Spliced feed for Security Bloggers Network |
More UPnP Hacking Fun with Google Media Server [GNUCITIZEN Media Portfolio] Posted: 27 Jun 2008 04:31 AM CDT The fun with hacking UPnP enabled devices has just began. We’ve started our exploration in the fields of UPnP earlier this year with some smoking posts which covered some basic attacks and the advance flash attacks. Today I stumbled across Google Media Server, a desktop gadget which allows you to share all your laptop/desktop media content with all other devices you may have locally such as your phone, xbox, TV, and I suspect, your fridge. And all that via UPnP. That, I like very much. I guess I will repeat myself, but I will say it one more time: Do not use Media Server on your home WiFi network or your corporate laptops unless you are completely aware of the risks involved. | ||
Links for 2008-06-26 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"] Posted: 27 Jun 2008 12:00 AM CDT
| ||
Today’s Partnerships are Tomorrow’s Liabilities [Trey Ford - Security Spin Control] Posted: 26 Jun 2008 11:08 PM CDT "…so here's the thing. If you can't spot the sucker in your first half hour at the table, you ARE the sucker." Let's say that your company, from an information assurance perspective, really has its act together. Even your education and awareness campaigns are paying off, you've got security testing gates in the SDLC, new software [...] | ||
Review: Dropbox [Random Thoughts from Joel's World] Posted: 26 Jun 2008 11:00 PM CDT For those of you that haven't heard of DropBox, it's essentially a synced drive that is stored on DropBox's servers (in the cloud). Any file you put here is automatically synced to all the computers that you have the Dropbox software installed on. Sort of like push email, but for whole files. Signup was easy (I was given a beta code number), and took about 3 minutes from signup to download of the software, to installation, to the syncing of my first file. Files are instantly synced and are very easy to tell the status of the sync by looking at the icon on the top of the screen (on my mac) as you can see in the below example. A small unobtrusive icon that has the two arrows syncing when a file is being transferred. Once all your files are sync'ed and the status is good, the icon will look like this: So it's very simple to be able to see the status of your sync at any time. How easy is it to drop files and get them uploaded? See the DropBox folder the software installed? That's all there is to it. You can also upload and manage the files via their web page. Here's a screenshot of the webpage with a file I uploaded (the backup of my Address Book) Dropbox has software for both Windows and the Mac. Linux is excluded, however, I am sure you could use the web GUI to get to your files. Now the obvious thing for me is, since I'm a Mac user is, how is this different from iDisk? Well, one thing that is the most different, is files are pushed to the remote systems. So if I upload a file at home, and at work on a separate computer I have the software installed the file will be pushed down to the local machine. iDisk at this time requires a manual sync, which of course, can be automatic, but it's a bit different than a push. I don't know if this will change with the MobileMe roll out from Apple in the beginning of July, so we'll see. It appears as if you get 2 Gb of storage in the beta program, I imagine with tiered pricing once they come out of beta, there will be more storage. But that remains to be seen. As for security all connections with the Dropbox servers are SSL encrypted. All file transfers take place over 443, and you can navigate to it via https. Now, being as I am security guy, what kind of security risk does this pose? Well, no more than any other cloud storage option, however, since all traffic takes place over https/ssl/port 443, this will easily transverse proxies and other web limiting devices. Which is good for ease of use, not so good for people trying to keep their files on their networks without your employees opening (basically, uh, yeah) a backdoor into your network introducing files into your network. But again, it's no different from them bringing in a thumbdrive or using some other cloud storage service. Overall, I think it's excellent, setup was easy and intuitive, and the software was easy to use. Cross Platform integration is great, and am glad to see that someone is doing cloud storage well. I have 10 invites to Dropbox, so if you are interested, please leave me a message in the comments. I'm not going to give any invites to "Anonymous" so if you are interested, you have to have a name. :) | ||
