Monday, July 21, 2008

Spliced feed for Security Bloggers Network

Spliced feed for Security Bloggers Network

Companies getting the knack of NAC [StillSecure, After All These Years]

Posted: 21 Jul 2008 07:43 AM CDT

For too long we have heard the NAC knockers bad mouthing the benefits of NAC and bemoaning its lack of adoption. I have always believed that much of this was marketing spin and that companies were finding NAC highly useful.  Typical hype cycle kind of stuff. At the end of the day though nothing speaks like real world references by customers stepping up and publicly saying they use the product.  Of course, those of us in the security industry know that this is probably one of the hardest things to do. No one wants to stand up and say what they use for security.  This could give information to the bad guys and attract attention that many companies would rather not do.  At StillSecure this has always been a double edged sword for us. With many DoD networks using the product, we have not really been able to talk a lot about the great job our NAC product does on some of the most sensitive, mission critical networks in the world.  By the same token, usually we don't announce or publicize many of the infrastructure providers who we partner with and who sell a re-branded version of our NAC product.

Recently several NAC customers have been stepping up and talking about how they use NAC and why. Last week there was a good article on Estee Lauder using NAC first for guest access control and most recently an expansion of their NAC deployment to help with PCI compliance.  This week in an article with the usual left-handed compliments, Tim Greene in between quotes by the so called analyst experts, talks about several NAC companies rolling out NAC.  One is American Bancard, another StillSecure customer who uses NAC to help with PCI and keep their network secure. The article talks about several other companies using NAC solutions from other vendors as well, which is also very encouraging.  Of course the companies I have spoken about I know for a fact are using NAC.  With some of the competition, you cannot always be sure as I have written about in the past.

In any event, I think it is important that we are starting to see some real public references for NAC deployments.  Nothing proves the point of a products value than real live customers stepping up and talking about it!

San Fransisco Officials Locked Out of Their Own Network [Darknet - The Darkside]

Posted: 21 Jul 2008 03:57 AM CDT

Another disgruntled IT worked causing mayhem, remember the guy that destroyed all the medical records? He got a pretty hefty sentence, now we have another who has locked everyone out of the new ’state of the art’ computer network in San Fransisco - he’s on a $5 million dollar bail so I’d say he’s in big...

Read the full post at darknet.org.uk

"Spring" into framework vulnerabilities [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 21 Jul 2008 12:02 AM CDT

Hey folks - I've been thinking about security defects frameworks such as Spring for a bit since someone asked me if because they use one of these major frameworks, are they safe a week or so ago. I couldn't find any valid reason to panic about using a framework to introduce new security vulnerabilities until I saw this post - which seems to have slipped under the radar of most of us bloggers/readers of security events.

Back on the 16th of July ZDNet writer Paula Rooney published this post, which aggregates some of the details around the Spring MVC framework issues. Reading the write-up I feel like there are some complex issues at work here, and patching isn't just simply done to remediate these.

What I do find interesting is that Ryan Berg from Ounce Labs doesn't see these issues as "vulnerabilities", but rather features that are "insecure by design". To quote the article further...
"SpringSource plans to release in the near future an update in one of its MVC demo templates to show app developers how to avoid this vulnerability. Ounce maintains that the vulnerability is not a security flaw in the framework itself but an application development issue. Many Java applications and business processes built on Spring are insecure by default and should be fixed – even if it means breaking existing applications, Berg said."
How interesting. I wonder if this is limited to Java? What about the Microsoft .Net frameworks... and what about all the extensive AJAX frameworks? I wonder if we're building-in security defects simply by using some of these new frameworks?

More to come, as I try and learn a little more about how frameworks can introduce vulnerabilities into code and development.

To be written... [Kees Leune]

Posted: 20 Jul 2008 07:36 PM CDT

Having come back from the Last HOPE, I have two days worth op notes in my little notebook. Unfortunately, I am too lazy to type them up into a blog post tonight, so it will have to wait until I feel like working on it again.

Happy Sunday.

