Sunday, July 27, 2008

Spliced feed for Security Bloggers Network

Spliced feed for Security Bloggers Network

Wine Review: 2006 Cellarmaster's Riesling from Columbia Winery [The Falcon's View]

Posted: 26 Jul 2008 10:17 PM CDT

I tried a new Riesling this week, the 2006 Cellarmaster's Riesling from Columbia Winery. Overall, it was decent, though a bit on the sweet side even for me. The bottle says that it "offers fragrant honey, pear and apricot aromas"...

Oh boy, jet lag! [Liquid Information]

Posted: 26 Jul 2008 06:08 PM CDT

Nothing added value in this message, just venting my jet lag frustration.

I have been traveling for almost two weeks in the US. Finally back at home. I fell asleep around seven in the evening and got woken up at eleven. Now I don't feel like going back to sleep anymore, even thought my head is a total mess due to the jet lag. It is around 2 o'clock in the morning and I'm just staring at the screen. Wish I wouldn't have been woken up. It would have been much better to wake up at 3-5 in the morning and try to adjust from there than stay up at this hour.

Oh well, trying to "fix" things by drinking a few beers, even thought it probably makes things worse ;)

In overall, the trip was a success and I hopefully added the required value to the business reason I was in US. It would have been cool if I could have extended the trip to BlackHat Las Vegas and DefCon, but because of normal life appointments and the length of that journey it would have been pretty crazy. Only thing I reveal about the trip is that I had some pizza and bagels in New York and found out that in all the "chaos" there was a certain rhythm which made total sense. I also asked for a NYC specific drink and was given a Cosmopolitan. It was in my opinion quite good, but isn't that more like a girl drink? *shrugs*

Web Application Security Survey Results [Infosec Events]

Posted: 26 Jul 2008 04:06 PM CDT

A couple weeks ago, Jeremiah Grossman put together a survey for web application security professionals, and now the results are posted. There were 17 questions, ranging from your general background to rating web vulnerability scanners. There were some funny questions like the HackerSafe one… Safe from Hackers, Safe for Hackers, or Other?

Jeremiah also posted his thoughts on the results on his blog. The full report is also online thanks to Robert "RSnake" Hansen. It also has all the comments from the web application security professionals survey, and they are quite interesting to read. Thanks to Jeremiah for putting together the survey, and thanks to all that participated.

Down For Maintenance... [PaulDotCom]

Posted: 26 Jul 2008 12:28 PM CDT

Between Larry on vacation and me moving my office around in the house and doing some general clean-up, we will have to skip this week's podcast. I was also traveling to SANSFIRE to do some teaching, which made the week a bit hectic as well.

We will be back to our regular security monkey selves this coming week.

However, check me out on the Typical Mac User Podcast this Sunday, where I will be discussing how to secure Mac OS X!

PaulDotCom

Symposium On Usable Privacy and Security [Infosec Events]

Posted: 26 Jul 2008 01:26 AM CDT

The three day Symposium On Usable Privacy and Security finished today. We were not able to attend this event, but from the program information, there was some interesting research on usability revealed during the symposium. The majority of the research papers and slides are now online for your viewing.

One of the most talked about presentations was from three students at the University of Michigan. Their paper was called Analyzing Websites for User-Visible Security Design Flaws. While analyzing 214 web sites which were mostly banks, they found 76% of them having a design flaw that would confuse users or even cause problems for security-savvy users. The CUPS blog has some good notes from this presentation, and there is some decent discussion points on Slashdot.

Some other topics that I found interesting:

Results: Web Application Security Professionals Survey (July 2008) [Jeremiah Grossman]

Posted: 25 Jul 2008 01:10 PM CDT

The survey concluded this morning with a simply amazing turn out! A total of 340 respondents -- well over double the previous. Thank you to everyone who helped get the word and of course to those taking the time to fill out the form. This information is invaluable. Since there were so many responses, and hence comments, I'm only able to post the report graphs below. The full report containing all the comments, probably the best part, is available for download (xls). The upside of so much data is I was also able to run reports on people classifying themselves as "Security vendor / consultant", "Enterprise security professional", and "Developers" individually to see how they differed, if at all. If you want to the entire package of reports, here ya go. Big hat tip to Robert "RSnake" Hansen for the bandwidth.

And now for my interpretation of the results…

Question #1 – 3
Shows that we have a nicely diverse set of individuals with varying backgrounds and years of experience. It looks like I should have had more granular answer options for Q2 though, note for next time.








