Spliced feed for Security Bloggers Network

More UPnP Hacking Fun with Google Media Server [GNUCITIZEN Media Portfolio]

Posted: 27 Jun 2008 04:31 AM CDT

The fun with hacking UPnP enabled devices has just began. We’ve started our exploration in the fields of UPnP earlier this year with some smoking posts which covered some basic attacks and the advance flash attacks. Today I stumbled across Google Media Server, a desktop gadget which allows you to share all your laptop/desktop media content with all other devices you may have locally such as your phone, xbox, TV, and I suspect, your fridge. And all that via UPnP. That, I like very much.

I guess I will repeat myself, but I will say it one more time: UPnP does not have any mechanisms for authenticating with your devices. Therefore, anyone can mess with your media. Good that Google has implemented some kind of IP/MAC based lockout features in the Media Server, but I as you understand these checks are insufficient.

Do not use Media Server on your home WiFi network or your corporate laptops unless you are completely aware of the risks involved.

Links for 2008-06-26 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 27 Jun 2008 12:00 AM CDT

Can You Hear Me Now? | Nemertes Research
Our brains (with functional ears) have the ability to dynamically adjust the gain control and adjust frequency sensitivity in real-time based on input from our other senses and our past experiences. The same capability is needed in SIEM/log management whe
Security and Risk Management Strategies Blog: Common Event Standard SIG Held At Catalyst

Today’s Partnerships are Tomorrow’s Liabilities [Trey Ford - Security Spin Control]

Posted: 26 Jun 2008 11:08 PM CDT

"…so here's the thing. If you can't spot the sucker in your first half hour at the table, you ARE the sucker." Let's say that your company, from an information assurance perspective, really has its act together. Even your education and awareness campaigns are paying off, you've got security testing gates in the SDLC, new software [...]

Review: Dropbox [Random Thoughts from Joel's World]

Posted: 26 Jun 2008 11:00 PM CDT

For those of you that haven't heard of DropBox, it's essentially a synced drive that is stored on DropBox's servers (in the cloud). Any file you put here is automatically synced to all the computers that you have the Dropbox software installed on. Sort of like push email, but for whole files.

Signup was easy (I was given a beta code number), and took about 3 minutes from signup to download of the software, to installation, to the syncing of my first file. Files are instantly synced and are very easy to tell the status of the sync by looking at the icon on the top of the screen (on my mac) as you can see in the below example. A small unobtrusive icon that has the two arrows syncing when a file is being transferred.

Once all your files are sync'ed and the status is good, the icon will look like this:

So it's very simple to be able to see the status of your sync at any time. How easy is it to drop files and get them uploaded?

See the DropBox folder the software installed? That's all there is to it. You can also upload and manage the files via their web page. Here's a screenshot of the webpage with a file I uploaded (the backup of my Address Book)

Dropbox has software for both Windows and the Mac. Linux is excluded, however, I am sure you could use the web GUI to get to your files.

Now the obvious thing for me is, since I'm a Mac user is, how is this different from iDisk? Well, one thing that is the most different, is files are pushed to the remote systems. So if I upload a file at home, and at work on a separate computer I have the software installed the file will be pushed down to the local machine. iDisk at this time requires a manual sync, which of course, can be automatic, but it's a bit different than a push. I don't know if this will change with the MobileMe roll out from Apple in the beginning of July, so we'll see.

It appears as if you get 2 Gb of storage in the beta program, I imagine with tiered pricing once they come out of beta, there will be more storage. But that remains to be seen. As for security all connections with the Dropbox servers are SSL encrypted. All file transfers take place over 443, and you can navigate to it via https.

Now, being as I am security guy, what kind of security risk does this pose? Well, no more than any other cloud storage option, however, since all traffic takes place over https/ssl/port 443, this will easily transverse proxies and other web limiting devices. Which is good for ease of use, not so good for people trying to keep their files on their networks without your employees opening (basically, uh, yeah) a backdoor into your network introducing files into your network. But again, it's no different from them bringing in a thumbdrive or using some other cloud storage service.

Overall, I think it's excellent, setup was easy and intuitive, and the software was easy to use. Cross Platform integration is great, and am glad to see that someone is doing cloud storage well.

I have 10 invites to Dropbox, so if you are interested, please leave me a message in the comments. I'm not going to give any invites to "Anonymous" so if you are interested, you have to have a name. :)

Subscribe in a reader

Why go to Black Hat? [spylogic.net]

Posted: 26 Jun 2008 09:04 PM CDT

I am writing this blog post as part of the Black Hat Bloggers Network topic of interest #2.

I guess you could say I am somewhat of a Black Hat n00b! This will only be the second time I have attended Black Hat in my security career. I have been to quite a few security related conferences in the past (most of these involved training as well as conferences all integrated into one event like SANS Fire) but since coming back from Black Hat last year I discovered the value of attending a conference like Black Hat. Three things come to mind as to why someone should go to Black Hat:

1. Great speakers! Seriously, if you want to "be there" when new vulnerabilities and exploits are released to the security community by some of the greatest security researchers in the world...that's Black Hat! I liked how conference attendees were able to "vote" in advance for selection of the talks this year. I felt this added real value to the great speaker line up for this years conference!

2. Good mix of "black hat", "white hat", and everything in between (gray hat) attendees. With a little more on the side of "white hat". This adds to the whole energy of the conference and allows some good networking opportunities. Black Hat is probably the one security conference where your company won't think you are just going to another "hacker con". For example, you can say to your boss "Hey, they have a vendor show with XYZ company that will be there!" Lucky for you if you are using the security product of XYZ company. Not to mention XYZ company will get you a pass to one of the cool after parties (for more networking of course...). :-P

3. Free admittance to DefCon. As a paid Black Hat delegate you get into DefCon for free! How can you beat that? Stay at Caesars Palace in a luxury suite the whole week and attend one of the best hacker con's in the world! I could do a whole post on how great attending DefCon is but in short it's awesome to see even a more diverse crowd then Black Hat of the good, bad, and the plain ugly! Not to mention the "spot the fed" and all the other fun games and activities unique to DefCon.

