Monday, June 23, 2008

Spliced feed for Security Bloggers Network

joke of the day : a new RFC for sex cam girls [belsec] [Belgian Security Blognetwork]

Posted: 23 Jun 2008 06:36 AM CDT

from faq.org discovered with Google

Time for some cleaning up?

Why they develop ehealth in Belgium - some quotes [belsec] [Belgian Security Blognetwork]

Posted: 23 Jun 2008 06:33 AM CDT

Datanews published an interesting column about e-health by professor Bart van den Bosch. It is always interesting to have proponents starting to talk because they always say more than they intend to. This is because for them it is all so evident and they never see any argument from the other side of the table, and so they forge ahead and just say it all.

First he says that the present system of electronic healthcare is INSECURE "because of too few investments and too little knowledge". He says security is mediocre, but that is a non-concept in security. You are secure enough or you are not.

Secondly he says that we need this big institutional machine because otherwise it will be the patients/individuals/citizens themselves that will use Google and Microsoft ehealth projects to decide with whom they will trust their health data. In ehealth there is nothing of that sort. You give it and the moment you have given it, you have lost it. In fact, they don't even ask if they may have it.

And of course you can't have that, people deciding for themselves what they will do with the information about themselves.

The privacy commission agreed with this proposal, but who sits in the privacy commission?

FUD about personal webcam hacking by pedophiles [belsec] [Belgian Security Blognetwork]

Posted: 23 Jun 2008 05:22 AM CDT

Just as we were saying that old security stuff will come back in the news as child protection against pedos stuff, there is an alert making the rounds around here by a Dutch organization that pedos could use hacking software or viruses to hack webcams of kids and oblige them to do stuff they really didn't want to do.

I suppose that in Belgium this problem is resolved as the EID would have resolved the question of access to kids chatrooms already long ago ;)

Now this story is as old as the question of hacking someone's email account (you know, that question that keeps popping up on all the hacking forums since a year or ten ......)

Another old part of the story is that girls (and in lesser numbers boys) are said to be coerced into showing off their 'beauties' on recorded cams - where too excited I presume - and being blackmailed afterwards. The same storyline that goes with the digital sex pics from famous and totally ordinary people that end up on the web after the break-up. A more modern twist to it is that some of these pics were taken by phone cams.

And so all these ingredients are being brought together in an old soup with some new tastemakers. But just follow the same old rules:

* secure your computer (antivirus, firewall, antispyware, patching,.....)

* set the update of your webcamsoftware to automatic or update your software manually before you use the webcam

* attach your camera only when you use it (why else ?)

* limit your cam only to conversations with people you like and know

* there is nothing bad in some parental control and guidance, depending on age and some other factors

This is the only good thing about these hyped up stupid stories, to attract the attention to some things.

Oh, do we have a webcam, and oh, do we have to secure it, and oh, is that really possible?

New proposals in the Chamber of Representatives [belsec] [Belgian Security Blognetwork]

Posted: 23 Jun 2008 04:52 AM CDT

A new section of this blog; a number of posts along these lines will follow.

FOCUS   Bill establishing and organising the eHealth platform. 001 Date: 19/06/2008 BILL
<http://www.dekamer.be/FLWB/pdf/52/1257/52K1257001.pdf>

Bill amending the Income Tax Code 1992 and establishing a flat-rate tax regime for copyright and neighbouring rights.
003 Date: 16/06/2008 REPORT
004 Date: 16/06/2008 ADOPTED TEXT
<http://www.dekamer.be/FLWB/pdf/52/1188/52K1188003.pdf>
<http://www.dekamer.be/FLWB/pdf/52/1188/52K1188004.pdf>

Proposal for a resolution on introducing a ban on the use of "Mosquito"-type systems to drive away loitering youths.
003 Date: 18/06/2008 AMENDMENT
<http://www.dekamer.be/FLWB/pdf/52/1186/52K1186003.pdf>

Best of New on Wikileaks this week [belsec] [Belgian Security Blognetwork]

Posted: 23 Jun 2008 04:39 AM CDT

US Special Forces counterinsurgency manual leaked. It doesn't differ that much from older stuff and it is not yet clear if it is really a leak or just a helping hand that finds information that we otherwise wouldn't be looking at.

US Army Mortuary Affairs contaminated remains presentation 2007 This is a very interesting document.

Assassinated FARC spokesman Raul Reyes Yahoo mailbox 2007-2008. So they maybe got this from the laptop that was found during the raid. I think more FARC stuff will come out, but they are doing it intelligently (sic), bit by bit.