Question #4
In the matter of browser security I figured just about everyone is using something above and beyond a default install, which is just plain crazy now days and the results confirmed. What astonished me though is the percentage of people across the range using virtualization, roughly 25%! Think about this. 1 in 4 web security people assume their browser and/or OS has a high likelihood of getting owned. Military intelligence, congressional ethics, browser security.




Question #5
In retrospect I should have asked a better PCI-DSS related question, the answers were unsurprising. People in the certain business sectors were influenced by PCI-DSS when it applied to them and they weren't when it didn't. What I really want to know is what ARE the driving factors behind why organizations are investing in web application security. I'll try to figure out a better way to get to that answer set.




Question #6
These answers I found to be really interesting because they were split roughly down the middle and the comments were all over the map. Clearly there is no widely accepted view of what security means in the Web 2.0 software development era. We're still trying to figure things out and convince ourselves that we have the right answer. Or that someone does. I think there is a lot still to be learned in this particular area and I plan to ask more questions on the topic going forward. This also might be an area where we should bring individual experts and practitioners to together to discuss the various issues.




Question #7
I purposely kept the term "vulnerability scanner" vague to see how they performed as an entire category. It doesn't appear that vulnerability scanners have improved much or at least peoples impressions of them since the last survey. They performed dismally in Web 2.0 technologies including Ajax, Flash, and Web services. What surprised me is how well the scanners performed in the persistent XSS category, on par with the non-persistent. I can't say I agree, but it is what it is. Could be an artifact that people don't understand the difference and figure if the tool didn't find it that its not there. The other interesting thing is that developers have a better opinion of scanners than security vendors and enterprise professionals.

I plan on digging into this area even more in the future and separate out scanner types, asking for product names, and overall impressions.




Question #8
I was fairly impressed with these results. 1/3 of the respondents said they'd either recommend a WAF, already have a WAF, or had a WAF on the road map. Then half of everyone said they were "Skeptical, but open minded" as compared to a sparse 15% expressing a level of negativity. This should be a huge market indicator for WAF vendors, industry analysts, VARs, and systems integrators. That 50% category represents a huge opportunity to demonstrate a WAFs value and long-term viability. In the next year we'll know which way the trend is heading.




Question #9
Cmon, I had to poke a little fun at RSnake. I mean you gotta know web security is becoming mainstream when you can't automatically win an online Chihuahua beauty contest poll in Austin without getting out haxored at the last second. ;)




Question #10
OK, that settles it. Web security people have little to no respect for McAfee's HackerSafe brand and even that's putting it mildly if you read the comments. I was confused on what the large "other" responses wanted for an option though. There is also a quite unnerving statistic with developers as their answers were split in thirds. Could it be that 1/3 of developers believe HackerSafe means security?




Question #11
And there we have it, web security people don't trust Google, roughly 75% of them anyway. The kicker is most still use them in some way or form anyway. Maybe in many ways we are just like the average user. We'll tend to sacrifice security for convenience just like they do.




Question #12
Some like the idea, some hate it, and others have a love-hate relationship. Either way it appears there's enough people interested in a certification that its time for someone to do it and do it well. Sooner or later there will be 1 or perhaps 2 industry acceptable certifications. Who will it be!? Probably the first one to do it right will.




Question #13
The answers were all over the map and I don't think I asked this question in the best way. Still the majority of C-level executives are at least giving the web security problem a good look. What I'd really like to know, similar to question #5, is what exactly is causing people to care and dedicate more resources. Maybe it's an incident, industry regulation, keeping up with the jones, who knows! I aim to find out.




Question #14
80% of us figured the industry noise was tolerable or we've become number to it. The rest, well, they are not long for the industry anyway. You must get used to it or you'll go crazy, maybe some of us already have.




Question #15
Who's winning? Few think it's the good guys. What more can we say here but that this is really sad and we have our work cut out for us.




Question #16
The forced ranked list. Some were close in the center, but this is what we got. Awareness is still a HUGE issue and I tend to agree.

1) General awareness and education
2) Implementation of an security inside the SDLC
3) Source code analysis
4) Black-box vulnerability assessment / pen-testing
5) Web application firewalls
6) Enforcing industry regulation




Question #17
Read the comments, it's worth it. :)


WhiteHat Security is a leading provider of web application security services. WhiteHat Sentinel, the company's flagship service, provides continuous web applications vulnerability assessment and management.

Randy Pausch died today [Episteme: Belief. Knowledge. Wisdom]

Posted: 25 Jul 2008 12:40 PM CDT

I’m sitting in a cafe getting client work done when I looked at my Gmail and the little news ticker across the top had the notification: Randy Pausch died today.

