sends all of you email, contacts, files, and calendars to a new source. Plus now that it syncs everywhere, you think you are syncing with the “cool” apps servers and what they are doing a completely new form of spyware. They have a gps location on you, read your email, and have all of your corporate documents that you sync to iDisk. Talk about a Social Engineer/Phishers dream. 3. Contact Phishing: To keep going down the route we are already on, how often do you check to make sure that the phone number you have for “bank” is the correct number in your contacts list? What if someone using one of the previously mentioned avenues of attack, changed that number to another number and set up a Phishing 1800 line? Now, instead of having a browser to tell you that you are on the wrong server, you have to trust..... ? Exactly. So to completely derail this post off the Mobile Hacking topic. I am looking for a good reference on Unix/FreeBSD crypto. I have a friend that is completely convinced that even if someone has your /etc/shadow file, that you are not in any danger. Help me out guys, a link, and explanation, anything would work.
|
| Presentations: Why less is more [Security4all] [Belgian Security Blognetwork] Posted: 17 Jun 2008 08:11 AM CDT Simplicity means the achievements of maximum effects with minimum needs. Keep your slide design to a text-light but visual strong version. Even pausing with a blank screen as Steve does in the... |
| The OCC and Application Security: Vindication at Last [BlogInfoSec.com] Posted: 17 Jun 2008 06:00 AM CDT On May 8, 2008, the OCC (Office of the Comptroller of the Currency, part of the U.S. Department of the Treasury) issued Bulletin 2008-16, which you can find here. As the OCC states, there have been prior mentions of application security by the FFIEC (of which OCC is a member), NIST and others. However, this is the first guidance, as far as I am aware, issued by a U.S. government regulator, which is specific to application security and is prescriptive to a relatively fine level of detail. Yes, the PCI DSS (Payment Card Industry Data Security Standard), issued and enforced by Visa, Mastercard, American Express, and others, emphasizes measures to achieve higher levels of application security, but these organizations are not government agencies and, although highly influential, do not carry the weight of the government. Now back to the OCC Bulletin … It is gratifying to see that the OCC has acquired such a high level of knowledge and expertise in this space, as demonstrated by the content of Bulletin. For example, the OCC includes an Appendix containing the ten top vulnerabilities as posted by OWASP (Open Web Application Security Project). As an aside, I have very high regard for OWASP, and have had some involvement with the organization. I have participated in meetings of the New York/New Jersey Chapter and am scheduled to be on a panel at their World Conference in New York on September 22-25, 2008. OWASP is essentially an all volunteer international organization that issues really great material for the practicing application security professional. The OCC focuses on software which supports a bank's products and services and which is developed internally or outsourced to a third-party developer subject to a defined contractual arrangement, as well as on COTS (commercial off-the-shelf) banking applications, with particular emphasis on Web-based applications. It explicitly excludes "operating systems, generic office products, and other nonbanking software …" The OCC guidance recognizes the importance of reducing risks related to the security triad: confidentiality, availability and integrity. They say that the risk assessment should include the following key factors:
The guidance goes on to suggest the following be part of a risk assessment:
This is all good stuff. It's what many of us have been touting for years, but we have often been subjected to a whole lot of pushback. Now that a regulator is promoting these principles for achieving greater application security, it will be an easier sell to management, particularly in financial services. But even if you are in a different industry, many of the same factors and measures apply. Why not circulate the OCC Bulletin to your management as examples of practices that everyone should be following? Copyright © 2008 BlogInfoSec.com. This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright()bloginfosec.com. Thank you! Again, please contact copyright@bloginfosec.com so we can take legal action immediately. |
| Very decent Security Podcast.. [extern blog SensePost;] Posted: 17 Jun 2008 05:54 AM CDT I am probably one of the last ppl around to discover this, but ill post it here for the (probably) 2 other ppl in the world who have yet to stumble upon: Risky Business. Its pretty hard to find good quality security podcasts without some pretty sad signal to noise ratios (or adverts on spinwrite) but risky business is def. a keeper.. i downloaded a few older episodes to help me through a long drive this weekend, and was very pleasantly surprised.. if u have not yet added it to your podcatcher.. u probably will.. |
