Spliced feed for Security Bloggers Network |
Picviz 0.2 is out! [Security Data Visualization] Posted: 07 Aug 2008 07:33 AM CDT From the release notes:
Picviz is a parallel coordinates plotter which enables easy scripting from
Picviz helps you to create, automate and understand parallel coordinates plots. Its primary goal is to graph data in order to be able to quickly analyze
The language is designed to be close to the graphviz graph description
Picviz features a language to describe your graphs; an engine producing images
You can download the program from its project page. |
Security Briefing: August 7th [Liquidmatrix Security Digest] Posted: 07 Aug 2008 07:28 AM CDT Finally catching up with things! Leaving for Defcon in a few hours. A nice recharge for my brain as I get excited about this stuff again. Click here to subscribe to Liquidmatrix Security Digest! And now, the news…
Tags: News, Daily Links, Security Blog, Information Security, Security News |
Blogging Blackhat, Day One [Digital Bond] Posted: 07 Aug 2008 02:42 AM CDT Day one of Blackhat has come to a close and all in all it was a pretty good day of presentations. A few were a bit lacking, but I’ll focus on the two that I enjoyed most; other presentations and panels were good, but a bit more rehashed information than I would have liked. First was the Highway to Hell presentation that I mentioned in a previous post. Not only did Nate do a very good job speaking, but the material was very interesting: essentially the FasTrak system has some potential issues with their system, both the integrity of the components themselves and potential misuse. There are a lot of undocumented features/code in the devices and potential to clone these devices. Definitely potential for unsavory use with that, and Lawson is attempting to work with authorities/vendors but hasn’t had a lot of luck; as such, the details of how to do anything malicious were left out of the presentation. There is still a lot of research to do in this area, including the EZ-Pass system used primarily on the East coast. Secondly, the presentation on Temporal Reverse Engineering really got me excited, but I’m a sucker for things involving visualizations. The research dealt mostly with unpacking malware and seeing the flow of a program; using the graphing techniques they had developed, the unpacking procedures were very clear. I could see this being applied to other parts of reverse engineering in the future, easily seeing program flow, calls to networking functions, etc. Graphs were made with the Oreas GoVisual Diagram Editor, which looks to be a powerful graphing tool if you’re looking for one. Other than that, the only thing to report is that SCADA systems seem to be getting more attention from traditional IT security companies, but for the moment I don’t think that they’re quite sure how to handle it.
Right now it seems like “SCADA” is just ink on marketing material without a lot of business or knowledge to back it up, with a few exceptions that are easy to see.
|
Black Hat: Got2 Luv the H8ers [Jeff Jones Security Blog] Posted: 07 Aug 2008 12:07 AM CDT So, this afternoon, I'm in the Microsoft booth at Black Hat when this guy comes up (badge hidden of course) and starts talking to some of my colleagues. Right away, it was pretty obvious that he was antagonistic. I will refer to him as "h8er" from here on out. Though I am paraphrasing a bit, this is based upon a true story. It gave me a chuckle, so I thought I'd share. h8er: So, how does it feel to work for a company that has made so many bad security decisions? MSFT guy: Well, I feel lucky to be in a position to try and influence good security decisions going forward - are there any specifics you want to give me feedback on? h8er: All those prompts irritating people, for example. MSFT guy: Oh, so you don't like that aspect of UAC. We've gotten a lot of feedback on that, but the UAC security changes in Windows Vista encompass a pretty wide range of options designed to make it easier for most users to run as non-admin. Plus, we've incorporated some of the feedback into SP1 and I think it is a lot better. Have you tried SP1? h8er: <crickets chirping in the silence> MSFT guy: (still trying) Let me ask it a different way. A lot of folks have said that after the first few weeks, the UAC prompts tapered off; have you not found that to be the case? h8er: <crickets chirping in the silence> MSFT guy: What about some of the other changes in Windows Vista - I think the addition of ASLR, for example, was a good decision and raises the bar for attackers developing exploits. non-MSFT guys standing nearby: He has probably never even tried Vista - I bet you run Linux and just heard the prompt stuff second hand. h8er: I don't run Linux ... I run a Mac! (NOTE: This seemed to rattle him, so he went on the offensive.) h8er: Don't you feel embarrassed working for Microsoft knowing that 40% of your customers are infected with Malware?
MSFT guy: Actually, based upon research in the latest Security Intelligence Report, less than 1% of machines have malware and need corrective action - plus, recent research in the same report has shown that most of that is on older platforms and Windows Vista has an even lower incidence. 40% is a pretty high number; what source did you hear that from? h8er: <crickets chirping in the silence> (NOTE: Need a new tack, better try something different.) h8er: Well, I feel a lot safer running my Mac and knowing the malware writers aren't targeting me. MSFT guy: Oh, threat landscape is a different topic than the security of the software, but I can't really agree anyway. Many of the folks I talk to are more concerned about spearphishing or targeted attacks specifically against their valuable data. Recent data shows that Mac OS X has quite a higher incidence of security vulnerabilities than other comparable systems. That means that if an attacker did target them, he'd have a lot more options to choose from. In that case, I feel much more comfortable using or recommending Windows Vista than I would using your Mac. He left shortly after that, but not before giving the Microsoft guy an invite to his company's party - I won't tell you which company it was, but it makes the story even funnier. To cap it, a few minutes later, one of the bystanders came by and said "so, did the Mac fanboy get tired of harassing you and leave?" Having lots of fun at Black Hat 2008 ~ Jeff |
Last HOPE Session Videos - Seeded by AoIS [Art of Information Security] Posted: 06 Aug 2008 09:57 PM CDT To be honest, 2600’s The Last HOPE conference didn’t really catch my attention at first. But some of the sessions did, especially “Crippling Crypto: The Debian OpenSSL Debacle”. That presentation, by Jacob Appelbaum, Dino Dai Zovi and Karsten Nohl, is a winner. Not only do they provide a fantastic and detailed description of how OpenSSL’s random number generator was accidentally lobotomized, they also demonstrate how to leverage cheap cloud computing to generate the set of bad keys that resulted. (All of them!) At any rate, legit torrents of the video presentations are available from The Last HOPE Video Tracker. Art of Information Security is seeding torrents, and plans to do so for the next 10 days. Check ‘em out. Cheers, Erik |
Live from the “Configuresoft” Conference [Jeff Jones Security Blog] Posted: 06 Aug 2008 08:47 PM CDT I thought I'd share a quick story from Black Hat. So, I went to Caesar's and headed back to the conference area to register and get my badge. As I neared the escalators, I started seeing a lot of folks with badges on that said "Configuresoft." I thought, hmm, there must be another conference going on here at the same time - which would be weird, since Black Hat filled the areas last year. Anyway, I trudged on, found registration and got my badge for Black Hat. Here is a picture:
Duh. Look for more updates as the conference progresses. ~Jeff |
Just assume your identity has already been stolen [Online Identity and Trust] Posted: 06 Aug 2008 07:50 PM CDT by Perry Tancredi, Senior Product Manager, VeriSign Fraud Detection Service
|
Security Breaches Are Still Happening [Alert Logic] Posted: 06 Aug 2008 06:08 PM CDT Anyone who combs the press for security breaches will quickly find out there isn't much going on. At least, nothing the press wants to write about. And who can blame them? Running the same old same old stories about how some company got compromised and customer data, social security numbers, shoe sizes, [...] |
Malware Survey [CTO Chronicles] Posted: 06 Aug 2008 05:45 PM CDT Blackhat's underway, and while Kaminsky's DNS vulnerability continues to garner the lion's share of attention, there are other interesting malware-related developments that I thought would be worth surveying here. This is not an exhaustive list, of course. Just ones that caught my eye for one reason or another. For all the Facebook/MySpace lovers out there, Blackhat researchers are due to demonstrate a file that the web server treats as a GIF, but the endpoint processes as a JAR archive. Kaspersky has also identified a worm that is spreading through MySpace and Facebook. Storm continues to chug along and find ways to add people to its botnet. The latest attempt is via an "FBI vs Facebook" spam. Given Storm's history of looking to capitalize on events around the world, I'd look for more as the Summer Olympics gear up. In a development that surprises none of us, but is a bummer for all of us, Information Week has an article on a recent Websense survey finding that 75% of sites serving malicious code are legitimate sites that have been compromised. According to the article this is a 50% jump over the previous 6 months. Finally, Twitter has apparently reached a level where it is now also worthy for use as an attack vector, prompting users to download malware disguised as an updated codec for Adobe Flash player. What's any of this to do with NAC? It highlights two points that I've drummed on before: (1) the critical importance of a post-admission security and detection strategy, and (2) the importance of isolation and cleanup of infected hosts. |
Black Hat Day 1: Kaminsky, Hoff, NetSecPodcast, and Broken Elevators [securosis.com] Posted: 06 Aug 2008 04:28 PM CDT I’m sitting in Hoff’s Virtualization Security presentation, and he’s running at 200 MPH, so this will be a short one. A few bits for the day:
Time to listen again… then get to work on my hangover for tomorrow… UPDATE: More from Hoff- virtualizing security will cost more; you have to buy a lot of new stuff, can’t drop the old stuff, and it doesn’t all even work. UPDATE 2: If you test this stuff it will not meet your performance requirements. UPDATE 3: How about Vmotion? Will your virtsec policies move with the virtual machine? Okay, I’m done. You really need to see his presentation. |
ISCI Call for Input [Digital Bond] Posted: 06 Aug 2008 02:37 PM CDT The ISA Security Compliance Institute [ISCI] announced a Call for Input to their Embedded Controller SA conformance specification on the SP99 list last week. We will link to it when it is up on the ISA site. At the last ISA99 meeting in West Palm Beach, I raised some red flags about a pay-to-play organization dictating an ISA standard’s structure and schedule. Well, this Call for Input is another red flag. Why would any non-ISCI member want to contribute to this effort? It costs at least $5,000 a year to even participate in an ISCI technical meeting, and the price goes up based on company size. Would you contribute to an unproven, fledgling effort that then makes you pay to even get in the room to work on the specification? Who owns the intellectual property [IP] of the contributions? ASCI/ISCI has made a point in presentations that the test specifications and certification programs they will develop have value and are ISCI’s IP. And this is wise, because creating effective test specs and programs is difficult. But how can ISCI take another company’s input and say they own the resulting IP? I would be amazed if the two prominent vendors in this space, Mu and Wurldtech, would hand over their IP. [FD: Wurldtech is a current advertiser and past Digital Bond consulting client]. As the ISA>ACSI>ISCI efforts have rolled out, it appears to me they made two fundamental mistakes.
1. Perhaps the fatal mistake was they started too early. If ISA99 or some other control system security standard that had testable requirements was available, they could apply resources to build a test spec and certification program. We are not close to this, so now ISCI needs to develop a set of ISCI proprietary requirements and the test spec.
2. ISA viewed this as a significant new revenue source - my speculation. It is one thing to raise money to cover efforts, but the pay-to-play aspect is another.
First, why did they need all that money? They have not hired a team to write test specs; they are relying on volunteers from member companies. If I’m a member seeing year two dues coming up, I’m asking some hard questions. Also, how would it be viewed if Mu or Wurldtech or Digital Bond or Industrial Defender said, everyone contribute non-trivial upfront money to our commercial effort; not only do we own the IP, but the efforts and results from your benevolent contribution will not be available to the control system community unless they pay up? Admittedly I’m biased as part of a commercial entity, but I’m continually amazed at how non-profit organizations, labs and academia are considered pure when in fact they are equally as greedy and ‘commercial’ as everyone else. Nothing wrong with their motives, but the illusion of purity . . . |
Network vs. Application Security [securosis.com] Posted: 06 Aug 2008 01:30 PM CDT Should network and application security proceed along separate, independent tracks? Should software security focus solely on the in-context business issues concerning security, and have network security focus on not allowing the software and infrastructure to be undermined? This is one of those concepts that has been brewing in the back of my mind for some time now. Different data, different availability, and different contexts provide different value propositions, and I am not sure they are effective surrogates for one another. A bunch of Hoff’s posts add fire to this thought, and the whole Kaminsky debate shows the value of competition. We willfully merge network, server and application security concepts as one and the same, and quite often use one to band-aid the other. It’s not working very well. If competition makes us stronger, maybe we should just stop cooperating and start pointing the finger of blame at one another. Maybe we need a good turf war to generate security competition between IT & Development groups. The network Hatfields vs. the application McCoys, each working harder to make sure they’re not responsible for the next breach. -Adrian |
Exploitability Index - More Information for Customers [Jeff Jones Security Blog] Posted: 06 Aug 2008 11:20 AM CDT Yesterday at Black Hat 2008, along with some other stuff, we announced that we will be adding some new information to Security Bulletins - an "Exploitability Index" for each of the vulnerabilities addressed by the bulletin. Based upon talking with Microsoft customers over the past five years, they are always looking for that little bit of extra information to help make prioritization decisions. An obvious example of this is the severity attached to the vulns. However, as explained by Mike Reavey of the Microsoft Security Response Center (MSRC) over on the Ecostrat blog today, customers are also very interested in which vulnerabilities already have exploit code or sample exploits available. According to our analysis in the most recent Security Intelligence Report (SIR), only about 30 percent of the vulnerabilities we fix each year have exploit code released. Why is it not 100%? Some are not interesting to attackers, sure, but some are simply more challenging to develop a consistent exploit against. It seems like it would be practically useful if this sort of information could be analyzed and published for customers. How does one come up with an Exploitability Index?
The idea of the Exploitability Index is to provide more information to help customers prioritize Microsoft security updates. This Index will reflect our best estimate, scrutinized by MAPP partners, of the likelihood of a functional exploit being developed for a given vulnerability. If you are interested, I did an interview with Mike Reavey a while back, where we discuss what sort of information customers want that isn't yet in Security Bulletins. FYI, the video is about 15 minutes long and the early part focuses on Mike, how he got into security and how he ended up at Microsoft before we get to the Security Bulletin discussion ... if you want to get right to the Security Bulletin discussion, skip forward to about 08:40. If you like these sorts of videos, click on Regards ~ Jeff |
Isolation And Consulting [Liquidmatrix Security Digest] Posted: 06 Aug 2008 11:07 AM CDT One of the most difficult things I have had to deal with in recent years is my transition from a 9 to 5 office to a consultant working from home. While on the surface it may seem like the ideal scenario, and it has its obvious perks, there is a downside. The isolation is overwhelming at times. Sure, I work for a large shop and I’m part of a ‘team’ but, regrettably, that is a team in a virtual sense. I almost never see my team members and occasionally converse via email. At no time, however, does this afford a team-building interaction. After 6 and a half years with a medium sized shop it is difficult to be suddenly alone. This is not to say that I don’t have friends and family to talk with. This is the absence of co-workers. The absence of a team dynamic. Never thought I would say this but, I really do miss that collegial interaction. I have received some advice from Hoff, myrcurial and others and I thought I would share this with folks who are newly minted (or re-minted) into the consulting space.
Now, this is by no means an exhaustive list. So, this is where you can help out. What helps/helped you maintain your sanity when faced with the isolation that comes with consulting? Feel free to share your experiences or tips so that other folks can benefit from them. Thanks! |
Hilton Responds to McCain Ad :) [The Falcon's View] Posted: 06 Aug 2008 11:00 AM CDT |
When the shoe is on the other foot [StillSecure, After All These Years] Posted: 06 Aug 2008 10:16 AM CDT About to head over to morning sessions of Black Hat (OK, it started at 8am, but that is just an uncivil time for Las Vegas). Before I do, let me give you a quick recap of my first night at Black Hat. I didn't get in until 10pm and got to my hotel about 11. Looked up a few security twits and saw that Mitchell Ashley, Martin McKeay, JJ and Ryan Russell were at the Cleopatra Barge at Caesars. I headed over there and met up. The night was on! We had a quick drink and then headed over to the club Pure, where Fortify was having a party. Somehow or another JJ, Ryan and I got to the VIP entrance and were headed in. Martin had to go upstairs and change out of his shorts. Mitchell, that Colorado country bumpkin, was not allowed in because he was wearing sandals. What to do? Leave Mitchell outside, or all of us not go in? I went back to my old club hopping days for the answer. I went in with JJ. Went to the bar, took off my shoes and gave them to JJ. While I stood there in socks, she brought the shoes out to Mitchell, who put them on and got in the club. Watching JJ sneak out the shoes and Mitchell walk in holding his sandals was pretty funny. But it worked. We got away from the Fortify party as it was way too crowded. We found ourselves in my favorite part of Pure, the Pussycat Doll Lounge. Five minutes later out came the Pussycats. They put on a very hot show that had us all dancing and shouting. After that we went to my usual late night spot at Black Hat, the Augustus cafe, for breakfast. We met up with the Mogul and Hoff, who joined us. By now it was like 2:30am Vegas time (5:30 east coast time) and it was time for bed. I am staying at Paris, so had a nice walk, but they did give me a LeMans suite which is very nice. I still get a little confused by rooms with bidets, but it is fun. Well, off to Black Hat for some learning! |
HD Moore’s Company BreakingPoint Suffers DNS Attack [Darknet - The Darkside] Posted: 06 Aug 2008 04:01 AM CDT *Aside - I’ll be away on holiday for 3 weeks from tonight so updates may be intermittent!* It’s somewhat ironic that shortly after the Kaminsky DNS bug went wild and almost immediately got ported into Metasploit that it was then used to attack HD Moore’s very own company BreakingPoint. It happened just a couple of days... Read the full post at darknet.org.uk |
UMG Piracy Trial [securosis.com] Posted: 06 Aug 2008 12:30 AM CDT The piracy trial is getting interesting. Vivendi SA’s Universal Music Group won a $222,000.00 verdict against defendant Jammie Thomas for making songs available via Kazaa. The problem is that no one downloaded the songs; they were only discovered by MediaSentry. The entire case hangs on what constitutes “making available”, and how it differs from distribution. The judge in the case actually stated he may have committed a “manifest error of law” by instructing the jury that making files available is the same as distribution. Oops. What happens if I leave a partition open on my computer accidentally, and that partition has music on it? Accidentally or otherwise, does this fall under Torts? I forget the exact statistic, but if memory serves, it is a matter of minutes on average before unprotected computers on the Internet are discovered and infected with viruses, so there is no reason to suspect that content could not be located just as quickly. If partitions were made available to a file sharing virus, are you making it available? Kazaa offers some facilities for locating content and makes it easier to discover shared content, which may be the only way to “demonstrate” intent to distribute, making it a fairly weak argument IMO. Many office and home computers are shared. And the security is poor. So whose music is it, and is there a willful act of distribution or just bad security? We already know that we can fool MediaSentry, either by masking content it is looking for, or by poisoning the content it collects with bogus information. Now all we need to render this totally useless is a Trojan variant of music sharing programs, both taking and delivering content. It might actually be good for the security industry at large, as Vivendi might put real pressure on the makers of AV to actually detect trojans and spyware, but I digress. Don’t get me wrong, I do think UMG’s intellectual property needs to be protected.
But this is a really tricky problem. There is no way to keep data confidential if the person who has access to it wants to make it public. There are simply too many ways, digital and analog, to leak this information (music). But my feeling is that public lawsuits designed to frighten the general public are not the most economically efficient way to accomplish this goal. Perhaps they have decided this is their best course of action, but I am left scratching my head as to why lowering the price and increasing availability is not their answer. -Adrian |
Yawn – Is It Over Yet? [Alert Logic] Posted: 05 Aug 2008 05:13 PM CDT |
VERT at Blackhat / Defcon [360 Security] Posted: 05 Aug 2008 05:04 PM CDT Just wanted to let everyone know that a few of us will be down at BlackHat / Defcon. We'll be attending talks and working the nCircle booth. Feel free to find us if you're interested in getting together for a drink or whatever. As for talks (as mentioning what you are attending seems to be popular)... You'll find us at the DNS talk, and that's about the only guaranteed one. If I can recommend one, check out Bruce Dang's talk; I saw a version of this at RECon and it really is an incredible presentation. Feel free to fire me an email today if you want to get together and I'll send you a cell number where you can call/text us. |
Clear Database Stolen [securosis.com] Posted: 05 Aug 2008 02:32 PM CDT Nice! The Clear database was on a laptop that was stolen at SFO. What a great database breach to shed light on this implied-security-related-but-really-not revenue opportunity known as Clear. I guess I am chuckling about this, but as I don’t know what is contained in that data set, I do not know how dangerous this leak is to the members who signed up for it. Since this really does not have much to do with security or official identity, is it really a crime if you create a fake version of this Clear card to cut to the front of the line? Is it any different than faking a “sandwich of the month” card? Will UAL jackboots drag me off for interrogation? I will probably find some cabbie in Orlando selling them for $20 next week. Too bad, as I am on my way to the airport for Black Hat now. If anyone out there is part of this program, would you be kind enough to share the letter you receive from Verified Identity Pass? I am curious to see what they have to say and how they respond to the issue. -Adrian Update 3:00pm: CBS has updated the article … seems the laptop was found. |
Security Briefing: August 5th [Liquidmatrix Security Digest] Posted: 05 Aug 2008 12:22 PM CDT OK, that was a much needed rest over the weekend. Been seriously out of sorts lately. Hoping to recharge at DefCon. Click here to subscribe to Liquidmatrix Security Digest! And now, the news…
Tags: News, Daily Links, Security Blog, Information Security, Security News |
Apple Releases iPhone 2.0.1 Software Update [Security-Protocols] Posted: 05 Aug 2008 12:18 PM CDT |
July Commenter of the Month Competition Winner! [Darknet - The Darkside] Posted: 05 Aug 2008 04:22 AM CDT Competition time again! As you know we started the Darknet Commenter of the Month Competition on June 1st 2007 and it’s been running since then! We have just finished the fourteenth month of the competition in July and are now in the fifteenth, starting a few days ago on August 1st - Sponsored by GFI. We’ve successfully... Read the full post at darknet.org.uk |
TASK Presentation - IPv6 Vulnerabilities [360 Security] Posted: 05 Aug 2008 01:37 AM CDT Last week, I did a lightning talk at TASK on some IPv6 vulnerabilities that I had come across (previously posted here). I was asked a couple of times if I would be making the slides available, and while I forgot to do it last week, here they are. I was also asked if I would be investigating the effects of this on Vista and Server 2K8; while that is on my agenda, it will have to wait until after BH/Defcon. My email address is at the end of the slides, so feel free to contact me to discuss them. |
Safe browsing - Websense says fuggetaboutit! [Last In - First Out] Posted: 04 Aug 2008 10:14 PM CDT It would sure be nice if an ordinary mortal could buy a computer, plug it in, and safely surf the web. Websense doesn't think so. I don't either. Apparently neither does CNN. According to Websense:
It's 2008. So now that we have the wonderful world of Web 2.0, Websense says: The danger is that users typically associate the content they are viewing with the URL in the address bar, not the actual content source. The URL is no longer an accurate representation of the source content from the Web page. (Emphasis is mine.) So even the wise old advice of simply making sure that you pay attention to your address bar is of limited value. Your address bar is really just the starting point for the adventure that your Web 2.0 browser will take you on without your knowledge or consent. Obviously it is true that some people, some of the time, can surf the web with a mass produced, default installed operating system and browser. But for the general case, for most users, that's apparently not true. One of my security mantras is 'if it can surf the web, it cannot be secured'. In my opinion, if your security model assumes that desktops and browsers are secure, your security model is broken. You still need to do everything you can to secure your desktops and browsers, but at the end of the day, after you've secured them as best as they can be, you still need to maintain a healthy distrust toward them. Of course, when security vendors report on the state of security, we need to put their data into the context of the increased revenue they see when everyone panics and buys their product. (via ZDNet) |