Can't wait to go this year and to also network with some of the other bloggers in the Black Hat bloggers network! Hope to see some of you there (and at DefCon 16).

The Internet is a public place [Network Security Blog]

Posted: 26 Jun 2008 07:42 PM CDT

Some time in the distant past, or maybe just a couple of years ago, I signed up for the US-CERT Cyber Security Tips mailing list. Every week they send out an email concerning online security, targeting the average home user with a simple concept they should be able to digest fairly easily. It’s not something that’s going to educate most of the professional paranoids who hang out and read a blog like this one, but it is usually a subject your parents or non-technical friends can learn from.

This week’s mailing is “Guidelines for Publishing Information Online“. To quote their own synopsis,

Remember that the internet is a public resource. Avoid putting anything online that you don’t want the public to see or that you may want to retract.

If you’ve reading the blog or listening to the podcast, you’ll probably have seen me use words very similar to that a number of times. Especially when Uncle Mike Rothman tries to get me going on a subject like privacy. Privacy isn’t dead, but the vultures are gathering and it’s up to each and every one of us to safeguard our own privacy by being aware of what we put on the Internet. ‘Cause once it’s out there and Google’s indexed it, you’ll never get that piece of information back in the bottle.

Isn’t it funny when someone who blogs as much as I do says be careful what you put on the Internet?

If you liked the game theory stuff... [NP-Incomplete]

Posted: 26 Jun 2008 07:42 PM CDT

... nominate the work for a pwnie. I won't nominate my own work (tacky), but I am not above shilling my own work (only slightly less tacky).

You Are "A Security Idiot" If ... [Anton Chuvakin Blog - "Security Warrior"]

Posted: 26 Jun 2008 07:33 PM CDT

... you:

Misspell both HIPAA and SOX (how the f does one misspell SOX?)
Confuse "risks" and "threats"
Think that "Trojan is a vulnerability" AND "DoS is a vulnerability"
Quote "Insiders are 80%" without thinking for one darn second
Think that a loss of "$20 million is catastrophic to any company"
Talk about "NIST compliance"
Consider IDS a network security control
Shout that "perimeter is dead"

Please add your faves to the list and we can create an official list to be used to expose fake experts. If you think that nobody in our industry is that stupid ... think again. F*ck!

To be explained later :-)

OMG: 30 years of AD&D [Network Security Blog]

Posted: 26 Jun 2008 12:35 PM CDT

I just had a startling realization: This weekend marks thirty years that I’ve been playing Advanced Dungeons and Dragons. How do I know? Because this weekend is my birthday and I spent all of my birthday money from my 12th birthday on buying the only D&D book that was out at the time. Or at least the only book at my local store, Toy and Model.

I’d received the blue box set of Dungeons and Dragons the Christmas before, but quite frankly had no one to play it with. I’d been playing with my childhood best friend, Fred Zeiber, but it’s hard to play a game like that with just two people, so we usually ended up forgetting the rule books and just playing pretend games. Every once and a while I try to look up Fred, but it appears he has almost no presence on the net, not being a computer geek like I turned out to be.

There were other games like Gamma World and Traveller, but AD&D is the one I’ve always come back to. I do have to give Traveller credit for getting me interested in math; you had to know some basic trig and calculus to even attempt to create a game world in that system. And all of the games taught me what the word “probability” means.

I still have my Monster Manual in a storage locker across town. The cover is still recognizable, even though there are so many layers of marks from using it as a hard surface to write on. I could probably recreate at least a few of those earliest characters I created just from the marks on that book.

I know 4th Edition is out, but I haven’t had the time or the interest to pick it up. When Second edition came out, I tried playing it once or twice, but after I purchased most of the books, I realized I still liked first edition better. I got a lot of play out of editions 3 and 3.5, so I’ll probably pick up some 4th Edition books eventually. Unless someone wants to send them to me for my birthday :-).

What’s my all time favorite Role Playing Game? While I love playing AD&D, I have to say Champions: the Superhero Roleplaying game wins out. I’ve always loved four-color comic books and the epic struggle between evil. Not the angst-ridden Iron Age stuff we have now, but the wonderful Silver Age comic book stories that ended with the death of Gwen Stacy in Spiderman.

And now back to the angst-ridden real world of being an adult.

Free IronKey Giveaway!!! [LiveBolt Identity Blog]

Posted: 26 Jun 2008 11:18 AM CDT

Folks,

Just a reminder — we’re giving away a FREE 1GB IronKey Personal USB thumbdrive ($80 value). Really a cool device — check out the geeky specs.

You need to enter before noon, on July 1st. Just make sure to read our “Personal Metadirectory for Passwords” article, and leave a comment there with your response to our questions for a chance to win!

And don’t forget to tell your friends!

Week of War on WAF’s: Day 4 — Closer to the code [tssci security]

Posted: 26 Jun 2008 10:59 AM CDT

[ Andre and Marcin ]: For today’s post, we have a guest blogger, Rohit Sethi. We asked Rohit to do this guest post because we feel that his research, along with co-worker, Nish Bhalla, has been influential at solving some unique application security problems. We met Rohit and Nish at Shmoocon 2008 as fellow speakers — their talk was our undisputed favorite as they did an outstanding job at presenting and conveying their message.