I had heard of, but hadn’t seen Pausch’s Last Lecture video when I picked up the audiobook of the Last Lecture and found myself laughing and crying through a long bike ride one Sunday.

If you haven’t seen it or heard about it, definitely check it out. His story is pretty incredible, and the message is pretty amazing too. Actually, to abridge it perfectly, there’s a quote in the Yahoo story above:

We don’t beat the reaper by living longer, we beat the reaper by living well and living fully.

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

The Daily Incite - July 25, 2008 [Security Incite Rants]

Posted: 25 Jul 2008 09:48 AM CDT

Today's Daily Incite

July 25, 2008 - Volume 3, #64

Good Morning:
The DNS flaw exploit code is in the wild. And people are surprised, chagrined, angst-ridden, and otherwise all up in a tizzy about it. Some folks are lashing out via their blogs. The Mogull questions why, Hoff figures a way to work wand extensions into the discussion. But Martin waters down the discussion to it's very core.
It's all about me!
"...There's a serious problem with the security researcher community where being the first to discover and disclose an incident like this is more important than getting the problem solved for as many companies as possible."  (from Network Security Blog)

Why are we surprised? Researchers are researchers are researchers. This has been a problem relative to healthcare research since the beginning of time. It took someone like Mike Milken (yes, the infamous Drexel Burnham banker) to bridge the gap and start getting cancer researchers to work together and partner with industry

And how'd he do that? MONEY. That's right, tradeable hard currency. Which by the way is one of the major problems with "research" or let's say basic research at it's core. There's very little money it. Medical researchers toil away, trying to kill (or heal) rats for years to isolate a compound that very likely will have no impact on anything. Many of them have to hump the legs of governments, charities, and anyone else to fund their life's work. That's time they aren't researching.

If they do find something, maybe they can start a company and maybe then they can make some money. That's a big maybe. So in the absense of clear financial gain, researchers will usually opt for public recognition and fame. Some have sufficiently big egos, that money aside, it's still all about them. So you think some of these ego-maniacs are going to let someone else take the credit for years of toil in dark, dingy laboratories.

Fat chance.

It gets even better because some researchers have such huge egos that they can't let anyone else be successful. They treat it like a zero sum game. Either trying to talk down the findings or figuring out a way to piggy back on the research to get their attention fix. It's sad really, and since this is not only precedent in healthcare research, but typical behavior. Why do we think security researchers would be any different?

Human nature tends to evolve in eons, so accept the game for what it is. But that doesn't mean you have to like it or even accept it. If by chance you find yourself in a position to do the right thing, then do so. You can't control any one else's actions - but you certainly can control your own.

It all starts with one person. One person can change the world. Don't ever forget that. Have a great weekend. 

Photo: "It's all about me." originally uploaded by Monceau

Technorati: , ,,

The Pragmatic CSO
The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"

www.pragmaticcso.com
 Get Your Special Report:
6 Easy Steps to Protect Your Identity
and
get access to Security Mike's Portal today

www.securitymike.com

Security Mike's Guide to Internet Security

Top Security News

Greene continues the NAC pile on
So what? - The challenge in being a beat reporter is that you are kind of beholden to whatever news peg shows up in the inbox. These folks are the ultimate flip-floppers. Some days they are talking about how great a technology is, and the next they focus on the issues. Tim Greene of NetworkWorld is no exception. He tends to regurgitate whatever study, survey, or nebulous product announcement comes his way. By the way, this isn't meant to be critical of Tim - that's his job. The tech trades basically serve to aggregate the news, but how we interpret that news is up to us. It's called PR folks. This week, Tim highlights an Infonetics survey about delayed NAC deployments. Since they talked to 242 users, that is representative of the mass market. Uh huh. Whatever. He also points out that NAC is still pretty complex, and finds some users to verify that. Remember that bad news makes much better news than good news. And generating page views is their business. It's much harder to find success stories, but at least try to have a balanced view of what you read, and don't believe it all. That's why I read so much and varied stuff. It allows me to see the trends and draw conclusions from a wide swath of territory. Not just from 1 opinion piece or a statistically insignificant survey. 
Link to this