Adding your own exploits and modules in Metasploit [Carnal0wnage Blog]

Posted: 20 Jul 2008 11:45 AM CDT

No not an exploit-dev 101 post but maybe an advanced tip for people new to using the Metasploit Framework. I see this question all the time so here is a little mini tutorial.

In Linux (For the love of god, don't run msf on Windows) when you install metasploit you get a hidden .msf(/home/$user/.msf) directory in your home directory.

It starts out empty, but this is where you want to place all updated exploit modules, auxiliary modules, meterpreter scripts, etc.

Why? Well if you start modifying exploits in the trunk when you do an update it will start bitching at you about it not being the same exploit and may possible overwrite your stuff and that's no fun.

Example time.

Say you want to add the "HP StorageWorks NSI Double Take Remote Overflow Exploit (meta)" exploit located on milworm. Its already in the trunk, so if you want to follow along you'll have to rm it.

What you have to do is create the same directory structure in your .msf folder as you have in your regular msf folder. So, looking at the exploit on milworm we see the path is:

class Exploits::Windows::Misc::Doubletake

So we cd into our .msf folder and create our modules folder (If you are lost, look at your regular msf folder and make a similar directory structure). Once we do that we need to create an exploits folder, a windows folder, and misc folder. Then we'll stick our doubletake.rb file into that folder.

cg@segfault:~/.msf3$ mkdir modules
cg@segfault:~/.msf3$ cd modules/
cg@segfault:~/.msf3/modules$ mkdir exploits
cg@segfault:~/.msf3/modules$ cd exploits/
cg@segfault:~/.msf3/modules/exploits$ mkdir windows
cg@segfault:~/.msf3/modules/exploits$ cd windows/
cg@segfault:~/.msf3/modules/exploits/windows$ mkdir misc
cg@segfault:~/.msf3/modules/exploits/windows$ cd misc
cg@segfault:~/.msf3/modules/exploits/windows/misc$ ls -l
total 4
-rw-r--r-- 1 cg cg 2277 2008-07-20 12:22 doubletake.rb


You don't need to mirror the directory structure completely, just add what you are adding. If you had Linux exploits you would add a linux folder in the exploits folder, since we don't its not necessary.

If everything worked right when you start the console you'll see one more exploit and you'll now be able use that exploit in the framework.

Before:

=[ msf v3.2-release
+ -- --=[ 302 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 73 aux

After:

=[ msf v3.2-release
+ -- --=[ 303 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 73 aux

Now we can use the exploit.

msf > use exploit/windows/misc/doubletake
msf exploit(doubletake) > info

Name: doubletake Overflow
Version: 9
Platform: Windows
Privileged: No
License: Metasploit Framework License

Provided by:
ri0t

Available targets:
Id Name
-- ----
0 doubletake 4.5.0
1 doubletake 4.4.2
2 doubletake 4.5.0.1819

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 1100 yes The target port

Payload information:
Space: 500
Avoid: 1 characters

Description:
This Module Exploits a stack overflow in the authentication
mechanism of NSI Doubletake which is also rebranded as hp storage
works Vulnerability found by Titon of Bastard Labs.

msf exploit(doubletake) >


same thing goes for auxiliary modules, just make an auxiliary folder in the modules directory and populate it accordingly. Pretty much the same thing for meterpreter scripts except the scripts aren't in the modules directory they are in their own, so in this case we'd make our scripts/meterpreter directories in the main .msf directory.

Off to Belgium [Emergent Chaos]

Posted: 19 Jul 2008 01:47 PM CDT

belgian beer.jpg

I'm getting ready to leave for the 2008 Privacy Enhancing Technologies Symposium. I love this event, and I'm proud to have been involved since Hannes Federrath kicked it off as a workshop on design issues anonymity and unobservability.

I'm also happy that Microsoft has continued to sponsor an award for outstanding research in Privacy Enhancing Technologies. I used to participate in paper selection, before I took a job at Microsoft, but we are hands off as to the recipient. The award goes where the research community thinks it should go.

Finally, I'm happily reminiscing because on my last trip to Belgium, I met Andrew Stewart, leading, along a very chaotic road, to us writing The New School of Information Security.

