Thursday, July 17, 2008

Spliced feed for Security Bloggers Network

Cybercapos [Phillip Hallam-Baker's Web Security Blog]

Posted: 17 Jul 2008 08:37 AM CDT

Interesting.


But as I point out in the dotCrime Manifesto, the mafia is old school. It uses the state of the art in business management being developed in the 1920s. The mafia was organized using line management before most US businesses had got there.


The organization of the cyber-gangs is fashioned after today's state of the art. They use online markets for outsourcing. The gangs are global and operate 24 hours a day. If a criminal in Russia finds some commercial information that is relevant in Brazil they can quickly connect to a local criminal who can make use of it.


In many ways the Internet crime rings are replacing the old-style mafia. And just as online commerce eventually merged with traditional e-tail, the same effect will occur in Internet crime. Those same facilities, for example money laundering, can be used for any criminal purpose. A drug ring can launder proceeds through the same network the Internet criminals developed for extracting stolen money.

Are you going to DefCon? Get your Phreak on! [StillSecure, After All These Years]

Posted: 17 Jul 2008 07:20 AM CDT

StillSecure and IOActive are sponsoring a hot party Saturday night at DefCon. I won't be there as I am leaving earlier, but if you are make sure to check it out!

Also, if you write me I might be able to get you on the VIP list.

The Way of Logic into Dan’s DNS Flaw [GNUCITIZEN]

Posted: 17 Jul 2008 05:49 AM CDT

There is a serious flaw in the DNS system and apparently it is a design bug, the types of bugs I like the most. I am very curious to learn what exactly Dan has prepped for us and I get the feeling that we will be deeply shaken by its simplicity.

Although I have no clue what this bug is, and I am also reluctant to pursue its mystery for my own entertainment, I will try to express what it could be by walking you through a simple process of thinking by elimination. Keep in mind that we could have been fooled and put off track with the information that is currently available - a common showmanship trick - so much like Dan :).

So, let’s start with the information that we have:

  • It is a flaw in the DNS system which allows attackers to poison the cache of your nameservers.
  • The patch has to do with randomizing the source port of the standard query response.
  • Although quite serious, Dan is suggesting that it is not the end of the world just yet (probably irrelevant but good to mention).

Then, I would have to conclude that:

  • It has something to do with sending fake/forged responses to the attacked nameserver, due to the fact that the patch is related to randomizing the source port of the standard responses and as such contributes to the increased level of difficulty for a successful forgery.
  • The attacker must know in advance or can predict the transaction ID and given the fact the source port is static, she can then forge a response.
  • It is probably something that can happen but it may not work well for high profile domains such as google.com, microsoft.com, etc. due to being almost persistently cached on quite active nameservers… I don’t know, just suggesting.

That leads to the following:

  • The attack is remote so we can eliminate man-in-the-middle attacks. This means that the attacker is blindly sending packets to the attacked server hoping to poison its cache.
  • Predicting the transaction IDs could be possible but is probably irrelevant to Dan’s advisory, otherwise it would have been old news. Therefore Dan probably knows it in advance and I think that this is where the design bug comes into play.
  • … nothing here.. :) we can disregard this point

Which suggests that:

  • We have a remote blind attack - packet spoofing etc.
  • Dan knows the transaction IDs in advance - of course, the only thing that will save the day is to add a random source port.

Having this in mind:

  • In order to perform the attack we need a simple spoofing/flooding tool.
  • We might need to involve our own DNS server to help us predict or guess the transaction IDs - the design bug, which involves the plethora of DNS magic including CNAMES, A and PTR queries.

And this is where I am pretty much stuck after spending 30 minutes skimming through all news resources and research materials available online. As I said, I will leave the show to Dan and I am looking for some great entertainment this year at Black Hat Las Vegas. If you are interested in learning about some more design bugs, you may want to check out my own poor presentation which I will happily present on the first day of BH.
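The reasoning above reduces to an entropy argument: a blind attacker who knows the resolver's source port only has to guess a 16-bit transaction ID, and randomizing the port multiplies the space the forged responses must cover. The Go program below is an added example written for this page, not code from GNUCITIZEN or from Dan's advisory. It simulates exactly that race: a resolver with one outstanding query and an attacker flooding forged responses, first against a fixed source port and then against a per-query random one. The fixed port 53 and the 1024-65535 ephemeral range are assumptions of the simulation, and the closed-form function is there so the simulated counts can be checked against what probability predicts.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// A resolver accepts a UDP response only if its 16-bit transaction ID and
// its destination port match the ones used for the outstanding query.
// A blind attacker sees neither, so forging a response means guessing both.
type queryID struct {
	txid uint16
	port uint16
}

// Assumptions for the simulation (not taken from the post or the advisory):
// an unpatched resolver always sends from port 53; a patched one picks an
// ephemeral port in 1024-65535 for every query.
const (
	fixedPort = 53
	portLow   = 1024
	portHigh  = 65535
)

// newRNG returns a seeded generator so runs are reproducible.
func newRNG(seed int64) *rand.Rand { return rand.New(rand.NewSource(seed)) }

// newQueryID draws the identifiers the resolver attaches to one outbound query.
func newQueryID(rng *rand.Rand, randomizePort bool) queryID {
	q := queryID{txid: uint16(rng.Intn(1 << 16)), port: fixedPort}
	if randomizePort {
		q.port = uint16(portLow + rng.Intn(portHigh-portLow+1))
	}
	return q
}

// racesWon plays `races` independent queries. In each, the attacker floods
// `perRace` forged responses with guessed TXIDs (and guessed ports when the
// resolver randomizes them) and wins if any guess matches before the real
// answer arrives. The attacker is assumed to know the port when it is fixed,
// which is the whole reason the patch randomizes it.
func racesWon(rng *rand.Rand, randomizePort bool, races, perRace int) int {
	wins := 0
	for i := 0; i < races; i++ {
		target := newQueryID(rng, randomizePort)
		for j := 0; j < perRace; j++ {
			// The attacker's guess is drawn from the same space the resolver draws from.
			if newQueryID(rng, randomizePort) == target {
				wins++
				break
			}
		}
	}
	return wins
}

// winProbability is the closed form for one race: the chance that at least
// one of k uniform guesses hits the single valid (txid, port) pair.
func winProbability(k int, randomizePort bool) float64 {
	space := float64(1 << 16)
	if randomizePort {
		space *= float64(portHigh - portLow + 1)
	}
	return 1 - math.Pow(1-1/space, float64(k))
}

func main() {
	rng := newRNG(1)
	const races, perRace = 2000, 500
	for _, randomized := range []bool{false, true} {
		won := racesWon(rng, randomized, races, perRace)
		fmt.Printf("random port=%-5v won %d of %d races (expected %.4f)\n",
			randomized, won, races, float64(races)*winProbability(perRace, randomized))
	}
}
```

Running it gives on the order of fifteen wins out of 2000 races with the fixed port and none with the randomized one. The closed form says why: 500 guesses against 2^16 transaction IDs is a 0.76% shot per race, while against 2^16 IDs times roughly 2^16 ports it is about one in eight million, and an attacker who can trigger thousands of races will notice the difference.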

Steven J. Vaughan-Nichols is no Nobel economic laureate [StillSecure, After All These Years]

Posted: 17 Jul 2008 12:11 AM CDT

You have to both admire and laugh at zealots and extremists no matter what guise they come in. Whether it be religion, politics or technology they find God's hand guiding you towards their position in every event, good or bad. A perfect example was brought to my attention by Michael Farnum. Steven J. Vaughan-Nichols, the resident Cyber Cynic and Linux zealot at ComputerWorld, has taken the current state of our economy as a message from God that Linux is on a messianic mission to save us from high gas prices, high food prices, the mortgage and credit crisis and those Satans in Redmond. Vaughan-Nichols says that by switching to Linux and other open source products you could save your company, your job and be more secure to boot!

Michael, who is no Microsoft fan boy, points out some obvious pitfalls with Vaughan-Nichols' strategy. I am far from a Microsoft shill myself (now my friend Mitchell might be another story). I personally think it is ludicrous. One thing obvious is the cost of the switch. Economic cycles being what they are, by the time you actually planned and implemented this switch the economy would probably be back on the upswing and the economic reasons for undertaking this drastic a move would be gone. Then you would have the expense of moving over, including training and downtime. I think by the time you are done with doing all this, if the economy hasn't killed your company, the cost of switching will!

I guess that is why Vaughan-Nichols is just a fanatic on ComputerWorld and no one has nominated him for any Nobel prizes or confused him with John Kenneth Galbraith.

RIM BlackBerry Vulnerability Announced [Infosecurity.US]

Posted: 16 Jul 2008 10:54 PM CDT

RIM (NasdaqGS: RIMM) has released a vulnerability announcement detailing issues with the way the BlackBerry Enterprise Server handles distilling PDF attachments. It was also announced via US-CERT. Unfortunately for customers of RIM, and users of the now nearly ubiquitous BlackBerry Smartphone, there is no fix available. However, the issue has now been escalated to the development group at RIM. The company’s statement on the issue: “This issue has been escalated internally to our development team. No resolution time frame is currently available.”

Notwithstanding the lack of mitigation, there is a workaround:

“Prevent the BlackBerry Attachment Service from processing PDF files in a BlackBerry Enterprise Server environment

You can prevent the BlackBerry Attachment Service from processing PDF files by editing the list of file format extensions that the BlackBerry Attachment Service opens, and then preventing the PDF attachment distiller from running on the BlackBerry Attachment Service.

To remove the PDF file extension from the list of supported file format extensions, complete the following actions:

  1. From the Windows® Desktop, open the BlackBerry Server Configuration tool.
  2. Click the Attachment Server tab.
  3. In the Format Extensions field, delete pdf: from the colon–delimited list of extensions.
  4. Click Apply.
  5. Click OK.

Until you prevent the PDF attachment distiller from running, the BlackBerry Attachment Service still detects a PDF file with a renamed extension (in other words, its extension is not .pdf) and attempts to process the file automatically. To prevent the PDF attachment distiller from running, complete the following actions:

  1. On the Windows Desktop, open the BlackBerry Server Configuration tool.
  2. Click the Attachment Server tab.
  3. In the Configuration Option drop-down list, select Attachment Server.
  4. In the Distiller Settings section, next to the distiller name Adobe PDF, clear the check box in the Enabled column.
  5. Click Apply.
  6. Click OK.
  7. On the Windows Desktop, in Administrative Tools, open Services.
  8. Right-click BlackBerry Attachment Service and click Stop.
  9. Right-click BlackBerry Attachment Service and click Start.
  10. Close Services.

In Microsoft® Exchange and Novell® GroupWise® environments, complete the following additional steps:

  1. On the Windows Desktop, in Administrative Tools, open Services.
  2. Right-click BlackBerry Dispatcher and click Stop.
  3. Right-click BlackBerry Dispatcher and click Start.
  4. Close Services.

Important: Restarting certain BlackBerry Enterprise Server services will delay email message delivery to BlackBerry smartphones. For more information, see KB04789.

In IBM® Lotus® Domino® environments, complete the following additional steps:

  1. Open the IBM Lotus Domino Administrator.
  2. Click the Server tab.
  3. Click the Status tab.
  4. Click Server Console.
  5. In the Domino Command field, type tell BES quit and press ENTER.
  6. In the Domino Command field, type load BES and press ENTER.
  7. Close the IBM Lotus Domino Administrator.”

links for 2008-07-17 [Raffy's Computer Security Blog]

Posted: 16 Jul 2008 09:31 PM CDT

Comcast: The start of a new series [Room362.com]

Posted: 16 Jul 2008 09:09 PM CDT

Now, I don’t like to publicly bad mouth companies, but at some point, Comcast’s lack of “service” has got to stop. Well, let me rephrase that: Comcast needs to be held accountable for their utter lack of due diligence. I have been a Comcast customer by default ever since they swallowed the portion of Adelphia that held my area. I say this because only recently, have I actually had a choice in the matter. So, without further ado, here is my latest Tales from Comcast Customer:

Having recently moved, I decided that even though I have a choice, incurring additional “setup” fees for switching services was not something I wanted. So the guy was there 5 days after I moved in, ran the line, and we were hot with both digital cable and speedy internet service. I came home from work, ran some speed tests and was delighted to see that I had just almost tripled my speeds from my previous residence.

Weeks go by, and this line that the Comcast installer ran from the box to my house is still strung across my lawn. I call and they say they will send someone out to put it down as soon as possible.

2 months later, I call again; they cannot see in their system that a request to put a line in the ground was ever submitted. After 20 minutes of trying to ensure that the “Customer Service Representative” fully understood that there was actually, physically, an orange coaxial line, above ground, strung across my front lawn, that was Comcast’s responsibility, she submitted a new request.

1 week after the new request, I come home to a Comcast truck in the driveway. YIPEE! Nope, he was there to fill out the request for a contractor to come and put the line in the ground. So basically he had no purpose in life or in my driveway.

2 weeks after the new request, no contractor, but someone at some point came by my house and spray painted lines on my lawn where my line should be in the ground. (And no, I didn’t miss a call or the contractor coming)

3 weeks after the new request, the wife is fed up and she has me call Comcast after our TV goes out for no apparent reason. Guess what I got when I called? A busy signal. That just doesn’t compute in my head. How is Comcast going to present me with a busy signal for a 24 hour service line? Anyways, the next day I call and actually get through. Now guess what they told me? Nope, they had the request, but it was for September!? The “Customer Service Representative” was nice enough to move it up to this Saturday.

To Be Continued....


Once this event has run its course, it will be filed under “Stupid People” in the links menu, under “Tales of a Comcast Customer: EP1”


Andrew Hay, Now With 100% More CISSP [Andrew Hay]

Posted: 16 Jul 2008 08:36 PM CDT

If you couldn’t guess by the title of this blog post, I have indeed passed my CISSP certification exam (phew). I always reserve my judgement on the usefulness of particular certifications until I actually sit down and attempt them (unlike some people in the industry — you know who you are). Was it worth it? I believe it was. Due to the scope of the exam I forced myself to learn aspects of security that I had neither the reason, nor the desire, to understand. I feel that I have grown as a security professional because of my studies and hope that I can help others with the things that I have learned.

I’d like to give a shout out those people (you know who you are) who either helped me or reassured me that I would succeed. Thanks everyone!

The Last HOPE 2008 [Kees Leune]

Posted: 16 Jul 2008 07:15 PM CDT

While getting ready for the Last HOPE this weekend in New York City, I went through the program. For the time being, my schedule will look like this:

Friday

1100 - 1200 Death Star Threat Modeling (Kevin Williams in Engressia)
1200 - 1300 Citizen Engineer - Consumer Electronics Hacking and Open Source Hardware (Phillip Torrone, Limor Fried in Hopper)
1300 - 1400 From a Black Hat to a Black Suit  - How to Climb the Corporate Security Ladder Without Losing Your Soul (Myrcurial in Turing)
1400 - 1500
1500 - 1600 Introduction to the Open Web Application Security Project (Tom Brennan in Engressia)

Saturday

1000 - 1100 Policy Hacking: Taking Back Public Sector IT (Arjen Kamphuis in Turing)
1100 - 1200 "Off the Grid" Voice/Data Communications (Skip Arey, bernieS in Hopper)
1200 - 1300
1300 - 1400 Keynote address (Steven Levy in Hopper)
1400 - 1500
1500 - 1600
1600 - 1700 Port Knocking and Single Packet Authorization: Practical Deployments (Michael Rash in Engressia)

Sunday

1200 - 1300 What and Who is "Anonymous"? (Alex (DeMiNe0), Dusk, Little Sister, Mike (Sethdood), PokeAnon, Atkins, Ryan "Dr3k" Hannigan  in Turing)
1300 - 1400
1400 - 1500 Featured Speaker (Adam Savage in Hopper)
1500 - 1600
1600 - 1700 Featured Speaker (Jello Biafra in Hopper)
1700 - 1800 No-Tech Hacking (Johnny Long in Turing)

Don't forget that amateur radio operators will meet at calling frequency 147.525 MHz simplex. A special event station W2H will be operating too, so I might hang out with them; I haven't decided yet.

Recent Archimedius Posts on Cloud Computing [ARCHIMEDIUS]

Posted: 16 Jul 2008 06:33 PM CDT

If you've arrived at Archimedius in search of blogs on cloud computing, here are the top cloud computing blogs, in order of views as of July 16 2008:   Who Will Ride the Clouds? (posted June 20): a high-level perspective on the strategic impact of cloud computing on competitive economic advantage between regions and nations.   Will Cloud Computing [...]

Upcoming Webcast- DLP and DAM Together [securosis.com]

Posted: 16 Jul 2008 05:49 PM CDT

On July 29th I’ll be giving a webcast entitled Using Data Leakage Prevention and Database Activity Monitoring for Data Protection. It’s a mix of my content on DLP, DAM and Information Centric security, designed to show you how to piece these technologies together.

It’s sponsored by Tizor, and you can register here (the content, as always, is my independent stuff). Here’s the description:

When it comes to data security, few things are certain, but there is one thing that very few security experts will dispute. Enterprises need a new way of thinking about data security, because traditional data security methods are just not working.

Data Leakage Prevention (DLP) and Database Activity Monitoring (DAM) are two fundamental components of the new security landscape. Predicated on the need to "know" what is actually happening with sensitive data, DLP and DAM address pressing security issues. But despite the value that these two technologies offer, there is a great deal of confusion about what these technologies actually do and how they should be implemented.

At this webinar, Rich Mogull, one of today's most well respected security experts, will clear up the confusion about DLP and DAM.

Rich will discuss:

* The business problems created by a lack of data centric security

* How these problems relate to today's threats and technologies

* What DLP and DAM do and how they fit into the enterprise security environment

* Best practices for creating a data centric security model for your organization

- Rich

Encrypt the whole Net! [Data-Centric Protection and Management]

Posted: 16 Jul 2008 03:58 PM CDT

Now this is a big bite - the folks behind Pirate Bay are developing technology that will allow all traffic between equipped end-points to be encrypted. They are doing this to protect folks from the prying eyes of the authorities - new laws have been passed in Sweden that give the authorities rights to monitor email, web traffic and telephony of individuals. The EFF has a good post about this new law here.

Not sure how all this will be implemented, but will be interesting to follow...

Drowning in disinformation [Phillip Hallam-Baker's Web Security Blog]

Posted: 16 Jul 2008 02:40 PM CDT


Millions of people around the world woke up to see this image from the Iranian news agency on the front page of the morning newspaper.


Although the image is now known to be fake, or to be strictly accurate, manipulated, the damage done by the exposure may be worse than the damage done by the original fakery.


The facts of the situation are now clear: only three of the missiles were launched successfully, as another photograph taken earlier demonstrated. What appears to be the launch of the second missile from the right is actually a combination of the vapor trails from the other two rockets.


The fakers were caught, so what is the problem? Well the problem is that although the fakers were caught this time, we don't know how many times a fake photograph has been used without detection. During the 2004 US Presidential campaign, a photograph purporting to show John Kerry speaking with Jane Fonda was circulated. As with the Iranian forgery, far more people saw the original photograph than the subsequent rebuttal.


But the problem is not just that the fakers may achieve their objective; it's that genuine evidence may be dismissed as fake. One does not need to be unduly Machiavellian to see how creating distrust in photographic evidence might suit a government whose grasp on power depends on control of information.


So what is the solution? Cryptography of course.


Adobe themselves have been concerned about the need to authenticate digital documents for many years. Adobe Acrobat has a built in document authentication feature that uses secure digital signatures.


The Adobe system is great; the only problem is that it only authenticates the document after editing. This is exactly what we want in the case of a contract, but not if the question is the authenticity of a photograph. What we need is a publicly verifiable means of authenticating the original photograph when it is taken by the camera.


While it is highly unlikely that the images taken by the original photographer will be the ones that end up on the Web site, the ability to authenticate the input to a process is essential if there is going to be a possibility of authenticating the process as a whole. For image authentication to be effective it must be integrated into the news-room workflow so that an editor knows which images are coming in from a stringer unmodified and which may have been altered and the reader knows which images came from the paper or wire service unmodified. Alteration may be necessary in some cases, a photograph taken in the field may be too light, too dark or have the wrong color balance because of the lighting used. But when an altered photograph is uploaded there should also be a source image available for verification.


As it happens, Nikon do implement a system of this type in their D3 and D300 cameras. Unfortunately, the details of the authentication scheme are not public and image verification requires an additional software package that requires use of a hardware key.
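The requirement set out above has two parts: a publicly verifiable signature made by the camera over the unmodified capture, and a newsroom workflow that ties every altered image back to a verifiable source. The Go program below is an added example written for this page; it is not Nikon's scheme (whose details, as the post notes, are not public), not Adobe's, and not code from the original post. It uses Ed25519 from the Go standard library, constructed byte strings in place of real image files, and a manifest format and key roles (one key in the camera, one in the newsroom) that are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// newKeyPair generates an Ed25519 key pair. In the scheme sketched here the
// camera holds one (ideally in tamper-resistant hardware) and the newsroom another.
func newKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// captureSign is what the camera does at the moment of capture: sign the
// SHA-256 of the raw image bytes. The signature is bound to exactly those
// bytes, so any later edit, however small, breaks it.
func captureSign(cameraKey ed25519.PrivateKey, raw []byte) []byte {
	digest := sha256.Sum256(raw)
	return ed25519.Sign(cameraKey, digest[:])
}

// verifyOriginal answers "are these bytes exactly what this camera captured?"
func verifyOriginal(cameraPub ed25519.PublicKey, image, cameraSig []byte) bool {
	digest := sha256.Sum256(image)
	return ed25519.Verify(cameraPub, digest[:], cameraSig)
}

// manifest is published alongside an edited image (assumed format). It names
// the unmodified source by hash, carries the camera's signature over that
// source, names the edit derived from it, and is signed by the newsroom so
// readers know who vouches for the derivation.
type manifest struct {
	sourceHash [32]byte
	cameraSig  []byte // 64 bytes for Ed25519
	editHash   [32]byte
	editorSig  []byte
}

// body is the byte string the newsroom signs. All three fields have fixed
// lengths, so plain concatenation is unambiguous.
func (m manifest) body() []byte {
	return bytes.Join([][]byte{m.sourceHash[:], m.cameraSig, m.editHash[:]}, nil)
}

// publishEdit is the newsroom side: record which camera-signed source the
// edit derives from and sign the whole statement.
func publishEdit(editorKey ed25519.PrivateKey, source, cameraSig, edited []byte) manifest {
	m := manifest{
		sourceHash: sha256.Sum256(source),
		cameraSig:  cameraSig,
		editHash:   sha256.Sum256(edited),
	}
	m.editorSig = ed25519.Sign(editorKey, m.body())
	return m
}

// verifyEdit is the reader side. It checks that the newsroom really issued
// this manifest, that the published bytes are the edit it describes, that the
// supplied source is the one the edit was derived from, and finally that the
// camera signed that source.
func verifyEdit(cameraPub, editorPub ed25519.PublicKey, source, published []byte, m manifest) bool {
	if !ed25519.Verify(editorPub, m.body(), m.editorSig) {
		return false
	}
	if sha256.Sum256(published) != m.editHash || sha256.Sum256(source) != m.sourceHash {
		return false
	}
	return ed25519.Verify(cameraPub, m.sourceHash[:], m.cameraSig)
}

func main() {
	cameraPub, cameraKey := newKeyPair()
	editorPub, editorKey := newKeyPair()

	raw := []byte("constructed stand-in for the RAW file written by the camera") // constructed, not a real image
	sig := captureSign(cameraKey, raw)
	fmt.Println("original verifies:", verifyOriginal(cameraPub, raw, sig))

	doctored := append([]byte(nil), raw...)
	doctored[0] ^= 1 // a one-bit change, the equivalent of a cloned vapour trail
	fmt.Println("doctored verifies:", verifyOriginal(cameraPub, doctored, sig))

	edited := []byte("constructed stand-in for the colour-corrected JPEG") // legitimate edit, constructed
	m := publishEdit(editorKey, raw, sig, edited)
	fmt.Println("edit with its source verifies:", verifyEdit(cameraPub, editorPub, raw, edited, m))
	fmt.Println("edit with a swapped source verifies:", verifyEdit(cameraPub, editorPub, doctored, edited, m))
}
```

The point of the manifest is the one the post makes about workflow: the colour-corrected JPEG cannot carry the camera's signature, so instead the newsroom publishes, under its own key, the statement "this edit was made from that camera-signed source", and anyone holding the source can check both links of the chain.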

Stolen Data Cheaper [securosis.com]

Posted: 16 Jul 2008 01:10 PM CDT

It’s rare I laugh out loud when reading the paper, but I did on this story. It is a great angle on a moribund topic, saying that there is such a glut of stolen finance and credit data for sale that it is driving prices down.

LONDON (Reuters) - Prices charged by cybercriminals selling hacked bank and credit card details have fallen sharply as the volume of data on offer has soared, forcing them to look elsewhere to boost profit margins, a new report says.

The thieves are true capitalists, and now they are experiencing one of the downsides of their success. What do you know, “supply and demand” works. And what exactly are they going to do to boost profit margins? Sell extended warranties? Maybe it is just the latent marketeer in me coming to the fore, but could you just imagine if hackers made television commercials to sell their wares? Cal Hackington? Crazy Eddie’s Datamart?

It’s time to short your investments in Cybercriminals, Inc.

-Adrian

Writing a book: The Proposal [Emergent Chaos]

Posted: 16 Jul 2008 12:45 PM CDT

To start from the obvious, book publishers are companies, hoping to make money from the books they publish. If you'd like your book to be on this illustrious list, you need an idea for a book that will sell. This post isn't about how to come up with the idea, it's about how to sell it.

In a mature market, like the book market, you need some way to convince the publisher that thousands of people will buy your book. Some common ways to do this are to be the first or most comprehensive book on some new technology. You can be the easiest to understand. You can try to become the standard textbook. The big problem with our first proposal was that we wanted to write a book on how managers should make security decisions.

That book didn't get sold. We might rail against the injustice, or we might accept that publishers know their business better than we do. Problems with the idea include that there aren't a whole lot of people who manage security, and managers don't read a lot of books. (Or so we were told by several publishers.) We didn't identify a large enough market.

So a proposal for a new book has to do two main things: first identify a market niche that your idea will sell, and second, convince the publisher that you can write. You do that with an outline and a sample chapter. Those are the core bits of a proposal. There are other things, and most publishers have web sites like Addison Wesley's Write for us or Writing For O'Reilly. Think of each of these as a reason for some mean editor who doesn't understand you to disqualify your book, and make sure you don't give them that reason.

With our first proposal, we gave them that reason. Fortunately, both Jessica Goldstein (Addison Wesley) and Carol Long (Wiley) gave us really clear reasons for not wanting our book. We listened, and put some lipstick on our pig of a proposal.

Funny thing is, that lipstick changed our thinking about the book and how we wrote it. For the better.

Google will Unleash the Cannibals on Microsoft [ARCHIMEDIUS]

Posted: 16 Jul 2008 12:40 PM CDT

As the battleground between Microsoft and VMware takes shape with the launch of Microsoft’s Hyper-V, I've talked about what VMware should do as well as how Hyper-V could prevail.  While this is a critical battle for both companies, it is only a precursor for Microsoft as Google looks to be launching the cannibals of commoditization [...]

Oracle for HP OpenView Critical Flaw Announced, Fixed [Infosecurity.US]

Posted: 16 Jul 2008 11:35 AM CDT

Hewlett Packard (NYSE: HPQ) has announced a Critical Vulnerability in their HP Oracle for OpenView product. Current customers are strongly urged to install the Oracle July 2008 CPU.

SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c00727143
Version: 9
HPSBMA02133 SSRT061201 rev.9 - HP Oracle for OpenView (OfO) Critical Patch Update
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2006-07-19
Last Updated: 2008-07-15
Potential Security Impact: Local or remote compromise of confidentiality, availability, integrity.
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Oracle® has issued a Critical Patch Update which contains solutions for a number
of potential security vulnerabilities. These vulnerabilities may be exploited locally or
remotely to compromise the confidentiality, availability or integrity of Oracle for OpenView (OfO).
References: CVE-2008-1666, Oracle Critical Patch Update
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Oracle for OpenView (OfO) v8.1.7, v9.1.01, v9.2, v9.2.0, v10g, v10gR2 running on HP-UX, Tru64 UNIX, Linux, Solaris, and Windows.
BACKGROUND
Oracle is a registered U.S. trademark of the Oracle Corporation, Redwood City, California.
Oracle has issued Critical Patch Update - July 2008. For more information:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
Information about previous Oracle Critical Patch Updates can be found here:
http://www.oracle.com/technology/deploy/security/alerts.htm
The following products are affected:
ORA200BC OfO v8.1.7 for HP-UX LTU
ORA205BC OfO v8.1.7 for HP-UX 5 LTU Bundle
ORA230BC OfO v8.1.7 for HP-UX Media
ORA240BC OfO v8.1.7 for HP-UX Eval LTU & Media
ORA300BC OfO v8.1.7 for Win 2000/NT LTU
ORA305BC OfO v8.1.7 for Win 2000/NT 5 LTU Bundle
ORA330BC OfO v8.1.7 for Win 2000/NT Media
ORA340BC OfO v8.1.7 for Win 2000/NT Eval LTU
ORA400BC OfO v8.1.7 for Sun Solaris LTU
ORA405BC OfO v8.1.7 for Sun Solaris 5 LTU Bundle
ORA430BC OfO v8.1.7 for Sun Solaris Media
ORA440BC OfO v8.1.7 for Sun Solaris Eval LTU
ORA600CA OfO for Linux LTU
ORA605CA OfO for Linux LTU Service Bureaus Bundle
ORA631EE Oracle EE v9.2 HP-UX - 1 CPU LTU
ORA631SE Oracle SE 9v.2 HP-UX - 1 CPU LTU
ORA230CA OfO v9.2 64bit HP-UX 11&11.11 Media Kit
ORA643EE Oracle EE v9.2 Windows - 1 CPU LTU
ORA643SE Oracle SE v9.2 Windows - 1 CPU LTU
ORA330CA OfO v9.2 32bit Windows Media Kit
ORA637EE Oracle EE v9.2 Solaris 64 - 1 CPU LTU
ORA634SE Oracle SE v9.2 Solaris 32 - 1 CPU LTU
ORA637SE Oracle SE v9.2 Solaris 64 - 1 CPU LTU
ORA430CA OfO v9.2 32bit Sun Solaris 2.7&2.8 Media
ORA431CA OfO v9.2 64bit Sun Solaris 2.7&2.8 Media
ORA646EE Oracle EE v9.2 Tru64 - 1 CPU LTU
ORA646SE Oracle SE v9.2 Tru64 - 1 CPU LTU
ORA530CA OfO v9.1.01 64bit Tru64 V5.1a Media Kit
ORA640EE Oracle EE v9.2 Linux - 1 CPU LTU
ORA640SE Oracle SE v9.2 Linux - 1 CPU LTU
ORA630CA OfO v9.2.0 for Linux Media Kit
T2607AA Oracle for OpenView Partition Opt LTU
T3847EE Oracle v10g EE HP-UX , 1 CPU LTU
T3847SE Oracle v10g SE HP-UX , 1 CPU LTU
T3848AA Oracle v10g EE/SE HP-UX PA-RISC 64, Media
T3847AA Oracle v10g EE/SE HP-UX Itanium, Media
T3843EE Oracle v10g EE Windows 32, 1 CPU LTU
T3843SE Oracle v10g SE Windows 32, 1 CPU LTU
T3843AA Oracle v10g EE/SE Windows 32, Media
T3844EE Oracle v10g EE Solaris 64, 1 CPU LTU
T3844SE Oracle v10g SE Solaris 64, 1 CPU LTU
T3844AA Oracle v10g EE/SE Solaris 64, Media
T3849EE Oracle v10g EE Tru64, 1 CPU LTU
T3849SE Oracle v10g SE Tru64, 1 CPU LTU
T3849AA Oracle v10g EE/SE Tru64, Media
T3845EE Oracle v10g EE Linux, 1 CPU LTU
T3845SE Oracle v10g SE Linux, 1 CPU LTU
T3846AA Oracle v10g EE/SE Linux x86-32, Media
T3845AA Oracle v10g EE/SE Linux x86-64, Media
T4855EE Oracle v10gR2 EE HP-UX , 1 CPU LTU
T4855AA Oracle v10gR2 EE/SE HP-UX PA-RISC 64, Media
T4856AA Oracle v10gR2 EE/SE HP-UX Itanium, Media
T4857EE Oracle v10gR2 EE Windows 32, 1 CPU LTU
T4857SE Oracle v10gR2 SE Windows 32, 1 CPU LTU
T4857AA Oracle v10gR2 EE/SE Windows 32, Media
T4858EE Oracle v10gR2 EE Solaris 64, 1 CPU LTU
T4858SE Oracle v10gR2 SE Solaris 64, 1 CPU LTU
T4858AA Oracle v10gR2 EE/SE Solaris 64, Media
T4860EE Oracle v10gR2 EE Linux, 1 CPU LTU
T4860SE Oracle v10gR2 SE Linux, 1 CPU LTU
T4860AA Oracle v10gR2 EE/SE Linux x86-32, Media
ORA200CA OfO v9.2 64bit HP-UX 11&11.11 LTU
ORA205CA OfO v9.2 64bit HP-UX 11&11.11 5 LTUs
ORA230CA OfO v9.2 64bit HP-UX 11&11.11 Media Kit
ORA300CA OfO v9.2 32bit Windows LTU
ORA305CA OfO v9.2 32bit Windows 5 LTUs
ORA330CA OfO v9.2 32bit Windows Media Kit
ORA400CA OfO v9.2 32bit Sun Solaris 2.7&2.8 LTU
ORA401CA OfO v9.2 64bit Sun Solaris 2.7&2.8 LTU
ORA405CA OfO v9.2 32bit Sun Solaris 2.7&2.8 5 LTU
ORA406CA OfO v9.2 64bit Sun Solaris 2.7&2.8 5 LTU
ORA430CA OfO v9.2 32bit Sun Solaris 2.7&2.8 Media
ORA431CA OfO v9.2 64bit Sun Solaris 2.7&2.8 Media
ORA500CA OfO v9.1.01 64bit Tru64 V5.1a LTU Ent.Ed
ORA505CA OfO v9.1.01 64bit Tru64 V5.1a LTU
ORA530CA OfO v9.1.01 64bit Tru64 V5.1a Media Kit
ORA600CA Oracle for OpenView for Linux LTU
ORA605CA OfO for Linux LTU Service Bureaus Bundle
ORA630CA OfO v9.2.0 for Linux Media Kit
T3848AA Oracle v10g EE/SE HP-UX PA-RISC 64, Media
T3847AA Oracle v10g EE/SE HP-UX Itanium, Media
T3843AA Oracle v10g EE/SE Windows 32, Media
T3844AA Oracle v10g EE/SE Solaris 64, Media
T3844AA Oracle v10g EE/SE Solaris 64, Media
T3849AA Oracle v10g EE/SE Tru64, Media
T3846AA Oracle v10g EE/SE Linux x86-32, Media
T3845AA Oracle v10g EE/SE Linux x86-64, Media
T4862AA Oracle v10g R2 EE HP-UX 1-Sys LTU
T4863AA Oracle v10g R2 EE HP-UX 5-Sys LTU
T4864AA Oracle v10g R2 EE HP-UX Itanium 1-Sys LTU
T4865AA Oracle v10g R2 EE HP-UX Itanium 5-Sys LTU
T4866AA Oracle v10g R2 EE Windows 1-Sys LTU
T4867AA Oracle v10g R2 EE Solaris 1-Sys LTU
T4868AA Oracle v10g R2 EE Solaris 5-Sys LTU
T4869AA Oracle v10g R2 EE Linux 1-Sys LTU
RESOLUTION
Note: This will be the last revision of this Security Bulletin. Customers should monitor the Oracle site for future Critical Patch Updates. The schedule for future Oracle Critical Patch Updates is available here: http://www.oracle.com/technology/deploy/security/alerts.htm
Oracle for OpenView (OfO) customers who have support contracts directly
with Oracle should obtain the “Critical Patch Update - July 2008″ from Oracle.
Oracle for OpenView (OfO) customers who have support with Hewlett-Packard should
contact their normal support channel to obtain the “Critical Patch Update - July 2008.”
For support contract information, please visit:
http://www.hp.com/managementsoftware/contract_maint
MANUAL ACTIONS: Yes - NonUpdate
Install the Oracle Critical Patch Update - July 2008.
Monitor Oracle site for future Critical Patch Updates.
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS (for HP-UX)
HP-UX B.11.11
HP-UX B.11.23
===========
action: If Oracle for OpenView (OfO) is installed, install the Oracle Critical Patch Update - July 2008. Monitor Oracle site for future Critical Patch Updates.
END AFFECTED VERSIONS (for HP-UX)
Note: Since Oracle for OpenView (OfO) is not installed using swinstall (1M), the HP-UX Software Assistant cannot determine whether it is present on an HP-UX system. Customer maintained configuration documentation should be consulted to determine whether Oracle for OpenView (OfO) is installed.
HISTORY
Version:1 (rev.1) - 19 July 2006 Initial release “Critical Patch Update - July 2006”
Version:2 (rev.2) - 23 October 2006 “Critical Patch Update - October 2006” is available
Version:3 (rev.3) - 22 January 2007 “Critical Patch Update - January 2007” is available
Version:4 (rev.4) - 18 April 2007 “Critical Patch Update - April 2007” is available
Version:5 (rev.5) - 18 July 2007 “Critical Patch Update - July 2007” is available
Version:6 (rev.6) - 24 October 2007 “Critical Patch Update - October 2007” is available, added v10g and v10gR2
Version:7 (rev.7) - 16 January 2008 “Critical Patch Update - January 2008” is available
Version:8 (rev.8) - 16 April 2008 “Critical Patch Update - April 2008” is available
Version:9 (rev.9) - 15 July 2008 Last revision of this Security Bulletin
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer’s patch management policy.

Multiple Oracle Database Server Security Flaws Announced [Infosecurity.US]

Posted: 16 Jul 2008 11:10 AM CDT

This morning brought significant announcements from several security research and consulting organizations targeting Oracle (NasdaqGS: ORCL) Database Server vulnerabilities ranging from cross-site scripting issues to advanced queuing challenges. iDefense Labs released (at least) three advisories: the first, a local untrusted library path vulnerability; the second, a remote exploitation of a buffer overflow vulnerability in the DBMS_AQELM package; and the third, a remote exploitation of a pre-authentication input validation vulnerability in OID (Oracle Internet Directory). According to the notation in each advisory, the iDefense vulnerabilities are addressed in the July Critical Patch Update. Whilst iDefense has been busy, let us not forget David Litchfield at NGSSoftware, who announced yet another flaw, this time an injection flaw in the Oracle Application Server PL/SQL engine; Oracle has made a patch available for this issue.

San Francisco Needs A Really Good Pen Tester [securosis.com]

Posted: 16 Jul 2008 09:36 AM CDT

Direct from the “you can’t make this up” department, this news started floating around a couple days ago:

JULY 15, 2008 | 11:55 AM — Right now, San Francisco computer experts are frantically trying to crack an exclusive administrative password of one of their former computer engineers who's sitting in jail for basically holding the city's new multimillion-dollar network hostage.

Terry Childs, 43, is cooling his heels in the slammer on charges of computer tampering for configuring sole admin control of the city's new FiberWAN network so that no other IT officials can have administrative rights to the network, which contains email, payroll, law enforcement, and inmate booking files’ apps and data, according to a published report.

Childs apparently gave some passwords to police that didn't work, and refused to give up his magic credentials when they threatened to arrest him. Seems he set up the password lockout to ensure he didn't get fired after he was cited for poor performance on the job.

There really isn’t much to say, but if you are a kick ass pen tester in the Bay area (perhaps someone booked for a lewd offense you wouldn’t like to see plastered on the Internet) I suspect there’s a potential gig out there for you.

-Rich

Linus on Information Security People [Donkey On A Waffle]

Posted: 16 Jul 2008 09:25 AM CDT

Our favorite quote machine, Linus Torvalds, in a recent email to the Linux kernel developers' mailing list, had this to say:

On Tue, 15 Jul 2008, Linus Torvalds wrote:

> So as far as I'm concerned, "disclosing" is the fixing of the bug. It's the "look at the source" approach.

Btw, and you may not like this, since you are so focused on security, one reason I refuse to bother with the whole security circus is that I think it glorifies - and thus encourages - the wrong behavior.

It makes "heroes" out of security people, as if the people who don't just fix normal bugs aren't as important.

In fact, all the boring normal bugs are _way_ more important, just because there's a lot more of them. I don't think some spectacular security hole should be glorified or cared about as being any more "special" than a random spectacular crash due to bad locking.

Security people are often the black-and-white kind of people that I can't stand. I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them.

To me, security is important. But it's no less important than everything *else* that is also important!

Linus

Well here's to you Linus! Three cheers and a wonderful dirty picture!

Upcoming: Database Encryption Whitepaper [securosis.com]

Posted: 16 Jul 2008 08:15 AM CDT

We are going to be working on another paper with SANS- this time on database encryption. This is a technology that offers consumers considerable advantages in meeting security and compliance challenges, and we have been getting customer inquiries on what the available options are. As encryption products have continued to mature over the last few years, we think it is a good time to delve into this subject. If you’re on the vendor side and interested in sponsorship, drop us a line. You don’t get to influence the content, but we get really good exposure with these SANS papers.

-Adrian

It was only a matter of time… [BumpInTheWire.com]

Posted: 15 Jul 2008 10:42 PM CDT

After having LANenforcer 2024s in our environment for almost a year now I finally came across something that I actually wish was different.  And that is the ability to turn on/off the IPS functionality per port pair instead of globally.  It would be nice to be able to turn it off for one port pair and on for another port pair.  The basis for this?  We have our IPS in “detect only” mode right now.  Today El Sidekick got the external interfaces on the NetScaler demo unit configured.  I was looking at the dashboard and I started seeing SQL Slammer events being logged from outside sources.  After a momentary “oh shit” moment I realized what was happening.  I had a short lived freak-out because all of our LE “bumps” are behind firewalls at this location.  Seeing port 1433 traffic on a LE behind a firewall caused my heart to skip a beat…that port is not open on any of our firewalls!  Ahhh, young Grasshopper.  Do not get excited until you fully understand what you are looking at.  The NetScaler straddles the firewall.  As soon as the external IP addresses were live that pesky SQL Slammer traffic started being logged.  That is why I think it would be nice to turn the IPS on per port pair instead of globally.

Side note #2…why the hell is that SQL Slammer worm still running wild?  That stupid worm came out over 5 years ago.

It's Good to Play Well With Others [BumpInTheWire.com]

Posted: 15 Jul 2008 10:16 PM CDT

I came across this article tonight about Project Kensho, a set of tools by Citrix Systems that allows virtual environments to be more independent of hypervisors.  I think Simon Crosby, the CTO of the Virtualization and Management Division at Citrix, is spot on with this.

Every large customer I talk to doesn’t want to bet the farm on just one vendor.

That’s us.  We plan on trying XenServer once time allows.  You’d have to think that XenApp will be better suited for XenServer than ESX, right?

Side note…am I the only one having trouble adjusting to Network World’s new layout?

Breach notice primary sources [Emergent Chaos]

Posted: 15 Jul 2008 09:16 PM CDT

Today on the Dataloss mailing list, a contributor asked whether states in addition to New Hampshire and Maryland make breach notification letters available on-line.

I responded thusly (links added for this blog post):

I know only of NH and MD. NY and NC have been asked to do it, but have no plans to. NJ won't do it because the reports are held by the state police and not considered public. IN had that provision stripped from their revised law. I saw no evidence that ME has them on-line at the AG's site. Unless I missed any, those are all the states with central reporting.

I personally have several hundred notices to NY and NC that I am slowly scanning and making available. Unfortunately, my site is off the net for probably a couple weeks.

A later response pointed out that Wisconsin publishes some data as well. Actually, so does New York, but it's pretty measly.

I forgot to mention in my email that California also considered central reporting -- including a web site -- as part of an update to its breach law. We blogged about this at the time. I understand these features were cut because of lack of resources.

EC reader Iang made a perspicacious comment at the time:

At some stage we have to think about open governance being run by the people. That is, expect to see some quality control from open institutions, ones that arise for a need. E.g., blogs like this and other aggregators of info.

I am very happy to report that the Open Security Foundation yesterday announced just such a resource. The press release tells the story, but basically it's crowd-sourcing information on breaches. I am very enthusiastic about getting my primary sources archive back on-line so that I can link with, and otherwise contribute to, this new DataLossDB.

S.F. officials locked out of computer network [Vincent Arnold]

Posted: 15 Jul 2008 07:29 PM CDT

(07-14) 19:23 PDT SAN FRANCISCO — A disgruntled city computer engineer has virtually commandeered San Francisco’s new multimillion-dollar computer network, altering it to deny access to top administrators even as he sits in jail on $5 million bail, authorities said Monday.

Terry Childs, a 43-year-old computer network administrator who lives in Pittsburg, has been charged with four counts of computer tampering and is scheduled to be arraigned today.

Source

Oracle Critical Patch Update- Patch OAS Now!!! [securosis.com]

Posted: 15 Jul 2008 06:06 PM CDT

I was just in the process of reviewing the details on the latest Oracle Critical Patch Advisory for July 2008 and found something a bit frightening. As in could let any random person own your database frightening.

I am still sifting through the database patches to see what is interesting. I did not see much in the database section, but while reading through the document something looked troubling. When I see language that says “vulnerabilities may be remotely exploitable without authentication” I get very nervous. CVE-2008-2589 does not show up on cve.mitre.org, but a quick Google search turns up Nate McFeters’ comments on David Litchfield’s disclosure of the details on the vulnerability.

Basically, it allows a remote attacker without a user account to slice through your Oracle Application Server and directly modify the database. If you have any external OAS instance you probably don’t have long to get it patched.

I am not completely familiar with the WWV_RENDER_REPORT package, but its use is not uncommon. It appears that the web server is allowing parameters to pass through unchecked. As the package is owned by the web server user, whatever is injected will be able to perform any action that the web server account is authorized to do. Remotely. Yikes!

I will post more comments on this patch in the future, but it is safe to assume that if you are running Oracle Application Server versions 9 or 10, you need to patch ASAP! Why Oracle has given this a base score of 6.4 is a bit of a mystery (see more on Oracle’s scoring), but that is neither here nor there. I assume that word about a remote SQL injection attack that does not require authentication will spread quickly.

Patch your app servers.

-Adrian

Best Practices For Endpoint DLP: Part 4, Best Practices for Deployment [securosis.com]

Posted: 15 Jul 2008 05:27 PM CDT

We started this series with an overview of endpoint DLP, and then dug into endpoint agent technology. We closed out our discussion of the technology with agent deployment, management, policy creation, enforcement workflow, and overall integration.

Today I’d like to spend a little time talking about best practices for initial deployment. The process is extremely similar to that used for the rest of DLP, so don’t be surprised if this looks familiar. Remember, it’s not plagiarism when you copy yourself. For initial deployment of endpoint DLP, our main concerns are setting expectations and working out infrastructure integration issues.

Setting Expectations

The single most important requirement for any successful DLP deployment is properly setting expectations at the start of the project. DLP tools are powerful, but far from a magic bullet or black box that makes all data completely secure. When setting expectations you need to pull key stakeholders together in a single room and define what’s achievable with your solution. All discussion at this point assumes you’ve already selected a tool. Some of these practices deliberately overlap steps during the selection process, since at this point you’ll have a much clearer understanding of the capabilities of your chosen tool.

In this phase, you discuss and define the following:

  1. What kinds of content you can protect, based on the content analysis capabilities of your endpoint agent.
  2. How these compare to your network and discovery content analysis capabilities. Which policies can you enforce at the endpoint? When disconnected from the corporate network?
  3. Expected accuracy rates for those different kinds of content: for example, you’ll have a much higher false positive rate with statistical/conceptual techniques than with partial document or database matching.
  4. Protection options: Can you block USB? Move files? Monitor network activity from the endpoint?
  5. Performance- taking into account differences based on content analysis policies.
  6. How much of the infrastructure you’d like to cover.
  7. Scanning frequency (days? hours? near continuous?).
  8. Reporting and workflow capabilities.
  9. What enforcement actions you’d like to take on the endpoint, and which are possible with your current agent capabilities.
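
The accuracy point in item 3 is easier to see with the three kinds of engine side by side. What follows is an added Python example, not code from the Securosis series or from any DLP product: the protected document, the account numbers, the scanned files, the salt and the thresholds are all constructed for illustration, and a regex stands in for the low-precision end of the spectrum (real statistical/conceptual classifiers are more elaborate, but share the property of matching the shape of content rather than registered content). Partial-document matching fingerprints overlapping word windows of a registered document, and database matching hashes registered values, so a verbatim leak is caught while a harmless file that merely looks like PII is not.

```python
"""Three content-analysis engines of the kinds contrasted in item 3 above.

Added example; not code from the Securosis series or from any DLP product.
All documents, account numbers, the salt and the thresholds are constructed.
"""
import hashlib
import re
from dataclasses import dataclass

# --- Constructed sample data -------------------------------------------------

# Engineering document the DLP team registered for partial-document matching.
PROTECTED_DOC = (
    "Project Heron thrust vectoring uses a dual gimbal with 14 degree authority "
    "and a titanium yoke. Control loop runs at 400 Hz on the redundant FPGA pair. "
    "Vendor part numbers are listed in appendix C of the integration plan."
)

# Customer account numbers registered for database matching.
KNOWN_ACCOUNTS = ["4417-2209-5531", "7720-0031-9944"]

# Files an endpoint agent might scan: one leaks a verbatim sentence of the
# protected doc, one leaks a registered account number, and one is a harmless
# expense report whose invoice number merely looks like a national ID.
SCANNED_FILES = {
    "notes.txt": ("Reminder for the supplier call: Control loop runs at 400 Hz "
                  "on the redundant FPGA pair. Ask about lead times."),
    "export.csv": "customer,account\nAcme,4417-2209-5531\n",
    "expenses.txt": "Invoice 123-45-6789 paid on 2008-07-15, total 84.20.",
}

SALT = b"example-deployment-salt"  # assumption: a per-deployment secret
SHINGLE_SIZE = 5                    # words per fingerprinted chunk
SHINGLE_THRESHOLD = 3               # shared chunks needed to flag a file


def _digest(value: str) -> str:
    """Salted hash so the agent carries fingerprints, never the secrets."""
    return hashlib.sha256(SALT + value.encode()).hexdigest()


def _words(text: str) -> list:
    """Lower-case, strip punctuation, split: defeats trivial reformatting."""
    return re.sub(r"[^a-z0-9 ]+", " ", text.lower()).split()


def shingles(text: str, k: int = SHINGLE_SIZE) -> set:
    """Hashes of every k-word window; the fingerprint of a document."""
    w = _words(text)
    return {_digest(" ".join(w[i:i + k])) for i in range(len(w) - k + 1)}


# Fingerprints are computed once when policies are pushed to the agent.
PROTECTED_FINGERPRINT = shingles(PROTECTED_DOC)
ACCOUNT_DIGESTS = {_digest(re.sub(r"\D", "", a)) for a in KNOWN_ACCOUNTS}


def partial_document_match(text: str) -> int:
    """Partial-document matching: number of registered chunks found verbatim."""
    return len(shingles(text) & PROTECTED_FINGERPRINT)


def database_match(text: str) -> int:
    """Database matching: exact hits on registered values, delimiters ignored."""
    candidates = {re.sub(r"\D", "", t) for t in re.findall(r"\d[\d-]{8,}\d", text)}
    return len({_digest(c) for c in candidates} & ACCOUNT_DIGESTS)


def pattern_match(text: str) -> list:
    """Low-precision stand-in: anything shaped like a 3-2-4 digit identifier."""
    return re.findall(r"\b\d{3}-\d{2}-\d{4}\b", text)


@dataclass
class Verdict:
    name: str
    pattern_hits: list
    db_hits: int
    shared_chunks: int

    def flagged_by(self) -> list:
        """Which engines would raise an incident for this file."""
        engines = []
        if self.pattern_hits:
            engines.append("pattern")
        if self.db_hits:
            engines.append("database")
        if self.shared_chunks >= SHINGLE_THRESHOLD:
            engines.append("partial-document")
        return engines


def scan(files: dict = None) -> dict:
    """Run all three engines over each file and collect verdicts."""
    files = SCANNED_FILES if files is None else files
    return {
        name: Verdict(name, pattern_match(body), database_match(body),
                      partial_document_match(body))
        for name, body in files.items()
    }


if __name__ == "__main__":
    for v in scan().values():
        print(f"{v.name:13s} pattern={len(v.pattern_hits)} db={v.db_hits} "
              f"chunks={v.shared_chunks} -> {v.flagged_by() or ['clean']}")
```

Run as a script it prints one verdict per file: notes.txt is flagged only by partial-document matching (seven of its five-word chunks are verbatim from the registered document), export.csv only by database matching, and expenses.txt only by the pattern engine, which is the false positive the item warns about. The design choice worth noting for an endpoint agent is that only salted digests leave the server, so a stolen or disconnected laptop does not carry the registered document or the account list in the clear.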

It’s extremely important to start defining a phased implementation. It’s completely unrealistic to expect to monitor every last endpoint in your infrastructure with an initial rollout. Nearly every organization finds they are more successful with a controlled, staged rollout that slowly expands breadth of coverage and types of content to protect.

Prioritization

If you haven’t already prioritized your information during the selection process, you need to pull all major stakeholders together (business units, legal, compliance, security, IT, HR, etc.) and determine which kinds of information are more important, and which to protect first. I recommend you first rank major information types (e.g., customer PII, employee PII, engineering plans, corporate financials), then re-order them by priority for monitoring/protecting within your DLP tool.

In an ideal world your prioritization should directly align with the order of protection, but while some data might be more important to the organization (engineering plans) other data may need to be protected first due to exposure or regulatory requirements (PII). You’ll also need to tweak the order based on the capabilities of your tool.

After you prioritize information types to protect, run through and determine approximate timelines for deploying content policies for each type. Be realistic, and understand that you’ll need to both tune new policies and leave time for the organization to become comfortable with any required business changes. Not all policies work on endpoints, and you need to determine how you’d like to balance endpoint with network enforcement.

We’ll look further at how to roll out policies and what to expect in terms of deployment times later in this series.

Workstation and Infrastructure Integration and Testing

Despite constant processor and memory improvements, our endpoints are always in a delicate balance between maintenance tools and a user’s productivity applications. Before beginning the rollout process you need to perform basic testing with the DLP endpoint agent under different circumstances on your standard images. If you don’t use standard images, you’ll need to perform more in depth testing with common profiles.

During the first stage, deploy the agent to test systems with no active policies and see if there are any conflicts with other applications or configurations. Then deploy some representative policies, perhaps taken from your network policies. You’re not testing these policies for actual deployment, but rather looking to test a range of potential policies and enforcement actions so you have a better understanding of how future production policies will perform. Your goal in this stage is to test as many options as possible to ensure the endpoint agent is properly integrated, performs satisfactorily, enforces policies effectively, and is compatible with existing images and other workstation applications. Make sure you test any network monitoring/blocking, portable storage control, and local discovery performance. Also test the agent’s ability to monitor activity when the endpoint is remote, and properly report policy violations when it reconnects to the enterprise network.

Next (or concurrently), begin integrating the endpoint DLP into your larger infrastructure. If you’ve deployed other DLP components you might not need much additional integration, but you’ll want to confirm that users, groups, and systems from your directory services match which users are really on which endpoints. While with network DLP we focus on capturing users based on DHCP address, with endpoint DLP we concentrate on identifying the user during authentication. Make sure that, if multiple users are on a system, you properly identify each so policies are applied appropriately.

Define Process

DLP tools are, by their very nature, intrusive. Not in terms of breaking things, but in terms of the depth and breadth of what they find. Organizations are strongly advised to define their business processes for dealing with DLP policy creation and violations before turning on the tools. Here’s a sample process for defining new policies:

  1. Business unit requests policy from DLP team to protect a particular content type.
  2. DLP team meets with business unit to determine goals and protection requirements.
  3. DLP team engages with legal/compliance to determine any legal or contractual requirements or limitations.
  4. DLP team defines draft policy.
  5. Draft policy tested in monitoring (alert only) mode without full workflow, and tuned to acceptable accuracy.
  6. DLP team defines workflow for selected policy.
  7. DLP team reviews final policy and workflow with business unit to confirm needs have been met.
  8. Appropriate business units notified of new policy and any required changes in business processes.
  9. Policy deployed in production environment in monitoring mode, but with full workflow enabled.
  10. Protection certified as stable.
  11. Protection/enforcement actions enabled.

And here’s one for policy violations:

  1. Violation detected; appears in incident handling queue.
  2. Incident handler confirms incident and severity.
  3. If action required, incident handler escalates and opens investigation.
  4. Business unit contact for triggered policy notified.
  5. Incident evaluated.
  6. Protective actions taken.
  7. User notified if appropriate, based on nature of violation.
  8. Notify employee manager and HR if corrective actions required.
  9. Perform required employee education.
  10. Close incident.

These are, of course, just rough descriptions, but they should give you a good idea of where to start.

-Rich