How often do you meet with the CEO?
So what? - Does the CEO know you name? Do they know what you do? Have you gotten their opinion about what's important to protect? If the answer to any of those questions is no, then you have a lot of work to do. The InformationWeek folks have done yet another survey about CEO visibility, but they asked the CIOs - where presumably they'd have a lot more visibility with CEOs than a security professional. Most tend to either see the CEO weekly or monthly (70% of the total). Is that a lot or a little? It depends on what you are trying to do. I guess another way to ask the question is how often does the senior security professional meet with the CIO? Is it weekly, is it more often? There are no right or wrong answers here, but if you don't feel you are getting enough face time, then start to agitate to get more. Whining about it or complianing about how you can't get anything done because you have no executive support isn't really a good answer.
Link to this

Banks shoot themselves in the online foot
So what? - One of the issues with the Compliance First mentality is that you open yourself up to the law of unintended consequences. Two years ago, all financials were aflutter about FFIEC's mandate for mutual authentication. So they spent a bunch of money to make that happen. And then they thought their work was done and they'd get back to doing things like counting money or something. But some folks from U of Michigan analyzed 214 online banking sites and found that 76% had design flaws. Some were serious (secure login box on insecure pages, improper use of SSN, redirect to 3rd party sites) and some not so serious, but the issue the researchers had was that the banks are providing mixed messages to their customers. We've got to train consumers to be more security aware and if their banks can't even do it right, it's hard to see how we are going to make progress. Since there is no mandate for decent web design, this is what we are stuck with.
Link to this


The Laundry List

  1. One spammer enter, another leaves. Soloway gets 47 months (tell Vick we said hello) and Eddie Davidson escapes. Guess he was having a bad case of email withdrawal. Ed Dickson wonders if any of it matters.
  2. Intrepidus launches PhishMe, which tests your employees ability to figure out an attack from legit email. I'm a big fan of testing, so I hope these guys do well with this. - Intrepidus release
  3. Check Point announces 2Q results. You can also check out the conference call transcript. - Check Point release
  4. EMC also announces results. RSA growing at a slower rate (15% to $144 million top line) than the entire company. That can't be good. - EMC earnings release

Top Blog Postings

Remember about Plan B
This post is old, but it's so good I just couldn't let my vacation schedule hinder my ability to highlight it. Shrdlu talks about the "Power of Fail," and it really is a key tool in the bag of the security professional. It's really about having the security mindset. We have to constantly be thinking about how we can get killed. What can go wrong, how would a bad guy/gal use something for nefarious purposes. It's a tough job because most people don't think this way, and that's why they are constantly surprised when things go wrong. Of course, you can't examine every single combination and permutation of an outcome - BUT in reality there are only a few reasonably likely failure scenarios and they have to be considered and planned for. If you hit one of the edge cases? Then you focus on REACTING FASTER.
http://layer8.itsecuritygeek.com/layer8/the-power-of-fail
Link to this

One person can change the world (or lock you out of your house)
I actually found the SF network fiasco to be rather entertaining. A rouge employee gets pissed off and locks everyone out of the network. Ooops. He won't spill the beans from jail until the Mayor goes and kisses his ass. As Shrdlu points out, this is about narcissism. Plain and simple. So find these folks and throw them off the bus quickly, and make sure you remove their access BEFORE they know what's going to hit them. Martin brings up a number of good, derivative points about logic time bombs. But ultimately, you have to wonder how could this happen. How could one password control all of the keys to the kingdom? Crappy design, and inability to think about FAIL (see above). But entertaining nonetheless. 
http://www.mckeay.net/2008/07/16/why-no-one-person-should-control-it-all/
Link to this

Think different and maybe survive
RSnake highlights some ideas about whether it makes sense to use common defenses to protect your web apps. I think of this as being a lemming, in terms of using similar tactics (usually the easy, path of least resistance kind) to everyone else. The Snake points out that this is a huge liability. As the man says: "That's why it's critical that we throw best practices to the wind unless it comes down to compliance issues. Sure, we don't want to go to jail for not being compliant, but if you follow best practices to the letter of the law, it will only make you as weak as all the others who did the same." But just being compliant isn't going to help you be secure. Let's use a football analogy because summer camps have opened up. If everyone knows what defense you are going to run, they can design an attack to shred you. So you have to be a bit like Belichick and be constantly changing up schemes, trying new stuff and keeping your foes on their toes. And having a video recording of your competition doesn't hurt either. HA!
http://www.darkreading.com/blog.asp?blog_sectionid=403&doc_id=159324
Link to this

The Metasploit DNS vulnerability exploit [Kees Leune]