I'll be taking a couple of days off to get over jet lag and enjoy some fine beer and frites, and [my] blogging will be light.

Photo: some delicious beer, Awynhaus.

The Last HOPE, day 1 [Kees Leune]

Posted: 18 Jul 2008 07:49 PM CDT

Today was the first day of the Last HOPE convention. Being married with children, I no longer spend full days at events like this, but the time I was there was well spent. Not only did I get to meet some people face to face, I also attended some talks.

More specifically, I went to the first talk on botnet research, the death star risk modeling talk/earth intelligence network and to the talk on the Attendee Metadata project. After that, I took a small break, before sitting in on Myrcurial's talk about climbing the corporate ladder. Then I browsed the projects area, picked up a lock picking set at the Toool table and spoke with some other person who I wanted to meet up with.

Botnet research, Mitigation and the Law
The talk on botnet research was interesting in that it presented a perspective on cases that many of the attendees never had. I found the references to Operation Botnet interesting because I had just heard the other side of that same story. The discussion of all the possibly applicable laws and regulations was thorough, but not new to me. For most of the people in the room, it was a very good introduction.

Death Star Risk Modeling
Death Star Risk Modeling was a CISSP 101 introduction to risk modeling. Interestingly explained, and nicely illustrated with Star Wars analogies. The observation that I took home from this was "If it is worth putting up, it is worth protecting".

Earth Intelligence Network: World Brain as Earth Game
Freaky.

The Attendee Meta-Data Project
Poorly prepared and presented even worse. The idea is very interesting, but the implementation sucked. These guys were very lucky that they are no students of mine.

From a Black Hat to a Black Suit
Highly entertaining and informative and for me definitely the best talk of the day. A number of good lessons for those of us who are planning to make their carreer in corporate information security and who are not afraid of the word "Suit".

The VMware versus Microsoft Smack Down: Perspectives Behind the Headlines [ARCHIMEDIUS]

Posted: 18 Jul 2008 07:34 PM CDT

All eyes are on post-Greene VMware as it prepares to announce earnings on Tuesday and as analysts speculate about how much cleanup will be included in the results.  Yet I think the most important questions to be addressed in the upcoming quarterly earnings call will have more to do with VMware's competitive response to Microsoft's [...]

Interesting Information Security Bits for July 18th, 2008 [Infosec Ramblings]

Posted: 18 Jul 2008 01:45 PM CDT


Here ya go.

From the Blogoshpere

0×000000 has the first of a series of pieces that cover Mozilla malware, how to write it and how to detect it, posted. Interesting stuff.

CG has a post up about a tool called Metagoofil and how it can be used to develop an email list. Very interesting stuff. I haven’t played with it yet, but will be soon.

Tenable has setup a way for charities and classrooms that provide information security training to get a full professional feed for free. Way to go Tenable.

Have a good one.

Kevin

Technorati Tags: , , ,

How To Attend HOPE Conference Remotely [Infosec Events]

Posted: 18 Jul 2008 12:17 PM CDT

The Last HOPE conference starts today, and for those that aren’t able to physically attend, here are a few ways to virtually attend.

Update: amazonv and quine are doing an awesome job of posting on twitter.

Come ask the CISSP Guru [An Information Security Place]

Posted: 18 Jul 2008 07:04 AM CDT

So Andrew Hay just got his CISSP.  Congrats man.  There’s not a lot of people who have as much experience as you do who are actually even considering the CISSP.  Maybe that piece of paper is actually worth it!

So he just got his, and meanwhile, I just entered into my third three-year cycle.  Yep, I have been a CISSP for 6 years.  And while I don’t consider that to be a very long time, it seems like a long time when I keep meeting all these people with these high numbers. 

As an example, I went to see a client a couple of weeks ago in San Antonio and noticed one of the guys there wearing an (ISC)2 lanyard around his neck.  I struck up a bit of conversation about the CISSP, and he mentioned his number was in the 90k range.  I was almost embarrassed to tell him my number because it felt like I was telling the guy how old I was (I am in the low 30k range).  At the same time, it made me feel like an experienced security sage on a mountain with a long white beard stuffed full of lost pages of security policies. 

clip_image002

Yes, people, I am ready to dole out advice to the brave young security professional who braves the travails of the terrain to make it to my mountaintop!  Come to me, you inexperienced infosec practitioner!  Seek me out, you untried youth!  Ask me the secret to information security! 

