Sunday, July 20, 2008

Spliced feed for Security Bloggers Network

Cross-Site Scripting - the Gateway Drug [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 19 Jul 2008 07:39 PM CDT

Remember when you were younger (or for some of you that's now...) and your parents told you that pot was a "gateway drug"? The whole message was that once you got into smoking the reefer, you would be much more exposed to other dangerous drugs and therefore would fall victim more easily.

Let's put that into the web app security context. I know, I know... it's not exactly the same thing, but hear me out. If you're open to XSS, or script injection of some kind... it's only a matter of time before someone moves on to bigger and better attacks on your site. CSRF and SQLi, to name the things you'll be getting hit with next, and it's all about where you start. Sure, Cross-Site Scripting is relatively simple to detect, and requires you to trick a user into doing something... to exploit themselves - but if you're open to script attacks it means you're not validating and sanitizing input or output... this leads to possible CSRF if you're a transactional application - or worse... SQL injection! If Cross-Site Scripting is pot's equal... SQL injection has to be like... crystal meth or something. Dangerous to the point where it'll kill you and potentially blow up the whole place.

... and my parents said I never paid attention to them. Ha!
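The post's point is that the same missing input and output handling that lets a page reflect script also lets a query carry SQL. The following is an added example, not code from the post or its author: a constructed sqlite3 table and two constructed payloads, with the vulnerable and the hardened version of each sink side by side. Function names, the table and the payloads are all assumptions for illustration.

```python
"""Added example: one missing control, two attack classes.
The table, rows, payloads and function names are constructed for
illustration; none of this comes from the original post."""
import html
import sqlite3

# Constructed payloads: a reflected-XSS probe and a boolean SQLi probe.
PAYLOAD_XSS = "<script>alert(1)</script>"
PAYLOAD_SQLI = "' OR '1'='1"


def make_db():
    """In-memory sample table standing in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def lookup_vulnerable(conn, name):
    # Untrusted input spliced into the statement text: the SQLi sink.
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, name):
    # Bound parameter: the engine never parses the input as SQL.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def render_vulnerable(name):
    # Untrusted input echoed straight into markup: reflected XSS.
    return "<p>Results for %s</p>" % name


def render_safe(name):
    # Output encoding turns <, >, &, quotes into entities before they
    # reach the browser, so the payload is displayed, not executed.
    return "<p>Results for %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, PAYLOAD_SQLI))  # every row leaks
    print(lookup_safe(db, PAYLOAD_SQLI))        # nothing matches
    print(render_vulnerable(PAYLOAD_XSS))
    print(render_safe(PAYLOAD_XSS))
```

The fix in both cases is the same discipline the post describes: treat every request value as data, bind it where it goes into a query, and encode it where it goes into a page.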

Non-Fiction Review: Ask the Right Questions Hire the Best People by Ron Fry [The Falcon's View]

Posted: 19 Jul 2008 04:12 PM CDT

This past week I had a chance to mostly read Ron Fry's Ask the Right Questions Hire the Best People. This book provides an interesting perspective on hiring from the employer's vantage point, instead of the typical candidate's viewpoint. I...

Lynis - an auditing tool for Linux/Unix [Robert Penz Blog]

Posted: 19 Jul 2008 03:15 AM CDT

The first step to higher security of your system is to assess its current state. Lynis is a small command line tool, licensed under GPL 3, which can help you achieve this. From the author's homepage:

Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes.

This software aims at assisting with automated auditing, software patch management, vulnerability and malware scanning of Unix based systems. It can be run without prior installation, so inclusion on read only storage is no problem (USB stick, cd/dvd).

He also clearly states what Lynis is not:

Not a hardening tool: Lynis does not fix things automatically, it reports only (and makes suggestions).

More on the technical stuff: The basis of the program is a set of shell scripts which scan the operating system and installed software (e.g. old software) but also things like SSL certificates (e.g. expiry date). The software checks for accounts without passwords or wrong file permissions, and it also takes a look at your local firewall. It runs under many Linux and Unix versions including Debian and Ubuntu.
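To show what two of those checks actually look at, here is an added example, written for this page and not taken from Lynis itself: one function flags accounts whose shadow password field is empty, the other flags files that are writable by everyone. The shadow lines are constructed, and the permission demo creates its own temporary files; the function names are my own.

```python
"""Added example, not Lynis code: two audit checks of the kind Lynis
runs, as standalone functions. SAMPLE_SHADOW is constructed; the
permission demo builds its own temp files."""
import os
import stat
import tempfile

# Constructed shadow entries. A hash, '*' and '!' all require or block
# a password; an empty second field means no password is needed.
SAMPLE_SHADOW = """root:$6$abc$somehash:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
guest::17000:0:99999:7:::
backup:!:17000:0:99999:7:::
"""


def accounts_without_password(shadow_text):
    """Return login names whose shadow password field is empty."""
    found = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            found.append(fields[0])
    return found


def world_writable(paths):
    """Return the subset of paths whose mode has the 'other write' bit."""
    return [p for p in paths if os.stat(p).st_mode & stat.S_IWOTH]


def demo_perms():
    """Create a 0644 file and a 0666 file and confirm only the loose
    one is reported. Returns True when the check behaves as expected."""
    d = tempfile.mkdtemp()
    ok = os.path.join(d, "ok.conf")
    loose = os.path.join(d, "loose.conf")
    for p in (ok, loose):
        with open(p, "w") as f:
            f.write("sample\n")
    os.chmod(ok, 0o644)
    os.chmod(loose, 0o666)
    return world_writable([ok, loose]) == [loose]


if __name__ == "__main__":
    print("no password:", accounts_without_password(SAMPLE_SHADOW))
    print("permission check ok:", demo_perms())
    # On a real host: accounts_without_password(open("/etc/shadow").read())
```

Reading /etc/shadow needs root, which is also why Lynis is usually run as root or from a privileged shell on the box being audited.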

iPhone 3G review [Random Thoughts from Joel's World]

Posted: 18 Jul 2008 12:17 PM CDT

Okay, so I have had my iPhone 3G with iPhone 2.0 software for a solid week now.  

BLUF:  I like it.

Now, I live in a 3G area.  Which means I get the full capabilities of the speed, and it's nice.  Browsing the internet is faster, Mail is faster, everything is nice and quick.  Even the apps I use.  The truth is, I was considering not getting one, but the touchscreen stopped working on my old iPhone about a month ago, and therefore, I had to upgrade (oh darn).

iPhone 2.0 software
--
The greatest feature about the new iPhone (and the old iPhone too) is the apps.  Now that you can have apps, it's awesome.  I hacked my phone in the past but there were no apps that I was excited about and I really didn't care to do it again.  There were really three apps I wanted on my old iPhone's software.  
1) something to manage my to-do's
2) some kind of music buying app
3) Instant messenger.

Well, now I have Omnifocus for the iPhone (and the Mac, and it's great, everything syncs up..  awesome.  Although I do have to call Omnigroup out on something.  They say that their databases sync via "MobileMe".  Now, if I said that to you, that would imply you have to-do syncing through the cloud, right?  Well, not really.  All that happens is your Omnifocus DB is stored on your iDisk, and your devices have to sync to iDisk, so while technically true, it's ill worded...anyway..  Omnifocus is great, I recommend it, a little high in price, but... yeah).  So that takes care of my to-do's.

2)  Some kind of music buying app.  Well iPhone has had the iTunes store for a while, and it has been great.  But there are occasions that you didn't know what the song was that you heard on the radio and you wanted to know.  Well now my iPhone has an app called Shazam, that will listen to the song I am listening to and tell me what the song is.  Awesome.

3)  Instant Messenger, well I got my AOL IM, but it's just not as polished as I think it should be.  It should be iChat'ish.  Come on Apple, do your thing.

Of course I have some other apps on there as well, games, facebook, pownce, twitter..etc..  and I use them, but they are just add ons.  Not must haves.

The GPS is awesome, quick too.  While it doesn't TELL you where to make turns, it WILL follow where you are at on Google Maps, and you can just get your directions through there.  So it works just fine for a GPS phone.  I'd like to replace my car GPS with the iPhone, which requires two things.  A touch better GPS turn-by-turn software, say from TomTom or Garmin, and a car charger.  No car charger yet.  Let's go!

All in all..  Excellent phone, I highly recommend it for people who live in a 3G area.  If you don't live in a 3G area, then don't worry about it, because the speed won't help you.  Get your software update.  

However, if you live in a 3G area, or you like the 'flush headset jack' idea, or the fact that it fits better in your hand (with the rounded back), then get it.  The iPhone 3G FEELS thinner.  But in fact it's 0.2 mm thicker in the middle.  But you probably won't notice.




PaulDotCom Security Weekly - Episode 115 - July 17, 2008 [PaulDotCom]

Posted: 18 Jul 2008 09:26 AM CDT

Live from the PaulDotCom studios with special guest Rich Mogull!

Hosts: Larry "Uncle Larry" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com


Lack of usable emails for your pentest got you down...metagoofil FTW! [Carnal0wnage Blog]

Posted: 18 Jul 2008 06:07 AM CDT

Hopefully a useful day in the life of a pentest post...

So there I was, trying to gather emails for our pentest. The only problem is that we were doing an assessment of city.domain.com but all the emails are listed as @domain.com. Just for clarification, searching domain.com for email addresses wouldn't necessarily give me emails that were in scope, so I had to think of something.

First step was some google-fu of "site:city.domain.com + @domain.com" that brought in a few email addresses. Next step was metagoofil. Metagoofil is awesome because it will download MS Office, OpenOffice, and PDF documents from the domain you specify. It will parse the metadata and give you a list of the usernames in the documents and the path to where the document was saved.

How it works (images from the Edge-Security site)


It downloads the documents to your local computer so you can view them for extra info gathering. It also gives you a nice little HTML page with the results.



After that I took the possible usernames, put them in the proper naming convention for the domain, rocketed off my SE email and crossed my fingers.

The result? Metagoofil for the win! Overall I had about 160 possible email addresses, 20 actually made it to someone's inbox...sad face but not bad considering how I got the possibles.

5 of the 20 opened it :-)
2 were forwarded (meaning the user that opened it was not initially emailed), 1 was from google, and 2 of the 5 were from metagoofil :-)

Not bad if you ask me.
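The two steps that did the work here, pulling names out of document metadata and then mapping them onto the target's address format, are short enough to show in full. The following is an added example and is not metagoofil's code: it builds a constructed .docx-style zip containing only docProps/core.xml, reads the creator and last-modified-by fields the way a metadata harvester would, and expands each name under an assumed first.last / flast convention. The names, the domain and the function names are all made up for the illustration.

```python
"""Added example, not metagoofil itself: harvest user names from OOXML
core properties and expand them into candidate addresses. The document
bytes, names, domain and naming convention are constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml in .docx/.xlsx/.pptx files.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def make_docx(creator, last_modified_by):
    """Build a minimal OOXML-style zip with only the core properties part.
    Constructed stand-in for a document downloaded from the target."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:creator>%s</dc:creator>"
        "<cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], creator, last_modified_by)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


def metadata_names(docx_bytes):
    """Return the set of user names recorded in docProps/core.xml."""
    names = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return names
        root = ET.fromstring(z.read("docProps/core.xml"))
    for tag in ("dc:creator", "cp:lastModifiedBy"):
        el = root.find(tag, NS)
        if el is not None and el.text and el.text.strip():
            names.add(el.text.strip())
    return names


def email_candidates(name, domain):
    """Expand 'First Last' into first.last, flast and firstl; a single
    token (a login name) is used as-is. Assumed convention, not a fact
    about any real domain."""
    parts = re.findall(r"[a-z]+", name.lower())
    if not parts:
        return set()
    if len(parts) == 1:
        return {"%s@%s" % (parts[0], domain)}
    first, last = parts[0], parts[-1]
    return {
        "%s.%s@%s" % (first, last, domain),
        "%s%s@%s" % (first[0], last, domain),
        "%s%s@%s" % (first, last[0], domain),
    }


def harvest(docs, domain):
    """Metadata names from every document, expanded and de-duplicated."""
    out = set()
    for d in docs:
        for n in metadata_names(d):
            out |= email_candidates(n, domain)
    return sorted(out)


if __name__ == "__main__":
    sample = make_docx("Jane Doe", "jdoe")   # constructed document
    print(metadata_names(sample))
    print(harvest([sample], "domain.com"))
```

Real documents carry more than these two fields (company name, template paths, revision authors), which is why the downloaded files are worth opening by hand as the post suggests.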

Root passwords to LiveCD Linux distros [Roer.Com Information Security - Your source of Information Security]

Posted: 18 Jul 2008 05:52 AM CDT

If you are in need of the root password for the LiveCD *nix distro you just downloaded, this resource may be of help to you.

I know I need them from time to time, and usually when I do, I miss a "one-stop-shop" like this one :)

Thank you Benny!

Password Really is the Key to the City [CultSEC Blog]

Posted: 17 Jul 2008 06:05 PM CDT

I haven't posted in a couple of weeks. But this little incident was enough to jump in the saddle real quick. I am working on a couple of other posts which will appear soon.

This incident ongoing in San Francisco is an excellent example for employing "checks and balances." There should never be a situation where one person holds the only set of keys to the data. Never. What should happen then?

Well, every company is going to have one or two "trusted" people. I may be going out on a limb here. At least the owner or executive in charge should fit that category. At any rate, the "trusted" person should set an enterprise level password. Then they should write down the password, seal it in an envelope and stash it in a safe deposit box. Wait, you're not done. The enterprise level account should then be used to create sub-accounts for those entrusted to do system admin work. That way, if one of them does something they shouldn't, like locking out everyone's access, the enterprise level admin can still get in.

Of course, there is no real 100% solution to ensuring this type of event doesn't happen. Heck, the executive in charge could decide they've had enough and lock down the systems. Somewhere along the line a human being has to be trusted to do the right thing.

Maybe then, they could have the real keys to the city.

Recording and Stream Notice - Episode 115 [PaulDotCom]

Posted: 17 Jul 2008 03:51 PM CDT

The live stream should be active about 6:45 PM EDT, Thursday, July 17th. We should begin recording the live show at about 7:00 PM EDT. Please keep in mind that these times are all estimates, but we will try to do the best that we can.

Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: http://ustream.tv/channel/pauldotcom-security-weekly

Icecast: http://radio.oshean.org:8000

Please join us, and thanks for listening!


- Larry & Paul

Cybercapos [Phillip Hallam-Baker's Web Security Blog]

Posted: 17 Jul 2008 08:37 AM CDT

Interesting.


But as I point out in the dotCrime Manifesto, the mafia is old school. It uses the state of the art in business management being developed in the 1920s. The mafia was organized using line management before most US businesses had got there.


The organization of the cyber-gangs is fashioned after today's state of the art. They use online markets for outsourcing. The gangs are global and operate 24 hours a day. If a criminal in Russia finds some commercial information that is relevant in Brazil they can quickly connect to a local criminal who can make use of it.


In many ways the Internet crime rings are replacing the old-style mafia. And just as online commerce eventually merged with traditional retail, the same effect will occur in Internet crime. Those same facilities, for example money laundering, can be used for any criminal purpose. A drug ring can launder proceeds through the same network the Internet criminals developed for extracting stolen money.

Pop Culture Security Episode 2 [IT Security, Windows Scripting and other matters]

Posted: 16 Jul 2008 10:06 PM CDT

Michael Santarcangelo and I have released the second episode of the Security Catalyst Show: Pop Culture Security.

The show is available here. Show notes are available here.

This time we are taking a different approach, we are covering two topics using several movies.

Michael and I had a great time recording the episode and hope that you enjoy it. We also want you to take what you hear and start applying it.

Be safe out there.

James

Comcast: The start of a new series [Room362.com]

Posted: 16 Jul 2008 09:09 PM CDT

Now, I don’t like to publicly bad mouth companies, but at some point, Comcast’s lack of “service” has got to stop. Well, let me rephrase that: Comcast needs to be held accountable for their utter lack of due diligence. I have been a Comcast customer by default ever since they swallowed the portion of Adelphia that held my area. I say this because only recently, have I actually had a choice in the matter. So, without further ado, here is my latest Tales from Comcast Customer:

Having recently moved, I decided that even though I have a choice, incurring additional “setup” fees for switching services was not something I wanted. So the guy was there 5 days after I moved in, ran the line, and we were hot with both digital cable and speedy internet service. I came home from work, ran some speed tests and was delighted to see that I had just about tripled my speeds from my previous residence.

Weeks go by, and this line that the Comcast installer ran from the box to my house is still strung across my lawn. I call and they say they will send someone out to put it down as soon as possible.

2 months later, I call again; they cannot see in their system that a request to put a line in the ground was ever submitted. After 20 minutes of trying to ensure that the “Customer Service Representative” fully understood that there was actually, physically, an orange coaxial line, above ground, strung across my front lawn, that was Comcast’s responsibility, she submitted a new request.

1 week after the new request, I come home to a Comcast truck in the driveway. YIPEE! Nope, he was there to fill out the request for a contractor to come and put the line in the ground. So basically he had no purpose in life or in my driveway.

2 weeks after the new request, no contractor, but someone at some point came by my house and spray painted lines on my lawn where my line should be in the ground. (And no, I didn’t miss a call or the contractor coming)

3 weeks after the new request, the wife is fed up and she has me call Comcast after our TV goes out for no apparent reason. Guess what I got when I called? A busy signal. That just doesn’t compute in my head. How is Comcast going to present me with a busy signal for a 24 hour service line? Anyways, the next day I call and actually get through. Now guess what they told me? Nope, they had the request, but it was for September!? The “Customer Service Representative” was nice enough to move it up to this Saturday.

To Be Continued....

 

Once this event has run its course, it will be filed under “Stupid People” in the links menu, under “Tales of a Comcast Customer: EP1”

 

Drowning in disinformation [Phillip Hallam-Baker's Web Security Blog]

Posted: 16 Jul 2008 02:40 PM CDT

[image: iran1be3.jpg]


Millions of people around the world woke up to see this image from the Iranian news agency on the front page of the morning newspaper.


Although the image is now known to be fake, or to be strictly accurate, manipulated, the damage done by the exposure may be worse than the damage done by the original fakery.


The facts of the situation are now clear: Only three of the missiles were launched successfully, as another photograph taken earlier demonstrated. What appears to be the launch of the second missile from the right is actually a combination of the vapor trails from the other two rockets.


The fakers were caught, so what is the problem? Well the problem is that although the fakers were caught this time, we don't know how many times a fake photograph has been used without detection. During the 2004 US Presidential campaign, a photograph purporting to show John Kerry speaking with Jane Fonda was circulated. As with the Iranian forgery, far more people saw the original photograph than the subsequent rebuttal.


But the problem is not just that the fakers may achieve their objective, it's that genuine evidence may be dismissed as fake. One does not need to be unduly Machiavellian to see how creating distrust in photographic evidence might suit a government whose grasp on power depends on control of information.


So what is the solution? Cryptography of course.


Adobe themselves have been concerned about the need to authenticate digital documents for many years. Adobe Acrobat has a built in document authentication feature that uses secure digital signatures.


The Adobe system is great, the only problem is that it only authenticates the document after editing. This is exactly what we want in the case of a contract, but not if the question is the authenticity of a photograph. What we need is a publicly verifiable means of authenticating the original photograph when it is taken by the camera.


While it is highly unlikely that the images taken by the original photographer will be the ones that end up on the Web site, the ability to authenticate the input to a process is essential if there is going to be a possibility of authenticating the process as a whole. For image authentication to be effective it must be integrated into the news-room workflow so that an editor knows which images are coming in from a stringer unmodified and which may have been altered and the reader knows which images came from the paper or wire service unmodified. Alteration may be necessary in some cases, a photograph taken in the field may be too light, too dark or have the wrong color balance because of the lighting used. But when an altered photograph is uploaded there should also be a source image available for verification.


As it happens, Nikon do implement a system of this type in their D3 and D300 cameras. Unfortunately, the details of the authentication scheme are not public and image verification requires an additional software package that requires use of a hardware key.

Something Old and Something New [Matt Flynn's Identity Management Blog]

Posted: 16 Jul 2008 02:14 PM CDT

Eric Norlin provides some insight into what to do (related to identity management) in an economic slowdown:

Something Old:

"1. SSO and Password Reset: The facts are on the wall. If you can reduce the number of helpdesk calls for password reset, you're going to save a TON of money. You can do that through self-service modules, E-SSO, web sso, or even federation. Just do it."

Something New:

"2. Automating Compliance: This is a big one, and you probably won't get it done before the recession ends. However, the more you achieve automated compliance controls, the more big bucks you can save on manual audits. Throw everything from RBAC to de-provisioning into this bucket and then get started looking at what really will slice greenbacks soonest."

Password Reset and SSO have long been good entry points into Identity Management and also proven creators of cost reduction and efficiency.

Automated Compliance is a somewhat more recent phenomenon that also yields cost reduction and efficiency. You may be wondering, though, how many companies are able to get to automated compliance without giving an arm and a leg to define the requirements and processes that enable it. Might the initial effort defeat the purpose of cost reduction?

One thing Eric wrote is probably key to that discussion – "the more you achieve automated compliance controls..." which to me means, let's not get caught up in the grand notion of automated compliance. Implement a few key automated controls that eliminate significant manual effort in the compliance audit process. And that will bring you cost reduction.

SaaS Eases Security Cost and Complexity [Matt Flynn's Identity Management Blog]

Posted: 16 Jul 2008 12:57 PM CDT

I first read an article in InformationWeek titled SaaS Makes A Run At Security and then found this very similar article by the same author online.

I've posted recently about identity as a service (be sure to check the comments and links if you visit that posting). But my day job dictates that I think more about identity reporting as a service. (intelligence around who has what access and what changes are being made).

One of the striking take-aways from the article is the Gartner estimate that by 2018, 85% of security intelligence will be offered as a service. I guess the words "offered as" seem to deflate the energy of the claim. I wonder what the estimates are for how much will be consumed as a service in 10 years.

In any case, I think the writer hits on the right points - cost and complexity. Especially for the mid-market (his target audience). I think (particularly in the mid-market) the simplification of key capabilities will outweigh the emotional hurdles that make SaaS a tough sell for security. Of course, actual security capabilities may remain a harder sell than security reporting capabilities. That is, companies may be more willing to have managed identity reporting than managed provisioning.

I think mid-market security practitioners want their lives to be easier. They're not driven by the same concerns as large enterprises. What do you think?

Linus on Information Security People [Donkey On A Waffle]

Posted: 16 Jul 2008 09:25 AM CDT

Our favorite quote machine, Linus Torvalds, in a recent email to the Linux kernel developers mailing list, had this to say:

On Tue, 15 Jul 2008, Linus Torvalds wrote:

> So as far as I'm concerned, "disclosing" is the fixing of the bug. It's the "look at the source" approach.

Btw, and you may not like this, since you are so focused on security, one reason I refuse to bother with the whole security circus is that I think it glorifies - and thus encourages - the wrong behavior.

It makes "heroes" out of security people, as if the people who don't just fix normal bugs aren't as important.

In fact, all the boring normal bugs are _way_ more important, just because there's a lot more of them. I don't think some spectacular security hole should be glorified or cared about as being any more "special" than a random spectacular crash due to bad locking.

Security people are often the black-and-white kind of people that I can't stand. I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them.

To me, security is important. But it's no less important than everything *else* that is also important!

Linus

Well here's to you Linus! Three cheers and a wonderful dirty picture!

Hacking the CPU using Java [Roer.Com Information Security - Your source of Information Security]

Posted: 16 Jul 2008 05:54 AM CDT

This just came into my Snarfer!

How can I not love the fact that hacking the CPU - the hardware - is the next big threat? I mean, how do you patch a CPU?

---

IT-manager: "Oh, its patch day. Let me just shut down the boxes."
(Shuts down most boxes in the server room)
IT-slave: "Oh, so silent it suddenly became. It's almost as when I was a kid, and only had my Nintendo DS to play with!"
IT-manager: "Yea, well, lettus gedon widdit."
(They open each box, snap out the CPU, add a transistor or two to the CPU, stick it back in there, and put the lid back on. )
IT-manager: "Cross the fingers, and hit the POWER button."
IT-slave: "Please, please, pretty please, let the main server start again."
(The server spins up, lamps blinking red, green and blue. An ambient light comes out of the cup-holder and after a few seconds, the screen flickers blue, then black, and finally back to blue. A Log-On screen appears on the screen).
IT-manager: "Ah, it worked again. God, I miss the days with automatic updates from Microsoft."
IT-slave: "Yea, when do you think Intel will start with automatic updates?"


Deep Packet Capturing - the saviour of the day? [Roer.Com Information Security - Your source of Information Security]

Posted: 16 Jul 2008 05:07 AM CDT

I have been asked to take a look at Deep Packet Capturing - a technology used to capture and store network packets. The keyword here is Capturing. The point is to capture and store networking traffic for (possible) later analysis and modeling.

One of the suppliers is Solera Networks, which offers appliances to capture and store information on your network at high speed - up to 10Gbit/s.


Why do you want this kind of tool?

So far, you have a Deep Packet Inspection tool, you save and analyze logs, and you also monitor your network. Then, one day, the police knock on your door (or, heaven forbid, the media). Your logs and day-to-day analysis will only take you, and the police, so far. You may pick up some irregularities from the past, but most likely you will not be able to rebuild and document the actual data stream. You end up with poorly documented speculations.

With a Deep Packet Capturing device, chances are that you would be able not only to figure out what, when, who and what was done, but also to replay the sequence, re-analyze it, and most importantly document the whole process. In addition, you would be able to develop and test new rules for finding irregularities without having to risk your day-to-day network flow. When your new rules are designed and tested, you can implement them.


Compliance

Compliance is still an important buzzword around the security space. One of the compliance issues requires you to save quite large amounts of data - usually from solutions and technology not designed to give you easy access to the very same data. A Deep Packet Capturing device may be an easy and cheap way to comply with such regulations.

If you are an ISP or VoIP service provider in the US, you also need to comply with CALEA. Capturing and monitoring VoIP data may be a challenge, and Solera Networks claims its CALEA Appliance is a low-cost solution tackling this very challenge.


Virtualization

Another buzzword these days is Virtualization. Now, virtualization itself is not without risk, but considering the upside of fewer physical devices, lower power consumption and easier (at least in theory) administration, I think virtualization is here to stay. It just makes business sense.

Thus, I like the fact that some of the Solera Networks devices are also available as VMware virtual appliances. This also means I can easily test-run these devices in my lab, if I so desire.

I like new technology and new ideas. With the low cost of storage these days, a Deep Packet Capturing device makes perfect sense to me.

San Francisco IT Admin Charged with Hijacking the City's Network. [360 Security]

Posted: 15 Jul 2008 06:37 PM CDT

Link to PC World Article


Being an IT manager and security professional, this story makes me shake my head. It has certainly been the talk of the office today. A few quick thoughts on this.

Terry Childs seems to have backed himself into a corner and created a no-win situation. He had to have been in a desperate position to take the system hostage by blocking access and refusing to hand over passwords. Unfortunately for Childs, real life computer security rarely works like it does in the movies, bargaining power is limited by the long arm of the law.

Childs' managers should have known better. A situation like this could only occur if safety nets and best practices were ignored or circumvented. Any security program that could allow one person to cause this much damage is seriously deficient, especially since this has apparently been going on since June 20th.

The big question in my mind concerns the ramifications of continuing to run a system that could have been rigged to remotely delete data. If this concern turns out to be accurate, every minute that the city keeps the system up while it is not entirely in their control is another minute that city data is in jeopardy. A compromised system could mean data is deleted and confidential information gets leaked. Both of these are significant risks.


Update:
Linked to the Robert McMillan article in PC World since he used my quote.

Blue Box #80: VoIPShield vulnerabilities, what is ethical disclosure?, SIP trunking, VoIP security news, new nomadism, and much more... [Blue Box: The VoIP Security Podcast]

Posted: 15 Jul 2008 04:22 PM CDT

Synopsis:  Blue Box #80: VoIPShield vulnerabilities, what is ethical disclosure?, SIP trunking, VoIP security news, new nomadism, and much more...


Welcome to Blue Box: The VoIP Security Podcast #80, a 44-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 20MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on April 17, 2008.


Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.


Where should the CSO or Network Security reside within the corporate structure? [Ascension Blog]

Posted: 15 Jul 2008 03:23 PM CDT

This is another question that I have received via email.  As with many questions, there are no generic answers.  My answer is typically “It depends.” So much depends on the organization and its corporate culture.  That said, here is my attempt to generically answer the question. 

As I am sure everyone involved with this discussion will argue, at least on even par with the CIO. I agree with that argument whole-heartedly but the sad reality is that all too often the CSO or Network Security group is an element of the IT department under the CIO. The line of thinking that places us there is that since the devices we oversee are IT assets, that is the most appropriate place for us.

Ideally the CSO should answer directly to the CEO or COO and be on the same level or above the CIO. That said, not many of our colleagues sitting in these positions find themselves so positioned. The trick becomes how to be effective from a disadvantageous position.

Network Security should enable business, not hinder it. Why not leverage this to push our agenda? As an enabler, we need to facilitate change through sound business practices and by becoming the ultimate team player. That does not mean compromising our ethics with regard to security. In my opinion, anyone who finds himself in a position where they need to compromise their ethics probably was ineffective in delivering or framing their argument for security.

A good leader is also a good listener. Listening to the needs of business and formulating ways to meet the business need while being secure is the key to success in the CSO position. Granted, there will be times where we may find ourselves up against roadblocks and we cannot win every battle. An occasional roadblock or defeat can be dealt with but if we are faced with a systematic disregard for security then we need to ask ourselves two questions: Why did the company really create this position and why do I really want to stay here if I am not being effective?

I like beer (bear with me here - I’ll tie back into the topic). I used to have a girlfriend, back before I got married, who hated beer. While she didn’t have a problem with me having a few cold ones occasionally, she kept asking me why I liked beer. She just couldn’t understand how anyone could like the taste. I told her that she just hadn’t had a beer she liked yet but that there were hundreds of different varieties. She of course didn’t believe me until I cooked dinner for her one night. At dinner, I served a Raspberry Lambic (beer). She commented on how wonderful the dinner was (I went to culinary school after college, classically French trained) and how wonderful the Raspberry Champagne was, and wherever did I find it? Imagine her astonishment when I told her that it wasn’t champagne but beer.

The point is that my ex-girlfriend thought she didn't like beer but in reality she just hadn't tried a beer she liked yet. Information Security is a lot like that. If you keep serving up the same old beer time and time again when you know that your boss doesn't like it, then you deserve to have it thrown back in your face. By switching tactics, giving your boss something that they think they want, and then telling them that not only does it taste good but it is something they thought they didn't want in the first place, you will probably be met with a different outcome.

We need to be educators.  We need to deliver our message in such a way that we keep our audience receptive to what we are saying and educate them in why this should be important to them. If we are “organizationally challenged,” that does not mean that we cannot be effective; the job is definitely harder but nothing worthwhile is easy.

Often the org-charts place security where the organization feels it best fits. This is sometimes indicative of the importance the organization places on Information Security (and sometimes it is just where it is without any meaning whatsoever). Our jobs are to change that perception, relate what we do to our business's mission, and show that by adopting secure business practices, the mission will become more effective. In short - our jobs are to educate.

AEP left high and dry moves to ID access control [StillSecure, After All These Years]

Posted: 15 Jul 2008 12:33 PM CDT

AEP had been a victim of the NAC fallout. They made a bad bet on an OEM partner to provide them with NAC technology. When that NAC vendor went belly up, so did AEP's NAC product as a result. Now Tim Greene reports that AEP has come out with a new device that, while not strictly a NAC product, does more identity access control and does not seem to do any admission control.

AEP, which makes an SSL VPN type of appliance, has a new appliance that delivers an agent to an endpoint and authenticates the user. It then, according to the article, inserts an identifier in the payload of every packet that shows where and who that packet is from, which then allows it to either pass or not pass through, only to its allowed base. I don't know, that seems a bit of a chokepoint/bottleneck to me, but I don't know enough about it, only what I read in the article.

The appliance is not cheap, with a price tag of over 50k for just 99 users. It seems like an awful lot of money for what it does. An important lesson, I think, on picking the right OEM partner. Pick the wrong one and your product goes down as collateral damage to the OEM partner's demise.

419 Scams New Angle - US Soldiers in Iraq [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 15 Jul 2008 10:51 AM CDT

We've hit an all-time new low folks. Those 419 scammers are now using US Soldiers in Iraq as the "source" for their scamming activities. They are preying upon the actions in Iraq to make their scams sound legitimate and of course, hoping that human greed takes over and you'll fall for these scams.

Here's the latest one I've gotten, haven't seen this reported yet so I figured I'd do it...

Subject:
"CAN I TRUST YOU? (Assistance Needed From Iraq)
Body:
Hello,
I hope my email meets you well. I am in need of your assistance. My name is SGT JOEY JONES.I am a military attache with the Engineering unit here in Ba'qubah Iraq for the united states, we have about $20 Million American dollars here which is in our possesion and we are ready to move out of the country.
My partners and I need a good partner someone we can trust to actualize this venture.The money is from oil proceeds and legal.But we are moving it through diplomatic means to your house directly or a safe and secured location of your choice using diplomatic courier services.
But can we trust you? Once the funds get to you, you take your 30% out and keep our own 70%. Your own part of this deal is to find a safe place where the funds can be sent to. Our own part is sending it to you.
If you are interested I will furnish you with more details.
Awaiting your urgent response.
Your Buddy.
SGT JOEY JONES.
IN GOD WE TRUST...
Header Info:
X-Message-Delivery: Vj0zLjQuMDt1cz0wO2w9MDthPTA=
X-Message-Status: n:0
X-SID-PRA: SGT JOEY JONES
X-Message-Info: R00BdL5giqozMkaXg1EgzSz4aOURDSSSsdVXN2U2M+EHFR5kwi1AO7U766046vZapUswEWCFJBqPUuCVXV50Q//LLjGjCxHj
Received: from sccmmhc91.asp.att.net ([204.127.203.211]) by bay0-pamc1-f4.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Tue, 15 Jul 2008 08:06:24 -0700
Received: from sccqwbc02 (scommcenter02.asp.att.net[204.127.203.162])
by sccmmhc91.asp.att.net (sccmmhc91) with SMTP
id <20080715150552m91003hckpe>; Tue, 15 Jul 2008 15:06:23 +0000
Received: from [117.96.101.143] by sccqwbc02;
Tue, 15 Jul 2008 15:05:51 +0000
From: mail090@mchsi.com (SGT JOEY JONES)
Subject: CAN I TRUST YOU?(Assistance Needed From Iraq)
Date: Tue, 15 Jul 2008 15:05:51 +0000
Message-Id: <071520081505.479.487cbcc700020d6b000001df219791299503010cd2079c080c03bfcfc7cf04070e03@mchsi.com>
X-Mailer: AT&T Message Center Version 1 (Oct 30 2007)
X-Authenticated-Sender: bWFpbDA5MEBtY2hzaS5jb20=
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="NextPart_Webmail_9m3u9jl4l_479_1216134351_0"
Bcc:
Return-Path: mail090@mchsi.com
X-OriginalArrivalTime: 15 Jul 2008 15:06:24.0382 (UTC) FILETIME=[590BE1E0:01C8E68C]


--NextPart_Webmail_9m3u9jl4l_479_1216134351_0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit

For the love of God and Country... let's fight these bastards!
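As an added example (not part of the original post), here is how a defender would walk the Received chain quoted above, oldest hop first, using only the Python standard library, to recover the submitting client's IP and the account the webmail server recorded, rather than trusting the From: line. It assumes the folded continuation lines are re-indented as in a real header block.

```python
import base64
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Header block copied from the 419 message quoted in the post above. The page
# shows the folded Received: continuation lines without their leading
# whitespace; it is restored here so the standard parser unfolds them.
RAW_HEADERS = """\
Received: from sccmmhc91.asp.att.net ([204.127.203.211]) by bay0-pamc1-f4.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
 Tue, 15 Jul 2008 08:06:24 -0700
Received: from sccqwbc02 (scommcenter02.asp.att.net[204.127.203.162])
 by sccmmhc91.asp.att.net (sccmmhc91) with SMTP
 id <20080715150552m91003hckpe>; Tue, 15 Jul 2008 15:06:23 +0000
Received: from [117.96.101.143] by sccqwbc02;
 Tue, 15 Jul 2008 15:05:51 +0000
From: mail090@mchsi.com (SGT JOEY JONES)
X-Authenticated-Sender: bWFpbDA5MEBtY2hzaS5jb20=
"""

# A trace line reads "from <client> by <relay> ...; <date>". Each relay adds its
# own line, so only hops written by servers you trust (here Hotmail's own) are
# reliable; the lines below them could have been forged by the sender.
HOP = re.compile(r"from (?P<frm>.+?) by (?P<by>[^\s;]+).*?;\s*(?P<date>.+)$")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def received_hops(raw_headers):
    """Received: hops oldest first, as (client_ip_or_None, relay, utc_time)."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.match(" ".join(value.split()))  # unfold, then parse
        if not m:
            continue  # skip a non-standard trace line instead of aborting
        ip = IPV4.search(m.group("frm"))
        when = parsedate_to_datetime(m.group("date")).astimezone(timezone.utc)
        hops.append((ip.group(0) if ip else None, m.group("by"), when))
    return hops

def origin_summary(raw_headers):
    """Oldest hop's client IP, the account the webmail host logged, transit time."""
    hops = received_hops(raw_headers)
    auth = message_from_string(raw_headers).get("X-Authenticated-Sender", "")
    return {
        "origin_ip": hops[0][0],
        "hops": len(hops),
        "authenticated_sender": base64.b64decode(auth).decode() if auth else None,
        "transit_seconds": int((hops[-1][2] - hops[0][2]).total_seconds()),
    }
```

The oldest hop is the one AT&T's webmail front end wrote when the scammer submitted the message, which is why its client IP, not the mchsi.com address, is the value worth reporting to the provider.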

Symantec poisons the channel [StillSecure, After All These Years]

Posted: 15 Jul 2008 08:06 AM CDT

For a long time Symantec has enjoyed a great reputation as the VAR's best friend. They were the ultimate channel-friendly company with a large and deep channel. As a result there is always a Symantec channel partner nearby almost every customer. In a case of biting the hand that feeds it, this may be changing. According to this article in Channel Web, Symantec is taking its largest 900 customers direct and moving all SMB renewals direct as well.

The renewal business is viewed as a built-in annuity by many VARs, and losing these follow-on deals is not going to sit well. Also, by taking the largest 900 customers direct they are taking the top end, or largest deals, out of the channel. The channel market is way too sensitive to this type of thing for it to happen without repercussions taking place. It just remains to be seen what they will be, but they will come.
