Saturday, June 21, 2008

Spliced feed for Security Bloggers Network


Malware Files Collected By Nepenthes - Imported Symbols Relation [Security Data Visualization]

Posted: 21 Jun 2008 05:30 AM CDT

With several binaries collected by nepenthes I have correlated the imported symbols using the python module pefile and generated an interesting graph.

CSV:
...
...
b02a18d2dca59219b86354a442a95b0e,USER32.DLL
146d61fca77d748f5a5ecff53afd30e4,KERNEL32.DLL
146d61fca77d748f5a5ecff53afd30e4,COMCTL32.DLL
95a7a3e5ea764eed286b53623f9521ab,KERNEL32.DLL
2059abe419dfeca527b7cf5b53bbee6f,KERNEL32.DLL
005472c686a5f84ad8e2dea597f50e1d,KERNEL32.DLL
005472c686a5f84ad8e2dea597f50e1d,ADVAPI32.DLL
005472c686a5f84ad8e2dea597f50e1d,MPR.DLL
005472c686a5f84ad8e2dea597f50e1d,OLEAUT32.DLL
...
...

Regards
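As an added example (not the original post's script), the pefile extraction step and the sample-to-DLL relation built from the rows quoted above. It assumes `pefile` is installed only for `extract_imports()`; the CSV rows are the ones the post shows, re-embedded as constructed input, and the DOT output is a format choice of this example.

```python
"""Added example, not from the original post: rebuild the sample-to-DLL
relation behind the CSV above and find which samples share imports."""
from collections import defaultdict
from itertools import combinations
import hashlib

try:
    import pefile  # assumption: pefile installed; only needed by extract_imports()
except ImportError:  # keep the CSV analysis usable without pefile
    pefile = None

# Constructed input: exactly the "md5,DLL" rows quoted in the post.
SAMPLE_CSV = """\
b02a18d2dca59219b86354a442a95b0e,USER32.DLL
146d61fca77d748f5a5ecff53afd30e4,KERNEL32.DLL
146d61fca77d748f5a5ecff53afd30e4,COMCTL32.DLL
95a7a3e5ea764eed286b53623f9521ab,KERNEL32.DLL
2059abe419dfeca527b7cf5b53bbee6f,KERNEL32.DLL
005472c686a5f84ad8e2dea597f50e1d,KERNEL32.DLL
005472c686a5f84ad8e2dea597f50e1d,ADVAPI32.DLL
005472c686a5f84ad8e2dea597f50e1d,MPR.DLL
005472c686a5f84ad8e2dea597f50e1d,OLEAUT32.DLL
"""


def extract_imports(path):
    """Return (md5, [DLL names]) for one PE file; this is the pefile step the post describes.
    Caveat: a packed sample only exposes the unpacker stub's imports (often just
    KERNEL32.DLL), so KERNEL32-only nodes in the graph deserve a second look."""
    if pefile is None:
        raise RuntimeError("pefile is required to parse binaries")
    with open(path, "rb") as fh:
        data = fh.read()
    md5 = hashlib.md5(data).hexdigest()
    pe = pefile.PE(data=data, fast_load=True)
    pe.parse_data_directories(
        directories=[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_IMPORT"]])
    dlls = []
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        name = entry.dll
        if isinstance(name, bytes):
            name = name.decode("latin-1", "replace")
        dlls.append(name.upper())
    return md5, dlls


def parse_relation(csv_text):
    """Build sample->set(DLL) and DLL->set(sample) from 'md5,DLL' rows."""
    by_sample, by_dll = defaultdict(set), defaultdict(set)
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("..."):  # skip the elision markers
            continue
        md5, dll = line.split(",", 1)
        dll = dll.strip().upper()
        by_sample[md5].add(dll)
        by_dll[dll].add(md5)
    return dict(by_sample), dict(by_dll)


def shared_dll_edges(by_sample):
    """Sample-to-sample edges for pairs importing at least one common DLL,
    weighted by Jaccard similarity of the two import sets."""
    edges = {}
    for a, b in combinations(sorted(by_sample), 2):
        common = by_sample[a] & by_sample[b]
        if common:
            edges[(a, b)] = round(len(common) / len(by_sample[a] | by_sample[b]), 3)
    return edges


def distinctive_dlls(by_dll, max_samples=1):
    """DLLs imported by few samples; these separate clusters in the graph instead
    of joining everything through KERNEL32.DLL."""
    return sorted(d for d, s in by_dll.items() if len(s) <= max_samples)


def to_dot(by_sample):
    """Emit the bipartite sample-DLL relation as Graphviz DOT (one edge per row)."""
    lines = ["graph imports {"]
    for md5, dlls in sorted(by_sample.items()):
        for dll in sorted(dlls):
            lines.append(f'  "{md5[:8]}" -- "{dll}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    samples, dlls = parse_relation(SAMPLE_CSV)
    print(to_dot(samples))
    print("distinctive:", distinctive_dlls(dlls))
    print("edges:", shared_dll_edges(samples))
```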

Links for 2008-06-20 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 21 Jun 2008 12:00 AM CDT

Welcome to the Japanese Version of PCI! (Welcome to Japan, PCI!) [ImperViews]

Posted: 20 Jun 2008 10:08 PM CDT

I just got back from a week long trip to Japan. I met with a few members of the press (if you read Japanese, check out this article in the Nikkei BP's IT Pro magazine...I hope they got all my quotes right ;-) as well as partners and customers.  I also presented a session on Data Governance Trends for a full house seminar put on by Imperva distributor Tokyo Electron.

My main conclusion after a week in Tokyo is that Application Data Security is thriving in Japan. Database security and database activity monitoring have been a strong market in Japan for the last year or eighteen months, primarily as a result of "J-SOX" (J-SOX is an informal name, the formal name is Financial Instruments and Exchange Law. It is similar to Sarbanes-Oxley in the US).  While I was there, this article (also in ITPro and written in Japanese) was published about Imperva DMG customer, Ace Insurance.

What struck me was the number of questions I got about PCI.  It came up in literally every meeting I had in Japan.  In my seminar presentation, I summarized where I think we are with PCI in the US (strong enforcement push by the card brands and adoption considerably underway) and in Europe (about 18 months behind the US on the enforcement/adoption curve, but currently meeting strong resistance and resentment).  I left my Japan comments blank, but throughout the week I drew the conclusion that while Japan is just starting out with PCI (I'd guess 9 months behind Europe), I think that adoption in Japan will overtake Europe fairly soon.

I'm not sure if I know why, but my guess is that after a strong J-SOX push, the Japanese companies are more like US companies...they've been through the pain of a regulation once already, so they see a bit of the inevitability.  Also, very much like the Americans - they DO NOT want to have to do data governance manually...so most of the questions were about things like "How do I automate my compliance process?" and "What's the comparison of operational cost for code review/vulnerability scanning versus WAF?" (and yes, I explained why you need all of these things to work together).
Everybody wants to jump on the Green bandwagon [StillSecure, After All These Years]

Posted: 20 Jun 2008 09:23 PM CDT

These days every one wants to be seen as green.  Larry Seltzer over on PC Mag has an interesting story from McAfee Avert Labs that using anti-virus on your computer is green. The reasoning goes that by keeping your computer free of malware, your CPU usage stays lower, thereby using less energy and lowering your carbon footprint.  OK, I get it.  My question is what about all of the extra CPU cycles that some of the bloated endpoint security suites use on all of these machines they are installed on.  I would bet that they far outweigh any energy savings from clean machines.

I guess in place of wrapping yourself in the flag, the thing to do now is wrap yourself in the green thing. How long will it be until some company hires Al Gore to hawk their technology? In the meantime I would beware of Jolly Green Giants.

Instant Classic: A First Coffee Machine Hacked Remotely [Anton Chuvakin Blog - "Security Warrior"]

Posted: 20 Jun 2008 07:42 PM CDT

s- what else can I add?

Hack my coffee -> security taken seriously; screw ROI.

It Is With Great Trepidation... [Anton Chuvakin Blog - "Security Warrior"]

Posted: 20 Jun 2008 07:13 PM CDT

... that I announce that one of the true adepts of the ancient art of log analysis has - FINALLY!!! - joined the blogging world.

Sanford's first post "Why standards?" starts thus: "I've often wondered about the viability of broad vendor adoption of a log standard" (read more)

If some of you - you know who you are! - think that my blog is sometimes shallow in its coverage, that it doesn't have enough regexes and SQL commands, you HAVE TO go and subscribe to Sanford's; this will be deeeeep, since Sanford probably forgot more about logs than most of us would ever know (BTW, I am serious). Also BTW, Sanford is a Log Data Architect at LogLogic.

Lately, there have been much more people blogging about logs (I will post some new resources in a bit), but this is truly an event of the century...

So, CAN We Have DLP? [Anton Chuvakin Blog - "Security Warrior"]

Posted: 20 Jun 2008 06:59 PM CDT

Can we have DLP - data leak prevention?

Well, can we have IDS? How about IPS? Can we really "prevent intrusions?" Can we really "control access to our networks?"

The answer to "can we have DLP?" is actually pretty simple: if you think "DLP = box that prevents all data leaks" (and you also think that deploying IPS will "prevent intrusions"), then we can't. Forget it.

But blame the idiots who called it "leak prevention" - if you think that "DLP will prevent all leaks" - sorry, but you are one of them! :-) If you treat "L" not as "leak" but as "loss" and hope that "DLP will prevent all data loss, whether intentional or not," you are an even BIGGER one.

So rambling about "Can DLP Really Stop All Leaks" is pretty silly. No, it can't. Pondering "Is DLP Possible"  is just as silly. No, complete prevention of all leaks is impossible, with OR without DLP technology. Go read Mike R instead :-)

Why do seemingly smart people behave in such a childish manner? I dunno. Scratch all that. Instead ask:

Are today's cutting-edge DLP technologies USEFUL?

And the answer is "Hell yeah!"

If you see how much "fun" sensitive content goes over email (corp and personal web-based), gets uploaded to forums, channeled over IM file transfers, FTP'ed somewhere, you'd scream for one of these boxes. Accidental leaks, email address typos, non-malicious leaks, blatant disregard of security policy for the sake of "productivity", even phishing, "wholesale data theft" and amateur "employee hackers" probably account for 10x (100x?)  more damage (in direct losses, brand damage, embarrassment and - yes! - non-compliance fines AND loss frequency) than "uber-hackers" (who might indeed go thru your DLP box like hot knife thru butter.) And if an advanced DLP box does one day stop some determined insider theft, that's just icing on the cake.

That is why smart people don't call it "DLP" - they call it "content monitoring and filtering." This sounds much less sexy, but much more useful. The boxes that will show up on your doorstep will still have "DLP" labels, but what they will do for you is really content monitoring and filtering.  And even though it will not stop all data theft, DLP box will likely prove useful more than once...

Finally, all rants about any preventative AND monitoring technologies should really end the same: go refresh your incident response plans.


Is fear the only thing stopping you from telling your security vendor to take a hike? [StillSecure, After All These Years]

Posted: 20 Jun 2008 06:24 PM CDT

A blog with one of the biggest followings on the SBN is the GNUCitizen blog. Today in a post called "Fear" the author states, "The entire information security industry today is based on fear." He then goes on to say, "This is what gives security vendors the power to sell you useless products which you don't really need."  So of course I don't agree with the latter statement, not all of those products are useless, but is it really fear that is motivating buyers?

Fear of what is a good first question. The blog post talks about fear of being hacked, fear of harm to reputation.  To that we can add fear of jail or fines and by doing so cover the compliance issue. So yeah, at first blush it does appear that fear is the prime motivator in security.  But think a bit deeper on this and you come to the conclusion that fear is a primary driver for so much of what we do besides security.  Fear of failure, fear of loss, fear, fear, fear. Is there anything besides fear that motivates people?

For me it comes down to the carrot or the stick.  The carrot being the reward.  So making money or however you measure success is certainly motivating.  The stick is failure.  There are consequences of failure.  But really, aren't success and failure two heads of the same coin?  Aren't the rewards of success and the consequences of failure a Zoroastrian type of Yin and Yang?

So if in the final analysis, success and failure are intrinsically linked, there really is nothing wrong with saying security sales are motivated by fear, because by the same token they are motivated by success.  Now as to useless security products, let's discuss that a bit later. All of this philosophy is hurting my head.

CISSP Dies? [Anton Chuvakin Blog - "Security Warrior"]

Posted: 20 Jun 2008 05:42 PM CDT

Fun post on the sad fate of CISSP

See You in Vancouver at FIRST 2008 [Anton Chuvakin Blog - "Security Warrior"]

Posted: 20 Jun 2008 02:17 PM CDT

See you at FIRST2008 in Vancouver next week: my "Logs for Incident Response" tutorial - a whole day of logging fun! - will be presented there on Monday, June 23rd.

It is a great pity that I won't be able to spend more time at the conference as I have another one on Tuesday :-( - a "can't miss" kind since it is related to CEE.

Also, Honeynet members in attendance are planning a meet-up. Come find us there Monday night...

Best Security Marketing Video Ever. [NP-Incomplete]

Posted: 20 Jun 2008 01:40 PM CDT

Kaspersky did this: Hats off to Ryan Naraine for finding it.

Safari For Windows Vulnerabilities [Liquidmatrix Security Digest]

Posted: 20 Jun 2008 01:36 PM CDT

This one came out early this morning.

From Secunia:

Description:
Some vulnerabilities and a security issue have been reported in Apple Safari, which can be exploited by malicious people to disclose sensitive information or to compromise a user’s system.

1) A boundary error within the handling of BMP and GIF images can be exploited to trigger an out-of-bounds read and disclose content in memory.

2) A security issue exists due to Safari automatically launching downloaded executable files from sites in an Internet Explorer 7 zone with the “Launching applications and unsafe files” option set to “Enable”, or sites in the Internet Explorer 6 “Local intranet” or “Trusted sites” zone.

3) An unspecified error in the handling of Javascript arrays can be exploited to cause a memory corruption when a user visits a specially crafted web page.

Successful exploitation of this vulnerability may allow execution of arbitrary code.

The vulnerabilities are reported in Safari for Windows prior to version 3.1.2.

If you’re running it patch ‘er up. Or conversely you could just bite the bullet and get a Mac. (right, and use Firefox with NoScript. thx folks)

:)

Article Link

CEE White Paper Out (Finally!!!!!!!!!!) [Anton Chuvakin Blog - "Security Warrior"]

Posted: 20 Jun 2008 01:32 PM CDT

Don't you dare make fun of my "Finally!!!!!!!!!!" in the title. We've been waiting for the release to happen for a "few" months already.

In any case, Common Event Expression (CEE) standard takes a major step forward: our whitepaper is finally public (page, PDF)

"Provides a detailed introduction to the Common Event Expression (CEE) initiative to create an open community-developed event interoperability standard for electronic systems. The paper describes the scope of the problem; explains how CEE's Common Log Transport (CLT), Common Log Syntax (CLS), Common Event Expression Taxonomy (CEET), and Common Event Log Recommendations (CELR) will provide the framework for a community consensus in log transportation, log syntax, event representation, and event logging recommendations for various log sources and scenarios; examines the benefits and illustrates them in two use cases; reviews CEE in comparison to past efforts; and offers a roadmap to creating the CEE Language Specifications."

We have been working on this baby for a long time, but it was "in approval" for loooonger....

Podcast Party with Shimmy & Mitchell [Security Uncorked]

Posted: 20 Jun 2008 12:28 PM CDT

I guess Alan was bored, or couldn’t find a guest for last night’s podcast, so he grabbed me ;)

Of course, I was still trying to get work done at 10:30pm, but it was a nice 45-minute distraction from my dozens (or hundreds) of 802.1X technical pages.

You, too, can bask in the amusement that is Shimel and Ashley’s SSAATY Podcast and hear a few of my random thoughts and ramblings. I have a few more thoughts to throw on the Rohati pile probably, but we’ll get to that another day.

Below is from Alan’s blog post.

StillSecure, After all these years, #55 - JJ in the house

JjEpisode 55 of SSAATY is a fun one.  Mitchell and I are joined by JJ, Jenifer Jabbusch of Security Uncorked blog.  JJ is someone I have gotten to know over the last year or so and she is a lot of fun. On top of that she is very technical and huge supporter of 802.1x, NAC and security in general.

JJ, Mitchell and I talk about Rohati, NAC, 802.1x and a bunch of other stuff in our usual rambling, stream of consciousness style.  It is about 40 minutes of informative good times.

If you like the content of these shows or have any other comments or questions, please drop us a line at podcast@stillsecure.com

Thanks to ClickCaster for hosting our podcast. Tonight’s music is the usual, To the Summit by Jon Schmidt. You can hear more from Jon at http://www.jonschmidt.com. Music transitions between segments are by our own Mitchell Ashley.

Listen online here:
http://www.clickcaster.com/channel/item/stillsecure—after-all-these-years—podcast-55-with-jj

# # #

StillSecure, After all these years, #55 - JJ in the house [StillSecure, After All These Years]

Posted: 20 Jun 2008 09:02 AM CDT

JjEpisode 55 of SSAATY is a fun one.  Mitchell and I are joined by JJ, Jenifer Jabbusch of Security Uncorked blog.  JJ is someone I have gotten to know over the last year or so and she is a lot of fun. On top of that she is very technical and huge supporter of 802.1x, NAC and security in general.

JJ, Mitchell and I talk about Rohati, NAC, 802.1x and a bunch of other stuff in our usual rambling, stream of consciousness style.  It is about 40 minutes of informative good times.

If you like the content of these shows or have any other comments or questions, please drop us a line at podcast@stillsecure.com

Thanks to ClickCaster for hosting our podcast. Tonight's music is the usual, To the Summit by Jon Schmidt. You can hear more from Jon at http://www.jonschmidt.com. Music transitions between segments are by our own Mitchell Ashley!

VizSec 2008 Call for Posters and Demos [Security Data Visualization]

Posted: 20 Jun 2008 08:38 AM CDT

VizSEC 2008 Workshop on Visualization for Cyber Security
http://vizsec.org/workshop2008/
September 15, 2008 / Cambridge, MA USA
In conjunction with RAID 2008

Submission deadlines:
Poster and Demo submissions - July 18, 2008

VizSec is accepting submissions (2 page abstract) for posters and demonstrations. Poster and Demo abstracts will be made available on the VizSec web site.

Posters
Posters can be used to describe work in progress or updates to previously published VizSec research or R&D. Poster submissions should consist of a 2 page abstract. Poster will be presented at the VizSec/RAID reception. Abstracts will be made available on the web site.

Demos
Demonstrations can be used to show new or updated development efforts. Demo submissions should consist of a 2 page abstract. Demonstrations will take place at the VizSec/RAID reception. (You will need to bring a laptop for demos.) Abstracts will be made available on the web site.

http://vizsec.org/workshop2008/

Security Briefing: June 20th [Liquidmatrix Security Digest]

Posted: 20 Jun 2008 07:52 AM CDT


Friday is upon us and I can see light at the end of the tunnel.

And now, the news…

  1. Computer with software stolen from RIDC Park Company (SCADA management software) | Pittsburgh Tribune-Review
  2. Staff ignore data security, surveys say | IT PRO
  3. Lessons from the Verizon 2008 Data Breach Investigations Report | InfoWorld
  4. Microsoft’s critical Bluetooth patch didn’t work on XP | Network World
  5. Sweden passes eavesdropping law | International Herald Tribune
  6. From zero day exploit to zero day fix | IT Director
  7. Briton searched web for ways to kill, court told | The Guardian
  8. FaceTime Security Program Locks out MySpace Applets | PC World
  9. Security breach hits DivShare, unauthorized access to its database | ZDNet


"Secure Resolutions" Sends Spam [Richi Jennings]

Posted: 20 Jun 2008 07:08 AM CDT

Update June 19: VerticalResponse has confirmed that Secure Resolutions' account is now closed and banned. Well done, guys.

Yesterday, I got email from some company called Secure Resolutions.
We are contacting you because you are currently a customer or you have been a customer and we would like to continue to be your supplier of anti-malware and backup protection. I would like to take this opportunity to introduce you to our award winning, patented technology...
etc., etc., etc.

Trouble is, I've never heard of them, and the role account they sent it to is incapable of being a "customer" of anyone. Yes, friends: ergo, this email was spam.

(Incidentally, there seems to be some connection between this company and Panda Security, who I've also caught spamming.)

The company uses VerticalResponse to send this spam, so I shot a note to their abuse alias and got an encouraging note back from their Email Delivery & Policy Enforcement team. VR says it has "completely disabled" the Secure Resolutions account and "opened an investigation."

Watch this space for updates.

Anyone else had problems with this sender?

CISSP is here to stay! Sorry, Dre. [Security Thoughts]

Posted: 20 Jun 2008 06:14 AM CDT

Dre wrote an article in which he put the argument down that the CISSP is on its way out. What he really argues is that a "generalist" Information Security position is no longer very important, specialisation is the only way to go.

I disagree. I am a CISSP and an InfoSec "generalist" but that is not why I disagree.

I love it when I read a blog and then read another about a totally different topic but that in some way relates to the first blog. And the second blog I read today is Mr Andy, IT guy's blog. In his blog entry he complains rather tongue in cheek about how many meetings he attends.

While Andy and I are many miles apart it amazes me just how similar our lives are and, yes, I also spend ages in meetings. On average I spend about 2 hours of my day not in meetings. And I love it. Every meeting that I attend makes me more educated by how the business I work for - works. I also give my input and hopefully touch on all the people just how important protecting information is.

Just like Andy, I was a techno geek until recently. I was a Firewall specialist. A Check Point Firewall specialist. I could read the pseudocode it would chuck out. I could edit the configuration with a text editor. I could read log files. I knew the system backwards. I am now employed in a company that doesn't even have a Check Point Firewall. I have moved onto something totally different.

There is a need for people who can configure security devices, perform active directory magic etc, etc. Even guys who are experts in logs. But you certainly don't want these guys tied up in meetings the whole day. You want them working on the systems that they know well.

You also want someone who can go to meetings and interface with business. Someone who can make a risk decision or at least know who to speak to. This person must be technical but also able to chat formally and informally to business and must always be thinking security. He must understand that meetings are not a waste of time but time spent educating business about security.

It is my belief that this person is not just important for a large organisation like the one I work for but even a one person shop should have one. Obviously, in that case a consultant should be used rather than a permanent employee but it is important.

The person does not have to be a CISSP but it is a good way to show that they are interested in an InfoSec career.

On a related note - I, like Andy, miss the technical side of InfoSec. But I also enjoy the ability to see my larger ideas implemented. I also enjoy selling InfoSec, something I am passionate about. In short, I enjoy my job and am happy I moved from being a techie to being an analyst. They are very, very different jobs. There are some people who may not be as happy as me. I know some, they are techies and are really good at what they do and they have no want to move to anything else. They want to specialise. In South Africa, these people are not rewarded for their knowledge and that is a problem because there is a need for the specialists. Hopefully, as demand increases and there are some techies that shine, they will be rewarded.

Can you be trusted? Can you prove it? [The Security Catalyst]

Posted: 19 Jun 2008 04:39 PM CDT

"What questions do I need to ask to make sure my vendor is protecting my information?"

I got asked that question last week from a new client working through the Protecting Information Program (PIP). Following the PIP process, he realized vendors were supporting key systems — raising questions he could not answer. He needed more assurance that he wasn't taking on unnecessary risk – and was looking for guidance. It is a good question. The challenge, however, is to provide an equally good answer.

Traditionally, the answer to that question is focused on the vendor employees in terms of how many hold a security certification (my status as a CISSP Instructor has been valuable in the past). This is better than nothing, but all-too-common is the situation where the cobbler's children wear no shoes (or the modern adaptation where the contractor's spouse never has anything fixed around the house). 

Instead of relying on individuals holding certifications, some turn to checklists. Checklists are both good and dangerous (I feel another post coming on about my experiences with developing checklists). Checklists that are simple easy-to-understand and as easy to apply/answer are more effective. But what happens if the business asking the questions lacks the experience to gauge the answers?

We need a better solution.

I recently got an insider's look at a better solution: The Security Trustmark, a new organizational-level certification being developed by CompTIA. Some limited information is available here: http://www.comptia.org/sections/trustmark/

From their website:

The CompTIA Security Trustmark is a vendor neutral accreditation around security business capabilities and processes that have been agreed upon by the IT industry to promote generally accepted security practices that will invoke the trust of end-users.

The objective of the CompTIA Security Trustmark accreditation is to develop a baseline standard of security practices around service and support business competencies for Solution Providers and Managed Services Providers (MSPs).

After participating in the workshop and spending a few weeks pondering this approach, I want to briefly introduce what I consider to be the benefits of this offering, share what I liked and explain where I see the challenges (tomorrow).

And then I want to learn – join me in the conversation about this whether by email (securitycatalyst - gmail), by twitter (http://twitter.com/catalyst), in the Security Catalyst Community Discussion Forums or by telephone. I want to learn about other models, efforts, and attempts. I want to understand if there are additional challenges for us to consider. I want to understand how this effort is (or becomes) useful to more people.


The Starting Point

Initially, this approach is geared toward small and mid-size vendors and VARS: companies that work within "the channel." This approach:

  • sets a standard for smaller companies to achieve, allowing them to demonstrate to their channel partners they pose less risk to work with
  • allows vendors higher confidence across their entire channel
  • creates distinction for VARs and Channel Vendors alike that results in competitive advantage

With the growing attention on breaches, privacy and compliance – rather than working to explain all of your measures, think of the power of explaining that you have attained the Trustmark – publicly verifiable and audited.


The Big Picture (as I see it today)

My passion for this, of course, is bigger. In the last few years, a growing challenge for those I work with is defining and explaining the minimum set of acceptable controls to protect information. Equally challenging for larger organizations is designing and employing third-party (vendor) review processes.

This results in a lot of re-creating the wheel. And it increases the cost of business for everyone involved. I have no argument with the need for due-diligence on vendors – but lament every year the lack of a "common application" approach that seems to work for university applicants.

Imagine being able to pre-validate vendors by virtue of having a Trustmark?

Provided the core elements of Trustmark are publicly available (transparent) and regularly maintained to represent the distilled good practices for managing people, information and risk, we collectively take a step forward.

  • Businesses know what is expected of them – and will have the opportunity for the guidance and support to take the appropriate actions for their business. They can then earn the Trustmark designation and use that to differentiate themselves for contracts.
  • Companies seeking to review vendors can greatly cut down on costs and timelines for vendors with a valid and audited Trustmark. It may not replace the current programs – but it certainly establishes a stronger base to start from and increases assurance while decreasing risk.

Done right, Trustmark is not another reinvention of the wheel. Rather, it provides a clear direction for businesses that distills the best of industry guidance. I envision this operating almost as an "overlay" – where several valid methods to meet the controls are deemed acceptable. This reduces complexity and more naturally meets the needs of those who seek the certification. For example, companies already compliant with HIPAA and PCI should be able to easily earn the Trustmark. At the same time, a company that need not meet any of those requirements is equally able to address and satisfy the controls necessary to get certified.

Over time, I envision this meeting the needs of car dealers, medical offices, bank branches – the very places we visit on a regular basis. I see this as the smartest way to distill the best of our industry and present guidance in simple terms to businesses that want to protect information, but focus on other areas (for example, making money).

Answering the Question

No question, I am excited about the potential Trustmark holds (both short-term and long-term). I see this as a real answer to valid and necessary questions about how vendors protect information — in a way that builds trust and allows everyone to focus on whatever they do best while meeting fiduciary duties.

As I was working on this article, I took an unexpected meeting with a company facing the same challenge: how to assess their vendors from an information-protection perspective. The marketplace is ready for standard guidance and a program that builds confidence; we have an opportunity to make a difference!

Tomorrow, I'll continue this article by explaining the key challenges I see facing Trustmark, as well as some insights on how to avoid it. In the meantime – how do you answer the question when asked about assessing vendors? How do we avoid creating the wheel? How would this benefit your business?
