Saturday, August 9, 2008

Spliced feed for Security Bloggers Network


Black Hat wrap up - secure@microsoft, booth babes and bloggers [StillSecure, After All These Years]

Posted: 08 Aug 2008 11:42 PM CDT

You can read plenty of other blogs about some of the great presentations at Black Hat.  So I thought I would take another angle and talk about some of the other stuff that may be important to you.

1. secure@microsoft.com – This year's hottest party was again the Microsoft party. This year it was at the LAX club in the Luxor. As usual there were quite a number of people at the door who thought they could talk their way in or, worse yet, were told they "were on the list". I was happy to be able to go and saw many of the usual suspects there as well. I had to leave the party early to go catch my red-eye flight home, so went right to the airport from the party. As I wrote earlier, Microsoft is trying really hard on security. But I couldn't help but notice the irony of this grainy, lousy picture of the DJ booth at the party. If you can, notice the computers that the secure@microsoft.com DJs are using. That's right, they are Macs!

2. A new low for booth babes – What would a Shimel review of a trade show be without a booth babe rant? Hey, I recognize it is Vegas and all, but EdgeOS went way over the line this year. A booth babe dressed as a Las Vegas showgirl or some other type of costume makes a statement. I personally don't like exploiting women to make that statement, but I understand. However, these guys had women who were dressed so raunchy and classless that I could not bring myself to post a picture of them. Come on guys! If you want to resort to the booth babe thing (and BTW I think the Black Hat crowd does not respond to that), at least have a little class. These girls looked like street walkers and do you and your company no favors. Is that really the image you want to promote? Grow up!

3.  The Security Bloggers Network – We are back!  With the end of the Black Hat show, the SBN is going back to being thesecuritybloggers SBN.  The old logo is back and our promotion with Black Hat is at an end.  However, I want to personally thank so many of you SBN members who blogged about Black Hat.  The Black Hat marketing folks made it a point to come over to me and thank us for the overwhelming support and help of the community.  Our network delivered big time with them and they are already thinking about ways we can work together next year.  I will keep you all posted on that.

We have several new promotions we are working on with the SBN and will have more on that soon. Also, we learned some valuable lessons. Next time we will work with the network members more closely in doing these affiliations. Also, for any show like this we need to have an official bloggers' get-together. Not because we don't want to buy our own drinks (thanks to Chris Hoff for doing more than his share in picking up a big bar tab), but frankly we need to reserve a place that has enough space for us. Security bloggers are big time. We have a great community of people who get together. Let's make it better.

I have some other ideas around the SBN I am working on too and want to form a committee to help. If you are a member and want to get involved, please drop me a line or comment.

Anyway, another year of Black Hat is in the books. It was a good one and I can't wait until next year!

Pedal to the metal NAC [StillSecure, After All These Years]

Posted: 08 Aug 2008 04:01 PM CDT

OK, I am not really a big car racing fan. I don't know, Long Island was not a NASCAR hotbed. Of course the Indy 500 was always big news. In any event I have become much more of a race fan since Chip Ganassi Racing became a StillSecure customer. They are using a complete NAC solution that performs both pre- and post-connect testing. Racing today is not about some gearheads putting in spark plugs and changing tires. It is high-tech, and their information security needs, to protect their IP, are a high priority.

Rather than the usual case study, our VP of marketing Jayson Ayers actually tried something new.  A video case study is what we have done.  I think it is pretty cool and in the spirit of the YouTube generation, am embedding it here.  You can read more about this on our site here.


Did You Really Not Know DNS Problems Are Bad? [Articles by MIKE FRATTO]

Posted: 08 Aug 2008 03:54 PM CDT


Compensating Controls for Legit business cases [An Information Security Place]

Posted: 08 Aug 2008 11:17 AM CDT

Here’s one of those times (link NSFW) when doing something that seems contrary to good security practices because of a legitimate business need can cause you problems. This guy had an email account get hacked by someone, and the offender sent out a nasty email to everyone. But the email account was for a deceased employee who used to handle customer relations, and they needed to keep the address alive so emails could be forwarded to another employee. OK, first, that would constantly creep me out if I were getting email addressed to a dead person. But the real point is that sometimes legitimate business needs that go counter to good security practices can cause problems. It sucks, but that is the way it is.

However, if there is a legitimate business need that could potentially cause security headaches, it is up to the security staff to put in a compensating control.  According to the poster, there was a real business need to have this email account alive.  So if that is the case, why didn’t they just create an alternate email address for the currently living employee instead of keeping the email account alive?  Maybe their software wouldn’t allow it, but I doubt it.  In this case, there was no compensating control.

To me, it sounds like someone just did the easiest thing (though that can be argued, because they had to set up a forwarding address, which is really just as much labor as setting up an alternate email) instead of making this secure. It’s a lesson, though thankfully they didn’t cause any terrible harm (unless you are extremely offended by dirty pictures).

Vet

LDAP Headache [BumpInTheWire.com]

Posted: 07 Aug 2008 10:58 PM CDT

I actually developed a headache today from trying to get our Citrix NetScaler demo unit to talk to a domain controller via LDAP.  I tried everything this side of the sun trying to get it to talk to the DC.  Perseverance paid off.  About 15 minutes ago (@ 10:30 PM no less) I was able to claim victory over the NetScaler beast.  The weapon that slayed the beast?  A damn reboot!  Now that that is behind us we can get serious about evaluating this device.  This afternoon I was thinking that I had never worked on a more frustrating piece of equipment in my entire career.  I no longer feel that way but with a headache from chasing my tail all afternoon that was the way I felt.  Not letting the computer win is one of my mottos and this one almost got me!!

It's been an exhausting week and a huge night for change control. Have a great Friday and weekend!

Defcon Day -1 [Alert Logic]

Posted: 07 Aug 2008 09:10 PM CDT

You guessed it; Alert Logic is at Defcon again. Normally we do not blog about our trips, but I was feeling social and decided to share this year. We landed early today and spent some time hunting for the registration area. There were no signs or any useful information; thankfully we found a guy with [...]

BlackHat Post [An Information Security Place]

Posted: 07 Aug 2008 02:13 PM CDT

Blackhat, Defcon, security conference, hacking, DNS vulnerability, DNS exploit, virtualization security, etc.

There, I posted about BlackHat.

Vet

Headline from the Future [BumpInTheWire.com]

Posted: 06 Aug 2008 10:35 PM CDT

The DNS Veil Has Been Lifted [BumpInTheWire.com]

Posted: 06 Aug 2008 10:21 PM CDT

Today was the day. The veil was lifted on the DNS flaw, discovered months ago, at Black Hat. I came across this article at TG Daily that gave some of the specifics of the flaw without going into so much gory detail that your head explodes. At the very least it shed some light on the flaw for me.

If you head over to DoxPara Research, Dan Kaminsky’s (the Godfather of the DNS Flaw) personal blog, you’ll find a handy DNS checker to see if your DNS servers have been patched.  Probably not a bad idea to check your DNS servers against this tool.  While you’re there take a look around.  You’re almost guaranteed to learn something!

Last HOPE Session Videos - Seeded by AoIS [Art of Information Security]

Posted: 06 Aug 2008 09:57 PM CDT

To be honest, 2600’s The Last HOPE conference didn’t really catch my attention at first. But some of the sessions did, especially "Crippling Crypto: The Debian OpenSSL Debacle". That presentation, by Jacob Appelbaum, Dino Dai Zovi and Karsten Nohl, is a winner. Not only do they provide a fantastic and detailed description of how OpenSSL’s random number generator was accidentally lobotomized, they also demonstrate how to leverage cheap cloud computing to generate the set of bad keys that resulted. (All of them!)

At any rate, legit torrents of the video presentations are available from The Last HOPE Video Tracker. Art of Information Security is seeding torrents, and plans to do so for the next 10 days.

Check ‘em out.

Cheers, Erik


Security Breaches Are Still Happening [Alert Logic]

Posted: 06 Aug 2008 06:08 PM CDT

Anyone who combs the press for security breaches will quickly find out there isn't much going on. At least, nothing the press wants to write about. And who can blame them? Running the same old same old stories about how some company got compromised and customer data, social security numbers, shoe sizes, [...]

Yawn – Is It Over Yet? [Alert Logic]

Posted: 05 Aug 2008 05:13 PM CDT

If any one of you has read a paper or watched a newscast over the past couple of days, you probably heard about this little tropical storm we had heading our way to our hometown of Houston. Edouard, or so they call it. Now besides the fact that this was a real [...]

VERT at Blackhat / Defcon [360 Security]

Posted: 05 Aug 2008 05:04 PM CDT

Just wanted to let everyone know that a few of us will be down at BlackHat / Defcon. We'll be attending talks and working the nCircle booth. Feel free to find us if you're interested in getting together for a drink or whatever.

As for talks (as mentioning what you are attending seems to be popular)... You'll find us at the DNS talk, and that's about the only guaranteed one. If I can recommend one, check out Bruce Dang's talk, I saw a version of this at RECon and it really is an incredible presentation.

Feel free to fire me an email today if you want to get together and I'll send you a cell number where you can call/text us.

Smackdown on data criminals [Data-Centric Protection and Management]

Posted: 05 Aug 2008 04:05 PM CDT

The long arm of the law finally flexed in a major indictment of criminals who were charged with hacking and stealing credit cards from major retailers.

Eleven folks were charged with crimes ranging from conspiracy and computer intrusion to fraud and identity theft.

Interesting nuggets from the report:

  • They hacked nine major U.S. retailers, stole and sold more than 40 million credit and debit card numbers...
  • Apparently this is the single largest and most complex identity theft case ever charged in this country

"While technology has made our lives much easier it has also created new vulnerabilities. This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results. Consumers, companies and governments from around the world must further develop ways to protect our sensitive personal and business information and detect those, whether here or abroad, that conspire to exploit technology for criminal gain," said U.S. Attorney Michael J. Sullivan.

I agree with the US Attorney - we need better ways to prevent such hacking. But one point is clear again in this case - those who hack work for increasingly sophisticated criminal enterprises and will deploy significant resources to steal as long as the returns are worth it.

Clear program lost a laptop [An Information Security Place]

Posted: 05 Aug 2008 01:36 PM CDT

I just posted over at my CW blog about the lost laptop from the company running the Clear program.  Whiskey Tango Foxtrot, over?

When you read, take a look at the quotes I found from their website.  Friggin’ classic.

Vet

Privacy Dilemma: How to Protect Yourself Online [Dragos Lungu Dot Com | Security Tools And Tips]

Posted: 05 Aug 2008 01:14 PM CDT

Note: This is a guest post by a fellow blogger.

The proliferation of the internet has knocked down barriers around the world. Someone in New York City can do business with someone in Tokyo through the internet without ever seeing their face or hearing their voice. With all the possibilities available on the web, there are also dangers lurking out there. It’s important that you protect yourself when you’re doing anything on the internet.

There are people out there who steal other people’s identities through internet fraud. While we’re not trying to scare you with these thoughts, it’s important that you take the proper steps to protect yourself. Here are a few tips for you to consider when you’re surfing the net:

  1. Be careful with attachments. Under no circumstances should you open an attachment from an unknown sender. Viruses can be hidden in attachments, and when you open them up the virus will infect your computer. Even when opening attachments from people you do know, it’s wise to run them through anti-virus software before opening them up.
  2. Protect your passwords. It’s important that you vary your passwords for your various online accounts. Unsavory characters prey on people that use standard passwords. It’s imperative that you keep these passwords secret, and it’s also a good idea to change them to something new periodically.
  3. Install anti-virus software on your computer. Viruses pop up every day and can basically ruin your computer. It’s vital that you stay on top of your anti-virus software. Make sure you run all the updates that are offered at least once a week to protect your system.
  4. Set up a firewall on your computer. A firewall restricts access to your system and is important if you have a cable modem or use DSL to get online. Installing a firewall on your computer will prevent anyone unauthorized from gaining access to your computer.
  5. Log off when you’re not going to be using the computer. Your system is most vulnerable when you’re connected to the internet, so make sure you log off when you’re not going to be using your system.
  6. Make sure you have plenty of backups. Make copies of your work so if your system fails you have the backups. This is something you should do at least once a week. Do this at work and at home to make sure you are covered in the event that your computer is stolen or corrupted.

This article is contributed by Heather Johnson, who regularly writes on Comcast deals. She invites your questions and writing job opportunities at her personal email address: heatherjohnson2323 at gmail dot com.

