Spliced feed for Security Bloggers Network |
Chinese and Iranian hacker connection? [The Dark Visitor] Posted: 22 Jul 2008 05:58 AM CDT Skimming through the news today and came across an article in pr-inside.com, on Iranian hacker attempts to disrupt Jewish American leader’s message to Iran. A small blurb in the piece suggested that there was some evidence of Chinese fingerprints or assistance:
I have written to Jerusalemonline for further clarification on this section of the article and hopefully will have an update. It would be very interesting to see if there is more to this, even if the Iranians are just using Chinese hacker malware. |
TSGrinder - Brute Force Terminal Services Server [Darknet - The Darkside] Posted: 22 Jul 2008 04:14 AM CDT This is a tool that has been around quite some time too; it’s still very useful though, and it’s a very niche tool specifically for brute forcing Windows Terminal Server. TSGrinder is the first production Terminal Server brute force tool, and is now in release 2. The main idea here is that the Administrator account, since... Read the full post at darknet.org.uk
Another take on reviews [StillSecure, After All These Years] Posted: 22 Jul 2008 01:40 AM CDT Without putting out misleading press releases, I do want to mention a review that came out today that I was pretty proud of. The folks at Channel Web and CRN put out a review today of StillSecure Safe Access baked off against two well known competitors, Symantec and Sophos. You can go read the review for yourself for the entire story, but here are the final two paragraphs:
'Nuff said on that one! In other NAC news today, Mike Fratto and the Information Week folks have released their 2008 NAC survey and Mike will be doing a follow up webcast on this on Wed, July 23rd. Check out the site for all the details. This report is chock full of great stuff about NAC including vendor profiles. There is a ton of great information there for anyone interested in NAC. |
Posted: 22 Jul 2008 12:19 AM CDT After my "used car salesman of NAC" series I was going to give Ray and the gang a break. But the depths they sink to just never cease to amaze me! Today I received a Google alert on NAC with a link to a press release announcing the NAC used car sales guys continuing to deliver best in class security management solutions, yada, yada, yada. The basis for this claim was that "SC Magazine awarded ForeScout's CounterACT a four-out-of-five star rating, lauding the product's ability to "function like a firewall, an IPS and a NAC device all rolled into one". They wrapped some customer quote (that had nothing to do with the SC magazine story) and voila!, can they put you in this car today? So why do I call this out? No, no sour grapes here. Actually StillSecure Safe Access received the same 4 out of 5 stars and when we dig into the rating here are some interesting facts: In actuality, our friends the used car salesmen only received a 2 star rating in ease of use, a 2 star rating in documentation and a 3 star rating in support. In contrast StillSecure Safe Access received 5 stars across the board, except for a 4 star grade in documentation. How both products finish up with a 4 star rating overall based upon this is frankly baffling to me. I think it has more to do with the reviewer not wanting to spank any of the products too badly. I have already asked for a clarification and will let you know what I find out. But being a slick marketing machine, I thought it the height of chutzpah that they would put out a release around this, considering the best buy and editors choice were two different products. But I guess that is why they did not have a quote or a link to the actual review. The review starts out with this memorable quote, "The ForeScout CounterACT was the device which took the most time to install and configure." Later on the reviewers had this to say, "The second part of the configuration was far more difficult. 
The initial screens for the GUI made us feel lost and we immediately began looking for the documentation CD." Now does that sound like a review to be touting? Only those master car salesmen would seek to put out a press release trumpeting the results of this review. They are counting on wrapping enough other quotes (and frankly who knows about those) around it so that no one will bother to dig into the facts here. Hey, that's what you guys pay me for, telling it like it is!
