Spliced feed for Security Bloggers Network |
Survey: One In Three IT Staff Snoops [Liquidmatrix Security Digest] Posted: 20 Jun 2008 07:29 AM CDT Only one in three? I would hazard that is being conservative. From MSNBC:
Ah, there it is. One-third admitted to it. OK, that is more what I would expect. Now for the other two thirds get the electric cattle prod and some thumb screws and I’m sure they’ll start singing. hyuk. | |
RBAC For More [BlogInfoSec.com] Posted: 20 Jun 2008 06:00 AM CDT Organizations that face significant regulatory scrutiny — or have large numbers of disparate systems containing highly sensitive data — are most likely to have, or at least to need, Role-Based Access Control (RBAC). These organizations are usually trying to accomplish two ends by having both transparency into and limitations on users' access profiles. The first is separation of duties, ensuring that critical processes (often those affecting financial statements) are not subject to fraud. For example, an accounts manager who can modify a customer's account information and approve and release refund payments can direct those payments to their own account. The refund process needs to be broken down into discrete steps for which distinct employees are responsible. Those controls are much more easily enforced when each staff member is assigned a role granting privileges to only the limited steps for which they are responsible. Since many organizations do an abysmal job with ongoing access reviews, individual entitlements for staff in sensitive departments are a certain prescription for audit findings or regulatory breakdowns. The other control RBAC provides is when an organization wants to restrict what data each associate can access. For example, the various investment teams at a financial services firm where I formerly worked jealously guarded their respective research, investment decisions, portfolio weighting and trading activities. The segregation was further compounded by strong demarcation between equity, fixed income, high income and institutional groups. So roles were a business enabler that allowed these groups to compete
Copyright © 2008 BlogInfoSec.com. | |
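The refund workflow above, modelled as roles with separation-of-duties constraints (example code added for this digest, not from the BlogInfoSec post; the role names, permissions and users are constructed). assign_role refuses a toxic combination up front, and access_review is the periodic check that catches combinations which crept in some other way:

```python
"""Toy RBAC model with separation-of-duties (SoD) constraints for the refund
workflow in the post.  Roles, permissions and users are constructed."""

# Permissions each role grants (constructed role names).
ROLE_PERMISSIONS = {
    "account_manager": {"account.modify"},
    "refund_approver": {"refund.approve"},
    "refund_releaser": {"refund.release"},
    "equity_research": {"research.read:equity"},
    "fixed_income_research": {"research.read:fixed_income"},
}

# Permission pairs that must never be held by one person.
SOD_CONSTRAINTS = [
    ("account.modify", "refund.approve"),   # could redirect a refund, then approve it
    ("account.modify", "refund.release"),   # ... or release it
    ("refund.approve", "refund.release"),   # approval and release are separate steps
]


def permissions_for(roles):
    """Union of the permissions granted by a set of roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]   # unknown role raises KeyError on purpose
    return perms


def sod_violations(roles):
    """SoD constraints that holding these roles together would violate."""
    perms = permissions_for(roles)
    return [pair for pair in SOD_CONSTRAINTS if pair[0] in perms and pair[1] in perms]


def assign_role(assignments, user, role):
    """Grant role to user unless the result violates SoD.  Returns True if granted."""
    current = assignments.get(user, set())
    if sod_violations(current | {role}):
        return False
    assignments.setdefault(user, set()).add(role)
    return True


def can(assignments, user, permission):
    """Access decision: does the user's role set grant the permission?"""
    return permission in permissions_for(assignments.get(user, set()))


def access_review(assignments):
    """Periodic review: users whose accumulated roles violate SoD.  Catches toxic
    combinations that crept in outside assign_role (legacy grants, direct edits)."""
    return {user: sod_violations(roles)
            for user, roles in assignments.items() if sod_violations(roles)}


# Constructed starting state: 'dana' got both roles from a legacy provisioning path.
ASSIGNMENTS = {
    "alice": {"account_manager"},
    "bob": {"refund_approver"},
    "carol": {"refund_releaser"},
    "dana": {"account_manager", "refund_approver"},
}

if __name__ == "__main__":
    print("alice -> refund_approver:", assign_role(ASSIGNMENTS, "alice", "refund_approver"))
    print("alice -> equity_research:", assign_role(ASSIGNMENTS, "alice", "equity_research"))
    print("review findings:", access_review(ASSIGNMENTS))
```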
Las Vegas Hotel Security [Digital Soapbox - Security, Risk & Data Protection Blog] Posted: 20 Jun 2008 05:07 AM CDT Las Vegas hotel security is apparently taking pointers from the TSA. You've all heard (or read) me rant about how the TSA is trying very hard to give the "perception" that commercial flight is more secure but the reality is much different... apparently the hotels here in Las Vegas are following suit. On a recent business trip (still here as I write this) to Vegas I had occasion to stay at the Palazzo hotel, gorgeous in every way including their perception of security. As you walk towards the guest suites you're greeted and interrogated by "security guards" who ask you to show your room key - presumably to keep the hookers out, haha... The odd thing is just holding up a room key, or walking with someone who is, will get you in. The other interesting thing is what happened to me as I walked out of my room to go down to the pool, realizing that I forgot my key in the room as it slammed behind me. In what I think is a rather disturbing story, here's what happened. I walked down to the registration desk, only to be asked for my photo ID (sound familiar yet?). Obviously I didn't have a wallet so I had no ID on me. The agent asked me for my room number, and my last name - then once I gave her that he told me to go up to my room and wait for security to come up. After about 2 minutes of waiting, security shows up, asks me my last name, which I give them, and lets me into my room. No need to watch me go in, no need for me to produce an ID from my room... nothing. I am now officially worried as crap. I have a laptop, work stuff, and some rather expensive clothes in here, and if all it takes is to get security up to let you in - this is a problem. There is this illusion that there is high security in the hotel - but when it comes to practice, it's just all for show and the reality is security doesn't exist.
What a disappointment in the Palazzo, and what a scary situation to have to be in... yikes. | |
Fear [GNUCITIZEN Media Portfolio] Posted: 20 Jun 2008 03:43 AM CDT | |
Technitium FREE MAC Address Changer v5 Released [Darknet - The Darkside] Posted: 20 Jun 2008 02:25 AM CDT Technitium MAC Address Changer allows you to change the Media Access Control (MAC) Address of your Network Interface Card (NIC) irrespective of your NIC manufacturer or its driver. It has a very simple user interface and provides ample information regarding each NIC in the machine. Every NIC has a MAC address hard coded in its circuit... Read the full post at darknet.org.uk | |
Taking a second look at Rohati [StillSecure, After All These Years] Posted: 19 Jun 2008 11:33 PM CDT Last week in response to Richard Stiennon's glowing write up, I questioned what it is exactly that Rohati does. Well someone from Rohati must have seen it and I was contacted by the Rohati team and offered a peek and a deep explanation of exactly what Rohati does. So today I had a chance to speak with Shane Buckley, CEO, Prashant Ghandi VP of product management and strategy and Steven Wastie, VP of marketing. I was impressed that such a triumvirate of power players from the Rohati team took the time to speak to me. But I guess after I wrote what I did, it was followed up by JJ writing her article on it and then Rothman piling on with his own two cents. Give the Rohati team credit for recognizing the power of blogs to influence the influencer and reaching out to stem the tide. It just goes to show you how far blogging has come. But enough about the power of blogs, let's talk about Rohati. The best way for me to describe Rohati is that it is layer 7 ACLs to control access to applications. Where we already have security at the perimeter and at the edge, Rohati is about controlling access at the server/application. The diagram on the left (click on it to get a bigger version), is a good illustration of how Rohati works. By integrating with LDAPs Rohati can assign you an access policy to any application. Based upon that Rohati gives a very fine grain level of access control at the application layer. It acts as a proxy to the app server for both regular and encrypted traffic. Because the ACLs are on the Rohati box itself, there really is not any integration with switches per se and so no integration worries. The only problem is that the Rohati box has to be able to handle the traffic flow. Hence the box is a big honker. The cheap one is about 20k list I believe and the industrial size version is 80k.
This product is aimed squarely at the data center space and is sold through channels. Will Rohati succeed? Yes, I think it will. I think they have taken a unique approach to a security issue that will continue to grow in years to come. Application access is an area that I think is still up and coming. In a period of nothing is ever new in security, the Rohati team seems to have found something that has not been done before in a packaged dedicated way like this. If nothing else, with all of the ex-Cisco folks there, Cisco will eat its young and buy the technology back in. We will watch Rohati's progress in the months to come. At the very least, it seems they are blog savvy enough to navigate the waters of social media. Maybe they will start their own blog soon. | |
Successful 802.1X Every Time [Security Uncorked] Posted: 19 Jun 2008 11:18 PM CDT It’s not rocket science, but any time we mingle and intertwine four or five different pieces of technology, there’s always the potential for a mess… or at least a misconfiguration or two along the way. Don’t know what 802.1X is? Check out the recent 802.1X technology primer. If you’re planning to, or are implementing wired 802.1X, wireless security and/or NAC, the contents of this blog may save you hours of time and trouble. Throughout the implementations I’ve done, for both wired and wireless 802.1X, I’ve developed a procedure for implementing and testing 802.1X each step of the way. Following these steps may seem tedious and unnecessarily time-consuming. But, if you’re just starting with 802.1X, I’m offering a way to implement it in phased pieces that will give you the information to test, confirm and troubleshoot at each step. To be honest, I frequently skip these steps, but I’ve done many 802.1X implementations and can usually hit the bullseye the first time (unless there’s buggy software or firmware- you guys know who you are). But, if something doesn’t work, I start right back at Number 1 here and I follow this procedure.
1) Configure wired 802.1X
If this simple configuration doesn’t work, you have some troubleshooting options. First, view the system events log in the RADIUS/AD server and look for informational events from IAS. If the authentication request is making it from the client -> switch -> RADIUS, you’ll see something here. The something you see should tell you if the EAP method is mismatched, or if the credentials were wrong, etc. Your second line of troubleshooting comes if you don’t see any RADIUS log activity. If that happens, throw on a packet capture utility like Wireshark. You want to search for 2 things. First look for conversations from your Test Switch to the RADIUS server (filter on IP or MACs). If you see something here, see where the conversation drops off. If that comes up empty, it means the conversation is terminated between the Test Switch and Test Client. I have some neat tricks for troubleshooting I’ll share with you later.
2) Add in Wireless
If your wireless 802.1X isn’t working, follow the troubleshooting above and re-check settings based on the RADIUS event log contents. If nothing is making it to RADIUS, then most likely something is misconfigured in your AP/Controller and the AP isn’t communicating with the RADIUS server. You know the rest of it’s working (RADIUS, AD, Client) so you can narrow your troubleshooting scope. Once that’s working you can stop if wireless is your goal, or keep going if you’re layering on more security.
3) Replace with Custom Pieces
4) Add in NAC or Endpoint Integrity
If you follow these steps, you can turn a complex configuration into a set of simple baby-steps. It may sound stupid, but I promise it’ll work for you every time! # # #
| |
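The narrowing exercise the post describes, as an added example written for this digest (not code from the Security Uncorked post): a small parser for the EAPOL/EAP frames between test client and test switch and the RADIUS packets between switch and server, with a diagnose function that reports the last stage the authentication reached. The sample packets are constructed, and the capture is assumed to see both links.

```python
"""Find where an 802.1X authentication stalls from the two conversations the
post says to capture: EAPOL (client <-> switch) and RADIUS (switch <-> server).
Sample packets below are constructed."""
import struct

EAPOL_TYPE = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff"}
EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
RADIUS_CODE = {1: "Access-Request", 2: "Access-Accept",
               3: "Access-Reject", 11: "Access-Challenge"}

def parse_eapol(frame):
    """frame: EAPOL PDU (bytes after ethertype 0x888E).  Returns a label such as
    'EAPOL-Start' or 'EAP-Response-Identity'."""
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    label = EAPOL_TYPE.get(ptype, "EAPOL-type-%d" % ptype)
    if ptype == 0 and length >= 4:                  # an EAP packet is inside
        code, ident, eap_len = struct.unpack("!BBH", frame[4:8])
        label = "EAP-" + EAP_CODE.get(code, str(code))
        if code in (1, 2) and eap_len >= 5:         # Request/Response carry a type
            label += "-Identity" if frame[8] == 1 else "-type%d" % frame[8]
    return label

def parse_radius(payload):
    """payload: RADIUS UDP payload.  Returns (code label, {attr type: value})."""
    code, ident, length = struct.unpack("!BBH", payload[:4])
    attrs, pos = {}, 20                             # skip the 16-byte Authenticator
    while pos + 2 <= min(length, len(payload)):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):   # malformed attribute: stop
            break
        attrs[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return RADIUS_CODE.get(code, "RADIUS-code-%d" % code), attrs

def diagnose(packets):
    """packets: (link, raw) pairs in capture order; link is 'client-switch' for
    EAPOL frames or 'switch-radius' for RADIUS payloads.
    Returns (last stage reached, where to look next)."""
    eapol = [parse_eapol(p) for link, p in packets if link == "client-switch"]
    radius = [parse_radius(p)[0] for link, p in packets if link == "switch-radius"]
    if not eapol:
        return "no EAPOL", "client never started 802.1X: supplicant off, or wrong capture point"
    if not radius:
        return ("EAPOL only: " + eapol[-1],
                "nothing reaches RADIUS: check the switch's RADIUS server address and AAA/dot1x config")
    last = radius[-1]
    if last == "Access-Request":
        return last + " unanswered", "server silent: shared secret, RADIUS client entry for the switch, firewall"
    if last == "Access-Challenge":
        return last + " stalled", "EAP exchange broke mid-way: client may not support the offered EAP method"
    if last == "Access-Reject":
        return last, "server answered: read the IAS event log for EAP mismatch or bad credentials"
    if last == "Access-Accept":
        return last, "authentication succeeded: if the port is still blocked, look at the switch"
    return last, "unexpected RADIUS code"

# --- constructed sample packets ---------------------------------------------
def eapol(ptype, body=b""):
    return struct.pack("!BBH", 1, ptype, len(body)) + body

def eap(code, ident, eap_type=None, data=b""):
    body = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def radius(code, ident, attrs=()):
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

USER = b"alice@corp.example"
# Client starts, switch asks for identity, client answers, nothing reaches RADIUS.
CAPTURE_SWITCH_SILENT = [
    ("client-switch", eapol(1)),
    ("client-switch", eapol(0, eap(1, 1, 1))),
    ("client-switch", eapol(0, eap(2, 1, 1, USER))),
]
# Switch forwards User-Name (attr 1) and NAS-IP-Address (attr 4); server never replies.
CAPTURE_RADIUS_SILENT = CAPTURE_SWITCH_SILENT + [
    ("switch-radius", radius(1, 7, [(1, USER), (4, bytes([192, 0, 2, 10]))])),
]
# Server challenges, switch sends the next request, server rejects.
CAPTURE_REJECT = CAPTURE_RADIUS_SILENT + [
    ("switch-radius", radius(11, 7)),
    ("switch-radius", radius(1, 8, [(1, USER)])),
    ("switch-radius", radius(3, 8)),
]

if __name__ == "__main__":
    for name, cap in (("switch silent", CAPTURE_SWITCH_SILENT),
                      ("radius silent", CAPTURE_RADIUS_SILENT),
                      ("reject", CAPTURE_REJECT)):
        print("%s: %s -> %s" % ((name,) + diagnose(cap)))
```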
DLP moves slowly into data security... [IT Security: The view from here] Posted: 19 Jun 2008 11:03 PM CDT Today it seems to be big news that DLP deployments should include encryption. I'm amazed that it's taken this long for something purporting to be data centric security to have this included as a standard feature, but it's about time! This report includes soundbites from an RSA marketing guy, which is all fine, they are the people to go to for encryption information after all, but I wonder how much of this will come back to bite them, or rather the hand that feeds them. I'm sure over time EMC will work out a clever strategy for commoditising their storage again, but data-centric security can only see storage getting cheaper and cheaper - the protection being in the data, not the hardware around it, or the applications it runs through. Centera and Celerra arrays are massively over engineered blocks of expense, but they sell at the moment because there are few well known alternatives. What these big beasts don't do is allow you to move your data with any sort of security still attached. This is their big fault. Encrypted information with a master key available to decrypt at the endpoints for scanning purposes, or to make a decision on encrypting information as it is sent out - now that's more like it... ... and exactly what I was talking about yesterday. The trick is to get this all working without getting tied into one vendor, using a standard of some sort. Perhaps the ZIP standard would work? It is already installed in 25,000 corporate users, and those are just PKZIP and SecureZIP customers, not the free download users, or everyone on WinZIP, for whom half of the security is available, despite the lack of control. I'm surprised DLP vendors have taken this long to come up with encryption, and I'm surprised they aren't already looking at compression and integrity on top of this. It would have been smarter to do this before now. | |
Security Circumvented: My Anti-Virus [Security Uncorked] Posted: 19 Jun 2008 10:31 PM CDT I recently needed to renew the anti-virus subscription on my tablet PC. Of course, Symantec popped up and let me know well in advance, and of course, I waited until the almost-last-day before I renewed. When my renewal options appeared, there was a selection to upgrade to the shiny new Norton 360. Woo hoo! It listed all these great new security features… I don’t remember what they were… but, they sounded REALLY great (I promise). So I went with the upgrade, instead of the anti-virus signature renewal. Okay. It did seem like a good idea at the time. However, in addition to my overly-protective Vista popups eeeevvvvery time I want to run something, connect somewhere, or wipe my nose… Now, I have the Vista pop up AND the Norton 360 popup. Okay. Except, the Norton pops up with flagrantly ambiguous information like “An application is trying to access your Internet.” Do I want to allow it? I don’t know. How am I supposed to know- which application wants to access my Internet? Oh, it’s not going to tell me. Okay. Well, I guess I’ll click ‘Allow’ because I have no clue what is trying to access my Internet, but I’ll assume it’s something that I have somehow asked to access my Internet… and I’ll be quite upset if whatever I clicked on doesn’t work. So YES, ALLOW. Okay again. And what was the point in that? One click has transformed to three, and I’m no more secure than I was before, I’m just being forced to make more clicks to earn my insecurity. So today I am the poster child of what NOT to do. Security circumvented is quite possibly worse than no security at all. I see visions of ‘invalid browser certificate’ notices dancing in my head. # # # | |
Securing Personal Data - Waste of Time? [CultSEC Blog] Posted: 19 Jun 2008 08:27 PM CDT I've often been asked by friends and relatives why they should ensure their own personal data is protected. After all, it is only their home computer. What could anyone possibly want from that? I read this interesting article today on Darkreading.com. It begins with the usual issues about stolen credit card numbers. The twist comes when an investigation has found other personal information. Such as healthcare data, airline data, financial data, and so on. Information about ourselves may seem relatively benign. But, consider what someone can do with it when they piece it together bit by bit, or when they hit the data load, and find out all kinds of things about you. In effect, the more information on you, the easier it is to impersonate you. Especially in the digital world. Bruce Schneier recently posted an article discussing LifeLock and Identity Theft. In fact, a search of his blog using the keyword "identity" shows he has covered the topic quite a bit. At any rate, protecting information is not a new thing. Governments and corporations have been doing it for some time. You decide if they have been effective at it. Data protection from the business or government sector is something each of us individuals should learn, and apply to our own lives. Really, each individual is a small business. Perhaps we should mind our own for a change. | |
Patching and updating [IT Security, Windows Scripting and other matters] Posted: 19 Jun 2008 08:15 PM CDT I recently performed a series of Nessus scans for a client who had acquired a competitor. I can't offer specifics but there was a bit of a shocking revelation for me. Some companies are still not actively patching their computers. There was a computer with no patches for an old Operating System. Microsoft provides WSUS for free. Patch your systems. Patching is a base level activity - it needs to be done. You don't have to have a high end software solution for all of your applications. You can even use the Windows Update website to keep you up to date (or patched with the last patches for the OS). Be safe out there. James | |
Interesting series of events [IT Security, Windows Scripting and other matters] Posted: 19 Jun 2008 07:44 PM CDT I was driving back from a client site on Tuesday and saw an event that unsettled me. As I came up I-35 into downtown Kansas City, I noticed that there was a car several hundred yards ahead of me pulled over on the side of the road. As I got closer I saw the driver get out and run around to the passenger side and yank the door open. The driver then pulled the passenger out of the car and ran back around to the driver side and drove off, leaving the passenger standing on the side of the highway. I don't really have an insight as to what was going on other than what I observed. Two adults traveling down the road, one of them was apparently angry enough to leave the other on the side of the highway. Does the driver feel justified leaving the passenger on the side of the road? Does the driver believe that whatever happened just prior to pulling over was so bad that endangering the passenger by leaving them on the side of the highway was the right thing to do? (this next section is not intended to minimize the seriousness of what happened but it was part of the thought process I had afterward) How often do we make business decisions based upon a reaction to a situation without fully thinking through the ramifications? I will own up to being guilty of this and I am going to work on thinking about the ramifications of my action before acting. How often do our users not think about the ramifications of what they are doing? "I just wanted to do a little shopping during my lunch hour" "I downloaded some videos while I was on the road, I didn't think it would be a problem to leave them on my laptop." We need to start working with our users to get them thinking about their actions in terms of its effect on the company. Larry Pesce spoke on this on Episode 111 of PaulDotCom Security Weekly.
Michael Santarcangelo has written a book on the subject and he and I are podcasting a series on using pop culture to relate security topics to other business users. Be safe out there. James | |
Myrcurial Selected To Speak At Last Hope [Liquidmatrix Security Digest] Posted: 19 Jun 2008 05:26 PM CDT I had a long crappy day as anyone who might follow my Twitter may have seen. I was wallowing in my own discontent when I met up with Myrcurial for lunch today. The cheshire grin on his face was something to behold. As it turns out, the weasel had been sitting on a rather significant announcement (for the last month) that he alluded to in his earlier posting today. Myrcurial will be speaking at Last Hope! Very cool brother! His talk entitled, “From a Black Hat to a Black Suit” will be a must see for any propeller heads that have aspirations for a corner office one day. From the talk summary:
I’ll be the smart ass in the back crackin wise. | |
Nortel launches Voice Security Technology Blog [Voice of VOIPSA] Posted: 19 Jun 2008 04:02 PM CDT I recently learned that Nortel has launched their “Voice Security Technology Blog“. Their initial post outlines their goals for the blog. They only have two posts up so far but we’ll be interested to watch the blog and see what they do with it. | |
Bring it on, Cisco! [Napera Networks] Posted: 19 Jun 2008 03:38 PM CDT Some very interesting news for the NAC market this week with multiple analysts publishing predictions and market forecasts. All of this good news was tempered by a warning to smaller NAC vendors in a Network World article this morning. In short, Gartner claims Cisco and Microsoft may marginalize NAC vendors by 2009 because of Cisco’s success in the enterprise switching market (and presumably Microsoft’s domination of desktops). It’s great to see data from IDC and Infonetics, but I’ve heard the Gartner analysis before. In the late nineties it was enterprise vendors like Cisco and Check Point that were going to crush firewall appliance startups. In reality it took Cisco ten years to get their act together, and meanwhile companies like WatchGuard, Sonicwall and Netscreen grew and prospered in the mid and large enterprise markets. If that is the definition of getting crushed by Cisco, bring it on! The Gartner hypothesis referenced in Network World doesn’t apply equally to all companies. The problems that large enterprises are solving with NAC technology are equally relevant to the small and medium enterprise customer: guest Internet and printer access, endpoint and identity enforcement, and overall visibility into the security state of computers on the network. But the SME market is very different from large enterprise. Cisco has been less than successful selling into the SME, and much of the Linksys SME product line is not interoperable with Cisco’s enterprise architecture. While SMEs have Microsoft NAP on their computers, few will build out an entire NAC/NAP infrastructure based on Cisco products. Bihammar at IDC named cost and complexity as the prime barriers to NAC adoption, which gets to the heart of the issue. I’ve posted on this exact issue before. 
The vast majority of Napera customers haven't heard of NAC, haven't participated in these debates, and primarily care about the practical application of technology and the risks in their company to solve a business problem, not the technology itself. They want a solution that helps them take back control of the computers accessing their network and that does so easily and affordably. That’s where the real opportunity is - how do you help those customers solve those problems without complex, expensive large enterprise products? And that’s what Napera is all about. | |
Posted: 19 Jun 2008 02:43 PM CDT This how-to describes in detail how to collect live, real email addresses from live, real people around the world. Most importantly, it will show you how you can collect 10 000 e-mails in less than 5 minutes work! In addition, this How-to will help you collect additional information about your target: like photo; full name; list of friends; and potentially also mail address; phone numbers and list their favourite books. So let's get on with it!
1. Set up an email box on Yahoo, Google or similar tool
This is easy. Just pop on over to Yahoo Mail, Google Mail, or any other free web-based e-mail service out there. I know you are able to set up the account without my help. Get back here and move to step two when you are done! Set the e-mail to automatically forward all e-mails to a different account, preferably on a system you can control – either directly, or by POP/IMAP. You want to do this to save you some work later on! You do not want to use your own name, though, but you knew that, right?
2. Get a Facebook (or pick any other social networking site) account
Just register with a plausible name (Jim Johnson, Donna James or similar). This is free, and typically available to anyone, and this is where you will meet your victims. Consider using the same name as in step one, this adds to credibility. TIP: You may consider using a western name, preferably a woman's name, as it sounds less daunting and more secure. Now, it is out of the scope of this How-to to discuss how to set up your account. So, I just skip on to the next part, and you do too as soon as your Facebook account is up and running!
3. Set up a group on Facebook
And yes, you guessed it; how to set up the group is out of the scope of this How-to. But believe you me, it is plenty easy!! Give it a winning title - Free gift! Or: Free trip to Dubai! Why you need it? This is where you will plant your seeds of seduction – where you will promote your give-away, and where your victims will understand why it is so important to give you their e-mail address for free – no strings attached! So, now you have a group on Facebook. Time to use it!
4. Add a prize!
When you want something, you should always offer something. The bigger, and more realistic, the prize, the better it is! Here is one example:
Yes, I noted more realistic above, I know… But – the purpose is to offer something that is realistic to your victims – and they are not as smart as you are, obviously. Thus, this one counts as realistic. And, unless you really want to do so, there is no need to actually give away the prize. I would strongly suggest you do NOT give it away, and use it yourself instead. Or spend your cash on something else. Your victims will never know they did not win. Period.
5. Ask for something simple/cheap compared to the prize
By asking for something that is perceived as not dangerous to give you – like an e-mail address – you are more likely to succeed. But we do know that most anyone will be happy to share their favourite password if you give them a chocolate, so do as you like. On the other side, when you get the e-mail, you have plenty of opportunity to ask for more later on too.
So go ahead and ask for it! Make sure you add your collecting e-mail box where they can send their request for the prize, giving away their name and e-mail. Put it out there – like this:
And voila – now you have a large number of e-mail addresses available. Addresses you can use to send nice offers of pills, travels and other stuff your customers pay you to offer to your list!
6. Collect and use
Now you have a large number of e-mails on your account, it is time to download them and put them to work. By installing any kind of e-mail harvesting tool on your e-mail client (many available, find your favourite), you are now able to take the e-mail addresses and their corresponding names from your in-box, and into a database tool. And as e-mails keep coming in, your database grows. High quality e-mails with real people on the other side. A great value to spammers. So start selling it to the highest bidder! And if someone complains about getting spam? Well, that is not what you are doing, of course. You only provide your customers with fresh e-mail addresses with real people on the receiving side! The emails are collected, and you may now use them to send out outrageous offers of pills, lottery winnings and other nice-to-have stuff. But, why stop there? Get back tomorrow to read about how to build a complete profile of your targets! That part is a Bonus – where I tell you how to collect more than only the e-mail and name of your victims – where I tell you how you can build a full profile of your victim! | |
MindshaRE: Searching in IDA [DVLabs: Blogs] Posted: 19 Jun 2008 02:22 PM CDT Posted by Cody Pierce MindshaRE is our weekly look at some simple reverse engineering tips and tricks. The goal is to keep things small and discuss every day aspects of reversing. You can view previous entries here by going through our blog history. In this week's installment of MindShaRE we will take a look at some fun uses for searching in IDA, even utilizing IDC/IDAPython to automate this. IDA provides several different search options, ranging from immediate values to undefined functions. Right now we are going to touch only on the byte/text searching options.
Finding Improper Sign Extension Bugs
What I'm referring to here is the promotion of an integer to a larger size. In a nutshell, this promotion results in a security vulnerability when a sign extension occurs on user data. More detailed information regarding sign extension bugs can be found elsewhere, such as the very excellent book by Mark Dowd et al., The Art of Software Security Assessment. A typical instance of this bug will stem at the assembly level from the instruction "movsx". Using the "Text" search (Alt+T) and entering "movsx" with "Find all occurrences" checked provides us with a neat little window of all sign-extended move operations.
Locating Parsing Functions
If I'm analyzing an application that handles complex data, user input or configuration information, I will be sure to track down and audit the various routines responsible for parsing that inbound data into data structures to which programmatic logic can be applied. Many parsers are implemented with the help of "switch" statements. At the assembly level, switch statements are actually implemented as jump tables. IDA does a good job of automatically identifying switch statements. When a switch is identified it will be commented in a form such as:
2B0016DF jmp ds:off_2B001716[eax*4] ; switch jump
Utilizing the same search dialogue as before (Alt+T) we can plug in "switch jump" with "Find all Occurrences" enabled to produce a list of all switches within the binary.
Taking it one step further, here is a simple IDAPython script that enumerates all switches and additionally each switch's number of cases and case addresses (the post showed only the inner loop; the surrounding function walk, the imports and the output lines are filled in here so it runs as a complete script):

    from idaapi import *
    from idautils import *
    from idc import *

    switches = []
    for start in Functions():
        function_name = GetFunctionName(start)
        end = FindFuncEnd(start)
        curea = start
        table = BADADDR   # address of the most recent "switch jump" instruction
        count = 0         # case count from the preceding "switch N cases" comment
        cases = []
        while curea <= end and curea != BADADDR:
            comment = Comment(curea)
            if comment:
                if 'switch' in comment and 'cases' in comment:
                    # IDA comments the bounds check as e.g. "switch 10 cases"
                    count = int(comment.split(' ')[1])
                elif 'switch jump' in comment:
                    table = curea
                    cases = []
                    switches.append({'name': function_name,
                                     'table': table,
                                     'count': count,
                                     'cases': cases})
            else:
                comment = RptCmt(curea)
                if comment:
                    if 'jumptable' in comment:
                        # case targets carry a repeatable comment "jumptable 000251E7 case 128"
                        jt = int(comment.split(' ')[1], 16)
                        if jt == table:
                            cases.append({'loc': curea,
                                          'tag': "cases " + comment.split(' ')[3]})
            curea = NextHead(curea, end)

    for s in switches:
        print("%s: %x: %d cases" % (s['name'], s['table'], s['count']))
        for c in s['cases']:
            print("%s: %x: %s" % (s['name'], c['loc'], c['tag']))

Running this IDAPython script produces the following sample output:
ICMPv6Receive: 251e7: 10 cases
ICMPv6Receive: 251ee: cases 128
Following the addresses takes you to the individual switch case:
000251E7 jmp ds:off_2523B[eax*4] ; switch jump
000251EE
000251EE loc_251EE:
000251EE push esi ; jumptable 000251E7 case 128
000251EF call ICMPv6SendEchoReply
This approach is especially effective when symbol information is present.
Searching for Structure References
This example is definitely gimmicky but worthwhile nonetheless. IDA does not provide structure cross references. Without proper symbolic information it's relatively impossible to discern between an [ecx+4] in one function and another. Such is the nature of static reverse engineering. Sometimes though you have a pretty good idea of a structure's use in a binary. This occurs most often for myself when looking at network code. Programmers usually create a structure for storing information about a request. This typically includes a socket descriptor, buffer size, buffer pointer, and any other information associated with that session. Once again we can use the search functionality to find accesses to a structure. I know what you're thinking, "this will never work", but it will in lots of cases. Searching for the value "+28h" will likely show you any stores or reads to a structure that might seriously be the one you are concerned with. Try it, it might be handy. So there we have it. We have really only covered one of the search mechanisms IDA provides to its users. Immediate value searching and Sequence of Bytes searching can be used in very similar cases (the movsx instruction can be searched by byte value as well) as the Text search. I hope this can come in handy at some point for someone out there. Feel free to leave a comment with some other fun ways of using IDA's searching capabilities. See you next week, Cody | |
I’m Not The Only Blogger Here! [securosis.com] Posted: 19 Jun 2008 02:07 PM CDT I’ve been absolutely flattered by some of the positive comments on our posts this week, especially the database posts. But as much as I enjoy the credit for someone else’s work, I’d like to remind everyone that I’m not the only blogger here at Securosis anymore. Adrian Lane, our new Senior Security Strategist, has been putting up all the meat this week. Once I get back from this conference I’ll increase the font size on the writer tagline for the blog so it’s more obvious. We also occasionally have contributions from David Mortman and Chris Pepper, both of whom wrote posts I got the credit for. These are all brilliant guys, and I’m honored they contribute here. They’re probably smarter than I am… … oh. Never mind. I write it all. | |
VIA ISN: Two More Soon To Be Disclosed Firefox 3 Vulnerabilities [Infosecurity.US] Posted: 19 Jun 2008 01:55 PM CDT ISN (actually SecurityCurmudgeon aka Jericho at attrition.org) is reporting at least two additional (soon-to-be-released pursuant to full disclosure customs) Mozilla Firefox related vulnerabilities. This time, discovered by Neohapsis. Note the following announcements from Neohapsis, the first, an overflow, and the second, protocol related. | |
Help an analyst get some real data [StillSecure, After All These Years] Posted: 19 Jun 2008 01:49 PM CDT With all of my writing this week about lack of truth in much of the data being put on the public whether from vendors or analysts, I thought I would put my money where my mouth is. In order to get some real data to the analysts so that their reports are accurate I am posting a note I received from Aberdeen Group about a new survey they are conducting in vulnerability management. If you have a few minutes it is an excellent way to contribute. Remember, the truth shall set you free! Would you like to learn how Best-in-Class companies successfully maximize their results in IT Security Patch and Vulnerability Management? By participating in this brief survey, you will be able to see how your experiences in Patch and Vulnerability Management compare with those of your peers, benchmark your performance, and see how you can achieve Best-in-Class results. My name is Saqib A. Khan, a Senior Research Analyst at Aberdeen Group, and I am conducting a survey that will help companies such as yours determine the Best-in-Class procedures for Vulnerability Management. Your participation is a vital part of the report development, and serves as the foundation of Aberdeen's research. If your company is planning on implementing Vulnerability Management solution, or is simply evaluating the potential benefits, we would appreciate your feedback in this brief, 10-minute survey. In appreciation for sharing your time and thoughts with us, we will provide complimentary access for you to the full benchmark report as soon as it is published (a $399 value). Individual responses will be kept strictly confidential, and data will We look forward to hearing from you, and greatly appreciate your Sincerely, Saqib Khan | |
Orchestria revisited [IT Security: The view from here] Posted: 19 Jun 2008 12:17 PM CDT I'm used to seeing US businesses struggle in the UK market, I've helped a few now to recover after false starts, or to launch successfully in the first place. I'm currently working with PKWare on a long term contract which I'm really very pleased about. I count myself extremely lucky that much of what I have blogged about as being necessary security over a number of months and years, actually exists as a set of products. I've commented an awful lot about the dynamics that make this possible over here, the fact that a market has to be built up from scratch, reputation not doing much for a company which is big in the States when it comes to these shores, how the American style of business differs from the slightly more staid version we have over here, etc. Something I hadn't come across before is the reverse of this process, a company launching over here and trying to break the US. I covered Orchestria a few weeks back, talking about how they seemed to appear from nowhere in the DLP space, and yet kept hearing good things about them. I found it surprising then that I got a slightly different story from some friends the other side of the pond. I have thoroughly researched Orchestria, spoken at length with their English CTO, Pete Malcolm, and gone into numerous demonstrations of their technology, proofs of their customer base, and have even, surprisingly, been shown a very impressive set of accounts. At this point an NDA prevents me from saying anything more. Needless to say, some of the negative comments that were made after my story last week now look pretty much like sour grapes. I fear that Orchestria are suffering the reverse of what many small US tech companies experience when trying to enter the EMEA market. 
I fear that sales and marketing teams in the US are maybe not set up for this type of technology without having it on their doorstep, or a specialist from the industry on their team. I fear that only a handful of people in the country may understand this fully. I fear that analysts in the US have been in touch with the wrong people in the organisation - because this stuff is pretty damn good. I also fear that properly marketing it is going to be a mountain to climb, but whoever takes it on is going to do very well out of it. I would urge anyone who is looking at DLP to look at Orchestria. If you are in the UK, it's a no brainer, local support, local development, etc. If you are in the US, don't believe the poor marketing and doomsayers from the rest of the industry. If you are in Orchestria, get a good marketing team out there, and beef up the support you already have out there. I think we could see them coming out near the top of the pile in the DLP wars. However, this isn't just what Orchestria does - and here's the only 'issue' that I could find with them - the technology is way more than DLP. You could use a couple of Orchestria devices and some SecureZIP in your entire environment and dispense with 50% of your hardware... if you don't believe me, try it out. This is in fact the reason that this reasonably large company (and expanding monthly) seemed to appear out of nowhere and hit the DLP market. They had a product in a different sector (compliance) which happened to cover DLP very well, and they decided to market it as such. Good idea, poor execution, to get into a security market you need people who know that market inside out, whether they are in the US, the UK, Norway or Timbuktu. This is unfortunate though, because it has given a good piece of technology a slightly false start in an industry where they could be a shining light. 
I haven't been this excited by a product since, well PKWare actually, but before that, Njini with their data classification / de-duplication software (another British company, yeah!). What I'd really like to do is put them all together and make a demo. What makes me feel good about all of this is that this is how I predicted the future of security just a year ago. I just didn't expect it to come so fast. | |
Nepenthes log correlated with ClamAV and ip2country [Security Data Visualization] Posted: 19 Jun 2008 12:15 PM CDT This file is the result of correlating data from Nepenthes, ip2country and ClamAV; the process is described in the paper. Regards | |
New Paper - An approach to malware collection log visualization [Security Data Visualization] Posted: 19 Jun 2008 12:13 PM CDT I have just published an article related to malware collection log visualization. The paper focuses on visualization of Nepenthes logs using AfterGlow. In the paper you can find information about correlating IPs with countries and binary files with ClamAV signatures, with the goal of generating interesting graphs. You can get it at Regards | |
The Last HOPE List of Talks posted… [Liquidmatrix Security Digest] Posted: 19 Jun 2008 11:10 AM CDT The 1337 bastards at 2600 have posted the list of talks for The Last HOPE conference being held July 18-20 at the Hotel Pennsylvania in NYC.
Of course you’ll be able to find Dave and I there. Wouldn’t miss it for the world. Oh - and you might want to scroll that list of talks down… maybe just to the Featured Speakers section… or maybe just below that. See you in NYC. Tags: 2600, HOPE, the Last HOPE, hackers, conferences, NYC | |
Interesting Information Security Bits for June 19th, 2008 [Infosec Ramblings] Posted: 19 Jun 2008 10:22 AM CDT Good day all. Got a pretty good bunch o bits to take a look at today. So, without further ado, here we go! From the Blogosphere. The Sunbelt blog warns us about some CareerBuilder jobs being emailed out which are scams. Be careful out there. They will get you any way they can. Finjan came across over half a gigabyte of stolen US Healthcare and airline data. Ouch. Adam writes that Identity Theft is more than Fraud By Impersonation. He points out that in many cases, the real pain of identity theft is not monetary, but dealing with the tarnishing of your good name as you try to clean things up. He has a good suggestion for trying to help with this issue. Go read about it. Security4all points us to a couple of white papers that are worth giving a gander. The Extended HTML Form Attack Revisited by Sandro and Enablesecurity and Defeating the Network Security Infrastructure by Philippe at Radarhack.com. They are both on my reading list now. Irongeek has released a little tool called DecaffeinatID that
Looks pretty nifty. Rich has another missive that deserves to be read more than once. He talks about Database connections and Trust. I am not going to attempt to summarize what he puts forth. Go read it. You may have already heard about this, but a vulnerability exploit has been found in FF 3.0. It was reported to Tipping Point and passed on to Mozilla. They are working on a fix. Amrit and Hoff both are talking about whether virtualization security is a technical problem or an operational problem. Both are good reads. I won’t spoil it for you by giving away their conclusions. F-Secure has released version 3.0 of their Rescue CD. Could come in handy. From the Newsosphere. Via cjonline.com, some Kansas state equipment that was to be sold to the public contained confidential information. People, please make sure you have data retention, handling and destruction policies and procedures and that they are adhered to. From Dark Reading, ICSA Labs Forum has advanced a security standard for IPv6. Pointed to by Hack in the box and reported by Computer World UK, two laptops without encryption have been lost. This time by the HNS trust in the U.K. Again via Hack in the box and reported by Wired, it looks like Citibank had an intrusion that allowed a couple of men to grab at least $750,000 from ATM machines in New York City. Oops. That’s it for today. Have a good one. Kevin Technorati Tags: scam, breach, data loss, white papers, tools, database, trust, vulnerability, virtualization | |
Your coffee maker wants identity management [LiveBolt Identity Blog] Posted: 19 Jun 2008 10:10 AM CDT Consumer electronics: the next market for Identity and Access Management software? We just took a giant leap towards that reality with the availability of an “Internet connectivity kit” for the Jura F90 coffee maker. We take an even larger step towards needing IdM at home when said “Internet connectivity kit” doesn’t require a username or password for remote logins. Nor does it perform input validation when changing factory parameters. We even have Bugtraq and Security Focus vuln posts.
To be fair, we are talking about a coffee machine here, so IdM might be overkill. But if I paid Amazon $1800 for a coffee machine, I wouldn’t want some script kiddie shooting coffee beans at me from across the room, or worse yet — giving me a flat white, when I clearly pressed long black. I can hear it now… “Yes, IBM? Can I get a Tivoli Access Manager license for 2 users? My wife and I are going to use TAMeb for our coffee machine…” Source: CrunchGear | |
New Documents for PIX and ASA on cisco.com [varie // eventuali // sicurezza informatica] Posted: 19 Jun 2008 08:14 AM CDT A handful of new documents on ASA and PIX configuration have recently been published: ASA 8.x: AnyConnect SSL VPN CAC-SmartCards Configuration with MAC Support ASA 8.x: AnyConnect SSL VPN CAC-SmartCards Configuration for Windows ASA/PIX 8.0 with OSPF Configuration Example ASA/PIX with RIP Configuration Example Happy reading! | |
New Firefox 3.0 Vulnerability Discovered [Infosecurity.US] Posted: 19 Jun 2008 08:03 AM CDT A new, currently unpatched, vulnerability has been discovered in the recently released Mozilla browser, Firefox 3.0 (apparently, this issue also affects the previous 2.x series releases as well). The vulnerability, announced by the ZDI (the Zero Day Initiative at TippingPoint), is still confidential in scope, while Mozilla continues the work to mitigate the issue. [...] |
You are subscribed to email updates from Black Hat Security Bloggers Network To stop receiving these emails, you may unsubscribe now. | Email Delivery powered by FeedBurner |