And I will be there with one of those nebulous answers like "risk management" or "it sure as hell ain’t compliance!"  And you’ll probably leave just as confused as when you climbed up.  Heck, you might just jump off a cliff while you’re trying to make it back down the mountain.  Everybody is searching for the easy answer.  Pssst… there ain’t one.

Vet

 

Crossing the Metrics Rubicon: Quest for the Perfect Measurement [BlogInfoSec.com]

Posted: 18 Jul 2008 06:00 AM CDT

Security metrics represent a great untamed wilderness for organizations trying to determine both their risk profile and the effectiveness of the resources they have allocated to their security program. When I first became a security person after a career managing customer service, finance, and operations teams, the most succinct argument I heard for the paucity of security metrics was that you cannot measure a negative. The thinking, it was explained, was you could not determine whether a security control was effective until it failed, at which point you could determine that it was ineffective and you needed to spend more money theoretically making it more effective until it failed again.

I suppose you could track mean time between failures as a metric to determine when it would next be likely you would petition the money masters at your organization in supplication. Of course this approach reminds me of the old comic strip where the boy, while riding in the family car, asks his father how the load limit on bridges is determined. The response is that they drive bigger and bigger trucks over the bridge until it collapses. The truck is then weighed and the bridge rebuilt exactly as it was before. The mom of course comments to the dad that he should just admit he doesn't know - an admission many of us would hesitate to make when confronted with a question about how secure is our organization.

I hail from the school that you can measure most anything; unfortunately you may not always do it well. Once, when trying to impress his boss, my boss told him about the X million hits our firewall had taken that month. The boss's response – so is that good? With that simple question he described the challenge we face with trying to provide metrics the business understands and can use to further strategic or tactical decision-making.

(...)
Read the rest of Crossing the Metrics Rubicon: Quest for the Perfect Measurement (339 words)


© Patrick Foley for BlogInfoSec.com, 2008. | Permalink | No comment
Want more on these topics ? Browse the archive of posts filed under Technical.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!

Security Briefing: July 18th [Liquidmatrix Security Digest]

Posted: 18 Jul 2008 05:27 AM CDT

newspapera.jpg

Friday morning in NYC and we’re heading for The Last Hope.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

  1. Schneier, Team Hack ‘Invisibility Cloak’ for Files | Dark Reading
  2. HOPE conference highlights everyday hacking | CNET
  3. Defending against cross-site scripting | Search Security
  4. Researcher calls out Apple for delaying iPhone patch | Ars Technica
  5. ‘No decision’ on giant database | BBC News
  6. Cities Gone Wireless: Safety Or Surveillance? | NPR
  7. DNSstuff Freeware Detects Vulnerable DNS Servers | eWeek
  8. Firefox 2 And 3 Get Security Fixes | Information Week
  9. Man Held In SF City Hacking Case Asks For New Hearing | NBC 11 San Francisco
  10. Obama Calls for Cyberterror Czar (yet another czar) | Ecommerce Times

Tags: , , , ,

Zodiac - DNS Protocol Monitoring and Spoofing Tool [Darknet - The Darkside]

Posted: 18 Jul 2008 02:29 AM CDT

Zodiac is a DNS protocol analyzation and exploitation program. It is a robust tool to explore the DNS protocol. Internally it contains advanced DNS routines for DNS packet construction and disassembling and is the optimal tool if you just want to try something out without undergoing the hassle to rewrite DNS packet routines or packet...

Read the full post at darknet.org.uk

Firefox 2.0.0.16/3.0.1 Patches 3 Security Bugs [Infosec Events]

Posted: 17 Jul 2008 11:49 PM CDT

The Last HOPE Countdown - Hack Minus 1 [Liquidmatrix Security Digest]

Posted: 17 Jul 2008 10:15 PM CDT

As noted by El Jefe… We’re in NYC.

