Thursday, June 26, 2008

Spliced feed for Security Bloggers Network

In Praise of the Information Security Checklist [BlogInfoSec.com]

Posted: 26 Jun 2008 06:00 AM CDT

There is much anger and venom spat when the subject of the information security checklist is brought up. At one point in my career I looked at the checklist with disdain, figuring that only people who do not understand the true depths of a subject relied on checklists as a crutch in place of knowledge. Since then I've had a change of heart. I admit freely that there are people who use checklists as a crutch, but to me, this is not the ultimate purpose of a checklist.

How are checklists used by information security professionals? First, they may be used by individuals to check the state of security against an ideal configuration or corporate/government policy. Essentially, this use of a checklist is for audit purposes. Second, checklists may be used by the staff to show what happens in the department on a daily, weekly or monthly basis. This checklist is often referred to as the "daily checklist" of security tasks. It basically shows the framework and methodology of the department. Finally, a checklist may be used to teach others what to do for a given subject matter. One may think of the OWASP Top Ten or the SANS Top 20 as checklists that instruct professionals on what to be aware of and review in their information security program.

The value of the checklist is derived from two concepts: completeness and demonstrativeness. Completeness is important because we do not want gaps in our program that may increase our exposure, whether that exposure be legal, compliance, soundness of security settings, thoroughness of reviewing

(...)
Read the rest of In Praise of the Information Security Checklist (695 words)


© Kenneth F. Belva for BlogInfoSec.com, 2008. | Permalink | No comment
Want more on these topics ? Browse the archive of posts filed under CSO/CISO Perspectives.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!

Hackers Crack London Tube Oyster Card [Darknet - The Darkside]

Posted: 26 Jun 2008 12:57 AM CDT

It just goes to show, having an aluminium-lined wallet could really be useful! Hackers in the Netherlands found they could clone an access card using the Mifare chip; after that they travelled to London to try their technique out on the Oyster card (used on the London Underground), which uses the same chip. It just [...]

Read the full post at darknet.org.uk

Black Hat Bloggers Network topic of interest #2 [StillSecure, After All These Years]

Posted: 26 Jun 2008 12:54 AM CDT

So our first topic of interest as part of the Black Hat Bloggers Network promotion was virtualization and security, in honor of our own Chris Hoff presenting at Black Hat this year. While several members of the network wrote some really great stuff, I was hoping we would get a broader response from the 150+ blogs on the network. So for topic #2 I wanted to pick something more generic and easier to blog on. Our topic is: why go to Black Hat? Most of the blogger network members either go to Black Hat or wish they did. Why? Let's hear your reasons for going to Black Hat. Is it the briefings? The parties? Seeing old friends? What? I am hoping to see a lot of blogs on this subject from all of our BHBN member blogs!

I should also point out that Black Hat is doing some great promos leading up to the show. They have a great webinar coming up today that I totally spaced on, because I wanted to give everyone more notice and time to register. In the meantime, don't be like Mike, I mean Shimmy: go register and check out the webcast! Also be on the lookout for some of the other great events they have cooking, as well as registering for the Black Hat Twitter feed.


Sybase aims to be your mobile phone security vendor [StillSecure, After All These Years]

Posted: 25 Jun 2008 09:51 PM CDT

In a blast from the past, Sybase is aiming to be your mobile phone security provider. According to this article in Information Week, Sybase's iAnywhere division's Afaria security line already provides device authentication and encryption and will now add anti-virus and firewall capabilities.

I was glad to see the Sybase name in the article. I have fond memories of Sybase on Sun servers from my early web hosting days. It is also good to see a new competitor in the mobile phone business. Let's see if Sybase gives the McAfees, Symantecs, etc. a run for their money. Or who knows, maybe another not-yet-heard-from name will come out to dominate the mobile phone market.

I was also unaware that there were over 500 viruses that target mobile phones. With Sybase covering Windows Mobile, Symbian (which just went open source), BlackBerry and more, even the Apple iPhone appears to be covered. Though overall I still think this is an immature market, it will be interesting to see who steps up.


Threat Modeling Article [Writing Secure Software]

Posted: 25 Jun 2008 09:47 PM CDT


I co-authored with Tony Ucedavelez (Managing Director of Versprite) an article on threat modeling. It is published in the June edition of In-secure magazine.
The intent was to give a holistic view of threat modeling as a security activity that can be performed by security practitioners in different roles and specialities. Threat modeling (TM) is not limited to just modeling threats in applications, and its usage is not limited to architects who need to design secure applications. The result of the TM activity can be used by security testers to perform risk-based tests, as well as by information security officers for technical risk analysis. This is because, besides modeling threats with the logical, physical and use/misuse case views of the application, TM allows for the identification of vulnerabilities (security flaws) and the countermeasures to mitigate the risk posed by such vulnerabilities. The article also tries to strike a balance between the strategic view of threat modeling and a more tactical one, such as a way to perform a security assessment on existing applications. We covered the most popular TM methodologies and TM tools available today. We also tried to give best practices on how to use TM as part of the SDLC to build security into applications independently of the TM methodology being adopted.
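
To make the "identify vulnerabilities and countermeasures" step concrete, here is an added example that is not from the article or from Versprite: a STRIDE-per-element pass over a tiny data-flow diagram. The element kinds, the STRIDE letters applied to each kind, the mitigation table and the browser/web app/database diagram are all constructed for illustration; a real model would carry the application's own elements and the countermeasures the team has actually agreed on. The one analytical step it shows is the one a tester cares about first: which flows cross a trust boundary, since those are where risk-based tests start.

```python
"""STRIDE-per-element over a tiny data-flow diagram (DFD).

Added example for this page; not code from the article or from Versprite.
Element kinds, STRIDE letters per kind, the sample DFD and the mitigations
table are constructed assumptions.
"""
from dataclasses import dataclass

# Which STRIDE categories apply to which DFD element kind:
# (S)poofing (T)ampering (R)epudiation (I)nformation disclosure
# (D)enial of service (E)levation of privilege
STRIDE_BY_KIND = {
    "external": "SR",
    "process": "STRIDE",
    "datastore": "TRID",
    "dataflow": "TID",
}

# Hypothetical countermeasure lookup used to turn threats into actions.
MITIGATIONS = {
    "S": "authenticate the principal (mutual TLS, signed tokens)",
    "T": "integrity protection (MAC/signature, input validation)",
    "R": "tamper-evident audit logging",
    "I": "encryption in transit/at rest, least-privilege access",
    "D": "rate limiting, quotas, resource bounds",
    "E": "authorisation checks on every entry point, sandboxing",
}

@dataclass
class Element:
    name: str
    kind: str            # external | process | datastore
    boundary: str = ""   # trust boundary the element sits in

@dataclass
class Flow:
    name: str
    src: Element
    dst: Element

@dataclass
class Threat:
    element: str
    category: str
    crosses_boundary: bool
    mitigation: str

def enumerate_threats(elements, flows):
    """Apply STRIDE-per-element; flows that cross a trust boundary are flagged."""
    threats = []
    for e in elements:
        for c in STRIDE_BY_KIND[e.kind]:
            threats.append(Threat(e.name, c, False, MITIGATIONS[c]))
    for f in flows:
        crosses = f.src.boundary != f.dst.boundary
        for c in STRIDE_BY_KIND["dataflow"]:
            threats.append(Threat(f.name, c, crosses, MITIGATIONS[c]))
    return threats

def prioritised(threats):
    """Boundary-crossing flows first: that is where a risk-based test plan starts."""
    return sorted(threats, key=lambda t: (not t.crosses_boundary, t.element, t.category))

# Constructed sample DFD: browser -> web app -> database, three trust zones.
user = Element("browser", "external", boundary="internet")
app = Element("web app", "process", boundary="dmz")
db = Element("orders db", "datastore", boundary="internal")
SAMPLE_ELEMENTS = [user, app, db]
SAMPLE_FLOWS = [Flow("login request", user, app), Flow("order query", app, db)]

if __name__ == "__main__":
    for t in prioritised(enumerate_threats(SAMPLE_ELEMENTS, SAMPLE_FLOWS)):
        flag = "!" if t.crosses_boundary else " "
        print(f"{flag} {t.element:14} {t.category}  {t.mitigation}")
```

Running it lists 18 threats for the sample diagram, the six on the two boundary-crossing flows first. The table-driven shape is deliberate: the same pass runs unchanged whichever methodology supplies the per-element rules, which is the "independent of the TM methodology" point made above.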

links for 2008-06-26 [Raffy's Computer Security Blog]

Posted: 25 Jun 2008 09:32 PM CDT

The Threat Inside [CTO Chronicles]

Posted: 25 Jun 2008 08:39 PM CDT

Another summertime stalwart for me is Mark Twain. Whether it's due to the super-cool white suit, the fact that most stories were set during summer, or just his cool-glass-of-lemonade style of storytelling, Mark Twain stories were a mainstay of my surviving the inevitable 18-hour car trips on summer vacation. Of course, Twain had a famous quote on statistics, and I was reminded of that quote when reading the recently released data breach report from Verizon's Business Risk Team. Nathan McFeters was apparently reminded of similar things, given his recent entry on ZDNet. Nathan asks some reasonable questions in his entry, but it seems that the bulk of the coverage of this report has centered around the idea that the insider threat has been misoverestimated. A reasonable impression, if you read the Executive Summary. But the "Insider Threat" in the report seems to be limited to internal people (most often IT people) doing bad things for whatever reason. So, really, the report's main finding is that most of your people are good people, rather than bad people. Good to know. Not exactly groundbreaking, but still good to know.

What's missing from the report (as well as the coverage of it that I've seen) is any discussion of the role played by botnets and keystroke loggers in accomplishing the initial breach. At least in my experience, this has been a major, critical factor in what ultimately ends up as data loss/corruption. To me, this is really where NAC comes in. In addition to walling off your partners and securing your critical assets, it just seems to make good whitewash-your-fence sense to put in place "reasonable" desktop policies and procedures that (a) deploy patches and AV/AS updates regularly, (b) enforce access policies around the consumption of those deployed updates, and (c) watch what users do even when they're patched and updated. A combination of those basic, non-rocket-science things would, I'm willing to bet, have prevented the overwhelming majority of breaches investigated by Verizon's team. Then instead of fighting data breach fires, we could all have a cool glass of lemonade.

And Verizon could focus on making my phone work.

New Security Tools for IIS and SQL [Jeff Jones Security Blog]

Posted: 25 Jun 2008 04:45 PM CDT

In case you didn't see it, the Microsoft Security Response Center (MSRC) team just announced the release of three tools to help customers fend off SQL injection attacks:

  • UrlScan 3.0 Beta (see Wade Hilmo's blog for more), a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests before they reach the application, UrlScan helps keep potentially harmful requests from being processed.
  • Microsoft Source Code Analyzer for SQL Injection (MSCASI) CTP (see the SQL Security blog for more), a tool that can be used to detect ASP code susceptible to SQL injection attacks.
  • Scrawlr (see HP's security blog for more), a free scanner, developed by HP Web Security Research Group in conjunction with Microsoft, which will allow customers to identify whether their Web sites might be susceptible to SQL injection.

There are already a lot of resources available for these tools. Let me point you to a few of them:

and some best practice guidance for developers:

Best regards ~ Jeff
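
The three tools above attack the same bug from two sides: UrlScan filters requests at the server, while MSCASI and Scrawlr look for the code and pages that build SQL from untrusted input. The following is an added example (not code from Microsoft, HP or any of the tools) showing both sides in one small script: the vulnerable string-built query beside its parameterised fix, and a UrlScan-style gate that URL-decodes the query string and rejects blocked character sequences. The SQLite schema, the sample rows and the DENY_SEQUENCES list are constructed assumptions; the filter is loosely modelled on the idea of denying requests by query-string content, not on UrlScan's actual configuration syntax.

```python
"""SQL injection: vulnerable string-built query, the parameterised fix, and
a UrlScan-style query-string filter.

Added example for this page; not code from Microsoft, HP or the tools above.
Schema, sample rows and DENY_SEQUENCES are constructed assumptions.
"""
import sqlite3
from urllib.parse import unquote_plus

def make_db():
    """Constructed sample database with two users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "admin"), (2, "bob", "user")])
    return con

def lookup_vulnerable(con, name):
    """The classic mistake: untrusted input concatenated into the SQL text."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()

def lookup_safe(con, name):
    """Parameterised query: the driver keeps the value out of the SQL grammar."""
    return con.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

# Sequences that have no business in a normal query string for this app.
DENY_SEQUENCES = ["--", ";", "/*", "*/", "xp_", "'"]

def query_string_allowed(qs):
    """UrlScan-like gate: decode first, then look for denied sequences.

    Decoding before matching matters: %27 is a quote by the time ASP sees it.
    This is a blunt defence-in-depth filter, not a substitute for
    parameterised queries (a legitimate O'Brien is rejected by it too).
    """
    decoded = unquote_plus(qs).lower()
    return not any(seq in decoded for seq in DENY_SEQUENCES)

if __name__ == "__main__":
    con = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(con, payload))   # every row leaks
    print("safe:      ", lookup_safe(con, payload))         # no match
    print("filter:    ", query_string_allowed("name=x%27%20OR%20%271%27%3D%271"))
```

With the payload `x' OR '1'='1` the vulnerable lookup returns both rows, the parameterised one returns nothing, and the filter rejects the encoded request. Note the order of controls: the filter buys time while the code is fixed; it does not make the concatenated query safe, since anything that does not trip a listed sequence still reaches it.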

Chinese spam adopts a vertical strategy [Commtouch Café]

Posted: 25 Jun 2008 03:10 PM CDT

Spam in Chinese is problematic for traditional content-filtering anti-spam engines for several reasons. Chinese characters are "double-byte", as opposed to the "single-byte" characters of non-Asian languages. The second byte is needed because one byte isn't enough to encode all the necessary information, since the character set is so much larger than that of western languages like, for example, [...]
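
Two consequences of the "double-byte" point above are easy to show in code. This is an added example, not Commtouch's: the same Chinese characters produce different bytes under UTF-8 and GB18030 (so a byte-level signature written against one encoding misses the other), and Chinese has no word delimiters (so a whitespace tokeniser hands a statistical filter almost nothing). The sample message and the codec fallback order are constructed assumptions; character bigrams over CJK runs are the usual stand-in for word tokens.

```python
"""Encoding-aware feature extraction for Chinese-language mail.

Added example for this page, not Commtouch code. The sample message and
the codec fallback order are constructed assumptions.
"""
import re

# Assumption: trust the declared MIME charset first, then guess. gb18030 is
# a superset of GB2312/GBK and decodes most byte pairs, so a Big5 body with
# no declared charset can come out as mojibake; the declared charset is the
# only reliable signal and should be tried first.
FALLBACK_CODECS = ("utf-8", "gb18030", "big5")

CJK_RUN = re.compile(r"[\u4e00-\u9fff]+")   # CJK Unified Ideographs block

def decode_body(raw, declared=None):
    """Decode a message body, trusting the declared charset before guessing."""
    for codec in ((declared,) if declared else ()) + FALLBACK_CODECS:
        try:
            return raw.decode(codec)
        except (UnicodeDecodeError, LookupError):
            continue
    return raw.decode("latin-1")   # never drop a message just because of its charset

def features(text):
    """Whitespace tokens for Latin text, character bigrams for CJK runs."""
    out, pos = [], 0
    for m in CJK_RUN.finditer(text):
        out.extend(text[pos:m.start()].lower().split())
        run = m.group()
        if len(run) == 1:
            out.append(run)
        else:
            out.extend(run[i:i + 2] for i in range(len(run) - 1))
        pos = m.end()
    out.extend(text[pos:].lower().split())
    return out

# Constructed sample: an "invoices issued" spam line with one Latin word.
SAMPLE_TEXT = "代开发票 请联系 sales"

if __name__ == "__main__":
    for codec in ("utf-8", "gb18030"):
        raw = SAMPLE_TEXT.encode(codec)
        print(codec, raw.hex(), decode_body(raw) == SAMPLE_TEXT)
    print("naive tokens:", SAMPLE_TEXT.split())
    print("features:   ", features(SAMPLE_TEXT))
```

The naive split yields three tokens, two of which are whole phrases that will never repeat exactly; the bigram features yield six reusable ones. A filter that normalises to Unicode before extracting features also stops caring which of the two byte encodings the spammer chose.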

iPhone success based on culture? [360 Security]

Posted: 25 Jun 2008 02:10 PM CDT

Ben Worthen of the Wall Street Journal suggests, in his BizTech blog posting, that iPhone adoption will be based on business culture. Ben may be partially correct. But when it comes to enterprise infrastructure, "chic" doesn't get the PO signed.

The dynamic struggle between productivity and security is sure to come into play in the decision to support the iPhone on the corporate network. Ben appears to believe that the IT crowd bans technologies on the grounds that they enable the "goof off" factor, while employees interested in using the iPhone believe that the iPhone will make them more productive. There is an element of truth in both of these viewpoints, but Ben overlooks a much larger issue central to the decision to support anything on the corporate network: compliance.

Ever since the Sarbanes-Oxley act of 2002 changed the regulatory climate of business, the CIO's purchasing decisions have been heavily influenced by the vendor's security practices. Public companies generally must comply with a minimum of three different regulations, and many of the associated compliance requirements apply to the company and all of its supply chain.

Additionally, the consequences for failing an audit are not to be underestimated. Aside from the serious costs involved and the long term consequences of having to endure more frequent and exacting audits, there is jail time to consider. It's enough to give any CIO pause. In Ben's defense, he does make a practical point -- businesses already invested in RIM's Blackberry phone are the least likely to make the switch. This is just economics, plain and simple. Without a solid ROI plan, no sane business manager would be willing to overhaul existing infrastructure to make the switch to iPhone when the current system already solves the problems, especially in a tight economy. But, Ben also says that the switch will "hinge on culture." While culture is a critical component to the success factor of a company -- just ask Google -- the majority of CIOs can't afford to nuke their existing infrastructure simply because the next cool widget to hit the market supports business email.

Ben's points about the cultural beliefs that skew corporate buyers away from the iPhone missed the most surprising element of Apple's strategy to capture market share in the enterprise: it is relying on Microsoft for security. No one else seems to see the irony in this that I do. For years, Apple's marketing has hammered on Microsoft's products as bloated and full of security holes. However, Apple obviously realized that in order to enter the enterprise market they had to do something drastic. Evidently, the need to pump up iPhone sales was enough to get Apple behind Microsoft's Exchange ActiveSync. And remember, ActiveSync is more than just a method to deliver email to a handheld device; it is also Microsoft's conduit for delivering security configurations.

Apple builds their revolutionary device to be compliant to Microsoft's handheld information security platform? And they say politics makes strange bedfellows!

Zattoo as backup for satellite TV [Robert Penz Blog]

Posted: 25 Jun 2008 01:18 PM CDT

Today is the first semifinal of EURO 2008 (soccer, Germany vs Turkey), which is a big deal here in Europe, and today was a really sunny day. But just 1h before the game started it began raining hard in my home town, with lightning. This led to bad reception on my satellite TV. As the internet via ADSL was working without any problems, I started searching for a backup solution and found Zattoo. And I couldn't believe it: they support Linux, especially (K)Ubuntu! Wow! I downloaded the .deb file for version 3.20 but it didn't work; I got:

robert@darksun:~$ zattoo_player
(process:9626): GLib-GObject-CRITICAL **: /build/buildd/glib2.0-2.14.1/gobject/gtype.c:2242: initialization assertion failed, use IA__g_type_init() prior to this function
(process:9626): GLib-GObject-CRITICAL **: g_object_new: assertion `G_TYPE_IS_OBJECT (object_type)' failed
(process:9626): GLib-GObject-CRITICAL **: g_object_ref: assertion `G_IS_OBJECT (object)' failed

I searched a little on the internet and found out that 3.11 should work, which I downloaded from here. And yes, it worked without any problems. One important side note: your IP address needs to be in one of the countries for which the service is available. Ah, and as I use Kubuntu and not Ubuntu, I installed the following packages before installing Zattoo:

apt-get install libgtkglext1 libgnome-keyring0 libgnomeui-0 libcurl3 libxul0d libgdk-pixbuf-dev

FBI gets involved in the Indiana bank security breach [spylogic.net]

Posted: 25 Jun 2008 12:15 PM CDT

This is a story that keeps getting more interesting...

I have been closely following the news that I blogged about last week regarding 1st Source Bank of Indiana, which fell victim to a pretty serious security breach. 1st Source ended up reissuing their entire credit card portfolio to their customer base.

The latest news is that other banks in the Indiana area are now reporting that their customers are seeing fraudulent transactions. The link is that all of these other banks' customers used 1st Source ATMs around the same time the breach happened. From the IHT article:

"Bank officials said the victims they know of appear to have all used 1st Source Bank ATMs during the first 10 days of May. James Seitz, 1st Source senior vice president, said officials from his bank met with officials from other financial institutions on Wednesday to discuss the situation.

"As we're piecing this puzzle together, it appears that there may be a common thread," Seitz said.

A security consulting firm alerted 1st Source about a computer breach on May 12. The bank shut down its computer system and contacted authorities. Two weeks ago, 1st Source sent letters to customers asking them to monitor their accounts for suspicious activity."


I'm starting to suspect that the ATMs themselves were compromised or the bank's back-end servers were compromised as well. From what I know about PIN storage, the PIN information in Track 2 data (this is the data that was reported stolen) on a credit/debit card does not have to be encrypted (however it can be, it's just not required by the ISO standard), so either a card "skimmer" device was used (physically attached to the outside of the ATMs) or this Track 2 data was pulled off the wire, perhaps using a network sniffer installed on the ATMs. It could be similar to the Dave & Buster's security breach that happened a few months ago. Whatever method was used, it was enough to replay this data onto a bunch of fake ATM cards and start withdrawing cash and/or charging items from locations overseas. Hopefully the public gets to find out what really happened once 1st Source gets their act together.
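
Since the post turns on what is actually in Track 2 data, here is an added example (not code from 1st Source, the IHT or any ATM vendor) that parses an ISO/IEC 7813 Track 2 record: PAN, expiry, the three-digit service code, and the issuer-defined discretionary data (which, depending on the issuer, carries values such as a PIN verification key indicator, PIN verification value and card verification value). The sample track is constructed around the well-known test PAN 4111 1111 1111 1111. Every field on the stripe is static, which is why captured track data can be written to a blank card and replayed; the service code is also what a terminal or issuer can consult to refuse a magstripe transaction from a card that says it carries a chip.

```python
"""Parse and sanity-check ISO/IEC 7813 Track 2 data.

Added example for this page; not code from 1st Source or any ATM vendor.
The sample track is constructed; the discretionary-data layout is
issuer-defined, so it is reported but not interpreted.
"""
import re

# ;PAN=YYMMSSSdddd?L  -> start sentinel, PAN, separator, expiry, service
# code, discretionary data, end sentinel, optional LRC.
TRACK2 = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?(?P<lrc>.)?$"
)

SERVICE_CODE_3 = {  # third digit: allowed services / PIN requirements
    "0": "no restrictions, PIN required",
    "1": "no restrictions",
    "2": "goods and services only",
    "3": "ATM only, PIN required",
    "5": "goods and services only, PIN required",
    "6": "no restrictions, prompt for PIN if PED present",
    "7": "goods and services only, prompt for PIN if PED present",
}

def luhn_ok(pan):
    """Luhn check digit: catches typos and junk, not fraud."""
    total = 0
    for i, d in enumerate(reversed(pan)):
        n = int(d)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0

def parse_track2(track):
    m = TRACK2.match(track)
    if not m:
        raise ValueError("not a Track 2 record")
    pan, exp, svc, disc = m["pan"], m["exp"], m["svc"], m["disc"]
    return {
        "pan": pan,
        "luhn_ok": luhn_ok(pan),
        "expiry": f"20{exp[:2]}-{exp[2:]}",     # YYMM on the stripe
        "chip_card": svc[0] in "26",           # 2/6: IC present, use where possible
        "international": svc[0] in "12",       # 5/6: national interchange only
        "pin_rule": SERVICE_CODE_3.get(svc[2], "reserved"),
        "discretionary": disc,                 # issuer-defined (e.g. PVKI/PVV/CVV)
    }

def mask_pan(pan):
    """First six and last four, as a log or incident report should show it."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

SAMPLE_TRACK = ";4111111111111111=1012201123456789?"   # constructed

if __name__ == "__main__":
    rec = parse_track2(SAMPLE_TRACK)
    rec["pan"] = mask_pan(rec["pan"])
    for k, v in rec.items():
        print(f"{k:14} {v}")
```

For the constructed sample the parser reports a chip-capable, internationally valid card expiring 2010-12 with no PIN restriction on the stripe. Two operational points follow: track data should never be logged unmasked, and a card whose service code starts with 2 or 6 arriving as a plain swipe in a chip-capable environment is a fallback transaction worth scrutinising.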

WiFi : Coming to a plane near you [Security Karma]

Posted: 25 Jun 2008 10:40 AM CDT

There were tons of stories today regarding wireless broadband becoming available on an American Airlines flight tomorrow. I can't go into particulars regarding the service, but think of it like a flying Starbucks/hotel hotspot/portal. It will be AA-branded and allow access to aa.com and other travel-related sites such as Frommer's, but otherwise it will be completely owned and operated by Aircell. More information regarding this service can be found in Aircell's press release.

Microsoft releases SQL injection testing tools [Amrit Williams Blog]

Posted: 25 Jun 2008 10:31 AM CDT


Hat tip to Grossman (here) for the heads up about Microsoft’s recent security advisory and release of 3 new tools to help combat SQL injection errors (here).

Unfortunately, it always takes a significant incident to drive folks towards doing the right thing. This is especially true of security as part of the software development life cycle, and even more so for web development, which tends to be rapid, ad hoc and less structured than traditional software development.

This is definitely positive and will hopefully accelerate security awareness in the same way poor product quality in the mid-90’s - a la the blue screen of death - accelerated quality assurance as a fundamental aspect of software development in the late 90’s.

Although the tools have limitations and are not a substitute for more advanced technologies and for experienced, thorough human analysis (which is greatly lacking in the industry), Microsoft has an opportunity to increase awareness and place these types of tools in the hands of the masses, and in doing so will hopefully highlight the ease of exploitation, the importance of security testing, and the benefits these types of tools can provide when implemented and used correctly.

The Ears of a Hacker: Enumeration by Sound - No Tech Hacking (pt. 2) [BlogInfoSec.com]

Posted: 25 Jun 2008 06:00 AM CDT

I previously wrote an article about Johnny Long's latest book, No Tech Hacking. This book covers many points about security in the physical world from the perspective of a hacker by raising the question "What does a hacker see?" There's another observation point that must be addressed, one that I call "What does a hacker hear?"

This question occurred to me while at a security conference when I heard a Microsoft Windows handheld device activate ActiveSync. I looked over and noticed that there was no tether in use, and speculated that the sync process must be occurring via Bluetooth. I quickly started a tool called hcidump and was astonished to watch the Bluetooth communication whiz by on the screen. I was astonished not because I was sniffing a Bluetooth communication, but in what triggered my curiosity: the sound of ActiveSync starting.

I paid more attention to the electronic devices that were buzzing in the ether of background noises. I heard startup and shutdown sounds, cell phone ring tones, and a plethora of other device specific sounds. If you recall, all Microsoft Windows operating systems have their own unique startup and shutdown sounds; the same applies to other operating systems such as Linux. By listening, I know what kinds of exploits to run against your platform, and when to run them. As for cell phones, cellular carriers and cell phone manufacturers copyright the ring tones that are installed and in use on those devices. By listening to your cell phone ringing, I can probably determine with some accuracy the cell phone model and who you use for your cellular provider.

Hacking by sound presents an interesting question: is it worthwhile to present disinformation by intentionally using other devices' startup sounds? It would certainly be intriguing to see if anyone begins to inspect a Linux device that has a Windows ME/2000 startup sound attributed to it. But on the other hand, we are all so inundated by the obnoxious sound pollution that is created by these devices that it mostly goes unnoticed. But the next time you're at a conference and the presenter asks you to set your device to vibrate mode, the end result may not be just a professional courtesy but a security countermeasure.

If you feel like reading more about this, you can take my "what does a hacker hear" challenge at the No Tech Hacking website: http://www.notechhacking.com


© Russell Handorf for BlogInfoSec.com, 2008. | Permalink | No comment

NDR or Backscatter Spam - How Non Delivery Reports Become a Nuisance [Darknet - The Darkside]

Posted: 25 Jun 2008 03:11 AM CDT

You might remember a while ago we mentioned MP3 spam, which in October last year was the latest evolution in spam. Currently there is a new type annoying mail-server owners the world over; it's known as NDR or backscatter spam and involves NDRs or Non Delivery Reports (those emails you get when you send a mail [...]

Read the full post at darknet.org.uk
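
Backscatter works because a bounce is addressed to whatever envelope sender the spammer forged, and a mail server has no way to tell a bounce for mail it really sent from one for mail it never saw. The standard fix is Bounce Address Tag Validation (BATV): sign the envelope sender of every outbound message, and accept a bounce (a message from the null sender) only when its recipient address carries a tag that verifies and has not expired. The following is an added example, not Darknet's code, implementing the "prvs" tag from the BATV draft in simplified form (prvs=KDDDSSSSSS=user@domain, with K a key version digit, DDD an expiry day counter and SSSSSS six hex digits of HMAC). The secret key, domain, lifetime and dates are constructed assumptions, and the day counter is taken modulo 1000 from the ordinal date rather than the draft's day-of-year.

```python
"""Bounce Address Tag Validation (BATV) against backscatter.

Added example for this page, not Darknet's code. Simplified "prvs" tag:
prvs=KDDDSSSSSS=local@domain. Secret, lifetime and dates are assumptions.
"""
import hmac
import hashlib
from datetime import date

KEY_VERSION = "0"
SECRET = b"constructed-secret-key"   # assumption; rotate together with KEY_VERSION
TAG_LIFETIME_DAYS = 7

def _day_number(d):
    """Expiry day counter, modulo 1000 as the prvs tag has three digits."""
    return d.toordinal() % 1000

def _sig(key_version, ddd, local, domain):
    msg = f"{key_version}{ddd}{local}@{domain}".encode()
    return hmac.new(SECRET, msg, hashlib.sha1).hexdigest()[:6]

def sign_sender(address, today):
    """Rewrite an outbound envelope sender so bounces to it can be verified."""
    local, domain = address.split("@", 1)
    ddd = f"{(_day_number(today) + TAG_LIFETIME_DAYS) % 1000:03d}"
    return f"prvs={KEY_VERSION}{ddd}{_sig(KEY_VERSION, ddd, local, domain)}={local}@{domain}"

def verify_bounce_recipient(address, today):
    """Return the untagged address if the tag is valid and unexpired, else None."""
    if not address.startswith("prvs="):
        return None
    tag, _, inner = address[5:].partition("=")
    if len(tag) != 10 or "@" not in inner:
        return None
    k, ddd, sig = tag[0], tag[1:4], tag[4:]
    if k != KEY_VERSION:
        return None                      # tag signed under a retired key
    local, domain = inner.split("@", 1)
    if not hmac.compare_digest(sig, _sig(k, ddd, local, domain)):
        return None                      # forged or corrupted tag
    remaining = (int(ddd) - _day_number(today)) % 1000
    if remaining > TAG_LIFETIME_DAYS:
        return None                      # expired (a wrapped counter shows as huge)
    return inner

def accept_bounce(envelope_from, rcpt_to, today):
    """MTA policy hook: mail from the null sender must target a valid tag."""
    if envelope_from != "":
        return True                      # not a bounce; normal policy applies
    return verify_bounce_recipient(rcpt_to, today) is not None

if __name__ == "__main__":
    today = date(2008, 6, 26)
    tagged = sign_sender("alice@example.org", today)
    print("outbound MAIL FROM:", tagged)
    print("bounce to tag accepted:   ", accept_bounce("", tagged, today))
    print("bounce to bare addr:      ", accept_bounce("", "alice@example.org", today))
    print("same tag two weeks later: ", accept_bounce("", tagged, date(2008, 7, 10)))
```

The caveat a practitioner wants: BATV only protects the domain that deploys it, and it breaks if a downstream forwarder or mailing list rewrites the envelope sender, so the tagged form has to survive the whole delivery path. The real cure for backscatter is on the other side, rejecting undeliverable mail during the SMTP session instead of accepting it and bouncing it later.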

Another article explaining why DLP is not a panacea for data loss [Security Karma]

Posted: 24 Jun 2008 12:30 PM CDT

Great article over at Network World that sums up what I've been saying to anyone who'll listen to me: DLP and similar endeavors are ultimately doomed to fail because it is corporate culture that determines how data is handled. We can scan email, put application firewalls in place, deploy DLP all the way down to the desktop, and we still can't prevent an employee from taking a picture with their camera or sending an MMS or SMS message with corporate secrets nestled inside. And since the court ruling stating that SMS and MMS are off limits without a court order, there is no way to monitor them other than confiscating mobile phones as people walk in the door (that'll play well in the corner offices, right?).

Ultimately, DLP will fail because enterprises will spend gobs of money deploying complex solutions, information will still leak, the article on page 1 of the Wall Street Journal will follow, the CIO will call the CISO into his office, WTF?!?! will ensue, heads roll, etc...

DLP will have its place in the enterprise to catch the oops factor, but there needs to be a healthy dose of expectations management that comes with any data loss solution. If you want a bit more of a take on my DLP ideas, see my earlier post titled "Oops I Leaked My Data."

Security Mindset: Nature or Nurture? [BlogInfoSec.com]

Posted: 24 Jun 2008 06:00 AM CDT

I have been following with interest the discussions started by Ken Belva on this site in response to Bruce Schneier’s initial post on his own blog about the “security mindset” or, to put it another way, “security folks with beautiful minds.”

First, I want to say how much I admire Bruce Schneier for his intelligence, analytical ability and eloquence. He is one of very few security professionals, particularly from among those in esoteric fields such as mathematics and cryptography, who can describe complex security issues in layman’s terms. I have very much enjoyed reading his more recent books. In fact, one of his books was instrumental in identifying a convicted felon who was working on a former employer’s critical systems. But that’s another story.

A particularly admirable quality of Bruce’s is his willingness to admit to the weaknesses of ideas that he has long touted. As a world leader in cryptography, he does not hesitate to point out the limitations of poor encryption implementations in his seminal work Secrets & Lies (John Wiley, 2000). I am still waiting for him to reconsider his assertion from a couple of years ago that organizations should outsource all their security functions. Having written Outsourcing Information Security (Artech House, 2004), I obviously believe that managed security services have their place, but they are not a panacea.

In any event, let’s get back to the security mindset and the psychology of security. We could have anticipated Bruce’s latest foray into psychology from statements that he made to journalist Ellen Messmer at the RSA Conference in February 2007. The interview was published by CSOonline and Network World. Around that time, Bruce wrote a “long essay” on the psychology of security. Coincidentally I was working on a chapter called “An Adaptive Threat-Vulnerability Model and the Economics of Protection,” which is to appear in the forthcoming book Social and Human Elements of Information Security: Emerging Trends and Countermeasures (IGI, September 2008). As further affirmation of the expanding interest in the psychology of security, it is the featured topic of the April 2008 issue of Communications of the ACM.

While I think that it is a good idea for researchers to dabble in other fields, such as mathematicians learning about psychology, I strongly object to any implication that such researchers can transfer their preeminence and credentials in one field to another very different area. As a way to deal with such issues, I have recommended on a number of occasions that we welcome psychologists (particularly forensic psychologists), sociologists and other social sciences experts into the security fold.

However, even though Bruce, Ken or I are not qualified psychologists, I think that we can still express our opinions, as long as we do not masquerade as subject matter experts. As a qualified engineer, who majored in electrical engineering but was also taught about the real engineering disciplines of mechanical and civil engineering, I agree with Ken and others that an engineering education is well suited to having them become security practitioners. Engineers are certainly trained to understand and evaluate potential failures of physical and logical assets. They learn about reliability and availability, MTBF (mean time between failure) and MTTR (mean time to repair), the “bathtub” curve and related concepts. They are encouraged to test products to failure and design fail-safe systems with protective mechanisms for when something does fail. But do you know the difference between safety and security? For example, do you know whether your door entry security system fails open or closed when the computer system controlling physical access goes down? Failing closed is more secure, but jeopardizes the lives of anyone who might be trapped in a blazing inferno, unable to get out of the building. Failing open better meets the safety requirement, but is clearly less secure in terms of protecting non-human assets from compromise, theft or damage. This is something you need to know, as it can be a matter of life and death.

When bridges, security systems, etc. fail, news of the incident will hit the headlines. Such an example was the collapse of the Tacoma Narrows Bridge on November 7, 1940 (well worth viewing on YouTube). Another historic example of trial and error is the building of the pyramids; the area is scattered with designs that collapsed before architects determined the correct incline.

I believe that security professionals and engineers can have a security perspective of the world without being compulsive or paranoid about it or having a criminal mind. It is just good engineering to consider the various ways in which systems can be compromised or fail and to design for such potential events. I could even go so far as to say that an engineering background is more likely to result in someone being security minded than is mathematics - but that might arouse the ire of those mathematicians in our ranks, so I will reserve judgment on that issue. It is the old discussion about whether genes, environment, education or experience has the greatest impact in creating that appropriate degree of circumspection and level of suspicion to be a good security person. I believe that all these factors have an influence, but at the top of my list is having a strong and sincere intellectual and practical interest in protecting people (and oneself) from the many threats and dangers to which we are continually subjected.

So let’s just say that it is my opinion that aspiring security professionals, whatever their origins and backgrounds, can and should be trained to recognize security issues in existing and new technologies and processes, and can and should learn how to come up with effective means of dealing with the security risks that they identify. Let’s not focus on who does or doesn’t have the appropriate ‘tude for doing a good security job, but rather on how we can train every security practitioner to be more aware of the threats and vulnerabilities that challenge us every day.


© C. Warren Axelrod for BlogInfoSec.com, 2008. | Permalink | No comment

A cuckoo in the nest - Apple plants itself in the network of the Telco [Roer.Com Information Security - Your source of Information Security]

Posted: 24 Jun 2008 03:23 AM CDT

The iPhone has become one of the most wanted devices on the mobile phone market in 2008. No surprise there. With Apple's previous history of gadget success, this more or less had to happen.

And although Apple makes money on these devices, Apple has decided to tap into the ongoing, continuous revenue stream of their Telco partners. According to the Register, if you want to provide the iPhone to your clients, you are required to add an Apple networking device in your datacenter.

At first glance, this is only to provide the customers with the services required for the iPhone to function properly.

At second glance, you see that the device is able to capture and control the data flow to and from any iPhones connected through that Telco.

So what?

By controlling the actual data flow to and from the device, Apple may now gather information and habits and control the way their users are actually using the iPhone. This also means that they may adapt content (advertisements) to the habits of the users, much like Google does on the web.

It also may enable services like pay-per-view and strict access control. As well as full monitoring of the content and communication.

According to the Register, this may become a threat to the Telco, as the Telcos themselves have been dreaming of such a tool for ages. Some have tried too, but due to too big differences on the device side, identifying and controlling the content has not yet succeeded.

I think that Apple will share their technology with their Telco partners; the Telcos I know would never accept a technology partner controlling everything, unless they get revenue back.

I predict that Apple and the Telcos will walk this road hand in hand, all the way to the bank.

And the customers?

Nothing has really changed. You still get the bill. And you might perceive the new technology as a better service to you.

Which in my book means this is a typical Win-Win-Win situation.

And the security?

Well, you are already monitored and analyzed, so this makes no big change. The data quality is better, so the analyses will be of higher value, which in turn will give you better ads!

---

Telco = TELeCOmmunication Company

BackTrack Final 3 Hacking LiveCD Released For Download [Darknet - The Darkside]

Posted: 23 Jun 2008 11:22 PM CDT

If you don't know, BackTrack is a top-rated Linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-ROM and is fully accessible within minutes. Back in January we mentioned that the BackTrack Live Hacking CD BETA 3 was released; at last the final version is...

Read the full post at darknet.org.uk
