Wednesday, July 23, 2008

Spliced feed for Security Bloggers Network


Is there any reason to go to Black Hat still? [StillSecure, After All These Years]

Posted: 23 Jul 2008 06:41 AM CDT

I was reading the Security Bloggers Network feed this morning. I had missed a day or so and had a lot of articles to go through. I was also thinking of what could be the next topic suggested for members to blog about as part of our cross-promotion with Black Hat.  Then I realized there really was not any need.  The topic was obvious, DNS. I didn't do an actual count of how many times it was mentioned (as Mr Bump did with NAC vendors mentioned in the Information Week NAC survey), but there had to be at least a dozen and a half, if not more articles on the great DNS leak of 2008. 

Dan Kaminsky's research was exemplary, but his naivete about people keeping the exploit under their hat was not.  While Thomas Matasano apologized for his mistake, frankly from the moment Halvar Flake began speculating on it, it was just a matter of time. 

Anyway, the cat is out of that bag, but something tells me that Dan K's presentation will still be a standing room only crowd in just a few weeks in Vegas.  But beyond that there are still a bunch of good topics to be discovered at Black Hat.  Not to mention lots of social activities brewing for both BH and DefCon.  I am really looking forward to it. I would hope that no one is feeling the air out of the balloon on this one!




San Fransisco Mayor Regains Control of the Network [Darknet - The Darkside]

Posted: 23 Jul 2008 05:42 AM CDT

In the story we recently covered where Terry Childs had locked San Fransisco officials out of their own network, there is a new development. He’s handed over the passcode to the Mayor, Gavin Newsom. It seems he came to his senses and he also seems to have VERY little faith in the IT administration for the [...]

Read the full post at darknet.org.uk

Kaminsky’s DNS Flaw Exposed Early, Attackers Working Furiously [Infosecurity.US]

Posted: 22 Jul 2008 11:50 PM CDT

Late today, details of the DNS Flaw, publicized so thoroughly in the security media, (and soon to be announced at BlackHat by Dan Kaminsky, but not early), were “inadvertently” leaked on the primary site of security company Matasano. Evidently, the post was ‘quickly pulled down’. A bit ironic, you say (a security company betraying the trust, eh)? Perhaps premeditated, we say. Now that the flaw is out in the open, many sites are being served by exploitable DNS platforms.
Time to forward everything to OpenDNS. Do it now folks, you will be glad you did.


Network Security Podcast, Episode 113 [Network Security Blog]

Posted: 22 Jul 2008 11:10 PM CDT

I’m off in the cheese capital of the world, Wisconsin. And unluckily, that means my audio sounds like crap. We’ll work on something better for next week, but this was the best we could do tonight.

Show Notes:

Network Security Podcast Episode 113, July 22, 2008


Coming Up: NAC Sauces & 1X Vulnerabilities [Security Uncorked]

Posted: 22 Jul 2008 11:09 PM CDT

Per requests, and as part of the ‘ask JJ’ responses, I’ve been working on a couple of blog post series for you.

I’m juggling blog-moving with blog-posting and trying to find the happy medium. Coming soon though, are two NAC/1X series I hope you’ll enjoy…

NAC Vendor Sauce Series: Fishing out Features
Each NAC solution on the market has its own special NAC ‘sauce’, a feature that sets it apart, or makes it better for certain situations, than others. This series highlights the advantages of each solution and includes Juniper, Cisco, Symantec, Enterasys, ProCurve, StillSecure, Napera along with a few others.

802.1X Vulnerabilities: Designing for Security
Often, users put too much stake in 802.1X, relying on it too heavily in many circumstances. There are vulnerabilities with 1X, but most can be mitigated or avoided with smart planning. This series describes various vulnerabilities with 802.1X, gives you details on each and provides information on how to protect yourself from them. To get started, check out my 802.1X Technology Primer.

# # #

When your hotel does funerals [StillSecure, After All These Years]

Posted: 22 Jul 2008 10:45 PM CDT

So another week, another travel nightmare.  This week I am in the DC area for a few days, then flying over to Ohio and then back home.  Staying in the DC/Northern Va area I made hotel reservations through our corporate Expedia account (which is now called Egencia BTW). Though it is fine for airline reservations, I regret it every time I make a hotel reservation on Expedia.  This time I reserved a room at the Virginian Suites. I had never heard of it, but it was only $158, which is really cheap for around here.  It had 3 stars and sounded good, so I booked it.

I arrived tonight and as I pulled up I have to say that I thought I made a good choice. It is a converted apartment building and every room is actually a studio type of apartment. It has free parking and is located near where I have meetings in Arlington. I gave my name at the desk and they had my reservation, looking good!  I was given keys to room 707 and headed on up.  I got to room 707 and tried to open the door.  No luck, the keys didn't work. After a moment or two of trying to make the keys work, the door opens and the guy who is staying in the room wants to know what I am doing trying to get in. Well I was reminded of an old Robert Schimmel comedy routine and ran away from there as fast as I could. 

I went back down to the desk and told them what happened.  The woman at the desk apologized, she meant to write room 700, not 707.  While I am waiting for her to correct this and issue new keys, I am looking at the schedule of events at the hotel today.  That is when I notice that one of the main events of the day was someone's funeral!  That's right, it seems the hotel is used for funerals in the area.  That just freaked me out.  Now I am getting Six Feet Under deja vu here.  I don't know, call me squeamish, but I just don't feel good about staying at a hotel that doubles as a funeral home. To top it off, the Internet access here sucks. It is so slow that I am watching the paint dry.  Maybe I should go down and catch a funeral or two while I wait for a page to load.  In any event, I think this will be the last time I stay here.  I just can't wait for what the rest of this week brings!

NoVA Sec Infosec Meetup Event - Thursday, 07-24: Geospatial Intrusion Detection [NovaInfosecPortal.com]

Posted: 22 Jul 2008 10:19 PM CDT

Here is some information regarding this week’s Thursday NoVA Sec infosec meetup event. Note that the Labs are located at the north-west side of the building.

Free, Free, Free [BumpInTheWire.com]

Posted: 22 Jul 2008 09:58 PM CDT

VMware announced ESXi will be FREE effective July 28th.  Oh snap!  When Microsoft announced that Hyper-V would be $28 I remember thinking “28 bucks?  Why not just give it away?”  VMware must have been monitoring my thoughts that day.

This is what I got out of the 2008 NAC Survey [BumpInTheWire.com]

Posted: 22 Jul 2008 09:51 PM CDT

The 2008 NAC Survey is out and has been talked about on a couple of my stops on the Internet.  Namely Alan’s and JJ’s blogs.  I figured what the hell, I’d download it for free and give it a once over.  As I gave it a once over, mostly looking at graphs and survey results, I kept noticing the word “Cisco”.  Funny how I read Playboy for the articles yet I read the 2008 NAC Survey for the pictures.  I digress…this made me ask a very important question.  How many times was each NAC vendor mentioned in the survey?  I came up with the numbers below in a very simple way.  I used the handy dandy binoculars in Adobe Reader and did a simple search.  If a company included multiple words, such as Nevis Networks, I searched for “Nevis.”  The results were not surprising.

Cisco Systems - 65
Microsoft - 56
Consentry Systems - 20
Hewlett-Packard/HP - 20
Juniper Networks - 20
Nevis Networks - 18
Enterasys Networks - 13
Symantec - 13
InfoExpress - 10
Forescout Technologies - 9
Impulse Point - 9
Napera Networks - 9
StillSecure - 9
Mirage Networks - 8
Bradford Networks - 7
Sophos - 6

Anybody care to guess which company and/or companies advertise most with Information Week?

*** That is way too many hyperlinks to add in one post!  I was regretting doing this post about halfway down the list.

SecuraByte Episode 1: DNS Haiku [SecuraBit]

Posted: 22 Jul 2008 09:30 PM CDT

Today we introduce a new portion of the show: SecuraBytes. SecuraBytes are unannounced episodes, they could be last minute interviews or just more beer induced security speak. So, without further ado, here is the first SecuraByte from the SecuraBit Podcast. “Introducing haiku-DNS: [laughing corruption collapsing kittens gallop nectars forgiving] = usa.gov” - Chris Wesley McGrew of McGrew [...]


HP's NAC- What I've Been Wanting to Tell You (but couldn't) [Security Uncorked]

Posted: 22 Jul 2008 05:29 PM CDT

Well everyone- there’s something I’ve been wanting to tell you and now, after a year, I can!

Because of non-disclosure and other confidentiality contracts with various partners, vendors and manufacturers, we’ve had sealed lips for almost exactly 12 months. Now that it’s been made public by the media, I can share a little information with you and explain why I think you should be excited.

What cat is out of the bag now? HP ProCurve’s network access control solution leverages endpoint management technology from StillSecure’s Secure Access solution. Information Week spilled the beans, so to speak, in Mike Fratto’s recent 2008 NAC Survey Analytic Report. (See page 32)

Now, at this point, I can probably lump you into one of three groups… 1) You don’t care or have no clue what this means 2) You care but think this means HP ‘has no NAC’… or group 3) You know about StillSecure’s success and ProCurve’s integration and think this is a great combination.

I’m sure everyone will have their own opinion- I happen to be in Group 3. Why? Because HP has taken the power of their servers, leveraged a very solid endpoint management tool and incorporated a variety of other management and security features by way of their identity management solution.

  • The endpoint security. StillSecure’s Safe Access solution has been winning awards and earning stars for years. You can probably Google it, or check out some of Shimel’s blog  posts, such as this one, with 4- and 5-star reviews from SC Magazine. In fact, just this year (and in previous years) Safe Access was voted Best Endpoint Security Solution by SC Magazine and has won numerous other awards and accolades from various analysts and media firms. They have a clean, user-friendly GUI, a solid Linux platform and a variety of testing methods, deployment options and switch integrations. (And no, you don’t need ProCurve switches, the NAC integration is ready for your Cisco, Extreme, or whatever you have).
  • User management. Combine one of the highest-rated endpoint security solutions with ProCurve switches, the #2 leader in the switching market (and Magic Quadrant resident) and the full integration with ProCurve’s Identity Driven Manager platform and you have one amazingly capable access control system. With ProCurve IDM, you can integrate directly with their NAC 800 appliance to offer per-user (or per-group) ACLs, QoS, restrictions or privileges. Rules can be identity-based, time-based, location-based, or a combination of all. And, IDM eases 802.1X integration by offering users a central management and repository for user settings and VLAN assignments; it really is ProCurve’s special sauce and a distinguishing feature.
  • Switch security. The integration of advanced switch security functions, such as DHCP snooping, Dynamic ARP protection and dynamic IP lockdown gives ProCurve another leg-up to fight common known attacks for both in-line and out-of-band NAC deployments.
  • Zero-day protection. It gets better, the new Dynamic Configuration Arbiter (DCA) functions in ProCurve’s Pro-vision switches give customers the unique advantage of integrating the NAC and IDM with ProCurve’s Network Immunity Solution (NIM). NIM uses flow analysis from sFlow and network behaviour anomaly detection (NBAD) to detect and automatically remediate on the edge. In English, that means we can use ProCurve’s NIM to detect attacks and take action at the edge port, such as blocking the port, locking out the MAC address of the offender, rate-limiting, or even mirroring the traffic to an IDS for further inspection. The super-nice part is, all the sFlow and NBAD works on wireless too. (Hey Stiennon, did you hear that?)
  • Full integration. Unlike some of the other network-based NAC vendors, ProCurve has done an exceptional job of integrating these features and we’ll continue to see more integration in future revisions of the softwares and as more TNC/TCG integration frameworks are released (such as IF-MAP).

I think the strong integration with the infrastructure and the ability to leverage a mature endpoint integrity will make HP a ‘real’ player in the NAC market moving forward.

Not to knock other NAC solutions- Choosing a NAC is like selecting the perfect wine for your dish- there’s no 1 ‘right’ choice for all occasions. Each have their advantages and disadvantages. There are several that have special sauces and you’ll actually be seeing more on that soon…

# # #

DoD and ODNI: New Software Licensing Model [Infosecurity.US]

Posted: 22 Jul 2008 05:25 PM CDT

The U.S. Department of Defense and the Office of the Director of National Intelligence announced (via a joint memorandum) a new, streamlined, monolithic methodology to manage computer software licenses.

Infoworld’s Venezia: Rogue City of San Francisco IT Admin Update [Infosecurity.US]

Posted: 22 Jul 2008 05:24 PM CDT

Paul Venezia, blogger of “The Deep End” at InfoWorld updates us on the sad tale of Terry Childs, an IT Admin gone afoul of the law.

Also, read further updates from Paul Venezia regarding the Childs case.

Indecipherable Letter Befuddles Cryptographers [Infosecurity.US]

Posted: 22 Jul 2008 03:05 PM CDT

Wired’s ThreatLevel Blogger Kim Zetter has posted (on July 15, 2008) a tremendous puzzle for those so inclined. A letter sent in 2007 to the Fermi National Accelerator Laboratory has, for all intents and purposes, befuddled everyone who has come in contact with it.

Perhaps it is an artifact from the future, like the scrap of paper found by the acolyte, in a ‘fallout-shelter’ in the book A Canticle for Leibowitz!

Hope Update: Princeton Researchers Release Cold Boot Encryption Key Attack Source Code [Infosecurity.US]

Posted: 22 Jul 2008 02:18 PM CDT

Hope (Hackers On Planet Earth) Conference: The Princeton/Wind River/EFF team comprised of J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten have released their memory research tools at The HOPE conference in Boston. You can download the research paper from the Infosecurity.US Repository, or at Princeton.

Linus Torvalds on Security [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 22 Jul 2008 01:34 PM CDT

Linus Torvalds doesn't get it... or does he?

What?... Linus Torvalds (yes, the guy that "invented Linux") has this post off the gmane.linux.kernel newsgroup, which appears to be a rant against security people and the bugs which keep us employed and the world a darker place. Read that article again, and then take it into context - he's writing about kernel issues here.

Fortify (although I don't always agree with their tools and methods) is out there saying that caution should be undertaken before deploying Open-Source tools in the enterprise, and this guy is out there saying that security is no more important than a random crash. I admit, the first time I read that I was furious, and really wanted to tear him a new one for being so idiotic... but then I thought about it more.

Since Linus is speaking in the context of kernel development it has to be assumed he's talking about catastrophic crashes that can take down a *business* potentially when random evil things happen in an enterprise installation of Linux. I understand that a non-security bug can cause very serious damage to a business too... but come on, are you seriously comparing it to a major flaw in the code which can pwn a server, a database, or an entire enterprise?

Obviously. Let me further expand.

Linus - I honestly don't know what to think after this statement... as I don't think the security profession "encourages the wrong behavior"...
"...one reason I refuse to bother with the whole security circus is that I think it glorifies - and thus encourages - the wrong behavior."
While I don't agree that security people aren't "heroes" ... I can see how ordinary bug-hunters that aren't security bugs are just as important and should receive just as much notoriety, so the following quote annoys me a little.
"It makes "heroes" out of security people, as if the people who don't just fix normal bugs aren't as important."
Yes, every bug is important - but the ones that are security bugs can cause (and here's the key) stealthy financial losses to the tune of billions. If a server crashes, odds are you or your business will notice immediately, if it's important enough. If a server is hacked and funds or transactions are being siphoned off... you'll likely never know because of the nature of a security bug. Before you even reach for the comment button - yes - I do accept that there are things like rounding bugs or errors in code that would otherwise silently pilfer money in an indirect way such as performance bugs or calculation bugs... but that's much less likely (by my calculations and experience, anyway). Let's move on.
"In fact, all the boring normal bugs are _way_ more important, just because there's a lot more of them. I don't think some spectacular security hole should be glorified or cared about as being any more "special" than a random spectacular crash due to bad locking."
OK - now he's just talking out his behind. I couldn't possibly disagree more, and not just because I've dedicated my career to security.

What strikes true here with me, and it's something that I've been saying for a long time, is the following quote. Read and re-read it... see if it catches you the same way it caught me.
"Security people are often the black-and-white kind of people that I can't stand."
Fascinating. I actually agree with Linus here, partially. I say partially because there is a large wave of us that are working our tails off helping to strike a balance between the "security" and "business" aspects of what we do. We're working very hard to eliminate this notion that we see in black and white - but maybe we're not doing enough or the message isn't getting out there fast enough. This is perhaps the one thing in this post from Linus that makes me think that we as security practitioners have a long way to go before we're fully accepted into the IT/business world without yelling about the sky falling.

As a final note, Linus drops this nugget of his wisdom which I have been thinking about, but unfortunately still can't find a way to agree with.
"To me, security is important. But it's no less important than everything *else* that is also important!"
I suspect it's because of the slant I have being from this industry, or maybe something else in me... but security is and should be at the top of the list. Now... granted that without "functionality" being good all the security in the world is stupid.

As I've always said... "If it don't work, what's there to secure?"

Quickdraw Event Categories [Digital Bond]

Posted: 22 Jul 2008 01:17 PM CDT

Quickdraw is Digital Bond’s DHS funded security project to develop an application that will generate security log events for PLCs and other legacy field devices with little or no security event logging capability.  While evaluating the technical requirements necessary to capture the security events identified for Quickdraw, Martin Solum and I came up with some event categories to help to understand how much specific knowledge would be necessary to implement each event.

The diversity in control system platforms and applications is well-known, especially the large number of legacy equipment that will be deployed in the field for the foreseeable future.  This also means that many security events that are common in Enterprise computing are manifested in strange and mysterious ways in Industrial Control.  Some events are quite generic - all PLC and DCS systems allow the user to upload a control application.  Others, such as a user authentication system, may not be implemented by a system in a particular configuration.  Finally, many events that have relevance to the state of security of the system are specific to the control application itself, such as changing a setpoint of a critical process variable.

To manage these differences, three event categories were determined: System Events, Device Events and Application Events.  The most generic category is System Events.  A system event is one that is implemented, in some form or another, in all control systems.  An example of a System Event would be an invalid address in a message since all networked control systems must have some mechanism to identify hosts.

Device Events represent security events specific to the type of controlling devices in the system.  Some devices implement a “locking” mechanism that prevents changes to ladder logic or setpoints, where others don’t.  This is especially true for devices involved in safety systems like logic solvers.  Other Device Events could be the absence of a heartbeat message or uploading of device firmware.  The presence of a user authentication system is determined by the equipment and its configuration, and so all authentication events would fall into this category.

Application Events are the most specific and require contextual knowledge of the control application running on the system.  Setpoint and register data can be sensitive and accessing these values often has implications for the state of the system.  Knowing that a setpoint is modified to a dangerous value is something definitely worth detecting, but changes to the application would require updates to the IDS rules that detect the change.

Of course, nothing is ever clear-cut when you have as much diversity as we do in process control.  Some events will fall into multiple categories, like updates to configuration files that may be device or application specific.  There are definitely some interesting questions that need answering.

The conclusion of this particular conversation was the selection of some initial events that the first alpha of Quickdraw will detect.  They include software upload, software download, firmware upload, PLC Lock and PLC Unlock.  If anyone has a preference for the specific events they’d like to see implemented sooner rather than later, or has any other input for Quickdraw and the events we ought to be logging, please leave us some comments!
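The three categories above map cleanly onto three kinds of knowledge a detector needs: a host table (System), a device-type vocabulary (Device) and process-specific limits (Application). The following is an added example that is not Digital Bond's Quickdraw code; the message format, the host table, the operation names and the setpoint limits are all constructed for illustration. It classifies a handful of observed messages and also shows the absence-of-heartbeat case, which is a Device Event because it needs to know which devices emit heartbeats.

```python
"""Added example (not Digital Bond's Quickdraw code): classify observed
control-system messages into the three Quickdraw event categories.
The message format, the host table, the operation vocabulary and the
setpoint limits are all constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Category(Enum):
    SYSTEM = "system"            # implemented in every networked control system
    DEVICE = "device"            # depends on the controller type / configuration
    APPLICATION = "application"  # needs knowledge of the control application


@dataclass(frozen=True)
class Message:
    """One observed message (constructed format, not a real protocol decode)."""
    src: str                        # source address
    dst: str                        # destination device address
    op: str                         # operation seen on the wire
    register: Optional[str] = None  # register / setpoint name for reads and writes
    value: Optional[float] = None   # value written


@dataclass(frozen=True)
class SecurityEvent:
    category: Category
    name: str
    detail: str


# System Event knowledge: the addresses that belong to this network (constructed).
KNOWN_HOSTS = {"10.0.0.1", "10.0.0.2", "10.0.0.50"}

# Device Event knowledge: the operations named for the first alpha, including the
# lock/unlock mechanism that only some controllers implement.
DEVICE_OPS = {
    "software_upload": "Software upload",
    "software_download": "Software download",
    "firmware_upload": "Firmware upload",
    "plc_lock": "PLC Lock",
    "plc_unlock": "PLC Unlock",
}

# Application Event knowledge: safe range per setpoint. Only the control engineer
# can supply these, and they change whenever the application does, which is the
# rule-maintenance burden the post points out. Constructed values.
SETPOINT_LIMITS: Dict[str, Tuple[float, float]] = {
    "reactor_temp_sp": (20.0, 90.0),
    "pump_speed_sp": (0.0, 1500.0),
}


def classify(msg: Message) -> List[SecurityEvent]:
    """Return every Quickdraw-style event a single message gives rise to."""
    events: List[SecurityEvent] = []
    # System Event: every networked control system can identify its hosts
    if msg.src not in KNOWN_HOSTS or msg.dst not in KNOWN_HOSTS:
        events.append(SecurityEvent(Category.SYSTEM, "Invalid address",
                                    f"{msg.src} -> {msg.dst}"))
    # Device Event: the security meaning depends on the device type
    if msg.op in DEVICE_OPS:
        events.append(SecurityEvent(Category.DEVICE, DEVICE_OPS[msg.op],
                                    f"from {msg.src} on {msg.dst}"))
    # Application Event: needs the process-specific safe range
    if (msg.op == "write_register" and msg.register in SETPOINT_LIMITS
            and msg.value is not None):
        lo, hi = SETPOINT_LIMITS[msg.register]
        if not lo <= msg.value <= hi:
            events.append(SecurityEvent(Category.APPLICATION,
                                        "Setpoint out of safe range",
                                        f"{msg.register}={msg.value} "
                                        f"(allowed {lo}..{hi})"))
    return events


def heartbeat_events(last_seen: Dict[str, float], now: float,
                     max_gap: float) -> List[SecurityEvent]:
    """Absence of a heartbeat is a Device Event: it requires knowing which
    devices emit heartbeats and how often (max_gap is constructed)."""
    return [SecurityEvent(Category.DEVICE, "Heartbeat missing",
                          f"{dev} silent for {now - t:.0f}s")
            for dev, t in last_seen.items() if now - t > max_gap]


# Constructed sample traffic: a normal read, a read from an unknown host, a
# firmware upload, an out-of-range setpoint write and an in-range write.
SAMPLE = [
    Message("10.0.0.1", "10.0.0.50", "read_register", "reactor_temp_sp"),
    Message("192.168.9.9", "10.0.0.50", "read_register", "reactor_temp_sp"),
    Message("10.0.0.2", "10.0.0.50", "firmware_upload"),
    Message("10.0.0.1", "10.0.0.50", "write_register", "reactor_temp_sp", 150.0),
    Message("10.0.0.1", "10.0.0.50", "write_register", "pump_speed_sp", 900.0),
]

if __name__ == "__main__":
    for m in SAMPLE:
        for ev in classify(m):
            print(f"[{ev.category.value}] {ev.name}: {ev.detail}")
    for ev in heartbeat_events({"10.0.0.2": 0.0, "10.0.0.50": 90.0}, 100.0, 30.0):
        print(f"[{ev.category.value}] {ev.name}: {ev.detail}")
```

The split makes the post's point concrete: `KNOWN_HOSTS` and `DEVICE_OPS` can ship with a generic tool, while `SETPOINT_LIMITS` has to be filled in per plant and revised with every application change.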

Episode 1 of SecuraByte [Network Security Blog]

Posted: 22 Jul 2008 12:51 PM CDT

So I’m sitting in my hotel room miles and miles from home last night and I got an IM from Rob Fuller inviting me to hop on Skype and be part of the premiere episode of SecuraBytes. Similar to some of the microcasts Rich and I do for special events, over at Securabit they’re doing quick and dirty podcasts whenever there’s an incident or event that requires it. And the current DNS mess is definitely an event that requires it. We were joined by Wesley McGrew from McGrew Security; he was the guy who not only knows about the vulnerability but actually understands it enough to explain it in plain English. Or as plain as security geeks get.

Thanks for inviting me to join you last night guys. Hopefully we’ll meet at Black Hat/DefCon.


Litchfield: Critical Oracle Security Flaw Announced, Fixed [Infosecurity.US]

Posted: 22 Jul 2008 10:59 AM CDT

David Litchfield, of NGS Software, in the UK, has released news of a critical Oracle (NasdaqGS: ORCL) security flaw, and includes paths to the patch.

One More Thing... Defining Energy Independence [The Falcon's View]

Posted: 22 Jul 2008 10:00 AM CDT

Just another quick thought... we should be seeking to become energy independent, meaning not only being independent of foreign oil, but also independent of non-renewable energy sources. Shifting from foreign oil to mythological domestic oil is not a sustainable solution,...

Don't Believe the Drilling Myth [The Falcon's View]

Posted: 22 Jul 2008 09:47 AM CDT

I just saw a McCain ad that explicitly blamed Barack Obama for the rising pricing of oil and gas because of his opposition to opening more domestic drilling. Not only is this a ludicrous accusation, but it is of course...

Decisions, Decisions... [Vitalsecurity.org - A Revolution is the Solution]

Posted: 22 Jul 2008 09:46 AM CDT


Oh man, so much awesome spam to choose from....

Update on the DNS Vulnerability: 0-day [Security Uncorked]

Posted: 22 Jul 2008 09:20 AM CDT

A quick update on the DNS vulnerability.

Based on posts and Twitters last night from Dan and the snippets of information I gleaned from fellow Security Twits and bloggers… I think we are all aware that the DNS vulnerability is now out in the open.


The team that discovered the vulnerability was due to release details of the exploit at BlackHat (in 2 weeks). However, someone has reverse-engineered the vulnerability and released the details. The contents, or portions of the exploit were accidentally posted on a very prominent security blog yesterday then quickly removed. (Don’t ask, that’s a whole ‘nother story).

If your DNS server has not been patched, you are vulnerable now. More info on Dan’s (discoverer’s) site. You’ll notice his 13 > 0 post... letting us know instead of 13 days you now have 0.

If you haven’t patched your DNS server(s), please see my previous DNS vulnerability post, follow the links included for more information and instructions. Consider yourself now at risk.

# # #
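Both this post and the Infosecurity.US item above say the same thing: if the resolver is unpatched, it is exposed now. The vendor patches for this flaw added randomization of the UDP source port on outbound queries alongside the transaction ID, so one thing a defender can check is whether their resolver actually shows that behaviour. The following is an added example, not part of either post: it scores a sample of a resolver's outbound queries for fixed, sequential or low-entropy source ports and transaction IDs. The three 16-query samples are constructed; in practice the pairs would come from a packet capture of the resolver's own outbound traffic, and the 0.75 entropy-ratio threshold is an assumption.

```python
"""Added example (not from the original posts): assess whether a resolver's
outbound queries show randomized UDP source ports and transaction IDs.
The query samples below are constructed; real input would be (port, txid)
pairs taken from a capture of the resolver's outbound traffic."""
import math
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Query = Tuple[int, int]   # (UDP source port, DNS transaction ID)


def entropy_bits(values: Iterable[int]) -> float:
    """Shannon entropy of the observed value distribution, in bits."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_sequential(values: List[int]) -> bool:
    """True when every value is exactly one more than the previous one."""
    return len(values) > 1 and all(b - a == 1 for a, b in zip(values, values[1:]))


def assess(queries: List[Query], min_ratio: float = 0.75) -> Dict[str, object]:
    """Score a sample of outbound queries. Entropy is compared with the
    maximum possible for the sample size (log2 n), so a short capture whose
    values are all distinct scores 1.0. min_ratio is an assumed threshold."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    n = len(queries)
    max_bits = math.log2(n) if n > 1 else 1.0
    port_bits = entropy_bits(ports)
    id_bits = entropy_bits(txids)
    reasons: List[str] = []
    if len(set(ports)) == 1:
        reasons.append("fixed source port")
    elif is_sequential(ports):
        reasons.append("sequential source ports")
    elif port_bits / max_bits < min_ratio:
        reasons.append("low source-port entropy")
    if len(set(txids)) == 1:
        reasons.append("fixed transaction ID")
    elif is_sequential(txids):
        reasons.append("sequential transaction IDs")
    elif id_bits / max_bits < min_ratio:
        reasons.append("low transaction-ID entropy")
    return {
        "samples": n,
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": port_bits,
        "txid_entropy_bits": id_bits,
        "verdict": "weak" if reasons else "randomized",
        "reasons": reasons,
    }


# Constructed samples of 16 outbound queries each.
_TXIDS = [0x1a2b, 0x7c4e, 0x3f91, 0xd05a, 0x2e87, 0x9b13, 0x66f0, 0x0c39,
          0xe4a7, 0x51d2, 0xb8c6, 0x2775, 0xf9e1, 0x4d08, 0xa3bc, 0x8e54]
# Unpatched behaviour 1: every query leaves from port 53.
UNPATCHED_FIXED_PORT: List[Query] = [(53, t) for t in _TXIDS]
# Unpatched behaviour 2: the OS hands out ephemeral ports in order.
UNPATCHED_SEQUENTIAL: List[Query] = [(1024 + i, t) for i, t in enumerate(_TXIDS)]
# Patched behaviour: a fresh random high port per query.
_PORTS = [34512, 51877, 40211, 60043, 33109, 49876, 57321, 38990,
          45002, 61777, 36544, 52108, 41369, 58700, 47255, 55031]
PATCHED: List[Query] = list(zip(_PORTS, _TXIDS))

if __name__ == "__main__":
    for label, sample in (("fixed port", UNPATCHED_FIXED_PORT),
                          ("sequential", UNPATCHED_SEQUENTIAL),
                          ("patched", PATCHED)):
        r = assess(sample)
        print(f"{label:>10}: {r['verdict']} {r['reasons']}")
```

A short capture cannot prove the port selection is cryptographically random, only that it is not obviously fixed or sequential; also remember that a NAT device in front of the resolver can rewrite source ports and undo the randomization, so the capture should be taken on the Internet-facing side.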

When Admins Go Bad [The Falcon's View]

Posted: 22 Jul 2008 09:15 AM CDT

You've undoubtedly heard by now about the San Fran net admin who refused to give up sole control of the network, and thus was thrown into the pokey to compel him to cooperate. Network World has a great article that...

Don't-Miss NAC Events This Week [Security Uncorked]

Posted: 22 Jul 2008 08:59 AM CDT

FYI, thanks for bearing with me these couple of weeks. I spent a week in a lab with no Internet access at all, which made blogging life (and actually ALL life) very difficult. Upon returning, I’ve been in the process of following up on the DNS vulnerability which has now been accidentally released. And, as I mentioned in an earlier post, I’m smack in the middle of moving this blog to a new, fuller-featured platform.


I did want to make sure you have a couple of important links and info! There are a couple of don’t-miss webcasts and events this week if you’re interested in NAC technologies.

  • Live Debate from Network World: Snyder vs Stiennon- Duel of the NAC Experts
    Tuesday, July 22nd, 3:00pm Eastern More info
  • 2008 NAC Survey from Information Week: Mike Fratto reviews the 2008 Report
    Wednesday, July 23rd, 2:00pm Eastern More info

If you want to read the report, you can download the entire Information Week 2008 NAC Report by Mike Fratto free, for a limited time. The report covers all the main NAC vendor offerings and contains a variety of interesting survey results. You’ll be hearing from me soon about the contents of the report and my thoughts on the product details, roadmaps and features. 

Enjoy!

# # #

Quick thoughts on using the iPhone 3G [StillSecure, After All These Years]

Posted: 22 Jul 2008 08:36 AM CDT

So I got my iPhone 3G on Friday morning and have been using it for a few days now. I have never used one before, don't use an iPod or even a Mac computer.  The iPhone was incredibly easy to use and without using any manuals I quickly had almost everything working and downloaded a bunch of apps from the app store. 

Over all, the iPhone just is really nice to use and in many ways very easy, polished and intuitive. In other ways, it is still missing some key features in my book:

  1. Sort and filter email by date, sender, etc.
  2. Select more than one mail at a time to delete, move, copy.  Yes I know you can go to edit and select messages to work on, but you still have to select them one at a time. In Windows Mobile you can just run your finger over multiple messages to complete this.
  3. Deleting duplicate contacts in bulk.  Doing them one at a time is just painful.
  4. A task manager. I would like to see some list that shows me which apps are running, how many resources they are using, battery usage and stuff like that.  Also to shut down running apps.
  5. Better calendar integration. I tried to click on and open calendar items, but it just does not seem to work.
  6. The battery sucks! I am not getting more than about 6 to 7 hours of battery time. I think I have to turn off the push for my Exchange email.  This is much less than I was getting on my Windows Mobile phone.

I do like the phone, the iPod MP3 and camera and the overall "feel" of the phone. Went to the Apple store in the mall (which was jam packed) and bought a rubberized case, but was unable to get a phone car charger for it yet.  I ordered one for 5 bucks on Amazon and will see if it works.

All in all, things are OK but I am going to withhold my final verdict for a while yet.


July Podcast: This Month in Control System Security [Digital Bond]

Posted: 22 Jul 2008 07:29 AM CDT

Joining me in the July Edition of This Month In Control System Security:

This month’s topics are:

  • Lobbying Congress and government agencies on control system security. Who should be lobbying? What should they ask the government to do? What happens when there is no community consensus on lobbying goals or activities?
  • VMware and virtualization in control systems. Where should an asset owner be looking to deploy virtualization this year? In two to three years? What are the risks of implementing virtualization? What are the virtualization benefits that are important to control systems?
  • What, if anything, is missing from the growing number of control system security events?

I recorded a brief interview with Joe Weiss to preview his event in August - - and managed to wipe it out. Very sorry to Joe who was kind enough to spend time on the interview, but the podcast ends with a brief preview of Joe’s event and the PCSF annual meeting. These are two of the larger events in this space. Information on the events is available at:

Direct link to the podcast.

Podcast Info:

We have made it easier for you to get Digital Bond’s podcasts.

Subscribe via iTunes.

Or you can subscribe to the Podcast RSS Feed.


Insiders…. (Part One) [Ascension Blog]

Posted: 22 Jul 2008 06:32 AM CDT

My apologies in advance for this being such a long post. 

I've held off commenting on the case of a disgruntled San Francisco administrator who was jailed for launching his own denial of service attack on his employer.  Initially the reason was that I didn't want to make a post that simply repeated what everyone else was saying.   You see the Insider Threat is one that is personal to me.  My wife lost her job as a result of what was very likely the work of a malicious insider.  I'm interested in what motivates this type of individual, the patterns of behavior, and what companies can do to reduce the likelihood that a malicious insider can impact their business. 

I've spent the week or so since I heard of this most recent case reflecting on the insider threat and reviewing some research material that I've come across over the years.  I started a project a few years ago during my master's program but have let it sit around since I graduated.  Now may be the time to dust off the research and revisit the topic.  This will be the first post in a multi-part series on the insider threat and possibly how it can be managed within an organization.  But first my story:

When I first started in this business, my wife was able to get me a job with her company in the network support group.  We worked for a medium-sized company in the Washington D.C. suburbs.  The support department was pretty small; only five people doing everything from answering the phone and running desktop support calls to server and infrastructure administration.  We were it, so we did it all.  This is where I cut my teeth. 

Since no one else wanted the responsibility, I took over the firewalls, routers, and the security aspects of the company DMZ.  I learned a lot in those days and ended up getting a GIAC certification to fill in some of the gaps in my knowledge.  Things went well and when the company decided to migrate from Novell to Windows 2000 I was asked to prepare a security briefing for the IT steering committee.   My boss and I worked on a strategy to segregate the company's information and control access via least privilege.  (Pretty standard really)  The problem is that we were shot down. 

The division heads wanted the free flow of information so that people could "collaborate."  Everyone in their respective divisions could access any of the other work going on within the division and at times across divisions.  As work on various projects would ebb and flow, resources were transferred from one project to another and back again, necessitating access to different types of information.  The division heads did not want to disrupt their ability to do this. 

We explained that this situation was normal and that while our plan would restrict access it wouldn't hamper anyone's ability to do their work.  A request for a change in access could be responded to within one business day in most cases, two days in rare circumstances.   We were still denied – nothing should interfere with the work being done.   In hindsight I also think that they were uncomfortable with the fact that we could audit and track what was being done with their information.  This was an organization that grew up from a "mom and pop" type beginning and grew organically.  Everyone was trusted and any threat was perceived to be from outside. 

About four months prior to these discussions someone new showed up at work.  This was an individual who had worked as a subcontractor for the company on one short term project and was known to a division head.  He just started showing up every morning, got someone to let him in, and squatted in an office.  Since the office wasn't being used at the time he received permission to use that office.  They liked having him around "in case" work requiring his skills was required.   Let's call him "Joe."

“Joe” was a very nice older gentleman.  He was soft spoken and apparently well liked among the staff on that floor.  We found out that he wasn't an employee when he called in a trouble ticket for his computer not being able to print.  The problem was that he didn't have a login, thus he wasn't able to map the print queue.  We reported this to our boss and when he went upstairs to investigate, the division head, a vice president, said we shouldn't worry about it.  She apparently liked having staff that didn't impact her overhead when they didn't have work.  So we documented this and moved on.  "Joe" figured out how to map the printer directly so his issue was solved.  (We were running Windows 98 workstations that allowed guest access and any device with an internal IP could surf the web.  Yup, we lost those battles too.  Again this was against corporate culture.)

Within a year "Joe" was hired on full time and worked on some projects in the same division as my wife.  As work would ebb and flow, he tried to get onto a few projects but apparently he had worn out his welcome because some projects preferred to work shorthanded rather than take him on.  Nothing much was thought about "Joe" really and I had all but forgotten about him.  After a few years I had progressed as far as I could and although I knew I'd miss my colleagues and the company it was time to move on.  I moved on to a systems integrator across town to start my new life as a consultant. 

A few months after I left, my wife and I found out that we were expecting our firstborn.  We were excited and began planning for the future.  My wife still worked at my former company.  She was the Deputy Project Manager for a multi-million dollar government contract.  The company was very family friendly and since the project was set up to pretty much run itself they agreed that it would be alright for her to step back from the project for a year and then come back.  We were overjoyed.  We trimmed our budget to the bare minimum so that we could save her paycheck.  We needed to have some savings if she was going to stay at home to raise our son the first year.  We made it eleven months as our son decided to show up a month early.

While my wife was home with our son, the contract she was working on came up for its normal recompete.  The government had already awarded all of its option years and by law had to recompete it.  No one was concerned.  Everyone at the government agency loved the work that was being done as well as the people working on the project.  Everyone working with the federal government at the state and local level loved the work that was being done.  The company went into this recompete about as strong as any company could. 

Little did they know about what "Joe" was doing.  You see "Joe" was apparently upset that he wasn't allowed to work on certain projects and that he wasn't promoted into a senior management position.  He shared his frustration with management but when his concerns went unanswered he kept his feelings to himself. 

About the time the Request for Proposals (RFP) was released by the government, "Joe" resigned and went to work for another company in the next county.   Surprisingly enough, this same company bid against my wife's company on the RFP although they had no previous experience doing that sort of work or working for this government agency.  Apparently they had the right answers because they were able to successfully win the RFP with a slightly lower bid.  Oh yeah, and while "Joe" wasn't named on their proposal response, he ended up having a senior position on that account.  (According to unofficial sources from the government agency.)

Coincidence?  Perhaps, but experience tells me that it was unlikely.  The resulting aftermath was that most of the people that worked on that project were laid off.  Had my wife still officially been on maternity leave they would have had to find something for her to do, but she had changed that status two months previously to "on-call" for a reason that escapes me right now.  Subsequently she was also laid off. 

Did "Joe" take valuable project information to his new company?  Honestly, no one will ever be able to prove it.  The principle of least privilege wasn't followed when setting up access.  Everyone was pretty much given access to everything within the company.   The network group wasn't allowed the resources to audit access to critical information.  There are any number of plausible scenarios but the one that has "Joe" copying all the proprietary information on the project then leaving for a position with a competitor who ended up being awarded the work is the most plausible. 

What triggers this sort of behavior?  I'm not sure anyone can say for sure but in the coming weeks I'll explore this concept.  In Part Two I'm going to look at some research that has been conducted into the insider threat as well as how people act and learn in groups in an attempt to build a basis for Part Three which will deal with how these concepts can be applied to help an organization properly manage the insider threat.

DNS Problem [Andy, ITGuy]

Posted: 22 Jul 2008 05:24 AM CDT

OK, so the news is out. Someone has figured out what it is that Dan Kaminsky discovered in DNS that has so many people concerned. Now that we know what the problem is, that means that the bad guys know. If the bad guys know it's only a matter of hours (quite possibly by now) before an exploit is released into the wild. That is bad news.

Even if you have patched your servers it could be bad news for you. Why? Because your DNS server relies on other DNS servers to tell it where web sites are. If your DNS server gets bad information from a compromised DNS server it's game over. What are the chances that your DNS server will communicate with an unpatched, vulnerable DNS server? My guess is that the chances are pretty good. If you look at my little poll (which is a very small sampling of my readers and an extremely small sampling of those who manage DNS servers worldwide) 42% have not patched their servers yet because they are still testing the patch. This number hopefully is smaller by now since they have had time to complete testing.

What has me worried is all of those who manage DNS servers and don't follow blogs, tech news sites and other forms of communication that would get the word to them. How are they going to know to patch their servers? I've not seen anything in the mainstream media talking about this. Vendors don't have a good way of communicating with customers when problems such as this arise, especially those who download free software that doesn't require registration.

There is a lot of speculation around the release of the details of the issue. Should Halvar Flake have posted his speculations on his blog? Should the blogger at Matasano have posted his reply (which was promptly removed from the site)? People are arguing about whether or not Halvar was right or wrong in what he did. Others are complaining because Dan didn't release more details to the public. There is a place for all of this bickering and speculation but now is not the time. Now is the time to ensure that everyone patches their DNS servers and that we get the word out so that everyone knows that this needs to be done.

So get on the phone, compose emails, use Twitter or any way you can to make sure that all of your friends and contacts who manage DNS servers know about this. Call your ISP and ask them if they have patched yet, and if they haven't then consider using a DNS server that you know has been patched. You can use OpenDNS or another ISP's DNS servers that you know have been patched. Those of you who manage DNS servers may want to consider clamping down on who you allow your DNS servers to communicate with. This is a standard good practice anyway, but now you may want to be even more careful.

I'm not crying "the sky is falling" and I'm not trying to spread FUD (fear, uncertainty and doubt), but this has potential to be bad. It is something that needs to be taken seriously and dealt with. When you get this many people who are respected in the industry all saying the same thing then it needs to be heeded. When you get this many vendors working together to release a patch simultaneously then we need to apply the patch.
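One way to audit your own resolver for what the July 2008 patches actually changed (a fresh, random UDP source port for every outbound query instead of one fixed port), as an added example that is not part of Andy's post: it runs over constructed sample log lines in a hypothetical capture format and flags a resolver that keeps reusing a single source port. The log format, the IP addresses and the helper names are all assumptions; adapt `parse_line()` to whatever your firewall log or capture tool really emits.

```python
"""Audit a recursive resolver's outbound queries for UDP source-port
randomization (the behaviour the July 2008 DNS patches introduced).

Example code added to this post, not the author's. The record format is
constructed and hypothetical: one outbound query per line, written as
"<resolver-ip>:<udp-source-port> > <authoritative-ip>:53 id=<txid> q=<name>".
"""
import re
from collections import defaultdict

# Constructed sample capture. 10.0.0.1 sends every query from port 53
# (pre-patch behaviour); 10.0.0.2 draws a fresh high port per query
# (what a patched resolver does). The last line is deliberate noise.
SAMPLE_LOG = """\
10.0.0.1:53 > 192.0.2.10:53 id=0x1a2b q=example.com
10.0.0.1:53 > 192.0.2.11:53 id=0x7f01 q=example.net
10.0.0.1:53 > 192.0.2.12:53 id=0x3c44 q=example.org
10.0.0.1:53 > 192.0.2.10:53 id=0x9e10 q=www.example.com
10.0.0.1:53 > 192.0.2.13:53 id=0x0512 q=mail.example.net
10.0.0.1:53 > 192.0.2.14:53 id=0xb2f7 q=ns1.example.org
10.0.0.1:53 > 192.0.2.10:53 id=0x61aa q=ftp.example.com
10.0.0.1:53 > 192.0.2.15:53 id=0xd003 q=example.edu
10.0.0.2:41372 > 192.0.2.10:53 id=0x2b9c q=example.com
10.0.0.2:58031 > 192.0.2.11:53 id=0x8d12 q=example.net
10.0.0.2:49655 > 192.0.2.12:53 id=0x1f60 q=example.org
10.0.0.2:36820 > 192.0.2.10:53 id=0xa7c3 q=www.example.com
10.0.0.2:60944 > 192.0.2.13:53 id=0x4e05 q=mail.example.net
10.0.0.2:33207 > 192.0.2.14:53 id=0xc9e1 q=ns1.example.org
10.0.0.2:52718 > 192.0.2.10:53 id=0x7088 q=ftp.example.com
10.0.0.2:45190 > 192.0.2.15:53 id=0x3d2f q=example.edu
this line is not a query record and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d{1,5}) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):53 id=0x(?P<txid>[0-9a-fA-F]{4}) q=(?P<qname>\S+)$"
)


def parse_line(line):
    """Return (resolver_ip, source_port, txid) for a query record, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("src"), int(m.group("sport")), int(m.group("txid"), 16)


def ports_by_resolver(log_text):
    """Group the observed UDP source ports by the resolver that sent them."""
    ports = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            src, sport, _txid = rec
            ports[src].append(sport)
    return dict(ports)


def assess_resolver(ports, min_queries=8):
    """Classify one resolver from the list of source ports it was seen using.

    A patched resolver picks a random port per query, so in a small sample
    almost every port is distinct. One fixed port is the pre-patch behaviour.
    Anything in between deserves a look: a NAT or stateful firewall in front
    of the resolver can collapse randomized ports back into a narrow range,
    which undoes the benefit of the patch.
    """
    n = len(ports)
    if n < min_queries:
        return "insufficient data"
    distinct = len(set(ports))
    if distinct == 1:
        return "fixed source port: likely unpatched"
    if distinct / n >= 0.9:
        return "randomized source port: patched behaviour"
    return "low port diversity: investigate (NAT or partial fix?)"


def assess_log(log_text, min_queries=8):
    """Map every resolver seen in the log to a verdict string."""
    return {src: assess_resolver(ports, min_queries)
            for src, ports in ports_by_resolver(log_text).items()}


if __name__ == "__main__":
    for resolver, verdict in sorted(assess_log(SAMPLE_LOG).items()):
        print(f"{resolver}: {verdict}")
```

Capture on the resolver's uplink, not on the resolver itself, so that any port rewriting done by a NAT or firewall in between shows up in the sample; that is the case the "investigate" verdict is there for.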