Their talk, Using Aspect Oriented Programming to Prevent Application Attacks [PDF] discussed how to take an existing application and add input validation (XSS, SQL Injection, etc), strong error handling, and access controls without ever changing the existing source code. We strongly encourage you to check out their work. Rohit also has a fabulous post for us today on WAF vs. Aspect Oriented Programming — a warm welcome and big thank you to the great work he’s done here! [ Cheers, TS/SCI Security blog ]

Web Application Firewalls vs. Aspect Oriented Programming

As a concept, the WAF (Web Application Firewall) is brilliant. It extends an application’s trust boundary to include input from otherwise dubious sources. Fundamentally, it externalizes many security concerns away from the application’s core logic. What makes the concept of WAF so appealing is that the technology addresses security as a “cross-cutting concern”; a part of the application that is pervasive across the code base yet rarely relates directly to the business logic. Other cross-cutting concerns, such as transactional management, coarse-grained error handling, and logging also end up diluting the code within an application away from core business logic (also known as “code scattering”). On a more practical level, WAFs can implement the security cross-cutting concern without changing existing source code — meaning we can implement WAFs quickly and avoid destabilizing the application through code modification.

In practice, WAFs often suffer from a few drawbacks. In many organizations, WAFs are handled by an infrastructure or security team who are not intimately familiar with the applications that they’re protecting. This often (though not always) ends up becoming an elaborate blacklist filter for malicious characters. Blacklisting is never ideal, but in the case of WAFs the danger is exasperated. The WAF and the application it’s protecting are two different technologies. That means canonicalization attacks, such as sending malicious characters in illegal multi-byte or malformed UTF8 character sequences, may pass through the WAF interpreted one way and attack the application interpreted another way. This interpretation delta with disparate technologies is the same sort of problem that worsens attacks such as HTTP Response Splitting and HTTP Request Smuggling.

Is there a way for developers to protect their own applications without having to modify source code? Can you modularize the security cross-cutting concern without relying on an external application/appliance? Yes — with Aspect Oriented Programming (AOP). At a very high-level, AOP is like applying Servlet Filters anywhere in your code (for more details, please see the article I wrote for SecurityFocus). Using the flexibility of languages like AspectJ, developers can choose the most appropriate layer (i.e. application design layer, not OSI stack) to protect their applications. A critical feature is that you are working with data as the rest of the application server sees it — in its most canonical form. Unlike Servlet filters, AOP can be used to protect other interfaces like SOAP interfaces, RMI connections, etc. Developers can also to choose to delve much deeper in the code and protect, say, the basic Value Objects representing the application’s data types by intercepting calls to the setter methods.

With a WAF, you can protect against SQL injection by stripping out malicious characters; with AOP, you can strip out those characters and additionally throw an exception/error anytime a dynamic SQL method is invoked. Perhaps more importantly, WAFs are almost useless at protecting against whole classes of vulnerabilities (e.g. missing server-side authorization on some critical functions) whereas AOP is extremely useful (e.g. transparently adding authorization checks to the actual business methods, independent of which interface they are called from). What’s amazing about AOP is that you can implement these changes without actually modifying the source code — one of the primary advantages of WAFs.

Is AOP always more appropriate than WAFs? Well, not quite. Similarly, WAF and AOP can protect applications when raw source files are unavailable. Both also require at least some application-level knowledge. However, AOP typically requires a deeper understanding than WAF. Without prior AOP experience, the off-chance of an implementation mistake is more likely to occurr with AOP than with a WAF.

WAFs are probably a better fit to protect those apps that are developed externally and/or for which you may not have the code/skillset to understand its internal workings. AOP is not an easy sell because it’s poorly understood by most of the IT community. Don’t expect the PCI data security standard to say “perform code reviews, use an application firewall, or implement security through aspect oriented programming” anytime soon. Another roadblock is that while AspectJ has been around for 11 years, few of the other aspect-oriented languages enjoy quite the same maturity and support.

All that being said, I’m sure Andre has made you aware of many of the shortcomings of WAFs (at least, compared to how they are being marketed). AOP is gaining traction in the developer community, as well as for security specific toolkits (check out Spring Security and see how they use AOP to implement method-level authorization). Later this year, we’ll be hosting an open source project on useful security AOP aspects at Security Compass. For the time being, make sure to at least consider AOP as an alternative when modifying existing source isn’t an option.

Looking forward to Black Hat 2008 [Network Security Blog]

Posted: 26 Jun 2008 10:33 AM CDT

Black Hat 2008 is fast approaching, and I’m really looking forward to it. And as a bit of a teaser, there’s a “Forbidden Sneak Peek” webinar this afternoon. Unluckily, I’ll be boarding a plane somewhere about half way through the presentation, but I’m hoping to get a good enough signal in the airport to at least watch the beginning of the event.

I’m also looking forward to seeing a lot of friends and security professionals I only get to see a couple of times a year. Christofer Hoff will be giving a talk on virtualization; there’s a strange rumor that he may be doing it as interpretive dance. Jeremiah Grossman is co-presenter on all the dangers of Web 2.0 and the dangers of the business logic presently in use. Hacker Court will be in full swing once again, I just hope there are no pictures of Simple Nomad this year. And Johnathan Squire will be giving a talk on UPnP, which will probably go over my head, but will be full of energy and information none the less.

There’s also going to be a lot of opportunities to talk to other security bloggers and podcasters throughout the week. Alan will be there, Mike Murray better be there, and I’m hoping some of my friends like Michael Farnum and Cutaway will be able to drive up from Texas to visit, especially since Cutaway is organizing a team for the L0st challenge at Defcon over the weekend. It’ll also be the second time Rich and I have had a chance to meet face to face since we started podcasting together.

Speaking of podcasting, Rich and I are starting to formulate our plans for the event. We got a lot of positive feedback from the ‘microcasts’ we did at RSA 2008 and we plan on doing more of the same for Black Hat and Defcon. Rich is helping out at both events and I’ve applied for a press pass, so we should have some really good opportunities to interview speakers and other interesting people at both events. I’m going to take my Canon HD video camera in addition to my H4 Zoom, so I may even get more video this year. I know I’m going to be taking time to hang out at the Lock Pick Village again, especially since that ended up being some of the most popular video I ever did.