Posted: 25 Jul 2008 08:58 AM CDT

Andy IT Guy posed an interesting question and added a poll to it: Should HD Moore have released a Metasploit exploit for the recent DNS vulnerability? I starting my response as a comment to Andy's post, but since my comments tend to run long, I figured I'd make it a post of itself here. Many people have responded:
If you can tell, with absolute certainty, that systems are vulnerable to an exploit without needing to test the mechanism, what good is served by releasing weaponized attack code immediately after patches are released, but before most enterprises can patch? Source: Rich Mogull
POC code for near-zero day 'sploits is like SPAM advertising penis-extending drugs...the only dick it's helping is the one writing it...
Source: Christopher Hoff
My principal feeling on this issue is that it is indeed a good thing to have the exploit available in Metasploit. However, Andy's question has two components: 1) should metasploit have the DNS exploit (YES!), and 2) Was the timing to release it correct. I already answered the first part of the question. The answer to the timing being correct revolves around one thing: adding an exploit to Metasploit after it has been seen in the wild is one thing, but taking the lead in developing it is not the wisest thing to do. Metasploit has developed into a platform that is so well-built and easy to operate that it has become very dangerous to put a new sort of ammunition in it. If the exploit was out in the wild already, and that fact was indeed confirmed, HD Moore's decision to release was valid. If the exploit wasn't out in the wild yet, the release was irresponsible. By releasing the code, we made the lives of the bad guys easier and that is not our job. I have no doubt that the exploit would have been available soon if HD Moore had not released his, but when a platform such as Metasploit reaches so many people, giving them the necessary tools to do bad things is not the most responsible form of full disclosure. Being in the public spotlight brings consequences, and sometimes that means that you have to be the responsible person.

De-ice.net pentesting live CD's [Kees Leune]

Posted: 25 Jul 2008 07:46 AM CDT

I have always admired the skills of people who are really good at penetration testing. Trying to gain access to a machine through not-so-obvious ways is something that requires a high degree of technical knowledge, proficiency with tools and a good dose of creativity. I have never been in a situation where I was commissioned to pentest a box myself, but I've dabbled enough with it lately. My first exposure to it came when I took the SANS 504 course on Hacker Techniques, Exploits and Incident Handling. The class ends with a capture-the-flag session that I enjoyed a lot. Since then, I've been keeping an eye open for some other challenges, and I found one at The Last HOPE. One of the speakers mentioned that www.de-ice.net hosts some bootable CD images that are used to teach people pentesting skills. They author of the CD's did a nice job and grouped them in different levels of difficulty. The de-ice CD's are designed to be breakable with the tools included on the Backtrack Live CD. After downloading the images, I was hooked. Unfortunately there are only three CD's out at the moment, but I am proud to say that I managed to win all three challenges. I also admit that I needed some help getting the last one; I was unfamiliar with one of the tools used and needed a little hint. With that last hint, I was able to solve the third and final challenge. If you're into pentesting, or if you would like to get started, I wholeheartedly recommend taking a look at www.de-ice.net. While all the hackable images are Linux-based (due to licensing), they are very informative and fun to do. Don't bang your brains too hard; they progressively get more difficult!

More DNS Cache Poisoning Testing Tools [Infosec Events]

Posted: 25 Jul 2008 12:20 AM CDT

Now that public exploits are available for the DNS cache poisoning attack, now is good time to patch your DNS servers if you haven’t already.

Some new tools also came out to test if your DNS server is vulnerable to DNS cache poisoning. The web-based DNS randomness test by DNS-OARC is very good, and it outputs pretty graphics. For those that like the command line, you can also use dig and nslookup with the DNS-OARC test.

 dns-oarc

$ dig @IP-of-GOOD +short porttest.dns-oarc.net TXT

$ nslookup -type=txt -timeout=30 porttest.dns-oarc.net IP-of-SERVER

Update: IBM’s Internet Security Systems blog has a good summary post called ‘Responding to the DNS vulnerability and attacks‘.

Update #2: Dan Kaminsky talked about the DNS vulnerability more in a Black Hat Webcast.

Related Link: Is Your DNS Server Vulnerable To Cache Poisoning?

The ARP Lowdown [CTO Chronicles]

Posted: 24 Jul 2008 05:09 PM CDT

Likely the single most controversial part of the Mirage NAC product involves its use of ARP.  Stiennon referred to "ARP twiddling" as our means of quarantine during our recent, er, discussion on the usefulness of NAC.  As tempting as it was to respond to the comment in the thread, I thought perhaps it was better to leave it for its own post.  So, what's up with our use of ARP?  Why do we do it this way and why haven't we moved more quickly to one of the more common means of quarantining endpoints?  Here's the lowdown that before has been kept more on the down-low.