DNS Exploit Is Out Of The Bag [Liquidmatrix Security Digest] Posted: 21 Jul 2008 11:07 PM CDT Well, there was a rumble earlier today when Halvar Flake made it known that he had puzzled out Dan Kaminsky’s DNS vulnerability. From ADD / XOR / ROL:
Next up we saw the good folks over at Matasano jump in with their analysis of the DNS exploit. From Matasano Chargen:
A rather lengthy explanation ensues and is soon taken offline when Thomas Ptacek realizes that the nature of the post is far too informative. By then, it was too late. Google had already sunk its teeth in. Matasano published an apology soon afterward,
Dan Kaminsky jumped on Twitter shortly after 11 pm to confirm the worst. Get yer patch on people. |
Foundry Networks - Brocade's 3 billion dollar baby [StillSecure, After All These Years] Posted: 21 Jul 2008 11:04 PM CDT By now you have probably heard that Brocade is making a big push from storage networking switches into Ethernet switches by buying Foundry Networks for almost 3 billion in cash. Actually the deal is valued at about 2.8 billion. However, Foundry has about 800 million or so in cash and liquid assets. So taking that into account, the deal is for about 2 billion really, according to the San Jose Mercury News. Still that is quite a number when you consider that $18.50 of the $19.25 price per share is in cash. That works out to about 2.7 billion. Considering Brocade only had about 700 to 800 million in cash itself, that means someone is lending them about a billion and a half. Again according to the Mercury News, it is Bank of America and Morgan Stanley. This is a 41% premium over Foundry's closing price. Pretty sweet! The real question is what does Brocade do with this. With all of that debt, do they have what it takes to go on and take on Cisco now? The highways and byways of Silicon Valley are littered with companies that have tried to take Cisco out of this market. What about the 7 dwarfs who currently compete in this market? Companies like HP ProCurve, Extreme Networks, Nortel, Enterasys, Alcatel-Lucent and Force 10 are not small little companies. These are companies with 100's of millions, if not billions of dollars of market cap themselves. They are not going to roll over and die here. Will this set off a round of consolidation for these players to bulk up in order to compete in this brave new world of networking? I think so. What about next gen secure switches like ConSentry, Nevis and Napera? Or some of the other smaller switch vendors like D-Link? Do they view this as a good opportunity to get bought by one of the giants or do they think they can run through the legs of these giants?
I don't know but it is going to be a high barrier of entry into this market. Ultimately though I don't think Cisco will lose its place of dominance very easily. Brocade will be another competitor among the other switch vendors fighting over 25% of the market. But it sure will be interesting in the switch market for a while. |
What a Weekend [BumpInTheWire.com] Posted: 21 Jul 2008 10:29 PM CDT Saturday was a big day. While our DBAs performed a flawless migration from SQL 2000 to SQL 2005 we took advantage of their window to retire one VMware ESX 3.5 cluster and bring a new one into full production. This involved storage changes and migration of nearly 50 virtual servers along with VMware Tools upgrades. This also went nearly flawlessly. If we had tried to coordinate all of these moves and changes it would have taken three months to complete. Luckily this SQL migration provided the perfect opportunity to get it done in four hours. Timing is everything. In the middle of writing this post my damn laptop dropped its network connection again, as I previously wrote about. I’m gonna throw this damn curse into that damn pond!
Yes! Now I Can Attend Nate Lawson’s Talk at BlackHat! [Zero in a bit] Posted: 21 Jul 2008 10:14 PM CDT By now, you probably know that details of the DNS vulnerability have leaked. Halvar Flake speculated on DailyDave and the momentum built from there, despite the fact that his guess was short on a few key details. I don’t need to rehash the full technical details here; by now, they are easy enough to find with a couple Google searches. When Slashdot picks up the story, it’s hardly a secret any more. What’s more interesting to me, now that I’ve digested the big secret, is how this whole situation has played out in the security community. The security community has been polarized for the past two weeks, not so much over the technical details being withheld, but about Dan’s plea that people not speculate about the vulnerability. As many pointed out, the “bad guys” won’t stop trying to figure it out just because the “good guys” keep quiet. To be honest, my own lack of public speculation wasn’t because I agreed with the philosophy; I just wasn’t smart enough to figure out the vulnerability myself. People implied — or stated outright — that Dan just didn’t want anyone stealing his thunder. Considering the timing of the release and the subsequent BlackHat talk, it’s obvious why such accusations were made. Personally, I think it’s a little of each. I believe the coordinated patch effort was undertaken with the best of intentions, but I also think Dan relished some of the glory and media attention as well. It’s hard to blame him for that; if you were in his shoes, wouldn’t you want some recognition too? By many accounts, dealing with the DNS vulnerability from the operational side has been an exercise in frustration. Plenty of IT people wanted to patch but couldn’t get approval without being able to justify the operational risk. “Because Dan said so” is apparently not a convincing enough argument. 
Some wondered why the people who were responsible for creating the problem should be blindly trusted to implement an appropriate fix. Ultimately, vulnerability disclosure is a minefield. No matter how you choose to disclose, somebody will always disagree. P.S. If you didn’t figure out the title of the post by now, Nate was one of the unlucky few to draw the same timeslot at BlackHat as Dan Kaminsky.
Another One Bites the Dust [BumpInTheWire.com] Posted: 21 Jul 2008 09:26 PM CDT Life in the technology business is volatile. Tonight I got an email with a subject of “Accelerating the Evolution of Networking.” I get a handful of these emails every day with subjects similar to this one and rarely read them at the time of receipt. For whatever reason I decided to read this one. Needless to say I was a little shocked at what I read. Brocade has agreed to acquire Foundry Networks. This hits close to home. Real close to home. That’s life though. Eat or get eaten.