And yes, I took the bus.

Hey - I couldn’t figure a way to make work pay for the trip - well legitimately anyways… and besides… it wasn’t too bad - I had an outlet and wifi - what else does a geek need!

Note: The Greyhound NEON bus (Toronto/NYC Express Service) is highly recommended.

Went and picked up my badgey goodness…

Front:

Back:

There’s high rez images available if you ask nicely.

Oh - and while walking around midtown, I came across this scene… and was terribly interested in yelling one word… anyone know what word that was?

/me feels bad for the cliche, but hey - it’s a classic.

Should you be at HOPE, you can find me at 1300 on Friday in the Turing room. I'll be the guy at the front talking.

To keep up on all that the LSD guys are up to at the event, please follow us on Twitter (as long as the fail whale stays down) at this lovely Summize Twitter Search feed.

Tags: , , , , , ,

Liquidmatrix In NYC [Liquidmatrix Security Digest]

Posted: 17 Jul 2008 09:49 PM CDT

OK, sorry for the lack of postings today folks. We’ve been on the road. Myrcurial made his crossing into the US on bus and yours truly flew into Newark.

Gotta love frequent flier miles.

I’m beat but, I’m looking forward to the Last Hope tomorrow. Myrcurial already has his badge and will be posting shortly (if he hasn’t already)

We will be live blogging where possible. Conversely you can follow us on twitter.com @gattaca and @myrcurial

This should be interesting.

:)

The Last HOPE device preparations [Kees Leune]

Posted: 17 Jul 2008 08:02 PM CDT

While preparing to head down to The Last Hope, I figured that I'd lock down my N800 a bit more than I usually do. The network environment might be "somewhat" hostile, and I prefer to expose my device as little as I can.

The N800 has a terminal application, but it is inadequate for serious work. I started by installing the openssh package from the maemo repository, but I also realize that this means that I get an openssh server running on the device. Have to remember to shut that off when I'm done ;)

After booting, the N800 has an impressive array of ports listening on the network:

Nokia-N800-51-3:~# lsof -i
COMMAND    PID   USER   FD   TYPE DEVICE SIZE NODE NAME
sshd       742   root    3u  IPv4   2608       TCP *:ssh (LISTEN)
dnsmasq   1041 nobody    4u  IPv4   4328       TCP Nokia-N800-51-3:domain (LISTEN)
dnsmasq   1041 nobody    5u  IPv4   4329       UDP Nokia-N800-51-3:domain
dnsmasq   1041 nobody    8u  IPv4   5637       UDP *:49156
sshd      1273   root    3r  IPv4   5545       TCP 10.16.1.100:ssh->10.16.1.101:1542 (ESTABLISHED)
telepathy 1292   user    4u  IPv4   6459       UDP 10.16.1.100:49157
telepathy 1292   user    5u  IPv4   6460       TCP 10.16.1.100:49157 (LISTEN)
telepathy 1292   user    6u  IPv4   6461       UDP Nokia-N800-51-3:49157
telepathy 1292   user    7u  IPv4   6462       TCP Nokia-N800-51-3:49157 (LISTEN)
telepathy 1292   user    8u  IPv4   6465       UDP Nokia-N800-51-3:49158->Nokia-N800-51-3:domain
telepathy 1292   user   10u  IPv4   6468       UDP Nokia-N800-51-3:49159->Nokia-N800-51-3:domain

That's obviously too much. Let's start by disabling telepathy. Telepathy is the N800's messaging application, and I usually have a SIP account set up. Disabling that account  immediately removed all instances of the program and also closed all ports it had open.

I do not worry too much about sshd, since I will remove the ssh-server package when I'm done cleaning up. That leaves the dnsmasq package, which is needed to resolve host names.