Black Hat and Defcon are both great opportunities to learn, meet people, and generally have a great time. Not to mention get a little drinking in at night. Really, please don’t mention that last part to my wife and kids, who might end up joining me for a day or two in Vegas. Well, at least they’ll be there somewhere while I learn, meet people, drink and have a great time.

New blog theme [InfoSecPodcast.com]

Posted: 26 Jun 2008 10:06 AM CDT

I’ve been working on a new theme for the blog. Please let me know what you think of the new theme!

Thanks!

–Chris

ShareThis

Twitter + Security = Security Twits [InfoSecPodcast.com]

Posted: 26 Jun 2008 09:29 AM CDT

When I first read about Twitter I didn’t see much value in it for me. It wasn’t until I started using it last year when I saw the usefulness for me. Twitter is an interesting communicaiton tool. I call it a cross between an IM client and a Bulletin Board. There are a lot of informal groups that use twitter. One of them is the Security Twits.

Security Twits are people in security related jobs, companies, etc that use Twitter. We can thank Jennifer, aka Mediaphyter, for the name and the original blog post on the Twits. It’s actually a pretty impressive list of security folks using it.

If you have not tried Twitter you should. You may just find it useful if not downright addictive.

– Chris

[/TAGS] Twitter, Security, Security Twits [/TAGS]

ShareThis

The Daily Incite - June 26, 2008 [Security Incite Rants]

Posted: 26 Jun 2008 09:23 AM CDT

June 26, 2008 - Volume 3, #60

Good Morning:
I know the exact moment that I lost my taste for math. It was sophomore year of engineering school in my 4th semester of calculus. The lesson for the day was to figure out some wacky theorem on how to calculate the area on the inside of a sphere. WHAT? Right, I would much rather have been drinking beer, but I decided I wanted to study engineering - so I persevered.
Even the pooch loves calculus
Now I have a lot of respect for the folks that are actually interested in counting things in Angstroms and calculating the resistance of a nanotube. These folks have come up with some of the great innovations of our time. But I've also come to appreciate the fact that high level math isn't that interesting to me.

Yet, my disdain for math can be a bit of a challenge at times. Last week I was ranting about how expensive gas is, and many of you sent me comments and even pictures showing how crazy prices are where you live. I appreciate that.

So earlier this week, I decided to do my part and search around for a cheaper tank. Not a cheaper ride, like a Prius or something. As much as I like the new car smell, the idea of dropping $30K on a new ride right now is distinctly uninteresting - if only to save a few bucks at the pump.

So I figured I would drive over to my local Costco and fill the tank. Everyone knows Costco has the cheapest gas around, no? So I diligently left Starbucks, checked out the price of premium at the gas station that I passed on the way ($4.29) and then drove about 10 minutes to Costco.

Drum roll please... The price at Costco was $4.24. That's right, I saved a nickel a gallon - which for the 14 gallons I needed, added up to a whopping 70 CENTS. Yes, I should pay more attention to the math. Between the 30 minutes of wasted time driving out of my way and the extra gas I burned to hike over to Costco - I probably lost money on the deal.

And that is one of the problems we all suffer. It's context. We (OK, I won't speak for you), I mean I get fired up about something and then engage in a Pyhrric victory that ended up having the exact opposite effect. Maybe the law of unintended consequences is rearing its wily head or something like that. But I'm going to try to take a deep breath before I go on my next wild goose chase to save less than a buck.

Have a great weekend.

Photo: "NooNoo studying calculus" originally uploaded by __dino__

Technorati: Information Security, CSO,Security Mike, Internet Security

The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"

www.pragmaticcso.com

Get Your Special Report:
6 Easy Steps to Protect Your Identity
and
get access to Security Mike's Portal today

www.securitymike.com

Security Mike's Guide to Internet Security

Top Security News

More VirtSec ramblings
So what? - Hype begets more hype and we are certainly seeing VirtSec as front and center in the hype cycle. Which is fine, it is what it is. Again, just because I don't see a near term revenue opportunity for all the vendors that are trying to focus (and push on the string) on it, doesn't mean it's not an issue or that we should be thinking about how to architect our environment to make it secure virtualization-friendly. TechTarget figured out a way to get Matasano Thomas to put pen to paper and bang out a tip on building security into a virtualized server environment. Read it and think about it. The idea of not running financial applications on virtualized shared hosting is a bit of heresy, but it's certainly something to think about. It also seems that virtualization is front and center at Burton's annual soiree. They are beating the drum for solving the operational issues of virtualization, as opposed to throwing the latest security widget at it. At least many of the talking heads are in agreement about that. Which means it's probably wrong, but we'll play it out for a little while anyway.
Link to this

Finally, a use for that certification
So what? - It seems the US Feds are now putting the final touches on a new mandate that will require a security certification for workers in civilian agencies. This actually could have far ranging impacts on the security education market, in that these certifications would have to be accredited by the Feds to be accepted. Then you'd have a huge demand for all the security professionals out there to get their papers, so they can continue to work. We all know there is very little correlation between certifications and competency, right? So is this about improving security or putting a bunch more beaurocrats to work to administer these kinds of ridiculous programs. I guess when the current administration decided to throw billions after security, they didn't specify between products, services or education. Arghhh. Not to be a conspiracy theorist, but it seems that SANS is pretty well connected in the halls of the Beltway and they would be probably the biggest beneficiary of this kind of mandate - no? Too bad I don't eat meat anymore because this is going to be quite a pork barrel.
Link to this

Encryption + DLP = Not new
So what? - Hmmm. It seems that the "newest" capability of DLP is encryption. You mean you'd actually want to protect data at rest, and that you'd maybe think about encrypting a mail message or file with confidential information in it BEFORE it hits the big, bad Internet? Of course you would, but I don't get what's new about this. The email security gateways have done outbound filtering for years. They've also had partnerships with the encryption vendors to actually remediate on the policy violations detected by the filters. I've called the outbound email (and web) filtering stuff "poor-man's DLP" and they've been doing encryption, so is it a surprise - or even novel - that the DLP vendors are jumping on that bandwagon? And is this new even for them? It's not. Through the wonders of a 10-second search on Google, I found a partnership release from PGP and Vontu. Right, it's dated May of 2005. That's pretty new.
Link to this

The Laundry List

Barracuda tries to keep the FIRE alive by raising it's offer. The response is a cold bucket of Burris. - Sourcefire release
Deal: Proofpoint buys Fortiva to get access to the email archiving market. Guess they are doing more than just hiring all the old Postini and CipherTrust folks with all that money they raised. - Proofpoint release
Why do they have to keep reminding us how big they are? Jaquith ponders the issue. I think it's about self-esteem. Real winners don't have to tell you they are winning. - Yankee Group blog
Wait, an integrated endpoint agent that does systems management, security and backup? Took you long enough Big Yella. Or maybe Old Yeller is a better moniker. - Symantec release

Top Blog Postings

You've got no privacy - get over it
I know a lot of folks like to don their Privacy Suits and take on the role of fighting for the rights of all mankind, but ultimately it seems futile. I know Martin just soiled his pants at the thought (I just hope it wasn't his purple suit), but unfortunately it's true. There is data everywhere and lots of unscrupulous folks ready, willing and able to take advantage of it. Check out this post from Mark Gibbs about how easy it is for a collection agent to get all sorts of information about you or to look at some indirect methods of finding you. It's true that I don't like most people, but I really don't like collection agents. These folks couldn't care less about anything, except to get the money they think you owe and to pull their rather hefty fees off the top. They use sophisticated databases and mining tools to try to find connections to track people down. And this stuff is legal. Yeah, forget privacy - start monitoring all your financial accounts. Your information is digitized and stored in just too many places. There is no way to keep it safe. And on that cheery note, go use your credit card some more...
http://www.networkworld.com/columnists/2008/061908-backspin.html
Link to this

How do you define compliance?
You know, it's that thing I sort of have to do to stay in business, right? This interesting post on the RSA blog goes about trying to define a nebulous concept. Of course, they point out that most folks think compliance in terms of regulatory compliance. But we had rules and policies before we had regulations. Isn't that compliance as well? I like the definition of compliance: "the act of conforming, acquiescing, or yielding." Right. Yielding is one of my favorite things to do. Up there with root canal and athletic cup testing. That is pretty much what we are forced to do. Regulatory compliance has forced the world of security to adopt the lowest common denominator. It's all about passing the audit - NOT protecting the information or the intellectual property. Sad but true. What's the difference between a mediocre and a great security professional? Not a hell of a lot, to be honest. The great one's do just a little bit more than the lowest common denominator, and thus are not the low hanging fruit for the bad guys. But alas, this LCD-itis (as in lowest common denominator) is how most overhead functions are treated. So the secret? Make sure security isn't perceived as an overhead function - even though it really is. No, I'm not talking out of both sides of my mouth - I'm just being Pragmatic.
http://www.rsa.com/blog/blog_entry.aspx?id=1295
Link to this

The evolution of threat modeling
As Shostack shows that his day job isn't necessarily pointing out chaos, he comes to the conclusion that threat modeling is not just one thing, but many things and really a process to figure out "what could go wrong." That would seem to me to be a pretty important way to think about pretty much everything. Sure there is the formal threat models that can and should be built early on in the app development process (and what Adam calls SDL Threat Modeling), but it should also apply to everything else. You may not have to build a formal, documented threat model, but anytime someone asks you to do something - you should be thinking about what can go wrong and how to avoid it. A lot of us (that have a reasonably mature security mindset) already think this way. At least now we have a term for it, as opposed to paranoia and general grumpiness. I'm not grumpy - I'm a threat modeler! I wonder if the Boss will buy that one.
http://blogs.msdn.com/sdl/archive/2008/06/17/sdl-threat-modeling-past-present-and-future.aspx
Link to this

Security Briefing: June 26th [Liquidmatrix Security Digest]

Posted: 26 Jun 2008 08:11 AM CDT

OK, the database cluster is back up and playing nice after its petulant episode.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

MoD implements new data security measures | PC Advisor
Do natural human traits make us more vulnerable to computer malware? | Hexus
The staff, the thief, the device and its data | Network World
Credit card firms wave stick at retailers | The Australian
Merchants call credit card industry’s bluff on compliance | The Register
Chairman: Computer Hacking ‘Much More Widespread’ | WYFF 4
Fired Houston organ bank worker accused of hacking into system | Houston Chronicle
PCI standard ‘ignores’ insider threat | vnunet
Student suspended after hacking emails | Stuff NZ

Tags: News, Daily Links, Security Blog, Information Security, Security News

White House Refused to Open Pollutants E-Mail [Liquidmatrix Security Digest]

Posted: 26 Jun 2008 07:54 AM CDT

This is by far one of the more asinine things I have read in a while and speaks volumes to lunacy in the White House. The WH refused to open an email that was sent by the EPA because they disagreed with the conclusion that greenhouse gases are pollutants.

So, they played three monkeys and said, “la la la, I can’t see it. la la la” (not an exact quote) But, that’s not where the absurdity ends. The EPA could have sent a printed copy and that would have been the end of it.

Nope.

Instead they rewrote the conclusions to make more palatable for the dunking bird-set. Email has always been a best effort tool that has morphed into business critical function over the years. But, to say they wouldn’t open an email…wow. Remember folks, if you are a Republican or Democrat be sure to VOTE. You have a responsibility.

From NY Times:

Over the past five days, the officials said, the White House successfully put pressure on the E.P.A. to eliminate large sections of the original analysis that supported regulation, including a finding that tough regulation of motor vehicle emissions could produce $500 billion to $2 trillion in economic benefits over the next 32 years. The officials spoke on condition of anonymity because they were not authorized to discuss the matter.

Both documents, as prepared by the E.P.A., "showed that the Clean Air Act can work for certain sectors of the economy, to reduce greenhouse gases," one of the senior E.P.A. officials said. "That's not what the administration wants to show. They want to show that the Clean Air Act can't work."

November can’t come soon enough.

Article Link

Can The Gov Be Trusted With Your Personal Data? [Liquidmatrix Security Digest]

Posted: 26 Jun 2008 07:44 AM CDT

Survey says…(insert buzzer noise)

Faith in the (UK) gov’s ability to securely manage personal data is out the window.

From Reuters:

The inquiries followed Britain's biggest data loss scandal, when two discs containing child benefit records, including names, addresses and bank details, of some 25 million people, went missing after being put in the post by a junior employee.

The reports concluded that it wasn't individuals who were to blame - some 30 were officials played some role in events leading to the loss of the discs - but institutional and systematic failures at Britain's tax authority.

But the HMRC is not alone in such security breaches. A separate report into a stolen laptop containing the details of 600,000 potential recruits revealed similar failings at the Ministry of Defence. In all, four MoD computers had been stolen since 2004 and the report said the MoD was probably in breach of several principles set out in the Data Protection Act.

Well, where do you stand? Do you trust your respective government not to punt on data security?

Read on.

Article Link

Security Certification Rules Could Shake Up IT Mgmt [Liquidmatrix Security Digest]

Posted: 26 Jun 2008 07:33 AM CDT

This seems to a well intentioned but, misguided attempt by the Office of Management and Budget. They are attempting to establish minimum requirements for professional certification for IT workers.

Hmm.

From GCN:

"This is a change we have not faced in the IT security industry before," he added.

The closest parallel has been in the Defense Department, which anticipated OMB's reaction in this area. DOD's Directive 8570 on information assurance, approved in December 2005, requires all of the department's information assurance workers to obtain an accredited commercial certification in computer security. DOD has approved 13 certifications for the directive.

The DOD requirement already has thrown what one conference attendee called a giant monkey wrench into the IT security manpower market.

"If OMB issues a similar requirement, it's going to throw the supply and demand curve even more out of balance," he said.

Datesman agreed, saying it probably would take years for the supply of certified workers to catch up with demand. A CISSP certification requires five years' experience. "You don't mint them out of college," he said.

OK, this is where this trolley leaves the track. I have met CISSP certified folks that I would wager they’d be lucky to fight their way out of a wet paper bag. “Don’t mint them out of college” is a phrase that I’d argue. I would offer that the ISC2 should start auditing certified members. The validity of the CISSP cert is becoming diluted in the eyes of the market.

A picture is worth a thousand words.

It’s great for the mandatory HR tick box but, how many of these folks actually have the ability? Sure they can memorize some flash cards and pass a test but, are they effective? Some, not so much.

On the face of it this is a good idea.

Like all good intentions, they make great paving stones on the road to hell.

Article Link

Landing Blogsecurify [GNUCITIZEN Media Portfolio]

Posted: 26 Jun 2008 03:45 AM CDT

During the last couple of days we combined forces with Blogsecurity.NET in an effort to improve their online Wordpress vulnerability scanner. The result of these efforts is our new initiative called Blogsecurify.

Blogsecurify was created to help individuals and organization to secure their blog infrastructures by testing them against a set of security tests. The project is still in alpha stage although I am quite happy with the actual framework which I believe is the only one of its kind. The same framework will be used for several other initiatives but I will talk about them when their time come.

Week of War on WAF’s: Day 3 — Language specific [tssci security]

Posted: 26 Jun 2008 02:15 AM CDT

This post comes via WAF thoughts from Christian Matthies’s blog circa one year ago. Christian starts out with a bang:

[…] it seemed to me that quite a lot of people aren’t aware of how effective such solutions in fact are. Basically I agree that different layers of protection [are] always a good idea to get at least close to a status that can considered to be secure.

In christ1an’s post, The real effectiveness of current WAF, he speaks rather positively about WAF technology, but ends on a rather sour note:

[…] these solutions are actually doomed to fail by design […] unless a Web application firewall is implemented exclusively for a specific language, it is very likely to be insecure and therefore using them should be well considered.

He makes some interesting points that you should certainly check out. Best — this jives with what Fortify research on dynamic taint propagation discussed in their recent OWASP AppSec EU 2008 presentation, Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking [PPT] – and paper, Watch What You Write: Preventing Cross-Site Scripting by Observing Program Output [PDF].

christ1an seems positive about Mario Heiderich’s PHPIDS Monitoring attack surface activity [PPT] web application attack `detection’ work (also presented at OWASP AppSec EU 2008). Fortify, on the other hand, seemed bullish on the CORE GRASP attack `prevention’ project (also for PHP).

With regards to XSS and SQL injection attacks, this work is nice because as some of us know — neither attack is primarily about input validation. SQL injection is a software weakness that can be prevented through parameterized queries with binding of all variables (thanks, Jim Manico, for this verbiage). Cross-site scripting (and particular variations such as HTML/CSS/JS injection) is a software weakness that can be prevented by output encoding (although for exhaustive methods, check out the work by Arshan Dabirsiaghi in the OWASP AntiSamy Project).

Now if we could only start to talk about the other 600+ software weaknesses and their root-causes and strongest defense strategies.

Links for 2008-06-25 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 26 Jun 2008 12:00 AM CDT

And this is why I like ScribeFire [Network Security Blog]

Posted: 25 Jun 2008 11:52 PM CDT

Yesterday I complained on the blog that ScribeFire had been acting funny and eating parts of my post. Actually, in a lot of cases, it had been the majority of the posts it ate. Later in the morning, I got a comment on the post from Christopher Finke saying they think they know what it is. That’s cool. Today, I got some new code to test out and see if the same thing is still happening. Now that’s really cool.

