Spliced feed for Security Bloggers Network |
Is there any reason to go to Black Hat still? [StillSecure, After All These Years] Posted: 23 Jul 2008 06:41 AM CDT I was reading the Security Bloggers Network feed this morning. I had missed a day or so and had a lot of articles to go through. I was also thinking of what could be the next topic suggested for members to blog about as part of our cross-promotion with Black Hat. Then I realized there really was not any need. The topic was obvious, DNS. I didn't do an actual count of how many times it was mentioned (as Mr Bump did with NAC vendors mentioned in the Information Week NAC survey), but there had to be at least a dozen and a half, if not more, articles on the great DNS leak of 2008. Dan Kaminsky's research was exemplary, but his naivete about people keeping the exploit under their hat was not. While Thomas Matasano apologized for his mistake, frankly from the moment Halvar Flake began speculating on it, it was just a matter of time. Anyway, the cat is out of that bag, but something tells me that Dan K's presentation will still be a standing-room-only crowd in just a few weeks in Vegas. But beyond that there are still a bunch of good topics to be discovered at Black Hat. Not to mention lots of social activities brewing for both BH and DefCon. I am really looking forward to it. I would hope that no one is letting the air out of the balloon on this one! |
San Francisco Mayor Regains Control of the Network [Darknet - The Darkside] Posted: 23 Jul 2008 05:42 AM CDT In the story we recently covered where Terry Childs had locked San Francisco officials out of their own network, there is a new development. He’s handed over the passcode to the Mayor, Gavin Newsom. It seems he came to his senses and he also seems to have VERY little faith in the IT administration for the [...] Read the full post at darknet.org.uk |
Kaminsky’s DNS Flaw Exposed Early, Attackers Working Furiously [Infosecurity.US] Posted: 22 Jul 2008 11:50 PM CDT Late today, details of the DNS Flaw, publicized so thoroughly in the security media (and soon to be announced at BlackHat by Dan Kaminsky, but not early), were “inadvertently” leaked on the primary site of security company Matasano. Evidently, the post was ‘quickly pulled down’. A bit ironic, you say (a security company betraying the trust, eh)? Perhaps premeditated, we say. Now that the flaw is out in the open, many sites are being served by exploitable DNS platforms. [2] DoxPara Research |
Network Security Podcast, Episode 113 [Network Security Blog] Posted: 22 Jul 2008 11:10 PM CDT I’m off in the cheese capital of the world, Wisconsin. And unluckily, that means my audio sounds like crap. We’ll work on something better for next week, but this was the best we could do tonight. Network Security Podcast Episode 113, July 22, 2008 This posting includes an audio/video/photo media file: Download Now |
Coming Up: NAC Sauces & 1X Vulnerabilities [Security Uncorked] Posted: 22 Jul 2008 11:09 PM CDT Per requests, and as part of the ‘ask JJ’ responses, I’ve been working on a couple of blog post series for you. I’m juggling blog-moving with blog-posting and trying to find the happy medium. Coming soon though, are two NAC/1X series I hope you’ll enjoy… NAC Vendor Sauce Series: Fishing out Features 802.1X Vulnerabilities: Designing for Security # # # |
When your hotel does funerals [StillSecure, After All These Years] Posted: 22 Jul 2008 10:45 PM CDT So another week, another travel nightmare. This week I am in the DC area for a few days, then flying over to Ohio and then back home. Staying in the DC/Northern Va area I made hotel reservations through our corporate Expedia account (which is now called Egencia BTW). Though it is fine for airline reservations, I regret it every time I make a hotel reservation on Expedia. This time I reserved a room at the Virginian Suites. I had never heard of it, but it was only $158, which is really cheap for around here. It had 3 stars and sounded good, so I booked it. I arrived tonight and as I pulled up I have to say that I thought I made a good choice. It is a converted apartment building and every room is actually a studio type of apartment. It has free parking and is located near where I have meetings in Arlington. I gave my name at the desk and they had my reservation, looking good! I was given keys to room 707 and headed on up. I got to room 707 and tried to open the door. No luck, the keys didn't work. After a moment or two of trying to make the keys work, the door opens and the guy who is staying in the room wants to know what I am doing trying to get in. Well I was reminded of an old Robert Schimmel comedy routine and ran away from there as fast as I could. I went back down to the desk and told them what happened. The woman at the desk apologized, she meant to write room 700, not 707. While I am waiting for her to correct this and issue new keys, I am looking at the schedule of events at the hotel today. That is when I notice that one of the main events of the day was someone's funeral! That's right, it seems the hotel is used for funerals in the area. That just freaked me out. Now I am getting Six Feet Under deja vu here. I don't know, call me squeamish, but I just don't feel good about staying at a hotel that doubles as a funeral home. 
To top it off, the Internet access here sucks. It is so slow that I am watching the paint dry. Maybe I should go down and catch a funeral or two while I wait for a page to load. In any event, I think this will be the last time I stay here. I just can't wait for what the rest of this week brings! |
Free, Free, Free [BumpInTheWire.com] Posted: 22 Jul 2008 09:58 PM CDT VMware announced ESXi will be FREE effective July 28th. Oh snap! When Microsoft announced that Hyper-V would be $28 I remember thinking “28 bucks? Why not just give it away?” VMware must have been monitoring my thoughts that day. |
This is what I got out of the 2008 NAC Survey [BumpInTheWire.com] Posted: 22 Jul 2008 09:51 PM CDT The 2008 NAC Survey is out and has been talked about on a couple of my stops on the Internet. Namely Alan’s and JJ’s blogs. I figured what the hell, I’d download it for free and give it a once over. As I gave it a once over, mostly looking at graphs and survey results, I kept noticing the word “Cisco”. Funny how I read Playboy for the articles yet I read the 2008 NAC Survey for the pictures. I digress…this made me ask a very important question. How many times was each NAC vendor mentioned in the survey? I came up with the numbers below in a very simple way. I used the handy dandy binoculars in Adobe Reader and did a simple search. If a company included multiple words, such as Nevis Networks, I searched for “Nevis.” The results were not surprising. Cisco Systems - 65 Anybody care to guess which company and/or companies advertise most with Information Week? *** That is way too many hyperlinks to add in one post! I was regretting doing this post about halfway down the list. |
SecuraByte Episode 1: DNS Haiku [SecuraBit] Posted: 22 Jul 2008 09:30 PM CDT Today we introduce a new portion of the show: SecuraBytes. SecuraBytes are unannounced episodes, they could be last minute interviews or just more beer induced security speak. So, without further ado, here is the first SecuraByte from the SecuraBit Podcast. “Introducing haiku-DNS: [laughing corruption collapsing kittens gallop nectars forgiving] = usa.gov” - Chris Wesley McGrew of McGrew [...] This posting includes an audio/video/photo media file: Download Now |
HP's NAC- What I've Been Wanting to Tell You (but couldn't) [Security Uncorked] Posted: 22 Jul 2008 05:29 PM CDT Well everyone- there’s something I’ve been wanting to tell you and now, after a year, I can! Because of non-disclosure and other confidentiality contracts with various partners, vendors and manufacturers, we’ve had sealed lips for almost exactly 12 months. Now that it’s been made public by the media, I can share a little information with you and explain why I think you should be excited. What cat is out of the bag now? HP ProCurve’s network access control solution leverages endpoint management technology from StillSecure’s Secure Access solution. Information Week spilled the beans, so to speak, in Mike Fratto’s recent 2008 NAC Survey Analytic Report. (See page 32) Now, at this point, I can probably lump you into one of three groups… 1) You don’t care or have no clue what this means 2) You care but think this means HP ‘has no NAC’… or group 3) You know about StillSecure’s success and ProCurve’s integration and think this is a great combination. I’m sure everyone will have their own opinion- I happen to be in Group 3. Why? Because HP has taken the power of their servers, leveraged a very solid endpoint management tool and incorporated a variety of other management and security features by way of their identity management solution.
I think the strong integration with the infrastructure and the ability to leverage a mature endpoint integrity will make HP a ‘real’ player in the NAC market moving forward. Not to knock other NAC solutions- Choosing a NAC is like selecting the perfect wine for your dish- there’s no 1 ‘right’ choice for all occasions. Each has its advantages and disadvantages. There are several that have special sauces and you’ll actually be seeing more on that soon… # # # |
DoD and ODNI: New Software Licensing Model [Infosecurity.US] Posted: 22 Jul 2008 05:25 PM CDT The U.S. Department of Defense and the Office of the Director of National Intelligence announced (via a joint memorandum) a new, streamlined, monolithic methodology to manage computer software licenses |
Infoworld’s Venezia: Rogue City of San Francisco IT Admin Update [Infosecurity.US] Posted: 22 Jul 2008 05:24 PM CDT Paul Venezia, blogger of “The Deep End” at InfoWorld updates us on the sad tale of Terry Childs, an IT Admin gone afoul of the law. Also, read further updates from Paul Venezia regarding the Childs case. |
Indecipherable Letter Befuddles Cryptographers [Infosecurity.US] Posted: 22 Jul 2008 03:05 PM CDT Wired’s ThreatLevel Blogger Kim Zetter has posted (on July 15, 2008) a tremendous puzzle for those so inclined. A letter sent in 2007 to the Fermi National Accelerator Laboratory has, for all intents and purposes, befuddled everyone who has come in contact with it. |
Posted: 22 Jul 2008 02:18 PM CDT Hope (Hackers On Planet Earth) Conference: The Princeton/Wind River/EFF team comprised of J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten have released their memory research tools at The HOPE conference in Boston. You can download the research paper from the Infosecurity.US Repository, or at Princeton. |
Linus Torvalds on Security [Digital Soapbox - Security, Risk & Data Protection Blog] Posted: 22 Jul 2008 01:34 PM CDT Linus Torvalds doesn't get it... or does he? What?... Linus Torvalds (yes, the guy that "invented Linux") has this post off the gmane.linux.kernel newsgroup, which appears to be a rant against security people and the bugs which keep us employed and the world a darker place. Read that article again, and then take it into context - he's writing about kernel issues here. Fortify (although I don't always agree with their tools and methods) is out there saying that caution should be undertaken before deploying Open-Source tools in the enterprise, and this guy is out there saying that security is no more important than a random crash. I admit, the first time I read that I was furious, and really wanted to tear him a new one for being so idiotic... but then I thought about it more. Since Linus is speaking in the context of kernel development it has to be assumed he's talking about catastrophic crashes that can take down a *business* potentially when random evil things happen in an enterprise installation of Linux. I understand that a non-security bug can cause very serious damage to a business too... but come on, are you seriously comparing it to a major flaw in the code which can pwn a server, a database, or an entire enterprise? Obviously. Let me further expand. Linus - I honestly don't know what to think after this statement... as I don't think the security profession "encourages the wrong behavior"... "...one reason I refuse to bother with the whole security circus is that I think it glorifies - and thus encourages - the wrong behavior." While I don't agree that security people aren't "heroes" ... I can see how ordinary bug-hunters whose bugs aren't security bugs are just as important and should receive just as much notoriety, so the following quote annoys me a little. 
"It makes "heroes" out of security people, as if the people who don't just fix normal bugs aren't as important." Yes, every bug is important - but the ones that are security bugs can cause (and here's the key) stealthy financial losses to the tune of billions. If a server crashes, odds are you or your business will notice immediately, if it's important enough. If a server is hacked and funds or transactions are being siphoned off... you'll likely never know because of the nature of a security bug. Before you even reach for the comment button - yes - I do accept that there are things like rounding bugs or errors in code that would otherwise silently pilfer money in an indirect way such as performance bugs or calculation bugs... but that's much less likely (by my calculations and experience, anyway). Let's move on. "In fact, all the boring normal bugs are _way_ more important, just because there's a lot more of them. I don't think some spectacular security hole should be glorified or cared about as being any more "special" than a random spectacular crash due to bad locking." OK - now he's just talking out his behind. I couldn't possibly disagree more, and not just because I've dedicated my career to security. What strikes true here with me, and it's something that I've been saying for a long time, is the following quote. Read and re-read it... see if it catches you the same way it caught me. "Security people are often the black-and-white kind of people that I can't stand." Fascinating. I actually agree with Linus here, partially. I say partially because there is a large wave of us that are working our tails off helping to strike a balance between the "security" and "business" aspects of what we do. We're working very hard to eliminate this notion that we see in black and white - but maybe we're not doing enough or the message isn't getting out there fast enough. 
This is perhaps the one thing in this post from Linus that makes me think that we as security practitioners have a long way to go before we're fully accepted into the IT/business world without yelling about the sky falling. As a final note, Linus drops this nugget of his wisdom which I have been thinking about, but unfortunately still can't find a way to agree with. "To me, security is important. But it's no less important than everything *else* that is also important!" I suspect it's because of the slant I have being from this industry, or maybe something else in me... but security is and should be at the top of the list. Now... granted that without "functionality" being good all the security in the world is stupid. As I've always said... "If it don't work, what's there to secure?" |
Quickdraw Event Categories [Digital Bond] Posted: 22 Jul 2008 01:17 PM CDT Quickdraw is Digital Bond’s DHS funded security project to develop an application that will generate security log events for PLCs and other legacy field devices with little or no security event logging capability. While evaluating the technical requirements necessary to capture the security events identified for Quickdraw, Martin Solum and I came up with some event categories to help to understand how much specific knowledge would be necessary to implement each event. The diversity in control system platforms and applications is well-known, especially the large number of legacy equipment that will be deployed in the field for the foreseeable future. This also means that many security events that are common in Enterprise computing are manifested in strange and mysterious ways in Industrial Control. Some events are quite generic - all PLC and DCS systems allow the user to upload a control application. Others, such as a user authentication system, may not be implemented by a system in a particular configuration. Finally, many events that have relevance to the state of security of the system are specific to the control application itself, such as changing a setpoint of a critical process variable. To manage these differences, three event categories were determined: System Events, Device Events and Application Events. The most generic category is System Events. A system event is one that is implemented, in some form or another, in all control systems. An example of a System Event would be an invalid address in a message since all networked control systems must have some mechanism to identify hosts. Device Events represent security events specific to the type of controlling devices in the system. Some devices implement a “locking” mechanism that prevents changes to ladder logic or setpoints, where others don’t. This is especially true for devices involved in safety systems like logic solvers. 
Other Device Events could be the absence of a heartbeat message or uploading of device firmware. The presence of a user authentication system is determined by the equipment and its configuration, and so all authentication events would fall into this category. Application Events are the most specific and require contextual knowledge of the control application running on the system. Setpoint and register data can be sensitive and accessing these values often has implications for the state of the system. Knowing that a setpoint is modified to a dangerous value is something definitely worth detecting, but changes to the application would require updates to the IDS rules that detect the change. Of course, nothing is ever clear-cut when you have as much diversity as we do in process control. Some events will fall into multiple categories, like updates to configuration files that may be device or application specific. There are definitely some interesting questions that need answering. The conclusion of this particular conversation was the selection of some initial events that the first alpha of Quickdraw will detect. They include software upload, software download, firmware upload, PLC Lock and PLC Unlock. If anyone has a preference for the specific events they’d like to see implemented sooner rather than later, or has any other input for Quickdraw and the events we ought to be logging, please leave us some comments! |
Episode 1 of SecuraByte [Network Security Blog] Posted: 22 Jul 2008 12:51 PM CDT So I’m sitting in my hotel room miles and miles from home last night and I got an IM from Rob Fuller inviting me to hop on Skype and be part of the premiere episode of SecuraBytes. Similar to some of the microcasts Rich and I do for special events, over at Securabit they’re doing quick and dirty podcasts whenever there’s an incident or event that requires it. And the current DNS mess is definitely an event that requires it. We were joined by Wesley McGrew from McGrew Security; he was the guy who not only knows about the vulnerability but actually understands it enough to explain it in plain English. Or as plain as security geeks get. Thanks for inviting me to join you last night guys. Hopefully we’ll meet at Black Hat/DefCon. |
Litchfield: Critical Oracle Security Flaw Announced, Fixed [Infosecurity.US] Posted: 22 Jul 2008 10:59 AM CDT David Litchfield, of NGS Software, in the UK, has released news of a critical Oracle (NasdaqGS: ORCL) security flaw, and includes paths to the patch. |
One More Thing... Defining Energy Independence [The Falcon's View] Posted: 22 Jul 2008 10:00 AM CDT |
Don't Believe the Drilling Myth [The Falcon's View] Posted: 22 Jul 2008 09:47 AM CDT |
Decisions, Decisions... [Vitalsecurity.org - A Revolution is the Solution] Posted: 22 Jul 2008 09:46 AM CDT |
Update on the DNS Vulnerability: 0-day [Security Uncorked] Posted: 22 Jul 2008 09:20 AM CDT A quick update on the DNS vulnerability. Based on posts and Twitters last night from Dan and the snippets of information I gleaned from fellow Security Twits and bloggers… I think we are all aware that the DNS vulnerability is now out in the open. The team that discovered the vulnerability was due to release details of the exploit at BlackHat (in 2 weeks). However, someone has reverse-engineered the vulnerability and released the details. The contents, or portions of the exploit were accidentally posted on a very prominent security blog yesterday then quickly removed. (Don’t ask, that’s a whole ‘nother story). If you haven’t patched your DNS server(s), please see my previous DNS vulnerability post, follow the links included for more information and instructions. Consider yourself now at risk. # # # |
When Admins Go Bad [The Falcon's View] Posted: 22 Jul 2008 09:15 AM CDT |
Don't-Miss NAC Events This Week [Security Uncorked] Posted: 22 Jul 2008 08:59 AM CDT FYI, thanks for bearing with me these couple of weeks. I spent a week in a lab with no Internet access at all, which made blogging life (and actually ALL life) very difficult. Upon returning, I’ve been in the process of following up on the DNS vulnerability which has now been accidentally released. And, as I mentioned in an earlier post, I’m smack in the middle of moving this blog to a new, fuller-featured platform. I did want to make sure you have a couple of important links and info! There are a couple of don’t-miss webcasts and events this week if you’re interested in NAC technologies.
If you want to read the report, you can download the entire Information Week 2008 NAC Report by Mike Fratto free, for a limited time. The report covers all the main NAC vendor offerings and contains a variety of interesting survey results. You’ll be hearing from me soon about the contents of the report and my thoughts on the product details, roadmaps and features. Enjoy! # # # |
Quick thoughts on using the iPhone 3G [StillSecure, After All These Years] Posted: 22 Jul 2008 08:36 AM CDT So I got my iPhone 3G on Friday morning and have been using it for a few days now. I have never used one before, don't use an iPod or even a Mac computer. The iPhone was incredibly easy to use and without using any manuals I quickly had most everything working and downloaded a bunch of apps from the app store. Over all, the iPhone just is really nice to use and in many ways very easy, polished and intuitive. In other ways, it is still missing some key features in my book:
I do like the phone, the iPod MP3 and camera and the overall "feel" of the phone. Went to the Apple store in the mall (which was jam packed) and bought a rubberized case, but was unable to get a phone car charger for it yet. I ordered one for 5 bucks on Amazon and will see if it works. All in all, things are OK but I am going to withhold my final verdict for a while yet. |
July Podcast: This Month in Control System Security [Digital Bond] Posted: 22 Jul 2008 07:29 AM CDT Joining me in the July Edition of This Month In Control System Security:
This month’s topics are:
I recorded a brief interview with Joe Weiss to preview his event in August - - and managed to wipe it out. Very sorry to Joe who was kind enough to spend time on the interview, but the podcast ends with a brief preview of Joe’s event and the PCSF annual meeting. These are two of the larger events in this space. Information on the events is available at:
Podcast Info: We have made it easier for you to get Digital Bond’s podcasts. Or you can subscribe to the Podcast RSS Feed. This posting includes an audio/video/photo media file: Download Now |
Insiders…. (Part One) [Ascension Blog] Posted: 22 Jul 2008 06:32 AM CDT My apologies in advance for this being such a long post. I've held off commenting on the case of a disgruntled San Francisco administrator who was jailed for launching his own denial of service attack on his employer. Initially the reason was that I didn't want to make a post that simply repeated what everyone else was saying. You see the Insider Threat is one that is personal to me. My wife lost her job as a result of what was very likely the work of a malicious insider. I'm interested in what motivates this type of individual, the patterns of behavior, and what companies can do to reduce the likelihood that a malicious insider can impact their business. I've spent the week or so since I've heard of this most recent case reflecting on the insider threat and reviewing some research material that I've come across over the years. I started a project a few years ago during my master's program but have let it sit around since I graduated. Now may be the time to dust off the research and revisit the topic. This will be the first post in a multi-part series on the insider threat and possibly how it can be managed within an organization. But first my story: When I first started in this business, my wife was able to get me a job with her company in the network support group. We worked for a medium sized company in the Washington D.C. suburbs. The support department was pretty small; only five people doing everything from answering the phone and running desktop support calls to server and infrastructure administration. We were it so we did it all. This is where I cut my teeth. Since no one else wanted the responsibility, I took over the firewalls, routers, and the security aspects of the company DMZ. I learned a lot in those days and ended up getting a GIAC certification to fill in some of the gaps in my knowledge. 
Things went well and when the company decided to migrate from Novell to Windows 2000 I was asked to prepare a security briefing for the IT steering committee. My boss and I worked on a strategy to segregate the company's information and control access via least privilege. (Pretty standard really) The problem is that we were shot down. The division heads wanted the free flow of information so that people could "collaborate." Everyone in their respective divisions could access any of the other work going on within the division and at times across divisions. As work on various projects would ebb and flow, resources were transferred from one project to another and back again, necessitating access to different types of information. The division heads did not want to disrupt their ability to do this. We explained that this situation was normal and that while our plan would restrict access it wouldn't hamper anyone's ability to do their work. A request for a change in access could be responded to within one business day in most cases, two days in rare circumstances. We were still denied – nothing should interfere with the work being done. In hindsight I also think that they were uncomfortable with the fact that we could audit and track what was being done with their information. This was an organization that grew up from a "mom and pop" type beginning and grew organically. Everyone was trusted and any threat was perceived to be from outside. About four months prior to these discussions someone new showed up at work. This was an individual who had worked as a subcontractor for the company on one short term project and was known to a division head. He just started showing up every morning, got someone to let him in, and squatted in an office. Since the office wasn't being used at the time he received permission to use that office. They liked having him around "in case" work requiring his skills came up. Let's call him "Joe." 
“Joe” was a very nice older gentleman. He was soft spoken and apparently well liked among the staff on that floor. We found out that he wasn't an employee when he called in a trouble ticket for his computer not being able to print. The problem was that he didn't have a log in thus he wasn't able to map the print queue. We reported this to our boss and when he went upstairs to investigate the division head, a vice president, said we shouldn't worry about it. She apparently liked having staff that didn't impact her overhead when they didn't have work. So we documented this and moved on. "Joe" figured out how to map the printer directly so his issue was solved. (We were running Windows 98 workstations that allowed guest access and any device with an internal IP could surf the web. Yup, we lost those battles too. Again this was against corporate culture.) Within a year "Joe" was hired on full time and worked on some projects in the same division as my wife. As work would ebb and flow, he tried to get onto a few projects but apparently he had worn out his welcome because some projects preferred to work shorthanded rather than take him on. Nothing much was thought about "Joe" really and I had all but forgotten about him. After a few years I had progressed as far as I could and although I knew I'd miss my colleagues and the company it was time to move on. I moved on to a systems integrator across town to start my new life as a consultant. A few months after I left my wife and I found out that we were expecting our first born. We were excited and began planning on the future. My wife still worked at my former company. She was the Deputy Project Manager for a multi-million dollar government contract. The company was very family friendly and since the project was set up to pretty much run itself they agreed that it would be alright for her to step back from the project for a year and then come back. We were overjoyed. 
We trimmed our budget to the bare minimum so that we could save her paycheck. We needed to have some savings if she was going to stay at home to raise our son the first year. We made it eleven months as our son decided to show up a month early. While my wife was home with our son, the contract she was working for came up for its normal recompete. The government had already awarded all of its option years and by law had to recompete it. No one was concerned. Everyone at the government agency loved the work that was being done as well as the people working on the project. Everyone working with the federal government at the state and local level loved the work that was being done. The company went into this recompete about as strong as any company could. Little did they know about what "Joe" was doing. You see "Joe" was apparently upset that he wasn't allowed to work on certain projects and that he wasn't promoted into a senior management position. He shared his frustration with management but when his concerns went unanswered he kept his feelings to himself. About the time the Request for Proposals (RFP) was released by the government, "Joe" resigned and went to work for another company in the next county. Surprisingly enough, this same company bid against my wife's company on the RFP although they had no previous experience doing that sort of work or working for this government agency. Apparently they had the right answers because they were able to successfully win the RFP with a slightly lower bid. Oh yeah, and while "Joe" wasn't named on their proposal response, he ended up having a senior position on that account. (According to unofficial sources from the government agency.) Coincidence? Perhaps, but experience tells me that it was unlikely. The resulting aftermath was that most of the people that worked on that project were laid off. 
Had my wife still officially been on maternity leave they would have had to find something for her to do but she had changed that status two months previously to "on-call" for a reason that escapes me right now. Subsequently she was also laid off. Did "Joe" take valuable project information to his new company? Honestly, no one will ever be able to prove it. The principle of least privilege wasn't followed when setting up access. Everyone was pretty much given access to everything within the company. The network group wasn't allowed the resources to audit access to critical information. There are any number of plausible scenarios but the one that has "Joe" copying all the proprietary information on the project then leaving for a position with a competitor who ended up being awarded the work is the most plausible. What triggers this sort of behavior? I'm not sure anyone can say for sure but in the coming weeks I'll explore this concept. In Part Two I'm going to look at some research that has been conducted into the insider threat as well as how people act and learn in groups in an attempt to build a basis for Part Three which will deal with how these concepts can be applied to help an organization properly manage the insider threat. |
Posted: 22 Jul 2008 05:24 AM CDT OK, so the news is out. Someone has figured out what it is that Dan Kaminsky discovered in DNS that has so many people concerned. Now that we know what the problem is, that means that the bad guys know. If the bad guys know, it's only a matter of hours (quite possibly by now) before an exploit is released into the wild. That is bad news. Even if you have patched your servers it could be bad news for you. Why? Because your DNS server relies on other DNS servers to tell it where web sites are. If your DNS server gets bad information from a compromised DNS server, it's game over. What are the chances that your DNS server will communicate with an unpatched, vulnerable DNS server? My guess is that the chances are pretty good. If you look at my little poll (which is a very small sampling of my readers and an extremely small sampling of those who manage DNS servers worldwide), 42% have not patched their servers yet because they are still testing the patch. This number hopefully is smaller by now since they have had time to complete testing. What has me worried is all of those who manage DNS servers and don't follow blogs, tech news sites and other forms of communication that would get the word to them. How are they going to know to patch their servers? I've not seen anything in the mainstream media talking about this. Vendors don't have a good way of communicating with customers when problems such as this arise, especially those who download free software that doesn't require registration. There is a lot of speculation around the release of the details of the issue. Should Halvar Flake have posted his speculations on his blog? Should the blogger at Matasano have posted his reply (which was promptly removed from the site)? People are arguing about whether or not Halvar was right or wrong in what he did. Others are complaining because Dan didn't release more details to the public. 
There is a place for all of this bickering and speculation, but now is not the time. Now is the time to ensure that everyone patches their DNS servers and that we get the word out so that everyone knows that this needs to be done. So get on the phone, compose emails, use Twitter or any way you can to make sure that all of your friends and contacts who manage DNS servers know about this. Call your ISP and ask them if they have patched yet, and if they haven't then consider using a DNS server that you know has been patched. You can use OpenDNS or another ISP's DNS servers that you know have been patched. Those of you who manage DNS servers may want to consider clamping down on who you allow your DNS servers to communicate with. This is a standard good practice anyway, but now you may want to be even more careful. I'm not crying "the sky is falling" and I'm not trying to spread FUD (fear, uncertainty and doubt), but this has the potential to be bad. It is something that needs to be taken seriously and dealt with. When you get this many people who are respected in the industry all saying the same thing, then it needs to be heeded. When you get this many vendors working together to release a patch simultaneously, then we need to apply the patch. |
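The "clamp down on who your DNS servers communicate with" advice in the post above, shown as an added BIND 9 named.conf example (not the author's configuration): an open resolver next to one that only performs recursion for known clients. The 192.0.2.0/24 range is a documentation placeholder standing in for your own client networks.

```conf
// Added example (not from the original post): limiting which clients a
// BIND 9 recursive resolver will perform lookups for. 192.0.2.0/24 is a
// placeholder; substitute the networks your resolver actually serves.

// --- Weak: an open resolver that recurses for anyone on the Internet ---
// options {
//     recursion yes;
//     allow-recursion { any; };
// };

// --- Corrected: recursion and cache reads limited to trusted clients ---
acl "trusted" {
    127.0.0.1;        // the resolver host itself
    192.0.2.0/24;     // placeholder for internal client networks
};

options {
    recursion yes;
    allow-recursion   { trusted; };   // only these clients get recursive lookups
    allow-query-cache { trusted; };   // only they may read answers already cached
    allow-query       { trusted; };   // on a pure resolver, refuse everyone else
};
```

Check the syntax with named-checkconf before reloading named; clients outside the ACL then receive REFUSED instead of a recursive answer.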