DNS VULNERABILITY NOW IN THE WILD [ARCHIMEDIUS] Posted: 21 Jul 2008 08:35 PM CDT There are about 11 million servers using the Internet's core Domain Name System (DNS) protocol to coordinate traffic across the Internet to their proper destinations. About 6 months ago Dan Kaminsky, director of penetration testing at IOActive, discovered a way to exploit long-known DNS vulnerabilities to easily implement cache poisoning attacks that can compromise the integrity of the Internet. A few [...] |
DNS vulnerability in the wild [Kees Leune] Posted: 21 Jul 2008 08:13 PM CDT Well, it had to happen. The DNS vulnerability discovered by Dan Kaminsky has been leaked. Go read here, here, or here. Then read this and this. The vulnerability is conceptually simple, and frankly it is amazing that no other researchers ever found it. I'll not elaborate on how dangerous it is (patch now!) or how it works exactly. Instead, I'll be trying to wrap my head around this one and get ready to explain the details when asked. Kudos to Dan on how he handled it.
the secretive private Dow Jones Watchlist in your mobile ? [belsec] [Belgian Security Blognetwork] Posted: 21 Jul 2008 07:55 PM CDT Dow Jones Watchlist is a global database, which tracks and monitors over This is used by Vodafone for its M-Pesa mobile money transfer service to ensure compliance with AML regulations from bodies such as the UK’s Revenue and Customs, the European Union, the Central Bank of Kenya, and the Central Bank of Tanzania as well as with the U.S. Patriot Act. The system checks customer names against Sanctions and Politically Exposed Persons (PEPs) from the Dow Jones Watch List. |
Regulator BIPT has a war fund of 3 million Euro [belsec] [Belgian Security Blognetwork] Posted: 21 Jul 2008 07:46 PM CDT It is strange to read that the minister who is responsible for the BIPT (our regulator of postal and telecommunication services) blasts his own administration and says that it is nearly the worst regulator in the European Community. One reason - to make it totally hilarious - is that the public service operator Belgacom makes its work as regulator nearly impossible by going to court against any of its decisions that it doesn't agree with. So the minister says that more internal specialists of the BIPT should be internally transferred to those divisions of the BIPT that should open up the telecom market. It should also use - according to its minister - its own cash that it has been piling up over the last years. Maybe it should use some of that cash to finally build a CERT that is worth the name.
Posted: 21 Jul 2008 07:40 PM CDT The reason is simple: they have forgotten to make the necessary laws by December 2007, as was foreseen in the law that wanted to regulate the necessary services that would develop such services as electronic archiving. Well, who cares, who needs standards anyway?
Posted: 21 Jul 2008 07:31 PM CDT In an answer to parliament the minister of Justice answered that his database of information about ICT criminal activity didn't have the possibility to indicate how many people were prosecuted or had a case against them because they had hijacked a WIFI connection.
Meanwhile in the Chamber of Representatives [belsec] [Belgian Security Blognetwork] Posted: 21 Jul 2008 07:20 PM CDT
Leader of Chinese female hacker “security” team not happy [The Dark Visitor] Posted: 21 Jul 2008 06:04 PM CDT
Not sure how widely the story was circulated in the western press but it sure was popular in China. On her blog, Xiao Tian admits that all the sudden publicity came as a shock when people started calling asking about the article. She claims to have stepped away from the “security” site for quite some time and that much of what was written was hype. Just a girl who enjoys blogging and computers. For someone who takes so many pictures of herself, it is hard to believe that this has become such a burden on her. The Cn Girl Security Team website has been showing a 403 error for the past week and some have suggested it was done by hackers. They say this further demonstrates the low-level technical skills possessed by the group. Xiao Tian denies the rumor and contends there was a problem with the hosting service. Either way, one more hacker website bites the dust. Hundreds remain but we got you covered. |
Missing the Point [Zero in a bit] Posted: 21 Jul 2008 05:19 PM CDT A co-worker passed along this snapshot taken at the Karsten Nohl, Jake Appelbaum, and Dino Dai Zovi talk at HOPE this past weekend. The context, of course, is that the overzealous Debian developer who accidentally crippled OpenSSL back in 2006 said he did so because valgrind reported uninitialized memory use. Click through for the full-size version. So automated software review is dangerous now? Perhaps that bullet should read “modifying code you don’t understand is dangerous.” |
A complete list of security livecd distributions [Security4all] [Belgian Security Blognetwork] Posted: 21 Jul 2008 05:05 PM CDT |
This blog is at least a solid 8.1…maybe an 8.2!! [The Dark Visitor] Posted: 21 Jul 2008 04:55 PM CDT Received an e-mail today from www.blogged.com that has rated us as follows:
An 8.0…I mean WTF? I strongly suspect that Jumper has pulled the blog down from my own unbiased rating of around 8.15 prior to his arrival. An 8.0 is great? Not in my book buddy, that is like low hanging “B” work. We at TDV vow to increase the quality of our postings, we will spare nothing to move up the ladder at blogged.com…unless of course it involves too much effort. |
Do we need a farm system in the security industry? [StillSecure, After All These Years] Posted: 21 Jul 2008 04:17 PM CDT Just read a good article by Lisa Vaas on Computerworld titled "When security staffers fail up". The article talks about some of the challenges that are faced by companies trying to provide proper security. While one of the issues is "bundled badness", which I will talk about later, the bigger problem that Lisa writes about is the profile of our security administrators. It is a familiar story, I am afraid. Security people don't do a good job of "humanizing" themselves. Their peers don't understand what they are trying to accomplish, and too often we speak in geek terms and try to dictate how people conduct business. As a result we are the "people in the way".