UK and Danish rules of engagement in Iraq 2006

Yep, this is new content around here: follow Wikileaks every week with the best documents that are published over there.

Big Brother vs. Acceptable Balance [CultSEC Blog]

Posted: 23 Jun 2008 04:17 AM CDT

One of the things I've learned over time is how people deal with change. Introducing an INFOSEC program needs to take this into account. It is also one of the most important lessons I learned...the hard way.

When I retired from the navy and moved to the civilian sector I admit I carried a large navy attitude. I was a Chief when I left. A navy chief is used to looking at problems and getting them solved asap. We're trained to make do with what you have; lead and motivate your people; and cut thru the bullshit to reach the objective. It sounds a little arrogant. For the military, it works. In my new role as being the first Information Security Manager for a rural wireless carrier, it didn't work so well.

You see, I know what should be done for good INFOSEC. When setting up the program, I went for the easy, quick hits to get security rolling. Instead, I ran right smack into a brick wall. I wasn't the chief anymore. I also was getting nowhere fast. You see, the direct approach wasn't working. People would look at me and some asked, "Who are you?" and "Why should we care?" I also discovered folks were not too willing to accept some of the security initiatives because they thought they fit into the "Big Brother" category. Oh great, someone is here to look over our backs. The open environment was over, and I was the one bringing in the change, making me the CBB, or Chief Big Brother. Others called me different names, which I'll leave to your imagination.

A good chief petty officer, or good leader, should always step back when hitting the brick wall, and reevaluate tactics. I did this and regrouped on my approach, and my leadership style. Leaders need to have multiple styles in their tool bag anyway. Sometimes you need to run into the wall first to recognize that.

What I realized is this: there is a difference between Big Brother vs. Acceptable Balance. People know this and may often jump to the conclusion a new security program is going to mean "Big Brother." If the program is implemented poorly that is what may happen. The challenge is in rolling out a new INFOSEC program in such a way it is meeting the needs of the business without going to the extreme of Big Brother. Of course, there may be exceptions when a Big Brother approach is absolutely needed. We'll save that for another day.

Finding an acceptable balance can be done, I believe, if the INFOSEC program is looked at from start to finish. A business should know what the objectives are before jumping in with both feet. The executive management should understand the risks, and make appropriate decisions to accept them or mitigate them. Before implementing anything, the front line of defense should be prepared and educated. That front line is your employee base. Without them, your INFOSEC program will go nowhere.

Take the time to discuss the needs for INFOSEC in your business. Put it into terms and scenarios your employees can relate to. Keep in mind that INFOSEC is going to be a new aspect to their jobs. For some it won't be a big deal. Others will kick and scream. After all, they weren't hired to worry about security. They are there to do marketing, sales, or some other field of specialty. Don't worry, eventually they will come along. If they don't, then it may be time for them to seek opportunity elsewhere--if you are serious about security yourselves.

Sit back and think about this for awhile. Selling and obtaining buy-in to INFOSEC will be needed to move in the direction of achieving an acceptable balance. As your program matures you may discover some aspects of it that will require a Big Brother mentality to achieve appropriate risk mitigation. The nice thing is it may seem to be just another aspect of your acceptable balance goal.

You'll get there one day at a time. And if you feel stuck, don't be afraid to reconsider your leadership style and make adjustments. A good chief petty officer is always compelled to do that. So are good leaders. What's fun is when you get to make that style change multiple times in an hour.

When I look back on how I did in getting my program started, I feel pretty good about it and I wouldn't give up the experience.

Good luck!

hack of the day : armenian embassy in Belgium and a question for zone-h.com [belsec] [Belgian Security Blognetwork]

Posted: 23 Jun 2008 02:35 AM CDT

But when you try to surf to the site, which has been reset since, and you go to zone-h.com to see the screenshot, then there are numerous other redirects that open in your browser (if you don't block them).

We welcome the fact that zone-h.com is back and it seems that they have taken some measures to increase the stability of their unique index, but we would like to warn them that using the term screenshot is not really true. They don't take static screenshots but dynamic 'states' of the site at the moment of the hack. This means that if you set music, redirects and exploits in your hack, they will stay active in their 'screenshots'. But many people will think that it is just a static screenshot that has neutralised all this.

So either you change the term from screenshot to 'state' and you put a warning on the site that redirects, exploits and drive-by downloads are possible, or you take screenshots (possibly based on the active state that you have downloaded). You could also use dynamic states in the 'on holds' and work with static screenshots for the archive.

For the rest, good to have you back.