| rethinking ye old truths [extern blog SensePost;] Posted: 17 Jun 2008 05:49 AM CDT since forever, i've been told (and told others) that the greatest threat is from the inside. turns out, not so much. verizon business (usa) apparently conducted a four year study on incidents inside their organisation and found that the vast majority, 73%, originated from outside. however, the majority of breaches occurred as a result of errors in internal behaviour such as misconfigs, missing patches etc. (62% of cases). So attackers are generally outsiders taking advantage of bad internal behaviours, rather than local users finding 0-day. From the exec summary: In a finding that may be surprising to some, most data breaches investigated were caused by external sources. Breaches attributed to insiders, though fewer in number, were much larger than those caused by outsiders when they did occur. As a reminder of risks inherent to the extended enterprise, business partners were behind well over a third of breaches, a number that rose five-fold over the time period of the study Other interesting snippets that tie directly back into what we cover when we train, and why we think there is value in not only aiming at sploit-writing and 0-day:Most breaches resulted from a combination of events rather than a single action. Intrusion attempts targeted the application layer more than the operating system and less than a quarter of attacks exploited vulnerabilities. In other words, bite-sized chunks for the win, core/canvas/metasploit are cute but that's not how customers get owned most often in the real world.Link to the report, link to summary. |
| Scott Richter Settles Another Spam Suit [Richi Jennings] Posted: 17 Jun 2008 05:18 AM CDT  Oh looky, it's our "friends" Steve and Scott Richter in the news again. This time, they've settled with MySpace for $6 million after being accused of spamming thousands of MySpace.com users -- and using phished accounts to do it (see today's IT Blogwatch for more).Of course, Scott gave up spamming some time ago. Or did he? Brian Krebs today offers an interesting investigation into domain registrations of spamvertised Web sites: More than three quarters of all Web sites advertised through spam are clustered at just 10 domain name registrars ... Out of the 15,000 spam-advertised domains we examined, nearly half -- 7,142 names -- were registered through a Broomfield, Colo. company called Dynamic Dolphin ... the seventh most-popular registrar among spammers ... [and] owned by a company called CPA Empire, which in turn is owned by Media Breakaway LLC. The CEO of Media Breakaway is none other than Scott Richter, the once self-avowed "Spam King" who claims to have quit the business. Anti-spam groups also have recently implicated Media Breakaway in the alleged hijacking of more than 65,000 Internet addresses for use in sending e-mail and hosting commercial Web sites.Remember kids, Rule #1: Spammers lie. |
| Sicurezza Fisica e Logica [varie // eventuali // sicurezza informatica] Posted: 17 Jun 2008 05:00 AM CDT Un esempio di convergenza fra sicurezza logica e fisica: WashingtonPost : Cyber Incident Blamed for Nuclear Power Plant Shutdown A nuclear power plant in Georgia was recently forced into an emergency Una centrale nucleare in Georgia é stata forzatamente chiusa per 48ore dopo che un update software é stato installato su un singolo PC. L'esempio che generalmente faccio io é che se mi fragano il portafogli sfilandomelo dalla tasca o le credenziali del conto in banca via phishing, poco cambia. Questo della centrale nucleare é un'altro bell'esempio. |
| Ladies and Gentlemen please welcome.. [SIPVicious] Posted: 17 Jun 2008 03:16 AM CDT EnableSecurity! I will be publishing my security research and rants as well as providing Security Consultancy, Research and Design. A brief "who am I" can be seen at the Linkedin Profile page, while Google has further details. So what sort of things am I doing?
And one more thing - I suggest that you subscribe to the RSS as I shall be releasing some research later on this week. |
| German ID card won't include fingerprints [Security4all] [Belgian Security Blognetwork] Posted: 16 Jun 2008 08:27 PM CDT Remember when the Chaos Computer Club protested against biometric data on their upcoming ID cards? This measure was widely criticized and the CCC published the fingerprint of the Minister of Interior... |
| The used car salesmen of NAC and the BNBB [StillSecure, After All These Years] Posted: 16 Jun 2008 08:20 PM CDT
In the world of NAC though we have no such protections built in it seems. It is very much "caveat emptor" - buyer beware. NAC companies can pretty much say what they want, claim what they will. How is a prospective customer supposed to know the truth? Some say you can check references, but even then much like someone applying for a job, do they ever give a reference who is not going say something nice about them? The easy answer of course is try it for yourself. There is no substitute for actually kicking the tires. Here is another idea I was thinking about, I call it the Better NAC Business Bureau (BNBB). Its mission is to shine a spotlight on some of the dark alleys and rat holes that some NAC vendors do business in. The same way the used car salesmen of the world have been rehabilitated, lets do the same with NAC marketing!
