Saturday, August 16, 2008

Spliced feed for Security Bloggers Network

Links for 2008-08-15 [Anton Chuvakin Blog - "Security Warrior"]

Posted: 16 Aug 2008 12:00 AM CDT

  • The Daily Incite - August 15, 2008 | Security Incite: Ding dong, SIM is dead? Yeah, not so much...
    My opinion is that the first generation of SIM didn't do what it needed to. It was too hard, too expensive, took too long to see value. There are lots of folks that are working on those issues. Of course, we still aren't there yet, but the industry is making progress. And the biggest reason I don't see the idea of SIM dying (although the implementation will clearly change and evolve) is because CUSTOMERS NEED IT.
  • Lets start the hype engine for 2009
    For the 5th year in a row, I suspect 2009 will be very much like 2008. We are still bailing out the leaky boat with a small cup. Sure, there are new and different attack vectors. And things like "the cloud" are causing us to revisit our general security architectures. And compliance certainly isn't going away as a key issue for security folks everywhere. BUT, maybe in 2009 we can start actually implementing the stuff we bought in 2006 and making sure we are more effectively doing the blocking and tackling that we all know can use some improvement.

The Cat is Out of the Bag [Andrew Hay]

Posted: 15 Aug 2008 07:16 PM CDT

After weeks of biting my tongue I can finally let everyone know that I have accepted a security analyst position in Bermuda and am leaving Q1 Labs. Over the past 3.5 years I learned more about log and flow management than I would have learned at any other job. My work at Q1 Labs inspired me to author 3 books, seek out new certifications, meet new and interesting people, and expand my overall knowledge of security.

Every now and then a career opportunity comes around that you simply cannot say no to. This job in Bermuda is just that kind of opportunity. My new role will allow me to attend more conferences and influence the development of security policies and training. Hopefully my new role will also allow me to enjoy some of my past accomplishments and provide new and exciting challenges.

Oh…and blog more :)

A Few More Words on DLP and Compliance [Anton Chuvakin Blog - "Security Warrior"]

Posted: 15 Aug 2008 04:51 PM CDT

Today I was thinking about DLP again :-) (yes, I know that "content monitoring and protection" - CMF - is a better description). Specifically, I was thinking about DLP and compliance. At first, it was truly amazing to me that DLP vendors "under-utilize" compliance in their messaging. In other words, they don't push the "C-word" as strongly as many other security companies. The compliance dog doesn't snarl at you from their front pages and it doesn't bite you in your ass when you read the whitepapers, etc. Sure, it is mentioned there, but, seemingly, as an afterthought.

For example, Reconnex, which was recently absorbed by McAfee, touts "information protection" before compliance. Similarly, my friends from nexTier only mention "compliance" on a few pages. Even the newly unveiled DLP resource (DLP In-Depth portal) only contains a little bit of information on how DLP solutions help with various compliance projects. People tout "data protection", "data security", "data governance" (aka "we know big words - bigger than you") or even "data risk management" (aka "we are confused about what we sell").

I decided to explore this curious phenomenon.

Initially, I thought that it was reverse compliance at work: people not wanting to know what content packs up and leaves their network. Then I thought that maybe DLP vendors just aren't "the bandwagon jumping kind" (yeah, right!). Then I thought that they are "beyond compliance" already :-)

But you know what? I actually think that it is something different, much more sinister. It is the ominous checklist mentality (here too)!  You know, DLP is newer than  most regulations (PCI DSS, HIPAA, FISMA, etc) and - what a shock! - the documentation for these mandates just doesn't mention DLP (or CMF) by name. Sure, they talk about data protection (e.g. PCI DSS Requirements 3 and 4), but mostly in terms of encryption, access control, logging (of course!).

Also, PCI DSS directly and explicitly says "get a firewall", "deploy log management", "get scanned", "install and update AV" - but where is DLP? Ain't there...

Yes, Virginia, folks who "go by the book" and just "do the minimum" are missing out on the chance to procure DLP while their compliance budgets are still flowing. To me that means that many still don't get the "compliance+" model - buy for compliance -> use for security, operations, having fun, etc. Think what a good DLP solution  will do for you in discovering regulated data across the entire organization, blocking those pesky email with SSNs, PHI (hi, HIPAA) and CCs (hi, PCI) as well as solving plenty of other problems ...

StillSecure secures an IQ award [StillSecure, After All These Years]

Posted: 15 Aug 2008 04:20 PM CDT

For those who don't know, StillSecure is headquartered in Superior, CO, which is right outside of Boulder, CO. Besides being a beautiful, funky college town nestled in the foothills of the Rockies, the Boulder area is a leading tech center.

One of the more coveted local recognition awards is the Boulder County Business Report IQ awards. In this case IQ does not stand for how smart you are, but Innovation Quotient. StillSecure was just named the winner in the Computer category. This was not just security, but virtually all computer technology.

This follows my pal, Rajat Bhargava, StillSecure CEO, winning an entrepreneur of distinction Espirit award from the Boulder Chamber of Commerce as well.


Cyber Mercenary [ImperViews]

Posted: 15 Aug 2008 03:24 PM CDT

Many words were written about the cyberwar between Russia and Georgia. Georgia is accusing the Kremlin, and there were reports that the Georgians experienced cyber-attacks even before the invasion began. If you Google around, you'll get hundreds of related news stories.

Evgeny Morozov decided to report from a different angle. Probably intrigued by quotes stating that cyberattacks are inexpensive and easy to mount, he decided to join the war, protected behind the shield of his laptop and far from the dangers of the fighting. Slate brings his story.

If security is a circus, who are the clowns? [StillSecure, After All These Years]

Posted: 15 Aug 2008 03:09 PM CDT

Linus Torvalds complains to Ellen Messmer about the "security circus" he sees. Linus is talking about the constant friction between the disclose-immediately versus "responsible disclosure" crowd. While I agree that the when-to-disclose arguments get tiresome, the long pole in the tent of this circus is the clowns who do a lot of the coding for the products that we use.

With the pressure of getting out code on time and on budget, there are just too many vulnerabilities in the products we rely on. Racing to get the next greatest feature in this release, or that must-have functionality that was promised to the customer, too often pushes security and bulletproof code into the shadows. Then, when someone finds the all-too-frequent holes in the code, somehow the people finding them are wrong?

Yes, it would be much better if the whole disclosure timing thing went away. I don't think that will ever happen. But if we had more quality control around code, perhaps it would not be so acute. So, when talking about the circus, instead of blaming the security people, maybe take a good look at the clowns.

Cisco Security Advisory: Cisco WebEx Vulnerability [Infosecurity.US]

Posted: 15 Aug 2008 02:07 PM CDT

Cisco (NasdaqGS: CSCO) Security engineers have released notification of a vulnerability in the company’s WebEx Meeting Manager ActiveX Control.

On Idiots and Logs [Anton Chuvakin Blog - "Security Warrior"]

Posted: 15 Aug 2008 01:53 PM CDT

How on Earth can someone even utter the phrases "scalable log management" and "Microsoft Access for data storage" in one sentence? OMG, OMG, OMG...

MS Access, for God's sake! I wonder if they tried storing logs in Excel spreadsheets?

XKCD: Electronic Voting Machines [Infosecurity.US]

Posted: 15 Aug 2008 01:52 PM CDT

Applied Security Visualization [Roer.Com Information Security - Your source of Information Security]

Posted: 15 Aug 2008 01:34 PM CDT

The book Applied Security Visualization, by Raffael Marty (the SecViz) is available.

This book is particularly interesting to those of you who are into logging, and struggle to find a meaningful way to present and use your log data. I have put it on my reading-list, as I believe that logs are only as valuable as their presentation.

Fortify Hacking Challenge [ISIS Blogs]

Posted: 15 Aug 2008 01:03 PM CDT

I also did the Fortify [Web] Hacking Challenge last week. Their challenge was refreshingly different, fun, and relaxing compared to the other web hacking challenges I’ve done. I really enjoyed playing in it even if it only lasted a short time. Here’s the official description of the contest:

The link below will take you to a Web site which contains numerous vulnerabilities but is being defended by the Fortify Real-Time Analyzer (RTA). When you conduct an attack, Fortify RTA will block your efforts and redirect you to a separate page. However, if you conduct a particularly impressive attack, Fortify RTA will redirect you to a different page, with a code word. There are three code words available.

Fortify RTA had a tight lock on that website! I probably came up with a hundred separate attacks against their website, but they were only looking for a very specific 3. Every so often, I’d come up with what I thought was an impressive attack but it wouldn’t give me any points! Here’s one example:

I found an authorization problem when viewing account details that let me enumerate the database for and grab the account details of every client in the bank. I used Burp Intruder to automate harvesting this data, making over 10,000 requests to the server to gather the info. Then I manipulated client-side parameters on the ‘transfer funds’ page to steal money from other clients and deposit it into my account. This wasn’t an attack they were looking for and didn’t get me any points! Grrr..

I took screenshots of all the actual attacks below.

You had to recognize that they set an AuthType cookie when you logged in. Changing this cookie to 0 let you view and access a hidden admin panel.

Once in the admin panel, RTA triggered on a command injection vulnerability:

… and on cross-site-scripting the other admins:

The last attack was a SQL injection on the account details page:

My biggest problem was that I overthought the attacks they were looking for. Once I calmed down and stopped trying to become a millionaire/root-shell-0wner I realized they were probably looking for the basic web vuln trifecta: command injection, xss, and sqli. All in all, a really fun challenge. Thanks Fortify!
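The two bugs the post describes, trusting a client-set AuthType cookie for admin access and serving any account's details to any logged-in user, side by side with the server-side checks that close them. This is an added illustration, not code from Fortify's challenge site; the session store, user table and cookie names are constructed for the example.

```python
from http.cookies import SimpleCookie
from typing import Optional

# Constructed server-side state (hypothetical): session ids map to users,
# users carry a role and the set of account ids they own.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob", "sess-root": "admin"}
USERS = {
    "alice": {"role": "customer", "accounts": {"1001"}},
    "bob": {"role": "customer", "accounts": {"1002"}},
    "admin": {"role": "admin", "accounts": set()},
}
ACCOUNTS = {"1001": "alice's details", "1002": "bob's details"}


def parse_cookies(header: str) -> dict:
    """Turn a raw Cookie request header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def admin_panel_vulnerable(cookie_header: str) -> bool:
    """Trusts the client-supplied AuthType cookie: anyone who sets it to 0 is 'admin'."""
    cookies = parse_cookies(cookie_header)
    return cookies.get("AuthType") == "0"


def admin_panel_hardened(cookie_header: str) -> bool:
    """Derives the role from the server-side session; client cookies carry no authority."""
    cookies = parse_cookies(cookie_header)
    user = SESSIONS.get(cookies.get("session", ""))
    return user is not None and USERS[user]["role"] == "admin"


def account_details_vulnerable(cookie_header: str, account_id: str) -> Optional[str]:
    """Authenticates the caller but never checks ownership, so account ids can be enumerated."""
    cookies = parse_cookies(cookie_header)
    if cookies.get("session") not in SESSIONS:
        return None
    return ACCOUNTS.get(account_id)


def account_details_hardened(cookie_header: str, account_id: str) -> Optional[str]:
    """Authorizes per object: the requested account must belong to the session's user."""
    cookies = parse_cookies(cookie_header)
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None or account_id not in USERS[user]["accounts"]:
        return None
    return ACCOUNTS.get(account_id)
```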

MOTD [ImperViews]

Posted: 15 Aug 2008 10:46 AM CDT

"Cybercrime was probably here to stay." - Kypros Chrysostomides, Justice Minister, Cyprus

This quote is taken from an article in the CyprusMail, delivering the story of an IT consultant breaking into a former client, an international investment and finance services company, which the island's industry is based upon, and stealing customer data.

Looks like Cybercrime is everywhere, including the peaceful Mediterranean island. Only several years ago the paper quoted another official stating that "no one in Cyprus has ever been arrested or charged with any sort of cyber crime". But now, it's there to stay.

Shimel Returns! [Infosecurity.US]

Posted: 15 Aug 2008 09:39 AM CDT

Alan Shimel (Chief Strategy Officer of StillSecure) has returned to the security blogosphere after a brief hiatus (read his blog for details). We highly recommend his blog, and look forward to reading his keen insight again.

Will Exporting Netflow Impact My Device? [Andrew Hay]

Posted: 15 Aug 2008 09:37 AM CDT

One question I hear all the time is “If I enable the exporting of Netflow on my router or switch, will it impact performance?” Yes it will, but usually not by enough to discourage you from including Netflow datagrams in your network analysis plans.

According to this document, released by Cisco, if you have…

  • 10000 (ten thousand) active flows in the cache you can expect no more than a 4% increase in CPU utilization.
  • 45000 (forty-five thousand) active flows in the cache you can expect no more than a 12% increase in CPU utilization.
  • 65000 (sixty-five thousand) active flows in the cache you can expect no more than a 16% increase in CPU utilization.

Also, sampled Netflow will significantly decrease CPU utilization to the router. According to Cisco:

On average sampled NetFlow 1:1000 packets will reduce CPU by 82% and 1:100 sampling packets reduce CPU by 75% on software platforms. The conclusion is sampled NetFlow is a significant factor in reducing CPU utilization.

That being said, sampling Netflow won’t give you the whole picture, just a tiny piece of the flow puzzle.

More information can be found here and here.

links for 2008-08-15 [Andrew Hay]

Posted: 15 Aug 2008 08:00 AM CDT

Cyberwar or Media Hype? [Andrew Hay]

Posted: 15 Aug 2008 07:50 AM CDT

Note - I am not taking sides in the Georgia/Russia conflict as I think the governments on both sides are equally acting like children.

In reading this article entitled How I became a soldier in the Georgia-Russia cyberwar, I started thinking about the validity of so-called Cyber Warfare. Is it media hype because it's the new sexy topic to discuss (i.e. the new generation's Cold War) or is it actually happening? We truly haven't seen concrete results from either camp and I'm not sure if we ever will (*cough* WMDs *cough*).

The article describes how easy it was for the author to find out how to attack the Internet infrastructure of a foreign nation. (I won’t even touch the topic of someone downloading a webpage and accessing it on their system - that’s another article entirely). From the article:

Not knowing exactly how to sign up for a cyberwar, I started with an extensive survey of the Russian blogosphere. My first anonymous mentor, as I learned from this blog post, became frustrated with the complexity of other cyberwarfare techniques used in this campaign and developed a simpler and lighter "for dummies" alternative. All I needed to do was to save a copy of a certain Web page to my hard drive and then open it in my browser. I was warned that the page wouldn't work with Internet Explorer but did well with Firefox and Opera. (Get with the program, Microsoft!) Once accessed, the page would load thumbnailed versions of a dozen key Georgian Web sites in a single window. All I had to do was set the page to automatically update every three to five seconds. Voilà: My browser was now sending thousands of queries to the most important Georgian sites, helping to overload them, and it had taken me only two to three minutes to set up.

Now this really made me think. If there is a Cyber War going on in Georgia, how can we be certain that the attacks originate from Russia and not sympathetic expatriates in the Western hemisphere? How can we be sure that the attackers are not opportunistic attackers looking to exploit an attack vector that will be blamed on an entire nation? How can we be sure that the Georgian army isn’t taking their own infrastructure offline in order to draw sympathy to their cause?

From the article:

In less than an hour, I had become an Internet soldier. I didn’t receive any calls from Kremlin operatives; nor did I have to buy a Web server or modify my computer in any significant way. If what I was doing was cyberwarfare, I have some concerns about the number of child soldiers who may just find it too fun and accessible to resist.

The bottom line is that we can’t be sure of any of these issues without extensive network and system monitoring. I’m not talking about watching the traffic and logs for one or two sites, but rather a city-/region-/country-/nation-wide monitoring infrastructure with centralized consolidation of information for trending and situational awareness. This type of infrastructure allows nations to detect probing of their infrastructure (a.k.a. reconnaissance), help determine the source of the attackers (a.k.a. intelligence), and ultimately help mitigate the attack (a.k.a. digging in).
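The monitoring the post calls for, reduced to one detection: a browser auto-refreshing a page of a dozen thumbnailed sites every few seconds shows up in consolidated web logs as a single client hitting several hosts at a steady cadence. This is an added example, not code from the post or the article it quotes; the log format (timestamp, client, host, path) and the log lines are constructed, and thresholds are assumptions to tune per site.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HOSTS = ["www.gov.example", "news.example", "bank.example"]

# Constructed log: one client refreshing three hosts every 4 seconds (the
# "for dummies" page pattern), plus one ordinary reader of a single host.
CONSTRUCTED_LOG = "\n".join(
    f"2008-08-12T10:00:{4 * round:02d} 203.0.113.7 {host} /"
    for round in range(4) for host in HOSTS
) + "\n2008-08-12T10:00:03 198.51.100.9 news.example /story/1" \
    "\n2008-08-12T10:01:30 198.51.100.9 news.example /story/2"


def parse_log(text):
    """Parse constructed lines of 'ISO-timestamp client host path'."""
    entries = []
    for line in text.strip().splitlines():
        ts, client, host, path = line.split()
        entries.append((datetime.fromisoformat(ts), client, host, path))
    return entries


def find_refresh_floods(entries, window=timedelta(seconds=60),
                        min_requests=10, min_hosts=3):
    """Flag clients that, within one sliding window, issue at least min_requests
    spread across at least min_hosts distinct hosts, and report the refresh
    cadence estimated from repeat hits on the same host."""
    by_client = defaultdict(list)
    for ts, client, host, _ in entries:
        by_client[client].append((ts, host))
    flagged = {}
    for client, hits in by_client.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            span = hits[start:end + 1]
            hosts = {h for _, h in span}
            if len(span) >= min_requests and len(hosts) >= min_hosts:
                first_host = span[0][1]
                times = [t for t, h in span if h == first_host]
                gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
                flagged[client] = {
                    "requests": len(span),
                    "hosts": len(hosts),
                    "median_gap_s": gaps[len(gaps) // 2] if gaps else None,
                }
                break  # one verdict per client is enough for an alert
    return flagged


if __name__ == "__main__":
    for client, stats in find_refresh_floods(parse_log(CONSTRUCTED_LOG)).items():
        print(client, stats)
```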

I’ve Been Laughing At This All Morning! [Andrew Hay]

Posted: 15 Aug 2008 06:54 AM CDT

Difference between InfoSec and Audit (Group Hug)? [RSA Conference - Blog]

Posted: 15 Aug 2008 05:07 AM CDT

TSA Security - Still an Oxymoron [and getting worse] [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 14 Aug 2008 10:44 PM CDT

The more of these I read, the more I will continue to express my opinion that I shared with an Army gentleman on my way home from Atlanta the other day - the TSA should be fired wholesale, and replaced by competent military personnel.

I can confirm, personally, that the TSA's facilities in SFO are horribly bad, as I walked past a screening point in the airport, past a door marked "Transportation Security Administration Staff Only" which was taped open (meaning, there was tape over the door lock)! Another door was propped open with a chair and an oscillating fan placed on it, presumably to cool off the room.

Now the above mentioned article indicates that an unencrypted computer for the CLEAR program was stolen and then put back into a locked cabinet... how does this happen? First off, how is it that the TSA and its partners are still not encrypting laptops? How does a laptop go missing from a locked cabinet, then get put back into that same locked cabinet without anyone noticing who took it or put it there? How bad is security at these places?

While I understand I may be subjecting myself to some "additional security screening (read: hassle)" I will be starting to take more pictures of the TSA "secure areas" with my trusty travel camera as I travel. Someone needs to expose this crap, and make the TSA accountable - I guess if it has to be me, so be it. While I'm not planning on getting myself into trouble, or taking pictures of anything that's a security breach (obviously, I travel enough to know safety is a concern)... someone has to keep these folks accountable for their absolute lack of knowledge, security, and concern.

More to come.

VMware CEO Apologetic After Patch SNAFU [Infosecurity.US]

Posted: 14 Aug 2008 04:27 PM CDT

Government Computer News reports the VMWare CEO, Paul Maritz, is rather contrite in the wake of the virtualization company's patch challenges from three days ago.

Air Force Hibernates ‘Cyber Command’ [Infosecurity.US]

Posted: 14 Aug 2008 04:11 PM CDT

NextGov reports the US Air Force’s Cyberspace Command has suspended work on their program building efforts.

Clear® CEO Stephen Brill Updates Registered Travelers Via Email [Infosecurity.US]

Posted: 14 Aug 2008 11:19 AM CDT

Verified Identity Pass, Inc., and Clear® CEO Stephen Brill has transmitted another pseudo apology and update letter to the company’s customers, detailing the current status of the company’s efforts to mitigate their current security blunders (for a security related company, this is a rather important issue, wouldn’t you agree?). Thanks to REDACTED for the letter body copy….and now, the letter, drum roll please…..

Clear CEO, Steven Brill

We re-opened Clear enrollment on Tuesday, which had been temporarily unavailable after a laptop containing a small part of some applicants’ enrollment data was taken from a locked office at the San Francisco Airport (though, as you know, the Clear lanes continued to operate normally nationwide). The laptop was recovered, and preliminary investigations revealed that no unauthorized person gained access to any of the information stored on that laptop. The data was protected with two levels of passwords, but was not encrypted, and it should have been.

Update on Security Enhancements to the Clear System
Clear has encrypted every enrollment kiosk and laptop computer containing personally identifiable applicant and member data. Ernst & Young independently performed an inspection and filed an audit report with the Transportation Security Administration (TSA) stating that all enrollment kiosks and all mobile devices are encrypted up to government standards. TSA also conducted its own on-site verification of encryption on all enrollment kiosks and mobile devices at randomly selected locations.

Beyond the encryption of these devices, Clear has also installed other security updates, including physical security enhancements. And, Clear will continue to enhance the security of our system with the latest technology and software security advancements as they become available.

Finally, Clear’s privacy ombudsman wrote in a letter posted on Clear’s website that he is conducting an independent review of Clear’s security processes on behalf of Clear members. He will post those results online once he has concluded his investigation. To review the letter, please go to

Please call Clear Support with any questions, comments, or concerns at (866) 848-2415. We hope you’ll complete Clear enrollment soon so you can speed through airport security at 18 airports nationwide.

Steven Brill
Clear CEO

This message was sent to Clear member 'REDACTED'. This email is about your Clear account, and you may not opt out of receiving such communications. You may choose to opt out of non-critical communications by going to
NOTE: If you opt out, you will not receive important updates offered by Clear. For more information on our privacy policy, please go to

Verified Identity Pass, 600 Third Avenue
10th Floor
New York, NY 10016

Black Hat 2008: Zen of Xen [Infosecurity.US]

Posted: 14 Aug 2008 08:04 AM CDT

Via BlackHat2008, TechWebTV has published another excellent interview video, this time discussing the Xen Hypervisor and the inherent security implications in virtualization, along with the now, nearly ubiquitous BluePill project.

On TV Warfare [Anton Chuvakin Blog - "Security Warrior"]

Posted: 13 Aug 2008 08:23 PM CDT

It is simply amazing that all the countries now "get it" that war happens primarily on TV (this vs this; many other examples are around). It is also amazing that there is NO way to know where "media reporting" ends and "psyops" begin. So, a burning tank with no clear markings that you see on TV might be:

  1. Tank belonging to warring side A
  2. Tank belonging to warring side B
  3. Just a tank that was passing by and got hit by mistake :-)
  4. Something that looks like a burning tank
  5. An archive shot that reporter added for visual impact

Same applies to the "primary weapon" of a modern TV war: "evidence of atrocities of the opposing side."

What's the truth? Who knows... progress brought us "TV wars," is this the first "YouTube war"? But if we cannot believe the media coverage, how can we believe a random video online? Well ... maybe the same way we often believe Wikipedia over Britannica.

In any case, if there was a better time to turn off the TV (and tune off the web news...), it would be now. Also, time to get the dust off my copy of Toffler?

Rant mode off :-)

UPDATE: fun article on that very subject (media vs psyops) - "Debating Domestic Propaganda: Part I"

UPDATE: "A column of Russian military vehicles, including tanks and armored vehicles, was reported to be moving toward Tbilisi with a journalist from U.S. media giant CNN riding along and reporting live for U.S. television. [...] The fact that Russia now has U.S. journalists embedded with its military to report every move being made is key. " (source)
