Spliced feed for Security Bloggers Network |
Cybercapos [Phillip Hallam-Baker's Web Security Blog] Posted: 17 Jul 2008 08:37 AM CDT
Are you going to DefCon? Get your Phreak on! [StillSecure, After All These Years] Posted: 17 Jul 2008 07:20 AM CDT
The Way of Logic into Dan’s DNS Flaw [GNUCITIZEN] Posted: 17 Jul 2008 05:49 AM CDT There is a serious flaw in the DNS system and apparently it is a design bug, the type of bug I like the most. I am very curious to learn what exactly Dan has prepped for us and I get the feeling that we will be deeply shaken by its simplicity. Although I have no clue what this bug is, and I am also reluctant to pursue its mystery for my own entertainment, I will try to express what it could be by walking you through a simple process of thinking by elimination. Keep in mind that we could have been fooled and put off track with the information that is currently available - a common showmanship trick - so much like Dan :). So, let’s start with the information that we have:
Then, I would have to conclude that:
That leads to the following:
Which suggests that:
Having this in mind:
And this is where I am pretty much stuck after spending 30 minutes skimming through all news resources and research materials available online. As I said, I will leave the show to Dan and I am looking for some great entertainment this year at Black Hat Las Vegas. If you are interested in learning about some more design bugs, you may want to check out my own poor presentation which I will happily present on the first day of BH.
Steven J. Vaughan-Nichols is no Nobel economic laureate [StillSecure, After All These Years] Posted: 17 Jul 2008 12:11 AM CDT You have to both admire and laugh at zealots and extremists no matter what guise they come in. Whether it be religion, politics or technology they find God's hand guiding you towards their position in every event, good or bad. A perfect example was brought to my attention by Michael Farnum. Steven J. Vaughan-Nichols, the resident Cyber Cynic and Linux zealot at ComputerWorld, has taken the current state of our economy as a message from God that Linux is on a messianic mission to save us from high gas prices, high food prices, the mortgage and credit crisis and those Satans in Redmond. Vaughan-Nichols says that by switching to Linux and other open source products you could save your company, your job and be more secure to boot!
RIM BlackBerry Vulnerability Announced [Infosecurity.US] Posted: 16 Jul 2008 10:54 PM CDT RIM (NasdaqGS: RIMM) has released a vulnerability announcement detailing issues with the BlackBerry Enterprise Server’s handling of PDF attachment distillation. Also announced via US-CERT. Unfortunately for customers of RIM, and users of the now nearly ubiquitous BlackBerry Smartphone, there is no fix available. However, the issue has now been escalated to the development group at RIM. The company’s statement on the issue: “This issue has been escalated internally to our development team. No resolution time frame is currently available.”
links for 2008-07-17 [Raffy's Computer Security Blog] Posted: 16 Jul 2008 09:31 PM CDT
Comcast: The start of a new series [Room362.com] Posted: 16 Jul 2008 09:09 PM CDT Now, I don’t like to publicly bad mouth companies, but at some point, Comcast’s lack of “service” has got to stop. Well, let me rephrase that: Comcast needs to be held accountable for their utter lack of due diligence. I have been a Comcast customer by default ever since they swallowed the portion of Adelphia that held my area. I say this because only recently have I actually had a choice in the matter. So, without further ado, here is my latest Tales from Comcast Customer:
Once this event has run its course, it will be filed under “Stupid People” in the links menu, under “Tales of a Comcast Customer: EP1”
Andrew Hay, Now With 100% More CISSP [Andrew Hay] Posted: 16 Jul 2008 08:36 PM CDT If you couldn’t guess by the title of this blog post, I have indeed passed my CISSP certification exam (phew). I always reserve my judgement on the usefulness of particular certifications until I actually sit down and attempt them (unlike some people in the industry — you know who you are). Was it worth it? I believe it was. Due to the scope of the exam I forced myself to learn aspects of security that I had neither the reason, nor the desire, to understand. I feel that I have grown as a security professional because of my studies and hope that I can help others with the things that I have learned. I’d like to give a shout out to those people (you know who you are) who either helped me or reassured me that I would succeed. Thanks everyone!
The Last HOPE 2008 [Kees Leune] Posted: 16 Jul 2008 07:15 PM CDT While getting ready for the Last HOPE this weekend in New York City, I went through the program. For the time being, my schedule will look like this:
Friday 1100 - 1200 Death Star Threat Modeling (Kevin Williams in Engressia)
Saturday 1000 - 1100 Policy Hacking: Taking Back Public Sector IT (Arjen Kamphuis in Turing)
Sunday 1200 - 1300 What and Who is "Anonymous"? (Alex (DeMiNe0), Dusk, Little Sister, Mike (Sethdood), PokeAnon, Atkins, Ryan "Dr3k" Hannigan in Turing)
Don't forget that amateur radio operators will meet at calling frequency 147.525 MHz simplex. A special event station W2H will be operating too, so I might hang out with them, though I haven't decided yet.
Recent Archimedius Posts on Cloud Computing [ARCHIMEDIUS] Posted: 16 Jul 2008 06:33 PM CDT If you've arrived at Archimedius in search of blogs on cloud computing, here are the top cloud computing blogs, in order of views as of July 16 2008: Who Will Ride the Clouds? (posted June 20): a high-level perspective on the strategic impact of cloud computing on competitive economic advantage between regions and nations. Will Cloud Computing [...]
Upcoming Webcast- DLP and DAM Together [securosis.com] Posted: 16 Jul 2008 05:49 PM CDT On July 29th I’ll be giving a webcast entitled Using Data Leakage Prevention and Database Activity Monitoring for Data Protection. It’s a mix of my content on DLP, DAM and Information Centric security, designed to show you how to piece these technologies together. It’s sponsored by Tizor, and you can register here (the content, as always, is my independent stuff). Here’s the description:
- Rich
Encrypt the whole Net! [Data-Centric Protection and Management] Posted: 16 Jul 2008 03:58 PM CDT Now this is a big bite - the folks behind Pirate Bay are developing technology that will allow all traffic between equipped end-points to be encrypted. They are doing this to protect folks from the prying eyes of the authorities - new laws have been passed in Sweden that give the authorities rights to monitor email, web traffic and telephony of individuals. The EFF has a good post about this new law here. Not sure how all this will be implemented, but it will be interesting to follow...
Drowning in disinformation [Phillip Hallam-Baker's Web Security Blog] Posted: 16 Jul 2008 02:40 PM CDT
Stolen Data Cheaper [securosis.com] Posted: 16 Jul 2008 01:10 PM CDT It’s rare I laugh out loud when reading the paper, but I did on this story. It is a great angle on a moribund topic, saying that there is such a glut of stolen finance and credit data for sale that it is driving prices down.
The thieves are true capitalists, and now they are experiencing one of the downsides of their success. What do you know, “supply and demand” works. And what exactly are they going to do to boost profit margins? Sell extended warranties? Maybe it is just the latent marketeer in me coming to the fore, but could you just imagine if hackers made television commercials to sell their wares? Cal Hackington? Crazy Eddie’s Datamart? It’s time to short your investments in Cybercriminals, Inc. -Adrian
Writing a book: The Proposal [Emergent Chaos] Posted: 16 Jul 2008 12:45 PM CDT To start from the obvious, book publishers are companies, hoping to make money from the books they publish. If you'd like your book to be on this illustrious list, you need an idea for a book that will sell. This post isn't about how to come up with the idea, it's about how to sell it. In a mature market, like the book market, you need some way to convince the publisher that thousands of people will buy your book. Some common ways to do this are to be the first or most comprehensive book on some new technology. You can be the easiest to understand. You can try to become the standard textbook. The big problem with our first proposal was that we wanted to write a book on how managers should make security decisions. That book didn't get sold. We might rail against the injustice, or we might accept that publishers know their business better than we do. Problems with the idea include that there aren't a whole lot of people who manage security, and managers don't read a lot of books. (Or so we were told by several publishers.) We didn't identify a large enough market. So a proposal for a new book has to do two main things: first identify a market niche that your idea will sell, and second, convince the publisher that you can write. You do that with an outline and a sample chapter. Those are the core bits of a proposal. There are other things, and most publishers have web sites like Addison Wesley's Write for us or Writing For O'Reilly. Think of each of these as a reason for some mean editor who doesn't understand you to disqualify your book, and make sure you don't give them that reason. With our first proposal, we gave them that reason. Fortunately, both Jessica Goldstein (Addison Wesley) and Carol Long (Wiley) gave us really clear reasons for not wanting our book. We listened, and put some lipstick on our pig of a proposal. 
Funny thing is, that lipstick changed our thinking about the book and how we wrote it. For the better.
Google will Unleash the Cannibals on Microsoft [ARCHIMEDIUS] Posted: 16 Jul 2008 12:40 PM CDT As the battleground between Microsoft and VMware takes shape with the launch of Microsoft’s Hyper-V, I've talked about what VMware should do as well as how Hyper-V could prevail. While this is a critical battle for both companies, it is only a precursor for Microsoft as Google looks to be launching the cannibals of commoditization [...]
Oracle for HP OpenView Critical Flaw Announced, Fixed [Infosecurity.US] Posted: 16 Jul 2008 11:35 AM CDT Hewlett Packard (NYSE: HPQ) has announced a Critical Vulnerability in their HP Oracle for OpenView product. Current customers are strongly urged to install the Oracle July 2008 CPU. SUPPORT COMMUNICATION - SECURITY BULLETIN
Multiple Oracle Database Server Security Flaws Announced [Infosecurity.US] Posted: 16 Jul 2008 11:10 AM CDT This morning brought significant announcements from several security research and consulting organizations targeting Oracle (NasdaqGS: ORCL) Database Server vulnerabilities ranging from cross-site scripting issues to advanced queuing challenges. iDefense Labs released (at least) three advisories: the first, a Local Untrusted Library Path Vulnerability; the second, a remote exploitation of a buffer overflow vulnerability in DBMS_AQELM; and the third, a remote exploitation of a pre-authentication input validation vulnerability in OID (Oracle Internet Directory). The iDefense-announced vulnerabilities have been mitigated (according to notation in each advisory) in the July Critical Patch Update. Whilst iDefense has been busy, let us not forget David Litchfield at NGSSoftware, with his announcement of yet another flaw, this time an injection flaw in the Oracle Application Server PL/SQL engine; Oracle has made a patch available for this issue.
San Francisco Needs A Really Good Pen Tester [securosis.com] Posted: 16 Jul 2008 09:36 AM CDT Direct from the “you can’t make this up” department, this news started floating around a couple days ago:
There really isn’t much to say, but if you are a kick ass pen tester in the Bay area (perhaps someone booked for a lewd offense you wouldn’t like to see plastered on the Internet) I suspect there’s a potential gig out there for you. -Rich
Linus on Information Security People [Donkey On A Waffle] Posted: 16 Jul 2008 09:25 AM CDT Our favorite quote machine, Linus Torvalds, in a recent email to a linux kernel developers mailing list had this to say: On Tue, 15 Jul 2008, Linus Torvalds wrote:
> So as far as I'm concerned, "disclosing" is the fixing of the bug. It's the "look at the source" approach. Btw, and you may not like this, since you are so focused on security, one reason I refuse to bother with the whole security circus is that I think it glorifies - and thus encourages - the wrong behavior. It makes "heroes" out of security people, as if the people who don't just fix normal bugs aren't as important. In fact, all the boring normal bugs are _way_ more important, just because there's a lot more of them. I don't think some spectacular security hole should be glorified or cared about as being any more "special" than a random spectacular crash due to bad locking. Security people are often the black-and-white kind of people that I can't stand. I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them. To me, security is important. But it's no less important than everything *else* that is also important! Linus
Well here's to you Linus! Three cheers and a wonderful dirty picture!
Upcoming: Database Encryption Whitepaper [securosis.com] Posted: 16 Jul 2008 08:15 AM CDT We are going to be working on another paper with SANS- this time on database encryption. This is a technology that offers consumers considerable advantages in meeting security and compliance challenges, and we have been getting customer inquiries on what the available options are. As encryption products have continued to mature over the last few years, we think it is a good time to delve into this subject. If you’re on the vendor side and interested in sponsorship, drop us a line. You don’t get to influence the content, but we get really good exposure with these SANS papers. -Adrian
It was only a matter of time… [BumpInTheWire.com] Posted: 15 Jul 2008 10:42 PM CDT After having LANenforcer 2024s in our environment for almost a year now I finally came across something that I actually wish was different. And that is the ability to turn on/off the IPS functionality per port pair instead of globally. It would be nice to be able to turn it off for one port pair and on for another port pair. The basis for this? We have our IPS in “detect only” mode right now. Today El Sidekick got the external interfaces on the NetScaler demo unit configured. I was looking at the dashboard and I started seeing SQL Slammer events being logged from outside sources. After a momentary “oh shit” moment I realized what was happening. I had a short lived freak-out because all of our LE “bumps” are behind firewalls at this location. Seeing port 1433 traffic on a LE behind a firewall caused my heart to skip a beat…that port is not open on any of our firewalls! Ahhh, young Grasshopper. Do not get excited until you fully understand what you are looking at. The NetScaler straddles the firewall. As soon as the external IP addresses were live that pesky SQL Slammer traffic started being logged. That is why I think it would be nice to turn the IPS on per port pair instead of globally. Side note #2…why the hell is that SQL Slammer worm still running wild? That stupid worm came out over 5 years ago.
It's Good to Play Well With Others [BumpInTheWire.com] Posted: 15 Jul 2008 10:16 PM CDT I came across this article tonight about Project Kensho, a set of tools by Citrix Systems that allows virtual environments to be more independent of hypervisors. I think Simon Crosby, the CTO of the Virtualization and Management Division at Citrix, is spot on with this. Every large customer I talk to doesn’t want to bet the farm on just one vendor. That’s us. We plan on trying XenServer once time allows. You’d have to think that XenApp will be better suited for XenServer than ESX, right? Side note…am I the only one having trouble adjusting to Network World’s new layout?
Breach notice primary sources [Emergent Chaos] Posted: 15 Jul 2008 09:16 PM CDT Today on the Dataloss mailing list, a contributor asked whether states in addition to New Hampshire and Maryland make breach notification letters available on-line. I responded thusly (links added for this blog post): I know only of NH and MD. NY and NC have been asked to do it, but have no plans to. NJ won't do it because the reports are held by the state police and not considered public. IN had that provision stripped from their revised law. I saw no evidence that ME has them on-line at the AG's site. Unless I missed any, those are all the states with central reporting. A later response pointed out that Wisconsin publishes some data as well. Actually, so does New York, but it's pretty measly. I forgot to mention in my email that California also considered central reporting -- including a web site -- as part of an update to its breach law. We blogged about this at the time. I understand these features were cut because of lack of resources. EC reader Iang made a perspicacious comment at the time: At some stage we have to think about open governance being run by the people. That is, expect to see some quality control from open institutions, ones that arise for a need. E.g., blogs like this and other aggregators of info. I am very happy to report that the Open Security Foundation yesterday announced just such a resource. The press release tells the story, but basically it's crowd-sourcing information on breaches. I am very enthusiastic about getting my primary sources archive back on-line so that I can link with, and otherwise contribute to, this new DataLossDB.
S.F. officials locked out of computer network [Vincent Arnold] Posted: 15 Jul 2008 07:29 PM CDT (07-14) 19:23 PDT SAN FRANCISCO — A disgruntled city computer engineer has virtually commandeered San Francisco’s new multimillion-dollar computer network, altering it to deny access to top administrators even as he sits in jail on $5 million bail, authorities said Monday. Terry Childs, a 43-year-old computer network administrator who lives in Pittsburg, has been charged with four counts of computer tampering and is scheduled to be arraigned today.
Oracle Critical Patch Update- Patch OAS Now!!! [securosis.com] Posted: 15 Jul 2008 06:06 PM CDT I was just in the process of reviewing the details on the latest Oracle Critical Patch Advisory for July 2008 and found something a bit frightening. As in could let any random person own your database frightening. I am still sifting through the database patches to see what is interesting. I did not see much in the database section, but while reading through the document something looked troubling. When I see language that says “vulnerabilities may be remotely exploitable without authentication” I get very nervous. CVE 2008-2589 does not show up on cve.mitre.org, but a quick Google search turns up Nate McFeters’ comments on David Litchfield’s disclosure of the details on the vulnerability. Basically, it allows a remote attacker without a user account to slice through your Oracle Application Server and directly modify the database. If you have any external OAS instance you probably don’t have long to get it patched. I am not completely familiar with the WWV_RENDER_REPORT package, but its use is not uncommon. It appears that the web server is allowing parameters to pass through unchecked. As the package is owned by the web server user, whatever is injected will be able to perform any action that the web server account is authorized to do. Remotely. Yikes! I will post more comments on this patch in the future, but it is safe to assume that if you are running Oracle Application Server versions 9 or 10, you need to patch ASAP! Why Oracle has given this a base score of 6.4 is a bit of a mystery (see more on Oracle’s scoring), but that is neither here nor there. I assume that word about a remote SQL injection attack that does not require authentication will spread quickly. Patch your app servers. -Adrian
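As an added illustration of the bug class the post describes (this is constructed example code, not Oracle's WWV_RENDER_REPORT source, whose details are not on this page): a PL/SQL procedure in a privileged schema that pastes a caller-supplied parameter into dynamic SQL, beside the same procedure written so the parameter can only ever be data. The REPORTS table and both procedure names are assumptions.

```sql
-- Constructed example of unchecked parameters reaching SQL inside a package
-- owned by a privileged account. Not Oracle's WWV_RENDER_REPORT code.
CREATE TABLE reports (name VARCHAR2(30), body VARCHAR2(4000));

-- Vulnerable pattern: the caller's string becomes part of the SQL text.
-- A definer-rights procedure (the default) runs with the owner's privileges,
-- so whatever is spliced into p_report_name is evaluated as that account,
-- not as the caller. This is the shape of flaw the post is warning about.
CREATE OR REPLACE PROCEDURE render_report_unsafe (p_report_name IN VARCHAR2) AS
  l_body VARCHAR2(4000);
BEGIN
  EXECUTE IMMEDIATE
    'SELECT body FROM reports WHERE name = ''' || p_report_name || ''''
    INTO l_body;
  DBMS_OUTPUT.PUT_LINE(l_body);
END;
/

-- Hardened pattern: an allow-list check rejects anything that is not a plain
-- report name, a bind variable keeps the value as data rather than SQL text,
-- and AUTHID CURRENT_USER confines any remaining bug to the caller's own
-- privileges instead of the package owner's.
CREATE OR REPLACE PROCEDURE render_report_safe (p_report_name IN VARCHAR2)
  AUTHID CURRENT_USER AS
  l_body VARCHAR2(4000);
BEGIN
  IF NOT REGEXP_LIKE(p_report_name, '^[A-Za-z0-9_]{1,30}$') THEN
    RAISE_APPLICATION_ERROR(-20001, 'invalid report name');
  END IF;
  -- Static SQL is preferable; where dynamic SQL is unavoidable, bind.
  EXECUTE IMMEDIATE 'SELECT body FROM reports WHERE name = :name'
    INTO l_body USING p_report_name;
  DBMS_OUTPUT.PUT_LINE(l_body);
END;
/
```

The same review is worth applying to any web-exposed PL/SQL package: look for parameters concatenated into EXECUTE IMMEDIATE, DBMS_SQL or OPEN ... FOR strings, and check whether the package runs with definer's or invoker's rights.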
Best Practices For Endpoint DLP: Part 4, Best Practices for Deployment [securosis.com] Posted: 15 Jul 2008 05:27 PM CDT We started this series with an overview of endpoint DLP, and then dug into endpoint agent technology. We closed out our discussion of the technology with agent deployment, management, policy creation, enforcement workflow, and overall integration. Today I’d like to spend a little time talking about best practices for initial deployment. The process is extremely similar to that used for the rest of DLP, so don’t be surprised if this looks familiar. Remember, it’s not plagiarism when you copy yourself. For initial deployment of endpoint DLP, our main concerns are setting expectations and working out infrastructure integration issues.
Setting Expectations
The single most important requirement for any successful DLP deployment is properly setting expectations at the start of the project. DLP tools are powerful, but far from a magic bullet or black box that makes all data completely secure. When setting expectations you need to pull key stakeholders together in a single room and define what’s achievable with your solution. All discussion at this point assumes you’ve already selected a tool. Some of these practices deliberately overlap steps during the selection process, since at this point you’ll have a much clearer understanding of the capabilities of your chosen tool. In this phase, you discuss and define the following:
It’s extremely important to start defining a phased implementation. It’s completely unrealistic to expect to monitor every last endpoint in your infrastructure with an initial rollout. Nearly every organization finds they are more successful with a controlled, staged rollout that slowly expands breadth of coverage and types of content to protect.
Prioritization
If you haven’t already prioritized your information during the selection process, you need to pull all major stakeholders together (business units, legal, compliance, security, IT, HR, etc.) and determine which kinds of information are more important, and which to protect first. I recommend you first rank major information types (e.g., customer PII, employee PII, engineering plans, corporate financials), then re-order them by priority for monitoring/protecting within your DLP content discovery tool. In an ideal world your prioritization should directly align with the order of protection, but while some data might be more important to the organization (engineering plans) other data may need to be protected first due to exposure or regulatory requirements (PII). You’ll also need to tweak the order based on the capabilities of your tool. After you prioritize information types to protect, run through and determine approximate timelines for deploying content policies for each type. Be realistic, and understand that you’ll need to both tune new policies and leave time for the organization to become comfortable with any required business changes. Not all policies work on endpoints, and you need to determine how you’d like to balance endpoint with network enforcement. We’ll look further at how to roll out policies and what to expect in terms of deployment times later in this series.
Workstation and Infrastructure Integration and Testing
Despite constant processor and memory improvements, our endpoints are always in a delicate balance between maintenance tools and a user’s productivity applications.
Before beginning the rollout process you need to perform basic testing with the DLP endpoint agent under different circumstances on your standard images. If you don’t use standard images, you’ll need to perform more in depth testing with common profiles. During the first stage, deploy the agent to test systems with no active policies and see if there are any conflicts with other applications or configurations. Then deploy some representative policies, perhaps taken from your network policies. You’re not testing these policies for actual deployment, but rather looking to test a range of potential policies and enforcement actions so you have a better understanding of how future production policies will perform. Your goal in this stage is to test as many options as possible to ensure the endpoint agent is properly integrated, performs satisfactorily, enforces policies effectively, and is compatible with existing images and other workstation applications. Make sure you test any network monitoring/blocking, portable storage control, and local discovery performance. Also test the agent’s ability to monitor activity when the endpoint is remote, and properly report policy violations when it reconnects to the enterprise network. Next (or concurrently), begin integrating the endpoint DLP into your larger infrastructure. If you’ve deployed other DLP components you might not need much additional integration, but you’ll want to confirm that users, groups, and systems from your directory services match which users are really on which endpoints. While with network DLP we focus on capturing users based on DHCP address, with endpoint DLP we concentrate on identifying the user during authentication. Make sure that, if multiple users are on a system, you properly identify each so policies are applied appropriately.
Define Process
DLP tools are, by their very nature, intrusive. Not in terms of breaking things, but in terms of the depth and breadth of what they find.
Organizations are strongly advised to define their business processes for dealing with DLP policy creation and violations before turning on the tools. Here’s a sample process for defining new policies:
And here’s one for policy violations:
These are, of course, just rough descriptions, but they should give you a good idea of where to start. -Rich