Spliced feed for Security Bloggers Network |
Senate Approves Wider Wiretap Powers Bill [Liquidmatrix Security Digest] Posted: 10 Jul 2008 08:00 AM CDT This is just sad. From The New York Times:
So, the ISPs get their immunity. Talk amongst yourselves. |
What's behind online banking guarantees? [spylogic.net] Posted: 10 Jul 2008 05:00 AM CDT Wow...I'm really on this banking kick as of late... So I was watching TV tonight and saw a commercial for WaMu (Washington Mutual Bank) advertising their "Online Banking Guarantee". What I found interesting was the whole scenario that played out in the commercial... Woman: "Hey, I'm using WaMu Online Banking..." Man: "Online Banking?? That's not safe!!" Woman: "It's safe...I have WaMu's Online Banking Guarantee!" Man: "Oh...cool." (Note: this wasn't word for word but pretty close...you get the idea.) As a security professional I find it disturbing that you would "guarantee" something (like online banking) is safe and secure without a ton of terms and conditions (I'll get to this in a minute). We all know that nothing is 100% secure. Sure, online banking in general is safe to use...we all know banks are regulated to provide customer safeguards...etc...So how does WaMu pull this off? Here's the deal: "For any fraudulent or unauthorized transaction that has been initiated during an online banking session at wamu.com, WaMu will provide 100% reimbursement of the transaction amount plus any related account charges imposed by WaMu or lost account interest resulting from such transaction." Sounds good, right? Here is the kicker...you as the customer have responsibilities which, if you don't live up to them, you get no guarantee...check these out: "You have protected your password by creating one that would be hard for others to guess and do not write down or share your password with anyone." Customer: Hard to guess password? So my dog's name isn't hard to guess? "If you suspect a fraudulent or unauthorized transaction has occurred, you must contact WaMu within 60 days..." Customer: I'm on it...I never, ever procrastinate about anything! 
"If you knowingly share your username and/or password information with others, we will consider any direct or indirect transaction initiated online by this person as an authorized transaction." Customer: My wife knows my username/password; does that count? Damn...I'm getting a ton of these pop-ups on my PC...weird. And...buried deep in the Online Services Agreement & Disclosure: "You are responsible for the installation, maintenance, and operation of the Computer and browser software. The risk of error, failure, or non-performance is your risk and includes the risk that you do not operate the Computer or software properly. The Bank is not responsible for any errors or failures from any malfunction of the Computer or the software nor is it responsible for any electronic virus, viruses, worms, or similar software that you may encounter. The Bank has no liability to you for any damage or other loss, direct or consequential, which you may suffer or incur by reason of your use of the Computer or the software." Thus...no guarantee (unless they get hacked via online banking, and we know that could never happen). Enjoy your online banking guarantee. |
South Florida ISSA Hack the Flag and Chili Cook Off [StillSecure, After All These Years] Posted: 09 Jul 2008 11:16 PM CDT PDF flyer for the event with details; click to download the PDF. As part of doing my thing with StillSecure I get a chance to visit and speak at lots of ISSA chapters throughout the US. But in a case of there is no place like home, my favorite chapter is my home chapter, the South Florida ISSA. Jeff Dell, Pete Nicolletti, Tim Krabec and the rest of the gang do a great job of making ISSA fun and interesting for those of us down here. My only regret is that I am too often out of town for our monthly meetings and I don't get a chance to attend as much as I would like. Anyway, one of the highlights of the year for our ISSA chapter is the hack the flag and chili cook off. You should be able to click and download the PDF with all of the details. If not, visit the SFISSA chapter page here. |
Posted: 09 Jul 2008 11:03 PM CDT I can be pretty skeptical and cynical at times (part of what drives my interest in security) and I am especially skeptical of massively hyped vulnerabilities. If anything, I tend to underhype what I do and let others hype it for me if they think that it warrants more attention. With all of the hype around Dan Kaminsky’s DNS vulnerability, I naturally doubted that all of the hype was warranted. I was flattered, however, when Rich Mogull called me and invited me onto a conference call with Dan Kaminsky and the other Doubting Thomas (Ptacek, that is). Dan explained the full details and scope of his attack and both of us were impressed and agreed that it is way more serious than we had imagined. Yes, I am being light on the specifics here because I was sworn to secrecy and if I were to break it, Dan would cause my nameservers to rickroll me until the end of time. In summary, when the full details of Dan’s attack come out, you will most likely be impressed. I definitely was. |
It's About Time [BumpInTheWire.com] Posted: 09 Jul 2008 10:37 PM CDT I’ve decided after much reluctance to hone my Exchange skills and actually learn Exchange 2007. I’ve been reading “Mastering Exchange Server 2007” by Sybex to get myself up to date with what’s new and different from Exchange 2003. So far this afternoon I got about halfway through Chapter 1, which really is not very far, but I did read the part about the new features. We’ve been talking recently around the office about “What the hell took you so long to do it that way” type things. Like the peel-back top on a bag of Oreos that are out now. What in the hell took so long to figure that out? Or putting the console connection for a Cisco router on the front of the router instead of on the back. What the hell took so long to figure that design out? Some of these new features of Exchange 2007 fall into that “What the hell” category. Some of the new features of Exchange 2007 that caught my eye were:
So there you have it. I think a couple of those are key improvements…particularly the Out of Office Assistant scheduling and the Autodiscover for Outlook profile creation. I’m late to the table with Exchange 2007 but better late than never is what I say!! |
Posted: 09 Jul 2008 10:27 PM CDT Here is some information regarding this week’s Thursday OWASP - VA Local Chapter infosec meetup event. Pizza will be provided for a small fee. If you plan on attending, RSVP to Stan Wisseman (email available in their post - linked below) so they can get your badge processing started. |
Posted: 09 Jul 2008 08:52 PM CDT Are you interested in using voice for authentication, also known as voice biometrics? Would you like to know how far voice biometrics has come from that 1992 film “Sneakers” with “My voice is my password”? If you are free tomorrow, July 10, 2008, at 11am US Eastern time you can join in a conference call/podcast where I’ll be interviewing David Standig with VoiceVerified.com about voice biometrics in general and VoiceVerified’s specific offering. If you can’t join us at 11am, the interview will be available as a “Squawk Box” podcast later in the day. The deal is that Alec Saunders, the regular host/producer of the daily Squawk Box podcast is away on vacation and I’ve been guest-hosting this week in his absence. The daily shows have been about a range of topics (today was a great one about P2PSIP) and tomorrow’s show actually gets into VoIP security in terms of voice verification/biometrics. If you would like to join into the show, there are two ways you can do so:
In either case, you’ll get access to the telephone number you need to call and, during the call, will also have access to the live chat session that is used. If you aren’t able to attend (or don’t want to use the app), you can listen to the show after I post it on Alec’s Saunderslog.com sometime later tomorrow, probably in the evening. Also, if you are interested in being on Alec’s Squawk Box show, my guest hosting is done tomorrow, but drop me a note and I’ll be glad to suggest your name to Alec after he returns. I frequently participate and they’ve been enjoyable shows to be a part of. P.S. In the interest of full transparency and disclosure, I should note that VoiceVerified is actually a business partner of my employer, Voxeo, as I outlined in a blog post. That fact, however, did not influence my decision to bring them on the show - I was just looking for interesting companies to interview and they were one that caught my eye. |
DNS Vulnerability Survives Scrutiny of Peer Review [Zero in a bit] Posted: 09 Jul 2008 08:30 PM CDT The security community is cynical. So much so, that most of the chatter that’s taken place over the past 24-36 hours has suggested that Kaminsky’s DNS vulnerability was little more than a publicity stunt and that his BlackHat presentation would be an over-hyped rehash of prior art. Granted, one has to suspend disbelief to even consider that something monumental would be discovered in DNS — that’s the protocol itself — but hell, it’s always nice to give a guy the benefit of the doubt. Faced with nearly a month of criticism and questioning, and understanding the persuasive power of a technical peer review, Dan decided to expand the inner circle, so to speak. Rich Mogull arranged a phone call with Tom Ptacek and Dino Dai Zovi so that Dan could spill the beans and let them decide for themselves whether it was spin or substance. Turns out there was substance. Now we sit around and wait until August 6th to cram into a ballroom with a thousand sweaty conference-goers to hear the juicy details. And Dan’s presentations are usually packed to the brim even when he’s not announcing anything. In the meantime… how about patching those servers? |
More On The DNS Vulnerability [securosis.com] Posted: 09 Jul 2008 07:13 PM CDT Okay- it’s been a crazy 36 hours since Dan Kaminsky released his information on the massive multivendor patch and DNS issue. I want to give a little background on how I’ve been involved (for full disclosure) as well as some additional aspects of this. If you hate long stories, the short version is he just walked me through the details, this is a very big deal, and you need to patch immediately. Dan contacted me about a week or so ago to help get the word out to the CIO-level audience. As an analyst, that’s a group I have more access to. I was involved with the initial press conference and analyst briefings, and helped write the executive overview to put the issue in non-geek terms. At the time he just gave me the information that was later made public. I’ve known Dan for a few years now and trust him, so I didn’t push as deeply as I would with someone I don’t have that relationship with. Thus, as the comments and other blogs dropped into a maelstrom of discontent, I didn’t have anything significant to add. Dan realized he underestimated the response of the security community and decided to let me, Ptacek, Dino, and someone else I won’t mention into the fold. Here’s the deal- Dan has the goods. More goods than I expected. Dino and Ptacek agree. Tom just issued a public retraction/apology. This is absolutely one of the most exceptional research projects I’ve seen. Dan’s reputation will emerge more than intact, although he will still have some black eyes for not disclosing until Black Hat. Here’s what you need to know:
Next time something like this happens I’ll push for full details sooner, but Dan is justified in limiting exposure of this. His Black Hat talk will absolutely rock this year. |
Dark Reading Column: Attack Of The Consumers (And Those Pesky iPhones) [securosis.com] Posted: 09 Jul 2008 05:44 PM CDT I have a sneaking suspicion my hosting provider secretly hates me after getting Slashdotted twice this week. But I don’t care, because in less than 48 hours it’s iPhone Day!!! Okay, so I already have one and all the new one adds is a little more speed, and a GPS that probably isn’t good enough for what I need. But I use the friggen thing so darn much I can definitely use that speed. It’s been up for a few days, but with everything else going on I’m just now getting back to my latest Dark Reading column. This month I take a look at what may be one of the most disruptive trends in enterprise technology- the consumerization of IT. Here’s an excerpt:
|
Security Catalyst Community: Discussion Forum Activity (9 July 2008) [The Security Catalyst] Posted: 09 Jul 2008 02:23 PM CDT
Join in the Discussion! Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share). If you have not yet registered, please remember to use firstname.lastname as the standard. |
Ouch [Matt Flynn's Identity Management Blog] Posted: 09 Jul 2008 01:26 PM CDT Dave Kearns calls my argument smoke and mirrors and labels it FUD. His argument is that the Global 2000 have more users and are therefore more important? Should their needs drive solutions for the mid-market? Dave, I don't think the number of users is even relevant. What is relevant is the experience of those customer organizations and how they can meet their requirements. The number of infrastructures is more relevant than the number of end users in this discussion. I don't think a huge amount of them have a need or desire for multiple user directories. They seem to run off of AD and seem to prefer to have apps leverage AD instead of figuring out how to use a virtual directory (or metadirectory for that matter). Where is the FUD in that? Where is the smoke? What would be my motive to raise smoke and mirrors? The discussion of how Oracle should build a product is very different than whether customers should consider metadirectory as an alternative. I think they should. I think there are still plenty of environments that could benefit from that approach. But I conceded Clayton's point -- if Oracle wants to build a virtual directory into its suite to enable flexibility for customers, that's great. I just don't think a virtual directory is the answer to everything (and I spent a lot of time discussing the various use-cases that cry for one). I would just hate to have people shy away from a good technology because some people say it's no good anymore. That doesn't make sense. Ultimately, we might agree. Dave's conclusion is one that I've echoed over and over:
Let's just not declare something dead because it no longer seems cool to the in-crowd. It's OK to take a pragmatic approach to whatever challenge your organization is facing. That's my point. |
No, I Don’t Know the Answer to the Big DNS Secret [Zero in a bit] Posted: 09 Jul 2008 10:26 AM CDT Rich Mogull’s executive overview of Dan Kaminsky’s latest DNS vulnerability ruffled a few feathers yesterday:
The typical response I heard was “what do you mean, it can’t be reverse engineered? I’ll just look at the diffs!” In hindsight, after examining the BIND diffs (yes, I did it too) and discussing with colleagues, all most people saw was UDP source port randomization and a better PRNG for generating the transaction ID, the latter of which would appear to be related to Amit Klein’s cache poisoning attack from about a year ago. What Rich was really saying is that you can reverse engineer the patch until you’re blue in the face, but that won’t reveal the specifics of the vulnerability. Dan’s blog post this morning appeared to confirm that interpretation:
Nate McFeters appears to think that Tom Ptacek has figured it out. I’m going to go out on a limb and say that Tom didn’t figure anything out yet but still wanted to write a pithy blog post. I think that if Tom had figured it out, he would have written it down privately and posted the SHA-1 hash, as is the trendy thing to do these days. Speculation aside, the title of Tom’s blog entry, Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!, does make an important point — Dan didn’t sell the details to ZDI, he used his influence and reputation to coordinate a massive vendor patch effort. That’s an admirable move. |
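The two changes the post above says people found in the BIND diffs, UDP source port randomization and a better transaction-ID PRNG, are easy to reason about even without knowing the undisclosed attack. The toy model below is an example added to this feed page; it is not code from the quoted blog, from BIND, or from Dan Kaminsky's work. It assumes a resolver that, before the patch, sends every query from one predictable port (53 is used here as a stand-in for any fixed port) and a blind attacker who can deliver a limited number of distinct forged replies before the real answer arrives; the query name and the RNG seed are constructed for illustration. It models a single query window only, so it says nothing about how many windows an attacker can provoke, which is where the real attack details would matter.

```python
"""Toy model of blind DNS reply spoofing against one outstanding query.

Example added to the feed page; not code from the quoted post, BIND, or
Kaminsky. Fixed port 53, the query name and the seed are assumptions.
"""
import random
from dataclasses import dataclass

TXID_BITS = 16   # DNS header ID field is 16 bits (RFC 1035)
PORT_BITS = 16   # whole UDP port space; a real resolver draws from a subrange
FIXED_PORT = 53  # assumed pre-patch source port the attacker can predict


@dataclass(frozen=True)
class OutstandingQuery:
    """What the resolver remembers while it waits for an answer."""
    qname: str
    txid: int
    src_port: int


def resolver_send(qname: str, rng: random.Random, randomize_port: bool) -> OutstandingQuery:
    """Issue a query: random TXID always, random source port only when patched."""
    txid = rng.getrandbits(TXID_BITS)
    port = rng.getrandbits(PORT_BITS) if randomize_port else FIXED_PORT
    return OutstandingQuery(qname, txid, port)


def resolver_accepts(q: OutstandingQuery, reply_qname: str, reply_txid: int,
                     reply_dst_port: int) -> bool:
    """A reply is accepted only if it hits the port the query left from,
    echoes the transaction ID, and repeats the question that was asked."""
    return (reply_dst_port == q.src_port
            and reply_txid == q.txid
            and reply_qname == q.qname)


def attacker_race(q: OutstandingQuery, guesses: int, rng: random.Random,
                  knows_port: bool) -> bool:
    """Flood `guesses` distinct forged replies for q.qname before the real one
    lands. Returns True if the resolver accepted any of them."""
    txid_space = 2 ** TXID_BITS
    space = txid_space * (1 if knows_port else 2 ** PORT_BITS)
    # sample without replacement: a smart attacker never repeats a guess
    for code in rng.sample(range(space), min(guesses, space)):
        guess_txid = code % txid_space
        guess_port = FIXED_PORT if knows_port else code // txid_space
        if resolver_accepts(q, q.qname, guess_txid, guess_port):
            return True
    return False


def success_rate(trials: int, guesses: int, randomize_port: bool, seed: int = 1) -> float:
    """Monte Carlo estimate of the per-window spoofing success probability."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        q = resolver_send("www.example.com.", rng, randomize_port)  # constructed name
        if attacker_race(q, guesses, rng, knows_port=not randomize_port):
            wins += 1
    return wins / trials


def expected_rate(guesses: int, randomize_port: bool) -> float:
    """Closed form for the same quantity: distinct guesses over the space size."""
    space = 2 ** TXID_BITS * (2 ** PORT_BITS if randomize_port else 1)
    return min(guesses, space) / space


if __name__ == "__main__":
    for randomize in (False, True):
        label = "random port" if randomize else "fixed port"
        print(f"{label:12s} expected={expected_rate(5000, randomize):.2e} "
              f"simulated={success_rate(200, 5000, randomize):.3f}")
```

With a fixed port, 5000 forged replies in one window win roughly 7.6% of the time; with a random 16-bit port the same flood is down around one in a million, which is the whole point of the patch: the attacker's guess space grows from 2^16 to 2^32 without any protocol change. Note that port randomization is only as good as the PRNG behind it and the size of the port range the resolver actually uses, and that a NAT device rewriting source ports can quietly undo it.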
July 2008 SRT: Battling Botnets with Botnets [Network Security Blog] Posted: 09 Jul 2008 10:02 AM CDT Michael Santarcangelo has posted this month’s Security Roundtable, Battling Botnets with Botnets. We had a lot of fun recording this episode, even though we barely talked about the main subject at all. I took away a lot to think about, especially the law of unintended consequences: there’s what you meant it to do, what it does, and what effects a system has on other systems around it. Phalanx is a great example of that. This is a long one, by the way. That always seems to happen when Michael and I get together to talk.
Master dissertation test [Security Balance] Posted: 09 Jul 2008 09:59 AM CDT I’m trying to finish my Master dissertation in the next months. In order to do that I need to test the log analysis methodology I’m proposing. The methodology is targeted to detect insider attacks, so I need to collect logs from internal resources, which include AD domain controllers, internal e-mail systems, file and folder access audit logs, firewalls and other network devices, http servers, applications, and everything else that can produce logs and indicate internal users’ behavior. I would need to collect one week of logs for the tuning phase and after that one week of logs that will include some “simulated attacks”. If there is anybody out there that can help me by providing those logs (everything will be anonymized, of course), please drop me an e-mail at augusto (at) securitybalance.com. Thanks! |
The July Security Roundtable is available: Battling Botnets with Botnets [The Security Catalyst] Posted: 09 Jul 2008 09:51 AM CDT Complete details are available here: http://www.securityroundtable.com/2008/07/security-roundtable-for-july-2008-battling-botnets-with-botnets/ The discussion ran a bit longer than we allotted, yet even on our review listen it proved worth every minute. We raised some interesting questions and look forward to sharing the conversation with you. This is only the beginning and we invite you to share your ideas, insights and feedback in the Security Catalyst Community.
Thanks to the panel:
Joining the conversation in the Security Catalyst Community Share your ideas in the Security Catalyst Community. Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share). If you have not yet registered, please remember to use firstname.lastname as the standard. |
Posted: 09 Jul 2008 09:46 AM CDT Much has been written lately about annoying sales tactics and how many in the security field try to duck vendor calls. Believe it or not, I get my share of annoying sales calls as well. Whether it is the great conference that is being organized with all of the CIOs that I would ever want to speak to or the latest, greatest new product that is going to make my life easier and define the road to riches, I am swamped with spam telephone calls (on my cell phone no less) every day. One thing that I have come to see is that many of these unsolicited calls come in with an unknown caller ID. I don't mean no name for the entity, but no number either. Most of these people don't leave a voice mail either; they just keep calling until they get an answer. My view is that if the caller has to go to the effort of hiding their name and number, then they have something to hide and are not being upfront. I don't want to do business with anyone like that. I think this just puts two strikes against anyone calling. Why are you hiding who you are? Are you ashamed of what you are doing? So here is my Shimel rule on sales calls. If your caller ID does not identify you, then I don't want to talk to you! |
This is not the vulnerability you’re looking for [Network Security Blog] Posted: 09 Jul 2008 09:31 AM CDT Marcus Sachs over at the Internet Storm Center suggests that a vulnerability in the Windows XP DNS resolver found 3 years ago is the same vulnerability Dan Kaminsky found and multiple companies patched yesterday. While it might be related, it’s not the same thing. First of all, Dan’s vulnerability isn’t just in resolvers; it affects any system using DNS, either as a resolver or as a name server. Second, this outlines a Man in the Middle Attack and Dan specifically stated that his vulnerability is a remotely executable attack, meaning there doesn’t need to be a MITM. As an interesting side note, Thomas Ptacek points out that Dan could have made a lot of money by selling this to Tipping Point or someone else. He didn’t, and he put his reputation on the line to organize the vendors to patch this issue in a coordinated manner. Kudos to Dan and his team for taking the high road. Now we just have to wait until Black Hat to find out the real details of the vulnerability. I bet that’ll be a crowded talk. |
.mac phishing? Say it ain't so [Random Thoughts from Joel's World] Posted: 09 Jul 2008 09:23 AM CDT Check this guy out! Phishing attempt specifically targeted at mac.com users. Be aware of this one! |
When Security Tools Go Bad [un-excogitate.org] Posted: 09 Jul 2008 09:19 AM CDT Noticed on milworm today PoC buffer overflows for both OllyDBG and ImpREC. This reminded me of a post I wrote last year about some vulnerabilities that were discovered in EnCase and the Sleuth Kit. These sorts of issues do get me thinking about how much, and how effectively, we verify the validity of the security tools we use. At a forensic acquisition training course I attended recently, one of the items discussed was assuring and validating that the tools you use do not compromise the information you are acquiring. This is particularly important for chain of custody and tamper-proofing. You don’t want to use a particular piece of software, which claims to access a storage medium without making any changes to it, only to discover that it has made minute changes. Or that a hardware device designed to prevent data being written to a hard drive actually makes small changes to the drive itself. This same principle applies to tools used for malware reverse engineering or software validation. You don’t want to find that the tools you’re using to try and determine if software is malicious are exploitable by DLLs able to run foreign executables. If you aren’t careful with your testing environments, you may unexpectedly expose them to malware (in the bad way, not in the way that is controlled). This isn’t much of a problem if you run your reverse engineering tools in a virtualised environment, but if you don’t then you might find that you’ll have to spend some time rolling back or re-installing everything. Being pragmatic of course, I don’t think anyone would expect you to be able to find the sorts of vulnerabilities as were found in this PoC. But sure, you’ll have to show some degree of rigour in validating your tools. Most of the time it will be sufficient to check for any current or previous vulnerabilities on security sites such as securityfocus, sans, securitytracker or milworm. 
Perhaps rigour around also means that you maintain an up-to-date tools list, including your licensing and version information. Perhaps you utilise Secunia’s software to ensure that all software is current. I’m unsure how other people perform this process, or even if it’s necessary. Perhaps it’s only necessary in the forensic space. I’m not entirely sure. I’ve posted the question on the Security Catalyst Community so hopefully I’ll find out what other people think. |
Taming of the Information Security [Musings on Information Security] Posted: 09 Jul 2008 08:33 AM CDT In many mid-size to large organizations, information security grows up to become an unmanageable, complex beast. In some cases this happens consciously, where information security goes out of control, but in other cases this happens unconsciously, where there is a slow but incremental increase in the complexity of information security which leads to chaos. The information security field is not yet fully mature; there is a lack of a cohesive, interoperable framework. The rapidly evolving landscape adds to the existing problem. There are several examples: Intrusion Detection System (IDS) was quickly overtaken by Intrusion Prevention System (IPS). In the Firewall arena, the focus has moved from perimeter security to end point security. There are some security visionaries who are preaching an inside-out security approach, i.e. building products with information security in mind from the beginning.
Threats are moving higher up in the OSI stack, making them harder to detect. Hackers are becoming more sophisticated – there are powerful free open source hacking tools available at their disposal. Security managers driving security initiatives without co-ordination can result in pieces of the puzzle that don't fit well. The agency problem, i.e. security managers thinking more about their personal advancement rather than the security of the company, is bad for the company's security initiative. Security leaders who do not have a clear vision of security at the component level, the administration level and the strategy level can only make information security even more convoluted. The CISO and acting CIO of the US Dept of Veterans Affairs resigned after the breach in May 2006 where personal data of 26 million veterans and more than 2 million service members was stolen. This clearly demonstrates the accountability and visibility of security leadership. The attitude of IT security leaders and security team members has a significant impact on security. Reckless buying of information security technology can result in wasteful expenditure and very little gain in efficiency. Not understanding the business perspective of security issues or the security perspective of business issues can lead to poor security decisions. Using security as a mechanism to gain control rather than using it as a tool to reduce risk can only diminish the perceived value of the security initiative. Implementing security as an afterthought rather than building it into the framework results in poor architectural decisions. Security investment is more like buying insurance. Thinking of security as a vehicle providing an ROI can result in wrong expectations and lead to poor decisions. The business in which a company operates contributes largely to the perceived importance of security. Financial institutions usually have a higher bar on security because of the very nature of their business and their exposure to legal liability. 
It is a good idea for many technology companies to emulate financial institutions to raise their information security bar. It could be a pipedream to accomplish complete information security, but accomplishing a well managed information security program is an attainable possibility. |
The Microsoft Bloggers Network [StillSecure, After All These Years] Posted: 09 Jul 2008 08:17 AM CDT My podcast co-host and friend Mitchell Ashley started a bloggers network for people who write about anything Microsoft. It is not just security related, but anything to do with Microsoft. If you do, the Microsoft Bloggers Network If you would like to join the network, you need to send Mitchell an email here. I am joining today. |
Security Briefing: July 9th [Liquidmatrix Security Digest] Posted: 09 Jul 2008 08:03 AM CDT The little one screamed in my ear so much last evening that I have a constant ringing this morning. Not so much fun. Unless you missed it yesterday there is a major DNS patch roll out that you should be aware of. Click here to subscribe to Liquidmatrix Security Digest!. And now, the news…
Tags: News, Daily Links, Security Blog, Information Security, Security News |
Bell,Telus To Charge For Incoming Text, Spam [Liquidmatrix Security Digest] Posted: 09 Jul 2008 07:49 AM CDT Bell Canada and Telus looking to cash in on SMS spam. Or that is the appearance. Starting in August both Bell Canada and Telus Mobility in Canada are going to be charging 15 cents for incoming text messages to pay-per-use customers. From the Globe and Mail:
Sadly, this includes spam messages.
Wow. So, for every spam you received you would have to contact customer service? And if it is bad you have “the option of changing their phone number”. Negative option billing. Not cool. Tags: Bell Mobility, Telus Mobility, Text Messaging, SMS |
Kaminsky and the new vulnerability patching world [Security Balance] Posted: 08 Jul 2008 07:01 PM CDT A few years ago, it would be impossible to imagine something like what Dan Kaminsky has done with the recently uncovered DNS cache poisoning vulnerability. Although the technical details of the issue are still not public (and are probably “wicked cool”, 3117, etc), the most impressive fact of the whole story is that there was a joint effort from several companies (competitors included) and organizations to release the patch in an organized way. It is the best sample of responsible disclosure I’ve ever seen so far. I think this is a very good example of how mature our field is compared to old times. Congratulations (one more time) to Kaminsky. And to the participants of the joint effort too.
|
Penetration testing tools - DirBuster [Hackers Center Blogs] Posted: 08 Jul 2008 06:00 PM CDT I decided to take a break from giving my two cents about the hot topics in the security industry and write some posts about the best tools for a web application penetration tester. The selected tools are the ones I personally use every day and know better. Comments are welcome on alternatives available in the open source area since I'm not going through commercial tools. The tools order will follow the natural order of use: Information gathering tools, Proxy [...] |