Well we can look at a little history. For instance which of these two NAC companies claimed they did not use Nessus in their NAC product and than it turned out they did. What company took the infamous TCP reset and tried to peddle it as a "virtual firewall". Of course there was the time they took out Google ad words on my name. Yes my friends, it seems that playing fast and loose with marketing claims has earned this company a bit of a used car salesman reputation. But like gas mileage, past performance is not controlling and your performance may vary. So lets give this company the benefit of the doubt. Maybe in their burning desire to show reference customers they were a little to quick to pull the trigger here. Lets give them a chance to go back and check with their sources and see if they have the facts the straight. If they find out that perhaps they were mistaken about this customer using their product for NAC for over 20,000 users at LVHHC, lets give them a chance to retract or correct the press release and case study. At that the BNBB would close this file without any prejudice. Case closed, the BNBB does its job again. What do you think would be a reasonable time to do this? Two weeks? Three weeks? I'll tell you what, the BNBB is founded on fairness. Lets give them a month. If after a month though they have not updated the case study and press release we will have a podcast here and we will delve into this further. We are going to find out what the NAC solution there is. Of course Forescout is invited to participate in the podcast and can even bring their own guests if they like. But at the end of the day, there is only one solution being used for NAC at LVHHC and we all are going to find out what that is. That hospital ain't big enough for the both of us! If you would like to be involved in this podcast or the BNBB drop me a line at podcast@stillsecure.com This posting includes an audio/video/photo media file: Download Now |
| Social networking within large enterprises [Security4all] [Belgian Security Blognetwork] Posted: 16 Jun 2008 07:23 PM CDT The enterprise architecture blog has a nice article about social networking within enterprise: Have you noticed that many consulting firms such as Accenture, Bearingpoint and even McKinsey will talk... |
| Nieuwe versie EID software loopt vertraging op ? [belsec] [Belgian Security Blognetwork] Posted: 16 Jun 2008 07:08 PM CDT dit staat op de http://eid.belgium.be site "Bij wijze van voorbereiding op deze nieuwe certificaten komt begin mei eveneens een nieuwe versie (3.0) van de middleware, de software waarmee de gegevens op de eID-chip kunnen gelezen worden en die de interface toelaat met toepassingen die de eID gebruiken. Deze versie wordt door Fedict ter beschikking gesteld van alle burgers. De documentatie met betrekking tot deze versie 3.0 van de middleware wordt in diezelfde periode op deze website geplaatst." (for english readers : beginning of may the new middleware 3.0 will be made available here) but the version that you download is
|
| Posted: 16 Jun 2008 06:57 PM CDT when we use onsamehost.be we find for taxonweb.be the following 193.191.209.193
I don't know but wouldn't you expect that the most important online webservice had its own independent infrastructure so you could eliminate all the other traffic and lock everything down ? The less other sites and infrastructure the better. The higher the security has to be, the more less is better. Security by isolation |
| hack of the day www.abe-bao.be [belsec] [Belgian Security Blognetwork] Posted: 16 Jun 2008 06:42 PM CDT |
| Typosquatting taxonweb is childplay (kinderspel) [belsec] [Belgian Security Blognetwork] Posted: 16 Jun 2008 06:28 PM CDT When we checked, they were all still free. These are the best ones. taxonwb.be taxoneb.be taxnweb.be taxoweb.be tawonweb.be - taxpnweb.be tax0nweb.be |
| Posted: 16 Jun 2008 06:10 PM CDT In the Canadian press you can read more because in the Belgian press you will see that under Belgian law they have to call him just vincent D. as the law obliges the press to be protective. But a full story with all the details and the name can be found here on the internet. It tells a lot about how some laws just become plain stupid in these internet times. Video (quite amazing french for a Belgian by the way) and if you find the name and google it "name" than you will find enough other resources but there are more people with the same name, which is a pity for them. |
| Posted: 16 Jun 2008 04:39 PM CDT how many people would fall for this, we could easily copy the code and the images and change the login site, but took something that doesn't exist but it could be anything else off course and this site is just to change your login which would be the traditional phishing story saying that your account was compromised and that you have to click on a link or something like that. It is not very wise to let other sites use your graphics. You should block all graphic leeching from your site if you want to make it a bit harder on phishers. If you think that nobody wants to steal these things, even in Holland, after the States and the UK fake tax forms and other gov things are coming to a stupid yesclicking idiot near by you. No data are intercepted We had to change the thing because copying the full page took to much from those very busy pages. Think some people are curieus to see what we'll do next. You will find now a copy of the fake page that was made with the code that was available without any encryption or obfuscation or redirect links on the source page.