More than just quarantine.

One of the first discussions we (at least I) end up having with prospects surrounds the notion of device state.  The knowledge of network entry and exit forms the bookends of the NAC process.  Any NAC solution must have this basic notion in order to provide the necessary governance.  To be sure, many options exist.  Some solutions take alerts from the switching infrastructure (SNMP traps, Syslog messages, whatever) based upon either the link state of the port or the population of the bridging tables.  Others may have a RADIUS hook, on the assumption that any device that's connecting is authenticating in one way or another.  Still others may have a DHCP hook and use address assignment as the state trigger.  Finally, some of the inline solutions simply wait to see traffic flow through them.  There are three basic reasons we like ARP for this:  First, and most importantly, it's immediate since it's part of the initial stack initialization.  Second, it's independent of the switching infrastructure, in that it works the same way regardless of downstream switches, whether the switches can send traps, etc.) Third, it's independent of endpoint characteristics, such as OS type and whether the address is statically assigned or dynamically assigned.

But also quarantine

Yes, we use ARP for quarantine.  The marketing side of the house prefers "ARP Management" to "ARP Poisoning" or "ARP Twiddling."  I don't especially care.  The best way to enumerate why we do it this way is to back up and review, at a slightly higher level, what we think quarantining should be and mean:

Quarantining should be fast

This almost seems like it could go without saying.  Whether effected for the purposes of device-specific remediation or more generalized network protection, time is both money and risk.  A quarantining method that takes, for example, seconds to put in place is, at least to us, a non-starter.

Quarantining should be holistic

One of the fundamental disagreements I have with Stiennon's notion of network security (rant alert) is that packet (as opposed to endpoint connection) dropping is sufficient as a mitigation method.  With a threat blended into, say, a bot (with an https control channel), a file-sharing based worm, a keystroke logger that may be logging data but not sending it, and a spam relay, the very notion of separating "good" traffic from "bad" traffic is silly.  Take even one of the highly outdated threats (and quaint, by today's standards) threats like Blaster and Welchia.  The "bad traffic" in those cases was Windows networking traffic, whose primary usage was *inside* the infrastructure.  So then a "good traffic/bad traffic" policy removes windows networking functions from the connection, which removes access to both file shares and (assuming Exchange) corporate email.  Now then, how useful, really, is that endpoint's connection?  Well, they can get their stock quotes.  And they can get to internal portal-based applications.  Boy, there's a great idea.  "I see, Mr/Ms user that you're infected with malware; welcome to my Oracle Financials application."  How does that idea pass muster with anyone?

Quarantining should be full-cycle

This may or may not be a point of debate, but we continue to believe that a quarantine mechanism that is only available at admission time is wholly inadequate.  This is the "main" thing keeping us from leveraging 802.1x as a quarantine mechanism (the lack of this capability in 802.1x environments has been a rant of mine before, since the RFC that would allow for this is 5 years old).  As much as I like the idea of enforcement at the point of access, I simply do not see how it's workable unless and until it's possible to revoke previously granted access based on policy.

Quarantining should be transparent

I put this last since I think it's one with the largest amount of wiggle room.  The thing I always liked the least about SNMP and CLI based VLAN moving is that there remains the need to get the endpoint to go request a new address as a result of the VLAN change.  Similarly, the best that DHCP can offer is to play around with the timing elements, but that's not the same as the ability to do quarantine on-demand per policy.  Not to beat a dead horse or anything, but RFC 3576 would get us there if the switch vendors would just implement it.  Did I mention that the RFC is 5 years old?

So, there you have it.  We use ARP for state because it's fast, robust and hard to bypass.  We use ARP for quarantine because, quite frankly, we've yet to see any other quarantine mechanism that can fit the bill.

PS

I almost forgot.  The main knock against our "ARP twiddling" approach, beyond just the philosophical objection, is that it's easy to bypass.  Is it?  Some methods may be.  Ours is not.  Not from our own internal testing, and not from installations spanning 550 customers across 38 countries.  And, yes, we thought of the static cache-entry trick already.

Going to defcon after all [Kees Leune]

Posted: 24 Jul 2008 02:33 PM CDT

It turns out I'm going to DefCon after all. It will be my first DefCon and my first trip to Las Vegas. As a matter of fact, it will be my first trip to Pacific Time ;-) I'll get in Thursday evening late (midnight) and I will leave again Sunday evening (9pm-ish). I am also looking forward to meeting some of the people I've been talking to online for a long time now! T minus two weeks and counting.

