Spliced feed for Security Bloggers Network
Visa deploys EV SSL [Tim Callan's SSL Blog] Posted: 12 Aug 2008 07:26 AM CDT Sorry for the gap in blogging. We got a blogging software upgrade and it's been two solid weeks of technical problems. I've been traveling a lot, and in the few moments I did have to blog the console was unavailable.
The Daily Incite - August 12, 2008 [Security Incite Rants] Posted: 12 Aug 2008 06:52 AM CDT August 12, 2008 - Volume 3, #68 Good Morning:
Top Security News What kind of parachute fits on a pwnie?
Top Blog Postings Too much GRC? It's more about tactical vs. strategic
Posted: 11 Aug 2008 11:20 PM CDT We’ve got a big week ahead of us. We are doing a disaster recovery test on Friday along with the installation of our new Nevis hardware on Thursday. The hardware we will be installing is a LANenforcer 2024 at each location for redundancy and two LANenforcer 1048 Secure Switches. Wednesday night we will be updating our LANSight Security Management Appliance to the latest code. This is a necessary first step in order to manage the two new LE 2024s, which will have newer code on them than the two appliances we currently have in production. Throw that on top of the DR test and this week should be quite an adventure.
Posted: 11 Aug 2008 07:03 PM CDT Defcon was awesome. I got to meet a whole lot of people who I wanted to say hello to, a whole bunch of people who I had never heard of but enjoyed hanging out with, and I was unable to hook up with some persons who I had really wanted to see. Oh well, there is always next year! I'm not going into much detail; if you were there you know what it was like and if you weren't, I don't think I would be able to convey the Con as a whole. This picture captures it fairly well though ;)
Boiling the DNS puddle [Security Incite Rants] Posted: 11 Aug 2008 04:46 PM CDT I'm still rather haunted by Dan Kaminsky's DNS presentation from last week's Black Hat conference. As I mentioned in my Day 1 wrap-up, you forget how pretty much everything you do is dependent on having trustworthy DNS. Dan showed that DNS is anything but trustworthy. Photo credit: "lake (or puddle?) of free boiling mud" originally uploaded by magtravels
The Network Security Podcast Pwns Black Hat And DefCon! [securosis.com] Posted: 11 Aug 2008 03:52 PM CDT No, we didn’t hack any networks or laptops, but we absolutely dominated when it comes to podcast coverage. This was our second series of microcasts since RSA, and we really like the format. Short, to the point interviews, posted nearly as fast as we can record them. We have 9 (yes 9) microcasts up so far, with about 2-3 more to go. A few people also promised us phone interviews which we plan on finishing as soon as possible. Here’s the list:
Don’t worry, there’s more coming. Stay tuned to netsecpodcast.com for an interview with the slightly-not-sober panel I was on (Hoff, David Mortman, Rsnake, Dave Maynor, and Larry Pesce) and some other surprises. -Rich
A Flaw in NoScript Firefox Plugin!!! [An Information Security Place] Posted: 11 Aug 2008 02:31 PM CDT There’s not really a flaw (that I know of), so sorry for the theatrics. Just thought that would be a good draw. But really, there is a human problem from which NoScript cannot protect you. What if you have set up a website as trusted through NoScript, then that site gets compromised? If there is malware in the compromised site, it is possible that your trusted relationship will allow that code to run and infect you. Yes, there are extra protections built into NoScript to protect against even trusted sites (see screenshots below), but this is still a problem if you have a site in the whitelist and it gets compromised. This seems obvious now that I see it, but I never thought about it until Alan’s blog got compromised. My advice would be to whitelist as little as possible and to use the temporary allow feature for everything that doesn’t cause you severe headaches. NoScript Advanced options: Vet
Timing is everything [Branden Williams' Security Convergence Blog] Posted: 11 Aug 2008 12:42 PM CDT So you all know (well, the three of you that read this... Hi Mom!) that I am headed to Australia this week. I was doing my traditional pre-flight checklists to make sure that I had everything I needed before I started packing. Power converter? Check. Power supplies for devices? Check. Remove things that just add weight that you won't need? Check. Log into my credit card account to make sure we're good? DOH! My card has been compromised AGAIN! The DAY BEFORE I am headed to Oz. The new one is on its way (overnight now) but good gracious, talk about skidding across the finish line. Upside down. On fire. In eighteenth place. The only piece that annoys me is the inconvenience. Irrespective of their internal beliefs, companies that come into contact with consumer data should still do whatever they can to protect it, even if consumers are relatively insulated from its effects (such as with credit card theft).
What a difference a word makes. [NP-Incomplete] Posted: 11 Aug 2008 12:29 PM CDT I enjoy talking with reporters, and I do so quite frequently. It is part of my responsibilities at Cloudmark. Thankfully, most of the guys I talk to on a regular basis are extremely responsible, detail oriented, and diligent about the facts; a single omitted word can radically alter the meaning of a phrase. Chris Hoff, a very well seasoned speaker and media contact, is now experiencing the repercussions of such an error. By dropping the word "security" from the phrase "Virtualizing security will not save you money, it will cost you more.", a reporter changed Hoff's statement from a negative statement about the security to a negative statement about his employer. As you can imagine, this has caused a massive headache for Hoff and his employer. The only way to fix any misquote in the current media climate is to generate corrective content early and often, as I am doing with this post.
What to Buy, Part Two [securosis.com] Posted: 11 Aug 2008 10:03 AM CDT So we took the plunge at the Lane household and bought an iMac. That is the good news. The bad news: it was my wife, and not me, who made the purchase. My wife’s laptop performed the 25 month post-warranty belly flop while I was at DefCon. A few flickers on the monitor and nothing. A very cold no-boot followed. So off we went to Fry’s today and after an hour browsing she wandered by the Macs. She was looking at the iMac and asked, “Where is the box? Doesn’t this thing have a disk drive?”, to which I replied “The disk and processor are built into the monitor housing, so there is no box”. Her eyes opened a little wider and she stared for another minute or two. That was all it took, and she jumped in with both feet. I warned her there would be a learning curve with the new OS and software, but she was not deterred. I made the statement more for my benefit than for hers, as she is a type ‘A’ personality with a bullet, so patience is not usually a word used in her vicinity. However there is one consolation prize in this effort, as the phrase “I don’t know” is the correct answer. Let me explain what I mean by that. As many of you may have experienced, when you are the Computer Guy in the house, it is expected that for anything that goes wrong with anything that has electricity, YOU will fix it. You know what is wrong with any piece of hardware or software and exactly how to fix it instantly. Otherwise you get the “You call yourself a CTO?” jokes. Not only that, when you’re married, friends and family get to ask for IT tech support as well. This is one of my major annoyances in life. But when you know next to nothing about a Mac, the stream of questions directed at me always results in “I don’t know, why don’t you look it up?” This brings a wonderful, liberating sense of freedom from responsibility.
“Why is Safari doing that?” “How do I ______?” and my personal favorite, “I am taking this &;@%”@%/ of *&@(;( back to the store if this does not, oh, wait, now it works.” And I have been smiling at the fact it is not my problem all day long. She has let me use the machine for a bit. All in all this is a seriously nice, well engineered and very cool looking piece of hardware. While the approach is different, everything is conceptually easy once you get used to the difference in perspective. She really likes it and I am very much looking forward to buying a MacBook for myself. In the meantime, I am going to fly off to California for the next couple of days until the swearing stops. -Adrian
Don’t Go There!!!! [BumpInTheWire.com] Posted: 11 Aug 2008 08:30 AM CDT
Surf Jack - HTTPS will not save you [SIPVicious] Posted: 11 Aug 2008 06:13 AM CDT Alert: this is not a VoIP security post. Just a repost from EnableSecurity. I just released a new paper and tool on the subject of web application security. Check out the blog post (which includes the bonus video everyone loves), and the proof of concept tool itself. And if you did not do it already, please subscribe to my other site, EnableSecurity's RSS feed.
Surf Jack - HTTPS will not save you [EnableSecurity] Posted: 11 Aug 2008 02:37 AM CDT Say hello to a new security tool called “Surf Jack” which demonstrates a security flaw found in many public sites. The proof of concept tool allows testers to steal session cookies on HTTP and HTTPS sites that do not set the Cookie secure flag. I’ve been working with two banks and some of the vulnerable sites to get this fixed before publishing my research. Mike Perry gave a talk at Defcon involving the exact same vulnerability - so there is no point in keeping this from the public. You can download the tool from here and a paper with more details on the subject. The following is a video demonstration of how this affects Gmail and how to prevent this from affecting you.
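The weakness the Surf Jack post describes is a session cookie issued without the Secure flag, which a browser will then attach to any plain http:// request for the same host. The following is an added example, not the Surf Jack tool or the EnableSecurity paper: it parses Set-Cookie headers, applies the browser's scheme/host/path matching rules, and reports which cookies would travel in clear text. The host name and cookie names are constructed for the example.

```python
"""Audit Set-Cookie headers for the missing Secure flag (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str = "/"
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header: str, host: str) -> Cookie:
    """Parse one Set-Cookie header value using RFC 6265 attribute syntax."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(), domain=host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "domain" and val:
            cookie.domain = val.strip().lstrip(".").lower()
        elif key == "path" and val:
            cookie.path = val.strip()
    return cookie


def cookies_for_request(jar: list[Cookie], url: str) -> list[Cookie]:
    """Return the cookies a browser would send with a request to url.

    A cookie without Secure is sent over http:// as well as https://, which is
    what a Surf Jack style sniffer on the network path waits for.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    sent = []
    for c in jar:
        host_match = host == c.domain or host.endswith("." + c.domain)
        path_match = path == c.path or path.startswith(c.path.rstrip("/") + "/")
        if not host_match or not path_match:
            continue
        if c.secure and parts.scheme != "https":
            continue  # Secure cookies never leave on a cleartext request
        sent.append(c)
    return sent


def audit(headers: list[str], host: str) -> dict[str, list[str]]:
    """Group cookie names by finding for a login response from host."""
    jar = [parse_set_cookie(h, host) for h in headers]
    leaked = cookies_for_request(jar, f"http://{host}/")
    return {
        "sent_over_http": [c.name for c in leaked],
        "missing_httponly": [c.name for c in jar if not c.httponly],
        "secure_only": [c.name for c in jar if c.secure],
    }


# Constructed sample: headers from a hypothetical HTTPS login response.
SAMPLE_HOST = "mail.example.test"
SAMPLE_SET_COOKIE = [
    "SID=abc123; Path=/; HttpOnly",                    # vulnerable: no Secure
    "LSID=def456; Path=/accounts; Secure; HttpOnly",   # protected
    "PREF=lang=en; Domain=.example.test; Path=/",      # low value, still leaked
]

if __name__ == "__main__":
    for finding, names in audit(SAMPLE_SET_COOKIE, SAMPLE_HOST).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

The fix on the server side is simply to add `Secure` (and `HttpOnly`) to every cookie that carries a session.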
New SIPVicious release 0.2.4 [SIPVicious] Posted: 10 Aug 2008 11:41 AM CDT Just updated the release of SIPVicious to 0.2.4 to include a couple of bug fixes in svwar and a new feature. The new "--template" parameter allows you to make use of format strings to create more flexible ranges. Some examples include scanning prefixes or suffixes... which apparently can be quite useful with certain environments ;-) Many thanks to Teodor Georgiev for his patience and help in making SIPVicious more robust and reliable! Here's a link to the full Changelog. Grab the tarball or the zip file. To upgrade to the svn version simply run "svn update" as usual - enjoy
Booting OSWA on Eee PC with SD flash [Errata Security] Posted: 09 Aug 2008 07:53 PM CDT These are some notes for making a bootable SD flash card for my Eee PC from the "OSWA Assistant" bootable CD. A bootable or "live" CD is a popular way of distributing hacking tools. You just put the CD into any computer and boot from it (instead of your normal hard disk). You get a Linux desktop and pointers to a list of common programs. The most famous of these is probably the "Backtrack" CD. Another one for wireless auditing is "OSWA Assistant". I've never used it before, but they were handing out CDs at BlackHat 2008 Vegas. The computer I want to use for this is the "Asus Eee 2G Surf", a $299 disposable laptop. Everybody should probably have a handful of these around to play with. The problem with the Eee PC is that it doesn't have a CD-ROM drive, so I can't boot the OSWA CD. However, it does have three USB ports and one SD flash port. The SD port is especially nice for booting. You can get 2-gig SD flash cards for $7; they are hella cheap. To make a bootable SD card from the CD, I went through the following steps.
Step 1: I copied all the files to the SD card. I first put the SD flash card into my Windows PC, which became the "D:" drive. I downloaded the latest oswa-assistant.iso image from the OSWA website, opened it in WinRAR on my Windows PC, and extracted all the files to the "D:" drive. You can use pretty much any tool for extracting the files, I just happened to have WinRAR handy. I didn't even know that WinRAR could extract files from ISOs - I just assumed that is the sort of thing that WinRAR ought to be able to do.
Step 2: I needed to make the flash bootable. Most bootable CDs use a tool called "isolinux" to go through the boot process. There is a sibling tool called "syslinux" for making bootable Linux flash devices, such as USB flash or SD flash. I downloaded the syslinux archive and extracted it to "C:\syslinux". I opened a command prompt, went to "C:\syslinux\win32" and ran "syslinux.exe -ma D:" to make the SD card bootable.
Step 3: I had to change the "isolinux" configuration to a "syslinux" one. I renamed the "D:\boot\isolinux" directory to a "D:\boot\syslinux" directory instead. I also had to rename the "isolinux.cfg" file in that directory to "syslinux.cfg".
Step 4: I had to configure the Eee PC to boot from SD, otherwise it will boot from its own hard disk. When the system boots, I hit "F2" to go into the BIOS configuration, and change the boot order so that Removable Devices are at the top of the list. At this point, the system boots. However, there are several problems. First, it complains "You passed an undefined mode number.", which refers to the fact that it doesn't understand something about the text mode screen. Simply hit When it reaches "Starting udev hot-plug hardware detection...", it will hang for a while with the message "Starting udev hot-plug hardware detection… udevd-event[2706]: run_program: '/sbin/modprobe' abnormal exit". Don't worry, it will continue on with the boot process after about 5 minutes. It's a bit annoying though. I wish I knew what was failing.
Step 5: There was one fatal error. X Windows hangs looking for an AGP card. The In order to fix this, I had to edit the "D:\boot\syslinux\syslinux.cfg" file and put "noagp" on the second line:
APPEND ramdisk_size=100000 init=/etc/init lang=us apm=power-off vga=791 initrd=minirt.gz nomce loglevel=0 quiet BOOT_IMAGE=oswa noagp
Step 6: Profit!
Reporters "hacking" at BlackHat [Errata Security] Posted: 09 Aug 2008 03:44 PM CDT I was there when this happened: "Reporters At Black Hat Get Bounced For Hacking" (Slashdot). The problem is the yin-and-yang of cybersecurity. On one hand, security is serious business. When you cross a line, people with guns show up at your door. On the other hand, learning about security is often playful and fun. The "Wall of Sheep" rides the controversial grey area between the two. They sniff passwords from the conference network and display them (or at least, the first three letters) on a screen. It's a playful way of reminding people about the chronic problem that they are sending their passwords unencrypted on the network. Whereas the primary BlackHat network advertised the fact that it was being monitored, different rules applied to the press network. A member of the French press didn't understand the difference between the two, pulled passwords from the press network, and attempted to submit them to the Wall of Sheep. There was no malicious intent here. The guy didn't understand the difference between the two networks. His intent was to join the playful education game, not to hack into somebody's account. I would suggest that CMP Media's response was a bit harsh. A private rebuke would be appropriate, but a public fuss goes too far. BlackHat is constantly mired in controversy between "education" and the often shady side of where that education comes from (vulnerability disclosure, revealing of trade secrets, etc.). I would prefer to see them err on the side of education, rather than erring on the side of "being serious about security".
FedEx Tracking number trojan [mxlab - all about anti virus and anti spam] Posted: 09 Aug 2008 11:48 AM CDT MX Lab has intercepted a few messages with the subject “[NO-REPLY] FedEx Tracking Number 26901603” with an attached trojan. After the UPS Tracking trojan campaign it’s now time to use FedEx. The content of the email has the same characteristics as the UPS trojan:
The email has attached the zip archive named FedEx_Invoice.zip with the executable FedEx_Invoice_N882874421.exe. The “tracking number” in the subject and file can change of course. Virus Total results and MD5: da90a0c3000eb90ebc9394e5568c5c9a. 7 of the 36 anti virus engines detect the trojan, so be careful when you receive the message.
links for 2008-08-09 [delicious.com] [Andrew Hay] Posted: 09 Aug 2008 08:00 AM CDT
Ubuntu: The Zealots are Coming [untangling the future...] Posted: 08 Aug 2008 02:25 PM CDT Canonical recently invited me to give a talk in their booth at LinuxWorld 2008. I agreed and sent them one of my standard talks “in PDF format” as requested, but told them I’d have to give the talk on my laptop as it includes a live demonstration of some of our software. They were fine with all this, but when I showed up at their booth to do the talk I got a different story. I find this incident to be very troubling. Firstly, the rudeness and temper displayed have no place at LinuxWorld, especially from Canonical paid staff. Secondly, Ubuntu has remained more religion-free than any linux distribution to date, but the zealots may be endangering that. Ubuntu has managed to skate above most of the religion and licensing wars that typically envelop a linux distribution. That's not to say that religion and licenses aren’t important and worth fighting for, but Ubuntu benefited from being more aligned to a typical user. Developers care passionately about licensing, but users don’t even know how the stuff underneath is licensed and just want it to work. So while Debian GNU/Linux has “IceWeasel,” Ubuntu still has “FireFox.” Ubuntu also has proprietary drivers which make certain hardware function correctly. Many decisions were made that went against the ideals of free software but ultimately were compromises that benefit normal “human beings.” Ubuntu’s community has also remained fairly zealotry free. Many open source communities will spank new users for not asking questions in the proper geek etiquette. While this has its place, it is not conducive to drawing in new members who don’t know the proper geek etiquette of asking for help online. The compromising aspects of Canonical and Ubuntu have been one of its strong points, but if Canonical continues to hire on more zealots it may endanger many of the elements which gave it success.
An uncompromising strategy will also make commercial partnerships difficult for Canonical, as zealots don’t typically like companies nor their commercial licenses. Furthermore, it makes me wonder if the Microsoft led software world is really so bad. Would Canonical be even more strong handed if given the chance? The irony is that I do run my laptop on Ubuntu, but that I still use Windows when it's the best tool for the job (games, Photoshop, Excel, PowerPoint, etc). Some of the Canonical higher-ups came by and apologized for our treatment, which gave me hope. I hope this incident is not a reflection of their future direction and culture, but actions can speak louder than words at times.
Compensating Controls for Legit business cases [An Information Security Place] Posted: 08 Aug 2008 11:17 AM CDT Here’s one of those times (link NSFW) when doing something that seems contrary to good security practices because of a legitimate business need can cause you problems. This guy had an email account get hacked by someone, and the offender sent out a nasty email to everyone. But the email account was for a deceased employee who used to handle customer relations, and they needed to keep the address alive so emails could be forwarded to another employee. OK, first, that would constantly creep me out if I was getting email addressed to a dead person. But the real point is that sometimes legitimate business needs that go counter to good security practices can cause problems. It sucks, but that is the way it is. However, if there is a legitimate business need that could potentially cause security headaches, it is up to the security staff to put in a compensating control. According to the poster, there was a real business need to have this email account alive. So if that is the case, why didn’t they just create an alternate email address for the currently living employee instead of keeping the email account alive? Maybe their software wouldn’t allow it, but I doubt it. In this case, there was no compensating control. To me, it sounds like someone just did the easiest thing (though that can be argued because they had to set up a forwarding address, which is really just as much labor as setting up an alternate email) instead of making this secure. It’s a lesson, though thankfully they didn’t cause any terrible harm (unless you are extremely offended by dirty pictures). Vet
CNN Alerts: My Custom Alert malware [mxlab - all about anti virus and anti spam] Posted: 08 Aug 2008 06:49 AM CDT After a very long outbreak based on the CNN Daily Top 10 it’s now time for something different: CNN Alerts: My Custom Alert. This new version brings more of the CNN malware outbreak in a changed layout but with the same tactics. Again, the email itself is very nicely CNN branded but contains a link that leads you directly to the malware. The sender's address is spoofed and is not coming from cnn.com, but this is not guaranteed for the future. The link behind Full Story - so don’t click on this one - brings you to a, in this case, Russian web site where you need to download the proper Flash player to view the video. When you accept, the malware file adobe_flash.exe is downloaded. The trojan has the same specs as the CNN Daily Top 10: Trojan-Downloader.Agent.EL. This trojan will create a new process on an infected machine: %System%\cbevtsvc.exe and creates a new service CbEvtSvc in the system. Quite some registry modifications are being made as well as a direct IP address connection to a remote host on TCP/IP port 443.
LDAP Headache [BumpInTheWire.com] Posted: 07 Aug 2008 10:58 PM CDT I actually developed a headache today from trying to get our Citrix NetScaler demo unit to talk to a domain controller via LDAP. I tried everything this side of the sun trying to get it to talk to the DC. Perseverance paid off. About 15 minutes ago (@ 10:30 PM no less) I was able to claim victory over the NetScaler beast. The weapon that slayed the beast? A damn reboot! Now that that is behind us we can get serious about evaluating this device. This afternoon I was thinking that I had never worked on a more frustrating piece of equipment in my entire career. I no longer feel that way, but with a headache from chasing my tail all afternoon that was the way I felt. Not letting the computer win is one of my mottos and this one almost got me!! It's been an exhausting week and a huge night for change control. Have a great Friday and weekend!
Black Hat 2008 Day 2: Web 2.0 mayhem [Security Incite Rants] Posted: 07 Aug 2008 08:14 PM CDT As you are reading this, my flight back to ATL should be climbing up through 10,000 feet on my way back home. Another year, another Black Hat, another set of things that are sure to kill us somewhere down the line, another few parties, and another frantic ride back to the airport. Day 2 was a bit more sedate than Day 1, though that may have more to do with my hangover (that I finally chased away about 3 PM). I also skipped the keynote, though I heard it was pretty good. Here's a brief rundown of the sessions I did today.
And that's all she wrote. Back to a regular publishing schedule next week. Enjoy your weekend.
Black Hat: The Risks Of Trusting Content [securosis.com] Posted: 07 Aug 2008 06:03 PM CDT I’m sitting in the Extreme Client-side exploitation talk here at Black Hat and it’s highlighting a major website design risk that takes on even more significance in mashups and other web 2.0-style content. Nate McFeters (of ZDNet fame), Rob Carter, and John Heasman are slicing through the same origin policy and other browser protections in some interesting ways. At the top of the list is the GIFAR- a combination of an image file and a Java applet. Image files include their header information (the part that helps your system know how to render it) at the start, and JAR files (Java applets) include their header information at the bottom. This means that when the file is loaded, it will look like an image (because it is), but as it’s rendered at the end it will run as an applet. Thus you think you’re looking at a pretty picture, since you are, but you’re also running an application. So how does this work for an attack? If I build a GIFAR and upload it to a site that hosts photos, like Picasa, when that GIFAR loads and the application part starts running it can execute actions in the context of Picasa. That applet then gains access to any of your credentials or other behaviors that run on that site. Heck, forget photo sites, how about anything that lets you upload your picture as part of your profile? Then you can post in a forum and anyone reading it will run that applet (I made that one up, it wasn’t part of the presentation, but I think it should work). This doesn’t just affect GIF files- all sorts of images and other content can be manipulated in this way. This highlights a cardinal risk of accepting user content- it’s like a box of chocolates; you never know what you’re gonna get. You are now serving content to your users that could abuse them, making you not only responsible, but which could directly break your security model.
Things may execute in the context of your site, enabling cross site request forgery or other trust boundary violations. How do you manage this? According to Nate you can always choose to build in your own domain boundaries- serve content from one domain, and keep the sensitive user account information in another. Objects can still be embedded, but they won’t run in a context that allows them to access other site credentials. Definitely a tough design issue. I also think that, in the long term, some of the browser session virtualization and ADMP concepts we’ve previously discussed here are a good mitigation. -Rich
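A JAR is a ZIP archive, and ZIP readers locate the archive from its end-of-central-directory record, which is why a valid GIF with a JAR appended still parses as both. The following added example (not code from the talk or from securosis.com) shows an upload-time check for that polyglot shape: it flags a file that starts with an image signature but also carries a consistent ZIP central directory, and it builds its own constructed GIFAR sample with an empty placeholder entry rather than real bytecode. It also generalizes beyond GIF to PNG and JPEG prefixes, since the post notes the trick is not GIF-specific.

```python
"""Detect image/ZIP polyglots such as a GIFAR in uploaded files (added example)."""
from __future__ import annotations

import io
import struct
import zipfile

IMAGE_MAGICS = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record signature
CDFH_SIG = b"PK\x01\x02"   # central-directory file header signature
EOCD_MIN = 22              # fixed-size part of the EOCD record


def image_type(data: bytes) -> str | None:
    """Image format by leading signature only (what a naive upload filter checks)."""
    for magic, kind in IMAGE_MAGICS.items():
        if data.startswith(magic):
            return kind
    return None


def find_eocd(data: bytes) -> int | None:
    """Offset of a trailing EOCD record, allowing for a ZIP comment of up to 64 KiB."""
    tail = data[-(EOCD_MIN + 0xFFFF):]
    pos = tail.rfind(EOCD_SIG)
    if pos < 0:
        return None
    return len(data) - len(tail) + pos


def is_image_zip_polyglot(data: bytes) -> bool:
    """True when the bytes look like an image *and* contain a parsable ZIP."""
    if image_type(data) is None:
        return False
    eocd = find_eocd(data)
    if eocd is None:
        return False
    # Central-directory size/offset in the EOCD are relative to the archive
    # start, which for a GIFAR lies after the image bytes, not at byte 0.
    # The directory must therefore end exactly where the EOCD begins.
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    if cd_size + cd_offset > eocd:
        return False
    cd_start = eocd - cd_size
    return data[cd_start:cd_start + 4] == CDFH_SIG


def zip_member_names(data: bytes) -> list[str]:
    """What a JAR/ZIP reader sees in the same bytes (the image prefix is ignored)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


# Constructed sample: a minimal 1x1 GIF89a image.
GIF_1X1 = (
    b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"   # header + logical screen
    + b"\x00\x00\x00\xff\xff\xff"                 # two-colour palette
    + b",\x00\x00\x00\x00\x01\x00\x01\x00\x00"    # image descriptor
    + b"\x02\x02\x44\x01\x00"                     # LZW image data
    + b";"                                        # trailer
)


def build_sample_zip(member: str = "Applet.class") -> bytes:
    """Constructed ZIP with one empty placeholder entry (not real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"")
    return buf.getvalue()


def build_sample_gifar() -> bytes:
    """Constructed GIFAR: the GIF bytes followed by the ZIP bytes."""
    return GIF_1X1 + build_sample_zip()


if __name__ == "__main__":
    sample = build_sample_gifar()
    print("image type:", image_type(sample))
    print("zip members:", zip_member_names(sample))
    print("polyglot:", is_image_zip_polyglot(sample))
```

Rejecting such uploads is a stopgap; as the post says, the durable fix is serving user content from a domain that holds no credentials.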
BlackHat Post [An Information Security Place] Posted: 07 Aug 2008 02:13 PM CDT
Insurers Mining Consumer Data [securosis.com] Posted: 07 Aug 2008 12:30 PM CDT I saw this article in the Arizona Republic Monday about how the insurance companies are able to save money by gathering health care records electronically, make more accurate analyses of patients (also saving money) and be able to adjust premiums (i.e., make more money) based upon your poor health or various other things. You know, like ‘pre-existing’ conditions, or whatever concept they choose to make up. Does anyone think that they will be offered an option? The choice of not providing these electronically? Not a chance. This will be the insurer’s policy, and you can choose to not have insurance, or turn over your records. Does this violate HIPAA? To me it does, but since you are given the illusion of choice, their legal team will surely protect them with your ‘agreement’ to turn over these electronic documents. And why not, with all the money they saved through data analysis, they have plenty of money for their legal expenses. Does anyone think that the patient will be allowed to see this data, verify accuracy, or have it deleted after the analysis? Not a chance. Your medical data will most likely have a “half life” longer than your life span. That stuff is not going anywhere, unless it is leaked of course. But then you will be provided a nice letter in the mail about how your data may or may not have been stolen and how you can have free credit monitoring services if you sign this paper saying you won’t sue. It’s like watching a car wreck in slow motion. Or a Dilbert comic strip. Let me take another angle on the data accuracy side of this proposition. When I first graduated college, I walked down the street to open a checking account with one of the big household names in banking. For the next 12 months I received a statement each month, and not one of those banking statements was 100% correct. Every single statement had an error or an omission!
My trials and angst with a certain cell phone provider are also well documented. Once again, charges for things I did not order, rates that were not part of the plan, leaked personal data, and many, many other things during the first year. I had one credit card for a period of 12 years, and like clockwork, a late fee was charged every 6-9 months despite postmarks and deposit dates which conclusively showed I was on time. I finally got tired of having to call in to dispute it, and just plain fed up with what I assumed was a dastardly business practice to generate additional revenue from people too lazy to look at their bills or pick up the phone and complain. I had a utility company charge me $900, for a single month, on a vacant home I had moved out of three months prior. One out of two grocery store receipts I receive is incorrect in that one or more prices are wrong or one of the items scans as something that it is not. Other companies who saved my credit card information, without my permission, tried to bill me for things I did not want nor purchase. Electronic records typically have errors, they are not always caught, and there may or may not be a method to address the problem. The studies I have seen on measuring the accuracy of data contained within these types of databases are appalling. If memory serves, over 20% of the data contained in these databases is inaccurate due to entry or transcription errors, is incorrect due to logic errors in transformational algorithms, or has become inaccurate with the passage of time. That latter item means each subsequent year, the accuracy degrades further. There is no evidence that Ingenix will have any higher accuracy rates, or will not be subject to the same issues as other providers, such as Choicepoint. They say computers don’t lie, but they are flush with bogus data. Now think about how inaccurate information is going to affect you, the medical advice you receive, and the cost of paying for treatment!
There is a strong possibility you could be turned down for insurance, or pay twice as much for insurance, simply because of data errors. And most likely, the calculation itself will not be disclosed, for “Pharmacy Risk Score” or any other actuarial calculation. If this system does not have a built-in method for periodically certifying accuracy and removing old information, it is a failure from the start. I know this is a recurring theme for me, but if companies are going to use my personal information for their financial gain, I want to have some control over that information. Insurance companies will derive value from electronic data sharing because it makes their jobs easier, but the consumer will not see any value from this. -Adrian
Black Hat 2008 Day 1: We're Screwed! [Security Incite Rants] Posted: 07 Aug 2008 11:39 AM CDT Day 1 of Black Hat 2008 is in the books. It's great to see a lot of old friends, and it seems this year (more than the last two) many of the folks I'm talking to are more focused on the networking than on the sessions. Not me. I'm still fired up about seeing really smart guys discuss what they are up to and give me a lot of food for thought about how we need to continue protecting ourselves. I ended up hitting almost all the sessions I wanted to, so let me go through some quick observations.
The Mogull and I recorded a quick podcast yesterday as well. We talk about Kaminsky and Hoff's pitches and come to the conclusion that basically we're screwed. You can check it out at the Network Security Podcast site. Before I head off to Day 2, I have to relay my latest Vegas star sighting. To wrap up the night Shimmy, Mitchell, Adrian Lane and I are catching a little late night breakfast at Caesars. Sitting right next to us is Jeff Dye, one of the finalists on this season's Last Comic Standing. You all know what big fans of comedy the Boss and I are, so it was great to see him in person. He's a very nice guy and he really is that pretty. They are announcing the winner of the show tonight, so I told Jeff we'd be pulling for him. Only in Vegas...
Email updates from Security Bloggers Network. Email delivery powered by FeedBurner.