To fix the dnsmasq ports, all you have to do is edit /etc/dnsmasq.conf and uncomment the line with the phrase 'bind-interfaces'. Switch to offline mode and then reconnect to the wireless network, and you should be all set:

Nokia-N800-51-3:~# lsof -ni
COMMAND  PID   USER   FD   TYPE DEVICE SIZE NODE NAME
sshd     743   root    3u  IPv4   2623       TCP *:ssh (LISTEN)
dnsmasq 1042 nobody    4u  IPv4   4345       TCP 127.0.0.1:domain (LISTEN)
dnsmasq 1042 nobody    5u  IPv4   4346       UDP 127.0.0.1:domain
sshd    1293   root    3r  IPv4   6037       TCP 10.16.1.100:ssh->10.16.1.101:1631 (ESTABLISHED)

In an environment like The Last HOPE, you really really want to only do stuff when you are VPN'ed into a secure network. I connect to my VPN gateway by IP (just in case someone is doing some poisoning). The maemo vpnc-gui package will allow you to do just that.

As a result, this will leave me with 0 ports open that are exposed to the other Last HOPE contestants and I feel a little safer bringing my tablet ;)

Do not forget to turn off ssh by removing the package (safest) or by removing the ssh package from your boot sequence. Please do not forget to make sure to have a root backdoor if you chose the latter option.

5 lessons learned about computer security [Malta Info Security]

Posted: 17 Jul 2008 05:03 PM CDT

Extracts from the original article found here... include some sane advice to those who get thrilled by the term 'hacker' by none other than the infamous Kevin Mitnick.

Reformed hacker-turned-security-consultant Kevin Mitnick served five years in federal prison for breaking into phone and software company networks. He talks about his past hacking exploits, computer security, and how he turned an illegal hobby into a useful career.


Learn the rules before you play the game. I knew hacking was sneaky when I started, but I didn't think it would get me into trouble. Back in my day, they didn't teach us about ethics in respect to hacking or using computers. Now, I tell kids to not follow in my footsteps. As computers become more accessible, there are more ethical ways to learn about computer security. Plus, there are laws now.

Use your powers for good, not evil.

Before, I was doing something exciting-but it was unauthorized and illegal. Now, I do the same thing that got me in trouble, except I do it with authorization. Clients hand me their network and tell me to break in so they can fix security vulnerabilities. To me, it's the same act but it helps my clients and it's legal and ethical, so it's a win-win situation.

Even hackers get hacked. Attackers found a way onto my Web server.

Source


Network World misses the reasons why more companies are deploying NAC [Napera Networks]

Posted: 17 Jul 2008 02:41 PM CDT

Network World suggested with its headline this morning that a recent Infonetics study outlined the top reasons for delaying network access control (NAC) deployments. I think that’s an overly negative headline. While the Infonetics report did discuss some of the blockers to NAC deployments, most of it was positive and covered the increased level of NAC deployments expected over the coming year, and indicated that NAC is becoming a budgetary line item for most companies.

In fact, the report states that nearly two-thirds of the respondents have a budgetary line item for NAC in their fiscal 2009 budgets. That's double the number for 2008.

I agree with the body of the Network World article that regulatory compliance demands, lower prices and improved NAC technologies, especially around reduced complexity, are key reasons enterprises will move forward on a network access control deployment. Current solutions are too heavily focused on the large enterprises and require large investments and infrastructure upgrades and are complex to use and manage.

The whole reason Napera launched its solution for small and medium-sized enterprises was to provide a comprehensive solution focused on simplicity and cost effectiveness. This is a missing piece of the NAC market today and critical for our SME customer. The Napera N24 is the first shipping NAC product for the SME to utilize a Software as a Service approach that removes the need for local servers and leverages Microsoft's Network Access Protection architecture to minimize the need to deploy agents.

The Network World article points out that respondents to the Infonetics study clearly see security as the number one driver. This is because most security and network IT staff are still experiencing security issues, in spite of the fact that they have multiple security products already deployed.

This is a common theme we discuss with our customers. Even though companies are spending more than ever on anti-virus, anti-spyware, firewalls, and other security solutions, they still need to ensure that devices accessing their network are secure, up to date, compliant with policy and authorized before gaining access to the corporate network. This is the added layer of defense that NAC brings, tying together these disparate security solutions to control network access.

