Spliced feed for Security Bloggers Network
More virtualization fun.. [Rory.Blog] Posted: 01 Jul 2008 08:54 AM CDT

There's an interesting post on Hoff's blog about virtualization and DMZs, and to what level it's "ok" to virtualize a given DMZ environment, following on from a white paper by VMware on the subject. As Hoff mentions, you need to understand the wider context in any risk assessment, but I actually think that in the scenarios VMware have painted out, I'd agree with Alessandro that the fully collapsed DMZs talked about in the paper are a no-no. And there's a nice piece of risk assessment reasoning here; it's not just an "ooh, hypervisors scary" kind of reaction, honest :)

So here's how it works. In the diagrams they've used, they've laid out a picture of a number of security controls, the main one being separate firewalls segregating the Internet from each of the DMZs in turn. This would indicate to me that the risk assessment dictated that no one device should be a single point of failure for the security provided by the environment (a more cost-effective, but traditionally seen as more risky, design would be a single firewall with multiple interfaces, one for each network).

So if we then introduce virtualization to this scenario, it seems that the option of a "partially collapsed" DMZ meets the security requirements, as each DMZ has its own VMware ESX instance and a compromise of the hypervisor won't result in a breach of DMZ segregation.

I think that in a lot of cases it's easy to look at virtualization as something new, but it should be possible to look at the current risk appetite in an environment (are you using separate devices to segregate things? are you relying on VLAN tagging for separation?) and then apply that to come up with the appropriate virtualization design.
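As an added illustration (not from Rory's post or the VMware paper), the following Python model applies the requirement the post reads out of the firewall diagrams, that no single device compromise may cross a DMZ boundary, to three layouts: separate physical hosts, a partially collapsed design with one ESX host per DMZ, and a fully collapsed design with every DMZ on one ESX host. All host, DMZ and workload names are constructed for the demonstration.

```python
# Added example, not from Rory's post or the VMware paper: a small model of the
# "no single device may break DMZ segregation" requirement the post infers from
# the per-DMZ firewalls, applied to three virtualization layouts.
# All host, DMZ and workload names below are constructed for the demonstration.

# workload -> (DMZ it belongs to, hypervisor or physical box it runs on)
DESIGNS = {
    # one physical box per server: the baseline the diagrams imply
    "separate_physical": {
        "web-1": ("web_dmz", "box-web-1"), "web-2": ("web_dmz", "box-web-2"),
        "app-1": ("app_dmz", "box-app-1"),
        "db-1":  ("db_dmz",  "box-db-1"),
    },
    # partially collapsed: servers of one DMZ share an ESX host, DMZs do not
    "partially_collapsed": {
        "web-1": ("web_dmz", "esx-web"), "web-2": ("web_dmz", "esx-web"),
        "app-1": ("app_dmz", "esx-app"),
        "db-1":  ("db_dmz",  "esx-db"),
    },
    # fully collapsed: every DMZ on a single ESX host, separated only in software
    "fully_collapsed": {
        "web-1": ("web_dmz", "esx-1"), "web-2": ("web_dmz", "esx-1"),
        "app-1": ("app_dmz", "esx-1"),
        "db-1":  ("db_dmz",  "esx-1"),
    },
}


def dmzs_breached_by(workloads, failed_host):
    """DMZs whose workloads are exposed if `failed_host` is fully compromised."""
    return sorted({dmz for dmz, host in workloads.values() if host == failed_host})


def worst_single_host_failure(workloads):
    """The host whose compromise exposes the most DMZs, and the DMZs it exposes."""
    hosts = sorted({host for _, host in workloads.values()})
    worst = max(hosts, key=lambda h: len(dmzs_breached_by(workloads, h)))
    return worst, dmzs_breached_by(workloads, worst)


def preserves_segregation(workloads):
    """True if no single host compromise crosses a DMZ boundary, i.e. the
    property the separate per-DMZ firewalls were bought to provide."""
    _, breached = worst_single_host_failure(workloads)
    return len(breached) <= 1


if __name__ == "__main__":
    for name, layout in DESIGNS.items():
        host, breached = worst_single_host_failure(layout)
        verdict = "OK" if preserves_segregation(layout) else "FAILS requirement"
        print(f"{name:20s} worst host={host:10s} exposes {breached} -> {verdict}")
```

Running it reports the partially collapsed layout as equivalent to the physical baseline under this single check, while the fully collapsed layout fails it; the same table-driven check can be extended with shared switches or storage as further "devices" if your risk appetite treats those as boundaries too.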
Xobni and LinkedIn - perfect together [StillSecure, After All These Years] Posted: 01 Jul 2008 06:53 AM CDT
An interesting thing though about Xobni. As I was given invitations, I would send them out to people I know. Though many of them liked the functionality of the product, they said that it slowed their Outlook to a crawl and just did not think the performance hit was worth it. Maybe I got used to the slowness or I am just not seeing it, but I did not see what they saw. In any event, many people were not using the product. Well the Xobni folks just released a new version of the product that promises improved performance. I hope that helps those people who were complaining about this. It also offers several other new features, the biggest being LinkedIn integration. I really like this LinkedIn integration as it gives you yet another layer of information on the people writing to you. All in all, I think this just makes the product more indispensable than it is already. It is now available to the public, so I would encourage you to check it out for yourself!
Security IS a Business Function [BlogInfoSec.com] Posted: 01 Jul 2008 06:00 AM CDT If there is only one key attribute for the success of your information security program, it has to be that security is treated as a business function. In Chapter 5 of the recently published "CISO Leadership: Essential Principles for Success", the authors break down the components of a business and explain how each contributes to a relevant and successful endeavor. They posit that, as with any other business, a security program must have all of the following parts and pieces:
Makes perfect sense, doesn't it? Haven't we said all along that security is an enabler? After all, what is the mission of the information security program if not to serve as a facilitator for the development and delivery of the organization's products and services? Remember, in one of my earlier columns in this blog, I referenced Chapter 10, entitled "Why and How Assessment of an Organization's Culture Should Shape Security Strategies." Once again, in Chapter 5, the authors begin with the assertion that 'the first task in developing or reviewing a security function is to assess and understand the organization's culture.' Working within the organization's culture is critical. If your job is to develop, approve and implement policies and standards, you need to know how things get done in your company. Is it a top-down patriarchy, where support from executive management ensures complete success? Is it a bottom-up, consensus-driven organization, where buy-in and concurrence are key? Different cultures demand different perspectives and totally different approaches. Although a cultural assessment can be extensive, some key questions to ask are:
There's an ongoing debate about the last question above. Some say security should report to the CEO. Others say it should report anywhere but under IT. Regardless, it should fit where it has the best chance of succeeding. In any event, leadership of the function is essential; as the authors claim, "… a successful business function is led by a person who can effectively communicate and collaborate with other executives, managers and staff." So, how does one go about it? The authors of Chapter 5 lead us step by step, in a plan, build, run model:
In summary, business requirements drive the information security function. Running information security as a business is key to keeping the function relevant and successful. © Micki Krause for BlogInfoSec.com, 2008. This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!
Security Screensavers [/dev/random] [Belgian Security Blognetwork] Posted: 01 Jul 2008 12:56 AM CDT

Everybody uses screensavers! Initially, the purpose of those little applications was to preserve the phosphor used in CRT displays. There are thousands of screensavers available (well known are floating texts, slideshows, fireworks, etc.). But screensavers can also be used to display useful information to the user, and why not security-related information? Here is a selection of screensavers I found:

* Microsoft Security Screensavers - Microsoft proposes two versions, “the Ten Immutable Laws of Security” and “the Ten Immutable Laws of Security Administration”.
* SaveIT Security Awareness Screensaver - SaveIT gives security facts, tips, questions and short animations. This is commercial software.
* Simply Done Information Security Awareness Screensaver - Provides tips and tricks based on multimedia cartoons. Also commercial software.
* SuperSecurity Screensaver - Displays messages to remind users not to steal company data via removable devices.
* NuParadigm RSS Screensaver - Displays RSS feeds. Just configure it to read your favourite security feeds!

If you know or use other screensavers related to security, feel free to share!
I said "No, No, No" [Emergent Chaos] Posted: 01 Jul 2008 12:04 AM CDT After having seen some footage of Amy Winehouse's performance at Glastonbury, I think she needs to immediately marry Shane Macgowan, preferably as part of a reality TV show.
Links for 2008-06-30 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"] Posted: 01 Jul 2008 12:00 AM CDT
Top 5 Reasons WAF Will Not Die [Digital Soapbox - Security, Risk & Data Protection Blog] Posted: 30 Jun 2008 10:40 PM CDT I'd like to say that we've beaten the WAF (or as I call it, WaIDS) topic to an absolute bloody pulp... but I guess I'm wrong. A shining example is Marcin's TS/SCI security blog, whose "Week of War on WAFs" is very technically accurate and packed with information, but doesn't address the real-world issue that continues to drive WAF adoption in the business world. Let's face it, there are a bunch of WAF companies out there and they're not all going belly-up; in fact, they're making a killing with the PCI DSS deadline today! By the way, this blog entry is a great read if you are looking for some more analysis on the topic of PCI DSS and the June 30th deadline. So as I thought about this (again), I decided to come up with the top 5 reasons why Web Application Firewalls are and will continue to be deployed in the world of PCI DSS requirements. So, here it is... the list. Top 5 Reasons why WAFs Won't Go Away
Cheers.
Evil BETAs Attack! [Anton Chuvakin Blog - "Security Warrior"] Posted: 30 Jun 2008 07:55 PM CDT Read this awesome "The BETA Mindset: Public Enemy #1" piece from Mike R (BTW, it is a MUST-read). Then maybe refresh on what I said after reading "Geekonomics." Then think! Yes, it is available today (as beta maybe, but then again "all software is beta"). Yes, it is free. Yes, it works ... well, when it does. Yes, you can trust, say, your email to it (who cares when it is made public, really! :-)) And then the same programmer mindset trickles up to the software that controls your aircraft engine. Boom! That WAS you. The more I think about it, the more I like the idea of software manufacturers' liability (succinctly described in "Geekonomics"); I suspect that everything bad that might come with it will probably still be better than what we have now (or will have soon...)
TrendLabs: New Adobe PDF Exploit Detected [Infosecurity.US] Posted: 30 Jun 2008 07:17 PM CDT Edgardo Diaz, Jr., a Threats Analyst at TrendLabs, has posted an announcement detailing a newly discovered PDF exploit monikered TROJ_PIDIEF.AC. Apparently, according to reports, this pesky Trojan causes a BSOD on the host, and immediately prior to the BSOD, it installs an info stealer. Adobe also has a security announcement regarding this issue, and, based [...]
still hacked since 31 may informaticalessen.be [belsec] [Belgian Security Blognetwork] Posted: 30 Jun 2008 06:20 PM CDT 31 May 2008 - Hacked By AdReNaLin
Posted: 30 Jun 2008 06:16 PM CDT

If this patch isn't installed, then your laptop or computer with XP SP2 and wireless (even WPA) will:

* try to connect to any wireless connection that is recognised as having the same name as one of those you have defined as preferred. If those are not found, it will try to connect to any other wireless connection every minute.
* broadcast a list of preferred wireless connections, so a hacker intercepting it knows exactly how to set up a rogue wireless access point.

You can find more information and a link to the download here (the patch is not installed via automatic update but was included in XP SP3).
Fun Reading on Logs and Log Management [Anton Chuvakin Blog - "Security Warrior"] Posted: 30 Jun 2008 06:13 PM CDT I am amazed (no, AMAZED!) about how many people now write about logs; it is definitely not "the original logging evangelist" anymore :-) Here is a quick sample, useful for those struggling with logs (aka "everybody" :-))
Enjoy!
Web2.0 financial services are risky for Identity theft [belsec] [Belgian Security Blognetwork] Posted: 30 Jun 2008 05:44 PM CDT “Cool” personal finance Websites such as Banzai, Mint, Wesabe and others offer a look into the future of online banking, but also open the door for ID theft, warns TowerGroup. Non-bank online personal finance sites offer a new take on traditional account aggregation services. By using Web 2.0 community-sharing concepts such as Web forums and blogs, they allow individuals to interact, share, learn, and belong to a like-minded community. “Consumers are often drawn to these new offerings by attractive interfaces and compelling market campaigns,” says TowerGroup analyst George Tubin. However, most of the new sites pose a security risk and are likely to become the next target for phishers and other fraudsters, Tubin cautions. This is because they use only single-factor authentication - user name and password - to protect customer information. TowerGroup believes that the U.S. Federal Trade Commission (FTC) should step up regulation of these online sites. Specifically, it should impose the federal banking regulators’ 2005 FFIEC (Financial Institutions Examination Council) guidance on online authentication. Notwithstanding the security concerns, Tubin says, consumer banks will want to move into this space and “will either adopt similar capabilities themselves, partner with new independent players, or acquire them.”
Best of wikileaks this week [belsec] [Belgian Security Blognetwork] Posted: 30 Jun 2008 05:20 PM CDT

* How American soldiers clean up a radioactive site in Iraq without any protection in 2003
* UK appraisal of the Iraq operation 2003 - 2005 (restricted document)
* 2005 Florida security assessment (secret) that says that Cuba was upgrading its telecommunication interception capabilities
* Arabic handwritten Jihad manual from 1998 about security and intelligence
* Kryptoleaks is my attempt at a solution for [1]. Kryptoleaks Portable is a Windows bundle of OSI programs optimized for anonymity (under development). Kryptoleaks LiveCD & Kryptoleaks LiveUSB is a Linux setup that is built for ease of use & never touches the hard drive. --MchlSchmdt 22:10, 25 June 2008 (GMT) The Kryptoleaks Project is still under development
Posted: 30 Jun 2008 05:00 PM CDT

If we read the proposition that will be put before a vote by the majority tomorrow, then we can conclude the following. First and most important, the use of the electronic voting system won't be compulsory in Belgium. It is up to the communes (which are the organizers of the elections here) to decide whether to use the electronic or the traditional system of voting. Secondly, we see that they didn't take into account anywhere in their decision that there are some serious questions that can be asked about the electronic voting system in Belgium that is proposed by the universities:

* the use of RFID on the votes is something that is totally unbelievable because of the insecurities of the technology
* the total absence of norms, standards and objective, attack-based testing methods - even if the resolution mentions that it is possible that the e-voting technology isn't maybe as safe as they thought it would be
* there is no repudiation of the proposition in the study that the counting of the paper vote (proof) would be minimized, if not absent, and would have no legal impact whatsoever. Maybe the cities should take a decision here about the methods and number of tests they could do to be sure that the technological results are correct before any tabulation is done.
* there is nothing foreseen to make sure that the whole election doesn't depend totally on technology and electricity. It should be possible and foreseen that if the technology or electricity doesn't work, paper votes would be available in sufficient numbers to continue the election.
* the auditing and supervision by the parliament of the development and preparation of the voting and the day itself isn't reinforced at all. The result is that there will be less supervision, less independent control, and if there are incidents the elections will be less legitimate and the problems afterwards will be much bigger.
For the time being we will vote with code and technology that is already 15 years old. If it would be an OS we would send it to Africa. (cynical bad taste joke).
SaaS-ish Identity Management [Matt Flynn's Identity Management Blog] Posted: 30 Jun 2008 02:00 PM CDT Matt P wonders about the security and reliability of having identity managed as a service. The more I think about IdM as a service, the more I like it. A company might tell you that they are concerned about the security of having their critical IdM systems hosted by (or managed by) someone other than their own trusted "Active Directory guy". But, that same company probably wouldn't think twice about bringing in consultants to help out (who easily have access to plant code, create back doors, enable bad accounts, etc.). I think most companies are already outsourcing IdM – they just do it on a project basis and therefore have the associated personnel continuity, troubleshooting, and learning curve issues. Not to mention customized hardware and software combinations that nobody has documented or even understands. Wouldn't it be better if the consultants that designed and implemented the IdM solution did it in a repeatable way that is easily understood, managed, and configurable or extensible to adapt to future requirements? And they just continue to manage it, taking the burden off of you? This model also helps with infrastructure reliability due to economies of scale and the value of having a known environment. Yes, the Internet could go down. But, the internal network could go down too. Or the server. Or the database. With a managed solution, someone else will have the economies of scale to ensure a higher uptime probability and a quicker response time (if they do it right). I don't think security or reliability is a good argument against buying into IdM as a service. Data can be encrypted. Admin activity can be monitored. Redundancy can be built in. I agree with Matt that "only firms that specialize in the IdM space will be able to be successful hosts."
I'd rather see an IdM service company try to move to the SaaS model rather than a SaaS provider try to create an IdM offering. But the complexity, repeatability, and value of IdM seem to make it ripe for a service-based delivery model. What do you think?
Aetna goes live with EV SSL [Tim Callan's SSL Blog] Posted: 30 Jun 2008 01:16 PM CDT Readers of this SSL Blog will recall that there was a time when tracking the early adoption of Extended Validation SSL was one of this blog's main functions. As it has become more mainstream, I've left off mentioning deployment on individual sites unless they're very important.
Unauthorized reading confirmation on Outlook [Security Balance] Posted: 30 Jun 2008 11:17 AM CDT

Last month, during an exam item-writing workshop for the CISSP-ISSAP certification, I got an idea about how a malicious e-mail sender could try to get a reading confirmation, unseen by the recipient, including the IP address of the recipient. I was talking about S/MIME messages and I thought about the signature validation process, where some of the steps could require external information (like a CRL) to be accessed. The interesting part of it is that the location of this information can be included in the message itself, as the PKCS#7 package can also include the certificate used to generate the signature. I went into Microsoft's documentation about the validation process in Outlook, and found this (reference: http://technet.microsoft.com/en-us/library/bb457027.aspx#EKAA):

When the first certificate in the chain is validated, the following process takes place.

1. The chaining engine will attempt to find the certificate of the CA that issued the certificate being examined. The chaining engine will inspect the local system certificate stores to find the parent CA certificate. The local system stores include the CA store, the Root store, and the Enterprise Trust store. If the parent CA certificate is not found in the local system certificate stores, the parent CA certificate is downloaded from one of the URLs available in the inspected certificate's AIA extensions. The paths are built without signature validation at this time because the parent CA certificate is required to verify the signature on a certificate issued by the parent CA.

2. For all chains that end in a trusted root, all certificates in the chain are validated. This involves the following steps.

Here is a sample of a web access from the recipient of a message crafted like that. In this case, the AIA address included in the certificate was pointing to the “http://www.securitybalance.com/ca.html” URI.
10.10.10.31 - - [12/May/2008:15:47:43 -0400] "GET /ca.html HTTP/1.1" 200 116 "-" "Microsoft-CryptoAPI/5.131.2600.3311" (anonymized IP address)
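From the defender's side, the fingerprint of this leak is exactly the log line above: a fetch by the Windows chaining engine (User-Agent Microsoft-CryptoAPI) to a host that is not one of your CAs. The Python below is an added example, not code from the Security Balance post or from Microsoft; it parses Apache "combined" format lines as an outbound web proxy would write them (absolute URL in the request line), flags CryptoAPI fetches to hosts outside an allow-list, and groups them by destination. The sample log, the allow-list and every host ending in .test are constructed placeholders; the first sample line adapts the anonymized hit shown in the post to the proxy form.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of an outbound web-proxy log in Apache "combined" format.
# The first line adapts the (anonymized) server-side hit shown in the post to the
# proxy form, where the request line carries the absolute URL; the other lines
# are invented. Hosts ending in .test are placeholders.
SAMPLE_PROXY_LOG = """\
10.10.10.31 - - [12/May/2008:15:47:43 -0400] "GET http://www.securitybalance.com/ca.html HTTP/1.1" 200 116 "-" "Microsoft-CryptoAPI/5.131.2600.3311"
10.10.10.31 - - [12/May/2008:15:47:44 -0400] "GET http://aia.example-ca.test/issuing.crt HTTP/1.1" 200 1024 "-" "Microsoft-CryptoAPI/5.131.2600.3311"
10.10.10.45 - - [12/May/2008:15:48:01 -0400] "GET http://www.example.test/index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
10.10.10.45 - - [12/May/2008:15:48:02 -0400] "GET http://tracker.example.test/x.cer HTTP/1.1" 404 0 "-" "Microsoft-CryptoAPI/5.131.2600.3311"
"""

# Hosts that your own PKI and the public CAs you rely on publish AIA/CRL
# material from. Constructed placeholder: populate it from the AIA and CDP
# URLs found in the CA certificates you actually trust.
KNOWN_CA_HOSTS = {"aia.example-ca.test"}

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_combined(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspect_aia_fetches(log_text, known_hosts=KNOWN_CA_HOSTS):
    """Records where the Windows chaining engine (User-Agent Microsoft-CryptoAPI)
    fetched from a host outside the known-CA allow-list. Such a fetch is the
    side channel the post describes: the message sender learns the recipient's
    address and read time without any visible read receipt."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None or not rec["ua"].startswith("Microsoft-CryptoAPI"):
            continue
        url = urlparse(rec["target"])
        host = url.hostname or ""
        if host not in known_hosts:
            hits.append({"client": rec["ip"], "host": host, "path": url.path,
                         "ts": rec["ts"], "status": rec["status"]})
    return hits


def clients_by_host(hits):
    """Group flagged fetches by destination host: one host hit by many clients
    suggests a mass mailing, a single client suggests a targeted message."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["host"]].add(h["client"])
    return {host: sorted(clients) for host, clients in grouped.items()}


if __name__ == "__main__":
    suspects = find_suspect_aia_fetches(SAMPLE_PROXY_LOG)
    for h in suspects:
        print(f"{h['ts']} {h['client']} -> {h['host']}{h['path']} ({h['status']})")
    print(clients_by_host(suspects))
```

The allow-list approach is deliberate: CryptoAPI fetching from a known CA during chain building is normal, so alerting on the user-agent alone would be noise. What stands out is the destination, and, as the post's sample shows, the request happens on the client whether or not the user ever sees a receipt, so the proxy log is the only place the organisation sees it.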
Security Tidbits of Interest [BlogInfoSec.com] Posted: 30 Jun 2008 10:00 AM CDT

Did you know that Al-Qaeda uses PGP?

Analysts said that as-Sahab is outfitted with some of the best technology available. Editors and producers use ultralight Sony Vaio laptops and top-end video cameras. Files are protected using PGP, or Pretty Good Privacy, a virtually unbreakable form of encryption software that is also used by intelligence agencies around the world.

I’m always fascinated when something in one field impacts another in a non-obvious way. In this case it’s global warming and national security.

“The conditions exacerbated by the effects of climate change could increase the pool of potential recruits into terrorist activity,” he said.

The MoD blames the recent information security lapses on the fact that the value of security was not translated to the younger generation:

[T]oday’s Facebook generation failed to understand the culture of security which was ingrained during the Cold War. “These well-developed processes and procedures have not been translated effectively into the information age,” he wrote.

Identity theft the traditional way: raiding the physical mailbox.

Brown says the two women stole the identities of the married couple by asking the postal service to forward the couple’s mail back to their old address in Rego Park, Queens. The DA says they then opened numerous credit card accounts in the couple’s name between January 2008 and June 2008.

© Kenneth F. Belva for BlogInfoSec.com, 2008.
AdvFS Goes Open Source [/dev/random] [Belgian Security Blognetwork] Posted: 30 Jun 2008 07:38 AM CDT HP announced that the AdvFS source code will be made open source. A few years ago, I worked with Tru64 and AdvFS. It was a wonderful file system but, unfortunately, Tru64 development stopped after the Compaq takeover by HP. Let’s hope that the AdvFS source code will provide benefits to the whole open source community! Source is available at Sourceforge.
In the land of the blind.. [Emergent Chaos] Posted: 30 Jun 2008 01:20 AM CDT

Verizon Business recently posted an excellent article on their blog about security patching. As someone who just read The New School of Information Security (an important book that all information security professionals should read), I thought it was refreshing to see someone take an evidence-based approach to information security controls.

First, thanks Jeff! Second, I was excited by the Verizon report precisely because of what's now starting to happen. I wrote "Verizon has just catapulted themselves into position as a player who can shape security. That's because of their willingness to provide data." Jeff is now using that data to test the PCI standard, and finds that some of its best practices don't make as much sense as the authors of PCI-DSS might have thought. That's the good. Verizon gets credibility because Jeff relies on their numbers to make a point. And in this case, I think that Jeff is spot on.

I did want to address something else relating to patching in the Verizon report. Russ Cooper wrote in "Patching Conundrum" on the Verizon Security Blog:

To summarize the findings in our “Control Effectiveness Study”, companies who did a great job of patching (or AV updates) did not have statistically significantly less hacking or malicious code experience than companies who said they did an average job of patching or AV updates.

The trouble with this is that the assessment of patching is done by

...[interviewing] the key person responsible for internal security (CSO) in just over 300 companies for which we had already established a multi-year data breach and malcode history. We asked the CSO to rate how well each of dozens of countermeasures were actually deployed in his or her enterprise on a 0 to 5 scale. A score of “zero” meant that the countermeasure was not in use. A score of “5” meant that the countermeasure was deployed and managed “the best that the CSO could imagine it being deployed in any similar company in the world.” A score of “3” represented what the CSO considered an average deployment of that particular countermeasure.

So let's take two CSOs, analytical Alice and boastful Bob. Analytical Alice thinks that her patching program is pretty good. Her organization has strong inventory management, good change control, and rolls out patches well. She listens carefully, and most of her counterparts say similar things. So she gives herself a "3." Boastful Bob, meanwhile, has exactly the same program in place, but thinks a lot about how hard he's worked to get those things in place. He can't imagine anyone having a better process 'in the real world,' and so gives himself a 5.

This phenomenon doesn't just impact CSOs. There's fairly famous research entitled "Unskilled and Unaware of it," or "Why the Unskilled Are Unaware:"

Five studies demonstrated that poor performers lack insight into their shortcomings even in real world settings and when given incentives to be accurate. An additional meta-analysis showed that it was lack of insight into their errors (and not mistaken assessments of their peers) that led to overly optimistic social comparison estimates among poor performers.

Now, the Verizon study could have overcome this by carefully defining what a 1-5 meant for patching. Did it? We don't actually know. To be perfectly fair, there's not enough information in the report to make a call on that. I hope that they'll make that more clear in the future. Candidly, though, I don't want to get wrapped around the axle on this question. The Verizon study (as Jeff Lowder points out) gives us enough data to take on questions which have been opaque. That's a huge step forward, and in the land of the blind, it's impressive what a one-eyed man can accomplish.

I'm hopeful that as they've opened up, we'll have more and more data, and more critiques of that data. It's how science advances, and despite some misgivings about the report, I'm really excited by what it allows us to see.

Photo: "In the land of the blind, the one eyed are king" by nandOOnline, and thanks to Arthur for finding it. [Updated: cleaned up the transition between the halves of the post.]
Buying Smokes in Japan is Child’s Play [Alert Logic] Posted: 29 Jun 2008 09:56 PM CDT Now this is pretty funny. Having lived in Europe for years, cigarette vending machines have always been everywhere and have never been monitored. You can still find these automated vendors of cancer sticks in pretty much every restaurant and train station there (although that is quickly changing as well). And although I applaud Japan for [...]
GNUCITIZEN Opinion: Security Companies Are Boring [Infosecurity.US] Posted: 29 Jun 2008 09:13 PM CDT
Must Read: Application and Database Security [Infosecurity.US] Posted: 29 Jun 2008 09:05 PM CDT
UK Passport Photos? [Emergent Chaos] Posted: 29 Jun 2008 01:57 PM CDT 2008 and UK passport photos now have the left eye 'removed' to be stored on a biometric database by the government. It's a photo that seems to say more to me about invasion of human rights and privacy than any political speech ever could. Really? This is a really creepy image. Does anyone know if this is for real, and if so, where we can read more? Photo: Alan Cleaver2000