The Product Formerly Known as WAF [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 23 Jun 2008 12:00 AM CDT

I've read too many blogs about how the Web Application Firewall (WAF) is a misnomer, and I've come up with a solution. I would like the entire micro-niche of current WAF vendors to change your name to ...
"Web Application Intrusion Defense System" or WaIDS for short

This makes far more sense than calling a product which is *not* a firewall exactly that - and it solves the issue of that managerial response "but we already have a firewall". Doesn't this make so much more sense? I'm serious. The new name would convey the idea of what a WAF actually *is* and give the technology actual meaning, and better sense of purpose.

In addition to the brilliant new name, here are the Top 5 things that WaIDS should advertise itself to solve:
  1. Short-term detection of known web application security defects
  2. Security support for legacy web-based applications (those not likely to change)
  3. Layered (defense in-depth) security for well-established application security programs
  4. Auditing, auditing, auditing of web-application attacks
There you have it. I've solved the problem. Next?

Is that black box technology? [StillSecure, After All These Years]

Posted: 22 Jun 2008 11:32 PM CDT

Dr Anton has a short, to the point post up about a conversation he had with someone recently. They bought a "security appliance" (and I use that term loosely) that is just off the shelf hardware with Linux/BSD and some security software. The vendor however refuses to give the customer who bought the frigging box the root password! The root password is shared among the vendor's support people only!

Dr Anton wants to know if somebody is insane. I am afraid the answer is yes. Too many vendors do this to add a layer of mystique to their "black box, purpose built" schtick. Give me a break. If you buy a box and you can't have the root password to it, either give it back or use it as a flowerpot!

Crime Servers Discovered by Finjan [The IT Security Guy]

Posted: 22 Jun 2008 04:10 PM CDT

This isn't unusual these days. Finjan's Malicious Code Research Center recently found 500 megabytes of stolen data on servers in Argentina and Malaysia. Apparently, the data were for sale to the highest bidder, according to this report in SC Magazine last week.

This also isn't the first time Finjan, a web security outfit, has found a crimeware supermarket. They have a lot of interesting reports and tools on their web site.

Tips for Protecting Your Identity Online [The IT Security Guy]

Posted: 22 Jun 2008 04:05 PM CDT

Here are some tips from a recent Computer World article about protecting your identity online. They're pretty much common sense, but they still bear repeating.

The first, and most obvious, is to not post any personal information -- address, birthday, or phone number, for example. This is a lot different than posting about something like your musical tastes, which isn't likely to be used for either identity theft or physical assault.

Be careful about who you expose yourself to. Use privacy features, and opt out of searches, on social networking sites like Facebook.

Thirdly, be careful when dating online. Rather than just assume anybody posting is who they say they are, use a reliable and reputable service that screens its applicants.

Love can be online. It just has to be careful. It's not like a bar, where you can see and talk to a potential mate in person. Even then, prudent adults would be careful. Treat the online world the same way.

links for 2008-06-21 [Raffy's Computer Security Blog]

Posted: 20 Jun 2008 09:32 PM CDT

I’m With Ptacek- I Run My Mac As Admin [securosis.com]

Posted: 20 Jun 2008 08:06 AM CDT

I’m still in New York for the FISD conference, listening to Team Cymru talk about the state of cybercrime as I wait for my turn at the podium (to talk about information-centric security and DLP). One problem with travel is keeping up with the news, so I pretty much missed the Applescript vulnerability and now have to write it up for TidBITS on the plane before Monday.

I was reading Thomas Ptacek’s post on the vulnerability, and I think it’s time I joined Tom and came out of the closet.

I run as admin on my Mac. All the time. And I’m not ashamed. Why? As Ptacek said, even without root/admin there’s a ton of nasty things you can do on my system. In fact, you can pretty much get anything I really worry about. I even once wrote some very basic Applescript malware that ran on boot (after jailbreaking an improperly configured virtual machine). It didn’t need admin to work.

There. I feel better now. Glad to get that out there.

(If you’re going to criticize this, go read Tom’s post and talk to him first. He’s smarter than me, and not on an airplane.)

Backtrack 3 FINAL is released. [Security4all] [Belgian Security Blognetwork]

Posted: 20 Jun 2008 05:49 AM CDT

Today, live on the Pauldotcom show, the developers of Backtrack announced the release of Backtrack Final. From the remote-exploit.org website: Description: CD Image Name:: bt3-final.iso Size: 695...