Why go to Black Hat? [spylogic.net] Posted: 26 Jun 2008 09:04 PM CDT I am writing this blog post as part of the Black Hat Bloggers Network topic of interest #2. I guess you could say I am somewhat of a Black Hat n00b! This will only be the second time I have attended Black Hat in my security career. I have been to quite a few security related conferences in the past (most of these involved training as well as conferences all integrated into one event like SANS Fire) but since coming back from Black Hat last year I discovered the value of attending a conference like Black Hat. Three things come to mind as to why someone should go to Black Hat: 1. Great speakers! Seriously, if you want to "be there" when new vulnerabilities and exploits are released to the security community by some of the greatest security researchers in the world...that's Black Hat! I liked how conference attendees were able to "vote" in advance for selection of the talks this year. I felt this added real value to the great speaker line up for this years conference! 2. Good mix of "black hat", "white hat", and everything in between (gray hat) attendees. With a little more on the side of "white hat". This adds to the whole energy of the conference and allows some good networking opportunities. Black Hat is probably the one security conference where your company won't think you are just going to another "hacker con". For example, you can say to your boss "Hey, they have a vendor show with XYZ company that will be there!" Lucky for you if you are using the security product of XYZ company. Not to mention XYZ company will get you a pass to one of the cool after parties (for more networking of course...). :-P 3. Free admittance to DefCon. As a paid Black Hat delegate you get into DefCon for free! How can you beat that? Stay at Caesars Palace in a luxury suite the whole week and attend one of the best hacker con's in the world! I could do a whole post on how great attending DefCon is but in short it's awesome to see even a more diverse crowd then Black Hat of the good, bad, and the plain ugly! Not to mention the "spot the fed" and all the other fun games and activities unique to DefCon. Can't wait to go this year and to also network with some of the other bloggers in the Black Hat bloggers network! Hope to see some of you there (and at DefCon 16). | ||
The Internet is a public place [Network Security Blog] Posted: 26 Jun 2008 07:42 PM CDT Some time in the distant past, or maybe just a couple of years ago, I signed up for the US-CERT Cyber Security Tips mailing list. Every week they send out an email concerning online security, targeting the average home user with a simple concept they should be able to digest fairly easily. It’s not something that’s going to educate most of the professional paranoids who hang out and read a blog like this one, but it is usually a subject your parents or non-technical friends can learn from. This week’s mailing is “Guidelines for Publishing Information Online“. To quote their own synopsis, Remember that the internet is a public resource. Avoid putting anything online that you don’t want the public to see or that you may want to retract. If you’ve reading the blog or listening to the podcast, you’ll probably have seen me use words very similar to that a number of times. Especially when Uncle Mike Rothman tries to get me going on a subject like privacy. Privacy isn’t dead, but the vultures are gathering and it’s up to each and every one of us to safeguard our own privacy by being aware of what we put on the Internet. ‘Cause once it’s out there and Google’s indexed it, you’ll never get that piece of information back in the bottle. Isn’t it funny when someone who blogs as much as I do says be careful what you put on the Internet? | ||
If you liked the game theory stuff... [NP-Incomplete] Posted: 26 Jun 2008 07:42 PM CDT | ||
You Are "A Security Idiot" If ... [Anton Chuvakin Blog - "Security Warrior"] Posted: 26 Jun 2008 07:33 PM CDT ... you:
To be explained later :-) | ||
OMG: 30 years of AD&D [Network Security Blog] Posted: 26 Jun 2008 12:35 PM CDT I just had a startling realization: This weekend marks thirty years that I’ve been playing Advanced Dungeons and Dragons. How do I know? Because this weekend is my birthday and I spent all of my birthday money from my 12th birthday on buying the only D&D book that was out at the time. Or at least the only book at my local store, Toy and Model. I’d received the blue box set of Dungeons and Dragons the Christmas before, but quite frankly had no one to play it with. I’d been playing with my childhood best friend, Fred Zeiber, but it’s hard to play a game like that with just two people, so we usually ended up forgetting the rule books and just playing pretend games. Every once and a while I try to look up Fred, but it appears he has almost no presence on the net, not being a computer geek like I turned out to be. There were other games like Gamma World and Traveller, but AD&D is the one I’ve always come back to. I do have to give Traveller credit for getting me interested in math; you had to know