Sunday, August 24, 2008

Spliced feed for Security Bloggers Network


Risk and CVSS (Post 1) [Risktical Ramblings]

Posted: 24 Aug 2008 05:02 AM CDT

I recently stumbled across the CVSS v2 vulnerability scoring method – as I was writing a post about risk vernacular. Per the CVSS v2 complete guide, "The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impact of IT vulnerabilities."  As I started highlighting parts of the guide that were thought provoking from a risk perspective, I realized this would probably result in at least two posts – maybe three. So off we go…

I would encourage anyone reading this to perform their own review of CVSS and how it can possibly augment their own risk assessment efforts. In my opinion, there are some really useful "metric vectors" that provide a simple yet powerful way to analyze a vulnerability. In addition, I really like how they have a simple "scoring vector" – essentially a shorthand representation of all the individual "metric vectors". I could see how this could be really useful for archiving / documenting purposes, but also for being able to manipulate it programmatically for other purposes.

Thought 1: One of the first things that stood out to me as I started reading the CVSS guide was on page three, where they talk about "prioritized risk". While I agree that their vulnerability score can be considered contextual and be used to compare variance in multiple vulnerabilities– I do not agree that it is representative of the actual risk to the organization.

Here is why.

Nowhere in CVSS is there a metric for gauging how often assets within your environment that have the vulnerability being analyzed are being attacked, let alone compromised. Now, I am not implying that the authors and maintainers of CVSS are trying to mislead security professionals – but I think this underscores a problem within our industry about knowing what risk is, the elements that make up risk, and risk vernacular.

Let's talk about vulnerability for a minute. Generally speaking, it can be something (noun, a weakness) or a state / condition (adjective, my application is highly vulnerable to x). It would appear that CVSS accounts for both because you use CVSS to determine how vulnerable you are to vulnerability. Sounds confusing – but not all is lost.

FAIR – the risk assessment methodology I use - accounts for vulnerability as a condition. Within FAIR, vulnerability is derived from "threat capability" (the percentage of my threat community that can overcome control resistance) and "control resistance" (the percentage of control resistance I have against the "threat population" as a whole; for FAIR, threat community is a subset of threat population). When you have and can leverage a methodology and risk taxonomy like FAIR – you can see how easy it is to not take for granted what I would call risk term generalizations – using terms without truly understanding how they should be properly used or not knowing what they really mean. Just to reiterate – vulnerability is an element of risk – not risk itself.

Thought 2: On page 6, section 1.7 of the guide, "Quick Definitions", "threat" is defined as the "likelihood or frequency of a harmful event occurring". This is the closest CVSS comes to touching "threat event frequency" or "loss event frequency". Threat can be both a noun and a verb – but I have yet to see a dictionary that includes likelihood in its definition. It may sound like I am splitting hairs on definitions and picking on the CVSS folks – this is not my intention; but some of the concepts being discussed are foundational to understanding risk.

To wrap this first post about CVSS, I would offer the following:

1.    That the CVSS-SIG consider participating in The Open Group; specifically in the "Risk Management and Analysis Taxonomy" forum.
2.    Do not discount the usefulness of CVSS in analyzing a vulnerability or a state of vulnerability. Just because there may be some risk term shortcomings does not mean their metric vectors cannot be effectively used.

In the next CVSS related post, I will focus more on the CVSS Metric Groups and how these have forced me to take a step back and evaluate the rigor and consistency I apply to risk assessments.

Please help by filling out our survey [Episteme: Belief. Knowledge. Wisdom]

Posted: 23 Aug 2008 03:11 PM CDT

At our recent Defcon 16 talk on Careers, Lee Kushner and I released a survey on careers in the information security industry.

Lee and I have spent the last couple of years having a good number of conversations on the way that people navigate careers in this industry, and we have talked about it at a few conferences now. But we got really tired of not having any real data on the topic. There are a good number of “career” or “salary” surveys that are done every year, but all of them have a particular slant - whether they’re performed by a professional organization or a media outlet, there’s a particular audience that is served by the survey that tends to slant the results toward a particular segment of the industry.

Lee and I were lamenting this a few months back, and one of us said: “Man, wouldn’t it be fantastic if there was a survey that covered the entire breadth of the industry, with no particular audience as a target?”

Since there wasn’t, we decided to create one. And, since we’re not great survey experts, we worked with Dr. Max Kilger, a Ph.D. from Stanford who has done great work with the Honeynet Project. Max’s brilliant guidance helped us turn the survey into something useful for gathering real, unbiased data on what’s going on in the industry.

So, I’m asking - please help us out with this one by filling it out. We’d love to be able to come back at the end of 2008 and give some real data to the industry on what’s actually going on out there.

Fill out the survey here.


Red Hat Linux servers compromised [SecuraBit]

Posted: 23 Aug 2008 09:34 AM CDT

As announced on a Fedora mailing list, some Fedora servers were illegally accessed and “a small number of OpenSSH packages” were signed by the intruder. The servers were taken offline quickly after the breach was discovered. As a security precaution, Red Hat has changed the signing keys for Fedora, updated OpenSSH packages and also issued [...]


VRT challenge [Random Thoughts from Joel's World]

Posted: 23 Aug 2008 08:31 AM CDT

The guys and girls over in the VRT (Vulnerability Research Team) at Sourcefire want to give you a challenge. Read this post over here, and get your reverse engineering skills up to par. Have fun!


Dan Kaminsky loves SecuraBit and you should too! [SecuraBit]

Posted: 22 Aug 2008 09:08 PM CDT

We tossed him a shirt while he was at the IOActive party just before we ventured up to the Core Impact party in Caesars Palace.  Thanks for your support Dan!


Latest tools from Defcon 16 [SecuraBit]

Posted: 22 Aug 2008 08:46 PM CDT

Thanks to Mubix for his posting on ZDNet, below you will find a link that describes all of the latest tools that were presented at Defcon 16.  Use them at your own discretion and make sure you have permission if using them on an enterprise network!  As Mubix has no control over the ZDNet posting, [...]


Privacy? What Me Worry? [Liquidmatrix Security Digest]

Posted: 22 Aug 2008 03:56 PM CDT

I’m always surprised (for some reason) when I wander into a new corporate environment. Walking from the front door to the conference room of the day I invariably pass workstations with Facebook, MySpace or something equally inane gracing the screen. To say nothing of folks who install P2P apps on their corporate systems.

Where’d their brains go? It’s not like they don’t get the riot act read to them when they start a new job. For that matter most environments provide regular “security awareness” training. Still it continues.

CIO has an interesting article on the enduring disregard that white collar folks have for privacy.

The telephone survey of 1000 "white-collar" employees conducted by the London-based IT security association found 65 percent of respondents are not very concerned or not at all worried about their privacy on work computers, while 63 percent were not worried about the security of information stored on their computers.

Peer-to-peer file-sharing programs were regularly used at work by 7 percent of respondents, and at least once by 15 percent. Up to 35 percent of respondents admitted violating corporate IT policy, however the survey did not reveal the details of the breaches.

How can we as security folks bridge the gap to help educate folks in a meaningful manner?

I’m going to take this box of chocolate bars and go for a walk.


Article Link

Diebold/Premier Voting Machines Crap Setting On 11 [Liquidmatrix Security Digest]

Posted: 22 Aug 2008 03:32 PM CDT

That purveyor of all things craptacular, as it pertains to electronic voting, is in the news again. Diebold Premier Election Solutions has admitted that there is a problem with the touch screen voting machines in Ohio. Originally the vendor had blamed antivirus software for the problems that they were experiencing.


From The Columbus Dispatch:

But in a letter Tuesday to Brunner, Premier President David Byrd admitted that further testing showed a source-code error that can cause votes not to be recorded when memory cards are uploaded to computer servers under certain circumstances.

“We are indeed distressed that our previous analysis of this issue was in error,” Byrd wrote.

Brunner is suing to recover the millions of taxpayer dollars spent to buy Premier touch-screens after she said an investigation this year showed that votes in at least 11 counties had been dropped in recent elections.

Recovering tax payer dollars for a start. What about auditing the results of past…oh, who am I kidding?

Silly me.

So, these machines that “lose” votes will not be fixed in time for the election? I say it’s time for one helluva refund for the State of Ohio. Get those pencils sharpened. Time to roll back to tried and true voting methods.

Article Link

Favorite Olympic Moments [The Falcon's View]

Posted: 22 Aug 2008 01:22 PM CDT

Now that the Olympics are at an end, I wanted to take a few minutes to reflect on some moments that I thought represented the best and worst of these Games. Top Moments 1) Michael Phelps - Talk about an...

SQL-Injection How-To [Roer.Com Information Security - Your source of Information Security]

Posted: 22 Aug 2008 11:58 AM CDT

SQL Injection attacks use form inputs in order to manipulate the SQL server. In these kinds of attacks, the hacker may get control over the server, and thus access information that should be protected.

In order to better control and protect yourself against such attacks, it is always nice to know more about how they work. Kassaras has made a very nice How-To, where he explains in detail how you can set up a test system and then try to manipulate it.

The post is well worth a read!
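
A self-contained illustration of the attack the post describes, as an added example that is not from the linked how-to or the post's author. It uses an in-memory SQLite table (constructed here; the table, user names and passwords are made up) so that you can see a login query built by string concatenation fall to the classic `' OR '1'='1` and `alice' --` inputs, beside the same query written with bound parameters, which treats the identical input as plain data.

```python
"""SQL injection through a login form: vulnerable concatenation vs. bound parameters."""
import sqlite3


def setup_db():
    """Constructed sample data standing in for an application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Form input is pasted into the SQL text, so it can rewrite the query itself."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Form input is bound as a parameter; the query shape is fixed before data arrives."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Two classic payloads: tautology in the WHERE clause, and a comment that
# truncates the password check. Both are ordinary strings to the safe version.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice' --"

if __name__ == "__main__":
    db = setup_db()
    print("tautology, vulnerable:", login_vulnerable(db, TAUTOLOGY, TAUTOLOGY))
    print("tautology, safe:      ", login_safe(db, TAUTOLOGY, TAUTOLOGY))
    print("comment,   vulnerable:", login_vulnerable(db, COMMENT_OUT, "wrong"))
    print("comment,   safe:      ", login_safe(db, COMMENT_OUT, "wrong"))
```

Running it shows the vulnerable query returning every user for the tautology and logging in as alice with a wrong password for the comment payload, while the parameterised query returns nothing for either. Input validation on top of this is fine, but parameter binding is the control that actually removes the flaw.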

Red Hat’s Fedora Servers Breached [Liquidmatrix Security Digest]

Posted: 22 Aug 2008 10:37 AM CDT

It turns out that last week Fedora servers, including one that is used to sign packages, were compromised. Red Hat claims that the servers were taken offline as soon as the breach was “quickly” discovered.

The question lingers. When were they breached?


One of the compromised Fedora servers was a system used for signing Fedora packages. However, based on our efforts, we have high confidence that the intruder was not able to capture the passphrase used to secure the Fedora package signing key. Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.

While there is no definitive evidence that the Fedora key has been compromised, because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys.

Running Fedora? You might want to check your systems just to be safe. Also, the folks at Red Hat are asking for anyone that has information on this breach to contact their legal folks via “fedora-legal SHIFT2 redhat com”. They make a point of noting that the Fedora and Red Hat servers are separate. The Red Hat servers also use a different key that was not accessed.

Article Link

DEFCON 16 – The Tools not the Toools []

Posted: 22 Aug 2008 09:37 AM CDT

Originally posted to the Zero Day blog on Ziff Davis:

This article was also referenced in a Dark Reading blog post by John Sawyer:

All updates will reside here as I have no control over the article on Ziff Davis.

    DEFCON, the 9000+ attendee hacker conference in Vegas has become a sort of hydra conference. It has become more like a global fair than what most people think of conferences; even the badge is highly unique. I say this because there are so many things to do at DEFCON, other than going to talks, that you could spend your whole weekend looking at the “World’s Largest Boar!”, so to speak. One of the CTF (Capture the Flag) contest winners this year actually exclaimed that he only made it to 2 talks in 12 years! I am also one of those individuals who barely get a chance to go to talks and now that the speaker pool is so diverse it’s hard to find all of the “stuff” they release. Before anyone has a chance to post “It’s all on the DEFCON CD dummy” I want to challenge them to try. After a weekend of googling (which came back with few results) and making contact with some of the speakers, I provide you with a mostly accurate list of “stuff” that was released at DEFCON this year. If any of the information is inaccurate, or a tool is missing, please contact me and I will update this post.

The DEFCON CD can be found here:

Think you are good enough? The binaries from Capture the Flag have been posted here:

PE-Scrambler by Nick Harbour

Packet-O-Matic by Guy Martin

  • Description: “A real time packet processor” - It extracts and can reinject packets. This includes VoIP calls in real time, Cable Modem (DOCSIS) traffic, and a whole host of others.
  • Homepage Link:
  • Email Address:

SA Exploiter by Securestate

Fast-Track by Securestate

Beholder – by Nelson Murilo and Luis Eduardo

The Middler – by Jay Beale

ClientIPS – by Jay Beale

  • Description: An open source inline “transparent” client-side IPS
  • Homepage Link:  (Online?)

Marathon Tool – by Daniel Kachakill

The Phantom Protocol – by Magnus Brading

  • Description: A Tor-like protocol that fixes some of Tor’s major attack vectors
  • Homepage Link:
  • Email Address:

ModScan – by Mark Bristow

Grendel Scan – by David Byrne

  • Description: Web Application scanner that searches for logic and design flaws as well as the standard flaw seen in the wild today (SQL Injection, XSS, CSRF)
  • Homepage Link:

iKat – interactive Kiosk Attack Tool  (This site has an image as a banner that is definitely not safe for work! – You have been warned) by Paul Craig

  • Description: A web site that is dedicated to helping you break out of Kiosk jails
  • Homepage Link:
  • Email Address:

DAVIX – by Jan P. Monsch and Raffael Marty

CollabREate – by Chris Eagle and Tim Vidas

  • Description: An IDA Pro plugin with a server backend that allows multiple people to collaborate on a single RE (reverse engineering) project.
  • Homepage Link:
  • Email Addresses: and

VMware Pen-Testing Framework – by John Fitzpatrick

Dradis – by John Fitzpatrick

  • Description: A tool for organizing and sharing information during a penetration test
  • Homepage:
  • Email Address:

Squirtle – by Kurt Grutzmacher

  • Description: A Rogue Server with Controlling Desires that steals NTLM hashes.
  • Homepage: (Live?)
  • Email Address:

WhiteSpace – by Kolisar

  • Description: A script that can hide other scripts such as CSRF and iframes in spaces and tabs
  • Download Link: DEFCON 16 CD

VoIPer – by nnp

  • Description: VoIP automated fuzzing tool with support for a large number of VoIP applications and protocols
  • Homepage Link:

Barrier – by Errata Security

  • Description: A browser plugin that pen-tests every site that you visit.
  • Homepage Link:
  • Email Address:

Psyche – by Ponte Technologies


Reputation Damage & Measurement []

Posted: 22 Aug 2008 09:33 AM CDT

Reputation damage can be one of the most difficult concepts to build measurements around.  In fact, it can be difficult to develop the actual metrics for the measurements, as well.  Damage to things like “corporate reputation” and “goodwill” and “brand equity” can be difficult to wrap even reasonable dollar estimates around (When I use FAIR, I really only care to use one metric when describing loss magnitudes - the almighty currency).

A complicating factor is the impact (or lack thereof) of incidents on stock price.  Many researchers who identify themselves with the New School of Information Security (yours truly included) want to immediately look at stock price as a bellwether metric for incident impact.  I think this stems from our days of slinging FUD, back when we could scream “Buy a firewall or we’ll have an incident and you’ll be on the front page of the paper and the stock price will go down!”  But these days notable incidents seem to suggest that the impact on stock price for an incident is short lived.  With qualifications, of course.

So what would/should we make of this from

£12million ($24m) Wiped off Helphire Stock after Malicious Email Sent to Clients

Car hire firm Helphire have taken Google to court after a malicious email sent from a Gmail account saw their shares plummet £12million in a single day.

The Bath-based business who specialise in providing replacement cars to ‘no-fault’ drivers involved in accidents on behalf of car insurance companies, initiated legal proceedings against the search engine giant as part of their attempt to find out who is responsible for sending the defamatory mailing.

Google are now known to have complied with the court order and have controversially supplied details of the email account and ISP used by the meddler.

Written under the pseudonym Peter Franks, the 1200 word email is known to have been sent from a gmail account that was opened specifically for this purpose and closed a few minutes after the damage had been done…

…The misdemeanour couldn't have come at a worse time for the struggling firm who have undergone a £45million rights issue and seen a 75% drop in the value of their stock already this year.

That last paragraph, for me, explains some of the difficulty in tying reputation damage to stock decreases.  It’s like when you read the headlines from Bloomberg about why the day’s stock (or commodity) prices are up or down.  You know, the “Oil closes $3 higher on news that a notable South American dictator has a rather unpleasant boil in a very uncomfortable area” type of headlines.  You really do have to question the causality and correlation.  So in the Helphire case above - is this new drop in stock really because of the email sent?  If so, should we view that $24mil number as an independent data point to describe this sort of attack on reputation, or is the magnitude aggravated due to the long-term trend of stock price?

Even when we have “Objective Data” (an in-joke for Adam S.) like this decline in stock price, it is really difficult to provide any sort of precise estimate or measurement - about the future, present or past.  The best we can do is use ranges, distributions, that are reasonable based on evidence and observation.

So it’s worth filing away this sort of datum for future use - while dutifully acknowledging the qualifiers we might place around it.

So the questions I ask here - what should we make of this new information, and how should we view the $24million drop - they’re not rhetorical.  I am very interested in your views and welcome your comments!

All I Need To Know About Project Management I Learnt From My Cats [The InfoSec Blog]

Posted: 22 Aug 2008 09:29 AM CDT

The most interesting, creative, fun and innovative people don’t run with the pack. You’re a leader because your team believes you are worth following, not because you are appointed leader. You don’t lead by giving orders, you lead by motivation. Don’t expect to generate consensus easily, and be very suspicious when it occurs other than spontaneously. ‘Who’s to blame’ is the [...]

Fedora servers pwnd [Network Security Blog]

Posted: 22 Aug 2008 09:18 AM CDT

The servers at Fedora were attacked and compromised recently. The folks at Redhat are confident that none of the Fedora packages were compromised, but I’d be cautious for a while until the whole story is known.


PaulDotCom Security Weekly - Episode 119 - August 21, 2008 [PaulDotCom]

Posted: 22 Aug 2008 09:16 AM CDT

Paul & Larry are back in the studio!


Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian


Direct Audio Download

Audio Feeds:

Are Mission Statements High Entropy? [The InfoSec Blog]

Posted: 22 Aug 2008 09:08 AM CDT

My friend and fellow security droid Gary Hinson asked why so many corporate mission statements end up being utter gibberish, with more meanings than bits. Hmm. A ‘bit’ being, according to /usr/share/units.dat, a measure of entropy. No Gary, I think that corporate mission statements, like political party policies, are high entropy, and with a high negative correlation with [...]

Billion and Billions. [The InfoSec Blog]

Posted: 22 Aug 2008 09:00 AM CDT

No, not a Google, it’s a Sagan! I’m sure that like me you get mails that read something like From:Mr.John Lewis Phone No: 44-702 409 9061 This is to inform you that your funds of US$15 Million has been approved for immediate delivery to you. For the purpose of clarification,you are advised to reconfirm your Full Names,Direct Telephone Numbers,Physical Address with Zip Code [...]

A sign of the times [The InfoSec Blog]

Posted: 22 Aug 2008 08:48 AM CDT

It seems that many people in HR don’t realise that the interview is a two-way street. Not only are they trying to find out if the candidate is suitable, but the candidate wants to know about the position, the firm, the job and the people he will be working with. The most successful [...]

Security Briefing: August 22nd [Liquidmatrix Security Digest]

Posted: 22 Aug 2008 07:38 AM CDT


Starting the day off in the dentist chair. The bright side being that Friday has arrived. Have a great weekend everyone!


And now, the news…

  1. FEMA’s Phone System Hacked | Information Week
  2. Personal Data on Thousands of Officials Leaked | The Dong-a Ilbo
  3. Thousands of criminal files lost in data fiasco | The Times
  4. PCI DSS: What to expect in October | The Tech Herald
  5. Security-conscious loses 4 million people’s data | MacWorld
  6. Congress: Terror database upgrade failing | Associated Press
  7. Essential Computer Tips for Parents and Teachers | Education World


Apple’s giving spammers a hand [Network Security Blog]

Posted: 22 Aug 2008 12:50 AM CDT

I almost think it’s time to create a new blog called “Security Stupidity”. The latest issue to catch my eye is Apple’s “it’s not a security problem because nobody noticed” declaration; Michael Arrington has pointed out that Apple has made it easy for someone to enumerate the and email address range by making public folders that use the same name as the email address. I’m sure I can think of several dozen people who presented at Defcon a couple of weeks ago who could do this in a matter of hours.

Michael Arrington has this one dead to rights: the bad guys have probably already figured this one out and are taking advantage of it as you’re reading this. There’s no way to remove an account name from this list, which means that Apple has no way of fixing this information leak without a major overhaul of their systems. I didn’t sign up for a address before and now I’m glad.

I hope you’re not using your or addresses for anything major, because they’re about to become spam magnets. This is the real power of full disclosure: Michael Arrington tried to tell them, they didn’t do anything so he disclosed, now Apple is going to pay the consequences, along with everyone who owns one of these email accounts.

Rather than admitting they’re wrong and fixing the problem (if that’s even possible), Apple will probably continue to deny this is a problem. But once it becomes a widespread issue, they’ll probably still deny it and quietly step up their behind the scenes anti-spam efforts. And we all know how well that’ll work.


Pwnie Award Winners and Video Posted [...And You Will Know me by the Trail of Bits]

Posted: 21 Aug 2008 05:11 PM CDT

Congratulations to all of the nominees and winners of the 2008 Pwnie Awards.  We had a much larger turnout for the ceremony this year and we actually had people present to accept their awards and give acceptance speeches.

In case you missed the awards, you can see the list of winners at the Pwnie Awards site.  Or get yourself some fresh popcorn, a cold beer, and some nice buggy code to relax and watch the video that Alex Sotirov just uploaded today.  Be sure to mock the guy with the “I <3 Pwnies” t-shirt.

Many banks have design flaws that facilitate phishing [Tim Callan's SSL Blog]

Posted: 21 Aug 2008 04:25 PM CDT

The Street picked up some tips I published for people to protect themselves online. That fact got me reading the article originally, but what I want to call your attention to today is the other half of the article, which details some interesting research implying that online banks commit an awful lot of errors that enable phishing against their customer bases. States the article,

The study found that of the 214 U.S. financial institution Web sites that were analyzed, 76% of them had at least one design flaw which could compromise your financial data.

Unlike many studies that focus on the vulnerabilities of the coding of the Web sites, where hackers may be able to gain access to information, this study focused on design flaws of the banks' sites that made it easier for users to be tricked into giving up private information (phishing). The flaws include placing log-in boxes and contact information on insecure Web pages (47% of banks), putting contact information and security advice on insecure pages (55% of banks), redirecting customers to a site outside the bank's domain for certain transactions without warning (30% of banks), emailing security-sensitive information insecurely (31% of banks) and allowing easy-to-guess user IDs and passwords such as Social Security numbers or email addresses.

The first of these topics (placing logins on pages that are not secured by SSL) is a personal pet peeve of mine and something I've written about in the past. Fortunately it's getting better, and many online banks are correcting this bad behavior, but clearly based on this research many have not. I will dig into the research in more depth and give you a summary of what it says and my commentary on it.
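
A small offline check for the first three flaws the study lists (login box on a non-HTTPS page, credentials posted over plain HTTP, and a login that posts to a host outside the bank's domain), as an added example that is not from the post's author or the study. It parses a page's forms with the standard library and reports any form containing a password field that violates one of those rules; the sample page, URLs and bank domain are constructed for the demonstration.

```python
"""Flag login forms that are served or submitted insecurely, or that post off-domain."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record every <form> with its action and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html, bank_domain):
    """Return (finding, url) pairs for each password form on the page that breaks a rule."""
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    for form in collector.forms:
        if not form["password"]:
            continue                      # search boxes etc. are not login forms
        # An empty action submits back to the page itself.
        target = urlsplit(urljoin(page_url, form["action"] or page_url))
        if page_scheme != "https":
            # The user cannot verify who served the form, so it can be swapped for a fake.
            findings.append(("login form served over plain HTTP", page_url))
        if target.scheme.lower() != "https":
            findings.append(("credentials posted over plain HTTP", target.geturl()))
        host = (target.hostname or "").lower()
        if host != bank_domain and not host.endswith("." + bank_domain):
            findings.append(("login posts outside the bank's domain", target.geturl()))
    return findings


# Constructed sample: a bank home page served over HTTP whose login form posts to
# a third-party host. The domains are fictitious.
SAMPLE_PAGE_URL = "http://www.examplebank.test/"
SAMPLE_HTML = """
<html><body>
<form action="http://search.examplebank.test/q"><input name="q"></form>
<form action="https://login.thirdparty.test/auth" method="post">
  <input name="user"><input type="password" name="pass">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding, url in audit_login_page(SAMPLE_PAGE_URL, SAMPLE_HTML, "examplebank.test"):
        print(f"{finding}: {url}")
```

Feed it the fetched HTML of a real login page together with the URL you fetched it from; a clean result is an empty list. It deliberately does not follow the "security advice on insecure pages" or "guessable user IDs" items, which need a human to judge.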

AppleCare Support Call Foolishness [Liquidmatrix Security Digest]

Posted: 21 Aug 2008 03:08 PM CDT

Tom has a post that just has to be read on his experiences with the support folks at Apple. He called them when the hard drive on his wife’s laptop started to fail.

From spylogic:

“You agree and understand that it is necessary for Apple to collect, process and use your data in order to perform the service and support obligations under the Plan. This may include the necessity to transfer your data to affiliated companies or service providers located in Europe, India, Japan, Canada, People's Republic of China or the U.S.”

Huh? People’s Republic of China? That’s nice. I couldn’t find any reference noting what Apple does with your personal “hard drive” data. They only mention your name, address, things you purchased, etc…

Now, the best part is the rather interesting transcript of his conversation with the support person. Be sure to read the full posting.

Article Link

Surprise! Microsoft copies Apple, again. [Random Thoughts from Joel's World]

Posted: 21 Aug 2008 12:34 PM CDT

According to this article over on BBC News, IE8 will include a "Privacy feature" while browsing.  Something that has been in Apple's Safari browser for at least a couple of versions now.  I mean, it's obvious they were going to copy it, as it's a great feature...  but just wanted to point out the obvious right quick.


Free online viewable magazines?! [SecuraBit]

Posted: 21 Aug 2008 12:15 PM CDT

We are going to approach this subject very lightly as I’m sure it’s clearly copyright infringement, however Lifehacker has a great post for a website called Mygazines. (which we won’t link to for legal purposes) Basically it’s a repository of scanned magazines encompassing just about anything and everything your heart desires, minus the pr0n. [...]

