Friday, July 4, 2008

Spliced feed for Security Bloggers Network

Whathehuhnammm…heh, heh. [The Dark Visitor]

Posted: 04 Jul 2008 07:06 AM CDT

That was the actual sound that came out of my mouth when I first viewed this picture from Xinhuanet of People’s Armed Police officers demonstrating new Olympic counter-terrorism equipment:

Eastwood, if you can bring me back one of these Segways-of-Death…man, we are buds for life!

EPIC FAIL FOR ALL [Vitalsecurity.org - A Revolution is the Solution]

Posted: 04 Jul 2008 02:50 AM CDT

"The reality is though that in most cases, an IP address without additional information cannot (identify you)." Google Public Policy Blog

Wow, that came around and bit everyone on the ass, didn't it?

Such a cacophony of disasters, I'm not sure what to roll my eyes at first - the mass treasure trove of data hoarded under the stairs, Viacom's grab for the cookie jar (they want everything including material copyrighted by *others* and deleted material that for all they know might have been illegal? Can someone do Viacom for possession and copyright infringement please)?

Maybe it's the fact that the Judge ruling over this case is about six thousand years old and clearly wouldn't know what an Internet was if it hit him in the face, which I strongly suspect is about to happen.

The EFF blog has an update where Viacom claim they don't intend to go harassing individual Youtube users, but we've seen stuff like this enough times to know everything has a huge potential to go entirely tits up further down the line.

Samwell sums this up far better than I ever could:

In Congress Assembled, July 4, 1776 [Emergent Chaos]

Posted: 04 Jul 2008 01:18 AM CDT

In CONGRESS, July 4, 1776

The unanimous Declaration of the thirteen united States of America,

When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which the Laws of Nature and of Nature’s God entitle them, a decent respect to the opinions of mankind requires that they should declare the causes which impel them to the separation.

We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness. –That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, –That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness. Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security. —Such has been the patient sufferance of these Colonies; and such is now the necessity which constrains them to alter their former Systems of Government. The history of the present King of Great Britain [George III] is a history of repeated injuries and usurpations, all having in direct object the establishment of an absolute Tyranny over these States. To prove this, let Facts be submitted to a candid world.

He has refused his Assent to Laws, the most wholesome and necessary for the public good.

He has forbidden his Governors to pass Laws of immediate and pressing importance, unless suspended in their operation till his Assent should be obtained; and when so suspended, he has utterly neglected to attend to them.

He has refused to pass other Laws for the accommodation of large districts of people, unless those people would relinquish the right of Representation in the Legislature, a right inestimable to them and formidable to tyrants only.

He has called together legislative bodies at places unusual, uncomfortable, and distant from the depository of their public Records, for the sole purpose of fatiguing them into compliance with his measures.

He has dissolved Representative Houses repeatedly, for opposing with manly firmness his invasions on the rights of the people.

He has refused for a long time, after such dissolutions, to cause others to be elected; whereby the Legislative powers, incapable of Annihilation, have returned to the People at large for their exercise; the State remaining in the mean time exposed to all the dangers of invasion from without, and convulsions within.

He has endeavoured to prevent the population of these States; for that purpose obstructing the Laws for Naturalization of Foreigners; refusing to pass others to encourage their migrations hither, and raising the conditions of new Appropriations of Lands.

He has obstructed the Administration of Justice, by refusing his Assent to Laws for establishing Judiciary powers.

He has made Judges dependent on his Will alone, for the tenure of their offices, and the amount and payment of their salaries.

He has erected a multitude of New Offices, and sent hither swarms of Officers to harass our people, and eat out their substance.

He has kept among us, in times of peace, Standing Armies without the consent of our legislatures.

He has affected to render the Military independent of and superior to the Civil power.

He has combined with others to subject us to a jurisdiction foreign to our constitution and unacknowledged by our laws; giving his Assent to their Acts of pretended Legislation:

For Quartering large bodies of armed troops among us:

For protecting them, by a mock Trial, from punishment for any Murders which they should commit on the Inhabitants of these States:

For cutting off our Trade with all parts of the world:

For imposing Taxes on us without our Consent:

For depriving us, in many cases, of the benefits of Trial by Jury:

For transporting us beyond Seas to be tried for pretended offences:

For abolishing the free System of English Laws in a neighbouring Province, establishing therein an Arbitrary government, and enlarging its Boundaries so as to render it at once an example and fit instrument for introducing the same absolute rule into these Colonies:

For taking away our Charters, abolishing our most valuable Laws, and altering fundamentally the Forms of our Governments:

For suspending our own Legislatures, and declaring themselves invested with power to legislate for us in all cases whatsoever.

He has abdicated Government here, by declaring us out of his Protection and waging War against us.

He has plundered our seas, ravaged our Coasts, burnt our towns, and destroyed the lives of our people.

He is at this time transporting large Armies of foreign Mercenaries to compleat the works of death, desolation and tyranny, already begun with circumstances of Cruelty and perfidy scarcely paralleled in the most barbarous ages, and totally unworthy the Head of a civilized nation.

He has constrained our fellow Citizens taken Captive on the high Seas to bear Arms against their Country, to become the executioners of their friends and Brethren, or to fall themselves by their Hands.

He has excited domestic insurrections amongst us, and has endeavoured to bring on the inhabitants of our frontiers, the merciless Indian Savages, whose known rule of warfare, is an undistinguished destruction of all ages, sexes and conditions.

In every stage of these Oppressions We have Petitioned for Redress in the most humble terms: Our repeated Petitions have been answered only by repeated injury. A Prince whose character is thus marked by every act which may define a Tyrant, is unfit to be the ruler of a free people.

Nor have We been wanting in attentions to our British brethren. We have warned them from time to time of attempts by their legislature to extend an unwarrantable jurisdiction over us. We have reminded them of the circumstances of our emigration and settlement here. We have appealed to their native justice and magnanimity, and we have conjured them by the ties of our common kindred to disavow these usurpations, which, would inevitably interrupt our connections and correspondence. They too have been deaf to the voice of justice and of consanguinity. We must, therefore, acquiesce in the necessity, which denounces our Separation, and hold them, as we hold the rest of mankind, Enemies in War, in Peace Friends.

We, therefore, the Representatives of the united States of America, in General Congress, Assembled, appealing to the Supreme Judge of the world for the rectitude of our intentions, do, in the Name, and by the Authority of the good People of these Colonies, solemnly publish and declare, That these United Colonies are, and of Right ought to be Free and Independent States; that they are Absolved from all Allegiance to the British Crown, and that all political connection between them and the State of Great Britain, is and ought to be totally dissolved; and that as Free and Independent States, they have full Power to levy War, conclude Peace, contract Alliances, establish Commerce, and to do all other Acts and Things which Independent States may of right do. And for the support of this Declaration, with a firm reliance on the protection of divine Providence, we mutually pledge to each other our Lives, our Fortunes and our sacred Honor.

The signers of the Declaration represented the new states as follows:

New Hampshire

Josiah Bartlett, William Whipple, Matthew Thornton

Massachusetts

John Hancock, Samuel Adams, John Adams, Robert Treat Paine, Elbridge Gerry

Rhode Island

Stephen Hopkins, William Ellery

Connecticut

Roger Sherman, Samuel Huntington, William Williams, Oliver Wolcott

New York

William Floyd, Philip Livingston, Francis Lewis, Lewis Morris

New Jersey

Richard Stockton, John Witherspoon, Francis Hopkinson, John Hart, Abraham Clark

Pennsylvania

Robert Morris, Benjamin Rush, Benjamin Franklin, John Morton, George Clymer, James Smith, George Taylor, James Wilson, George Ross

Delaware

Caesar Rodney, George Read, Thomas McKean

Maryland

Samuel Chase, William Paca, Thomas Stone, Charles Carroll of Carrollton

Virginia

George Wythe, Richard Henry Lee, Thomas Jefferson, Benjamin Harrison, Thomas Nelson, Jr., Francis Lightfoot Lee, Carter Braxton

North Carolina

William Hooper, Joseph Hewes, John Penn

South Carolina

Edward Rutledge, Thomas Heyward, Jr., Thomas Lynch, Jr., Arthur Middleton

Georgia

Button Gwinnett, Lyman Hall, George Walton

Image: Washington's copy of the Declaration of Independence, from the Library of Congress.

Links for 2008-07-03 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 04 Jul 2008 12:00 AM CDT

A thin line between blog theft and promotion - another opinion [StillSecure, After All These Years]

Posted: 03 Jul 2008 10:24 PM CDT

Rich Mogull has been writing a bit about his disagreement with the SecurityRatty site posting his content (original posts here and here). These posts have set off a rash of comments and other articles on both sides of this issue. Finally Rich wrote his defining post on this topic here. Rich's position is that he owns his words. Ratty took them without his permission, adds nothing to the conversation or commentary at all and actually hosts the content rather than just linking to it. Now for those who don't know, SecurityRatty is a site allegedly owned and operated by some Russian CISSP dude. Basically, they claim they are an RSS aggregator and they just republish blog posts in their entirety. A couple of things to note though:

1. SecurityRatty does not usually add any content of their own or edit the posts in any way
2. They link back to the blogs or articles which are aggregated
3. They do appear to sell some advertising on the site
4. You can search their aggregated content on their site
5. At least recently they are removing content and feeds from their site if you request it.
6. They did not ask anyone's permission that I know of before posting content

OK, now that the groundwork is laid, let me give my Shimel view on this. I disagree with Rich. Hey it is a big world and I think there is room for a dissenting opinion here. The reasons I disagree with Rich are:

1. Though Ratty plainly posts up others' content, he does not hold it out as his own. He plainly gives credit to those who actually created the words and in fact links back to their sites.
2. Rich is publishing his data under a creative commons license, I am not sure if the meager ad on Ratty would qualify this as a commercial site.
3. Rich distinguishes what Ratty does from Google and other search engines (who clearly profit from Rich's content) by the fact that they just point to it. Not altogether true. They also keep a cached copy of the content that you can go to as well.
4. The fact is that I have a tough time seeing any harm to Rich here. In fact if Ratty were not pointing back to Rich's site, if he did not make it as easy to see that it is just an aggregate feed or if Ratty were adding his own comments and not clearly delineating his from Rich's, I would feel differently. Some of this is directly in contrast to Rich who says that if Ratty did add his own views to Rich's, that would make it right by him.
5. Finally, I would go even further than Rich not being harmed by Ratty. I think Rich actually benefits from Ratty. It is yet another outlet for Rich's content and though not everyone reading it at Ratty may go back to Rich's site, they do know it is him and can go back easily. In fact if Rich did advertise at his site, I could understand him losing hits at his site. Otherwise if Ratty just pointed back, one could say the more hits Ratty generates, it could cost Rich more money. Much like people who link to graphics hosted elsewhere.

So, Rich I see that Ratty has stopped aggregating your content so that should be enough of a victory for you. In the long run though I think it is a Pyrrhic victory and you would have been better off with Ratty publicizing your words.

Let Freedom Ring [The Dark Visitor]

Posted: 03 Jul 2008 09:36 PM CDT

US Declaration of Independence

When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which the Laws of Nature and of Nature’s God entitle them, a decent respect to the opinions of mankind requires that they should declare the causes which impel them to the separation.

We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness. –That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, –That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness. Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security. —Such has been the patient sufferance of these Colonies; and such is now the necessity which constrains them to alter their former Systems of Government. The history of the present King of Great Britain [George III] is a history of repeated injuries and usurpations, all having in direct object the establishment of an absolute Tyranny over these States. To prove this, let Facts be submitted to a candid world.

He has refused his Assent to Laws, the most wholesome and necessary for the public good.

He has forbidden his Governors to pass Laws of immediate and pressing importance, unless suspended in their operation till his Assent should be obtained; and when so suspended, he has utterly neglected to attend to them.

He has refused to pass other Laws for the accommodation of large districts of people, unless those people would relinquish the right of Representation in the Legislature, a right inestimable to them and formidable to tyrants only.

He has called together legislative bodies at places unusual, uncomfortable, and distant from the depository of their public Records, for the sole purpose of fatiguing them into compliance with his measures.

He has dissolved Representative Houses repeatedly, for opposing with manly firmness his invasions on the rights of the people.

He has refused for a long time, after such dissolutions, to cause others to be elected; whereby the Legislative powers, incapable of Annihilation, have returned to the People at large for their exercise; the State remaining in the mean time exposed to all the dangers of invasion from without, and convulsions within.

He has endeavoured to prevent the population of these States; for that purpose obstructing the Laws for Naturalization of Foreigners; refusing to pass others to encourage their migrations hither, and raising the conditions of new Appropriations of Lands.

He has obstructed the Administration of Justice, by refusing his Assent to Laws for establishing Judiciary powers.

He has made Judges dependent on his Will alone, for the tenure of their offices, and the amount and payment of their salaries.

He has erected a multitude of New Offices, and sent hither swarms of Officers to harass our people, and eat out their substance.

He has kept among us, in times of peace, Standing Armies without the consent of our legislatures.

He has affected to render the Military independent of and superior to the Civil power.

He has combined with others to subject us to a jurisdiction foreign to our constitution and unacknowledged by our laws; giving his Assent to their Acts of pretended Legislation:

For Quartering large bodies of armed troops among us:

For protecting them, by a mock Trial, from punishment for any Murders which they should commit on the Inhabitants of these States:

For cutting off our Trade with all parts of the world:

For imposing Taxes on us without our Consent:

For depriving us, in many cases, of the benefits of Trial by Jury:

For transporting us beyond Seas to be tried for pretended offences:

For abolishing the free System of English Laws in a neighbouring Province, establishing therein an Arbitrary government, and enlarging its Boundaries so as to render it at once an example and fit instrument for introducing the same absolute rule into these Colonies:

For taking away our Charters, abolishing our most valuable Laws, and altering fundamentally the Forms of our Governments:

For suspending our own Legislatures, and declaring themselves invested with power to legislate for us in all cases whatsoever.

He has abdicated Government here, by declaring us out of his Protection and waging War against us.

He has plundered our seas, ravaged our Coasts, burnt our towns, and destroyed the lives of our people.

He is at this time transporting large Armies of foreign Mercenaries to compleat the works of death, desolation and tyranny, already begun with circumstances of Cruelty and perfidy scarcely paralleled in the most barbarous ages, and totally unworthy the Head of a civilized nation.

He has constrained our fellow Citizens taken Captive on the high Seas to bear Arms against their Country, to become the executioners of their friends and Brethren, or to fall themselves by their Hands.

He has excited domestic insurrections amongst us, and has endeavoured to bring on the inhabitants of our frontiers, the merciless Indian Savages, whose known rule of warfare, is an undistinguished destruction of all ages, sexes and conditions.

In every stage of these Oppressions We have Petitioned for Redress in the most humble terms: Our repeated Petitions have been answered only by repeated injury. A Prince whose character is thus marked by every act which may define a Tyrant, is unfit to be the ruler of a free people.

Nor have We been wanting in attentions to our British brethren. We have warned them from time to time of attempts by their legislature to extend an unwarrantable jurisdiction over us. We have reminded them of the circumstances of our emigration and settlement here. We have appealed to their native justice and magnanimity, and we have conjured them by the ties of our common kindred to disavow these usurpations, which, would inevitably interrupt our connections and correspondence. They too have been deaf to the voice of justice and of consanguinity. We must, therefore, acquiesce in the necessity, which denounces our Separation, and hold them, as we hold the rest of mankind, Enemies in War, in Peace Friends.

We, therefore, the Representatives of the united States of America, in General Congress, Assembled, appealing to the Supreme Judge of the world for the rectitude of our intentions, do, in the Name, and by the Authority of the good People of these Colonies, solemnly publish and declare, That these United Colonies are, and of Right ought to be Free and Independent States; that they are Absolved from all Allegiance to the British Crown, and that all political connection between them and the State of Great Britain, is and ought to be totally dissolved; and that as Free and Independent States, they have full Power to levy War, conclude Peace, contract Alliances, establish Commerce, and to do all other Acts and Things which Independent States may of right do. And for the support of this Declaration, with a firm reliance on the protection of divine Providence, we mutually pledge to each other our Lives, our Fortunes and our sacred Honor.

Posted under US attacks…for those men and women who sacrificed so much for our freedom.

US Army Network Warfare Battalion Activated [Infosecurity.US]

Posted: 03 Jul 2008 05:28 PM CDT

The United States Army has activated its new Network Warfare Battalion, during a ceremony at Fort George G. Meade, Maryland. The Battalion’s mission is mandated to provide support to the Army and the DoD. According to Maj. Gen. David Lacquement, Commander, U.S. Army Intelligence and Security Command, “This battalion formalizes and centralizes the Army’s mission to [...]

Google Releases New Web Security Software [Infosecurity.US]

Posted: 03 Jul 2008 05:26 PM CDT

Google (NasdaqGS: GOOG) has just released internally developed web security software monikered RatProxy. The product (essentially a web sniffer) performs in-depth analysis on specific html, and other web objects for security assessment and generates reports for privileged users to examine. Interested users can download RatProxy from the Google Code site (via VNUNET) WooHoo! Google’s description: “A [...]

Survey warning [IT Security: The view from here]

Posted: 03 Jul 2008 05:24 PM CDT

My dear chum Walt has something to say on PCI surveys today. He puts his questions in a very understated way, such is his low-key manner. I can reveal that it was I that was the straw which broke the camel's back however. You might recall my recent whingeing about a NetIQ survey which said that PCI in Europe wasn't being taken seriously, and they could prove it from a pretty small sample.

I was approached by their marketing manager afterwards, and whilst my back was up initially, I have to say he has won me over with his patience and more importantly, his desire to learn what would make it better. We are going to try and increase the sample size in the coming weeks with a new survey, more targeted and less commercially orientated. Hopefully this will have some real value, and maybe even more coverage in The Register again.

Walt has been very helpful in pointing me in the right direction about how to make this survey objective, but something he did say in a mail to me, he didn't put in his post. The gist was that now PCI awareness has been achieved, everyone wants to know what everybody else is doing. This is subtly different from "wanting to learn from each other", which is a very nice way of looking at it.

Maybe that's because it assumes too much and he knew I'd get what he was saying, but it kind of put things in a nutshell for me. What IS everyone else doing. It seems that the more we talk about PCI, the less we want anyone else to know what we've done. Are we afraid that our solutions aren't as good as next door's? Are we afraid they will try and copy our homework? Come on retailers and banks, let's have a bit of care in the community, share the knowledge!

If you can't beat 'em, join 'em [IT Security: The view from here]

Posted: 03 Jul 2008 05:23 PM CDT

I have to be careful what I say here, but this annoyed me. No, not because they are promoting firewalls, which suck, and will always suck, and should be shot, but because of this:
Firewalls are underrated, but only by an industry which is perpetually looking at selling you the next new thing.
Again, not because it's a lie, firewalls are not underrated, they couldn't be. No, because it's hypocritical crap. Sorry Matasano, you may have some of the finest security minds in the business, who could knock me into a cocked hat, but this is spin. If you don't like being part of an industry that is perpetually trying to sell the next new thing, don't build new things and try to sell them whilst pretending to be a research company.

You guys are supposed to be teaching people about security, not dragging it back into the 20th Century. No wonder "Firewall adoption is huge, and what most companies struggle with is with managing their rules and making sure they get the most out of their existing deployment" - when even the most stand-up, hands-on-hearts, honest to goodness pure security folks are trying to hawk them bloody firewall enablement software!

This is the most circular, hypocritical and ridiculous argument from a bunch of otherwise extremely clever and normally responsible people that I've read in a long time. And I've been reading PCI surveys.

On Gaming Security [Emergent Chaos]

Posted: 03 Jul 2008 05:21 PM CDT

Adam comments on Dave Maynor commenting on Blizzard selling authentication tokens.

Since I have the ability to comment here, I shall.

This isn't the case of a game having better security than most banks (as Maynor says). This is a game company leaping ahead of some banks, because they realize they have bank-like security issues.

It's been a year or so since I read on El Reg that on the black market, a credit card number sells for (as I remember) £5, but a WoW account sells for £7. I would look up the exact reference, but I'm not in the mood. Your search skills are likely as good as mine.

The exact reasons for this are a bit of a mystery, but there are some non-mysterious ones. There is a black market for WoW gold and (to a lesser extent) artifacts. That black market is shuddering because Blizzard has done a lot to crack down on it. (Blizzard's countermeasures are one main reason that the artifact market is low. Most artifacts become bound to one character when used, and so are not transferable and so are not salable.) Nonetheless, many WoW players have gold in their pockets that would sell for hundreds to thousands of dollars on this black market.

(If you think from this, that WoW can be a profitable hobby, think again. That many players have gold worth some real change says more about the time they have spent playing than anything else. If you live in a first-world country, you can earn far more flipping burgers than playing WoW. It is only if you are in a third-world country that WoW is a reasonable career choice.)

This means that by putting a keylogger on someone's system, you can steal a pretty penny from them and sell it on the black market. A not-insignificant number of WoW players have logged into their accounts to find their characters naked and penniless. However, there's an interesting twist on this. Blizzard can and does restore the lost gold and items.

Presumably, Blizzard has a transaction log and can rewind it. However, this is work for them and annoyance for the victim. Two-factor authentication will lower Blizzard's costs but fear of robbery is high enough among the players that they're snapping these things up and are willing to pay for them.

Bank customers rightly think that increased security is something that the bank should pay for. So in the banking world, the cost-benefit calculation of two-factor authentication is complex. In the gaming world, it's pretty straightforward. Since Blizzard can shift the cost of the device to the customer base, it's easier to justify.

Indian DoT vs. RIM’s Blackberries: Further Commentary [Infosecurity.US]

Posted: 03 Jul 2008 04:19 PM CDT

In kowtow to the will of the now nearly ubiquitous Blackberry, the Indian DoT has relented in their quest to force RIM into submission…. The Indian Department of Telecommunications doesn’t have a hope in hell of decrypting transmitted data over BIS pipes…predicated on the known level of expertise in such matters within their public sector information [...]

Happy 4th of July [BumpInTheWire.com]

Posted: 03 Jul 2008 04:14 PM CDT

Mr. Bump has been on hiatus this week. For good reason as well…after doing the BBQ contest last weekend I ended up with tonsillitis. I won’t get into the details on how I got it. There is a valid reason that Mrs. Bump has been treating me like an idiot the past few days. Let your imaginations run wild.

We did well in the BBQ contest. We finished 29th overall out of 187 teams and we get “a call” in brisket with a 4th place finish. Getting a call at a big contest like that is a pretty big deal so it was exciting for us to accomplish that. Unfortunately myself and the two other husbands of the “Three Angry Wives” missed the call. We figured we’d save some time and go pack about halfway through the awards ceremony because we figured we wouldn’t finish in the top 10 of any category. Boy were we wrong. Then the insanity continued after everyone got back and we were celebrating. A team member put our ribbon and prize money envelope in the truck of another team and they drove off with it. Luckily we hunted it down yesterday and took possession of it today.

Here is how we placed in each category:

36th in Chicken

52nd in Pork Ribs

142nd in Pork Butt

4th in Brisket

44th in Sausage

29th Overall

Not too shabby for our first competition ever.

Have a great holiday weekend!!

Misc Reading Related To Verizon Breach Report [Anton Chuvakin Blog - "Security Warrior"]

Posted: 03 Jul 2008 04:07 PM CDT

All sorts of fun stuff was unearthed, discussed and - sometimes - made up upon reading the Verizon Security Breach Investigations report. Here are some things from the pile which I found fun:

And of course, here is my favorite part: "In 82 percent of cases, our investigators noted that the victim possessed the ability to discover the breach had they been more diligent in monitoring and analyzing event-related information [AC - i.e. logs] available to them at the time of the incident." and this: "Furthermore, a crime scene devoid of any network and system logs, a key resource for computer forensics, is a disturbingly common occurrence."

What can I say? Back to battle stations for me - to fight the war of making logs more popular! :-)

CISSP Dies? [Anton Chuvakin Blog - "Security Warrior"]

Posted: 03 Jul 2008 04:01 PM CDT

Fun post on the sad fate of CISSP.

UPDATE: a LOT of fun discussion about this is here.

On Logs and Breach Disclosure Laws [Anton Chuvakin Blog - "Security Warrior"]

Posted: 03 Jul 2008 03:49 PM CDT

Check out my fun paper called "Where the truth is: Logs and breach-disclosure laws" at ComputerWorld. I personally find the premise that logs help with breach notification mandates to be a perfect no-brainer, but it looks like some people consider it to be deep insight.

And, let's leave it at that: deep insight it is :-)

Key point for the impatient bunch: "... logs are essential for compliance with breach-notification laws because you know who exactly to notify. Proper log-keeping will save massive amounts of money while complying with both the letter and the spirit of this law."

Microsoft: Security Bulletin Advance Notification for July 2008 [Infosecurity.US]

Posted: 03 Jul 2008 01:58 PM CDT

Microsoft (NasdaqGS: MSFT) has released the July 2008 Security Bulletin Advance Notification, in preparation for their Patch Tuesday event next week. The notification covers nearly all Microsoft operating systems and has a wide range of security implications as well. Issues range from spoofing to privilege escalation.

MindshaRE: Identifying Encryption Functions [DVLabs: Blogs]

Posted: 03 Jul 2008 01:30 PM CDT

Posted by Cody Pierce
Welcome back to another installment of MindshaRE.  This week we will cover identifying a common pattern seen in encryption and compression functions.  The purpose is to quickly identify locations of interest in a binary that may handle this type of activity.

MindshaRE is our weekly look at some simple reverse engineering tips and tricks.  The goal is to keep things small and discuss everyday aspects of reversing.  You can view previous entries by going through our blog history.

When analyzing a binary, looking for patterns can help you quickly identify what purpose a function may serve.  By doing this we can gain an insight into how the binary works.  There are plenty of patterns you can identify.  In this case we will be discussing functions that handle encryption or compression.

There are hundreds of instructions in Intel assembly language.  Most are never used.  In fact, running some heuristics shows that fewer than 100 are used (in most cases).  We can use this to our advantage when identifying encryption/compression routines.  These functions almost always do bit shifting and flipping.  Doing so requires the use of a few key instructions such as xor, shl, shr, and ror.

Obviously these instructions can be used for many things.  However, in encryption/compression functions they occur in an easily identifiable pattern.  Let's look at a sample from the Kraken bot.
    001AF08F   shl     eax, 4
    001AF092   add     eax, [ebp+var_8]
    001AF095   mov     edi, edx
    001AF097   shr     edi, 5
    001AF09A   add     edi, [ebp+var_C]
    001AF09D   xor     eax, edi
    001AF09F   lea     edi, [esi+edx]
    001AF0A2   xor     eax, edi
One of our hints is the xor.  The xor of two different registers is a tell-tale sign of encryption or compression.  If we can identify a few of these we might be able to automate the identification of such routines.

I have come up with a few metrics to do this.  I give each rule a weight.  My script runs through each function in a binary and calculates a score.  If a function scores high enough it prints out its location.  This has proved fairly effective at quickly identifying interesting functions.  Here are my rules.
  1. xor of different registers is weighted the highest
  2. shl, shr, ror, rol, and cdq are counted as well, all having a lower score than xor since they occur naturally
  3. If any of these instructions occur in a loop it increases the score
  4. If any of these instructions are in the same basic block it increases the score
I use this weighting system for lots of different purposes, but it seems to work best in the case of encryption and compression routines.  This is due to the xor.  As I stated, it's rare to see xor'ing of different registers, and in the case of a false positive it can be manually verified.
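As an added example (not Cody's script, which the post does not include), here is a Python scorer that applies the four rules above to an IDA-style listing of one function. The weights, the loop detection (a backward jump bounds a loop), the block boundaries (jump targets and the instruction after a branch), and the dec/jnz/retn lines wrapped around the Kraken fragment are all constructed for this example.

```python
import re

W_XOR_REGS, W_SHIFT, W_LOOP, W_SAME_BLOCK = 10, 2, 5, 3   # constructed weights; the post gives none
SHIFT_OPS = {"shl", "shr", "ror", "rol", "cdq"}
INSN_RE = re.compile(r"^\s*([0-9A-Fa-f]+)\s+(\w+)\s*(.*)$")          # 'addr  mnemonic  operands' lines
REG_RE = re.compile(r"^(e?[abcd]x|e?[sd]i|e?[bs]p|[abcd][lh])$")      # 32-bit x86 general registers
JUMP_RE, TGT_RE = re.compile(r"^(j\w+|loop\w*)$"), re.compile(r"(?:short\s+)?(?:loc_)?([0-9a-f]+)")

def parse(listing):  # '001AF08F   shl     eax, 4' -> (0x1AF08F, 'shl', ['eax', '4']); labels/blanks skipped
    rows = [m.groups() for m in map(INSN_RE.match, listing.splitlines()) if m]
    return [(int(a, 16), op.lower(), [o.strip().lower() for o in rest.split(",") if o.strip()]) for a, op, rest in rows]

def jump_target(mnem, ops):  # target of 'jnz loc_1AF08F' / 'jmp short 401000' as an int, else None
    m = JUMP_RE.match(mnem) and ops and TGT_RE.fullmatch(ops[0])
    return int(m.group(1), 16) if m else None

def score_function(listing):  # apply the four rules to one function's listing and return its score
    insns = parse(listing)
    jumps = [(jump_target(m, o), a) for a, m, o in insns if jump_target(m, o) is not None]
    loops = [(t, a) for t, a in jumps if t <= a]                    # a backward jump bounds a simple loop
    starts = {t for t, _ in jumps} | {insns[i + 1][0] for i, (a, m, o) in enumerate(insns[:-1])
                                       if jump_target(m, o) is not None or m.startswith("ret")}
    score = hits = 0                                                # hits = interesting insns in the current block
    for addr, mnem, ops in insns:
        if addr in starts:                                          # rule 4: close the block, bonus per extra hit
            score, hits = score + W_SAME_BLOCK * max(hits - 1, 0), 0
        w = 0
        if mnem == "xor" and len(ops) == 2 and ops[0] != ops[1] and all(map(REG_RE.match, ops)):
            w = W_XOR_REGS                                          # rule 1; 'xor eax, eax' zeroing is excluded
        elif mnem in SHIFT_OPS:
            w = W_SHIFT                                             # rule 2
        if w:
            w += W_LOOP if any(lo <= addr <= hi for lo, hi in loops) else 0   # rule 3
            score, hits = score + w, hits + 1
    return score + W_SAME_BLOCK * max(hits - 1, 0)

# Constructed sample: the Kraken fragment from the post, with dec/jnz/retn lines added here to form a loop.
KRAKEN_LOOP = """001AF08F   shl     eax, 4
001AF092   add     eax, [ebp+var_8]
001AF095   mov     edi, edx
001AF097   shr     edi, 5
001AF09A   add     edi, [ebp+var_C]
001AF09D   xor     eax, edi
001AF09F   lea     edi, [esi+edx]
001AF0A2   xor     eax, edi
001AF0A4   dec     ecx
001AF0A5   jnz     loc_1AF08F
001AF0A7   retn"""
# Constructed sample: a plain prologue whose 'xor eax, eax' is the zeroing idiom and must score nothing.
BORING = "00401000   push ebp\n00401001   mov ebp, esp\n00401003   xor eax, eax\n00401005   pop ebp\n00401006   retn"
```

With these weights the looped Kraken fragment scores 53, the bare eight-line fragment 33, and the prologue 0; in practice you would print every function above a threshold you tune on known-clean binaries.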

We are always looking for ways to better understand functions in a binary.  Using patterns is a good way to do this quickly.  Try putting this in a script and running it on various binaries.

-Cody

Want Real Homeland Security? [Emergent Chaos]

Posted: 03 Jul 2008 11:32 AM CDT

All around cool guy, and former provost of the University of Chicago, Geoffrey Stone (the Edward H. Levi Distinguished Service Professor at the University of Chicago Law School), proposed in a post earlier this week that "The next president should create a brand new position, which should become a permanent part of the Executive Branch in the future: a Civil Liberties Advisor".

Given past posts here, regular Emergent Chaos readers will hardly be surprised that I am a supporter of this proposal. While I encourage everyone to read the entire post, it's the closing paragraph that really sums why I think this is so important:

Of course, Civil Liberties Advisors may often lose the debate, or even be shunted aside. But sometimes they will win, and sometimes they will raise consciousness and help frame the discussion. Moreover, an administration without such a voice is much more likely to short-change civil liberties than one with such an advocate. The stakes for our nation are simply too high for us to continue to muddle along without someone in this critical position. Indeed, this idea might well give rise to a whole new meaning to the notion of Homeland Security.

And actually if you replace administration with corporation and civil liberties with customer privacy, you pretty much have the argument for why companies need (and have) privacy evangelists....

[Image is 'Real' Homeland Security by richdrogpa.]

On Banking Security [Emergent Chaos]

Posted: 03 Jul 2008 11:11 AM CDT

Dave Maynor comments:
Blizzard is going to sell a One Time Password device...Isn't it kind of funny when an online game has better security than most banks?
Blizzard Entertainment, Inc. today introduced an optional extra layer of security for World of Warcraft®, its award-winning massively multiplayer online role-playing game. Designed to attach to a keychain, the lightweight and waterproof Blizzard® Authenticator is an electronic device that generates a six-digit security code at the press of a button. This code is unique, valid only once, and active for a limited time; it must be provided along with the account name and password when signing in to the World of Warcraft account linked to it.
Damnit, Dave, I have nothing to add to that analysis!

Google’s Free Web Security Assessment Tool [Infosec Events]

Posted: 03 Jul 2008 09:49 AM CDT

Yesterday, Google released their open-source passive web application security assessment tool called ratproxy.

This utility, developed by our information security engineering team, is designed to transparently analyze legitimate, browser-driven interactions with a tested web property and automatically pinpoint, annotate, and prioritize potential flaws or areas of concern.

The proxy analyzes problems such as cross-site script inclusion threats, insufficient cross-site request forgery defenses, caching issues, cross-site scripting candidates, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and much more.

Based on the ratproxy documentation, it looks like the tool has several useful security checks. The current version is ratproxy 1.50, and you can download it on Google Code.

When did you last update your browser? [The InfoSec Blog]

Posted: 03 Jul 2008 07:57 AM CDT

http://www.theregister.co.uk/2008/07/03/browser_insecurity_survey/ I gather that flaws in browsers account for a lot of attacks, arising from malware and spyware that gets ’snuck in’ by various methods such as XSS. Let's be realistic, though; the browser isn’t the only avenue by which a user’s workstation can be infected - I’ll leave servers out of this for the moment. Updating [...]

Colour blind elephants [IT Security: The view from here]

Posted: 03 Jul 2008 07:42 AM CDT

I'm off to Chicago again at the weekend, 2 days in Dayton, Ohio and 2 days in Milwaukee, then back on the red-eye next Friday. I wasn't really looking forward to this traveling much, in fact I'm still not, I hate flying and I usually think that most trips to the US could be pretty easily replaced by a Webex, but that's another story entirely. I was treating it as a chance to meet some new people and see a bit of some new places, until I remembered that last time I came out to San Francisco I'd polled all my security contacts in advance to see who'd be there. I met up with quite a few, but one who I'd always wanted to hook up with was all the way out in Columbus... Ohio. See where this is going?

I quickly rattled off a mail to Alex Hutton on Tuesday, and by close of play yesterday we had not only arranged to meet up, but he's picking me up from the airport and depositing me at my hotel. I think that just about sums up what I love about the Security Bloggers Network, security people in general, and particularly Alex. From the very moment I started waffling in these pages about data, PCI, certificates, encryption and the like, I have had a warm reception and made some great friends. Yes, yes, I realise you're waiting for the reference in the title, and no, as far as I know, Alex is neither colour blind, nor an elephant.

At the same time as I was writing my mail to Alex to say thank you for his hospitality, another email landed in my inbox. A spam mail, which I usually ignore as they refer to me reclaiming my manhood or enlarging it somehow. This one I could not, the sender name held my attention for far longer than necessary, and the title I had to explore more.

Mr. Rottenberg Bonson has sent me a mail about "proboscidean tritanopia". Two words so obscure even my spellcheck questions them (but then it questions 'spellcheck' too.) I had to look them up, but on closer inspection this does of course refer to a subject close to my heart:

pro·bos·cid·i·an (prō'bə-sĭd'ē-ən) also pro·bos·ci·de·an (prō-bŏs'ĭ-dē'ən)
n.

A mammal of the order Proboscidea, such as the elephant or its extinct relatives, having a long trunk, large tusks, and a massive body.


tri·tan·o·pi·a (trī'tə-nō'pē-ə)
n.

A visual defect characterized by the inability to discern blue and yellow.

Yes, my interest in colour blind elephants has emerged, my fame is spreading. Rottenberg and I would now be firm friends, except the body of the mail then completely ignored my interest in dichromatic pachyderms and instead waffled on about Viagra. Boo. Sorry Mr. Bonson, if indeed that IS your real name, I won't be following you up on that one.

Here Be Dragons: Intro to Critical Thinking [Jon's Network]

Posted: 03 Jul 2008 02:28 AM CDT

Well worth the 40 minutes to watch this intro to critical thinking by Brian Dunning.

Here’s his recommended reading list from the end:

Apple’s iTunes U for K-12 Schools [Jon's Network]

Posted: 03 Jul 2008 01:45 AM CDT

Apple just launched K-12 on iTunes U(opens iTunes) that allows schools to use iTunes as a platform to distribute educational content. Not quite sure why a school would find this easier than just posting the stuff on the web, but I do know Apple would love to get all those students spending even more time in iTunes.

Firefox Auto-Update Leads the Pack [Jon's Network]

Posted: 03 Jul 2008 01:30 AM CDT

Some interesting new research out of ETH Zürich showed that Firefox’s Auto-Update mechanism works the best at keeping users updated with the latest and safest version compared to all other major browsers. The report, Understanding the web browser threat, used Google’s browser data from the last 18 months to figure out a lower bound on the amount of users that surf the internet using an outdated browser. It turns out that at least 45.2%, or 637 million users, were not using the most secure Web browser version on any working day from January 2007 to June 2008.

To improve this number, the paper suggests the following:

  • browser vendors follow Mozilla’s lead and implement an auto-update mechanism that checks for updates each time the browser is used
  • consumers implement URL filtering to reduce odds of visiting an infected website
  • implement a “best by” dating system for software similar to what consumers are familiar with when they shop for groceries. This is supposed to increase awareness of the risk of outdated browsers and motivate users to update.
  • someone implement an authentic, open repository of plugin version information that can be queried by vendors to make sure browser plugins are updated regularly

I don’t like the “best by” idea. A little red notice that states “145 days expired, 3 patches missed” isn’t much different from the existing software update schemes. Trying to raise awareness for the sake of awareness is futile. Outdated software alone doesn’t cause loss and discomfort like spoiled produce does so consumers won’t be motivated to pay attention to the “best by” date.