Interesting Information Security Bits for July 21st, 2008 [Infosec Ramblings] Posted: 21 Jul 2008 01:09 PM CDT And we’re off.
From the Blogosphere
Via F-Secure’s blog, a discussion of what needs to happen to exploit the Microsoft Access Viewer vulnerability under a couple of different scenarios. Worth a look.
Gunnar Peterson has a pointed view of outside vs. inside as it applies to our enterprise networks. I won’t spoil it for you since it is a good read.
Jeremiah has a survey up for Web Application Security Professionals. He will be releasing the results in the near future. I took it and so should you if you have anything to do with WebApp security. Good questions.
Via Wesley McGrew, Princeton released their tools for dumping and retrieving keys from memory after a cold boot. There was a bit of twittering going on about these tools during The Last HOPE conference. Interesting stuff.
Via DevCentral, a new Google tech talk is up. This time covering SQL injection, XSRF, and XSSI. Good stuff.
LearnSecurityOnline has released Crackme 0x04 for us to solve.
TaoSecurity has a perspective on the recent DNS vulnerability that is worth reading.
The tisecurityguy brings to our attention an open source tool for tracking your laptop should it be stolen. As he says, “best of all, it’s open source, which means free.”
From the Newsosphere
DarkReading: The U.K.’s Ministry of Defence lost some USB sticks... with secret information on them.
DarkReading: Damballa Inc. is to release a new tool for malware analysis at Black Hat 2008 in Las Vegas. Free to enterprises and vendors.
Information Week: RIM has fixed the BlackBerry Enterprise Server PDF vulnerability.
That’s all folks. Have a great day. Kevin
Technorati Tags: vulnerability, perimeter, web appsec, memory, keys, google tech talk, crackme, laptop
Storm's-a-Brewin': How Many Clouds Are You Going to Need? [Rational Survivability] Posted: 21 Jul 2008 01:03 PM CDT For the second time in some months, Amazon's S3 (Simple Storage Service), one of the most "invisibly visible" examples of the intersection of Web 2.0 and cloud computing, has suffered some noticeable availability hiccups. Or, if you prefer to use Amazon's vernacular, "elevated error rates" ;) Many well-known companies such as Twitter rely upon content hosted via Amazon's S3, which is billed as offering the following capabilities:
It's not realistic to think that infrastructure as complex as this won't suffer service disruption, but one has to wonder what companies who rely on the purported resiliency of the "cloud" from a single provider do in cases where, like its namesake, the skies open up and the service takes a dump? I'll go one further. If today you happen to use S3 for content hosting and wanted like-for-like functionality and service resiliency with a secondary provider, would your app stack allow you to pull it off without downtime? What happens if your apps are hosted in a cloud, too? Sounds like a high-pressure front to me... Next up: "CPE Security Is Dead(?): All Hail Security in the Cloud(?)" ;) /Hoff
Extended Laundry List - July 21, 2008 [Security Incite Rants] Posted: 21 Jul 2008 11:36 AM CDT I'm back.... But I also have a lot of catching up to do, and I'm not going to be able to get through all the news and blog posts that accumulated without comment while I was away. So I figure I'll do a little extended laundry list action today and maybe Wednesday (perhaps even Friday if I'm so motivated) to at least point to the things I found interesting. The Extended Laundry List
Virtualization and information-centric security [Data-Centric Protection and Management] Posted: 21 Jul 2008 11:33 AM CDT Many more of the customers I talk to are focused on virtualization as a core infrastructure strategy. They obviously want to know more about how this will affect how they look at security. While I am not the expert on anti-virus/malware, NAC, intrusion prevention etc., one area that I get excited about is the data protection implications of this trend... As devices get abstracted and pushed to the background, it appears we are left, at the core, with applications and data. The interactions between the two dictate productivity, security et al. In this context, an information-centric security paradigm becomes even more important. There are no devices to lock down (these will be virtual - appearing and disappearing as required). Much of the data will be accessed from virtual containers. Therefore, protecting the data itself, regardless of the applications, the devices, the networks, will become crucial in this evolving landscape...