Another driver is workforce mobility. The reason security solutions are not fully protecting the network from attack or virus outbreaks is because of the lack of control IT has over laptops. Workers now demand access everywhere and work from Starbucks or a hotel as frequently as on the corporate network. In addition, consultants, customers, and other guests are demand access to the Internet and printers while at your offices, making guest access another key driver for NAC.

Finally, it's important to put the Infonetics user survey in context of another key report released at the same time about NAC: an updated market forecast that suggests the NAC market is alive and well and expected to reach $800 million by 2010. This Infonetics report came on the heels of an IDC report, featuring an aggressive forecast for the network access control market of $3.2 billion by 2011.

While there do remain blockers to NAC deployments, companies are including NAC on their list of IT purchases, because the pain is great and current security and networking solutions are not solving their security and other challenges. With Microsoft's NAP agent on Windows on the road to becoming ubiquitous (with XP SP3 appearing on Windows Update last week), we are confident there will be a faster uptake of both NAP and product like Napera that integrate with the Microsoft architecture.

Putting the fun back in threat modeling [Emergent Chaos]

Posted: 17 Jul 2008 11:52 AM CDT

I have an article in the latest MSDN magazine, "Reinvigorate your threat modeling process:"
My colleague Ellen likes to say that everyone threat models all the time. We all threat model airport security. We all threat model our homes. We think about threats against our assets: our families, our jewelry, and our sentimental and irreplaceable photographs (well, those of us old enough to have photos that never existed in digital form do). We model threats based on architecture: there's a wall here, a picture window there, and an easily climbed tree that we can use when we forget our keys. And we model threats based on attackers. We worry about burglars and kids falling into pools. We also worry about the weather, be it earthquakes, snow, or tornadoes.

If I wanted to sound like a management consultant, I'd say you employ a mature, multi-dimensional assessment process, with a heavy reliance on heuristics and low reproducibility across instances. At the same time, it's likely you won't have thought of everything or implemented defenses against every possible attack. It's very unlikely you have a home defense management plan or have ever run a penetration test against your home.

There's a lot in there talking about how and why some threat modeling methods became "heavy" and what to do about it. Underlying that is the start of a way of thinking about threat modeling as a family of related activities, and some ways of breaking that down. In particular, there's a breakdown into asset-centric, architecture-centric, and attacker-centric threat modeling, which I think is a useful step forward.

What works for you in threat modeling? What hasn't worked that you needed to replace?

Interesting Information Security Bits for July 17th, 2008 [Infosec Ramblings]

Posted: 17 Jul 2008 11:16 AM CDT


Hello all. I apologize for the lack of posts over the last couple of weeks. Life and death have taken up all my time. Things should be back to normal now. So without further ado, here’s are some things to take a look at today.

From the Blogosphere

Wesley over at McGrewSecurity has collected a bunch of links and embedded a bunch of videos of Dan Kaminsky talks. Very cool.

Craig at SecurityWannabe gives us a link to a video of Lee Kushner and Mike Murry’s talk about a career in Information Security. I attended their session at Defcon 15 and the informal Q&A after. Really good stuff. Go watch the video or even better attend their session at this year’s Defcon.

Rich Mogull writes on Securosis that he will be giving a webcast entitled Using Data Leakage Prevention and Database Activity Monitoring for Data Protection on July 29th. Register here. I’ll be watching. You should too.

Via security4all, VMWare has released an updated paper on hardening ESX 3.5 and VirtualCenter 2.5. It can be found here.

From the Newsosphere

Via Dark Reading, Half of Financial Firms Don’t Investigate. That’s not good.

Via Tech Republic, When your network admin hijacks your system. Talks about the San Fransisco situation you have already heard about.

Via Search Security, Blackberry server faced with critical zero-day. There is a flaw in the PDF handling function of the BlackBerrty Attachement Service. Bad stuff.

Via Dark Reading, MessageLabs Reveals Most Spammed States. Illinois apparently has the largest bulls eye painted on its forehead.

Via Information Week, Gmail Privacy Hole Shows User Names. Be careful with Google calendar.

That’s it for today’s bits. Have a great day.

Kevin

No comments: