Saturday, August 2, 2008

Spliced feed for Security Bloggers Network

Wordpress on my iPhone [Network Security Blog]

Posted: 01 Aug 2008 10:41 AM CDT

I just found the Wordpress app for the iPhone and I’m sitting in a meeting tapping away while listening to the presenter. I doubt that I’ll be using it much since it takes so long to tap a post out, but when I need to make an emergency post, this will work ok.

Playing Catch Up This Weekend [Liquidmatrix Security Digest]

Posted: 01 Aug 2008 08:21 AM CDT

It’s a long weekend for me and I’m taking some time to catch up on posts that I’ve been meaning to get done. Also, I’ll be mucking about with our database but, it shouldn’t be so that anyone will notice. Mind you…
Have a great weekend folks. Check back for a (belated) wrap up from Last Hope.

In the meantime here is an amusing piece from Bruce Schneier on why people shouldn’t listen to him.

links for 2008-08-01 [Andrew Hay]

Posted: 01 Aug 2008 08:00 AM CDT

Always Take some time to research [An Information Security Place]

Posted: 01 Aug 2008 07:38 AM CDT

So this post is not exactly about security, though it has ramifications in the security industry as well as virtually every other industry.  As you may know, Accuvant is a security consulting / reselling firm.  However, as the trend continues towards convergence of the network and security, we become more and more involved in infrastructure consulting and reselling.  We have a bunch of people who know how to design and implement infrastructure projects and include strong security principles along with the solution, so it actually works well for us.

Well, one of our clients in the Dallas area has used us for the past couple of years to help them build out their infrastructure as they expand.  We designed the phase 1 of the infrastructure, and now we are moving into phase 2.  Part of that phase 2 involves them installing a SAN and VMware ESX servers.  Good move on their part.  We don’t do the SAN and VMware stuff, so he brought in another consultant, namely Dell.  Our client is buying a Dell Equallogic iSCSI box and using Dell to build it and the VMware servers.

The first thing our client told us was that he wanted to connect the SAN and the ESX servers directly to the core since he had plenty of ports, there was redundancy built in there already, and he wouldn’t need to buy more switches.  He doesn’t have a huge environment, but we advised that if he was going to do that, it needed to be in a phased approach, and he needed to put additional switches into his access layer for the SAN and ESX servers when he starts approaching the next phase of the expansion.  He decided to go ahead with that since we made the suggestion, so he started looking at which switches to use.

He is an Extreme Networks shop, so we made a couple of suggestions for switches.  He went to his storage consultants at Dell, and they told him that Extreme was not certified with Equallogic and that he would need to buy Dell or Cisco switches.  Obviously that was throwing a monkey wrench in the plans.  We really didn’t want to throw other switches into this mix.  Should it work?  Yes.  But why tempt the switching gremlins?

So before we started heading down that path, I decided to do a little research.  I sat down in front of my laptop expecting a good 30 minutes or so trying to see if anyone out there had put Extreme in with Equallogic iSCSI.  Well, it took me about 2 minutes with this search to find these two articles:

So Equallogic does support Extreme??  Looks like they do when you see this line in the second article:

EqualLogic supports Extreme Networks’ switches.

Can’t get much more definitive than that!

So the point is that you should not always accept the word of an "expert".  It always pays off to do some research.  Yes, you should be able to use the expert's advice in making decisions.  But backing that up with your own research often pays off.  Of course, if I’m the expert, then you can absolutely trust anything and everything I say as completely and totally factual. :)


New Weblog - It’s Gonna Be Good: Risktical.Com

Posted: 01 Aug 2008 06:51 AM CDT

From Chris Hayes at

I have the utmost respect for Chris as a risk analyst.  He’s big in (started?) the Columbus OWASP chapter (and I have to admit to not getting to a meeting yet because I’m a slacker), works, lives and breathes Information Risk, and if you want a pragmatic, practical view of risk within the context of a sophisticated IRM program, his blog is something you’ll want to read.

Also, he’s into the cello.  Which is cool.

New Advertiser [An Information Security Place]

Posted: 31 Jul 2008 04:45 PM CDT

I announced it a while back, but I wanted to announce again that I’ve recently added a new advertiser called Tradepub to my blog. It is the same advertiser that ISSA uses to offer publications to members and those interested in membership. 

They offer hundreds of free trade publications, all of which are completely free and offer valuable information that will help you stay on top of your respective industry.

TradePub offers more than 900 free business magazines, white papers, and webinars, all for the taking! Here are a few that my readers might be interested in:

    * Security Magazine - Focuses on ways to apply technology and services to solve security problems
    * eWeek Magazine - Essential technology information source for builders of e-business.
    * SC Magazine - Works to build relationships with all sectors of the information security industry.

The link is on the right of the posts, or you can go straight to


Coming Soon to a Movie Plot Near You… [Art of Information Security]

Posted: 31 Jul 2008 04:10 PM CDT

The problem with most video surveillance is that it is not actively monitored. It is recorded so that events can be reconstructed at a later date. While this may prove to be an effective deterrent in many situations, this does limit the effectiveness (and the cost of operation) of the surveillance system.

Of course, a major problem with that approach is that the “persons of interest” are long gone by the time the video shows that “yep, you can definitely see some guy cutting off that lock and stealing that…”.

Another problem is that unless the equipment is being checked on a regular basis, it may be defeated (or just broken) for a long time before any problems are identified.

In the photo to the right, NYC artist William Lamson has created an interesting photo of hacking (or blocking) a security camera with a helium balloon. This is such a simple and inexpensive attack on the video surveillance camera that I am shocked I haven’t seen this before. I am also certain that the appearance of this in a TV or movie plot is imminent. It would have been pretty simple to use two balloons to block the camera without providing the nice tether to “fix” the problem.

Digital photography is a hobby of mine, and I have a mild obsession for photographing physical security faux pas (which to date has not resulted in any ‘Imperial Entanglements’ ;-) ). So I am going to use Mr. Lamson’s photo to kick off a new category (and series) on Art of Information Security, called “Security faux pas” - stay tuned…

Cheers, Erik

Kaminsky’s DNS Exploit Exposes the Internet’s Core Challenge [ARCHIMEDIUS]

Posted: 31 Jul 2008 02:41 PM CDT

John Markoff’s (New York Times) recent story on the DNS exploit will no doubt draw significant attention to what Cricket Liu called one of the most significant vulnerabilities of all time. A few days after the easy-to-launch exploit was published on the Internet, evidence of attacks was soon reported, even against security experts [...]

CISA and CISSP Preparation [Art of Information Security]

Posted: 31 Jul 2008 08:14 AM CDT

Recently I have received a number of questions seeking preparation tips and insights for the CISA and CISSP certifications. I hold both of these certifications, and passed them both on the first attempt using very different preparation approaches. I took the CISA first, and based on a few lessons learned, I radically changed my preparation plan for the CISSP.

FYI, the official preparation information, qualification requirements, exam requirements, etc. can be found at:

Are You Ready?
A few basic questions to ask yourself to gauge how ready you are:

  • Do I meet the spirit, and not just the letter, of the experience requirements?
  • Has there been sufficient diversity in my experience?

Both of these exams cover a very broad spectrum of subjects. It is my personal belief that the experience requirements exist as an aid to whittle test takers down to candidates who have the professional experiences required to be successful, and to discourage people from taking the exams before they are ready. If you truly meet the background requirements, then you should have had some contact with many of the core topic areas for the exam.

If you are looking at the core content of the examination, and do not believe that you really have the breadth of exposure to be able to describe and discuss each domain at a high level, then you may be better served by delaying the exam in favor of working with your management to gain broader professional experience.

Five Step Approach to CISA or CISSP Exam Preparation

  1. Perform an initial benchmark and assessment of your readiness
  2. Read a “survey” level preparation guide cover to cover
  3. Perform a secondary benchmark, and compare your readiness
  4. Review official, or “deep dive”, preparation materials on areas identified as your weaknesses
  5. Re-benchmark, and repeat targeted reviews until ready

For the first certification that I prepared for, I did not perform the first three steps outlined above. I went directly to the official source materials and began trying to review them cover to cover. I passed the exam, but I also spent a lot of time & energy reviewing things that I already knew “well enough”, and was burned out when reviewing the areas which could have been richer learning opportunities. No matter what your professional background, no one knows-it-all or does-it-all, so there is always an opportunity to learn new things while you are preparing for the certification exam. The goal of this five step approach is to focus your time where you have the greatest learning opportunities. Hopefully this focuses your time and energy in the most rewarding way.

Performing the Benchmarks
For the Benchmarks, I like to complete a timed half-length or full-length examination.

It is my feeling that a half-length exam is long enough that fatigue, maintaining focus, and pace are all stressed, as they will be on examination day. This of course requires access to a large set of test questions or sample tests, preferably with explanations of incorrect answers. In addition to commercial third-party test preparation tools, there are good (and free) test preparation quizzes available from

Survey Materials
I find the “Exam Cram” series to be very useful survey literature. I purchase books from this series when I want a high-level and quick handling of an entire subject matter area. As a result, I own survey books from the series in topic areas which I have no intention of pursuing certification for. Obviously the books I recommend for these certifications are:

Deep Dive Materials
There are exam preparation materials available from a variety of sources that fit the bill in this area. What we are looking for are books that contain solid coverage of the areas where benchmarking has shown the most significant need for improvement. In addition to the materials from (ISC)2 and ISACA that I list below, consult your local library - often they will have books that fit the bill. (And, of course, consider arranging a donation of good materials if they do not.)

Final Thoughts
Good luck on your journey toward Information Security or Audit certification. One word of caution: Make sure that you have realistic expectations about what actually being certified will mean. Although I do think being certified helps a person establish credibility more quickly, and is helpful when searching for new employment, often people are underwhelmed by the “Congratulations, that’s nice” from their current employer. If your expectation is that a big raise, bonus, promotion, etc. is hinging on your being certified, then I would strongly encourage you to reality-check that with peers in your organization.

Cheers, Erik

Security Through Visibility - Montego, Lancope and NetFlow [Security In The Virtual World]

Posted: 30 Jul 2008 06:57 PM CDT

We've probably all heard that you can't secure what you can't see, and that statement is even more profound when it comes to virtual environments.  This is because it is extremely challenging to see what is going on at a micro vs. macro level within a virtual environment's network.  The virtualization vendors such as VMWare and Citrix have provided embedded tools in their management consoles that show a macro level of visibility, but it's not enough to identify security events in the environment.  Take a look at the attached picture.  It simply shows VMWare's ability to monitor virtual network performance statistics from a bits-per-second perspective.

With only this level of detail how can one determine which network applications are causing spikes?  Is it FTP traffic that is occurring at a high volume at an unusual time of day?  If that were occurring, could that be indicative of either a breach or some sort of problem?  What if FTP isn't even an authorized service in the virtual environment but there is a high volume of it?  Did someone install a rogue FTP service so they could steal information from the server at will?

These types of questions can't really be answered without a micro level of detail into the packets flowing in, out and within the virtual environment.  Now, what I am highlighting is not security in the traditional sense of prevention but using visibility as a means to first identify, then pinpoint the source of an issue so that it can properly be mitigated.  Having constant visibility can also ensure that other security products in the environment are performing as expected.  What if a Montego HyperSwitch with firewalling enabled is configured with many policies but someone forgot to create an FTP block policy?  One could think they are protected from rogue FTP services transmitting data out of the network, but without constant visibility monitoring, can you be certain?

Some vendors, namely Reflex Security will get you to believe that their IPS / IDS solution that is inline and running in the virtual environment is the right and only approach.  Or they will tell you to hang a virtual IDS off a span port in the virtual environment and you will at least have visibility into the attacks that are taking place.  Well, sure... You now have attack visibility but at the performance cost of your virtual environment.  Signature matching technologies are great, I'm a huge believer; however they don't scale very well in shared computing environments such as virtual ones.  IDS systems also don't typically track protocol and network service (FTP, HTTP, etc.) utilizations; which is another important part of visibility.

So, what do we do to gain visibility without the performance headache?  Well, for starters it's probably best to put your IDS/IPS solutions in the physical environment where performance will be less of a concern.  In fact, you can span a virtual switch's traffic out to a physical NIC as easily as you can to a virtual one.  So why do it virtually and have to pay a 60% CPU utilization tax?  Another solution is to IDS-inspect only the things you care about.  Why IDS-inspect SSL traffic if you know your solution can't decrypt SSL?  It's just a waste of compute cycles, isn't it?  Policy-based switching helps you with directing only the things you care about to an IDS (attack visualization product).  Montego's HyperSwitch can also help you with the traffic redirection of only the things you care about.

Another method of visibility which I tend to be a fan of is one of packet analysis (aka NetFlow).  NetFlow was invented by Cisco some time ago and has gained popularity in the physical world, and it definitely has a use in the virtual world.  NetFlow is lightweight.  Let me say that again, it's lightweight!  It only sends a summation of packet detail to an analytical engine which can do some number crunching, packet comparison, etc. etc. to make some sense out of what's going on.  Lancope, an Atlanta-based visibility company that provides Network Visibility, Security Visibility and User Visibility, has a tool on their website that is a NetFlow bandwidth calculator.  You'll see from playing with this calculator that it doesn't consume a lot of network bandwidth to transmit these network accounting records.  It also doesn't cause a lot of CPU overhead to send these records to an analytical engine sitting somewhere in the network.

Lancope's analytical engines have the ability to do the following for you within your virtual environment:

  1. Monitor and Alert on network behavior of VMs
  2. Track VMotion movement of VMs across physical servers
  3. Monitor and Alert on communication between VMs
  4. Identify users accessing VMs
  5. Identify unauthorized or rogue VMs
  6. Monitor and Alert when VMs go online or offline
  7. Identify network services running on VMs
  8. Monitor Network / Application performance of VMs
  9. Display active hosts accessing VMs

...and probably a slew of other things I'm not aware of.  A screen shot of their product is below:

(Lancope screenshot)

You'll notice from the screenshot that you are able to visualize who is talking to who, how much traffic they have sent and received and something called a concern index (not seen on this screenshot).

Now, a concern index is a number that increases as Lancope's analytical engines monitor suspicious activity on a session.  A high counter can be indicative of a security problem.  It's another way of identifying (visualizing) compromised hosts (virtual machines) without having to do signature matching like a heavyweight IPS engine.  Example:  Let's say you have a VM that has a BOT on it and is "owned".  The Lancope product is monitoring this long-life session.  Let's say that session is established for several hours or maybe even days or months.  Let's also say that the conversation appears to be mostly unidirectional from a public IP address not belonging to your enterprise.  Lancope would increase the concern index on this since this server hasn't typically had this type of behavior.  Once the concern index reached a certain level it could then fire off an email, send you a text message or something saying:  Warning, Warning, Danger, Danger Will Robinson!!! Your virtual server may be infected with a BOT, please investigate immediately!!!

This example is VISIBILITY which helps you with SECURITY.  There are a number of other things you can do with NetFlow and Lancope products that have less to do with security and more to do with operational efficiencies.  Things like helping you answer questions such as:  How do I know what network applications are taking up the most bandwidth?  When should I move those applications over to a server with more horsepower?  When did these VMs VMotion over here, and was there a traffic condition / CPU condition that caused that to occur?  I could go on and on but that's a topic for another blog entry.

So, my suggestion is to take a look at what NetFlow has to offer.  Montego Networks supports NetFlow transmission and Lancope supports NetFlow analytics, and with both you can regain the visibility that was lost.

I hope this was helpful to you all!

-John Peterson
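The bot-on-a-VM scenario described above, turned into scoring logic as an added example (not Lancope's algorithm or any product's code): each NetFlow-style session summary earns points for the traits the post lists (long-lived, mostly one-directional, public peer outside the enterprise, unlike the VM's past behaviour) and a session over the threshold is flagged. Field names, weights, thresholds, address ranges and the three sample flows are constructed assumptions.

```python
"""Toy 'concern index' over NetFlow-style session summaries (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# assumption: the address space the enterprise owns
ENTERPRISE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ALERT_THRESHOLD = 70  # assumption: score at which the engine would page someone


@dataclass
class Flow:
    """One session summary as a flow collector would report it (constructed fields)."""
    vm: str          # the monitored virtual machine
    peer: str        # the remote address
    duration_s: int  # how long the session has been established
    bytes_in: int    # bytes the peer sent to the VM
    bytes_out: int   # bytes the VM sent to the peer


@dataclass
class Baseline:
    """What this VM has been seen doing before (constructed history)."""
    typical_max_duration_s: int
    known_peers: set[str] = field(default_factory=set)


def is_external(addr: str) -> bool:
    """True when the address is not inside any enterprise-owned range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in ENTERPRISE_NETS)


def concern_index(flow: Flow, baseline: Baseline) -> list[tuple[str, int]]:
    """Return the (reason, points) pairs that fired; the concern index is their sum."""
    reasons = []
    total = flow.bytes_in + flow.bytes_out
    if flow.duration_s > 4 * 3600:
        reasons.append(("long-lived session", 30))
    if total and max(flow.bytes_in, flow.bytes_out) / total > 0.9:
        reasons.append(("mostly unidirectional", 20))
    if is_external(flow.peer):
        reasons.append(("public peer outside the enterprise", 20))
    if flow.duration_s > baseline.typical_max_duration_s:
        reasons.append(("longer than this VM has ever held a session", 20))
    if flow.peer not in baseline.known_peers:
        reasons.append(("peer never seen for this VM", 10))
    return reasons


def evaluate(flows: list[Flow], baselines: dict[str, Baseline]) -> list[dict]:
    """Score every flow and mark the ones that cross the alert threshold."""
    rows = []
    for f in flows:
        reasons = concern_index(f, baselines[f.vm])
        ci = sum(points for _, points in reasons)
        rows.append({"vm": f.vm, "peer": f.peer, "ci": ci,
                     "alert": ci >= ALERT_THRESHOLD, "reasons": [r for r, _ in reasons]})
    return rows


# constructed sample: a normal web hit, a nightly backup, and a bot talking to its controller
SAMPLE_FLOWS = [
    Flow("web01", "10.0.1.5", 120, 5_000, 80_000),
    Flow("file01", "192.168.5.20", 6 * 3600, 0, 50_000_000_000),
    Flow("db01", "203.0.113.7", 3 * 24 * 3600, 9_000_000, 200_000),
]
SAMPLE_BASELINES = {
    "web01": Baseline(600, {"10.0.1.5"}),
    "file01": Baseline(8 * 3600, {"192.168.5.20"}),
    "db01": Baseline(900, {"10.0.2.10"}),
}


def alerts(flows=SAMPLE_FLOWS, baselines=SAMPLE_BASELINES) -> list[str]:
    """Names of the VMs whose session crossed the threshold."""
    return [row["vm"] for row in evaluate(flows, baselines) if row["alert"]]


if __name__ == "__main__":
    for row in evaluate(SAMPLE_FLOWS, SAMPLE_BASELINES):
        print(row)
```

The backup session is long and one-directional too, but internal, expected for that VM and with a known peer, so it stays under the threshold; only the database VM's days-long external session is flagged.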

CPISM certification empowers merchants [PCI Blog - Compliance Demystified]

Posted: 30 Jul 2008 06:34 PM CDT

Congratulations to Walter Conway for his CPISM certification.  If you are not subscribed to his blog, please do so, especially if you are interested in Higher Education.  Rob is also one of the blogs that is syndicated via the Society of Payment Security Professionals.

The reason I congratulate him is because he has been working for years to do exactly what we do: educate and empower people about PCI compliance.  My mantra has always been to bring our expertise and education to empower those “across the table” from their auditor.  Have you ever felt frustrated because one auditor tells you one thing and another tells you something else entirely?  Perhaps this is just their variance in interpretation of the standard or personal risk tolerance.  The problem is that if you re-engineer your environment every time you get a different auditor you may go bankrupt!

So what can people do to learn what their auditor knows?  How can people empower themselves to understand the payment card industry so they can speak about it knowledgeably?  I’m not only an advocate, I’m also a member of the Society of Payment Security Professionals.  They have launched the Certified Payment-Card Industry Manager (CPISM) certification.  This certification and the training for it is geared at educating people about the payment card industry so they can speak with others (i.e. an auditor) knowledgeably about it.

Someone called me up today asking about their call center and how one auditor said it was not in scope and another said it was in scope.  They had just finished re-architecting their environment to make a secure payments area and now they were looking at re-engineering it to accommodate the requirements of this new auditor.  I told that person that they could always call upon me (as you all can via the email address and phone number on this blog), but that they would feel more confident if they empowered themselves.

It’s like the old proverb, “if you give a man a fish he will eat for a day, but if you teach a man to fish he will eat for a lifetime.”  This certification is meant to empower others to feel more confident about the decisions they make, because they invested the time necessary to learn the nuances of the industry.

PCI Survey [PCI Blog - Compliance Demystified]

Posted: 30 Jul 2008 06:18 PM CDT

If you are not already subscribed to Rob Newby’s blog then maybe today is the day you do.  His is one of the few that is syndicated via the Society of Payment Security Professionals.  He has put online a survey on PCI DSS compliance that is meant to identify some of the roadblocks to compliance.

Since Rob is based in the UK this survey is targeted mostly at European companies, but I’d urge you all to participate.  The more information available to the public the more we can identify the roadblocks and remove them.

We already know that things such as Chip-PIN have had an ideological impact on PCI DSS adoption within the UK and Europe.  It goes a long way towards protecting cardholder data, but it alone will not protect merchants from exposing sensitive data.  Merchants must understand that integrated POS devices could retain “track equivalent data” which cannot be retained post authorization.

Other issues include the multi-acquirer relationships within Spain and Italy.  This power shift makes it harder for acquirers to push for compliance within their merchant community.

Also, things such as Single Euro Payments Area (SEPA) may bring changes to how merchants see their PCI scope.  There are a number of things that companies must consider and an equal number of roadblocks.

In the end, excuses are just that.  If you choose to not wear a life preserver just because your neighbor isn’t then both of you will go down when the ship springs a leak.  Ignorance is no excuse.

Also, if you’d rather read up on a Web App Sec survey check it out.

Oh oh, I use AT&T [Network Security Blog]

Posted: 30 Jul 2008 04:57 PM CDT

Not that I’m surprised, but it appears that a DNS server at AT&T has been the first high-profile target of the DNS vulnerability discovered by Dan Kaminsky. I’ve been testing my internet connection every once in a while since I called out AT&T to patch last week and as of Monday it appeared to be safe. Even the 3G connection I’m using right now appears to be safe. But at least one server in the AT&T network was vulnerable and HD Moore’s company BreakingPoint was the target. A little bit of delicious irony there, since HD is the creator of Metasploit and released a plugin to test for the DNS vulnerability last week.

I’m getting tired of writing about the DNS issue and hope that AT&T and other service providers make a lot better effort in patching for the vulnerability now that it’s in the wild and being exploited. Dan mentioned an interesting set of statistics last week: When he first put up his vulnerability test page 78% of all tests came back as vulnerable, while as of last week only 56% of the tests came back as vulnerable. I’m quoting these numbers from memory, so they may be off a little, but it’s still an impressive effort to patch. Not nearly good enough, but still impressive.

I hope this spurs a fresh round of patching by large service providers as well as smaller companies, but I’m not going to hold my breath. I wonder how many more tricks Dan has up his sleeve for his talk at Black Hat, because I don’t think we’ve seen the full extent of this vulnerability just yet.

Flash being used in spam emails [mxlab - all about anti virus and anti spam]

Posted: 30 Jul 2008 04:50 PM CDT

Spammers often include links in their messages directing to web sites. These links are most of the time in the form of a URL including .html, .htm, .asp, .php or something similar.

A new spam trick is to include a URL directing to a Flash animation with the .swf extension. Most browsers will play the Flash movie even if it isn’t embedded in an .html page.

The Flash contains no animation but a redirect to a web site with the spammer’s offer.

Commtouch reports that the messages arrived in small quantities on Saturday, and by Monday, July 28, had become a massive outbreak. 7000 URLs have been created and used in millions of spam messages.

Malware round up, for now [mxlab - all about anti virus and anti spam]

Posted: 30 Jul 2008 04:35 PM CDT

The UPS trojan and malware that was distributed by an email was one of the latest highlights. On more than one occasion the attached zip was extracted, opened and the trojan was executed. Anti-virus engines had a lot of trouble keeping up-to-date and providing some real protection.

Commtouch, our technology partner, has provided us with a graphic showing when the UPS trojan outbreaks appeared per day, based on the ups_invoice.exe attachment.

As we also reported on this blog, the malware was sent out in so-called bursts: many emails with the virus in a short time. In the graph you can see when some massive waves or bursts occurred. By sending out viruses in bursts you can have a better result regarding infections because you can reach many unprotected computers in a short time frame.

At the moment things have cooled down a bit but since this afternoon we see the variant ‘Buy your ticket online’ appear in our messages logs. This story isn’t over yet and we keep our eyes open.

OAUTH and OATH - confusing? [Mike Davies: Online Identity and Trust in EMEA]

Posted: 30 Jul 2008 07:38 AM CDT

Just read an excellent post about the difference between OAUTH and OPEN ID.

The reason for this post is that I wanted to make sure that there is no confusion between OAUTH and another standard called OATH which broadly fits in the same space.

Here is my understanding of OAUTH with an example shamelessly taken from their web site to explain:

OAUTH is a way for you to move from one site to another site and grant temporary access to the second site so that you can access the resources from the second site from the first site. Here is a good real life example:

"When a user wants to print a photo stored on another site, the interaction goes something like this: the user signs into the printer website and place an order for prints. The printer website asks which photos to print and the user chooses the name of the site where her photos are stored (from the list of sites supported by the printer). The printer website sends the user to the photo site to grant access. At the photo site the user signs into her account and is asked if she really wants to share her photos with the printer. If she agrees, she is sent back to the printer site which can now access the photos. At no point did the user share her username and password with the printer site."

OATH on the other hand is a standard for sharing a second factor authentication token.

Imagine that you have 10 online relationships which are potentially interesting to a fraudster or contain sensitive personal information (such as Banking, Healthcare, Retail, Gaming, gambling, insurance etc.).

If each site provided you with a two factor authentication device (like a Vasco token or VIP Card) then you would need 10 tokens for your online relationships, obviously impractical and expensive at the consumer level.

OATH sets a standard where the consumer uses the same token across multiple sites.

The first factor of authentication (i.e. user name and password) would likely be different at each site and is not part of the OATH standards, and in fact, hey, guess what, this is where OPEN ID fits in.

A real live example of OATH working is the VeriSign VIP network (enough plugging already, if you want to read more go to the VeriSign Site).

My personal view on OPEN ID and OATH I have blogged before about, but here is a simple diagram explaining that relationship.


If I was to try and fit OAUTH into the diagram I guess it would kind of fit across both the SITE ID part and the 1st FACTOR part as it is establishing a standard where sites can ID themselves to each other and allow the consumer to use their first factor of authentication to enable the sites to share the resources.

Anyway, I see OAUTH and OATH and OPEN ID living side by side.
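The printer / photo-site exchange quoted in this post, played out end to end as an added example (not code from the post or from any OAuth library): the printer site obtains a request token, the user signs in and approves at the photo site, the printer exchanges the approved token for an access token, and only then fetches the photos. Request signing is simplified to an HMAC-SHA1 keyed with the consumer secret (an assumption), and the account, photos and redirect URL are constructed.

```python
"""Three-party delegated access, OAuth 1.0 style, in one process (added example)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Optional


def sign(secret: str, message: str) -> str:
    """Simplified signature: HMAC-SHA1 over the message, keyed with the consumer secret."""
    return hmac.new(secret.encode(), message.encode(), hashlib.sha1).hexdigest()


class PhotoSite:
    """Service provider: owns the user accounts and the photos."""

    def __init__(self) -> None:
        # constructed account; the password is known only to the user and this site
        self.users = {"alice": {"password": "correct horse", "photos": ["beach.jpg", "dog.jpg"]}}
        self.consumers: dict[str, str] = {}        # consumer key -> consumer secret
        self.request_tokens: dict[str, dict] = {}  # request token -> approval state
        self.access_tokens: dict[str, str] = {}    # access token -> username

    def register_consumer(self, name: str) -> tuple[str, str]:
        key, secret = f"{name}-{secrets.token_hex(4)}", secrets.token_hex(16)
        self.consumers[key] = secret
        return key, secret

    def _check(self, consumer_key: str, message: str, signature: str) -> None:
        expected = sign(self.consumers.get(consumer_key, ""), message)
        if consumer_key not in self.consumers or not hmac.compare_digest(expected, signature):
            raise PermissionError("bad consumer signature")

    def get_request_token(self, consumer_key: str, signature: str) -> str:
        """Step 1: the printer obtains a temporary token before redirecting the user."""
        self._check(consumer_key, consumer_key, signature)
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"consumer": consumer_key, "user": None, "verifier": None}
        return token

    def authorize(self, token: str, username: str, password: str, approve: bool) -> Optional[str]:
        """Step 2: the user signs in HERE and decides whether the printer may see her photos."""
        state = self.request_tokens.get(token)
        user = self.users.get(username)
        if state is None or user is None or not hmac.compare_digest(user["password"], password):
            raise PermissionError("login failed or unknown request token")
        if not approve:
            del self.request_tokens[token]
            return None
        state.update(user=username, verifier=secrets.token_hex(4))
        return state["verifier"]  # travels back to the printer on the redirect

    def get_access_token(self, consumer_key: str, token: str, verifier: str, signature: str) -> str:
        """Step 3: swap the approved request token for an access token (single use)."""
        self._check(consumer_key, token + verifier, signature)
        state = self.request_tokens.pop(token, None)
        if state is None or state["consumer"] != consumer_key or state["verifier"] != verifier:
            raise PermissionError("request token not approved for this consumer")
        access = secrets.token_hex(8)
        self.access_tokens[access] = state["user"]
        return access

    def photos(self, access_token: str) -> list[str]:
        """Step 4: the protected resource, readable only with a valid access token."""
        username = self.access_tokens.get(access_token)
        if username is None:
            raise PermissionError("no such access token")
        return list(self.users[username]["photos"])


class PrinterSite:
    """Consumer: wants the photos but never learns the user's photo-site password."""

    def __init__(self, photo_site: PhotoSite) -> None:
        self.photo_site = photo_site
        self.key, self.secret = photo_site.register_consumer("printer")
        self.request_token = ""

    def start_order(self) -> str:
        self.request_token = self.photo_site.get_request_token(self.key, sign(self.secret, self.key))
        return f"https://photos.example/authorize?token={self.request_token}"  # constructed redirect

    def finish_order(self, verifier: str) -> list[str]:
        sig = sign(self.secret, self.request_token + verifier)
        access = self.photo_site.get_access_token(self.key, self.request_token, verifier, sig)
        return self.photo_site.photos(access)


def run_flow(approve: bool = True) -> Optional[list[str]]:
    """Drive the exchange: the photos the printer obtained, or None if the user refused."""
    photos = PhotoSite()
    printer = PrinterSite(photos)
    token = printer.start_order().split("token=")[1]
    verifier = photos.authorize(token, "alice", "correct horse", approve)  # typed at the photo site only
    if verifier is None:
        return None
    result = printer.finish_order(verifier)
    try:  # the request token was consumed in step 3, so a replay must be refused
        printer.finish_order(verifier)
    except PermissionError:
        return result
    raise AssertionError("request token was reusable")


if __name__ == "__main__":
    print(run_flow(True))   # ['beach.jpg', 'dog.jpg']
    print(run_flow(False))  # None
```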

Meru Networks erects a "cone of silence" [StillSecure, After All These Years]

Posted: 30 Jul 2008 07:13 AM CDT

Who doesn't remember the cone of silence from the original Get Smart TV series?  Whenever Max and the Chief had something important to discuss they would lower the cone of silence so that no one else could hear them or eavesdrop. So it is only fitting that, with the recent release of the Get Smart movie, Meru Networks has released a wireless cone of silence.

Meru is one of few stand-alone wireless companies still hanging on out there.  So they need to be innovative to survive.  Their latest product, RF Barrier, puts antennas around a physical plant to dampen and make it impossible to listen in on wireless data exchanges.  They claim this is a first of its kind.  Thinking about it though, I don't see a big barrier to other companies having similar technology. I don't think you have to be a genius to broadcast traffic that puts out "noise" to hide legit traffic. I think the real special sauce is that this works in conjunction with Meru's other security products like wireless firewalls and secure access points.

With Motorola's recent purchase of AirDefense, is wireless IPS soon going to be table stakes in the wireless provider game?  I think it is, and while Meru's RF Barrier is a nice story, they are going to need to have some sort of IDS/IPS in their product line to keep up.


Security Briefing: July 30th [Liquidmatrix Security Digest]

Posted: 30 Jul 2008 07:12 AM CDT


I seriously need to address a few blog postings that I have in the can. They have been languishing for a couple weeks now and I hope I can get them posted this weekend. I hope everyone has a great day!


And now, the news…

  1. Online voter registration close to reality | San Francisco Chronicle
  2. Most Sensitive Data on Government Laptops Unencrypted | PC World
  3. Study raises data privacy and security concerns about telecommuting | LA Times
  4. Exploit Prods Software Firms to Update Their Updaters | Washington Post
  5. Olympics visitors warned of digital monitoring | Washington Times
  6. Nintendo files suit against five DS hacking firms | Engadget
  7. Motorola to Acquire AirDefense | Unified Communication Strategies


Trend Micro OfficeScan Web-Deployment Buffer Overflow [Liquidmatrix Security Digest]

Posted: 30 Jul 2008 07:03 AM CDT

This advisory for Trend Micro was issued yesterday.

From Secunia:

Elazar Broad has discovered some vulnerabilities in Trend Micro OfficeScan, which can be exploited by malicious people to compromise a user’s system.

The vulnerabilities are caused by boundary errors in the OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class ActiveX control (OfficeScanRemoveCtrl.dll) on an OfficeScan client when attempting to display a list of configuration settings. These can be exploited to cause stack-based buffer overflows by passing overly long properties when a user e.g. visits a malicious web site.

Successful exploitation allows execution of arbitrary code, but requires that the OfficeScan client was installed using web deployment.

I can only imagine that this same problem exists in Symantec’s antivirus.

Article Link
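As an added illustration of the bug class Secunia describes (a stack-based overflow when an ActiveX property setter copies an overly long value into a fixed buffer), and not code from OfficeScan or from the advisory: a hypothetical property setter in its unbounded form beside a bounded form that rejects values which do not fit. The buffer size, function names and the sample property value are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the bug class in the advisory, not the real
 * OfficeScanRemoveCtrl.dll code: a property setter copies a string chosen
 * by whoever embeds the control (e.g. a web page) into a fixed stack buffer. */
#define DISPLAY_BUF 64

/* Vulnerable form: no bound on the copy, so an overly long property
 * value overruns `buf` and smashes the stack. Shown for contrast only. */
void set_property_vulnerable(const char *value)
{
    char buf[DISPLAY_BUF];
    strcpy(buf, value);             /* stack-based buffer overflow */
    printf("setting %s\n", buf);
}

/* Hardened form: look for the terminator within the buffer's capacity,
 * reject anything that does not fit (terminator included), then copy
 * exactly that many bytes. Returns false when the value is rejected. */
bool set_property_safe(const char *value)
{
    char buf[DISPLAY_BUF];
    const char *nul = memchr(value, '\0', DISPLAY_BUF);
    if (nul == NULL)                /* no terminator within capacity: too long */
        return false;
    size_t len = (size_t)(nul - value);
    memcpy(buf, value, len + 1);    /* includes the terminator */
    printf("setting %s\n", buf);
    return true;
}

/* Constructed sample input: a property value far longer than the buffer. */
const char *overlong_property(void)
{
    static char s[DISPLAY_BUF * 4];
    memset(s, 'A', sizeof s - 1);
    s[sizeof s - 1] = '\0';
    return s;
}

int main(void)
{
    printf("%d\n", set_property_safe("DisplayList=1"));        /* 1 */
    printf("%d\n", set_property_safe(overlong_property()));    /* 0 */
    return 0;
}
```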

McKinnon Loses Extradition Appeal [Liquidmatrix Security Digest]

Posted: 30 Jul 2008 06:32 AM CDT

The last-ditch effort by McKinnon to avoid extradition in the UK has failed. Now, his lawyers are taking the case to the EU courts.

From CNN:

Gary McKinnon, 42, faces charges in the United States for what officials say were a series of cyber attacks that stole passwords, attacked military networks and wrought hundreds of thousands of dollars worth of computer damage.

The decision by Britain’s House of Lords was his last legal option in this country, but his lawyer said she would appeal his case to the European Court of Human Rights in Strasbourg, France.

“The consequences he faces if extradited are both disproportionate and intolerable and we will be making an immediate application to the European court to prevent his removal,” Karen Todner said after McKinnon’s appeal was rejected. “We believe that the British government declined to prosecute him to enable the U.S. government to make an example of him.”

Well, of course they will make an example of him. They have to be sure to please/protect their alien masters.


Article Link

Blogging as therapy [StillSecure, After All These Years]

Posted: 30 Jul 2008 01:13 AM CDT

As some of you know, my friend Mitchell Ashley and his wife Mary Ellen have been battling against breast cancer for over 3 years now. It has been a roller coaster ride for both of them and I have seen first hand how much courage it has taken for Mitchell to deal with this scourge, let alone the courage that Mary Ellen has in battling this disease. Though Mitchell has never made a secret of it, he has not made it very public either. That has now changed with a new blog that Mitchell started call

Mitchell wants to share his experience as the "other" spouse in this life and death battle that too many couples face. He is looking to make it a resource for others faced with a similar battle. But there is part of doing this which is therapeutic for Mitchell as well. Talking about what he is feeling and going through helps him deal with the emotions and toll it takes. At the same time he is providing resources to those who may be in need.

I applaud Mitchell for being brave enough to come forward and face these demons publicly. Though we do not work together every day, Mitchell and I still speak almost every day. I know that he and Mary Ellen fight this each and every day and am constantly amazed at their faith in God and courage. If you get a chance, check out the blog and support Mitchell, Mary Ellen and the rest of the people who do battle with this terrible disease every day.


No podcast this week [Network Security Blog]

Posted: 29 Jul 2008 08:04 PM CDT

Rich and I are both incredibly busy, trying to get some work done before Black Hat and Defcon start. We’re planning on producing a podcast next week from the showroom floor at BH as well as a few microcasts from both Black Hat and Defcon.

So tune in next week, I promise the audio will be better than episode 113’s was. Because you know it can’t get much worse than last week.


Google versus Microsoft: A Coming Cloud Computing Dogfight [ARCHIMEDIUS]

Posted: 29 Jul 2008 07:53 PM CDT

Steve Ballmer gets it. While he discusses a strategic interest in search, his head is really in the clouds, in the coming transformation many are calling cloud computing. I think he fully understands the cannibalization risk that Google is posing in the long term as it delivers increasingly sophisticated applications as a service. Yet there [...]

Ah, the joys of blogging! [StillSecure, After All These Years]

Posted: 29 Jul 2008 05:12 PM CDT

People ask, why do you blog? In the final analysis I blog because I like to. Every once in a while though you get a comment from a reader that reminds you why it is all worthwhile. Here is one I received today from a person alleging to be a Julie Peterson:

Julie Peterson commented on Safe Access wins SC Magazine Award Reader Trust Award, again!:

Dressed in a tuxedo and chewing those rubber chicken breasts at the award ceremony is your idea of fun? Aren't you the same mentally retarded idiot who said in 2007 that you hated SC awards and that anyone can buy the SC awards with a sponsorship? Why do you think people give over $10k as sponsorship for the SC awards? Who is watching the awards except other vendors? By the way you suck big time with your rubbish blogs. Didn't networld magazine give you the boot within 3 months? Think before you write Mr. mental. Well done on winning, but please, don't give the impression that you can't buy an award from SC! And don't forget to eat your medication pills tonight, otherwise from your hair it is obvious you ran away from a mental hospital.

First of all Julie, let me thank you for your kind words! You made the statements, so let me answer your questions for you.

1. Is dressing in a tuxedo and chewing rubber chicken breasts my idea of fun?  Actually, I do enjoy dressing up in a tuxedo once in a while.  The food at the awards ceremony was actually pretty good, if not diet friendly, as were the cocktails.  The entertainment at the awards show was pretty good as well. Catching up with friends you had not seen for a while and networking with industry peers was pretty worthwhile too.  Maybe your idea of a good time is putting on a bowling shirt and swilling a couple of beers and pretzels before going home and undressing into your dirty ripped underwear. Hey I say to each his own.

2. I am not the idiot who in 2007 said that I hated the SC awards and that anyone can buy the SC awards with a sponsorship.  I am the idiot who said that about the InfoSec Products Guide award by the folks at Silicon Valley Communications.  In contrast I have always said nice things about the SC awards. I actually have a lot of respect for them.  Also for the record, StillSecure has never been a sponsor of the SC Magazine awards. I have seen sponsors who did not win awards as well.  So looks like you got that one wrong Julie, but it happens.

3. "Networld" magazine didn't give me the boot within 3 months. They never had the chance, as I never wrote for "Networld," Network World or any other magazine. Maybe you have me confused with Mike Rothman or Mitchell Ashley, who do and did write for Network World. But let me assure you that I do try and think before I write.

4. Regarding what medication pills I take and whether my hair makes it obvious I ran away from a mental hospital: I don't take any medication, maybe I should. Better living through chemistry you know ;-) As to my hair, what can I say. At this stage I am happy I have any hair at all. My wife always says when I get my haircut it looks like a Buzz Lightyear style, but no one ever mentioned a mental hospital look to it. In any event sorry it doesn't appeal to you.

So who is this troll Julie Peterson?  Could it be Richard Stiennon in drag?  Maybe his wife striking out?  Maybe another one of my fans?  Who knows, but these sort of comments keep me juiced about blogging and remind me of how much fun I have doing it.  Thanks again Julie!

Reminder: WebEx Seminar on Risk Analysis []

Posted: 29 Jul 2008 12:56 PM CDT

Hey everybody! Quick post this morning to remind you guys that Cisco has been kind enough to let us give a follow-on WebEx presentation on July 31, 2008 at 11:30 a.m. EDT. The link to sign up is here. There are only about 40 slots left. It looks like it’s going to be a good crowd.

We’re calling this part II - and it’s being advertised as:

“How to conduct a risk analysis and produce a high impact deliverable to senior management.”

With topics:

  • The life-cycle of a quantitative risk analysis
  • Key control opportunities against targeted attacks
  • Getting senior management to understand the risk posed to the business

I got to do the Q&A backchannel on the last presentation, and there were great questions asked.  I think this presentation will be even more exciting, as it’ll cover both analyst and management considerations.

If you’re a regular reader of the blog, I don’t think you’ll have to have attended the last one for this one to be worth your while.


And if you missed it the first time, the playback of the first preso is here, and the slides are here.

Security Briefing: July 29th [Liquidmatrix Security Digest]

Posted: 29 Jul 2008 07:52 AM CDT