some basic trig and calculus to even attempt to create a game world in that system. And all of the games taught me what the word “probability” means. I still have my Monster Manual in a storage locker across town. The cover is still recognizable, even though there are so many layers of marks from using it as a hard surface to write on. I could probably recreate at least a few of those earliest characters I created just from the marks on that book. I know 4th Edition is out, but I haven’t had the time or the interest to pick it up. When Second edition came out, I tried playing it once or twice, but after I purchased most of the books, I realized I still liked first edition better. I got a lot of play out of editions 3 and 3.5, so I’ll probably pick up some 4th Edition books eventually. Unless someone wants to send them to me for my birthday :-). What’s my all time favorite Role Playing Game? While I love playing AD&D, I have to say Champions: the Superhero Roleplaying game wins out. I’ve always loved four-color comic books and the epic struggle between evil. Not the angst-ridden Iron Age stuff we have now, but the wonderful Silver Age comic book stories that ended with the death of Gwen Stacy in Spiderman. And now back to the angst-ridden real world of being an adult. | ||
Free IronKey Giveaway!!! [LiveBolt Identity Blog] Posted: 26 Jun 2008 11:18 AM CDT Folks, Just a reminder — we’re giving away a FREE 1GB IronKey Personal USB thumbdrive ($80 value). Really a cool device — check out the geeky specs. You need to enter before noon, on July 1st. Just make sure to read our “Personal Metadirectory for Passwords” article, and leave a comment there with your response to our questions for a chance to win! And don’t forget to tell your friends! | ||
Week of War on WAF’s: Day 4 — Closer to the code [tssci security] Posted: 26 Jun 2008 10:59 AM CDT [ Andre and Marcin ]: For today’s post, we have a guest blogger, Rohit Sethi. We asked Rohit to do this guest post because we feel that his research, along with co-worker, Nish Bhalla, has been influential at solving some unique application security problems. We met Rohit and Nish at Shmoocon 2008 as fellow speakers — their talk was our undisputed favorite as they did an outstanding job at presenting and conveying their message. Their talk, Using Aspect Oriented Programming to Prevent Application Attacks [PDF] discussed how to take an existing application and add input validation (XSS, SQL Injection, etc), strong error handling, and access controls without ever changing the existing source code. We strongly encourage you to check out their work. Rohit also has a fabulous post for us today on WAF vs. Aspect Oriented Programming — a warm welcome and big thank you to the great work he’s done here! [ Cheers, TS/SCI Security blog ] Web Application Firewalls vs. Aspect Oriented Programming As a concept, the WAF (Web Application Firewall) is brilliant. It extends an application’s trust boundary to include input from otherwise dubious sources. Fundamentally, it externalizes many security concerns away from the application’s core logic. What makes the concept of WAF so appealing is that the technology addresses security as a “cross-cutting concern”; a part of the application that is pervasive across the code base yet rarely relates directly to the business logic. Other cross-cutting concerns, such as transactional management, coarse-grained error handling, and logging also end up diluting the code within an application away from core business logic (also known as “code scattering”). On a more practical level, WAFs can implement the security cross-cutting concern without changing existing source code — meaning we can implement WAFs quickly and avoid destabilizing the application through code modification. In practice, WAFs often suffer from a few drawbacks. In many organizations, WAFs are handled by an infrastructure or security team who are not intimately familiar with the applications that they’re protecting. This often (though not always) ends up becoming an elaborate blacklist filter for malicious characters. Blacklisting is never ideal, but in the case of WAFs the danger is exasperated. The WAF and the application it’s protecting are two different technologies. That means canonicalization attacks, such as sending malicious characters in illegal multi-byte or malformed UTF8 character sequences, may pass through the WAF interpreted one way and attack the application interpreted another way. This interpretation delta with disparate technologies is the same sort of problem that worsens attacks such as HTTP Response Splitting and HTTP Request Smuggling. Is there a way for developers to protect their own applications without having to modify source code? Can you modularize the security cross-cutting concern without relying on an external application/appliance? Yes — with Aspect Oriented