Thursday, August 14, 2008

Spliced feed for Security Bloggers Network

Congratulations to Raffy! [Emergent Chaos]

Posted: 13 Aug 2008 10:54 PM CDT

His book, Applied Security Visualization, is now out:
Last Tuesday when I arrived at BlackHat, I walked straight up to the book store. And there it was! I held it in my hands for the first time. I have to say, it was a really emotional moment. Seeing the product of 1.5 years of work was just amazing. I am really happy with how the book turned out. The color insert in the middle is a real eye-catcher for people flipping through the book and it greatly helps making some of the graphs better interpretable.
I'm really excited, and look forward to reading it!

Black Hat 2008: Zen of Xen [Infosecurity.US]

Posted: 13 Aug 2008 10:34 PM CDT

Via BlackHat2008, TechWebTV has published another excellent interview video, this time discussing the Xen Hypervisor and the inherent security implications of virtualization, along with the now nearly ubiquitous BluePill project.

Postini catching news Spam [An Information Security Place]

Posted: 13 Aug 2008 10:33 PM CDT

There has been a lot of "news" spam lately with subject lines that include "CNN" or "MSNBC".  Been kinda crazy.  Thankfully Postini, which I just signed up for, has caught all of that crap.

Vet

MBTA vs MIT Students Case Continues [Zero in a bit]

Posted: 13 Aug 2008 05:47 PM CDT

A hearing will be held in Boston tomorrow to decide whether or not the restraining order gagging the MIT students from talking about the vulnerabilities they have found should be lifted. Even though the Defcon presentation is widely available and the MBTA disclosed the “Confidential” memo from the MIT students in their court filings, they are seeking a permanent speech injunction. An august group of computer scientists has signed a letter which will be entered into the record for the case. This list includes: Dave Farber of Carnegie Mellon University, Steve Bellovin from Columbia University, David Wagner from UC Berkeley, Dan Wallach from Rice University, Matt Blaze from the University of Pennsylvania, and Bruce Schneier. An excerpt:

We write to express our firm belief that research on security vulnerabilities, and the sensible publication of the results of the research, are critical for scientific advancement, public safety and a robust market for secure technologies. Generally speaking, the norm in our field is that researchers take reasonable steps to protect the individuals using the systems studied. We understand that the student researchers took such steps with regard to their research, notably by planning not to present a critical element of a flaw they found. They did this so that their audience would be unable to exploit the security flaws they uncovered. . . .

The restraining order at issue in this case also fosters a dangerous information imbalance. In this case, for example, it allows the vendors of the technology and the MBTA to claim greater efficacy and security than their products warrant, then use the law to silence those who would reveal the technologies’ flaws. In this case, the law gives the public a false sense of security, achieved through law, not technical effectiveness. Preventing researchers from discussing a technology’s vulnerabilities does not make them go away - in fact, it may exacerbate them as more people and institutions use and come to rely upon the illusory protection. Yet the commercial purveyors of such technologies often do not want truthful discussions of their products’ flaws, and will likely withhold the prior approval or deny researchers access for testing if the law supports that effort. . . .

Yet at the same time that researchers need to act responsibly, vendors should not be granted complete control of the publication of such information, as it appears MBTA sought here. As noted above, vendors and users of such technologies often have an incentive to hide the flaws in the system rather than come clean with the public and take the steps necessary to remedy them. Thus, while researchers often refrain from publishing the technical details necessary to exploit the flaw, a legal ban on discussion of security flaws, such as that contained in the temporary restraining order, is especially troubling.

It will be interesting to see what arguments the MBTA uses to keep the students from speaking on a topic where all the important vulnerability information seems to have already been disclosed. Sure, the students haven’t presented a cookbook exploit tool, but they have also stated they have no intention of doing so.

Perhaps the court will investigate what the MBTA’s and its technology vendors’ response has been to the MIFARE card vulnerabilities that were disclosed responsibly. If there has been no vigorous response to vulnerabilities responsibly disclosed many months ago, how can they say with a straight face that they are truly responding to new security information and just need more time?

ZDI Advisory: Microsoft Internet Explorer Vulnerability [Infosecurity.US]

Posted: 13 Aug 2008 05:18 PM CDT

ZDI has posted a new, serious, exploitable vulnerability in Microsoft (NasdaqGS: MSFT) Internet Explorer, this time in the XHTML rendering subsystem of the browser.

New Advisories: Microsoft Windows & Office Vulnerabilities [Infosecurity.US]

Posted: 13 Aug 2008 05:00 PM CDT

SecurityWatch UK: First President of Information Security Forum Appointed [Infosecurity.US]

Posted: 13 Aug 2008 04:44 PM CDT

Alan Harten of SecurityWatch UK reports that Professor Howard A. Schmidt (formerly the chief strategist for the US CERT Partners Program of the Department of Homeland Security) has been appointed President of the Information Security Forum (ISF). Professor Schmidt is also a member of the Permanent Stakeholders Group (PSG) of the European Network and Information Security Agency (ENISA), of the International Advisory Board of the International Multilateral Partnership Against Cyber Terrorism (IMPACT), and of the High Level Experts Group for the ITU's Global Cyber Security Agenda. Professor Schmidt is also a member of the board of (ISC)2.

Passwords Suck! [Amrit Williams Blog]

Posted: 13 Aug 2008 04:16 PM CDT


So as many of the readers may be aware, there was recently a series of “attacks” against some folks in the security industry. Although details are light, it appears that someone was able to compromise one system - say a blog - obtain the password, and then use that same password to compromise other systems - say an email account.

I have been meaning to post on this since I often find myself signing up for various on-line things (porn, bittorent sites, and of course my “Breaking 2 Electric boogaloo” fan club group ) but I have a poor memory so I use the same password everywhere (in case you are curious it is hoff1 or chrishoff1, if it requires more than 5 characters) and realized, of course, that if I use that same password/uname to access some backwoods, hillbilly site, that site could be compromised and now the nefarious interlopers would have my access credentials for a whole host of systems.

Well, I thought I had better change my behavior, but I was stuck with the same problem of having to remember multiple passwords, which became a pain, so I switched to passphrases to deal with my memory issues. Passphrases are easier to remember, have higher entropy, and are more secure? Well, that isn’t completely true, but hey, 1 out of 3 ain’t bad - MSFT has some good discussion on passwords vs. passphrases (here), (here), and (here).

OK, so they are easier to remember; let’s test this out using passwords:

System 1  (this blog) password = hoff1

System 2 (my email) password = choffis2

System 3 (my other email) password = choffis3

System 4 (my bank) password = choffis@ss (need this one to be real secure)

See I quickly forget which is which and I am stuck with the problem of having to periodically reset them and then it screws up my whole game plan.

Quick anecdote: While I was with Gartner I was talking to one of the largest school districts in the country. At the time they had implemented a very draconian password policy - must be 8 characters minimum, must include alphanumerics, must be reset every 60 days, can never use the same password twice, account locks out after 3 bad password attempts, etc. Anyway, the user population was, for the most part, only part-time computer users and were really struggling to come up with creative passwords for their various systems; additionally they found that several of the faculty were writing the passwords down so they could remember them - Bueller, anyone? The result was a 40% increase in technical support calls to perform password resets (no, they had not yet implemented single or reduced sign-on, and no, they had not yet implemented a mechanism for users to provision themselves or reset their own passwords). This was impacting budget and costing real hard dollars, and they experienced no material improvement in security access controls; in fact they probably created more opportunities for compromise than they removed.

Anyway let’s see what happens when I switch to passphrases…

System 1  (this blog) password = hoffistheman

System 2 (my email) password = hoffisthemanforhotmail

System 3 (my other email) password = hoffisthemanforyahoomail

System 4 (my bank) password = hoffisthemanforallmybankingneeds

Although this doesn’t do much for my security, it does offer some benefits: one, it is a lot easier to remember; two, if I need to make a change or reset I can simply change everything from “istheman” to “isnttheman” and I achieve goal #1; and three, if someone compromises system 1 they are not automatically granted access to system 2, unless of course they have read this blog posting.

In the end passwords suck, they do little for security and create a lot of headaches, which of course is why even people in security tend to reuse the same password. In the 60’s hippie chicks rallied around a “burn your bra” mantra, perhaps it is time for a “burn your password” mantra - OK, I can rally around the bra thing, but as useless as passwords or passphrases are, we are still at their mercy for most of our computing practices.

Guest Post: OpenSphere Partner Crossbeam Systems on iBeam Certification Program [ImperViews]

Posted: 13 Aug 2008 12:48 PM CDT

Imperva launched its technology partner ecosystem called OpenSphere almost a year ago and one of the founding members is Crossbeam Systems.  What follows is a blog posting from Sanjay Raja, Sr. Product Line Manager at Crossbeam.  This is the first such posting from our partners and I hope to follow-up with many more value additions that are being developed as a part of OpenSphere.

-Rohit Gupta, VP Business Development, Imperva.

--------------

The reality of most large enterprises is that they need to support specialized classes of security applications on their networks to comply with regulations and protect against evolving threats. Often these security apps must be integrated within a layered security architecture.  Imperva's SecureSphere application data security products are a perfect complement to existing Firewall and IPS technologies, as they protect enterprise business data from the database through the application.

The problem today is that companies are challenged to manage this growing sprawl of mission-critical security apps and associated security infrastructure without sacrificing the performance needed to ensure non-stop availability.

In the real world, enterprises have to do extensive testing to make sure the mix of security applications they want to run is going to interoperate and work at the performance levels they demand.

This is where Crossbeam's iBeam program has become so critical - because it is extremely time-consuming and manual for customers to properly deploy, test or add new applications to their networks. They have to get these deployments staged and qualified, while addressing the complex and unpredictable scenarios that can arise during testing.

The iBeam program essentially takes Crossbeam's years of experience deploying best-of-breed security applications deep within carrier-class networks - and automates it. The result is that customers can leverage the network-virtualization and application-consolidation benefits of Crossbeam's Next Generation Security Platform to deploy the applications of their choice (such as SecureSphere) and scale them as needed.

iBeam mimics the complexity of these networks and runs a battery of interoperability tests and performance traffic through various permutations to ensure the success of security apps in every possible scenario. Ultimately, the goal is to let leaders like Imperva excel at delivering the best in security, while Crossbeam delivers the high-performance platform that enables enterprises to deploy and intelligently virtualize the security apps of their choice to meet the growing demands of business.

We give our ISV partners the tools to integrate, test and self-certify their apps on Crossbeam so they can anticipate the unpredictability of customer environments. The result is a frictionless partnering environment with ISV partners, so that customers can deploy the combined solution with a high degree of confidence.

- Sanjay Raja, Sr. Product Line Manager at Crossbeam

Microsoft Security Response Center August Release [Infosecurity.US]

Posted: 13 Aug 2008 10:56 AM CDT

The MSRC has released their August 2008 Monthly Bulletin detailing a multitude of fixes, patches, and alerts:

Bulletins:

· MS08-041 – Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617) – Critical

· MS08-042 – Vulnerability in Microsoft Word Could Allow Remote Code Execution (955048) – Important

· MS08-043 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (954066) – Critical

· MS08-044 – Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (924090) – Critical

· MS08-045 – Cumulative Security Update for Internet Explorer (953838) – Critical

· MS08-046 – Vulnerability in Microsoft Windows Image Color Management System Could Allow Remote Code Execution (952954) – Critical

· MS08-047 – Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (953733) – Important

· MS08-048 – Security Update for Outlook Express and Windows Mail (951066) – Important

· MS08-049 – Vulnerabilities in Event System Could Allow Remote Code Execution (950974) – Important

· MS08-050 – Vulnerability in Windows Messenger Could Allow Information Disclosure (955702) – Important

· MS08-051 – Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (949785) – Critical

The following bulletins were also revised to update their detection logic:

· MS08-022 – major revision, added XP SP3 detection

· MS08-033 – major revision, added XP SP3 detection

· MS07-047 – major revision, update detection

· MS08-040 – minor revision, update detection

Advisories:

· Release Advisory 955179

· Revised Advisory 954960

Pragmatic CSO Podcast #21 - Grass Roots Funding [Security Incite Rants]

Posted: 13 Aug 2008 07:11 AM CDT

Buy my stuff! Pleeeeeeeze.

It's time to wrap up Step 5: Selling the Story. We finish the discussion by talking about how to get funding, when the budget monkeys have told you no. Basically we have to take a "grass roots funding" approach to go to the business leaders directly, make the case, and get the funding we need. It's kind of like selling cookies door to door. We have to be persistent and make the case as to why it would be a good purchase.

This requires us to broaden our skills and likely move out of our comfort zone quite a bit. It's uncomfortable, but it's a good thing. Just remember to focus on the "customer" issues and on the Reasons to Secure. The business leaders will respond to that. Ultimately you may not get the funding you need, but you won't go down like a whimpering puppy. You'll go down swinging, trying to do the right thing.

Running time: 6:29

Intro music is Jungle and I finish it up with Dire Straits "Money for Nothing," because that is an appropriate metaphor. There is no money for nothing. We have to work for it and sometimes that means being creative about the funding we can/should get. 

Direct Download: 21_Pragmatic_CSO_Podcast_21.mp3

Photo Credit: weskimcom

DC16 Recap [SecuraBit]

Posted: 13 Aug 2008 05:27 AM CDT

I could spend hours talking about how much of a good time Chris Mills and I had at DC16 or I figured you all could just tune in for EP8 which we’ll be recording tonight.  There are a lot of people we need to thank for their hospitality as well as the free beer!  We [...]

VMWare Epic Fail [Amrit Williams Blog]

Posted: 12 Aug 2008 10:35 PM CDT


Thanks to Alex S for the heads up…VMWare licensing bug blacks out virtual servers (here)

“August 12, 2008 (Computerworld) A bug in VMware Inc.’s newest software update has blocked corporate users from starting their virtualized servers today, according to reports filed by users in the U.S. and elsewhere.

“Updated product bits with correct licensing will be made available for download as soon as possible,” the spokesman said, adding in a follow-up e-mail that VMware expects to have a patch available later Tuesday.”

Wow! Just when you thought patch Tuesday couldn’t get any worse.

Trying to get bought, so quality drops? [An Information Security Place]

Posted: 12 Aug 2008 09:22 PM CDT

So there is a particular security product manufacturer that Accuvant sells that I cannot name since I will get in trouble (love ya’ Dan!) that has a good product, but their support has been horrendous lately.  Actually, even their product has been slipping, now that I think of it.  And it is starting to hurt the relationship we have with a couple of customers because we recommended the product back when they were kicking some major butt all around.  And it really just pisses me off because this started just a few months before they got bought by a big company.  Oops, man, that probably gave it away, didn’t it?  Huh?  Wadda mean there’s only been about 20 companies that fit that description?  Oh yeah…

As I was saying, this started just a few months before the announcement of their getting snapped up.  This just seems backwards to me.  Does management just get that distracted that their quality starts sucking wind?  Shouldn’t they be trying to concentrate more on quality?  Maybe the deal was pretty much done and they figured what the heck?  The new guys will clean up the mess? 

I experienced that back when Juniper bought Netscreen as well.  I was a customer, and their support went straight to hell for about a year, then it all came back together.  But I kinda expected that to happen.  That was a big deal.  The company I am talking about is not that big, so there should not be a drop in quality like that.  And the Juniper / Netscreen issues didn’t start until AFTER the buy out.  This is happening BEFORE the buy out.

So if there are any manufacturers reading right now, please think about this.  If you are getting ready to sell, please do everything you can to maintain quality in your product and support.  Don’t screw over your employees (don’t know if that is happening here, but the drive of the sales team seems to have dropped dramatically).  Because if your quality drops, I am going to quit recommending you, and so will a lot of people.  Of course, if you already have your money and are at the beach, you are probably not reading this and couldn’t give less of a crap anyway.

Vet

Twitter "Following" Limits: Smart. [NP-Incomplete]

Posted: 12 Aug 2008 08:49 PM CDT

The web has started commenting on twitter's decision to limit the number of accounts that a given user can follow. Having a hard limit is a smart move for multiple reasons. Not only does it allow you to more finely bound the computational load of the message passing architecture, it negatively impacts only two groups, namely spammers and the obsessive-compulsive. This is a good first step that I have pointed out in an interview once before. I suspect that Twitter will also be working on a throttling policy as well as an IP and content blacklisting technology as follow-on mechanisms to continue to battle spam.

Significant Number of Patched DNS Servers Still Vulnerable [Infosecurity.US]

Posted: 12 Aug 2008 07:01 PM CDT

The Register’s Dan Goodin reports that large numbers of previously patched DNS platforms (specifically BIND) are still vulnerable. However, don’t be Chicken Little just yet... then again, the paranoid survive.

How to Create a GIFAR [RioSec]

Posted: 12 Aug 2008 06:05 PM CDT

At BlackHat, security researchers Billy Rios and Nathan McFeters presented "The Internet is Broken", which contained information on GIFARs, a term meaning GIF image files combined with Java ARchives (JAR).  These files could be uploaded to sites that allow image uploading (such as many sites' member photo features) to run code in the context of that site, getting around the "same origin policy" that browsers impose.  This works because GIF images (along with many other file types) store their header at the beginning of the file, while ZIP archives (which is what JAR files are made of) are located by their reader from the central directory record at the tail of the file.

The following video demonstrates this technique.
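The header-at-the-front, index-at-the-tail property described above is also what a server-side upload filter can key on. The following is an added example, not code from RioSec or from the talk: it parses the ZIP end-of-central-directory record at the tail of an uploaded file and flags any file that is a GIF and a ZIP at the same time; the 1x1 GIF and the one-entry archive it is exercised with are constructed inline.

```python
# Added example: flag GIF/ZIP polyglots at upload time. The GIF magic sits at the
# start of the file, while a ZIP reader locates the archive from the
# end-of-central-directory (EOCD) record at the end, so one blob can satisfy both.
import io
import struct
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
EOCD_SIG = b"PK\x05\x06"
EOCD_LEN = 22            # fixed part of the EOCD record
MAX_COMMENT = 0xFFFF     # a ZIP comment of up to 64 KiB may follow the EOCD

# Constructed 1x1 transparent GIF89a (42 bytes), used only as sample input.
GIF_1x1 = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    b"\x02\x01D\x00;"
)


def build_sample_zip() -> bytes:
    """Constructed, harmless ZIP with a single text entry (a JAR is just a ZIP)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("hello.txt", "constructed sample entry\n")
    return buf.getvalue()


def is_gif(data: bytes) -> bool:
    return data[:6] in GIF_MAGICS


def find_eocd(data: bytes):
    """Locate a ZIP EOCD record that terminates the file (optionally followed by
    a comment of the declared length). Returns its parsed fields or None."""
    window = data[-(EOCD_LEN + MAX_COMMENT):]
    base = len(data) - len(window)
    pos = window.rfind(EOCD_SIG)
    while pos != -1:
        rec = window[pos:pos + EOCD_LEN]
        if len(rec) == EOCD_LEN:
            (_sig, _disk, _cd_disk, _n_disk, entries,
             cd_size, cd_offset, comment_len) = struct.unpack("<4sHHHHIIH", rec)
            if pos + EOCD_LEN + comment_len == len(window):
                return {"entries": entries, "cd_size": cd_size,
                        "cd_offset": cd_offset, "eocd_at": base + pos}
        pos = window.rfind(EOCD_SIG, 0, pos)
    return None


def classify_upload(data: bytes) -> dict:
    """Report whether data parses as a GIF, as a ZIP, or as both (a GIFAR-style polyglot)."""
    report = {"gif": is_gif(data), "zip": False, "polyglot": False,
              "prepended_bytes": 0, "zip_entries": []}
    eocd = find_eocd(data)
    if eocd is not None:
        report["zip"] = True
        # cd_offset is relative to the archive start; anything before that is
        # foreign data (here: the GIF). ZIP readers tolerate such a prefix, which
        # is exactly what lets a polyglot pass an image-only check.
        report["prepended_bytes"] = eocd["eocd_at"] - (eocd["cd_offset"] + eocd["cd_size"])
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                report["zip_entries"] = zf.namelist()
        except zipfile.BadZipFile:
            report["zip"] = False
    report["polyglot"] = report["gif"] and report["zip"]
    return report


if __name__ == "__main__":
    for label, blob in (("gif", GIF_1x1), ("zip", build_sample_zip()),
                        ("gif+zip", GIF_1x1 + build_sample_zip())):
        print(label, classify_upload(blob))
```

Rejecting any upload whose report says `polyglot` (or whose `prepended_bytes` is non-zero) is the defensive take-away; checking only the first few bytes of the file is not.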

BlackHat Recap [Zero in a bit]

Posted: 12 Aug 2008 05:43 PM CDT

Another BlackHat has come and gone. As usual, it was a very busy week juggling customer meetings, recruiting, conference planning, vendor parties, and, oh yes, the actual BlackHat presentations. I had a fantastic time catching up with old friends and finally getting the opportunity to meet more of the Security Twits and others in the security community. I didn’t submit a talk this year, but nevertheless, fake Dan Kaminsky was still excited to see me.

My favorite talk, as expected, was the Sotirov/Dowd talk on How To Impress Girls With Browser Memory Protection Bypasses. The attack is a conceptually simple, yet completely reliable technique for exploiting vulnerabilities in web browsers. Of course, the media has sensationalized the impact of their findings, but ultimately, this is still significant as far as browser-based exploits are concerned (here is a more accurate report). It’s worth mentioning that part of the technique allowing them to load a .NET DLL at an arbitrary location under Vista was reliant on an implementation bug wherein the OS disables ASLR if the version in the .NET COR header was below a certain value. However, the address space spraying and stack spraying techniques are likely to be extended to other platforms utilizing similar memory protection mechanisms.

As for the girls? I can report first-hand that the ladies at TAO on Wednesday night were hanging on Alex’s every word. They were particularly impressed when he whipped out the laptop for a live demo. Unfortunately, none of the dozen iPhone owners in the immediate vicinity thought to snap a picture (too busy Twittering). Oh well.

I also enjoyed Hovav Shacham’s talk on return-oriented programming. Simply put, he described a generalization of the return-to-libc shellcode approach with the intent to demonstrate that one could achieve Turing-complete computation using “found code” in process images. By chaining together series of mini-computations ending in return (RET) instructions, it was possible to build higher-level programming constructs such as branches and loops. The nature of the x86 instruction set provides some flexibility because instructions are interpreted differently depending on how you align the instruction pointer (i.e. the old shellcode trick of searching the process image for any JMP EBX instruction and using that as your EIP). In RISC architectures such as SPARC, however, you don’t have that luxury; if your %pc isn’t aligned properly you get a bus error. So it was quite interesting to see that they were able to extend the concept to RISC. The practicality of the attack technique is limited by the fact that the shellcode is tuned to a particular binary image — if the shellcode was built using instructions extrapolated from glibc 2.3.5, it won’t work for a system running glibc 2.4.

I thought Scott Stender’s talk on Concurrency Attacks in Web Applications was interesting as well. In a nutshell, spewing thousands of simultaneous requests at web application transactions that are not thread-safe can create interesting problems. In the presentation, Scott ran his demo against a VM running on the attack machine. I found myself wondering how effective the same attack would be over the Internet — would it be significantly less reliable (or not at all)? Race conditions are generally easier to exploit locally than remotely due to more predictable execution conditions. Certainly this is an under-tested vulnerability class though.
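The check-then-act race behind such concurrency attacks, as an added example that is not from Scott Stender's talk or from this post: a non-thread-safe withdrawal handler beside a locked version, with a threading.Barrier standing in for the flood of simultaneous requests so that the overdraft reproduces on every run. The in-memory account is an assumed stand-in for a web transaction.

```python
# Added example: a check-then-act race in a "transaction" handler, vulnerable and
# fixed. The Barrier forces the interleaving the attack relies on, instead of
# hoping the scheduler produces it.
import threading


class Account:
    def __init__(self, balance: int):
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_racy(acct: Account, amount: int, arrive: threading.Barrier) -> bool:
    """Not thread-safe: the balance check and the debit are separate steps."""
    if acct.balance >= amount:        # check (every request sees the untouched balance)
        arrive.wait()                 # all requests pass the check before any debit lands
        acct.balance -= amount        # act: each request debits an already-spent balance
        return True
    return False


def withdraw_safe(acct: Account, amount: int, arrive: threading.Barrier) -> bool:
    """Thread-safe: check and debit happen atomically under the account's lock."""
    arrive.wait()                     # requests still arrive all at once...
    with acct.lock:                   # ...but only one at a time may check-and-debit
        if acct.balance >= amount:
            acct.balance -= amount
            return True
        return False


def fire_requests(handler, acct: Account, amount: int, n: int):
    """Run n concurrent requests; return (successful withdrawals, final balance).
    Assumes every request reaches the barrier, which holds for the scenario below."""
    arrive = threading.Barrier(n)
    results = []
    results_lock = threading.Lock()

    def worker():
        ok = handler(acct, amount, arrive)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count(True), acct.balance


if __name__ == "__main__":
    # Constructed scenario: one account holding 100, ten requests each asking for 100.
    print("racy:", fire_requests(withdraw_racy, Account(100), 100, 10))   # 10 succeed, balance <= 0
    print("safe:", fire_requests(withdraw_safe, Account(100), 100, 10))   # 1 succeeds, balance 0
```

Over a real network the same window is narrower and timing-dependent, which is the point the paragraph raises; the fix (serialising or transactionally locking the check and the update) is what removes the window regardless of how reliably an attacker can hit it.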

One presentation I wasn’t able to attend but want to follow up on is Nate McFeters, John Heasman, and Rob Carter’s talk which discussed the GIFAR attack I’ve been hearing so much about lately. The gist is that you can create a file that is both a valid GIF and a valid JAR, then use some Java applet tricks to initiate HTTP requests on behalf of the victim.

Finally, the Pwnie Awards didn’t fail to disappoint. Drama ensued over the Most Overhyped award, but at least this year some of the winners showed up to claim their awards! Halvar rapping Symantec lyrics was also quite memorable.

All in all, a fun and informative week, but as usual, I was relieved to get the hell out of Vegas and head home on Friday morning.

P.S. For a much more entertaining BlackHat/Defcon Recap, read Jennifer Jabbusch’s account of the week’s events. It’s my favorite one so far!

Keyczar - Google’s Crypto Solution [Infosecurity.US]

Posted: 12 Aug 2008 05:42 PM CDT

Google (NasdaqGS: GOOG) has released its open source cryptographic toolkit, monikered KeyCzar, for non-crypto-inclined developers.

New Whitepaper: Best Practices For Endpoint DLP [securosis.com]

Posted: 12 Aug 2008 05:34 PM CDT

We’re proud to announce a new whitepaper dedicated to best practices in endpoint DLP. It’s a combination of our series of posts on the subject, enhanced with additional material, diagrams, and editing. The title is (no surprise) Best Practices for Endpoint Data Loss Prevention. It was actually complete before Black Hat, but I’m just getting a chance to put it up now.

The paper covers features, best practices for deployment, and example use cases, to give you an idea of how it works.

It’s my usual independent content, much of which started here as blog posts. Thanks to Symantec (Vontu) for sponsoring and Chris Pepper for editing.

Danchev - Russia vs. Georgia Cyberwar Analysis [Infosecurity.US]

Posted: 12 Aug 2008 12:31 PM CDT

Dancho Danchev’s thorough analysis is a fascinating snapshot of the cyberwar underway in the Republic of Georgia.

Kaminsky Video Posted [Infosecurity.US]

Posted: 12 Aug 2008 10:38 AM CDT

TechWeb TV has posted a fascinating video detailing the exploit discovered by Dan Kaminsky and his advice thereto.

Notice for Episode 8 [SecuraBit]

Posted: 12 Aug 2008 08:57 AM CDT

We will be recording Episode 8 on Wed, Aug 13th at 7pm.  The live stream will be up; join us on IRC for the URL.

The Daily Incite - August 12, 2008 [Security Incite Rants]

Posted: 12 Aug 2008 06:52 AM CDT

Today's Daily Incite

August 12, 2008 - Volume 3, #68

Good Morning:
I forgot how cool the Olympics are.  I can hardly remember what I had for breakfast, so the odds of remembering anything that happened 4 years ago are remote. On Sunday night, I remembered. Athletes from around the world, competing mostly for national pride. Not entirely, but mostly. I'll admit to getting caught up in the drama, the background stories, and ultimately the sacrifice that these athletes make for years at a time to chase one shining moment.
Take that Frenchies!
And if they screw it up, it's gone. Likely to never come around again. It's the ultimate drama.

By now, most (if not all) of you should have heard about the American 4x100 freestyle relay team. What a race! The Boss and I were literally screaming at the TV at midnight. Yes, we woke up the kids. And yes, we paid dearly for the hour after the race was over. The last time I got that fired up watching sports was the Super Bowl, and before that I can't even remember.

We were also totally engaged in the women's gymnastics preliminaries. Although "women's" is probably a misnomer. It seemed a bunch of those competing were girls. Little girls at that. But those girls can flip, turn, tumble, and vault like nobody's business. They are fearless and focused.

To me, the best part is to see the athletes dig deeper than they thought they could. They routinely do things no one thinks is possible - even themselves. They push through the limits and show the world what they are made of. I tip my hat to all the Olympians. Whether they take Gold or just show up and compete. It's a tremendous accomplishment.

The best seat in the house is usually right in front of my big ass HDTV. But I'm thinking the Olympics is something you should attend at least once, if the opportunity presents and fortune smiles upon you. By the 2012 Summer Games in London, the kids may be old enough to appreciate it. Hmmmm. I better start saving now.

Have a great day. 

Photo: "YEAH, USA!!!" originally uploaded by mbtrama

Top Security News

What kind of parachute fits on a pwnie?
So what? - Have you ever seen a flying pwnie? You will. With Delta offering WiFi in the sky, there is no doubt some enterprising "researcher" will bust out xStumbler and Wireshark to see what he/she can find. How would anyone actually catch them? A little spoofing action and they are in the clear. And it's not like the Air Marshals are going to be much help. Do you think Delta is going to give up a revenue seat for a security pro? Yeah, right. I know WiFi in the sky is probably good for their revenue, but it's bad for unsuspecting customers, who couldn't defend themselves from a grade school crook. So basically they are sending a bunch of lambs to potential slaughter. I guess the best news is that a bad guy can only compromise 200 or so people at a time. Though flying on the A380 could yield a fiesta. Let's just say I'll remain happy to do some unconnected writing on my flights. Even if I do have WiFi.

Countrywide...You are the weakest link.
So what? - So now it seems the Countrywide data breach could/should have been averted because they had a policy (and even some software) to shut down the USB ports. Except on the machine the nefarious insider used to pilfer the data. And there you have it. The weakest link is always the one that gets nailed. Moreover, the policy isn't worth the paper it's written on, if it's not enforced. Seriously. Countrywide gets an A for preventative controls. But they get an F for implementation. As my friend told me when I was trying to sell my house, "it only takes one." I guess Countrywide gets that now too.

Yes, monitor your web apps too
So what? - I found this new capability on Imperva's web application firewall, to monitor malicious inputs (amongst other things) and help provide actionable reports to developers, fascinating. You all know I'm a big fan of monitoring, and all other things being equal, I'll choose to monitor not just the network but the servers, databases, and apps as well. As helpful as the monitoring info is to REACT FASTER, it would be great if you didn't actually have to react every time. So you could get attacked, find the issues in the application and then fix them. Of course, it's the "fix" part that is the most challenging, because we security folk don't control that. So it still gets back to building and nurturing a good relationship with the development team and continuing to evangelize why it's a good thing to eliminate issues before deployment, and this is just more data to make the point.


The Laundry List

  1. JNPR plays into the eventual integration of network and security management by offering an integrated management console for the switches and the (former) NetScreens. - Juniper release
  2. MSFT introduces the "exploitability index" to protect consumers. So, a totally subjective index targeted towards a customer base that doesn't understand what "exploitability" means. Great. - Venturebeat coverage
  3. Guidance blows the quarter, stock gets hammered and now it's time to change to a subscription model. It's hard to get off the perpetual license crack when the Street expects new growth. - Guidance earnings release
  4. Justice is served. You mean, the TJX hackers are brought to justice? Nah, now I'm forced to go buy some decent clothes, since I'm still boycotting TJX. - NetworkWorld coverage

Top Blog Postings

Too much GRC? It's more about tactical vs. strategic
Normally I wouldn't point to a vendor byline generally making the case for a GRC thingy. But Gordon Burnes of OpenPages makes a couple of good points in this article on the IT-Finance Connection blog. Basically his point is that "For each new regulation or risk discipline, organizations typically implement a new technology point-solution aimed at the specific mandate." Clearly there are problems with this approach. First you get no leverage. I know sometimes there are different operating groups that are responsible for different aspects of managing risk and ensuring compliance, but if there is no SINGLE coordinating point, what's the purpose? Remember that old story about the weakest link? Right, you have no idea what is weak or strong if you don't have a single view of the risk environment. The same can (and should) be applied to security (as if you can separate security from risk) in taking a SINGLE and holistic (hopefully not delusional) view of the security environment. That's why I push for the CISO to be focused on managing the program, as opposed to implementing and operating the controls. If they're too busy fighting fires, they miss the forest for the trees, and sooner or later they have to bring those fire department planes in to control the forest fire.
http://www.it-financeconnection.com/risk-and-compliance/standardizing-grc/
Link to this

A bug is a bug is a bug is a bug
Fortify's Roger Thornton rants a bit about this recent debate about open source security. I guess we just can't quite remember that every piece of software has bugs, and those bugs sometimes result in security issues. Roger's point is that open source is no panacea and is still going to have bugs. Yet, many in the open source community view these realities as personal affronts and strike back with venom and rage. Get over it. I agree with Roger that security issues are issues just like performance and functional issues. Especially if the application provides access to private data and/or intellectual property. But it's not sexy to focus on security issues and we security folk have to keep evangelizing the need to make the software better (over time) and focus on eliminating the defects sooner and better. And that goes for open source, commercial grade or home grown stuff. The attackers don't make a distinction and neither should you. 
http://extra.fortifysoftware.com/blog/2008/07/the_empty_debate_over_open_sou.html
Link to this

Only the rear view mirror knows your potential
I'm going to wrap today with an off-topic post. One of the things that frustrates me most about some folks I know is they are pre-occupied with what everyone else thinks of them. Other people's perception drives what they do and how they feel about themselves. I work very hard to not give a crap. I do what I think is best for ME and my family and if someone else doesn't like it... Oh well. This post on Penelope Trunk's blog really sums up the entire discussion. Her main contention is that our only purpose in life is to be kind, and she's right. I spent a long, long time not being kind, rather chasing some arbitrary dollar figure and stepping on lots of folks in the process. I was grumpy and I felt like a failure because I didn't have a plane (don't laugh, it's true). Then I stopped worrying about it. I started worrying more about having fun than making money. I figured it would work out in the end, so I just did things that seemed right, as opposed to what was the consensus view of how to do things. And I will continue to do that. I suspect people will be constantly scratching their heads at the stuff I do. Just know, your opinion - though interesting - is irrelevant. I'm not worried about what anyone else thinks about my choices. Anyhow, I figure I'm in the win column already, since my kindergarten teacher figured I'd never amount to much of anything. So now I'm playing with the house's money. Just have fun and stop worrying about everyone else. It's a much better way to live.
http://blog.penelopetrunk.com/2008/08/08/living-up-to-your-potential-is-bs/
Link to this

MBTA Vulnerability Released To Web. By The MBTA… [Infosecurity.US]

Posted: 11 Aug 2008 10:52 PM CDT

The MBTA (Massachusetts Bay Transportation Authority) has apparently been hoisted upon its own petard..er, bus… The MBTA filed (Case 1:08-cv-11364-GAO) a federal complaint, Friday, to prohibit MIT (Massachusetts Institute of Technology) researchers/students from divulging (during a talk to be presented at DefCon) exploitable vulnerabilities discovered in the payment architecture for Boston’s subway, according to PCWorld. The students, Zack Anderson, Russell “RJ” Ryan and Alessandro Chiesa, all complied with US District Judge Douglas P. Woodlock’s decision, based on advice from counsel, Jennifer Granick, an attorney with the EFF (Electronic Frontier Foundation).

Here’s the twist to this story: the MBTA released the documentation themselves…in the complaint.

[1] PCWorld

[2] Wired’s Threat Level

[3] The Register

The Tip of The Iceberg? [ImperViews]

Posted: 11 Aug 2008 07:05 PM CDT

Last week, the US Justice Department charged 11 people with stealing more than 40 million credit- and debit-card numbers from nine retailers, calling it the largest U.S. identity theft prosecution. Kudos to all who were involved in this operation. The Chronicles of Dissent blog (one of the best privacy-related sources) identified that some of the retailers mentioned did not disclose the breach earlier.
