Sunday, June 29, 2008

Spliced feed for Security Bloggers Network

Big Brother Can't Lead People [CultSEC Blog]

Posted: 28 Jun 2008 10:09 PM CDT

People always seem to be afraid of Big Brother. They don't like to be watched or have the feeling they are being watched. I don't blame them. What is interesting to me is how some supervisors and managers want to rely on it when it might suit their needs.

It amazes me how many times I've had to turn down requests from these "leaders" attempting to use Big Brother as a management tool. I've heard the whole list of explanations:

1. My direct reports are spending too much time surfing the web.

2. I think someone is going to web sites they shouldn't be.

3. Can you block these sites?

4. I think someone is using eBay a lot.

5. Can you give me a report of web history on so and so?

When these types of requests come in by email or in person, I shake my head. This is a time when I should encourage "leaders" to lead. Get in there and talk with your people face to face. You're in charge. It is up to the leader to teach people what is expected and what is appropriate. Once the expectations are set and you find your folks still ignoring the boundaries, then turn it up a notch. Point out what is already covered and remind them that if they don't cease they will be on the road of peril. Verbal warnings, then written warnings, performance improvement plans, up to termination.

Don't get me wrong. There are legitimate times when technology can and should be used to manage your teams. But recognize they don't want Big Brother. They would rather have you in the trenches with them. If there is too much time on their hands, then redefine their position. Challenge them. You also must recognize some people may require differing types of supervision. You will only learn what works best when you get to know your folks. Really, if you can't provide that type of leadership then you need to reflect on why you are in a leadership position.

The flip side of all of this for a business is figuring out how to use Big Brother effectively. Look at the reports. Obviously look at the categories of sites being visited. Look at user times and keep in mind some users will have a spike now and then. You will spot some obvious time wasters over a period of time. You will also see some obvious bandwidth wasters such as Internet Radio/TV, music, and other streaming junk. Use these areas as first hits to block.

In the end, you will find the right balance between Big Brother and appropriate use. If you can't get comfortable with it, then remove the content filters or block Internet usage. It comes down to you...lead or get out of the way.
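The post above tells you what to look for in the filter reports (categories, per-user activity, streaming traffic) but not how to pull that out of raw logs. The script below is an added example and is not code from the CultSEC post; it assumes Squid-style access.log lines in the field order noted in the comments, a hand-built domain-to-category map standing in for the categories a filter product supplies, and constructed sample data. It skips malformed lines rather than aborting, and reports the two things the post calls out: users whose requests are mostly non-business, and users who move large volumes through streaming categories.

```python
"""Summarise a web-filter / proxy log by user and site category.

Added example for reviewing the reports the post talks about; not code
from the CultSEC post. Assumptions: Squid-style access.log lines with the
field order noted below, a hand-built domain-to-category map in place of a
filter product's own categories, and constructed sample data.
"""
import re
from urllib.parse import urlparse

# Constructed sample lines (assumed Squid native format):
# timestamp elapsed_ms client code/status bytes method url user hierarchy type
SAMPLE_LOG = """\
1214700000.123   150 10.0.0.5 TCP_MISS/200     2048 GET http://intranet.example/home alice DIRECT/- text/html
1214700001.456 30000 10.0.0.7 TCP_MISS/200  9500000 GET http://radio.example/stream bob DIRECT/- audio/mpeg
1214700002.789   120 10.0.0.5 TCP_MISS/200     4096 GET http://auction.example/item/1 alice DIRECT/- text/html
1214700003.001   110 10.0.0.5 TCP_MISS/200     3000 GET http://auction.example/item/2 alice DIRECT/- text/html
1214700004.002   130 10.0.0.5 TCP_MISS/200     3500 GET http://auction.example/item/3 alice DIRECT/- text/html
1214700005.003   200 10.0.0.9 TCP_MISS/200     1024 GET http://intranet.example/docs carol DIRECT/- text/html
1214700006.004 45000 10.0.0.7 TCP_MISS/200 12000000 GET http://video.example/live bob DIRECT/- video/mp4
this line is deliberately malformed and must be skipped
"""

# Constructed category map (a real filter product ships its own categories).
CATEGORY_BY_DOMAIN = {
    "intranet.example": "business",
    "auction.example": "shopping",
    "radio.example": "streaming",
    "video.example": "streaming",
}
# Categories the post calls "bandwidth wasters" (assumption for this example).
BANDWIDTH_CATEGORIES = {"streaming"}

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["domain"] = urlparse(rec["url"]).hostname or ""
    rec["category"] = CATEGORY_BY_DOMAIN.get(rec["domain"], "uncategorised")
    return rec


def summarise(log_text):
    """Aggregate request counts and bytes per user, broken down by category."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it, keep the rest of the report
        user = summary.setdefault(rec["user"], {"requests": 0, "bytes": 0, "by_category": {}})
        user["requests"] += 1
        user["bytes"] += rec["bytes"]
        cat = user["by_category"].setdefault(rec["category"], {"requests": 0, "bytes": 0})
        cat["requests"] += 1
        cat["bytes"] += rec["bytes"]
    return summary


def bandwidth_wasters(summary, min_bytes=1_000_000):
    """Users who moved more than min_bytes through bandwidth-heavy categories."""
    result = {}
    for user, s in summary.items():
        heavy = sum(c["bytes"] for cat, c in s["by_category"].items() if cat in BANDWIDTH_CATEGORIES)
        if heavy > min_bytes:
            result[user] = heavy
    return result


def non_business_share(summary):
    """Fraction of each user's requests that went outside the 'business' category."""
    return {
        user: round(1 - s["by_category"].get("business", {"requests": 0})["requests"] / s["requests"], 2)
        for user, s in summary.items()
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for user, s in sorted(report.items()):
        print(f"{user}: {s['requests']} requests, {s['bytes']} bytes, {s['by_category']}")
    print("bandwidth wasters:", bandwidth_wasters(report))
    print("non-business share:", non_business_share(report))
```

The post's advice to allow for the occasional spike is why the thresholds are parameters rather than hard-coded: run the summary over a week or more of logs before deciding that a user or a category is a first candidate for blocking.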

Chinese cell phone use goes through the roof: One out of every two people now own one [The Dark Visitor]

Posted: 28 Jun 2008 07:35 PM CDT

(From Zaobao) Xinhua News, citing statistics from the Chinese Industry and Informationization Department, reported that cell phone use in China increased to the point that one out of every two people owns a set and that traditional landline use continues its steady decline.

End of May (2008) statistics showed that out of China’s 1.3 billion population, 592 million households now had a cell phone. This was a 9% increase from numbers at the close of 2007, which showed 547 million users.

The report stated that the telecommunications industry had continued to slash prices in order to increase cell phone use.

Furthermore, traditional landline household use had dropped by 6.5 million to 358 million users.

Sir, sir…please don’t poke the bear! [The Dark Visitor]

Posted: 28 Jun 2008 06:27 PM CDT

From the Heilongjiang Daily, via News China, a 19-year-old Chinese hacker going by the online name of Autumn Breeze decided to deface the main page of the… Daqing Public Security Bureau website … and leave behind several taunting messages to include his contact information. Brilliant!

According to the report, Autumn Breeze felt that his skills at hacking were so good there was no way he could get caught. Well, it did take the police a little over an hour to track him down…so he has that going for him.

On 12 June, police who were working online discovered that a hacker had managed to gain access to the Daqing Public Security Bureau website and leave behind several taunting messages:

“So, basically Daqing doesn’t have a cyber police force?”

“Do the cyber police just get paid to do nothing?”

“Is the software installed on the internet cafes used by the cyber police to collect fees?”

He also left behind the name “Autumn Breeze” and his e-mail contact information.

Under the direction of Captain Liu, of the Daqing Cyber Police, officers were able to track Autumn Breeze to a local internet cafe and arrest him while in the process of attacking another website. Autumn Breeze made a full confession saying, “Oh, you get paid to do this!”

Yeah, I may have fudged that last quote a bit.

Everything you ever wanted to know about WAF (and more) [Carnal0wnage Blog]

Posted: 28 Jun 2008 05:18 PM CDT

Is available over on the TS/SCI security blog.

http://www.tssci-security.com/archives/2008/06/15/what-web-application-security-really-is/
http://www.tssci-security.com/archives/2008/06/23/web-application-firewalls-a-slight-change-of-heart/
http://www.tssci-security.com/archives/2008/06/23/week-of-war-on-wafs-day-1-top-ten-reasons-to-wait-on-wafs/
http://www.tssci-security.com/archives/2008/06/25/week-of-war-on-wafs-day-2-a-look-at-the-past/
http://www.tssci-security.com/archives/2008/06/26/week-of-war-on-wafs-day-3-language-specific/
http://www.tssci-security.com/archives/2008/06/26/week-of-war-on-wafs-day-4-closer-to-the-code/
http://www.tssci-security.com/archives/2008/06/27/week-of-war-on-wafs-day-5-final-thoughts/

**As always on the TS/SCI blog, the comments are where the "real hotness" is and you should make sure you read them with each post.

Also check out this thread on Jeremiah Grossman's blog:
http://jeremiahgrossman.blogspot.com/2008/06/can-wafs-protect-against-business-logic.html

While I don't always agree with Dre, I have to admit that before I would drop $110k + yearly maintenance, I might have to crunch the numbers to see how much it would cost me for a real thorough web application code rewrite/review/& pentest before you get stuck with yet another appliance in the rack that you have to pay money for every year and I have to pay someone to run.

I'm not an SDLC guy but are we really to the point that we CAN'T write a secure web application for any amount of money? I would hope that isn't the case.

Read the posts. Dre and Marcin put it better than I ever will.

You Have Confused Me for the Last Time! [Emergent Chaos]

Posted: 28 Jun 2008 04:16 PM CDT

I love these boots, via "BoingBoing gadgets." They're transgressive on so many levels. Star Wars geek versus fashion. Military versus sexy.

I'm glad George Lucas isn't an obsessive control freak who hunts down anyone who adopts the visual language that he created.

Quotes of the Week [Carnal0wnage Blog]

Posted: 28 Jun 2008 02:58 PM CDT

Probably not going to be a weekly occurrence but wanted to share some quotes I heard this week and last week.

1. (For NoVA Drivers) "If you don't like being passed...F**king drive faster or get out of the left lane"

2. While in Hawaii for an assessment (yeah life is rough)... "We Hawaiian people are such nice, friendly, sharing people...that's probably why we don't have any land left" doh!

Free Advice For The Single People [Carnal0wnage Blog]

Posted: 28 Jun 2008 02:54 PM CDT

If your significant other is talking about how they spent 4+ hours doing something in Excel... DO NOT DO NOT DO NOT
1. Say "nothing should take 4 hours with Excel!"
&
2. Start talking about how Excel has these cool things called functions and how you can use functions to aggregate data in multiple worksheets...

More penalty points if they have been drinking and now you really can't talk your way out of it :-(

Later this evening: [The Dark Visitor]

Posted: 28 Jun 2008 11:09 AM CDT

Another Chinese hacker makes the Stupid/Evil category…mainly just stupid

One cell phone for every two people in China…WOW! Use grows by 9%, old school landline users sinking like a stone

Off to see Wall-E with the little one, back later tonight

Dividing up the Chinese hacker world by region [The Dark Visitor]

Posted: 28 Jun 2008 10:49 AM CDT

Chinese hackers are much more organized than I could ever hope to be and as a consequence, do a lot of the heavy lifting for you in finding them. So, you want to figure out what groups are operating in certain regions of China, where do you begin? Let me suggest cn-hack.cn as a great place to start your research. They have conveniently broken down the groups by province and city:

Next, click on the area you are interested in (I chose Henan) and presto, hacker website from the region:

Not a comprehensive listing to be sure but thought it was interesting. Do you think they have their own sports teams?  Go, Beijing Hackers! Boo, Hebei!

Information gathering…not just a computer thing [The Dark Visitor]

Posted: 28 Jun 2008 10:02 AM CDT

Hat-Tip: GaoYuLong

At times, I get so busy going through Chinese hacker websites that I forget there are other methods of collecting information that should not be ignored. Fortunately, reader GaoYuLong reminds me that HUMINT has not gone the way of the dinosaur and we need to keep track of the methodology used by China. GaoYuLong points to two articles from the Epoch Times that clearly illustrate these techniques:

Chinese Regime Looks to Student-Spies to Push Agenda in Canada

It was a sobering moment. Countless Falun Gong adherents in mainland China had received similar threats, and hundreds—if not thousands—went on to face torture and brainwashing after being turned in by fellow students and teachers.

But Lingdi Zhang does not live in China. The then-computer science student was studying at the University of Ottawa.

FBI Chinese Advertisement Targets CCP’s State Security

An advertisement by the Federal Bureau of Investigation (FBI) aimed at Chinese-speaking residents of San Francisco’s Bay Area, ran from July 2 through July 8 in three local Chinese-language newspapers, seeking information about Chinese espionage to the United States.

ATM Thieves Caught By IT Security and Stakeout [The IT Security Guy]

Posted: 27 Jun 2008 05:22 PM CDT

Here's a fascinating story in Wired about how authorities grabbed a ring of ATM thieves by combining network security monitoring with an old-fashioned stakeout.

Normal Sites Like Google Host Malware [The IT Security Guy]

Posted: 27 Jun 2008 05:15 PM CDT

It used to be that if you avoided dicey sites, like porn, you could stay away from malware. But that's not the case any more, as even reputable sites like Google and The New York Times get snagged by links to spyware-laden sites.

And, as online advertising grows, which it inevitably will, the problem will only get worse. The problem is called cross-linking, as major web sites have links to less reputable sites, without even knowing it.

AxBan 1.5 [Errata Security]

Posted: 27 Jun 2008 02:31 PM CDT

Errata Security has published the long-awaited AxBan 1.5 today.

This version has the auto-update feature that downloads the latest list of bad ActiveX Controls from an XML file on launch. It also has new usability features such as cut/paste and overview information.

Download the latest version to get these new features here.

Please send your feature requests or bug reports for this version to me at marisa@erratasec.com.

Thanks!

Interactive Mode SUDO [Room362.com]

Posted: 27 Jun 2008 11:25 AM CDT

So, I made a new category basically for posts that I want to keep for myself and also post for other people not to have as hard a time finding: Archiving.

In Ubuntu I have always set a password for root and “su -” up to root to run things that needed root access. Well, after watching IronGeek’s latest video on Labrea (click here to watch the video), I gleaned a new way to get to a root prompt without having to set a password and su up each time. He called it SUDO Interactive mode. And all you do is:

sudo -i

That’s it, and you are good. Just thought I would share.

Compliance Feedback...What About Security? [ImperViews]

Posted: 27 Jun 2008 10:54 AM CDT

Nik Cubrilovic at TechCrunchIT brings the story of how Opera Software is building a team of "web evangelists" whose job it is to find sites that do not display correctly in Opera and are not standards-compliant, and then email the site owners. Great. I'm enjoying everything that comes from this company (using Opera Mini with my BlackBerry).
But what about security? Why can't we email site owners when we find vulnerabilities?

Here's a challenge for myself and the others. Let's see if I'm falling into the SANS statistics I wrote about earlier: Can the community write a browser extension that identifies web vulnerabilities (there are many open tools), finds the site owner (there are tools that can do this as well), suggests a fix (might be tricky) and emails the web owner? In theory, it can work.

[Image: Opera Mini and a friend. Source: http://www.operamini.com/]

Virtual Security NIC - Concept [Security In The Virtual World]

Posted: 27 Jun 2008 10:50 AM CDT

Virtual Environment performance has been a widely discussed topic when it comes to running security within virtual environments, and there is this concept that I have had in my head for a while now that I thought I'd share with the public to get feedback on. It's called the Virtual Security NIC and is intended to move security out of the shared computing layer (virtual environment) and into the physical layer with dedicated processors. By doing this the performance challenge goes away and you are able to get security as close as possible to the VMs. All traffic going from VM to VM will have to traverse the bus and be inspected by this security NIC before it is delivered to its final destination.

Take a look at the picture below and feel free to comment either on this blog or email me at: jpeterson@montegonetworks.com

Links for 2008-06-26 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 27 Jun 2008 12:00 AM CDT

Today’s Partnerships are Tomorrow’s Liabilities [Trey Ford - Security Spin Control]

Posted: 26 Jun 2008 11:08 PM CDT

"…so here's the thing. If you can't spot the sucker in your first half hour at the table, you ARE the sucker." Let's say that your company, from an information assurance perspective, really has its act together. Even your education and awareness campaigns are paying off, you've got security testing gates in the SDLC, new software [...]

Worm source code... [Errata Security]

Posted: 26 Jun 2008 08:43 PM CDT

http://www.offensivecomputing.net/?q=node/773

Ever wanted to see what a mobile virus looks like? Here is the source code to the infamous Caribe worm which infects Symbian phones.

You Are "A Security Idiot" If ... [Anton Chuvakin Blog - "Security Warrior"]

Posted: 26 Jun 2008 07:33 PM CDT

... you:
  1. Misspell both HIPAA and SOX (how the f does one misspell SOX?)
  2. Confuse "risks" and "threats"
  3. Think that "Trojan is a vulnerability" AND "DoS is a vulnerability"
  4. Quote "Insiders are 80%" without thinking for one darn second
  5. Think that a loss of "$20 million is catastrophic to any company"
  6. Talk about "NIST compliance"
  7. Consider IDS a network security control
  8. Shout that "perimeter is dead"
Please add your faves to the list and we can create an official list to be used to expose fake experts. If you think that nobody in our industry is that stupid ... think again. F*ck!

To be explained later :-)

Why go to Black Hat? [CultSEC Blog]

Posted: 26 Jun 2008 04:32 PM CDT

The Black Hat Conference has been going on for years. For me, I've always said I would like to get there some day. Instead, I've always opted for making it to the RSA conference because the companies I've worked for were willing to send me to one or the other each year.

I used to believe the Black Hat conference was on the forbidden list for those of us certified with CISSP. Maybe this was true. I did a quick scan of the ethics policy on the www.isc2.org website. It touches on many points which could be argued for and against when deciding to attend conferences like Black Hat. I would argue for attending because I've always believed I might actually learn something about the tips and tricks I'm trying to protect against.

I also believed Black Hat was more technical in nature. As I continue in my career, where I've been managing for a good number of years, I drift further away from solid keyboard interactions. I did notice in this year's tracks there are topics for folks like me. Even if I'm not a hard-core hands-on technical professional, it still is good to attend classes that are. For me it keeps me plugged in with how things work at that level, which helps me understand appropriate needs in managing security analysts.

Nowadays I don't worry as much about maintaining the status of my certifications. I always do my best to operate in an ethical manner and don't think attending venues, such as Black Hat, would cause me to do something unethical.

At any rate, I am not planning to be there this year either. I've been to RSA. Perhaps next year, I'll opt for the Black Hat instead.

Aren't PHDs put in cages...err..classrooms... [Errata Security]

Posted: 26 Jun 2008 04:32 PM CDT

http://www.securityfocus.com/brief/764?ref=rss

The failure of this program is all but assured with it being handled by "academic researchers".

[Errata Security]

Posted: 26 Jun 2008 03:50 PM CDT

http://www.theregister.co.uk/2008/06/26/fired_it_manager_rampage/

I keep seeing stories about people "hacking" into their former employers. You have to wonder if she used a SQL injection exploit to access the database or maybe a buffer overflow. I am guessing neither but instead used her only credentials that were not changed after she was fired. In my opinion that's no more hacking than claiming a building was broken into after an ex-employee used keys they didn't turn in to unlock a door. Sure they were trespassing but they didn't "break in".
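The point of the post is that the access came from credentials nobody revoked after the termination. Whether you call that hacking or not, the defensive check is the same: reconcile who has left against what can still log in, including shared passwords the leaver knew. The script below is an added example and is not from the Errata Security post; it assumes an HR export of terminated users (CSV, constructed here), an /etc/shadow-style account dump (constructed, with the usual convention that a hash beginning with "!" or "*" means the account is locked and field three is the last password change in days since the epoch), and a hand-maintained map of shared service accounts to the people who hold their passwords.

```python
"""Check that a departed employee's access was actually revoked.

Added example; not code from the Errata Security post. Assumptions: an HR
export of terminated users (constructed CSV), an /etc/shadow-style account
dump (constructed), and a hand-maintained map of shared service accounts to
the people who knew their passwords.
"""
import csv
import io
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed HR export: who left and when.
TERMINATED_CSV = """\
username,terminated_on
jdoe,2008-06-20
asmith,2008-05-01
"""

# Constructed /etc/shadow-style lines: name:hash:last_change_days:...
# A hash beginning with '!' or '*' means the account is locked.
SHADOW_DUMP = """\
root:$6$abc:14050:0:99999:7:::
jdoe:$6$def:14000:0:99999:7:::
asmith:!:13900:0:99999:7:::
bwong:$6$ghi:14060:0:99999:7:::
svc_backup:$6$jkl:13950:0:99999:7:::
"""

# Constructed: shared service account -> people who hold its password.
SHARED_ACCOUNT_HOLDERS = {"svc_backup": {"jdoe", "bwong"}}


def days_since_epoch(d):
    """Convert a date to the day count used in shadow's last-change field."""
    return (d - EPOCH).days


def parse_shadow(text):
    """Map account name -> {'locked': bool, 'last_change_day': int}."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue  # blank or malformed line
        name, pw_hash, last_change = fields[0], fields[1], fields[2]
        accounts[name] = {
            "locked": pw_hash.startswith(("!", "*")),
            "last_change_day": int(last_change) if last_change.isdigit() else 0,
        }
    return accounts


def parse_terminations(csv_text):
    """Map username -> termination date from the HR export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["username"]: date.fromisoformat(row["terminated_on"]) for row in reader}


def audit_offboarding(terminated_csv, shadow_text, shared_holders):
    """Return (kind, account) findings for access that outlived a termination.

    Two kinds are reported: the leaver's own account is still unlocked, and a
    shared account the leaver knew has not had its password changed since
    the termination date.
    """
    terminated = parse_terminations(terminated_csv)
    accounts = parse_shadow(shadow_text)
    findings = []
    for user, left_on in terminated.items():
        left_day = days_since_epoch(left_on)
        acct = accounts.get(user)
        if acct is not None and not acct["locked"]:
            findings.append(("unlocked_after_termination", user))
        for shared, holders in shared_holders.items():
            shared_acct = accounts.get(shared)
            if user in holders and shared_acct is not None \
                    and shared_acct["last_change_day"] < left_day:
                finding = ("shared_credential_not_rotated", shared)
                if finding not in findings:  # several leavers may share one account
                    findings.append(finding)
    return findings


if __name__ == "__main__":
    for kind, account in audit_offboarding(TERMINATED_CSV, SHADOW_DUMP, SHARED_ACCOUNT_HOLDERS):
        print(f"{kind}: {account}")
```

In the constructed data, asmith's account was locked and produces nothing, while jdoe's own account is still open and the shared svc_backup password predates jdoe's departure, which is exactly the "keys not turned in" situation the post describes.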