Programming (AOP). At a very high-level, AOP is like applying Servlet Filters anywhere in your code (for more details, please see the article I wrote for SecurityFocus). Using the flexibility of languages like AspectJ, developers can choose the most appropriate layer (i.e. application design layer, not OSI stack) to protect their applications. A critical feature is that you are working with data as the rest of the application server sees it — in its most canonical form. Unlike Servlet filters, AOP can be used to protect other interfaces like SOAP interfaces, RMI connections, etc. Developers can also to choose to delve much deeper in the code and protect, say, the basic Value Objects representing the application’s data types by intercepting calls to the setter methods. With a WAF, you can protect against SQL injection by stripping out malicious characters; with AOP, you can strip out those characters and additionally throw an exception/error anytime a dynamic SQL method is invoked. Perhaps more importantly, WAFs are almost useless at protecting against whole classes of vulnerabilities (e.g. missing server-side authorization on some critical functions) whereas AOP is extremely useful (e.g. transparently adding authorization checks to the actual business methods, independent of which interface they are called from). What’s amazing about AOP is that you can implement these changes without actually modifying the source code — one of the primary advantages of WAFs. Is AOP always more appropriate than WAFs? Well, not quite. Similarly, WAF and AOP can protect applications when raw source files are unavailable. Both also require at least some application-level knowledge. However, AOP typically requires a deeper understanding than WAF. Without prior AOP experience, the off-chance of an implementation mistake is more likely to occurr with AOP than with a WAF. WAFs are probably a better fit to protect those apps that are developed externally and/or for which you may not have the code/skillset to understand its internal workings. AOP is not an easy sell because it’s poorly understood by most of the IT community. Don’t expect the PCI data security standard to say “perform code reviews, use an application firewall, or implement security through aspect oriented programming” anytime soon. Another roadblock is that while AspectJ has been around for 11 years, few of the other aspect-oriented languages enjoy quite the same maturity and support. All that being said, I’m sure Andre has made you aware of many of the shortcomings of WAFs (at least, compared to how they are being marketed). AOP is gaining traction in the developer community, as well as for security specific toolkits (check out Spring Security and see how they use AOP to implement method-level authorization). Later this year, we’ll be hosting an open source project on useful security AOP aspects at Security Compass. For the time being, make sure to at least consider AOP as an alternative when modifying existing source isn’t an option. | ||
Looking forward to Black Hat 2008 [Network Security Blog] Posted: 26 Jun 2008 10:33 AM CDT Black Hat 2008 is fast approaching, and I’m really looking forward to it. And as a bit of a teaser, there’s a “Forbidden Sneak Peek” webinar this afternoon. Unluckily, I’ll be boarding a plane somewhere about half way through the presentation, but I’m hoping to get a good enough signal in the airport to at least watch the beginning of the event. I’m also looking forward to seeing a lot of friends and security professionals I only get to see a couple of times a year. Christofer Hoff will be giving a talk on virtualization; there’s a strange rumor that he may be doing it as interpretive dance. Jeremiah Grossman is co-presenter on all the dangers of Web 2.0 and the dangers of the business logic presently in use. Hacker Court will be in full swing once again, I just hope there are no pictures of Simple Nomad this year. And Johnathan Squire will be giving a talk on UPnP, which will probably go over my head, but will be full of energy and information none the less. There’s also going to be a lot of opportunities to talk to other security bloggers and podcasters throughout the week. Alan will be there, Mike Murray better be there, and I’m hoping some of my friends like Michael Farnum and Cutaway will be able to drive up from Texas to visit, especially since Cutaway is organizing a team for the L0st challenge at Defcon over the weekend. It’ll also be the second time Rich and I have had a chance to meet face to face since we started podcasting together. Speaking of podcasting, Rich and I are starting to formulate our plans for the event. We got a lot of positive feedback from the ‘microcasts’ we did at RSA 2008 and we plan on doing more of the same for Black Hat and Defcon. Rich is helping out at both events and I’ve applied for a press pass, so