If you haven’t guessed yet, I’m writing this post to try to recreate some of the conditions that have caused me previous problems with ScribeFire. I started the post, wrote a few lines and then changed tabs in the right window. If the problem isn’t fixed, I’ll probably get the first line of the post and nothing else will show up. I’m keeping my fingers crossed as I hit the Publish button.

My Theory: Apple is making a huge push for Enterprise [Random Thoughts from Joel's World]

Posted: 25 Jun 2008 10:59 PM CDT

I've said it before a couple times, and especially recently in the SC Magazine Podcast and the ISC Podcast that I did last night, I believe Apple is making a big push for the Enterprise. I also believe that Microsoft's focus is changing. I can't really explain what I mean by that yet, but I definitely think they are taking the emphasis off of the fact that they are a desktop operating system for everyone. Anyway, back to Apple.

Let's look at a few examples.

1) iPhone / Exchange compatibility -- Apple is finally going to have the ability to natively communicate with Microsoft Exchange on the iPhone. This alleviates the need, like RIM, to have a separate server on your network that you have to maintain in order to have email functionality on your phone. Plus, and the less noticed thing is, this is really the first big time, and certainly the big time that a major competitor to Microsoft has had native functionality with Exchange. I think Microsoft is going to concede a bit of ground with the Desktop in order to stay with their core market, and that's running the big business infrastructure. But still, this is huge.

2) Snow Leopard will have native Exchange functionality. Address Book will be your GAL, Mail will have native functionality with Exchange email, and iCal will function via the Exchange Calendar. While you have been able to do with with OSX Server for a bit now, vastly more companies already have Exchange/AD within their enterprise.

3) Things like this. A seminar to teach business users how to use a Mac within your enterprise. Worth a quick watch if you are thinking about switching to the Mac.

Just a quick theory, but I may have something here.

Subscribe in a reader

Making the switch … back! [untangling the future...]

Posted: 25 Jun 2008 07:03 PM CDT

So about 6 months ago I decided to finally to go Mac. I had been driven to the edge by Outlook on Windows - possibly the worst piece of code ever crafted. I had just suffered too much at its mercy and I would try anything to escape. So after years of sh*t-talking about Mac - I swallowed my pride and jumped in with both feet. Because at the time we were running Microsoft Exchange I couldn’t go with Linux on the laptop (no usable exchange client) and I’d always have my linux desktops nearby should I need to get any work done; so there was little risk to swapping the Windows laptop for a shiny new Macbook Pro.

First I endured a large amount of [deserved] ridiculing from all of the mac users that I had been torturing for years, but ultimately they seemed glad to convert another user - one more soldier on the good side. Next I endured a bit of discomfort as I relearned many common tasks that I had learned to accomplished on other OS’s but was clueless for Mac. But after a few weeks I found an environment that was delightfully better than Windows and truly innovative in some areas (like QuickSilver).

After a few weeks I started hitting some usability roadblocks here and there that I strongly disagreed with. I’d google or ask other Mac users about their solutions to these issues and would always receive a similar answer: “Why would you want to do that?” or “You shouldn’t be doing it that way anyway.” Thats fine - so I’d go off and look for a workaround. Unfortunately, because of Apple’s lack of transparency and lack of customizability - I usually found myself out in the cold. Eventually I found myself with this mountain of usability issues and no workarounds that really impeded my day-to-day use. I was back in the same position I was with Windows.

The problem was not the software, but the Apple’s and the Apple community’s attitude. The attitude is that if users want to do something the “non-blessed” way they are confused or incorrect. Want two mouse buttons on your MacBook Pro? “You can do that this other way.” Want to play music without storing your whole library in iTunes? “Why would you want to do that?” Want to use something besides iTunes to load your iPod? “Thats silly.” Want to run on different hardware? “Thats a bad idea.” All this was happening while Apple was clamping down on iPhone modding. Its total lack of transparency (both through code and legal action) assured that you did things their way and *only* their way. I’ll be the first to admit I’m not Apple’s target market (nor should I be), and ultimately their extreme efforts to prevent myself and others like me from improving and customizing their product was a deal killer for me.

Apple is not delivering an OS, or hardware, or even software. They are delivering an end-to-end technology experience, and if you are willing to just go with their experience you’re in good shape, but if not - you’re screwed. Apple is for people who are willing to buy into one way - their way - of doing things. Its purely the Apple way or the highway. Ironic given their 1984-esque commercial that implies Apple is for people who wanted to break the mold. Undeniably Apple has made some great choices with its harnessing of open source which contributed to my decision to switch, but its foolish to not recognize *why* those open source projects were successful in the first place. Unfortunately, should Microsoft users switch to Mac they can expect a better user interface but a more confined experience.

Meanwhile, we had switched from Outlook to Zimbra freeing me from the exchange client constraint. I promptly made the switch back to Linux on my laptop (a new Thinkpad). The mac users that had been so glad to receive me just shook their heads. It had been a year or two since I had used Linux as my default laptop, and I was delighted by how easy it is now to install the new Ubuntu Hardy. I was also delighted by how I could drastically customize and change the environment to my needs. Its not as *easy* yet, but its more *usable*. (That is there is a steeper learning curve but ultimately after climbing that curve leads to a more productive environment for those willing to make the climb)

If you’re willing to put your user experience in the hands of those at Apple, getting a Mac may be a great solution for you. Ironically, if you really want to “think different” there are many better options like Linux (or even Windows!).

11 Signs That Your SIEM Is A Dog or "Raffy, You Killed SIM!" [Anton Chuvakin Blog - "Security Warrior"]

Posted: 25 Jun 2008 04:40 PM CDT

Prerequisite: read this (thanks Raffy). Stop reading right before you reach the last line though :-) Then maybe read this too (thanks anonymous).