Application Security - Logic Flaws [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 20 Jun 2008 05:20 AM CDT

Web Application Security Scanners are great tools, in my opinion, and they are getting better and better at finding a wealth of flaws with the applications - but one perfect example of what humans are required for is the following. This is a real-world example - obviously I can't reveal the client but if you know me then you've heard this story and you know exactly who I'm talking about... my point though is the company this happened at is irrelevant. The real issue is the problem, and how it was detected. The example shows how a human being using a black-box scanning tool was able to find a logic flaw within an application that would have been catastrophic if exploited in production... a combination of technology and people with a sprinkle of process saved the day - sort of.

Imagine the following scene... A web-based application, heavily relying on database connectivity, is built in J2EE and about to be released to production. The security team, as typically happens, has to "certify" the application code as 'secure' before production. Let's take into account that the application was just load-tested with 10,000 concurrent users and it breezed through testing.
Security now gets this application and runs a black-box scanner (doesn't matter who the vendor is) against it. The application "halts" after just 10 requests. By halts I mean becomes non-responsive, and effectively dead. Obviously this test is repeated 2 or 3 times, once the app server has been restarted and the same exact result comes back. 10 requests sent, app stops responding... effectively it's dead.

At this point the project manager starts to panic, and the blame-game ensues. Clearly it's the security team's "fault" for breaking the application. Once this idiotic argument gets slapped down, rationalization begins - "well, it worked perfectly with 10,000 users, what are you doing differently (besides launching attacks)?" A few days go by, the tests are repeated a few times but the result is always the same. The app server is restarted, and it sings perfectly until the black-box scanner sends 10 bad-data requests, at which point it falls over.

After a week of this, the security analyst asks to step in and analyze the logs to try and help. By now the project is behind schedule for release and people are starting to get very upset. A look through the logs around the time the scan was run produces very strange "Connection pooling" errors from the app server. Basically, there is a connection pool that is being exhausted, and the app just stops working, waiting... indefinitely.

The moral of the story was - after a week of developers trying to figure it out, it took the security analyst looking at it for 5 minutes to isolate the validator function and laugh as the solution was painfully obvious.

Here's the pseudo-code... enjoy figuring this one out - feel free to post replies...

    # The post's pseudo-code, rendered as Python. The behaviour is kept exactly as
    # described in the story; open_db_conn/close_db_conn/data_is_valid/process_request
    # stand for the app server's own pool and validation calls.
    def main_data_validator_function(request):
        db_conn = open_db_conn()          # connection taken from the pool first
        if data_is_valid(request):
            process_request(db_conn, request)
            close_db_conn(db_conn)        # returned to the pool only on this branch
            return 1
        else:
            return 0                      # invalid data: db_conn is never closed
OOPS?

Las Vegas Hotel Security [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 20 Jun 2008 05:07 AM CDT

Las Vegas hotel security is apparently taking pointers from the TSA. You've all heard (or read) me rant about how the TSA is trying very hard to give the "perception" that commercial flight is more secure but the reality is much different... apparently the hotels here in Las Vegas are following suit.

On a recent business trip (still here as I write this) to Vegas I had occasion to stay at the Palazzo hotel, gorgeous in every way including their perception of security. As you walk towards the guest suites you're greeted and interrogated by "security guards" who ask you to show your room key - presumably to keep the hookers out, haha... The odd thing is just holding up a room key, or walking with someone who is, will get you in.

The other interesting thing is what happened to me as I walked out of my room to go down to the pool, realizing that I forgot my key in the room as it slammed behind me. In what I think is a rather disturbing story, here's what happened. I walked down to the registration desk, only to be asked for my photo ID (sound familiar yet?). Obviously I didn't have a wallet so I had no ID on me. The agent asked me for my room number, and my last name - then once I gave her that he told me to go up to my room and wait for security to come up. After about 2 minutes of waiting, security shows up, asks me my last name, which I give them, and lets me into my room. No need to watch me go in, no need for me to produce an ID from my room... nothing.

I am now officially worried as crap. I have a laptop, work stuff, and some rather expensive clothes in here, and if all it takes is to get security up to let you in - this is a problem. There is this illusion that there is high security in the hotel - but when it comes to practice, it's just all for show and the reality is security doesn't exist.

What a disappointment in the Palazzo, and what a scary situation to have to be in... yikes.

Firefox vulnerability discovered [Security4all] [Belgian Security Blognetwork]

Posted: 19 Jun 2008 09:37 PM CDT

Well, a vulnerability was discovered in Firefox, not just version 3. But timing wise, just after the launch of version 3, it isn't good PR for its security. Details are still sparse till the patch...