Defcon TCP/IP Drinking Game [NP-Incomplete]

Posted: 05 Aug 2008 12:50 PM CDT

I will be hosting the Defcon TCP/IP Drinking Game again this year. Drop by Friday night to see your favorite information security experts make fools of themselves.

Vegas [NP-Incomplete]

Posted: 05 Aug 2008 12:45 PM CDT

I will be in Las Vegas for the Blackhat and Defcon conferences this week. I hope to see you all there!

An Information Security Place Podcast - Episode 2 [An Information Security Place]

Posted: 05 Aug 2008 07:30 AM CDT

Here’s the second installment of the podcast.  Joining me is my cohort and cohost, Jim Broome.  Some of you may know Jim from his blog.  Jim is definitely one of the more technical bloggers out there, serving up all kinds of geek toy and hacking fun.  I hope to keep Jim around a long time since he has a whole lot of experience in the security field, and he is in no way shy to talk about it. :)  Also, Jim is doing most (if not all) of the mixing and production work on the podcast since he has a lot of cool toys and has experience in the broadcast industry.  So thanks Jim!

Some show notes:

  • Talk about the goals for the show
  • News talk - all about BlackHat / Defcon (and how I am not going to be there - sheesh)
    • Accuvant’s party
    • Various and sundry talks that interest us
  • Geek toys - ASUS EEEPC 1000H
  • Consultant’s Corner - Rent the SUV… it’s cheaper!

Stick with us as we get all the bugs worked out.  I hope to bring some new perspectives and liveliness to security podcasting.

Vet

TASK Presentation - IPv6 Vulnerabilities [360 Security]

Posted: 05 Aug 2008 01:37 AM CDT

Last week, I did a lightning talk at TASK on some IPv6 vulnerabilities that I had come across (previously posted here). I was asked a couple of times if I would be making the slides available, and while I forgot to do it last week, here they are.

I was also asked if I would be investigating the effects of this on Vista and Server 2K8; while that is on my agenda, it will have to wait until after BH/Defcon.

My email address is at the end of the slides, so feel free to contact me to discuss them.

Database Security for Middle Market Companies [The IT Security Guy]

Posted: 04 Aug 2008 10:21 PM CDT

My article on database and data store security for middle market companies came out today on TechTarget's SearchCIO-Midmarket web site.

I discussed access controls, monitoring, insider access and security architecture of data stores.

Why Bother? [BumpInTheWire.com]

Posted: 04 Aug 2008 09:41 PM CDT

This Computerworld article about the Countrywide breach struck a chord with me. “Breach” isn’t really the correct word. This was data stolen from the inside, from a computer that was not secured like the rest of the computers. Whether or not it was left unsecured intentionally is irrelevant. Why? Because every security policy that gets put in place has holes punched in it before it goes into effect. There is always the “list” of people that the policy does not apply to. So what is the point? Those whom the security policy affects can usually look around the office and have a good idea who the policy doesn’t affect. If I had a dollar for every time I’ve heard “so and so can do this so I had them try it for me” I’d have at least $30 in my pocket. I’ve been in environments in the past where we would punch these holes for the CIO…the person that is supposed to be enforcing these policies! Sometimes it’s an uphill battle.

An Interesting Afternoon [BumpInTheWire.com]

Posted: 04 Aug 2008 09:07 PM CDT

A quick thank you to everyone for their kind words after my dog died.  Those are always appreciated and don’t you worry…I’ll be just fine!

This afternoon I had a photoshoot for a trade periodical. I prefer the word periodical to magazine as it makes me seem older and it drives my wife crazy. I also wear trousers and watch “programs on the picture box.” We made the most out of the photoshoot because sometimes those deals can make you feel like you’re getting your senior pictures taken, only you’re not in high school. With El Sidekick kicking out hot tracks, Stefan Hester really got me “working” the camera. In fact, during one of the songs I started to unbutton my shirt. I kid!! Anyway, it was my second shoot in the last couple of weeks, so you might get to see my face in print in the upcoming weeks. Now I get to joke about how BITW is going to take me out of this small town someday. But like most Midwesterners with a big dream I’ll probably end up in the Valley shooting pron.
