Posted: 19 Aug 2008 07:26 AM CDT
....considering it took about five minutes in MS Paint (and managed to hat-tip everything from Olive Oyl to The Matrix amongst other things), I think it's a pretty damn good gorilla / robot slapfest. Once you've worked out what order the panels read, of course.
Anyway, I can't think of anyone else that announces a week long holiday with gorilla-on-robot action. You too should draw your own battle of the titans and post a link here. When I return, I'll post a bunch of them up because, hey, robots are awesome.
Gorillas less so, but they have their place (being smacked up by robots, mostly).
Posted: 19 Aug 2008 03:23 AM CDT
How ironic - malware distributors are using the vulnerabilities inherent in IE (and other browsers) to distribute malware purporting to be an Internet Explorer update! The spammers did a few things to make the message appear to be legitimately from Microsoft, spoofing a Microsoft from address, and copy-pasting the MSN text into the bottom. Of course, [...]
Posted: 18 Aug 2008 11:27 PM CDT
I promised in an earlier article on my frustrations in dealing with web companies that I would talk about my most frustrating experience of all. Without a doubt, hands down the absolute worst company to deal with is Yahoo!
I have been a Yahoo customer since at least 1996 or 1997. I remember when Yahoo was a plain gray page and all they had was search. I have used MyYahoo as my home page since it first came out. I had a Yahoo email account (most people know that now), used Yahoo for fantasy football and for most of my personal email. Though the world went to Google, I stayed with Yahoo.
Though by 72 hours after the attack I had everything else back under control, here we are over a week later and I still don't have my Yahoo account back. It is shut down because the attackers sent out disgusting porn to people in my Yahoo address book. Of course this was mostly parents of the little league baseball, football and soccer teams I coach. But that is indicative of the quality type of people who were involved in this attack.
I have written and called to every address you can think of. They have asked for copies of my driver's license. They wanted all of my information from when I first applied for an account (yes, from 12 years ago). I have had to give them every email address I ever had (any time you fill out information for a new account you should make a record of it and keep it somewhere safe. Don't ask me where, but somewhere safe). Every mail address and zip code I have had. I sent them the answer to every secret question I can think of, but they won't give me the question they want answered. I sent them the hacker's post bragging about getting my email account.
Finally on Sunday I received an email that if I would call with the 8 digits of the credit card on file with my Yahoo wallet (I didn't even know I had a Yahoo wallet. Again, if you fill something out, keep a copy and record of it somewhere) I could have my account back. I called and left a message. I called again and left a message. I called again, and again and again. I have called about 12 times in 2 days and have not gotten one call back or even an email response. What does it take?
At this point I don't know if and when I may ever get my Yahoo account back. What a shame, all of that data and history lost. In the meantime I have made Google my homepage and am using iGoogle. I have to say, it is better than Yahoo. I have my gmail account. I am registering for new fantasy football on other sites. I am done with Yahoo. They are not a company I want to do business with anymore.
For a web giant, they should have better process and procedures in place to deal with an account being hijacked like this. Shame on me for having this happen, but shame on Yahoo for just not being a company that values its customers.
Posted: 18 Aug 2008 09:05 PM CDT
Christopher Beam wrote a short article for Salon last week with an attention-getting title: Hack the Vote - Five ways hackers could tamper with the 2008 elections over at Slate. After wasting five minutes of my time reading the article I thought I would waste another five minutes of my time writing a short summary of how "hackers" can "tamper" with the elections this fall. Please note that Mr. Beam has the word "hackers" in his title but consistently refers to them as "tricksters." Mr. Beam's short list of ways hacker-tricksters (hicksters?) can sabotage the vote are:
That's not to say these Internet tricks will upset the election—or even dent it. There are plenty of bright mischief-makers out there, but how many of them want to screw up elections? (Elect John McCain for the lulz!) And it may turn out that traditional methods of voter manipulation—such as, say, paying busloads of homeless people to pass out inaccurate sample ballots—will prove more effective. Plus, one smear campaign probably equals a thousand polling-place misinformation campaigns.
Posted: 18 Aug 2008 07:38 PM CDT
ZDNet’s Ryan Naraine and Dancho Danchev report an Adobe Flash exploit, targeting the clipboard feature on Windows, Mac and Linux, has cropped up in the wild. Notwithstanding my missive to be careful, evidently the hack is also evident on mainstream sites, and based on the blog post, those sites are Newsweek, Digg and MSNBC.com.
Posted: 18 Aug 2008 05:32 PM CDT
It’s been a busy summer here at Napera and I plan to get back into the blogging habit later this month. In the meantime, a couple of weeks ago I had the chance to chat with Mike Vizard of eWeek about managed security services, and the podcast is now up on the eWeek website.
Mike and I spoke during Seattle’s annual Seafair celebration, and if you listen real close to the audio you can hear the Blue Angels roaring over the Napera offices on Mercer Island on their practice flights!
I'm a geek at heart so I take part in a lot of geek-related activities. One of the ones I've gotten into within the last few years is boardgaming. Not your typical games like Monopoly, Scene-It or Risk (although I love Risk), but euro-games which, IMO, have a lot more strategy in them. It is because of this hobby I was at a LFGS the other night playing games with the local boardgaming group.
We were playing a game of Arkham Horror and in between turns one of my fellow gamers and I were talking about the laptop he had just brought and was playing with. He said it was mostly set up, but he had to go out and buy the latest AV suite to make sure it was protected. I mentioned that there were free AV software available which, IMO, were just as good as the commercial software. His response was that he had used them before, had liked them, but wanted the assurance he felt when he purchased the AV software. I was a little dumbfounded by his comment.
From his perspective, he felt safer paying $50+ for an AV suite of software than using free AV software which, to his own admission, would protect him just as well. I've seen this mentality in the corporate world as well. Corporations would rather shell out large amount o' cash for security suites or devices than use, just as good or better, free software because they felt safer paying for it. After all, if they are paying for it and it fails, they have someone to sue.
This post isn't meant to start a fight on commercial vs free software. I'm just confused by the perception out there in the corporate, or in the first case, the user world that paying for something will get you more protection than using free software. I guess I'm just surprised that this point of view is taken by end-users as well.
Has anyone else seen examples of this? Any good stories to share?
Posted: 18 Aug 2008 12:40 PM CDT
The folks over at Darknet just threw up a blog post entitled “OpenVAS - Open Vulnerability Assessment System (Nessus is Back!).” Finally! I won’t go into too much detail but was just excited to see this posted. Too bad BackTrack 3 just recently came out. It would have been nice to have this version of Nessus, I mean OpenVAS, on the CD. There’s always the next version…
Posted: 18 Aug 2008 12:08 PM CDT
My friend Tyler Reguly of nCircle and computerdefense.org is conducting some research on denial of service attacks, people's perceptions of them, etc. He posted a request for help on the nCircle360 blog here. The actual very short (did I say very short) survey is on computerdefense.org here. If you have 30 seconds to spare (it should not take you more than that) could you take the survey for Tyler? You don't have to be a security whiz and the survey is open to everyone.
I thank you, Tyler thanks you, yada, yada.
Posted: 18 Aug 2008 11:22 AM CDT
I've seen a lot of different mailinglist posts where people ask what kind of report they should write for a penetration test/web application assessment/vulnerability scan/other audit related activity. We all probably agree that the report is an important factor for showing the results of whatever task you've been assigned with.
The answer I have is: It depends. By that I mean that it is a lot up to the customer to decide the level of reporting you have to do. This should be decided upon the planning phase of the assessment. If the customer does not have a clue then you can always suggest your own "template". If you have no clue, like the people who ask what kind of report they should write, this could be a small guideline for you:
It is not rocket science, as long as you modify everything to suit the target audience. If you try to make yourself look important and knowledgeable with lots of buzzwords and other stuff, you might be successful in that. But is that beneficial to your customer if they don't understand your report?
If you are required to log all your actions and give those for the customer, then you need to have a solid way of logging your actions and might also be required to do a full verbal writeup of what has been done, when and so on. In such cases tool logs and/or tcpdump and other things might prove valuable.
Posted: 18 Aug 2008 11:19 AM CDT
CNET (recently purchased by the CBS Corporation (NYSE: CBS)) reports Massachusetts authorities have filed briefs with the court stating, unequivocally, that student information security researchers do not possess the right of free speech. Flagrant disregard for Constitutionally Guaranteed Rights, or fear of the truth about incompetent State Transportation officials? Don’t forget this is the agency that actually released the exploit to the web during brief filings with the Court. Not exactly evidentiary proof of information security competency…
Posted: 18 Aug 2008 10:57 AM CDT
As you all probably know, since version 3 Nessus turned to a proprietary model and started charging for the latest plugins, locking most of us out. Now we finally have a new, properly organised forked development with the name of OpenVAS - at last a decent and free Vulnerability Scanner! OpenVAS stands for Open Vulnerability Assessment...
Read the full post at darknet.org.uk
Posted: 18 Aug 2008 10:07 AM CDT
The Race to Zero results are in. And the winner was a group of three consultants from Mandiant Security. While I've only read a single report of the results, it sounds like the Mandiant guys really had their stuff together and used a combination of custom packing code and manual modification of binaries. They may not have been the quickest team to complete the race, but they were the most detail oriented and were able to pass all ten challenges presented to them. Kudos go to these guys and their hard work.
If you recall from a previous blog post, I suggested a "simple" idea of creating a "new" packing routine and simply using that to modify and thus pass the AV checks in the race. Well it turns out the fastest team to compete did exactly that. Team "retem" from the security firm Damballa, finished the contest in 2 hours and 25 minutes making them the fastest team in the competition. They were able to pass 7 of the 10 challenges using their custom packing solution.
"You can take any malware sample and pack it with an original packer, go to VirusTotal and get zero of 32 detections," [Paul Royal of Damballa] said.
I'm still not sure of the why of this competition, however it appears as if some good may be coming from it. If the end result is that companies and the general public don't rely on AV as a silver bullet, then maybe there was indeed a silver lining to the event. I doubt it's going to get the AV industry to attempt to work any harder at creating new methods of detection (they presumably are already researching new techniques as hard as they financially can), but if a single organization stops relying on AV as a sole layer of security, then the effort has been worthwhile.
Posted: 18 Aug 2008 08:21 AM CDT
Wired’s ThreatLevel blogger Ryan Singel posts a fascinating story of AT&T’s (NYSE: T) efforts to redirect privacy scrutiny by congressional investigators. In a written statement filed recently, they apparently tattle on Google’s (NasdaqGS: GOOG) privacy policies and procedures. Problem is, the telecom conglomerate may be right…
Posted: 18 Aug 2008 07:48 AM CDT
Ok. I’m going to break the rules. I always tell the team be clear on the facts, explain your opinions, you own what you write, and above all avoid personal attacks on the blog.
I actually held back when I saw Joe Weiss’s blog post, which followed a Walt Boyes blog, castigating DHS, DoE, and a slew of other organizations for not attending Weisscon a few weeks back. There are a lot of events now. PCSF, SANS, ISA Expo, sector events, vendor user groups, … People have to make choices, and it is competitive. Obviously they didn’t feel the event made the cut. Maybe it was the agenda? the anticipated attendees? Repetition from previous years? Maybe it was the time or place? The price? Who knows in each case, but obviously they did not feel compelled to attend. The deal was not closed.
We put on an event, the SCADA Security Scientific Symposium S4 (note the call for papers is open through Sept 15th). We believe it is the premier research event in the control system security space, but it is our job to convince others via a killer agenda, attendees who are leaders in this area, great environment, fun, right price, right place and so on. Like most event organizers we would like it to be the hot ticket that all the leaders in this area feel they can’t miss. That said, I can’t imagine calling out organizations who did not attend. They made a choice. Try to improve either the content or event marketing for next year.
Now the real petty part of this post. Joe’s latest blog post states we lack “a fundamental understanding of control systems and impacts of computers on system performance”. I know there are multiple repeat consulting clients which run many of the largest control systems in their sectors who would disagree, and equally important our research results, SCADApedia, blog, presentations, podcasts, etc. are easily available. Bandolier, the project he references, is in fact well on its way to being wildly successful. Control system vendors and asset owners are thrilled that they will have an easy and much safer way to audit the multitude of security settings on control system workstations and servers. Quickdraw, the PLC passive security log generator, is well on its way as well and in the next month you will see the first 25 security events. I’ll leave it at that, and let others evaluate based on our very open trove of information on the site.
The main point is the community needs to get away from this trend of pointing fingers and “saying you’re not qualified to participate” in this space. Stick to the facts, and let’s focus on the results. The control system security space still has so much work that needs to be done that it is easy to find a place to contribute. If something can be done better. Great. Do it. We feel frustrated sometimes that there are not more success stories to highlight in the blog, although there are some like Secure DNP3, Procurement Project, etc. Let’s stop the carping on generalities and get to developing and analyzing specific solutions, tools, guidelines, standards and other resources. Contribute to the effort and put your results out there for sale or pro bono.
Ok. That’s it. You won’t be hearing further back and forth from me or Digital Bond on this petty issue.
Posted: 18 Aug 2008 03:35 AM CDT
I recently started working with OSISoft’s PI ACE for use in the Portaledge project. Kevin and I put together a sample Meta-Event involving snort events, a key logger and uploading new firmware to a PLC. The code below is an example of an ACE library that will run every 5 minutes and iterate through the past 15 minutes of data. Due to the nested for loops, this may not be the most efficient method but it works as a proof-of-concept.
```vbnet
Public Overrides Sub ACECalculations()
    Dim Syslog_PtOneValue, Syslog_PtTwoValue, WEL_PtOneValue, WEL_PtTwoValue As PIValue
    Dim Syslog_PtOneValArray, Syslog_PtTwoValArray, WEL_PtOneValArray, WEL_PtTwoValArray As PIValues
    Dim AttackIP As String

    ' Stage 1: look back 15 minutes in the syslog point for a Snort "NMAP Scan" event
    Syslog_PtOneValArray = Syslog22.Values("*-15m", "*", 0)
    For Each Syslog_PtOneValue In Syslog_PtOneValArray
        If StrMatch(Syslog_PtOneValue.Value, "NMAP Scan") Then
            AttackIP = GetIP(Syslog_PtOneValue.Value)
            ' Stage 2: from the scan onward, look in the Windows event log point for a login from that IP
            WEL_PtOneValArray = WEL_22.Values(Syslog_PtOneValue.TimeStamp, "*", 0)
            For Each WEL_PtOneValue In WEL_PtOneValArray
                If StrMatch(WEL_PtOneValue.Value, AttackIP, "Xwin Login", "|") Then
                    ' Stage 3: then a CorpNet-to-FEP connection from the same IP
                    Syslog_PtTwoValArray = Syslog22.Values(WEL_PtOneValue.TimeStamp, "*", 0)
                    For Each Syslog_PtTwoValue In Syslog_PtTwoValArray
                        If StrMatch(Syslog_PtTwoValue.Value, AttackIP, "CorpNet to FEP") Then
                            ' Stage 4: finally a firmware upload event after the connection
                            WEL_PtTwoValArray = WEL_22.Values(Syslog_PtTwoValue.TimeStamp, "*", 0)
                            For Each WEL_PtTwoValue In WEL_PtTwoValArray
                                If StrMatch(WEL_PtTwoValue.Value, "", "Firmware Upload", "|") Then
                                    PortaledgeTemplate_Alert.Value = "Portaledge MetaEvent Detected"
                                End If
                            Next
                        End If
                    Next
                End If
            Next
        End If
    Next
End Sub
```
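The same four-stage meta-event (scan, login from the scanning IP, CorpNet-to-FEP connection from that IP, firmware upload) can be correlated in a single time-ordered pass instead of four nested loops. The Python below is an added illustration, not Portaledge or OSIsoft code: the `Event` record, the `get_ip()` stand-in for the post's `GetIP()`, the `CHAIN` table and the sample syslog and Windows event log lines are all constructed here, and the chain is expressed as data so further stages can be added without another loop level.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # "syslog" or "wel" (Windows event log), mirroring the two PI points in the post
    text: str

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def get_ip(text: str):
    """Hypothetical stand-in for the post's GetIP(): first dotted quad in the message, or None."""
    m = IP_RE.search(text)
    return m.group(0) if m else None

# Meta-event chain from the post, as data: (source point, required substring, must mention attacker IP)
CHAIN = [
    ("syslog", "NMAP Scan", False),
    ("wel", "Xwin Login", True),
    ("syslog", "CorpNet to FEP", True),
    ("wel", "Firmware Upload", False),
]

def detect_meta_events(events, now, window=timedelta(minutes=15)):
    """One ordered pass: a scan inside the lookback window opens a chain keyed by attacker IP;
    later events advance that chain stage by stage. Returns [(attacker_ip, [matched events])]."""
    progress = {}   # attacker IP -> events matched so far (length == next stage index)
    alerts = []
    src0, needle0, _ = CHAIN[0]
    for ev in sorted(events, key=lambda e: e.ts):
        # Stage 0 only opens a chain when the scan falls inside the lookback window ("*-15m" .. "*")
        if ev.source == src0 and needle0 in ev.text and now - window <= ev.ts <= now:
            ip = get_ip(ev.text)
            if ip and ip not in progress:
                progress[ip] = [ev]
            continue
        # Otherwise try to advance every open chain; sorted order guarantees stages occur after the scan
        for ip, trail in list(progress.items()):
            src, needle, needs_ip = CHAIN[len(trail)]
            if ev.source != src or needle not in ev.text:
                continue
            # whole-token match so 10.0.0.5 does not match 10.0.0.50
            if needs_ip and not re.search(rf"\b{re.escape(ip)}\b", ev.text):
                continue
            trail.append(ev)
            if len(trail) == len(CHAIN):
                alerts.append((ip, trail))
                del progress[ip]
    return alerts

def sample_events():
    """Constructed log lines: one complete chain for 10.0.0.5, a scan from 10.0.0.9 that never
    progresses, and a benign firmware upload with no preceding scan."""
    base = datetime(2008, 8, 18, 3, 0)
    m = lambda k: base + timedelta(minutes=k)
    events = [
        Event(m(-30), "wel", "1001||Firmware Upload|scheduled maintenance, PLC-1"),
        Event(m(1), "syslog", "snort[1234]: NMAP Scan detected from 10.0.0.5"),
        Event(m(2), "syslog", "snort[1234]: NMAP Scan detected from 10.0.0.9"),
        Event(m(3), "wel", "4624|10.0.0.5|Xwin Login|operator"),
        Event(m(5), "syslog", "fw: CorpNet to FEP allowed src=10.0.0.5 dst=192.168.1.20"),
        Event(m(6), "wel", "1001||Firmware Upload|PLC-3 image.bin"),
    ]
    return events, m(10)   # "now" for the 5-minute scheduled run

def run_demo():
    events, now = sample_events()
    return detect_meta_events(events, now)

if __name__ == "__main__":
    for ip, trail in run_demo():
        print(f"Portaledge MetaEvent Detected for {ip}:")
        for ev in trail:
            print(f"  {ev.ts:%H:%M} {ev.source:6} {ev.text}")
```

Keying the open chains by attacker IP is what lets the pass stay linear: each new event is compared against the next expected stage of each open chain only, and a chain that never reaches the firmware upload simply expires when the scan that opened it ages out of the window.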
I am going to look into triggering ACE libraries from events, allowing one ACE library to trigger another ACE library. On the plus side, stacked libraries can use more generic code and will permit increased levels of severity. Negative aspects to stacked libraries include increased initialization time, additional complexity and libraries not being initialized. I will be talking with a few people from OSIsoft to determine the most efficient path. Stay tuned.
Posted: 17 Aug 2008 06:00 PM CDT
Censorship in China? No, in Italy
You know I'm Italian and I'm not used to talking about security in my home country since basically there's no such field in Italy and the only news you can get is about someone being fined for downloading music.
Posted: 17 Aug 2008 04:27 PM CDT
Well, another reason for you guys (and gals) to avoid social networks: a new worm is spreading. Again they are using the same ploys that have been leveraged for years on e-mail and instant messaging. Trust is gained as the message or link/video/etc comes from a known source so people are more likely to click/open/play it [...]
Read the full post at darknet.org.uk
Posted: 17 Aug 2008 10:15 AM CDT
Alan Shimel (CSO of StillSecure, respected security blogger and recent victim of a web hijack by miscreants unknown) tells his side of the story. Key to this debacle is the apparent (and I can personally attest to this) ineptitude and convoluted support structure at Godaddy (to say nothing of the issues he had with TypePad). Bob Parsons (sole investor of GoDaddy Group, Inc), are you listening?
You are subscribed to email updates from Security Bloggers Network.