we should have some really good opportunities to interview speakers and other interesting people at both events. I’m going to take my Canon HD video camera in addition to my H4 Zoom, so I may even get more video this year. I know I’m going to be taking time to hang out at the Lock Pick Village again, especially since that ended up being some of the most popular video I ever did. Black Hat and Defcon are both great opportunities to learn, meet people, and generally have a great time. Not to mention get a little drinking in at night. Really, please don’t mention that last part to my wife and kids, who might end up joining me for a day or two in Vegas. Well, at least they’ll be there somewhere while I learn, meet people, drink and have a great time. | ||
New blog theme [InfoSecPodcast.com] Posted: 26 Jun 2008 10:06 AM CDT I’ve been working on a new theme for the blog. Please let me know what you think of the new theme! Thanks! –Chris | ||
Twitter + Security = Security Twits [InfoSecPodcast.com] Posted: 26 Jun 2008 09:29 AM CDT When I first read about Twitter I didn’t see much value in it for me. It wasn’t until I started using it last year when I saw the usefulness for me. Twitter is an interesting communicaiton tool. I call it a cross between an IM client and a Bulletin Board. There are a lot of informal groups that use twitter. One of them is the Security Twits. Security Twits are people in security related jobs, companies, etc that use Twitter. We can thank Jennifer, aka Mediaphyter, for the name and the original blog post on the Twits. It’s actually a pretty impressive list of security folks using it. If you have not tried Twitter you should. You may just find it useful if not downright addictive. – Chris [/TAGS] Twitter, Security, Security Twits [/TAGS] | ||
The Daily Incite - June 26, 2008 [Security Incite Rants] Posted: 26 Jun 2008 09:23 AM CDT June 26, 2008 - Volume 3, #60 Good Morning:
Top Security News More VirtSec ramblings
Top Blog Postings You've got no privacy - get over it | ||
Security Briefing: June 26th [Liquidmatrix Security Digest] Posted: 26 Jun 2008 08:11 AM CDT OK, the database cluster is back up and playing nice after its petulant episode. Click here to subscribe to Liquidmatrix Security Digest!. And now, the news…
Tags: News, Daily Links, Security Blog, Information Security, Security News | ||
White House Refused to Open Pollutants E-Mail [Liquidmatrix Security Digest] Posted: 26 Jun 2008 07:54 AM CDT This is by far one of the more asinine things I have read in a while and speaks volumes to lunacy in the White House. The WH refused to open an email that was sent by the EPA because they disagreed with the conclusion that greenhouse gases are pollutants. So, they played three monkeys and said, “la la la, I can’t see it. la la la” (not an exact quote) But, that’s not where the absurdity ends. The EPA could have sent a printed copy and that would have been the end of it. Nope. Instead they rewrote the conclusions to make more palatable for the dunking bird-set. Email has always been a best effort tool that has morphed into business critical function over the years. But, to say they wouldn’t open an email…wow. Remember folks, if you are a Republican or Democrat be sure to VOTE. You have a responsibility. From NY Times:
November can’t come soon enough. | ||
Can The Gov Be Trusted With Your Personal Data? [Liquidmatrix Security Digest] Posted: 26 Jun 2008 07:44 AM CDT Survey says…(insert buzzer noise) Faith in the (UK) gov’s ability to securely manage personal data is out the window. From Reuters:
Well, where do you stand? Do you trust your respective government not to punt on data security? Read on. | ||
Security Certification Rules Could Shake Up IT Mgmt [Liquidmatrix Security Digest] Posted: 26 Jun 2008 07:33 AM CDT This seems to a well intentioned but, misguided attempt by the Office of Management and Budget. They are attempting to establish minimum requirements for professional certification for IT workers. Hmm. From GCN:
OK, this is where this trolley leaves the track. I have met CISSP certified folks that I would wager they’d be lucky to fight their way out of a wet paper bag. “Don’t mint them out of college” is a phrase that I’d argue. I would offer that the ISC2 should start auditing certified members. The validity of the CISSP cert is becoming diluted in the eyes of the market. A picture is worth a thousand words. It’s great for the mandatory HR tick box but, how many of these folks actually have the ability? Sure they can memorize some flash cards and pass a test but, are they effective? Some, not so much. On the face of it this is a good idea. Like all good intentions, they make great paving stones on the road to hell. | ||
Landing Blogsecurify [GNUCITIZEN Media Portfolio] Posted: 26 Jun 2008 03:45 AM CDT During the last couple of days we combined forces with Blogsecurity.NET in an effort to improve their online Wordpress vulnerability scanner. The result of these efforts is our new initiative called Blogsecurify. Blogsecurify was created to help individuals and organization to secure their blog infrastructures by testing them against a set of security tests. The project is still in alpha stage although I am quite happy with the actual framework which I believe is the only one of its kind. The same framework will be used for several other initiatives but I will talk about them when their time come. | ||
Week of War on WAF’s: Day 3 — Language specific [tssci security] Posted: 26 Jun 2008 02:15 AM CDT This post comes via WAF thoughts from Christian Matthies’s blog circa one year ago. Christian starts out with a bang:
In christ1an’s post, The real effectiveness of current WAF, he speaks rather positively about WAF technology, but ends on a rather sour note:
He makes some interesting points that you should certainly check out. Best — this jives with what Fortify research on dynamic taint propagation discussed in their recent OWASP AppSec EU 2008 presentation, Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking [PPT] – and paper, Watch What You Write: Preventing Cross-Site Scripting by Observing Program Output [PDF]. christ1an seems positive about Mario Heiderich’s PHPIDS Monitoring attack surface activity [PPT] web application attack `detection’ work (also presented at OWASP AppSec EU 2008). Fortify, on the other hand, seemed bullish on the CORE GRASP attack `prevention’ project (also for PHP). With regards to XSS and SQL injection attacks, this work is nice because as some of us know — neither attack is primarily about input validation. SQL injection is a software weakness that can be prevented through parameterized queries with binding of all variables (thanks, Jim Manico, for this verbiage). Cross-site scripting (and particular variations such as HTML/CSS/JS injection) is a software weakness that can be prevented by output encoding (although for exhaustive methods, check out the work by Arshan Dabirsiaghi in the OWASP AntiSamy Project). Now if we could only start to talk about the other 600+ software weaknesses and their root-causes and strongest defense strategies. | ||
Links for 2008-06-25 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"] Posted: 26 Jun 2008 12:00 AM CDT | ||
And this is why I like ScribeFire [Network Security Blog] Posted: 25 Jun 2008 11:52 PM CDT Yesterday I complained on the blog that ScribeFire had been acting funny and eating parts of my post. Actually, in a lot of cases, it had been the majority of the posts it ate. Later in the morning, I got a comment on the post from Christopher Finke saying they think they know what it is. That’s cool. Today, I got some new code to test out and see if the same thing is still happening. Now that’s really cool. If you haven’t guessed yet, I’m writing this post to try to recreate some of the conditions that have caused me previous problems with ScribeFire. I started the post, wrote a few lines and then changed tabs in the right window. If the problem isn’t fixed, I’ll probably get the first line of the post and nothing else will show up. I’m keeping my fingers crossed as I hit the Publish button. | ||
My Theory: Apple is making a huge push for Enterprise [Random Thoughts from Joel's World] Posted: 25 Jun 2008 10:59 PM CDT I've said it before a couple times, and especially recently in the SC Magazine Podcast and the ISC Podcast that I did last night, I believe Apple is making a big push for the Enterprise. I also believe that Microsoft's focus is changing. I can't really explain what I mean by that yet, but I definitely think they are taking the emphasis off of the fact that they are a desktop operating system for everyone. Anyway, back to Apple. Let's look at a few examples. 1) iPhone / Exchange compatibility -- Apple is finally going to have the ability to natively communicate with Microsoft Exchange on the iPhone. This alleviates the need, like RIM, to have a separate server on your network that you have to maintain in order to have email functionality on your phone. Plus, and the less noticed thing is, this is really the first big time, and certainly the big time that a major competitor to Microsoft has had native functionality with Exchange. I think Microsoft is going to concede a bit of ground with the Desktop in order to stay with their core market, and that's running the big business infrastructure. But still, this is huge. 2) Snow Leopard will have native Exchange functionality. Address Book will be your GAL, Mail will have native functionality with Exchange email, and iCal will function via the Exchange Calendar. While you have been able to do with with OSX Server for a bit now, vastly more companies already have Exchange/AD within their enterprise. 3) Things like this. A seminar to teach business users how to use a Mac within your enterprise. Worth a quick watch if you are thinking about switching to the Mac. Just a quick theory, but I may have something here. | ||
Making the switch … back! [untangling the future...] Posted: 25 Jun 2008 07:03 PM CDT So about 6 months ago I decided to finally to go Mac. I had been driven to the edge by Outlook on Windows - possibly the worst piece of code ever crafted. I had just suffered too much at its mercy and I would try anything to escape. So after years of sh*t-talking about Mac - I swallowed my pride and jumped in with both feet. Because at the time we were running Microsoft Exchange I couldn’t go with Linux on the laptop (no usable exchange client) and I’d always have my linux desktops nearby should I need to get any work done; so there was little risk to swapping the Windows laptop for a shiny new Macbook Pro. First I endured a large amount of [deserved] ridiculing from all of the mac users that I had been torturing for years, but ultimately they seemed glad to convert another user - one more soldier on the good side. Next I endured a bit of discomfort as I relearned many common tasks that I had learned to accomplished on other OS’s but was clueless for Mac. But after a few weeks I found an environment that was delightfully better than Windows and truly innovative in some areas (like QuickSilver). After a few weeks I started hitting some usability roadblocks here and there that I strongly disagreed with. I’d google or ask other Mac users about their solutions to these issues and would always receive a similar answer: “Why would you want to do that?” or “You shouldn’t be doing it that way anyway.” Thats fine - so I’d go off and look for a workaround. Unfortunately, because of Apple’s lack of transparency and lack of customizability - I usually found myself out in the cold. Eventually I found myself with this mountain of usability issues and no workarounds that really impeded my day-to-day use. I was back in the same position I was with Windows. The problem was not the software, but the Apple’s and the Apple community’s attitude. The attitude is that if users want to do something the “non-blessed” way they are confused or incorrect. Want two mouse buttons on your MacBook Pro? “You can do that this other way.” Want to play music without storing your whole library in iTunes? “Why would you want to do that?” Want to use something besides iTunes to load your iPod? “Thats silly.” Want to run on different hardware? “Thats a bad idea.” All this was happening while Apple was clamping down on iPhone modding. Its total lack of transparency (both through code and legal action) assured that you did things their way and *only* their way. I’ll be the first to admit I’m not Apple’s target market (nor should I be), and ultimately their extreme efforts to prevent myself and others like me from improving and customizing their product was a deal killer for me. Apple is not delivering an OS, or hardware, or even software. They are delivering an end-to-end technology experience, and if you are willing to just go with their experience you’re in good shape, but if not - you’re screwed. Apple is for people who are willing to buy into one way - their way - of doing things. Its purely the Apple way or the highway. Ironic given their 1984-esque commercial that implies Apple is for people who wanted to break the mold. Undeniably Apple has made some great choices with its harnessing of open source which contributed to my decision to switch, but its foolish to not recognize *why* those open source projects were successful in the first place. Unfortunately, should Microsoft users switch to Mac they can expect a better user interface but a more confined experience. Meanwhile, we had switched from Outlook to Zimbra freeing me from the exchange client constraint. I promptly made the switch back to Linux on my laptop (a new Thinkpad). The mac users that had been so glad to receive me just shook their heads. It had been a year or two since I had used Linux as my default laptop, and I was delighted by how easy it is now to install the new Ubuntu Hardy. I was also delighted by how I could drastically customize and change the environment to my needs. Its not as *easy* yet, but its more *usable*. (That is there is a steeper learning curve but ultimately after climbing that curve leads to a more productive environment for those willing to make the climb) If you’re willing to put your user experience in the hands of those at Apple, getting a Mac may be a great solution for you. Ironically, if you really want to “think different” there are many better options like Linux (or even Windows!). | ||