Next, insert appropriate morbid jokes <here> for "IDS is dead", "NAC is dead", "GRC is dead", everybody is dead... WTF? Are we at the cemetery or what? Is "dead" dead? Yeah, but it came back as a zombie :-) So, "dead" is a "living dead" "dead" now. Ha*3.

Finally, think! Why were you thinking of buying a SIEM? 'Cause the big "G" in the sky said so? And while you are thinking, check these fun points out:

Does your SIEM require 17 beefy servers to operate? How many gallons of foreign oil have to go up in smoke to power that mammoth up? And you know what happened to mammoths, don't you?
If your "high-performance" SIEM appliance can only run 5 correlation rules at the same time, what "high" do they mean, really? Hold this thought....
Is five field engineers, two developers and CTO enough to install it? Who else needs to help? Ah, sorry, I missed the DBA :-)
Do you know when "If CustomVariable17 = Value5" condition matches? Will you still remember it in a year?
Can you tell "taxonomy" from "ontology"? You can now? Good for you. Are you more secure now? More efficient? Compliant?
How many shifts of security analysts do you have watching the shiny consoles 24/7? If zero, then why - oh - why those consoles are running in the first place? "If a tree falls..." - you know how this one ends. Correct! You get hit by the bough.
When was the last time you built a custom agent for parsing and normalizing, say, SAP logs? Did it work? What did you do after it didn't? Cried? And did it help? Then a burly vendor SE showed up, charged you $37,600 and left? Happy now?
Do you automatically correlate IDS/IPS alerts with vulnerability data ... for client-side attacks? Really? :-)
There are dozens of firewall, IDS/IPS, router, etc brands, each with its own log type. This is actually simple! But there are thousands upon thousands of applications in use today. Some have logs. All are different. Care to build rules for that? Now you finally know why SIEM vendors don't parse their own Java logs (no shit!)
Do you know what "threat x vulnerability x random()" equals to? Yup, it still equals random(). Automated prioritization, you say?
Do you know why some SIEM vendors are migrating to IT GRC now? So they can go and die there ... quietly.

All in all, I have to agree with Raffy to a large extent! The world has evolved - and SIEM has not. It might not be dead (as old attacks and defenses never really die and large organization still build and man massive SOCs where SIEM is "a must"), but in this age of web application hacking, CSRF and XSS, phishing, PCI DSS, massive bot armies, client-side 0-days, stealth malware, etc, paying $x,000,000 for a pile of ugly Java code is insane ... As a result, SIEM has greatly diminished in importance and has become just one small thing you might do with logs and some other data. What made it so? Mostly implementation complexity - but a slew of other factors mentioned above as well.

So, consider this instead:

Compliance? "Sorry, buddy, you need this for compliance, not that. "
Want to simplify your incident response? Get log management and fly through all your logs, not crawl through some of them.
Have a very real need to dig into your logs for troubleshooting or tracking that pesky user? Log management works.

Now, what if you have a latent and vague desire to "correlate something" and a million nice greenbacks to flush down the drain? OK, go get your SIEM toy for $780,000 + 20% maintenance/year ... a true bargain (price valid today only).

Finally, I would like to end this on an optimistic note. Do we need more intelligence to analyze the log data we have collected? Of course! Do we have a widest set of log use cases from today's security to tomorrow's regulations? You bet. And, for you Raffy, I'd add "... we also have other data to analyze together with logs." So, can we "reinvent SIEM?" Yes, I think so! It just hasn't been done yet ... For now, just use log management.

Technorati tags: SIEM, SIM, SEM, log management, humor, security

Back Office Fun [Liquidmatrix Security Digest]

Posted: 25 Jun 2008 02:28 PM CDT

Sorry for the lack of updates today. Our backend database cluster decided to fall on its sword this morning and we’re cleaning up the mess. We’ll be updating content again tomorrow first thing. Unless of course I happen to I feel froggy after work then I’ll tackle some updates.

Thanks for the emails. All is well.

Nothing to see here. Move along.

FBI gets involved in the Indiana bank security breach [spylogic.net]

Posted: 25 Jun 2008 12:15 PM CDT

This is a story that keeps getting more interesting...

I have been closely following the news that I blogged about last week regarding 1st Source bank of Indiana that fell victim to a pretty serious security breach. 1st Source ended up reissuing their entire credit card portfolio to their customer base.

The latest news is that other banks in the Indiana area are now reporting that their customers are reporting fraudulent transactions. The link is that all of these other bank customers used 1st Source ATM's around the same time the breach happened. From the IHT article:

"Bank officials said the victims they know of appear to have all used 1st Source Bank ATMs during the first 10 days of May. James Seitz, 1st Source senior vice president, said officials from his bank met with officials from other financial institutions on Wednesday to discuss the situation.

"As we're piecing this puzzle together, it appears that there may be a common thread," Seitz said.

A security consulting firm alerted 1st Source about a computer breach on May 12. The bank shut down its computer system and contacted authorities. Two weeks ago, 1st Source sent letters to customers asking them to monitor their accounts for suspicious activity."

I'm starting to suspect that the ATM's themselves were compromised or the bank's back end servers were compromised as well. From what I know about PIN storage, the PIN information in Track 2 data (this is the data that was reported stolen) on a credit/debit card does not have to be encrypted (however it can be, just not required by the ISO standard) so either a card "skimmer" device was used (physically attached to the outside of the ATM's) or this Track 2 data was pulled off the wire perhaps using a network sniffer installed on the ATM's. It could be similar to the Dave & Busters security breach that happened a few months ago. Whatever method was used, it was enough to replay this data to a bunch of fake ATM cards and start withdrawing cash and/or charging items from locations overseas. Hopefully the public gets to find out what really happened once 1st Source get's their act together.