Buone ferie... [varie // eventuali // sicurezza informatica]

Posted: 24 Jul 2008 12:03 PM CDT

Mi assenteró per qualche tempo per il meritato riposo estivo. Non dico il blog sará "chiuso per ferie", ma certamente daró piú segni di vita su twitter che qui. Un saluto ai lettori, ai colleghi, agli amici, agli amici blogger, agli amici che leggono perche é il mio blog anche e non s'interessano di sicurezza, ai commentatori anonimi e quelli col nome. Come al solito, non metto l'out of office autoreply alle email quindi saluti anche quelli che stanno leggendo qui perche non ho risposto a qualche email e si chiedono se sono vivo.

Extended Laundry List - July 24, 2008 [Security Incite Rants]

Posted: 24 Jul 2008 07:36 AM CDT

Good Morning:
The travel gods conspired against me last night, so I decided to do another extended laundry list, as opposed to a full TDI this morning. I'll wrap up with a TDI tomorrow morning.

Addam's Family Laundry

The Extended Laundry List
  1. PCI is a priest? Why not a Rabbi? OK, Newby isn't talking about real religion, but many practice security as more mysticism than science. Personally, I think doing it right involves a lot of art, but Rob brings up some decent points. - Rob Newby's blog
  2. I guess we really can't get away. The Mogull rants in his Dark Reading column about how consumerization is attacking the business world and how that will impact security - Mogull Dark Reading column
  3. A rehash of the old immune system metaphor for security. It's still as effective as ever. But at the end of the day, most folks don't take care of themselves, what makes us think they'll take care of their security? - NetworkWorld coverage

  4. Curphrey figures GRC isn't interesting, but the framework to integrate people, process and technology are. The wonderful thing about an acronym is that GRC can mean anything to anyone at anytime, and it usually does. Do you need ERP for compliance? That's the crux of the GRC debate. - Curphrey blog

  5. Is it better to build or buy security monitoring? No religion or dogma here. I don't care. Just make sure you monitor. - SearchCIO-midmarket coverage

  6. Why use the old thing, when you can have a shiny new object? Lonervamp asks the question, but I suspect he already knows the answer. Security sales reps need new BMW's - that's why! - Lonervamp blog

  7. MXLogic introduces a paid research service to help stay "ahead" of the bad guys. If I've said it once, I've said it a million times. It's much more lucrative to apply a crystal ball to the financial markets. So if you have one, why waste time in security? - Enterprise Systems Journal coverage

  8. Clearswift bolsters DLP capabilities on their email gateway. Is it "good enough?" Depends on who you ask. I suspect the DLP vendors have a million reasons why you need a costly, hard to integrate dedicated infrastructure. - Clearswift release

  9. New computer: $600. Cost to clean it up after it's been on the network, unpatched for 5 minutes: $2000. The fact that some people still connect unpatched machines to the network: priceless. That's right - 5 minutes to pwnage. I wonder if the XP service pack downloads that quickly? - NetworkWorld coverage

  10. Mitnick gets a tell-all book deal. He'll detail how many ways you can use KY in the slammer. And maybe a bit about social engineering. I can't wait to hear what tale of woe has resulted in his "issues." Maybe he wasn't hugged enough as a kid. - Silicon Alley Insider

  11. Even the "red team" can get better. Of course they can. We all can improve in what we do. I like the fact that the Government has people responsible to test defenses. If you aren't testing, you'll be surprised and security folk hate surprises. - Veracode blog

  12. The chum is in the water. After Enrique basically tells the channel he's going to screw them, it seems there are a few options for VARs to consider besides the Big Yellow. You think? - CRN slideshow

Photo credit: "The Addam's Family Laundry" originally uploaded by DanielaNob

Assessing your Organization’s Network Perimeter (pt. 3) [BlogInfoSec.com]

Posted: 24 Jul 2008 06:00 AM CDT

Welcome once again to the risk rack. This time on the risk rack we will be continuing our review of how to assess your organization's network perimeter.

As a reminder the identified steps were:

In Part I we reviewed tips and tricks for step 1 "Define the functions and purposes of your network perimeter" and started a spreadsheet.

In Part II we looked at tips and tricks for Step 2: "Assess the technology used along the perimeter of your network."

In Part III we will be looking at tips and tricks for step 3 "Assess the Processes used to support your network perimeter."

