Saturday, July 26, 2008

Spliced feed for Security Bloggers Network

Links for 2008-07-25 [] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 26 Jul 2008 12:00 AM CDT

SecuraByte Episode 2 [SecuraBit]

Posted: 25 Jul 2008 03:58 PM CDT

Last night we decided to discuss a little more on the DNS vulnerability issue that’s been the hot topic everywhere in terms of detection and defense.  Thanks to guest Chris Wilson for his invaluable insight into the snort signature we were provided by alexkirk in #snort on We also discussed detection of encrypted traffic on [...]



Yes Virginia there really are HIPAA police [StillSecure, After All These Years]

Posted: 25 Jul 2008 03:01 PM CDT

One of the things that I have never understood about HIPAA is what teeth these regulations have and who is going to enforce them.  There are plenty of firms willing to take your money and rubber-stamp you as HIPAA compliant, but who is going to say you're not HIPAA compliant, and why should you care? Finally, reading this article in Security Bytes, it looks like the federal government has stepped up to enforce HIPAA and has put some bite behind the bark. Providence Health in Seattle was fined $100k by the US Department of Health and Human Services for losing data containing patient information. 


I say good for the HHS!  A few well publicized fines where people had to pay real money will go further in getting people to take HIPAA seriously than all of the other dog barking and warnings that have taken place to date.  The same goes for other regulations and statutes on compliance as well.  Let's hear about some financial sanctions or penalties around PCI and you will see a drastic rise in compliance there as well.  Rules and regulations without enforcement serve no purpose at all and hurt more than they help.


OpenPacket [SecuraBit]

Posted: 25 Jul 2008 12:40 PM CDT

I came across these guys a month or so back when I was looking at topics for one of our shows, and I don’t remember whether I touched on them or not, but this project is definitely worth a second look.  Their community seems small right now, but the idea behind what they’re doing seems [...]


Going to Blackhat? join the “impromptu” onTour Tailgate [The Security Catalyst]

Posted: 25 Jul 2008 11:51 AM CDT

With more details to come soon, we launch the next Catalyst onTour Adventure on Tuesday. After a quick stop at Hershey Park, we’re heading through Ohio to pick up some books and then into KC for the weekend. We’ll arrive in Vegas on Monday.

A few of us have been kicking around pulling together an informal, low-key, low-stress gathering while in BH. Since we’re bringing the RV (the whole point of the onTour approach), this is a good time to work out the “onTour Tailgate” series. 

Since my Tuesday event got cancelled, I am looking at hosting people at our location on Tuesday, 4-7p. This allows time for BH and the evening parties - but also a chance to unwind and meet new people, make some friends, unwind. Depending on when people come in, I’d be happy to consider Wednesday or Thursday, too. (note: if you cannot make it Tuesday but want to meet/speak - shoot me a note and we’ll connect).

I know there are a lot of parties, events with booze and such. I see this as a chance to pull together, meet each other and have some time to kick back. There are no sponsors for the tailgate (though I wouldn’t refuse ‘em); instead, this is a self-supported event where everyone brings something and makes new friends. 


Unless otherwise noted (or encouraged to go a different direction), plan for Tuesday 4pm. Here:


Companies Coming to Vegas

I am working on publishing a criteria list for pitches. I like learning about different solutions - but I want to make it easier to pitch me and explain the value. Look for something in the next 10 days. Meantime, if you’re going to be at BH and want to share your vision - shoot me a note and we’ll connect. I’ve already declared where I’m staying - and happy to meet anyone at the “rolling office.”

So ... Am I? Maybe I Am! [Anton Chuvakin Blog - "Security Warrior"]

Posted: 25 Jul 2008 10:19 AM CDT

Now, a lot of people who work for small businesses called me an idiot for this.

And you know what? Maybe they are right :-)

When I was a sole sysadmin for a small ISP, I didn't share my passwords with management either. They never asked ... but that is not the point. I would not have passed "a bus test", which is "will a business still run if a sysadmin is hit by a bus" [or, "goes rogue", by whatever definition of "rogue"]

Keeping all this in mind, will you accept it if your bank closes its doors until they can figure out what the password is on their database? Didn't think so ...

So, my point was that, in my opinion, it is an unacceptable risk for all but the smallest organizations to have one person who has the power to control access to critical systems AND to place no controls (neither monitoring, auditing nor preventative) on his activity.

AND that is why, back in my ISP days, one day a boss came to me with an old ragged notebook and said "write down the passwords here." I did. The notebook went back into his pocket (and then, presumably, in some more "secure storage," like the back of his closet at home or something :-))

Friday News and Notes [Digital Bond]

Posted: 25 Jul 2008 08:38 AM CDT

  • Dave Teumim has been a lonely evangelist for rail cyber security for a few years, so it is good to see his efforts gain some traction. The American Public Transportation Association has established a Control and Communications Security working group that is well into drafting a “Recommended Practice for Securing Control and Communications Systems in Transit Environments”. A draft for review is planned by year end. Dave is on my podcast interview list for PCSF so stay tuned for more.
  • Wonderware gets nominated for a pwnie award in the Lamest Vendor Response category. I would have nominated Citect over Wonderware.
  • ISA99 is slogging through the difficult work in Part 4: Technical Requirements for Industrial Automation and Control Systems. This is where specific and testable security requirements in ISA99 are located. It looks like Part 4 will be split into multiple parts so something can be issued in the next year. Ballot is out now and is likely to pass.
  • An addition to Digital Bond’s Vulnerability Disclosure Policy: Digital Bond May Disclose To Affected Clients - - We have asset owner clients in a variety of critical infrastructure vertical markets. After security assessment, architecture, policy and other engagements we know their systems well. Digital Bond may disclose vulnerabilities to affected asset owner clients under a NDA that prevents further disclosure.

Security Briefing: July 25th [Liquidmatrix Security Digest]

Posted: 25 Jul 2008 07:19 AM CDT


Good morning. The end of a strange week. I hope to be back to full stride next week with the postings. News is brief this morning but, I’ll update it later on today. In the meantime have a great weekend everyone!


And now, the news…

  1. Drivers licences with chips spark heated debate | CBC
  2. SF Mayor Gets Hacker’s Password in Jailhouse Visit | ABC News
  3. Hacking Caller ID: unblocking blocked phone numbers | CNET
  4. Probe Starts on Hanmail Data Leaks | Korea Times
  5. Saint Mary’s warns patient database compromised | Union Tribune


Links for 2008-07-24 [] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 25 Jul 2008 12:00 AM CDT

An Interesting Read []

Posted: 24 Jul 2008 11:00 PM CDT

I came across this the other day and bookmarked it so I could write about it.  This is a short list of some of Mark Cuban's rules for startups.  I've never started a company and to this point of my career have never been involved in a startup.  I'm sure somebody reading this has and might find this useful. It's a little old but interesting just the same.

DNS Sploit Weaponization [Liquidmatrix Security Digest]

Posted: 24 Jul 2008 08:24 PM CDT

Yeah, a little dramatic

So, unless you’ve been hiding under a rock for the last little while you’ll know that Dan Kaminsky broke DNS in a rather big way.

And you’d know that the gory details hit the tubes of the internet a couple days ago.

Hell, there was even a poem about the whole mess. (bless you Hoff)

Now, the DNS ’sploit has been weaponized. HD Moore and company over at Metasploit have released it. For a full write up on it check out our friend, Nate McFeter’s, blog posting on the DNS exploit. Yes, it is being actively exploited.

This storm has of course reignited the inevitable (and tiresome) disclosure debate. Let me save you the trouble and cut right to the chase…


Consider yourselves warned…again.

OK, I’m tired talking about this subject. What else is going on in the world?


More than 60% of Recursive Name Servers Unpatched - CERT [ARCHIMEDIUS]

Posted: 24 Jul 2008 06:46 PM CDT

The DNS vulnerability drum beat goes on.  Based on a recent CERT Report published today at least 2/3 of Austrian recursive name servers have not yet been patched.   The conclusions are rather grim so far – more than two thirds of the Austrian Internet’s recursive DNS servers are unpatched while at the same time the upgrade adoption [...]

SecuriKey Professional Edition 2.1 [Network Security Blog]

Posted: 24 Jul 2008 05:23 PM CDT

Thanks to Rich, I had an opportunity to write a review of SecuriKey Professional for MacWorld. They sent me the USB key fobs, I played around with it for a couple of weeks on my MacBook Pro, and I generally liked the product. The only thing I wish they’d do is enable whole disk encryption, which may be a future feature. In any case, give it a look and tell me what you think.

By the way, SecuriKey has a Windows version too.


DNS Vulnerability and Process Control [Digital Bond]

Posted: 24 Jul 2008 04:28 PM CDT

In case you haven't heard yet of the massive DNS vulnerability discovered by Dan Kaminsky (US CERT advisory here), don't forget that DNS is as common in process control environments as it is in Enterprise IT, and this advisory affects us just as keenly as our corporate cousins.  How many control systems use DNS to resolve the addresses of PI servers and other infrastructure? Be sure to check and patch your DNS servers!

For reference, the Microsoft patch for this vulnerability is MS08-037 and was released with the July patchset.

On Doomsaying (Terry Childs case) [Anton Chuvakin Blog - "Security Warrior"]

Posted: 24 Jul 2008 02:48 PM CDT

Maybe I should call it "on stupidity" and add it to my "Nobody Is That Dumb... Oh Wait" series?

Really, when I first heard about it, I was like "ah, come on, I am sure the journalists are just mis-reporting it; nobody is that dumb in their approach to system security."

Well, they really were that dumb.

Honestly, on the "blatant disregard of common sense" scale, this is very, very high on the list (many in security agree, some in IT disagree). This is where the words "a huge data security risk" really sound like a mild understatement. 

But you know what is the most scary about this case? The fact that there are MANY organizations who manage their networks the same way: one admin with ALL the access and NONE of the monitoring.

One person + ALL access + NO accountability = you are screwed!

Also, in light of this, do you still think that "insider attacks" is some kinda security vendor propaganda? Well, go tell Terry Childs that :-) Even though some people still think that he is a good guy (more on that on Slashdot)

What also caught my attention is that some retard called his bail ($5m) "ridiculously high." Well, if he was an outside hacker, say a Romanian script kiddie, jailed for hacking the SF network, would they release him for $5m? Maybe not!  Now, do you get that this case is actually MUCH WORSE? A hacker might have gained access to many assets; this guy did have access.

So, think, think, think: CAN YOUR SYSADMINS "0WN" YOUR BUSINESS? (BTW, some people think that IT "owns" you already!)

Are you OK with it?

If not, do something - start logging and monitoring (and then controlling) their actions! If you think you cannot control them, then just monitor; if you think you can neither control nor monitor, then at least log them so they will know that there will be enough good evidence to let them rot in jail for many years ... Or, if you prefer an easier alternative, stop calling your business YOUR business.


On Releasing PoC/'Sploit Code For Near Zero-Day Vulns [Rational Survivability]

Posted: 24 Jul 2008 01:55 PM CDT

One of my responsibilities as security cruise ship entertainment director is to distill the most complex things down into bite-sized digestible nuggets of chewy informative goodness whilst ensuring a good time is had by all.

It is in this spirit that I offer this gem regarding the release of PoC/Exploit code by supposed "whitehats" immediately after the disclosure of a nasty vulnerability.  This post is random, of course, and is in no way a reference to any current event.

This quip was brought to you via Twitter which managed to stay up and functional long enough for me to tweet it:

POC code for near-zero day 'sploits is like SPAM advertising penis-extending drugs...the only dick it's helping is the one writing it...

That is all.


DNS 'sploit - Irresponsible? [Andy, ITGuy]

Posted: 24 Jul 2008 01:24 PM CDT

This whole DNS issue has become a "circus" to put it in the words of Chris Hoff. First there was the ruckus around the fact that Dan Kaminsky was only releasing some details of the vulnerability. People called him names and said unkind things about him. Then he met with a group of people and gave them details. They agreed with him that it was a bad thing and that we needed to patch now. Those who said things about him apologized. Then people started publicly speculating about what the problem could be. Those that knew were sworn to secrecy. The rest of us were left to make our own guesses or talk about what we heard others say it might be. Then Halvar Flake put his cards on the table and the guys at Matasano confirmed his speculation. That opened up a whole new series of discussions. Why did Matasano have a post ready to go? Why did they post it and then retract it? Was it an accidental posting or done purposefully? Some got mad at them and others praised them for giving us the details.

Now HD Moore has released an exploit for Metasploit. This makes it much easier for script kiddies and others to now use this against unpatched DNS servers. It also makes it much easier for the bad guys who don't already have an exploit to get one to use against the rest of us. All of this has led to lots of discussion on the internet and twitter. Should HD Moore have released an exploit? But the bad guys probably already have one, so what does it matter? If he didn't do it someone else would. Etc... Some of the comments are valid and some are just stupid. Some are speculating that HD, the Matasano team and others are trying to steal Dan's BlackHat spotlight. Then there is the whole argument as to whether or not Dan should even have a BlackHat talk planned on this.

I am a proponent of tools such as Metasploit and Core Impact. I think that they serve a good purpose for those of us in information security. I use Metasploit myself to test my systems. Even if they can be used for bad, that doesn't mean that they don't have their place in the world of technology. If we didn't have them to test our systems with then we wouldn't really know how vulnerable we are. But I think that HD stepped over the line with releasing this exploit at this time. There is NO valid reason for it to be released. There are LOTS of other ways to test if your system is vulnerable. You can go to Dan Kaminsky's site and test it there. If it's a Windows machine you can run Windows Update. If it's a *nix system you can check to see when the last patch was applied. Lots of ways besides using Metasploit. Not to mention that it hasn't been that long since the patches were released. Lots of companies haven't patched yet due to testing, apathy, ignorance of the issue, etc. From all I can tell AT&T still has lots of unpatched servers used by the iPhones and DSL service. @Techdulla on Twitter commented that he called his ISP to ask them why they hadn't patched and one of their engineers said "What patch are you referring to?" I'm afraid that is the response of lots of DNS admins.

As security professionals we have to be responsible in how we practice our profession. If not, then we are putting ourselves and our users at risk. We are even putting others at risk with our actions when we are irresponsible. Just as the guys at Matasano were irresponsible for having a ready-to-go post with details on the DNS vulnerability, HD acted irresponsibly by releasing an exploit for this. We can't just do something to be the first one to do it. We have to act in a responsible manner or we risk losing the credibility that we have built within the community of other information security professionals.

Now I'm going to ask your opinion. I'll put up a poll shortly that I'd like you to participate in. Here is the question and the answer choices.

Should HD Moore have released an exploit for the DNS Vulnerability?
A. Yes, we deserve to have it
B. Yes, if he didn't someone else would
C. Yes, the bad guys already have their own
D. No, it was irresponsible of him to do so
E. No, it's too early and several people haven't patched their servers yet.
F. No, we don't need WhiteHat exploits.
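The post above lists ways to check whether a resolver is exposed without running the Metasploit module. What the July 2008 patches changed is that a recursive resolver now sends each outbound query from a random UDP source port, so a spoofed reply has to match roughly 32 bits (port plus transaction id) instead of the 16-bit transaction id alone. The following Python is an added example, not code from this post or from any of the projects or sites it mentions: it rates a resolver you control from a capture of its own outbound queries. The tcpdump line format matched, the verdict thresholds and all sample data are assumptions made for this example.

```python
"""Offline check of DNS resolver source-port randomisation (added example).

Capture the queries a resolver you control sends towards port 53 (for
example with tcpdump on the resolver host), feed the lines to
parse_tcpdump(), and hand the resulting (source_port, txid) pairs to
rate_randomisation().  Assumptions made for this example: the tcpdump
line format below, the verdict thresholds, and the constructed samples.
"""
import math
import random
import re
from collections import Counter

# tcpdump's one-line rendering of an outbound query, e.g.
#   IP 10.0.0.2.41523 > 192.0.2.1.53: 12345+ A? www.example.com. (33)
# group 1 = source port, group 2 = 16-bit transaction id.  Replies
# (which come *from* port 53) do not match and are skipped.
_QUERY_RE = re.compile(r"IP \S+?\.(\d+) > \S+?\.53: (\d+)\+? ")


def parse_tcpdump(lines):
    """Return (source_port, txid) pairs for every query line that matches."""
    pairs = []
    for line in lines:
        m = _QUERY_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def entropy_bits(values):
    """Shannon entropy, in bits, of the observed value distribution."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def looks_sequential(values):
    """True when most consecutive samples differ by a small step: distinct
    but predictable ports are little better than a single fixed port."""
    steps = [b - a for a, b in zip(values, values[1:])]
    small = sum(1 for s in steps if 0 < abs(s) <= 8)
    return bool(steps) and small >= 0.8 * len(steps)


def rate_randomisation(samples):
    """Rate (source_port, txid) pairs captured from one resolver.

    POOR: every query uses one source port, or transaction ids repeat
    FAIR: ports vary but are sequential, narrow, or often reused
    GOOD: ports and transaction ids both look random across the sample
    The thresholds are heuristics chosen for this example.
    """
    if len(samples) < 20:
        raise ValueError("need at least 20 queries for a meaningful verdict")
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    distinct_ports = len(set(ports))
    port_spread = max(ports) - min(ports)
    txid_entropy = entropy_bits(txids)

    if distinct_ports == 1 or txid_entropy < 2.0:
        verdict = "POOR"
    elif (looks_sequential(ports) or port_spread < 4096
          or distinct_ports < 0.9 * len(ports)):
        verdict = "FAIR"
    else:
        verdict = "GOOD"
    return {
        "queries": len(samples),
        "distinct_ports": distinct_ports,
        "port_spread": port_spread,
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "txid_entropy_bits": round(txid_entropy, 2),
        "verdict": verdict,
    }


# Constructed samples (not real captures); the fixed seed keeps them reproducible.
_rng = random.Random(2008)
PATCHED = [(_rng.randint(1024, 65535), _rng.randint(0, 65535)) for _ in range(40)]
FIXED_PORT = [(53, _rng.randint(0, 65535)) for _ in range(40)]         # every query from one port
SEQUENTIAL = [(32768 + i, _rng.randint(0, 65535)) for i in range(40)]  # ports step by one

# Constructed tcpdump-style lines to exercise the parser; the third is a reply.
SAMPLE_CAPTURE = [
    "IP 10.0.0.2.41523 > 192.0.2.1.53: 12345+ A? www.example.com. (33)",
    "IP 10.0.0.2.53 > 192.0.2.1.53: 4660+ A? www.example.net. (33)",
    "IP 192.0.2.1.53 > 10.0.0.2.41523: 12345 1/0/0 A 192.0.2.80 (49)",
]

if __name__ == "__main__":
    for name, data in (("patched", PATCHED), ("fixed port", FIXED_PORT),
                       ("sequential", SEQUENTIAL)):
        print(name, rate_randomisation(data))
    print(parse_tcpdump(SAMPLE_CAPTURE))
```

Forty queries is the minimum worth judging; a resolver that answers from cache will not send outbound queries at all, so query for names it cannot have cached. A "GOOD" verdict only says the resolver randomises ports; a NAT device in front of it that rewrites every outbound query to one port undoes the patch, which is why the capture should be taken on the outside of any NAT as well.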

More on Logging and Accountability [Anton Chuvakin Blog - "Security Warrior"]

Posted: 24 Jul 2008 01:05 PM CDT

Here is a very fun web conference on logs and logging by ISC(2); all sections are interesting, here is what mine is about:

"There are many other mechanisms of accountability in an organization, but logs are the one that pervades all IT. And if your IT is not accountable, your business is neither. Thus, if you tend to not be serious about logs, be aware that you are not serious about accountability. Is that the message your organization wants to be sending? The presentation will cover how logs can be used organization-wide to establish accountability of users, power-users, other IT as well as partners and others accessing systems and using your information. How do you make sure your users are accountable for their actions? How can you track their activities, if needed? How can auditors review the audit trails of various activities? Broad organization-wide log collection and analysis is the way to solve these and other problems related to accountability."


Latest Snort signature to detect DNS vulnerability [SecuraBit]

Posted: 24 Jul 2008 12:40 PM CDT

As many of you already know this DNS vulnerability has taken the community as a whole by storm. For you snort guys out there, here is the latest DNS signature that may help you detect such activity.  Props to alexkirk from the #snort channel for hooking us up! Implement at your own risk! [...]


Yes, AT&T, we mean you! [Network Security Blog]

Posted: 24 Jul 2008 10:24 AM CDT

There’s little or no excuse for someone as big as AT&T to not be patched yet!

Mubix took a shot of his iPhone as proof that AT&T is screwing the pooch on this one. It was suggested recently that the IP shown there might actually be the public IP of the iPhone. Has anyone done any research into this?


It’s all out there [Network Security Blog]

Posted: 24 Jul 2008 09:59 AM CDT

As everyone knows, Matasano accidentally released confirmation of the DNS vulnerability. And rumor has it there's been unstable code to take advantage of it since last week and stable code since earlier this week. And HD Moore has released a Metasploit plugin for the vulnerability. It's in the wild, it's starting to be used, and if you haven't patched already, you need to get it done ASAP. I'll be the first to state I'm not a DNS expert, but the people I've talked to that are say patch immediately.

I have talked to a number of people about Dan’s DNS vulnerability and even most of the people who initially said this event was being overblown are now starting to say patch as quickly as you can. My employer, Trustwave, takes this event seriously enough to send out an alert to our clients, something I haven’t seen them do before. We have some very talented engineers and if they’re taking this seriously, you should too. So quit reading this post and go patch already!

As an aside, Thomas Ptacek and the crew from Matasano were at ChiSec last night, and they’re feeling, or at least acting, very mollified for their part in this debacle. There are a dozen ways they could have handled this better and they know it. But sometimes stuff happens. I gave Thomas a hard time to his face last night, now I’m done harping on him. As Chris Hoff was Twittering last night, there’s a serious problem with the security researcher community where being the first to discover and disclose an incident like this is more important than getting the problem solved for as many companies as possible. And that’s not likely to change any time soon. It’d be nice if it did, but there are too many people who rely on this sort of publicity to fuel their businesses and their egos. Such is human nature.

If you’re still reading this, you better be patched already. And if you work at AT&T, why haven’t you patched the servers my iPhone uses yet?!


Security Briefing: July 24th [Liquidmatrix Security Digest]

Posted: 24 Jul 2008 07:40 AM CDT


Thursday and I’m finally getting back into the swing of things. The bug that was good enough to take up residence and wreck the place seems to have moved on for the most part. Sorry about the low volume.


And now, the news…

  1. DNS Exploit in the Wild | Wired
  2. Facebook to help some programmers, punish others | Associated Press
  3. Is Web 2.0 Security's Achilles Heel? | Tech News World
  4. Pwnie Awards celebrate best and worst of security | The Register
  5. How Secure Is Your Network? NIST Model Knows | Physorg
  6. Most Bank Sites Are Insecure | Information Week
  7. Hackers Attack Businesses, Blogs and Web 2.0 Sites | iStock Analyst
  8. Hong Kong urges tougher controls on patients’ data | Monsters and Critics
  9. Exposing Bush’s historic abuse of power | Salon


Pwnie Award Nominee [GNUCITIZEN]

Posted: 24 Jul 2008 07:36 AM CDT

Yesterday a friend of mine let me know that some of my BT Home Hub security research (details here and here) got nominated for the Pwnie Awards.


At first I thought “oh, that’s cool”, but then I learned the category my research had been nominated to: Most Overhyped Bug. At first I had kind of mixed feelings whether or not I should be happy about it, but to be honest, there is nothing negative about their comments:

"GNUCITIZEN and pagvac initiated a media blitz over this vulnerability which allows a malicious web page to use a CSRF attack to bypass authentication and modify the settings on the most popular home DSL router in the UK. This could allow a remote site to disable your firewall, modify your DNS server settings, or enable remote administration of your router. The bug was real, but it was accompanied by such a massive media campaign that it surely deserves a nomination."

Fair enough, it received a lot of media attention which is true, but we did not actually PR these findings (believe it or not), but rather answered questions formulated by the media mainly via email.

If you are not familiar with the Pwnie Awards, it’s an informal ceremony organized by several known researchers which attempts to highlight the events during the last year in the Infosec industry. This year is only the second edition of the awards. The ceremony is meant to be a bit humorous, as in “making fun of the infosec industry” kind of thing. The winners announcement actually takes place during the BlackHat Vegas briefings. I will definitely do my best to attend the ceremony as Alexander Sotirov told me I was invited. Sweet!

My favorite quote from the Pwnie Awards site is from the “Lifetime Achievement Award” category which states:

Like mathematicians, hackers get off on solving very obscure and difficult to even explain problems. Like models, hackers wear a lot of black, think they are more famous than they are, and their career effectively ends at age 30.

Are we Outrunning the Bear? [Last In - First Out]

Posted: 24 Jul 2008 06:45 AM CDT

Or wasting our time trying?

Amrit's latest post has me thinking about what's been one of our brew pub round table topics lately.

There is an old joke about the hikers who cross paths with a grizzly bear. The first hiker immediately takes off his hiking boots and puts on his running shoes.

The second hiker: "Why are you doing that? You can't outrun the bear."

First hiker: "I don't need to outrun the bear, I only need to outrun you."

In a sense, if hacking today is focused on profit rather than challenge or ego, as perhaps it once was, then the miscreants will likely follow the least cost or least resistance path to their goal (marketable data, marketable botnets). If that is true, our goal needs to be to outrun the other hikers, not the bear.

Fortunately there appears to be a limitless supply of slow hikers (clueless developers, sysadmins, security people and their leadership, or more likely - competent developers, sysadmins and security people led astray by clueless leadership).

We need to focus on outrunning them, not the bear.
