Tuesday, July 15, 2008

Spliced feed for Security Bloggers Network

Symantec poisons the channel [StillSecure, After All These Years]

Posted: 15 Jul 2008 08:06 AM CDT

For a long time Symantec has enjoyed a great reputation as the VAR's best friend. They were the ultimate channel-friendly company with a large and deep channel. As a result there is always a Symantec channel partner nearby almost every customer. In a case of biting the hand that feeds it, this may be changing. According to this article in Channel Web, Symantec is taking its largest 900 customers direct and moving all SMB renewals direct as well.

The renewal business is viewed as a built-in annuity by many VARs, and losing these follow-on deals is not going to sit well. Also, by taking the largest 900 customers direct they are taking the top end, or largest deals, out of the channel. The channel market is way too sensitive to this type of thing for it to happen without repercussions taking place. It just remains to be seen what they will be, but they will come.

So this is why UK police can't tackle cybercrime [Vitalsecurity.org - A Revolution is the Solution]

Posted: 15 Jul 2008 06:25 AM CDT

....or indeed, anything else for that matter. No idea how new this is, or even if it's real (his equipment looks real enough though), but what an awesome run he has.

Thanks to SB for the heads up ;)

SQL Server 2005 - Where the $%#@ is that stored proc ? [extern blog SensePost;]

Posted: 15 Jul 2008 04:47 AM CDT

While doing some prodding on SQL Server, I came across this newness (of course this is probably old hat to many SQL 2005 DBAs).

Essentially I was trying to track down something in sp_addserver.

The source of this stored proc [System Databases\Master\System Stored Procedures\sys.sp_addserver] showed that another stored proc called: sys.sp_MSaddserver_internal was being called.

For the life of me though, I could not track down sys.sp_MSaddserver_internal.

Turns out the answer is reasonably well documented [SQL Books Online]: with 2005, MSFT moved stored procs and friends into a read-only hidden DB. This can be made visible by copying the physical .mdf files and attaching them. [Process reasonably documented on the interwebs if you know what to search for.]

This effectively will allow you to do a:

use Resource_Copy
go
select name from sys.objects where name like '%MS%internal%'

to reveal the missing procs for you to examine/tinker with.
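The attach-and-query steps the post describes, written out as T-SQL. This is an added example and not code from the SensePost post; the file paths are placeholders for wherever the copied resource database files were placed, and the database name Resource_Copy is the one the post uses.

```sql
-- Added example (not from the original post). Assumes the physical files of the
-- hidden resource database have already been copied to the placeholder paths
-- below; adjust them for your server. Attaching the copy under a new name
-- leaves the live, read-only hidden database untouched.
CREATE DATABASE Resource_Copy
ON (FILENAME = N'C:\placeholder\mssqlsystemresource.mdf'),
   (FILENAME = N'C:\placeholder\mssqlsystemresource.ldf')
FOR ATTACH;
GO

USE Resource_Copy;
GO

-- List the internal procedures that Object Explorer does not show
-- (sys.sp_MSaddserver_internal from the post is one of them).
SELECT name, type_desc
FROM sys.objects
WHERE name LIKE '%MS%internal%'
ORDER BY name;
GO

-- Pull the T-SQL body of one of them for reading.
SELECT OBJECT_DEFINITION(OBJECT_ID(N'sys.sp_MSaddserver_internal')) AS definition;
GO
```

Since the attached copy is a snapshot of the files at the moment they were copied, a quick sanity check is to compare a definition pulled from it against sys.all_sql_modules on the live server (the union of sys.sql_modules and sys.system_sql_modules, present since SQL Server 2005); a mismatch means the copy is stale or the server has been patched since.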

Links for 2008-07-14 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 15 Jul 2008 12:00 AM CDT

5 Reasons Why the iPhone 2.0 is still not Enterprise 1.0 Ready [360 Security]

Posted: 14 Jul 2008 01:07 PM CDT

1. Apple ships a software update the same day the hardware is released.

This is clearly indicative that Apple struggled to get the product to market on time. It's an old trick. Ship the product and hope that by the time it hits consumers' hands, you'll have a massive update available for download. After a few days of heavy usage, developers are blaming Apple when users complain of spurious application crashes. According to developers, it's not a problem with their application, but with the new 2.0 firmware. The enterprise invests in quality. A rushed product will inevitably mean problems.

2. Apple's own update infrastructure isn't designed to handle the load.

Enterprises can't afford failure, and on release day Apple's activation system keels over. Apple knew exactly how many iPhones were available to be sold. They simply didn't architect their infrastructure to handle the known demand. This is not like some mom and pop website getting Slashdotted. Consumers not being able to activate their iPhones was one problem, but it also affected all users trying to use the iTunes store. If an enterprise is dependent upon this infrastructure, then prepare yourselves for outages.

3. iPhone 2.0 firmware already hacked.

In fact it was hacked before it became officially released. This is all about compliance and homogeneity. While Apple fights to keep the iPhone locked for contractual and revenue reasons, the enterprise wants it locked for compliance. A system not to the IT common spec is considered a rogue device. Rogue devices cause increased workload and introduce security risks.

4. Enterprise customers get the bait and switch.

While I may be viewed as the "iPhone hater", I still attempted to order an iPhone from my corporate AT&T wireless account manager. After weeks of receiving email pitches to place an order, we are told at 5pm Thursday night our account isn't eligible. But I could upgrade the account type. No thanks, that's lingo for "let me lock your company into a monthly commitment plan".

5. iPhone configuration utility not quite there yet

Along with ActiveSync support, Apple also released the iPhone Configuration Utility. This is a reactive step forward for Apple. They seem to have realized that IT operations need centralized configuration and management tools even when it comes to smart phones. The problem for Apple is that it's a stepchild of a utility. The configuration product is a third-party tool that has no integration points with Exchange, Active Directory or any other centralized enterprise infrastructure. Further, it exhibits Apple's failure to understand true policy compliance and enforcement because it requires IT to distribute configuration XML files in email or over the web. This is not policy enforcement, it's policy inclination.

Security Catalyst Community: Discussion Forum Activity (July 14 2008) [The Security Catalyst]

Posted: 14 Jul 2008 12:42 PM CDT

The forums are off to a roaring start this week - with some insightful discussions. Sure, thinking this early in the week can be scary, but it sure pays off!


Join in the Discussion!

The Security Catalyst Community

Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share). If you have not yet registered, please remember to use firstname.lastname as the standard.


ICO - turning the oil-tanker [RSA Conference - Blog]

Posted: 14 Jul 2008 10:36 AM CDT

Preaching to the choir [Security Karma]

Posted: 14 Jul 2008 10:30 AM CDT

Stuart King wrote an excellent post at computerweekly.com regarding how to reduce the cost of information security. His points are spot on and very similar to things I have been bringing up at work over the past few months. My organization in particular is being hit particularly hard due to current economic conditions so it is imperative that I show value for every dollar I spend, perform thorough risk analysis on new projects, and evaluate existing security projects, services, and infrastructure for cost savings. Of course I have to do all this while maintaining (or improving) the current security posture of the enterprise.

Good times.

FYI - I'll be out at O'Reilly's OSCON next week in Portland talking about voice mashups... [Blue Box: The VoIP Security Podcast]

Posted: 14 Jul 2008 08:04 AM CDT

If any of you reading this will be out at O'Reilly's OSCON Open Source Convention next week (July 21-25) in Portland, Oregon, I (Dan York) will be there giving a talk on Wednesday on "Mashing Up Voice and the Web Through Open Source and XML". Here's the abstract:
With over 4.5 billion mobile and fixed phones out there as of November 2007, the phone represents the most ubiquitous user interface out there. As "mashups" on the Web let us quickly and easily access information from multiple data sources, how do we extend those mashups to the world of the phone? How do we bring the old world of voice and telephony into the new world of the Web, social networks, and social media? And how do we do that using open source tools and open standards?

If any of you will be attending, please do drop me a note as I always enjoy meeting up with people who read this blog. If you are not attending but are interested, it's not too late... you can still register at the OSCON site. Should be a great convention for those interested in open source development. The schedule is pretty amazing as it truly has a collection of some of the best folks out there in the open source world. (The convention starts on Wednesday with Monday and Tuesday being for tutorials.) I'm definitely looking forward to the event!


Confirmation bias [Kees Leune]

Posted: 14 Jul 2008 07:48 AM CDT

Robert Graham over at Errata Security has a very interesting post up. The topic of the post is confirmation bias, a well-known concept in science that revolves around the idea that a theory is only valid when you cannot disprove it (rather than when you can prove it).

"Because of this, the first time somebody misconfigures BitTorrent to use too many connections, the router crashes. Likewise, internal processes within the router crash often and silently restarting without being visible from the outside - but still passes QA tests because they aren't looking for that. Anything unusual that the user does is likely to cause a crash."

Definitely an interesting read.

Happy Monday.

Roxer - still the easiest way to make a web page [Jeremiah Grossman]

Posted: 14 Jul 2008 12:03 AM CDT

Jer Blog Roxer:

It's been several months since I've written about Roxer. Currently Lex does all the coding since I'm investing just about every waking moment at WhiteHat. Primarily I help on Roxer strategy and solve extremely difficult JavaScript problems. Since the beginning we've been completely enthralled in the types of pages users build and the features they ask for. Iterative development is a lot of fun as is prioritizing enhancements into buckets that draw a crowd, improving the user experience, and keep people coming back. Astonishingly we're up over 13,000 users, not bad for near-zero marketing, and that's if you count my single blog post. :)

It's really cool seeing people from all over the world using something you've built. Actually we think over half of our users are outside the U.S. Teachers are posting classroom curriculum. Students are making online book reports. Bands are creating their online presence. Gamers are creating fan pages. And of course there is some other stuff in there we have to remove from time to time that's not PG-13 rated. :) A lot is being published and it's become impossible for even us to track.

Our next challenge is trying to figure out a business model that makes sense. Fortunately though, since everything is so darn cheap to run on the Amazon cloud platform, we haven't really felt pressured to do so, focused more on product and kept the service free. Premium subscription pricing seems to be the way we'll go, much more attractive than advertising, but we'll probably try that too. Maybe I'll post again when we hit 50K users, that'll be something!

The battle over unlocking cell phones - carrier vs. carrier [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 13 Jul 2008 10:52 PM CDT

Apparently this is a big phenomenon. I wasn't aware of this going on until I caught this story on Quamnet.com, and it held my attention. Unlocking mobile phones from one carrier to be used on any network is technically not illegal - or not illegal in any documents that I've been able to find - but TracFone is winning lawsuits against people who buy hundreds or maybe even thousands of its phones, unlock them, then send them overseas to be used elsewhere.

The problem TracFone has is that it sells the phones cheap... below cost oftentimes, only to turn a profit when people buy minutes at ridiculously expensive premiums. This is how cell phone companies get you - we all know that already, so when someone unlocks a TracFone phone and doesn't buy minutes from them it's "taking money out of TracFone's pocket", their attorneys argue.

What I found interesting is that there could be a huge clash coming in the courts - as MetroPCS (another cell phone company similar to TracFone) is offering to unlock competitor's phones as long as they're the same technology (CDMA) and give them a month's worth of calling for $30. From a July 8th article in RedOrbit.com:
Under the offer's terms, MetroPCS will tinker with phones originally sold by Verizon Wireless, Sprint Nextel (S), Alltel, or any other carrier whose network is based on CDMA [code division multiple access], the technology MetroPCS uses. MetroPCS will unlock the phone and provide a month's worth of calling -- all for $30.
Whoa. So here's TracFone suing companies that unlock their phones and send them overseas to be used, when MetroPCS is doing it as part of a legal commercial promotion! I can't wait for these two forces to collide. I can see it now, TracFone filing suit against San Antonio-based Houdinisoft and MetroPCS. MetroPCS filing suit back... this could make it all the way up to the Supreme Court!

This should be fun. I feel like in the end, the customer should be the winner, but we'll still end up getting screwed (early termination fees, anyone?). Either way, I want ring-side seats for this one and a big tub of popcorn so I can watch the fur fly.

Application Security Conferences/Events (July-November) [Writing Secure Software]

Posted: 13 Jul 2008 03:54 PM CDT

I thought to announce herein a provisory list of conferences/meetings that I plan to attend:
July 30th Local OWASP Chapter: Speaking
August 6-7 Blackhat, Caesars Palace Las Vegas: Attending
August 8-10 Defcon16: Riviera Hotel, Las Vegas: Attending
September 23rd Local OWASP Chapter: Speaking
October 2nd: IMI security symposium, Northern Kentucky University: Speaking TBC (To Be Confirmed)
October 29th: OWASP USA TBA (To Be Announced), Chapter TBA, Location TBA: Speaking TBA
November 5th Security Day in Sardegna (Italy): Speaking
November 10 and 11: IASA IT Architect Regional Conference in Singapore: Speaking

If you plan to attend any of these events/conferences. I will update this with the presentation topics as these get official in the conference schedules.

Schools Beware: You're in the bullseye [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 13 Jul 2008 01:53 AM CDT

Have you noticed the rising number of data breaches involving schools lately?
Have you noticed the number of schools who have had break-ins, data stolen on students?
Have you taken a moment to think about why?

I'm sure I won't be the first person to say that personal records (enough to steal an identity) of students and adolescents are desirable because they will likely not be used for quite some time - and therefore don't have credit monitoring or protection against them. Interesting concept huh? Stealing an identity which hasn't even opened a credit card before... no credit history to go against for triggering anomaly detection systems (in credit files) and the record is likely rarely monitored by the person (or his or her family). This is the perfect mix of ingredients for identity thieves to salivate.

I may be stating the obvious here - but schools really, really need to be on their guard because the identities of students are in the cross-hairs of criminals and would-be identity thieves as you read this.

Here are some recent data breaches in education:

It's All About the Lifecycle [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 12 Jul 2008 10:51 AM CDT

Happy Saturday everybody. We're closing up on Black Hat, and I wanted to share something I found that should interest you if you live in the world of web application security.

Dennis Hurst - a colleague of mine over at SPI Dynamics (now HP) - has started a conference which follows BlackHat called "LifeCycle Security". Application Security is a problem that everyone faces today - and I think we need to start thinking about it more than just tactical solutions. We're all so focused on PCI and compliance in general, and all the silly tactical things that go around with it that we're often missing the forest for the trees.

I'd like to take a moment to applaud Dennis's efforts in creating awareness around the Web App SDLC, and the fact that we really need to think "bigger picture". I encourage you (if you're still allowed to travel due to the economic "toughness" out there) to extend your stay long enough to come out and check the conference out. I think it'll be well-worth your time, and you can bring back some take-aways which managers like to have their employees come back with. This conference Dennis is hosting will definitely be less about hacking web apps, and more about how to think long-term when securing them.

More details, and registration here: http://www.lifecyclesecurity.com/invitation.aspx

Links for 2008-07-11 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 12 Jul 2008 12:00 AM CDT

Fun Reading on Security - 5 [Anton Chuvakin Blog - "Security Warrior"]

Posted: 11 Jul 2008 07:57 PM CDT

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security." Here is an issue #5, dated June 11, 2008.

  1. Another fun (and horrible) laptop theft story, to be shown to those naive souls who say "ah, just stolen for hardware"
  2. Very fun dailydave thread on security future (sad, of course :-)) - here is an excerpt: "The complexity in security is not from any complexity in technology but the complexity in motivating people to truly care about security and act accordingly."
  3. Prediction markets for security? Fun idea!
  4. "Elevator pitch for explaining security risks to executives" by Lenny Zeltser @ SANS.
  5. "In Praise of the Information Security Checklist."
  6. A great WAF battle rages on (here and in many other places). PCI + June 30 + 6.6 + WAF = BOOM!
  7. How do you protect from IT admins "going bad?" Separate data and infrastructure (easier said than done, for sure). Another related one is "Staff more dangerous than hackers."
  8. Curious about PCI DSS compliance outside the US? Read this and this. Yes, it is pretty bad.
  9. "Terminating an employee with privileged access" from SANS (scroll to bottom)
  10. An interesting view on the sad state of academic research in information security.
  11. Useful reminder to many people pushing silly/useless security solutions: while you are doing this, your organization is losing 6% of revenue to fraud. Today. Every day. Fraud checklist is linked there as well.
  12. Rich on "consumerization" of IT. Good stuff. You are ready for it, aren't you? More on this subject.
  13. Obviously, you are reading Mike R mid-year grades for his predictions.  One that failed in the most spectacular fashion (grade "D") is also an instructive read.
  14. Really good post on security vs risk management. Just read it.
  15. Matasano launches a GRC solution :-)
  16. After "security idiot" became "an official meme", it didn't take long for SecurityIdiot.com to launch with much fanfare! If you are still wondering how to misspell "SOX" go there... the mystery is answered.

See you next time!

Fun AV Cartoon [Anton Chuvakin Blog - "Security Warrior"]

Posted: 11 Jul 2008 11:58 AM CDT

Thanks to Dancho for the link. The cartoon is here.

Do they REALLY think SaaS is bad!? [Alert Logic]

Posted: 11 Jul 2008 11:38 AM CDT

I've been reading LogLogic's recent blog posts about the "perils of SaaS" with some amusement. Of course the obvious thing that we as a SaaS-based provider of security and compliance offerings think first is, "Wow, they must be feeling some heat!" But beyond that, their thinly-veiled attempts to disparage SaaS as a delivery [...]

What? no comment on the DNS thing ?? [extern blog SensePost;]

Posted: 11 Jul 2008 03:51 AM CDT

Mostly we have stayed silent, because too many people have commented too much already.. It was interesting however how Ptacek was quite deftly forced to eat his words by a Dan Kaminsky phone call..

The "I'll tell everyone all during my Vegas talk" angle is an obvious way to pack the room.. but hey, cheaper tricks have been pulled to pack rooms in the past.. [and if anyone didn't need help packing a room, it's Dan.. he has a cult following]

I think Halvar summed up my take on this pretty well:

a) nice find Dan - look forward to checking out the details

b) we should be assuming our gateways are owned by default.. it's why we use SSL and SSH

(I would add one caveat here.. I would still encourage the upgrade, or the move to djb (hey.. you don't have to like him!) because such weak entropy was always a bad idea, and 8 shoulda been killed by now anyway)

I have seen crowds cheer insanely while Dan drank beer during his talk on stage, and marveled at how well he handled the spotlight.. but you have to give him shouts.. this is a novel patch notification technique

[click img for Dan's video pimpage]

Links for 2008-07-10 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 11 Jul 2008 12:00 AM CDT

You want the truth, you can't handle the truth! [StillSecure, After All These Years]

Posted: 10 Jul 2008 10:35 PM CDT

I am not sure what it is with Richard Stiennon. Maybe his mom beat him with a NAC stick when he was young. Hence his Jack Nicholson looks (more like the Joker in Batman than Col Jessep in A Few Good Men) and his total disdain for NAC. In any event Richard never seems to miss a chance to take a pot shot at NAC. I have fired back and debated him many times on this. In fact I am convinced that Richard's problem with NAC is that, like Uncle Joe, he is just moving a little slow. Richard still thinks of NAC as Cisco's network admission control, circa Dec '03. He has not gotten up to speed on anything happening with NAC since. Richard is going to debate NAC with Joel Snyder according to this article by Tim Greene today. My prediction is Snyder by a knockout in 3 rounds or less.

Richard's latest NAC knock comes in a comment on an excellent article by the Hoff. Chris takes a bold stand for someone working for a vendor and calls BS on the whole analyst thing (I will write more about that later in this article). Richard, being an ex-analyst himself (let's face it, with Richard you can take the man out of the analyst job, but you can't take the analyst out of the man), takes exception to Hoff's "whining" (Richard's words, not mine) and tries to tell Hoff that giving up is not the answer and the way to show up analysts is to prove them wrong. Great Richard, you try to prove them wrong when, because of what they report, you don't have a market, can't get any capital and have no visibility. I guess that is when it is time to move on to the next gig, right? Then Richard has a bad NAC deja vu and feels it necessary to write this:

"Look how easy it is to one up the analyst firms, who as near as I can tell support Network Admission Control universally. Everyone except the folks at Updata Ventures know how seriously flawed NAC is with only one viable market, edu."

I assume Richard is referring to Updata recently leading the Bradford Networks VC round. But more importantly Richard it is time to call a code red on you and give you the cold hard truth.  Richard the fact is that the edu market is not the only viable market for NAC.  In fact, one of the biggest customers of NAC is the DoD.  That is right Richard at least 3 of the 4 armed forces use NAC in helping to secure their networks. To paraphrase my friend Col Jessep - Richard, you want the truth, you can't handle the truth!  You sleep securely under the blanket of protection that NAC provides.  If it is good enough to help "clean the sand" out of laptops coming home from SWA (that is SouthWest Asia, like in Iraq and Afghanistan, in case you don't know Richard), it should be good enough for you. Think about that next time you are about to bad mouth NAC.

Let me give you some other truths you may not like Richard.  Why do you think every switch vendor (of which we partner with many of them) is lining up and bringing out NAC solutions?  Why has Microsoft put such a big push on NAP?  Why despite the Luddites like you does NAC still draw crowds at conferences like Interop (ask Joel about that).  Richard we are still signing new major OEM partners.  I am afraid you are the one sadly out of touch on this one Richard.  Just as you are out of touch in missing Hoff's point in his article.

As to Hoff's article, as I said I give Chris credit for speaking his mind. I spend an ungodly amount of my time speaking with analysts and trying to "learn" from them while at the same time trying to educate them. I am constantly amazed that so many analysts (and press for that matter) just take a vendor's word as gospel. I have seen research reports from analysts big and small that I am sure did not have any more research done than calling a handful of vendors and listening to their spiel. Too many of these analysts, if they do speak to customers, base their findings on such a small sample that it is impossible to have an accurate picture.

Personally, like Hoff says, who watches the watchers is the truth. I would like to see a code of conduct among analysts. I would start by dictating that vendors cannot pay analysts. Take the payola out of the equation the way they did to the DJ/radio business in the late 50s. Next, analyst reports have to come with metrics to back up the findings. I want to know how many customers they spoke to, how big they were, how they were found, etc. A vendor giving an analyst a real live "pet" customer is not real research. I want to know if the customer pays the analyst. It is a dirty business.

Hey let me be clear, I play the game as well as the next guy.  But I agree with Hoff we need to clean up the rules to make the whole analyst thing more fair, viable and valuable.


Need MORE Proof That I am Popular in UK! :-) [Anton Chuvakin Blog - "Security Warrior"]

Posted: 10 Jul 2008 06:41 PM CDT

As I said before, my blog was nominated for ComputerWeekly.com blog contest in UK. It looks like I made the final list, so feel free to vote for me in this final stage.
