Thursday, July 10, 2008

Spliced feed for Security Bloggers Network

Senate Approves Wider Wiretap Powers Bill [Liquidmatrix Security Digest]

Posted: 10 Jul 2008 08:00 AM CDT

This is just sad.

From The New York Times:

The measure, approved by a vote of 69 to 28, is the biggest revamping of federal surveillance law in 30 years. It includes a divisive element that Mr. Bush had deemed essential: legal immunity for the phone companies that cooperated in the National Security Agency wiretapping program he approved after the Sept. 11 attacks.

The vote came two and a half years after public disclosure of the wiretapping program set off a fierce national debate over the balance between protecting the country from another terrorist strike and ensuring civil liberties. The final outcome in Congress, which opponents of the surveillance measure had conceded for weeks, seemed almost anticlimactic in contrast.

So, the ISPs get their immunity.

Talk amongst yourselves.

Article Link

What's behind online banking guarantees? [spylogic.net]

Posted: 10 Jul 2008 05:00 AM CDT

100% Guarantee!

Wow...I'm really on this banking kick as of late...

So I was watching TV tonight and saw a commercial for WaMu (Washington Mutual Bank) advertising their "Online Banking Guarantee". What I found interesting was the whole scenario that played out in the commercial...

Woman: "Hey, I'm using WaMu Online Banking..."
Man: "Online Banking?? That's not safe!!"
Woman: "It's safe...I have WaMu's Online Banking Guarantee!"
Man: "Oh...cool."

(Note: this wasn't word for word but pretty close...you get the idea.)

As a security professional I find it disturbing that you would "guarantee" something (like online banking) is safe and secure without a ton of terms and conditions (I'll get to this in a minute). We all know that nothing is 100% secure. Sure, online banking in general is safe to use...we all know banks are regulated to provide customer safeguards...etc...So how does WaMu pull this off? Here's the deal:

"For any fraudulent or unauthorized transaction that has been initiated during an online banking session at wamu.com, WaMu will provide 100% reimbursement of the transaction amount plus any related account charges imposed by WaMu or lost account interest resulting from such transaction."

Sounds good right? Here is the kicker...you as the customer have responsibilities which if you don't live up to, you get no guarantee...check these out:

"You have protected your password by creating one that would be hard for others to guess and do not write down or share your password with anyone."

Customer: Hard to guess password? So my dog's name isn't hard to guess?

"If you suspect a fraudulent or unauthorized transaction has occurred, you must contact WaMu within 60 days..."

Customer: I'm on it...I never, ever procrastinate about anything!

"If you knowingly share your username and/or password information with others, we will consider any direct or indirect transaction initiated online by this person as an authorized transaction."

Customer: My wife knows my username/password, does that count? Damn...I'm getting a ton of these pop-ups on my PC...weird.

and...buried deep in the Online Services Agreement & Disclosure:

"You are responsible for the installation, maintenance, and operation of the Computer and browser software. The risk of error, failure, or non-performance is your risk and includes the risk that you do not operate the Computer or software properly. The Bank is not responsible for any errors or failures from any malfunction of the Computer or the software nor is it responsible for any electronic virus, viruses, worms, or similar software that you may encounter. The Bank has no liability to you for any damage or other loss, direct or consequential, which you may suffer or incur by reason of your use of the Computer or the software."

Thus...no guarantee (unless they get hacked via online banking, and we know that could never happen). Enjoy your online banking guarantee.

South Florida ISSA Hack the Flag and Chili Cook Off [StillSecure, After All These Years]

Posted: 09 Jul 2008 11:16 PM CDT

As part of doing my thing with StillSecure I get a chance to visit and speak at lots of ISSA chapters throughout the US. But in a case of there is no place like home, my favorite chapter is my home chapter, the South Florida ISSA. Jeff Dell, Pete Nicolletti, Tim Krabec and the rest of the gang do a great job of making ISSA fun and interesting for those of us down here. My only regret is that I am too often out of town for our monthly meetings and I don't get a chance to attend as much as I would like. Anyway, one of the highlights of the year for our ISSA chapter is the hack the flag and chili cook off. You should be able to click and download the PDF with all of the details. If not visit the SFISSA chapter page here.

Dan Kaminsky Disqualified from Most Overhyped Bug Pwnie [...And you will know me by the trail of bits]

Posted: 09 Jul 2008 11:03 PM CDT


I can be pretty skeptical and cynical at times (part of what drives my interest in security) and I am especially skeptical of massively hyped vulnerabilities. If anything, I tend to underhype what I do and let others hype it for me if they think that it warrants more attention.

With all of the hype around Dan Kaminsky’s DNS vulnerability, I naturally doubted that all of the hype was warranted. I was flattered, however, when Rich Mogull called me and invited me onto a conference call with Dan Kaminsky and the other Doubting Thomas (Ptacek, that is). Dan explained the full details and scope of his attack and both of us were impressed and agreed that it is way more serious than we had imagined. Yes, I am being light on the specifics here because I was sworn to secrecy and if I were to break it, Dan would cause my nameservers to rickroll me until the end of time.

In summary, when the full details of Dan’s attack come out, you will most likely be impressed.  I definitely was.

It’s About Time [BumpInTheWire.com]

Posted: 09 Jul 2008 10:37 PM CDT

I’ve decided after much reluctance to hone my Exchange skills and actually learn Exchange 2007.  I’ve been reading “Mastering Exchange Server 2007” by Sybex to get myself up to date with what’s new and different from Exchange 2003.  So far this afternoon I got about halfway through Chapter 1 which really is not very far but I did read the part about the new features.

We’ve been talking recently around the office about “What the hell took you so long to do it that way” type things. Like the peel back top on a bag of Oreos that are out now. What in the hell took so long to figure that out? Or putting the console connection for a Cisco router on the front of the router instead of on the back. What the hell took so long to figure that design out? Some of these new features of Exchange 2007 fall into that “What the hell” category. Some of the new features of Exchange 2007 that caught my eye were:

  • Message classification - message transport rules can take action based on sender, recipient, content, etc, etc
  • Smaller transaction logs - tlogs decrease from 5120 KB to 1024 KB
  • Out of Office Assistant improvements - the ability to schedule when to turn it off and on
  • Autodiscover - users can put their name and email address in their Outlook profile and it will configure the correct Exchange server automatically
  • Edge Transport Services - spam filtering, virus scanning, recipient filtering, real time IP blocking, etc, etc

 

So there you have it.  I think a couple of those are key improvements…particularly the Out of Office Assistant scheduling and the Autodiscover for Outlook profile creation.  I’m late to the table with Exchange 2007 but better late than never is what I say!!

OWASP - VA Local Chapter Infosec Meetup Event - Thursday, 7-10: Secure Development Processes & Protecting Web Apps and Databases [NovaInfosecPortal.com]

Posted: 09 Jul 2008 10:27 PM CDT

Here is some information regarding this week’s Thursday OWASP - VA Local Chapter infosec meetup event. Pizza will be provided for a small fee. If you plan on attending, RSVP to Stan Wisseman (email available in their post - linked below) so they can get your badge processing started.

Want to learn about voice biometrics? VoiceVerified to be interviewed tomorrow (July 10, 2008) [Voice of VOIPSA]

Posted: 09 Jul 2008 08:52 PM CDT

Are you interested in using voice for authentication, also known as voice biometrics? Would you like to know how far voice biometrics has come from that 1992 film “Sneakers” with “My voice is my password”?

If you are free tomorrow, July 10, 2008, at 11am US Eastern time you can join in a conference call/podcast where I’ll be interviewing David Standig with VoiceVerified.com about voice biometrics in general and VoiceVerified’s specific offering. If you can’t join us at 11am, the interview will be available as a “Squawk Box” podcast later in the day.

The deal is that Alec Saunders, the regular host/producer of the daily Squawk Box podcast is away on vacation and I’ve been guest-hosting this week in his absence. The daily shows have been about a range of topics (today was a great one about P2PSIP) and tomorrow’s show actually gets into VoIP security in terms of voice verification/biometrics.

If you would like to join into the show, there are two ways you can do so:

In either case, you’ll get access to the telephone number you need to call and, during the call, will also have access to the live chat session that is used.

If you aren’t able to attend (or don’t want to use the app), you can listen to the show after I post it on Alec’s Saunderslog.com sometime later tomorrow, probably in the evening.

Also, if you are interested in being on Alec’s Squawk Box show, my guest hosting is done tomorrow but drop me a note and I’ll be glad to suggest your name to Alec after he returns. I frequently participate and they’ve been enjoyable shows to be a part of.

P.S. In the interest of full transparency and disclosure, I should note that VoiceVerified is actually a business partner of my employer, Voxeo, as I outlined in a blog post. That fact, however, did not influence my decision to bring them on the show - I was just looking for interesting companies to interview and they were one that caught my eye.


DNS Vulnerability Survives Scrutiny of Peer Review [Zero in a bit]

Posted: 09 Jul 2008 08:30 PM CDT

The security community is cynical. So much so, that most of the chatter that’s taken place over the past 24-36 hours has suggested that Kaminsky’s DNS vulnerability was little more than a publicity stunt and that his BlackHat presentation would be an over-hyped rehash of prior art. Granted, one has to suspend disbelief to even consider that something monumental would be discovered in DNS — that’s the protocol itself — but hell, it’s always nice to give a guy the benefit of the doubt.

Faced with nearly a month of criticism and questioning, and understanding the persuasive power of a technical peer review, Dan decided to expand the inner circle, so to speak. Rich Mogull arranged a phone call with Tom Ptacek and Dino Dai Zovi so that Dan could spill the beans and let them decide for themselves whether it was spin or substance. Turns out there was substance.

Now we sit around and wait until August 6th to cram into a ballroom with a thousand sweaty conference-goers to hear the juicy details. And Dan’s presentations are usually packed to the brim even when he’s not announcing anything.

In the meantime… how about patching those servers?

More On The DNS Vulnerability [securosis.com]

Posted: 09 Jul 2008 07:13 PM CDT

Okay- it’s been a crazy 36 hours since Dan Kaminsky released his information on the massive multivendor patch and DNS issue. I want to give a little background on how I’ve been involved (for full disclosure) as well as some additional aspects of this. If you hate long stories, the short version is he just walked me through the details, this is a very big deal, and you need to patch immediately.

Dan contacted me about a week or so ago to help get the word out to the CIO-level audience. As an analyst, that’s a group I have more access to. I was involved with the initial press conference and analyst briefings, and helped write the executive overview to put the issue in non-geek terms.

At the time he just gave me the information that was later made public. I’ve known Dan for a few years now and trust him, so I didn’t push as deeply as I would with someone I don’t have that relationship with. Thus, as the comments and other blogs dropped into a maelstrom of discontent, I didn’t have anything significant to add.

Dan realized he underestimated the response of the security community and decided to let me, Ptacek, Dino, and someone else I won’t mention into the fold.

Here’s the deal- Dan has the goods. More goods than I expected. Dino and Ptacek agree. Tom just issued a public retraction/apology. This is absolutely one of the most exceptional research projects I’ve seen. Dan’s reputation will emerge more than intact, although he will still have some black eyes for not disclosing until Black Hat.

Here’s what you need to know:

  1. You must patch your name servers as soon as possible. This is real, it’s probably not what you’re thinking. It’s a really good exploit (which is bad news for us).
  2. Ignore the “Important” rating from Microsoft, and other non-critical ratings. You have to keep in mind that for many of those organizations nothing short of remote code execution without authentication will result in a critical rating. That’s how the systems are built.
  3. Dan screwed up some of his handling of this, and I’m part of that screwup since I set my cynical analyst hat aside and ran totally on trust and reputation. Now that I know more, I stand behind my reaction and statements, but that’s a bad habit for me to get into.
  4. This still isn’t the end of the world, but it’s serious enough you should break your patch cycle (if you have one) on name servers to get them fixed. Then start rolling out to the rest of your infrastructure.
  5. CERT is updating their advisory on an ongoing basis. It’s located here.

Next time something like this happens I’ll push for full details sooner, but Dan is justified in limiting exposure of this. His Black Hat talk will absolutely rock this year.

Dark Reading Column: Attack Of The Consumers (And Those Pesky iPhones) [securosis.com]

Posted: 09 Jul 2008 05:44 PM CDT

I have a sneaking suspicion my hosting provider secretly hates me after getting Slashdotted twice this week. But I don’t care, because in less than 48 hours it’s iPhone Day!!!

Okay, so I already have one and all the new one adds is a little more speed, and a GPS that probably isn’t good enough for what I need. But I use the friggen thing so darn much I can definitely use that speed.

It’s been up for a few days, but with everything else going on I’m just now getting back to my latest Dark Reading column. This month I take a look at what may be one of the most disruptive trends in enterprise technology- the consumerization of IT. Here’s an excerpt:

That’s the essence of the consumerization of IT. Be it laptops, cellphones, or Web services, we’re watching the walls crumble between business and consumer technology. IT expands from the workplace and permeates our entire lives. From home broadband and remote access, to cellphones, connected cars, TiVos, and game consoles with Web browsers. Employees are starting to adapt technology to their own individual work styles to increase personal productivity. The more valued the knowledge worker, the more likely they are to personalize their technology – work provided or not. Some companies are already reporting difficulties in getting highly qualified knowledge workers and locking them into strict IT environments. No, it’s not like the call center will be running off their own laptops, but they’ll probably be browsing the Web, sending IMs, and updating their blogs off their phones as they sit in front of their terminals.

This is far from the end of the world. While we need to change some of our approaches, we’re gaining technology tools and experience in running looser environments without increasing our risk. There are strategies we can adopt to loosen the environment, without increasing risks:

Security Catalyst Community: Discussion Forum Activity (9 July 2008) [The Security Catalyst]

Posted: 09 Jul 2008 02:23 PM CDT

Join in the Discussion!

Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share). If you have not yet registered, please remember to use firstname.lastname as the standard.

Ouch [Matt Flynn's Identity Management Blog]

Posted: 09 Jul 2008 01:26 PM CDT

Dave Kearns calls my argument smoke and mirrors and labels it FUD. His argument is that the Global 2000 have more users and are therefore more important? Should their needs drive solutions for the mid-market?

Dave, I don't think the number of users is even relevant. What is relevant is the experience of those customer organizations and how they can meet their requirements. The number of infrastructures is more relevant than the number of end users in this discussion. I don't think a huge amount of them have a need or desire for multiple user directories. They seem to run off of AD and seem to prefer to have apps leverage AD instead of figuring out how to use a virtual directory (or metadirectory for that matter). Where is the FUD in that? Where is the smoke? What would be my motive to raise smoke and mirrors?

The discussion of how Oracle should build a product is very different than whether customers should consider metadirectory as an alternative. I think they should. I think there are still plenty of environments that could benefit from that approach. But I conceded Clayton's point -- if Oracle wants to build a virtual directory into its suite to enable flexibility for customers, that's great. I just don't think a virtual directory is the answer to everything (and I spent a lot of time discussing the various use-cases that cry for one).

I would just hate to have people shy away from a good technology because some people say it's no good anymore. That doesn't make sense.

Ultimately, we might agree. Dave's conclusion is one that I've echoed over and over:

The need for, and uses of, virtual directories is growing and is still a few years away from peaking.

Let's just not declare something dead because it no longer seems cool to the in-crowd. It's OK to take a pragmatic approach to whatever challenge your organization is facing. That's my point.

No, I Don’t Know the Answer to the Big DNS Secret [Zero in a bit]

Posted: 09 Jul 2008 10:26 AM CDT

Rich Mogull’s executive overview of Dan Kaminsky’s latest DNS vulnerability fluffed a few feathers yesterday:

The good news is that due to the nature of this problem, it is extremely difficult to determine the vulnerability merely by analyzing the patches; a common technique malicious individuals use to figure out security weaknesses.

The typical response I heard was “what do you mean, it can’t be reverse engineered? I’ll just look at the diffs!”

In hindsight, after examining the BIND diffs (yes, I did it too) and discussing with colleagues, all most people saw was UDP source port randomization and a better PRNG for generating the transaction ID, the latter of which would appear to be related to Amit Klein’s cache poisoning attack from about a year ago.

What Rich was really saying is that you can reverse engineer the patch until you’re blue in the face, but that won’t reveal the specifics of the vulnerability.

Dan’s blog post this morning appeared to confirm that interpretation:

DJB was right. All those years ago, Dan J. Bernstein was right: Source Port Randomization should be standard on every name server in production use.

There is a fantastic quote that guides a lot of the work I do: Luck is the residue of design. Dan Bernstein is a notably lucky programmer, and that's no accident. The professor lives and breathes systems engineering in a way that my hackish code aspires to one day experience. DJB got "lucky" here — he ended up defending himself against an attack he almost certainly never encountered.

Such is the mark of excellent design. Excellent design protects you against things you don't have any information about. And so we are deploying this excellent design to provide no information.

To translate the fix strategy into a more familiar domain, imagine large chunks of Windows RPC went from Anonymous to Authenticated User only, or even all the way to Admin Only. Or wait, just remember Windows XPSP2 :) This is a sledgehammer, by design. It cuts off attack surface, without necessarily saying why. Astonishingly subtle bugs can be easily hidden, or even rendered irrelevant, by a suitably blunt fix.

Nate McFeters appears to think that Tom Ptacek has figured it out. I’m going to go out on a limb and say that Tom didn’t figure anything out yet but still wanted to write a pithy blog post. I think that if Tom had figured it out, he would have written it down privately and posted the SHA-1 hash, as is the trendy thing to do these days.

Speculation aside, the title of Tom’s blog entry, Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!, does make an important point — Dan didn’t sell the details to ZDI, he used his influence and reputation to coordinate a massive vendor patch effort. That’s an admirable move.
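The two patch ingredients named above, UDP source port randomization and a stronger transaction-ID PRNG, both work by enlarging the space an off-path attacker has to guess blindly, and by forcing every field to match before a reply is used. The following is an added example, not code from the original post or from Dan Kaminsky's work, and it models only that guessing space; the undisclosed bug itself is not on this page and is not reconstructed here. The port range (64512 usable ephemeral ports), the fixed port 53000, the `Resolver` class and the `demo()` helper are assumptions made for illustration.

```python
# Added example: how much harder blind reply spoofing gets when the
# resolver randomizes its UDP source port in addition to the 16-bit
# transaction ID. Constructed for illustration; not the patched code.
import math
import random

TXID_SPACE = 1 << 16        # the DNS transaction ID is a 16-bit field
EPHEMERAL_PORTS = 64512     # assumed: ports 1024-65535 usable; real resolvers vary


def guess_space(randomize_port: bool, ports: int = EPHEMERAL_PORTS) -> int:
    """Distinct (transaction ID, source port) pairs an off-path spoofer must
    cover. With a fixed source port only the 16-bit ID is unknown to them."""
    return TXID_SPACE * (ports if randomize_port else 1)


def p_hit(space: int, forged: int) -> float:
    """Probability that at least one of `forged` independent uniform guesses
    matches the single live pair of an in-flight query (with replacement)."""
    return 1.0 - (1.0 - 1.0 / space) ** forged


def forgeries_for(space: int, target_p: float) -> int:
    """Forged replies needed in one query window to reach success probability
    target_p; the inverse of p_hit."""
    return math.ceil(math.log(1.0 - target_p) / math.log(1.0 - 1.0 / space))


def simulate(space: int, forged: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of p_hit: each trial draws the resolver's live pair and
    `forged` attacker guesses, and counts the trial as a hit if any guess matches."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        live = rng.randrange(space)
        if any(rng.randrange(space) == live for _ in range(forged)):
            hits += 1
    return hits / trials


class Resolver:
    """Outstanding-query table showing the acceptance rule the patch tightens:
    a reply counts only if the ID *and* the port it arrives on *and* the
    question match a query this resolver actually sent, and only once."""

    def __init__(self, randomize_port: bool, rng: random.Random):
        self.randomize_port = randomize_port
        self.rng = rng
        self.outstanding = {}   # (source port, txid) -> question name

    def send_query(self, name: str) -> tuple:
        # Assumed fixed port 53000 models the pre-patch single-port behaviour.
        port = self.rng.randrange(1024, 65536) if self.randomize_port else 53000
        txid = self.rng.randrange(TXID_SPACE)
        self.outstanding[(port, txid)] = name
        return port, txid

    def accept_reply(self, port: int, txid: int, name: str) -> bool:
        if self.outstanding.get((port, txid)) != name:
            return False                     # wrong ID, wrong port or wrong question
        del self.outstanding[(port, txid)]   # first matching reply wins; no replay
        return True


def demo() -> dict:
    """Compare the fixed-port and randomized-port guessing spaces and exercise
    the acceptance rule; returns the figures instead of printing them."""
    fixed, randomized = guess_space(False), guess_space(True)
    r = Resolver(randomize_port=True, rng=random.Random(7))
    port, txid = r.send_query("example.com")
    return {
        "fixed_space": fixed,
        "randomized_space": randomized,
        "factor": randomized // fixed,
        "p_1000_fixed": p_hit(fixed, 1000),
        "p_1000_randomized": p_hit(randomized, 1000),
        "sim_1000_fixed": simulate(fixed, 1000, trials=1000),
        "half_chance_fixed": forgeries_for(fixed, 0.5),
        "wrong_txid": r.accept_reply(port, txid ^ 1, "example.com"),
        "wrong_name": r.accept_reply(port, txid, "other.example"),
        "right": r.accept_reply(port, txid, "example.com"),
        "replay": r.accept_reply(port, txid, "example.com"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With one fixed source port, a thousand forged replies aimed at a single outstanding query succeed roughly 1.5% of the time; with the port randomized over the assumed range the same thousand forgeries succeed on the order of one in four million. That is the "sledgehammer" Dan describes: the attacker's odds drop by a factor of the port range without the patch saying anything about which query pattern is being attacked. The caveat a practitioner should carry away is that randomization only raises the cost, it does not remove the guess, so a NAT or firewall that rewrites source ports back into a small range silently undoes it.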

July 2008 SRT: Battling Botnets with Botnets [Network Security Blog]

Posted: 09 Jul 2008 10:02 AM CDT

Michael Santarcangelo has posted this month’s Security Roundtable, Battling Botnets with Botnets. We had a lot of fun recording this episode, even though we barely talked about the main subject at all. I took away a lot to think about, especially the law of unintended consequences: there’s what you meant it to do, what it does, and what effects a system has on other systems around it. Phalanx is a great example of that.

This is a long one, by the way. That always seems to happen when Michael and I get together to talk.

Master dissertation test [Security Balance]

Posted: 09 Jul 2008 09:59 AM CDT

I’m trying to finish my Master dissertation in the next months. In order to do that I need to test the log analysis methodology I’m proposing. The methodology is targeted at detecting insider attacks, so I need to collect logs from internal resources, which include AD domain controllers, internal e-mail systems, file and folder access audit logs, firewalls and other network devices, http servers, applications, and everything else that can produce logs and indicate internal users’ behavior. I would need to collect one week of logs for the tuning phase and after that one week of logs that will include some “simulated attacks”. If there is anybody out there that can help me by providing those logs (everything will be anonymized, of course), please drop me an e-mail at augusto (at) securitybalance.com.

Thanks!

The July Security Rountable is available: Battling Botnets with Botnets [The Security Catalyst]

Posted: 09 Jul 2008 09:51 AM CDT

Complete details are available here: http://www.securityroundtable.com/2008/07/security-roundtable-for-july-2008-battling-botnets-with-botnets/

The discussion ran a bit longer than we allotted, yet even on our review listen it proved worth every minute. We raised some interesting questions and look forward to sharing the conversation with you. This is only the beginning and we invite you to share your ideas, insights and feedback in the Security Catalyst Community.

Thanks to the panel:

Joining the conversation in the Security Catalyst Community

Share your ideas in the Security Catalyst Community. Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share). If you have not yet registered, please remember to use firstname.lastname as the standard.

If you want to talk to me your caller ID should not come up unknown [StillSecure, After All These Years]

Posted: 09 Jul 2008 09:46 AM CDT

Much has been written lately about annoying sales tactics and how many in the security field try to duck vendor calls.  Believe it or not, I get my share of annoying sales calls as well.  Whether it is the great conference that is being organized with all of the CIOs that I would ever want to speak to or the latest, greatest new product that is going to make my life easier and define the road to riches, I am swamped with spam telephone calls (on my cell phone no less) every day. 

One thing that I have come to see is that many of these unsolicited calls come in with an unknown caller ID. I don't mean no name for the entity, but no number either. Most of these people don't leave a voice mail either, they just keep calling until they get an answer. My view is that if the caller has to go to the effort of hiding their name and number, then they have something to hide and are not being upfront. I don't want to do business with anyone like that. I think this just puts two strikes against anyone calling. Why are you hiding who you are? Are you ashamed of what you are doing?

So here is my Shimel rule on sales calls. If your caller ID does not identify you, then I don't want to talk to you!

This is not the vulnerability you’re looking for [Network Security Blog]

Posted: 09 Jul 2008 09:31 AM CDT

Marcus Sachs over at the Internet Storm Center suggests that a vulnerability in the Windows XP DNS resolver found 3 years ago is the same vulnerability Dan Kaminsky found and multiple companies patched yesterday. While it might be related, it’s not the same thing. First of all, Dan’s vulnerability isn’t just in resolvers, it affects any system using DNS, either as a resolver or as a name server. Second, this outlines a Man in the Middle Attack and Dan specifically stated that his vulnerability is a remotely executable attack, meaning there doesn’t need to be a MITM.

As an interesting side note, Thomas Ptacek points out that Dan could have made a lot of money by selling this to Tipping Point or someone else. He didn’t and he put his reputation on the line to organize the vendors to patch this issue in a coordinated manner. Kudos to Dan and his team for taking the high road. Now we just have to wait until Black Hat to find out the real details of the vulnerability. I bet that’ll be a crowded talk.

.mac phishing? Say it ain't so [Random Thoughts from Joel's World]

Posted: 09 Jul 2008 09:23 AM CDT


Check this guy out!  Phishing attempt specifically targeted at mac.com users.  Be aware for this one!  

When Security Tools Go Bad [un-excogitate.org]

Posted: 09 Jul 2008 09:19 AM CDT

Noticed on milw0rm today PoC buffer overflows for both OllyDBG and ImpREC. This reminded me of a post I wrote last year about some vulnerabilities that were discovered in EnCase and the Sleuth Kit. These sorts of issues do get me thinking about how much, and how effectively, we verify the validity of the security tools we use.

At a forensic acquisition training course I attended recently, one of the items discussed was assuring and validating that the tools you use do not compromise the information you are acquiring. This is particularly important for chain of custody and tamper-proofing. You don’t want to use a particular piece of software, which claims to access a storage media without making any changes to it, only to discover that it has made minute changes. Or that a hardware device designed to prevent data being written to a hard-drive actually makes small changes to the drive itself.

This same principle applies to tools used for malware reverse engineering or software validation. You don’t want to find that the tools you’re using to try and determine if software is malicious are exploitable by DLLs able to run foreign executables. If you aren’t careful with your testing environments, you may unexpectedly expose them to malware (in the bad way, not in the way that is controlled). This isn’t much of a problem if you run your reverse engineering tools in a virtualised environment, but if you don’t then you might find that you’ll have to spend some time rolling back or re-installing everything.

Being pragmatic of course, I don’t think anyone would expect you to be able to find the sorts of vulnerabilities as were found in this PoC. But sure, you’ll have to show some degree of rigour in validating your tools. Most of the time it will be sufficient to check for any current or previous vulnerabilities on security sites such as securityfocus, sans, securitytracker or milw0rm. Perhaps rigour also means that you maintain an up-to-date tools list, including your licensing and version information. Perhaps you utilise Secunia’s software to ensure that all software is current.

I’m unsure how other people perform this process, or even if it’s necessary. Perhaps it’s only necessary in the forensic space. I’m not entirely sure. I’ve posted the question on the Security Catalyst Community so hopefully I’ll find out what other people think.
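Two of the checks the post describes are mechanical enough to script: hashing evidence before and after a tool touches it to prove the tool really is read-only, and keeping a tools list with versions and digests so that a replaced binary or a version named in an advisory stands out. The following is an added example, not code from the original post or from any of the products it names. The evidence image, the two "acquisition tools", the tool named `debugger` and the advisory mapping are all constructed for the demonstration; a real inventory would be filled from the advisory sources the post lists.

```python
# Added example: validating that a tool leaves evidence untouched, and keeping
# a hashed tool inventory. Every tool, file and "advisory" here is constructed.
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_tool_is_readonly(evidence: Path, tool) -> dict:
    """Hash the evidence, run the tool against it, hash again. A changed
    digest means the tool wrote to media it claimed only to read."""
    before = sha256_file(evidence)
    tool(evidence)
    after = sha256_file(evidence)
    return {"unchanged": before == after, "before": before, "after": after}


# Two constructed acquisition "tools" to exercise the check.
def good_acquire(evidence: Path) -> bytes:
    """Reads the media and returns its contents; leaves no trace."""
    return evidence.read_bytes()


def buggy_acquire(evidence: Path) -> bytes:
    """Opens read/write and stamps a marker at offset 0: the kind of 'minute
    change' the post warns about, which must fail validation."""
    with open(evidence, "r+b") as f:
        f.write(b"ACQ")
    return evidence.read_bytes()


class ToolInventory:
    """Records name, version and digest of each tool binary so that both a
    replaced binary and a version named in an advisory can be detected later."""

    def __init__(self):
        self.entries = {}

    def record(self, name: str, version: str, binary: Path) -> None:
        self.entries[name] = {"version": version, "path": str(binary),
                              "sha256": sha256_file(binary)}

    def tampered(self) -> list:
        """Names whose on-disk digest no longer matches the recorded one."""
        return [n for n, e in self.entries.items()
                if sha256_file(Path(e["path"])) != e["sha256"]]

    def vulnerable(self, advisories: dict) -> list:
        """advisories maps tool name -> set of affected version strings."""
        return [n for n, e in self.entries.items()
                if e["version"] in advisories.get(n, set())]


def demo() -> dict:
    """Run both checks against constructed files; returns the outcomes."""
    tmp = Path(tempfile.mkdtemp())
    evidence = tmp / "disk.img"
    evidence.write_bytes(bytes(range(256)) * 16)        # constructed evidence image
    good = verify_tool_is_readonly(evidence, good_acquire)["unchanged"]
    bad = verify_tool_is_readonly(evidence, buggy_acquire)["unchanged"]

    inv = ToolInventory()
    dbg = tmp / "debugger.bin"
    dbg.write_bytes(b"\x7fELF constructed debugger build")   # stand-in binary
    inv.record("debugger", "1.0", dbg)
    tampered_before = inv.tampered()
    dbg.write_bytes(b"\x7fELF silently replaced build")      # simulate replacement
    tampered_after = inv.tampered()
    vulnerable = inv.vulnerable({"debugger": {"1.0"}})        # constructed advisory
    return {"good_tool_readonly": good, "buggy_tool_readonly": bad,
            "tampered_before": tampered_before, "tampered_after": tampered_after,
            "vulnerable": vulnerable}


if __name__ == "__main__":
    print(demo())
```

The before/after hash is the same check you would run to validate a hardware write-blocker, with the tool call replaced by an acquisition through the blocker; the inventory side is deliberately dumb, because the hard part is keeping the advisory mapping current, not comparing strings.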

Taming of the Information Security [Musings on Information Security]

Posted: 09 Jul 2008 08:33 AM CDT

In many mid-size to large organizations, information security grows up to become an unmanageable complex beast.  In some cases, this happens consciously where information security goes out of control, but in other cases this happens unconsciously where there is a slow but incremental increase in the complexity of information security which leads to chaos.

 

The information security field is not yet fully mature; there is a lack of a cohesive, interoperable framework. The rapidly evolving landscape adds to the existing problem. There are several examples: the Intrusion Detection System (IDS) was quickly overtaken by the Intrusion Prevention System (IPS). In the firewall arena, the focus has moved from perimeter security to end point security. There are some security visionaries who are preaching an inside-out security approach, i.e. building products with information security in mind from the beginning.

 

Threats are moving higher up in the OSI stack, making them harder to detect. Hackers are becoming more sophisticated; there are powerful free open source hacking tools at their disposal. Security managers driving security initiatives without coordination can result in pieces of a puzzle that don't fit well. The agency problem, i.e. security managers thinking more about their personal advancement than about the security of the company, is bad for the company's security initiative. Security leaders who do not have a clear vision of security at the component level, the administration level and the strategy level can only make information security even more convoluted. The CISO and acting CIO of the US Dept. of Veterans Affairs resigned after the breach in May 2006 where personal data of 26 million veterans and more than 2 million service members was stolen. This clearly demonstrates the accountability and visibility of security leadership.

 

The attitude of IT security leaders and security team members has a significant impact on security.  Reckless buying of information security technology can result in wasteful expenditure and very little gain in efficiency. Not understanding the business perspective of security issues or security perspective of business issues can lead to poor security decisions. Using security as a mechanism to gain control rather than using it as a tool to reduce risk can only diminish the perceived value of security initiative. Implementing security as an afterthought rather than building it into the framework not only result in poor architectural decision. Security investment is more like buying insurance. Thinking security as a vehicle providing an ROI can result in wrong expectation and lead poor decision. The business in which a company operates contributes largely to the perceived importance to security. Financial institutions usually have a higher bar on security because of the very nature of their business and their exposure legal liability. It is a good idea for many technology companies to emulate financial institutions to raise their information security bar.

 

It could be a pipedream to accomplish complete  information security but accomplishing a well managed information security program is an attainable possibility.

 

The Microsoft Bloggers Network [StillSecure, After All These Years]

Posted: 09 Jul 2008 08:17 AM CDT

My podcast co-host and friend Mitchell Ashley started a bloggers network for people who write about anything Microsoft. It is not just security related, but anything to do with Microsoft. If you do, the Microsoft Bloggers Network If you would like to join the network, you need to send Mitchell an email here. I am joining today.

Security Briefing: July 9th [Liquidmatrix Security Digest]

Posted: 09 Jul 2008 08:03 AM CDT


The little one screamed in my ear so much last evening that I have a constant ringing this morning. Not so much fun. Unless you missed it yesterday there is a major DNS patch roll out that you should be aware of.

And now, the news…

  1. Beijing scales back RFID ticket plans | Channel Register
  2. DMV puts Coloradans at risk of ID theft | Denver Post
  3. Gmail Rolls Out Remote Security Features | PC World
  4. Apple hasn't learned from past security mistakes | ZDNet
  5. Palestinian hackers breach Likud Web site | Jerusalem Post
  6. Cybercrime research centre nets $350,000 grant from B.C. gov’t | The Province
  7. Florida health agency corrects security flaw | Jacksonville Business Journal
  8. African smuggling rings possible US terror threat | Associated Press


Bell, Telus To Charge For Incoming Text, Spam [Liquidmatrix Security Digest]

Posted: 09 Jul 2008 07:49 AM CDT

Bell Canada and Telus are looking to cash in on SMS spam.

Or that is the appearance.

Starting in August both Bell Canada and Telus Mobility in Canada are going to be charging 15 cents for incoming text messages to pay-per-use customers.

From the Globe and Mail:

“The growth in text messages has been nothing short of phenomenal,” wrote Telus Corp. spokeswoman Anne-Julie Gratton in an e-mail to The Globe and Mail. She pointed to the latest statistics from the Canadian Wireless Telecommunications Association (CWTA) that peg the number of text messages sent in Canada at more than 45.3 million a day.

“This volume places tremendous demands on our network and we can’t afford to provide this service for free any more,” Ms. Gratton wrote.

Sadly, this includes spam messages.

Mr. Laszlo said that if a Bell customer receives any spam messages, he or she can contact customer care to have their account credited.

“If a client is experiencing an ongoing issue with spam, the client has the option of changing their phone number,” Mr. Laszlo wrote.

Wow. So, for every spam you received you would have to contact customer service? And if it is bad you have “the option of changing their phone number”. Negative option billing.

Not cool.

Article Link


Kaminsky and the new vulnerability patching world [Security Balance]

Posted: 08 Jul 2008 07:01 PM CDT

A few years ago, it would have been impossible to imagine something like what Dan Kaminsky has done with the recently uncovered DNS cache poisoning vulnerability. Although the technical details of the issue are still not public (and are probably “wicked cool”, 3117, etc.), the most impressive fact of the whole story is that there was a joint effort from several companies (competitors included) and organizations to release the patch in an organized way. It is the best example of responsible disclosure I’ve ever seen so far. I think this is a very good example of how mature our field is compared to old times.

Congratulations (one more time) to Kaminsky. And to the participants of the joint effort too.

Penetration testing tools - DirBuster [Hackers Center Blogs]

Posted: 08 Jul 2008 06:00 PM CDT

I decided to take a break from giving my two cents about the hot topics in the security industry and write some posts about the best tools for a web application penetration tester.

The selected tools are the ones I personally use every day and know best. Comments are welcome on alternatives available in the open source area, since I'm not going through commercial tools.

The tools order will follow the natural order of use: Information gathering tools, Proxy [...]