|
| Lynis: Security and System Auditing Tool [/dev/random] [Belgian Security Blognetwork] Posted: 16 Jun 2008 02:45 PM CDT
Michael Boelen announced today a new release of his tool called Lynis dedicated to UNIX specialists. Michael is also the developer of RootKit Hunter. Quote from the homepage: “Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes. This software aims in assisting automated auditing, software patch management, vulnerability and malware scanning of Unix based systems. It can be run without prior installation, so inclusion on read only storage is no problem (USB stick, cd/dvd).“. I use them regulary on my servers. Keep up the good work Michael! |
| Upside-Down-Ternet [/dev/random] [Belgian Security Blognetwork] Posted: 16 Jun 2008 01:19 PM CDT
Security is part of our daily life and is a serious topic. So, when it can be made with some fun, it’s even better! Check out: Upside-Down Ternet. |
| Dutch users Alert! - Beware of fake Tax Forms [miekiemoes] [Belgian Security Blognetwork] Posted: 16 Jun 2008 12:38 PM CDT This is especially a warning for Dutch users (from the Netherlands). There's malware spreading where it changes your startpage to a random dutch site (.nl domain - which is a compromised/hacked site) , presenting you with this:  Full screenshot of the form:  NOTE.. This is NOT from the legitimate belastingdienst.nl site as they DON'T ask you for this info (PINCode etc). Even though it says it's from belastingsdienst.nl, it's NOT. Only the template from belastingsdienst.nl was used here, not the form itself. Also note the "Microsoft Certified" and "Comodo Hacker Proof" logo to make it look like a legitimate site. This piece of malware is especially designed to target Dutch users in order to steal their banking info. I found this out yesterday while I was helping a user with an infected PC. The PC was severly infected/badly compromised... There was also a .bat file present, with the command to change the Internet Explorer startpage to a random .nl site with this fake tax form. I'm still waiting for the samples and more info how this user got infected in the first place. I guess this infection is spread via MSN, however, I cannot tell for sure yet. The samples and extra info should tell... So beware when you see similar forms... especially when they ask to enter your PINCode. |
| The Pain of Ordering a Ford Escape Hybrid [The Falcon's View] Posted: 16 Jun 2008 12:35 PM CDT We have a baby on the way, and so it's time to get rid of my 2-door Civic. Back in April, we decided on the Ford Escape Hybrid, but found out that they were few and far between. The 2009... |
| VoIP e Steganografia [varie // eventuali // sicurezza informatica] Posted: 16 Jun 2008 08:39 AM CDT Cornell University: Steganography of VoIP Streams In this paper we are presenting available covert channels in VoIP streams that may be utilized for hidden communication for IP telephony service. VoIP e Steganografia, ovvero una panoramica dei covert channel degli stream voce. |
| Posted: 16 Jun 2008 05:05 AM CDT I decided to do a clean install of my Ubuntu. All other backups were fine except for firefox, so I have to start collecting links again. I chose the alternate install and just hit the guided encrypted filesystem. It calculated a reasonable swap partition so hibernate also worked out of the box. I still need to put the ppp settings in place so I can use a mobile phone to dial-out, else things seem to be pretty much as I want them. I also got a Zyxel ADSL WLAN modem for free and replaced my old hardware (1 ADSL modem and 1 WLAN router). I am pretty happy with the device so far, throughput in local network increased with almost one 1MB/s so there was a considerable boost in WLAN performance. I also disabled all other means of administration than HTTP and tweaked some other security options. Vacation has gone well; quite a bit of barbeque action, some handyman work with our terrace and other activities like swimming and cycling. I've read blogs and news sites quite regularly but haven't really paid attention to blogging. As I talked in an earlier blog entry about Google's new diagnostics service, it seems they're actually in the process of removing sites from the index and contacting site owners. The site can be put back to index after the reason for removal has been corrected. I read this from belsec and it contain links to other discussions as well. I'm not sure if the removal refers to the alert banner being shown as I already talked about or if it actually gets removed from search all together (which would be a new thing). |
| Baby tests Two-Factor Authentication [PCI Blog - Compliance Demystified] Posted: 16 Jun 2008 03:12 AM CDT
|
| CPISM Wiki [PCI Blog - Compliance Demystified] Posted: 16 Jun 2008 03:04 AM CDT
They are currently in progress of upgrading the back-end software to improve all of the current features including the Forum and Blog. Once updated you will be able to subscribe to individual RSS feeds for every part of the site including the updated online forum. Look forward to new feature in the future, for even better collaboration. |