Posted: 25 Jun 2008 04:40 PM CDT Prerequisite: read this (thanks Raffy). Stop reading right before you reach the last line though :-) Then maybe read this too (thanks anonymous). Next, insert appropriate morbid jokes <here> for "IDS is dead", "NAC is dead", "GRC is dead", everybody is dead... WTF? Are we at the cemetery or what? Is "dead" dead? Yeah, but it came back as a zombie :-) So, "dead" is a "living dead" "dead" now. Ha*3. Finally, think! Why were you thinking of buying a SIEM? 'Cause the big "G" in the sky said so? And while you are thinking, check these fun points out:
All in all, I have to agree with Raffy to a large extent! The world has evolved - and SIEM has not. It might not be dead (as old attacks and defenses never really die and large organization still build and man massive SOCs where SIEM is "a must"), but in this age of web application hacking, CSRF and XSS, phishing, PCI DSS, massive bot armies, client-side 0-days, stealth malware, etc, paying $x,000,000 for a pile of ugly Java code is insane ... As a result, SIEM has greatly diminished in importance and has become just one small thing you might do with logs and some other data. What made it so? Mostly implementation complexity - but a slew of other factors mentioned above as well. So, consider this instead:
Now, what if you have a latent and vague desire to "correlate something" and a million nice greenbacks to flush down the drain? OK, go get your SIEM toy for $780,000 + 20% maintenance/year ... a true bargain (price valid today only). Finally, I would like to end this on an optimistic note. Do we need more intelligence to analyze the log data we have collected? Of course! Do we have a widest set of log use cases from today's security to tomorrow's regulations? You bet. And, for you Raffy, I'd add "... we also have other data to analyze together with logs." So, can we "reinvent SIEM?" Yes, I think so! It just hasn't been done yet ... For now, just use log management. | ||
Back Office Fun [Liquidmatrix Security Digest] Posted: 25 Jun 2008 02:28 PM CDT Sorry for the lack of updates today. Our backend database cluster decided to fall on its sword this morning and we’re cleaning up the mess. We’ll be updating content again tomorrow first thing. Unless of course I happen to I feel froggy after work then I’ll tackle some updates. Thanks for the emails. All is well. Nothing to see here. Move along. | ||
FBI gets involved in the Indiana bank security breach [spylogic.net] Posted: 25 Jun 2008 12:15 PM CDT This is a story that keeps getting more interesting... I have been closely following the news that I blogged about last week regarding 1st Source bank of Indiana that fell victim to a pretty serious security breach. 1st Source ended up reissuing their entire credit card portfolio to their customer base. The latest news is that other banks in the Indiana area are now reporting that their customers are reporting fraudulent transactions. The link is that all of these other bank customers used 1st Source ATM's around the same time the breach happened. From the IHT article: "Bank officials said the victims they know of appear to have all used 1st Source Bank ATMs during the first 10 days of May. James Seitz, 1st Source senior vice president, said officials from his bank met with officials from other financial institutions on Wednesday to discuss the situation. "As we're piecing this puzzle together, it appears that there may be a common thread," Seitz said. A security consulting firm alerted 1st Source about a computer breach on May 12. The bank shut down its computer system and contacted authorities. Two weeks ago, 1st Source sent letters to customers asking them to monitor their accounts for suspicious activity." I'm starting to suspect that the ATM's themselves were compromised or the bank's back end servers were compromised as well. From what I know about PIN storage, the PIN information in Track 2 data (this is the data that was reported stolen) on a credit/debit card does not have to be encrypted (however it can be, just not required by the ISO standard) so either a card "skimmer" device was used (physically attached to the outside of the ATM's) or this Track 2 data was pulled off the wire perhaps using a network sniffer installed on the ATM's. It could be similar to the Dave & Busters security breach that happened a few months ago. Whatever method was used, it was enough to replay this data to a bunch of fake ATM cards and start withdrawing cash and/or charging items from locations overseas. Hopefully the public gets to find out what really happened once 1st Source get's their act together. |
You are subscribed to email updates from Black Hat Security Bloggers Network To stop receiving these emails, you may unsubscribe now. | Email Delivery powered by FeedBurner |
Inbox too full? Subscribe to the feed version of Black Hat Security Bloggers Network in a feed reader. | |
If you prefer to unsubscribe via postal mail, write to: Black Hat Security Bloggers Network, c/o FeedBurner, 20 W Kinzie, 9th Floor, Chicago IL USA 60610 |
No comments:
Post a Comment