Processes are an important element of any program and provide the overall framework and ongoing guidance to ensure the program operates as prescribed, and effectively. Formal processes to specifically support the network perimeter are often integrated with other processes and almost never centralized to ensure that there is a cohesive flow. Since the network perimeter is often the most vulnerable point of an organization's operating environment it is important that the processes that support its operation and security are developed with a focus to ensure that they are comprehensive and performed effectively. When doing a review of processes it is important to speak to the key personnel that either own or support the network perimeter and ask them what they do to support the network perimeter. During the conversations you should ask them

(...)
Read the rest of Assessing your Organization's Network Perimeter (pt. 3) (1,220 words)

© Frank Cassano for BlogInfoSec.com, 2008. | Permalink | No comment
Want more on these topics ? Browse the archive of posts filed under General.

This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!

these tubes are quick [extern blog SensePost;]

Posted: 24 Jul 2008 04:57 AM CDT

Kaminsky's thunder has all but evaporated into a fine mist, and Ptacek has gone all silent. In the meantime, the MetaSploit crowd put their heads down and produced:

http://www.caughq.org/exploits/CAU-EX-2008-0003.txt

DNS poisoning for the masses.

(If anything ever deservered the tag 'infosec-soapies', this would be it!!!)

Metasploit Bailiwick DNS Exploit Adds Domains [RioSec]

Posted: 24 Jul 2008 01:13 AM CDT

Overnight the Metasploit DNS exploit module continues to evolve to more devistating effect.  Perhaps most importantly, a new module was introduced based on feedback from Cedric Blancher named Auxiliary::Spoof::Dns::BailiWickedDomain, which replaces the nameservers for a domain, allowing an attacker to redirect all traffic for the entire domain through them.  Showcasing the ease of use of the Metasploit Framework, this entire exploit is written in 330 lines, including comments!

read more

When your flight is DOA [StillSecure, After All These Years]

Posted: 24 Jul 2008 12:04 AM CDT

Last night I wrote about my first day of this weeks road trip and my hotel which doubled as a funeral parlor. Now it is Wed night and I am live blogging from the runway of DC Regan-National airport, on board a Delta flight which has been on this same runway and not moved for the past 2 and a half hours. 

I say I am live blogging this, but of course you are not live reading this.  That is because I have no way to upload this to my server.  You see the iPhone 3G for all the coolness, has no Internet sharing that I am aware of. My old windows mobile phone had Internet sharing and if I still had that you would be reading this live right now.  But no, not with the iPhone. 

I was scheduled to connect in Cincinnati right about now.  I am obviously missing that connection.  I was flying from there to Columbus and driving about an hour and half from Columbus.  I have a 9am meeting tomorrow.  So unless I feel like renting a car and driving 4 hours whenever it is I land, I am pretty much missing my meeting tomorrow as well. 

What to do?  a). Should I break out of this plane, run to the terminal and try to get on a flight home to Florida  b). Go postal or c). Grin and bear it and try to remember that I love what I do and that is what flying in the summer is all about (actually that summer thing is full of beans, it is no better in winter with weather either!).

So here is the update, we sat on the runway for 4 hours!  Finally took off and landed in Cincinnati at midnight. I had no connection.  Could not get a flight out in the morning, not rent a car and most hotels sold out. I am writing this from the coffee shop of the lovely (and I do mean lovely) Drawbridge Inn. I will miss my meeting in the morning and am booked on a flight home tomorrow.  Ah, the life of a road warrior!

We should all be this bad - Microsoft is dead, long live Microsoft! [StillSecure, After All These Years]

Posted: 23 Jul 2008 11:57 PM CDT

I have written before about what a joke I think it is when people write that Microsoft's best days are behind it and that their corporate grave is already being dug.  Google is going to usher in a new age of net centric computing and topple the once and future king. Yeah sure.  Don Dodge had a good article up the other day about Microsoft's recent end of FY numbers.  The Redmond rockets racked up over 60 billion (yeah with a b) in revenue last year, an 18% increase over the year before!  They dropped 17.6 billion (again with a b) to the bottom line.  To give it some perspective, Yahoo all told only does about 7 or 8 billion in gross revenue a year.  Microsoft grew 9 billion in revenue last year.  That is they grew organically more than a whole Yahoo.  You can check out Don's article for more financial facts and figures.

I ask you ladies and gentlemen, does this sound like the numbers of a company on the way down?  If you were a betting person, would you be betting against this monster?  I would not be.  Do you think by 2011 things are going to fundamentally change? Next time someone tells you how open source, Linux, Google or anyone else is going to kill Microsoft try to put some of these numbers in prospective.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)