| PCI DSS Requirement 6.6 [PCI Blog - Compliance Demystified] Posted: 16 Jun 2008 02:52 AM CDT
What does it mean? In order to understand this you have to take my Attack Vector based Risk Management (AVRM) approach towards the intent behind this requirement. One could easily reference that the intent behind this requirement is to prevent Internet-facing web-application compromises and you would be correct, but also missing the deeper meaning and back story. Although card-present (typically IPOS) systems account for a greater number of credit cards stolen, about half of all account compromises are a result of web-application data breaches. Of this population, about 90%+ of the data compromises are a result of the top 5-10 web-application vulnerabilities. These include, but are not limited to, SQL injection, cross-site scripting, cross-site request forgery (CSRF) and other input/output validation issues. Knowing this you can now imagine that if we could mitigate the risk of these top attacks we could reduce the population of credit card data breaches by almost half! (This does not reduce the number of credit cards stolen by half.) The consideration here is not just to protect against the OWASP Top 10 but to consider those that apply to your web-application and understand those that cause the highest risk to your application. Consider the risk you could mitigate simply by properly validating the input/output on your application. Would this address all risk? No, but it would get you significant progress towards that goal. Also, remember there is a difference between compliance and validation. If you validated your compliance prior to June 30 you do not need to re-validate for 12 months, but you do need to be compliant with the standard at all times. Compliance is a state of being that you must maintain at all times; for this requirement it means on or after June 30, 2008. How can I comply? The best part about this (and other) requirements is the large number of ways to comply. Remember, the goal is to meat the intent - so how can we do this? Well the standard states two options, and the intent leaves it open to many others. Let’s list the two given options first:
First, remember that it is not comparing apples to apples here, but providing options that different enterprises can implement depending on their specific needs and abilities. We are still aiming to meet the same intent. Notice that, agnostic of technology, we can meet the intent using either of the prescribed methods. Second, we should use the ‘intent’ defined above, via the AVRM model, to understand what “common vulnerabilities” means. To clarify the meaning of “an organization that specializes in application security” they are saying you should use a company that can identify the “common vulnerabilities” and remediate them, rather than your 8 year old nephew who just took her first computer programming course. Now people are always asking what is an “application-firewall”. They know what it is, but want to know what you think it is. We should no longer have to answer that question again, because agnostic of technology an “application-layer firewall” should satisfy the intent behind this requirement as outlined above. Still not enough? Well, the PCI SSC has released an Information Supplement that clarifies Requirement 6.6. Among other things, this supplement offers four additional alternatives towards meeting the intent of this requirement:
Still not enough to meet your business requirements? Then document a compensating control and write up how it mitigates the risk, to meet the intent, that could not be accomplished due to a legitimate business or technical issue. |
| [Chinese]做一位出色的架构师 [Telecom,Security & P2P] Posted: 15 Jun 2008 07:16 PM CDT 前面一年多的时间里,一直不停的在寻找架构师Architect。简历收集了上百个,前后面试了至少数十人,大多有相当不错的职业经历,也有相当不错的项目经验,他们在很多技术方向都很出色,也有不少含金量高的证书,例如CCIE。可是,令人遗憾的告诉大家,找到一位令人满意的架构师实在是一件非常不容易的事情。架构师,如同字面上的含义一样,掌握着一个建筑的风格、层次、标准等。IT Architect也不例外。架构师决定技术方案的走向,很大程度上会影响管理层的决策,并且对后续的运行和业务交付都至观重要。 坦白说,虽然也有些候选人是因为英语的问题,但是大部分候选人让我放弃的原因是考虑问题的方式和技术素养。让我来总结一下我对架构师的理解。 1 面向架构的思考 2 深入浅出的展现沟通 3 广博的知识面 4 面向业务的成本概念 |
| Posted: 15 Jun 2008 12:39 PM CDT First of all, Help Firefox break a Guinness World Record by downloading it within 24h of it's release, announced for the 17th of June. Just two days from now. There are already some reviews of the... |
| You are subscribed to email updates from Black Hat Security Bloggers Network To stop receiving these emails, you may unsubscribe now. | Email Delivery powered by FeedBurner |
Inbox too full?  Subscribe to the feed version of Black Hat Security Bloggers Network in a feed reader. | |
| If you prefer to unsubscribe via postal mail, write to: Black Hat Security Bloggers Network, c/o FeedBurner, 20 W Kinzie, 9th Floor, Chicago IL USA 60610 | |
No comments:
Post a Comment