Thursday, August 28, 2008

Spliced feed for Security Bloggers Network

This just in - people add other people to social networking friend lists. No, really [Vitalsecurity.org - A Revolution is the Solution]

Posted: 28 Aug 2008 07:28 AM CDT

I'm calling weak sauce - WEAK SAUCE, baby!

Why?

Well, I wanted to write about this when I saw it, but I was on holiday and too busy watching Batman punching people into walls to care.

But now I'm back in black, so I figure I can still rant about it. Are you ready?

As you'll have seen from the link above, it's all about how "computer security pros were vulnerable to scams". The scam in question? Pretending to be security researchers on social networking sites, then... adding themselves to the "targets'" friend list, thus demonstrating how they "exploited their trust".

I mean, wait... what. That's it?

Okay, time to strap on the Cynicism-o-tron 3000 and get to work. For the purposes of this ramble, let's assume the site in question is Myspace. It could be Facebook or any of the others really, but let's go with Myspace because this gag relied on the people that ended up being used as fakes NOT having a real profile on the site in question.

From my experience, there are lots of real security people on Facebook. Myspace? Not so many.

1. I've been on Myspace for years. If someone wants to add themselves to my profile as a friend, great, go nuts. There's no personally identifiable information on there besides what I'm happy with being in the public domain on there anyway so it's not like some scammer just got his hands on the PG Goldmine. You'll find the same generic info on every webpage I'm currently lurking on.

The article makes no mention of exactly WHAT information the people who were duped into adding the fake security guys had on their page. Was it random crap? Was it anything more than generic info? Was it name, address, social security number? The login codes for thermonuclear destruction courtesy of the "Defense Industry Worker"? What? I think this is pretty important, personally. It would be like one of these guys adding me to their friend list then jumping up and down going YAHOO! ANOTHER ONE BITES THE DUST, BABY!

Meanwhile, I'd be doing this:



Yeah, it's the cat again. But WTF-Cat is used with good reason here.

2. This might come as an amazing surprise - or not - but most of the time, I have my page privacy settings wide open, because I use it to attract scumbags, bots and asshats.

I want to have bots send me add requests. I want people who think they're a leet hax0r to make me their new favourite band in the world, ever. I love it when I get hit with random spam runs, because I know it's going to turn into something interesting. The flipside of this is, I don't assume anybody I have on my friend list is who they say they are. Sure, I can verify the people I need to verify through other channels - but for the most part, it doesn't matter who I have on my list, they're just names and faces and people I talk to. There are only a handful of people on anybody's Myspace friend list (or any other list, for that matter) who you actually need to verify as being who they are, either for work or some other purpose.

Again, if these guys had sent me a friend request pretending to be Bruce Schneier or whoever, would they be scoffing at my "level of trust", without realising that yes, I was actually suspicious in the first place at a security researcher wanting to be my friend and priming the Blog for another bizarre tale about fakes and frauds?

Of course, I wouldn't have had the chance because I'd have been one of the "chosen ones" in the AP article. Yay. I wonder how many people condemned to their fate of being social networking idiots weren't using their profiles for something similar - luring in bad guys?

3. There is an assumption here that these people are stupid. Why? Well, check out the quote where the guy says "Any of these people would happily click on a malware site or viewed our page with a data stealing application".

Really? Why would they? Did you actually try this? Or are we just assuming?

You know what happens when you click on an external link on Myspace these days? This:


Would someone involved in security actually manage to get themselves Phished (for example), or blindly go to a (plainly displayed) URL that says .EXE at the end of it after seeing that page? Stranger things have happened I guess, but who knows. As for the "data stealing application on the profile page", that's kind of tricky to pull off on Facebook (unless these guys started making rogue Facebook applications as part of their gag too, which seems unlikely), so again I'll have to roll with Myspace as that's about the most customisable social networking site where you could potentially get away with such a thing.

The most common "data stealers" (if you could call them that) on Myspace pages are geolocational trackers and the like, and you know what? Because of the way many of them are embedded on the page, there is NO way to know you visited a page with one on there unless you view source for every single page you ever visit on Myspace, ever. And once you've hit the page, it's already too late.

At this point, you need to make a choice - accept that there's a small risk from any page you could ever click on, ever, and live with it - or take the logic used here to its extreme point and never use any website or page, ever again, because it "might have had something on it".

4. There is an assumption here that random people involved in random aspects of security are necessarily going to be "experts" at all the ins-and-outs of social networking security tactics, which is simply not going to be the case. There's a large and fairly complex set of practices that the smarter 2.0 users employ to keep safe on these websites, and it makes no sense to be all happy that you "caught out" defense industry workers because the last time I checked, defense industry workers tended to specialise in creating electronics and making sure shit doesn't blow up, as opposed to knowing which fake profile on their Myspace list was going to turn into Tubgirl and Lemonparty.

Education and advice might be more proactive here as opposed to deriding them in AP articles (even when done anonymously), but that's just me.

5. What does this prove, really? Hell, with absolutely nothing more than a solitary email to Myspace Customer Service, it's possible to get an entirely legitimate profile deleted as long as you word it correctly. What did the people behind this actually do to their victims besides add them to friend lists? The article doesn't indicate that anything more was done than people saying they "could" have done this, or "could" have done that. So in effect (and unless it was stated otherwise at Black Hat), nobody got Trojaned, nobody got hacked, nobody got Phished, nobody had their data stolen by creepy applications.

What happened was, a bunch of people had some other people add them to their friend list. Excuse me for being dense, but isn't that what you're supposed to do on social networking sites?

ALERT from CERT about Linux and stolen SSH keys [belsec] [Belgian Security Blognetwork]

Posted: 28 Aug 2008 07:20 AM CDT

We copy from the Internet Storm Center:

The US-CERT is reporting that there are active attacks against Linux environments using stolen SSH keys. There is a new rootkit out, Phalanx2, which is dropped by attackers and which, among the usual rootkit tasks, steals any SSH key on the system. The attackers then, presumably, use those stolen keys (at least the ones without passwords/passphrases) to get into other machines.

Sources of compromised keys could include the weak key vulnerability in Debian-based systems a few months ago, so if you haven't updated and replaced those keys, you ought to do so now.

The biggest defense is to have any keys, especially those used to authenticate to remote machines and certainly internet facing ones, require a passphrase to use.  Check your logs, especially if you use SSH key-based auth, to identify accesses from remote machines that have no business accessing you.  If you have IPs, that would be good.

To detect if you have Phalanx2, look for /etc/khubd.p2/ (access by cd, not ls) or any directory that is called "khubd.p2". /dev/shm/ may contain files from the attack as well. Tripwire, AIDE and friends should also be able to detect the filesystem changes.
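The three checks the advisory names (the hidden directory resolved by name rather than by listing, private keys that need no passphrase, and key-based logins from addresses that have no business on the box), as an added Python example that is not code from US-CERT, the Internet Storm Center or belsec. The log lines and key samples are constructed (RFC 5737 documentation addresses, truncated key bodies), and the assumption that stat() itself is not hooked is stated in the code.

```python
# Added example: checks for the Phalanx2 / stolen-SSH-key advisory (not US-CERT/ISC code).
import base64
import os
import re
import struct

PHALANX2_DIR = "/etc/khubd.p2"  # directory name given in the advisory
OPENSSH_MAGIC = b"openssh-key-v1\x00"
PEM_PRIVATE = re.compile(r"^-----BEGIN [A-Z ]*PRIVATE KEY-----", re.M)
PEM_ENCRYPTED = re.compile(r"^Proc-Type:\s*4,ENCRYPTED", re.M)
ACCEPTED_KEY = re.compile(
    r"sshd\[\d+\]: Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def phalanx2_dir_present(path=PHALANX2_DIR):
    """Resolve the directory by name ('cd, not ls'): the rootkit hides it from
    listings, so never enumerate /etc. Assumption: stat() is not hooked as well,
    so False means 'not seen', not 'proven absent'."""
    try:
        os.stat(path)
        return True
    except FileNotFoundError:
        return False


def key_is_passphrase_protected(key_text):
    """True/False for a private key, None for anything else. PEM keys (what OpenSSH
    wrote in 2008) flag encryption with 'Proc-Type: 4,ENCRYPTED', PKCS#8 with the
    BEGIN line, and the OPENSSH format with a cipher name ('none' = no passphrase)."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in key_text:
        return True
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in key_text:
        body = "".join(ln for ln in key_text.splitlines() if ln and not ln.startswith("-----"))
        raw = base64.b64decode(body)
        if not raw.startswith(OPENSSH_MAGIC):
            return None
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", raw[off:off + 4])
        return raw[off + 4:off + 4 + n] != b"none"
    if PEM_PRIVATE.search(key_text):
        return bool(PEM_ENCRYPTED.search(key_text))
    return None


def unprotected_keys_in(directory):
    """Files under directory (e.g. ~/.ssh) holding passphrase-less private keys."""
    found = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                if key_is_passphrase_protected(fh.read()) is False:
                    found.append(path)
    return found


def unexpected_key_logins(log_lines, expected_sources):
    """Successful public-key logins from addresses not on the expected list: a
    stolen key gets used from the thief's machine, which is what the logs show."""
    expected = set(expected_sources)
    hits = []
    for line in log_lines:
        m = ACCEPTED_KEY.search(line)
        if m and m.group("ip") not in expected:
            hits.append({"user": m.group("user"), "ip": m.group("ip"), "line": line.rstrip()})
    return hits


# Constructed samples: RFC 5737 documentation addresses, truncated key bodies.
SAMPLE_AUTH_LOG = [
    "Aug 28 07:20:01 web1 sshd[2311]: Accepted publickey for deploy from 192.0.2.10 port 51234 ssh2",
    "Aug 28 07:21:45 web1 sshd[2320]: Accepted publickey for root from 203.0.113.77 port 40022 ssh2",
    "Aug 28 07:22:02 web1 sshd[2325]: Accepted password for alice from 192.0.2.11 port 50110 ssh2",
    "Aug 28 07:23:10 web1 sshd[2330]: Failed publickey for root from 203.0.113.77 port 40023 ssh2",
]
PEM_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...(truncated)\n-----END RSA PRIVATE KEY-----\n"
PEM_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
           "MIIEow...(truncated)\n-----END RSA PRIVATE KEY-----\n")


def openssh_sample(cipher):
    """Constructed OPENSSH-format header (magic + cipher name only), not a real key."""
    raw = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher + b"\x00" * 16
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    print("khubd.p2 present:", phalanx2_dir_present())
    ssh_dir = os.path.expanduser("~/.ssh")
    print("keys without passphrase:", unprotected_keys_in(ssh_dir) if os.path.isdir(ssh_dir) else [])
    for hit in unexpected_key_logins(SAMPLE_AUTH_LOG, ["192.0.2.10"]):
        print("unexpected key login:", hit["user"], "from", hit["ip"])
```

On a real host, feed the whole of /var/log/auth.log (or secure) to unexpected_key_logins with the addresses you actually administer from; the sample list here stands in for that file.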

Wolfenghost [Vitalsecurity.org - A Revolution is the Solution]

Posted: 28 Aug 2008 07:13 AM CDT

If you like to shoot Zombie Nazis in the face with a chaingun - and really, who doesn't - you might want to take a look at the coolest Flickr tool thing I've seen in quite some time. If you used to like playing Wolfenstein back in the day, then here comes Christmas - in the form of an explorable 3d Wolfenstein map that houses images selected from Flickr accounts of your choice in a pixellated fashion. Hence:


Linky.

Is this supposed to be a gag? [Vitalsecurity.org - A Revolution is the Solution]

Posted: 28 Aug 2008 07:12 AM CDT

You decide!

BGP crisis, ASN identification and the future of cyberwar [belsec] [Belgian Security Blognetwork]

Posted: 28 Aug 2008 06:37 AM CDT

I have the impression that it is not clear to anyone why the BGP crisis is a crisis that is worth treating as a crisis and that should have a very high priority on the agenda of anybody who is responsible for critical infrastructure or networks.

BGP routers send traffic based on networks that are identified by ASN numbers. We have been trying to work with ASN numbers when we wanted to filter the Belgian hosts out of the long lists of phished websites in the phishtank. That doesn't work because ASN numbers seem to incorporate networks and links that aren't always very functional at the outset.

But another thing became apparent when we were looking for Belgian ASN numbers. We saw ASN numbers with the names of big banks, we saw ASN numbers for a firm that is responsible for the transportation of gas, and so on...

I had the feeling then that this was risky, but that was just the logical reflection of a cybersecurity person who thinks that the less the attacker knows before he begins scanning (and being discovered) the better. But this exploit changes everything and the first question is if we shouldn't change the identification of ASNs (make it secret or not linked to a name, for example).

Now how can you control a BGP router ? If it ain't well secured you could do it by hacking it. You could enter or storm an Internet Exchange Point (Al Qaida cells in the UK had plans to blow up the London one) or you could own one (if you are a big network, ISP, country).

So what could you do with it afterwards? First you could use it to spy on or analyze the traffic to prepare your real attack in a way that nobody will notice. Imagine that you know all the traffic between country or network x and a big or governmental network. Then you could send all the traffic to these destinations to a blackhole (going nowhere) or you could just send it bouncing back and forth all over again. This last attack seems like a tapestry of DDoS attacks knocking everything out on their way. What you do with it afterwards only depends on your imagination about how you are going to reroute it.

The people at the other side will say that it is possible to send new instructions to all the routers and that the effects can be undone in minutes. Maybe. But that was after one dedicated attack or rerouting; this is maybe not the case in a coordinated, sustained, repeated attack on different routers at the same moment for a long time. And if you can tell me why people shouldn't do it, then I can accept that you have to do nothing special. But when people make botnets, DDoS the root DNS servers and poison other DNS servers or attack Cisco routers, then why wouldn't they use this technique? Not because it is too difficult. It ain't. And not because they don't have the technical publication about how to do it. It is published. And not because we are in times of peace and love. We aren't.

belsecTV Police technology [belsec] [Belgian Security Blognetwork]

Posted: 28 Aug 2008 06:00 AM CDT

And the Joomla hacking just continues even in .be [belsec] [Belgian Security Blognetwork]

Posted: 28 Aug 2008 05:40 AM CDT

Those who would have thought that Joomla servers would by now be patched are just living in dreamland. Joomla servers are still sitting ducks waiting for any scriptkid passing by with the exploit in his tool to deface, manipulate or just enter it.

Those who would have thought that Joomla or its so-called community would by now have alerted all or most of its users that they need to patch if they don't want to be hacked (and they surely will be hacked one day if they don't patch) are also living in dreamland.

Those who have installed Joomla thinking that it was a professional service, that they would surely be secure and that it would be easy to be patched or informed, were also living in dreamland.

Those who now think that Joomla will not be attacked again, and that the exploiters will not think that Joomla is (viewing its disastrous management of this crisis) the perfect tool and community to attack, surely if it were a zero day, are also living in dreamland.

Those who say that they are professional and are still on Joomla or not moving away from it take a risk for which they will now have to make the preparations.

because Joomla makes me think of this hacked site ikverkooplucht.be  (I sell hot air)

another of the .be joomla sites that fell


FCCU wants (some of) you [belsec] [Belgian Security Blognetwork]

Posted: 28 Aug 2008 05:21 AM CDT

http://www.polfed-fedpol.be/presse/presse_detail_nl.php?recordID=1764  Nederlands

http://www.polfed-fedpol.be/presse/presse_detail_fr.php?recordID2=1582 Français

Two remarks:

* not everybody that would be useful in such a center and has the experience has the necessary diploma

* it is limited to people with Belgian nationality

But the good news is that 18 people will be incorporated in the central computer crime unit of the Belgian police... after 2 (yes TWO) years.

This means that they really have to make a difference between the functions that are specific to being a police officer and the administrative or purely technical functions. Preparing a technical file on a megaspammer can be done by anyone technically knowledgeable. Making an official police file based on the collected evidence is another matter.

But whatever. If you are young and you would like to work for the good of the people, the country and be in the center of the computer crime fighting environment and work for Beirens (who comes over to me as a very engaged supercop :) ) then this is your chance. Don't say we didn't tell you.

We hope that if the police receive too many CVs from other people who want to work for a public service, they will keep the others on a mailing list to inform them of the hundreds of other administrations that are actively looking for computer people. If they have an interest in security and are security-aware from the first thing they do every day, then this is a big advancement (and economy).

Register your site for free with phishregistry if you are phishable [belsec] [Belgian Security Blognetwork]

Posted: 28 Aug 2008 03:15 AM CDT

PhishRegistry.org is a free resource provided by Secure Computing Corp. to help businesses know when they are at risk of being phished. PhishRegistry.org monitors the content of your Website and alerts you when attempts to duplicate it have been detected. By registering your site on Phishregistry.org, you are able to receive notifications of online fraud attempts, and increase your Website's visibility with Secure Computing and our anti-fraud partners. Additionally, you can use these threat alerts to actively inform customers of phishing attacks and to assist with other efforts to combat fraud.

There are two ways you can participate in PhishRegistry.org. First, by providing information about your organization's Website, Secure Computing is able to monitor the Internet for malicious copies of it and provide you with weekly reports about what we find.

You may also register other legitimate Websites of interest - for example, your bank. You'll only be able to receive notifications, however, for your own company.

Click on 'Register My Site' to register your organization with us. Click 'Register Other Sites' to register other sites you'd like us to monitor.


Web filtering - who and what to block? [Roer.Com Information Security Blog - Information security for entrepreneurs]

Posted: 28 Aug 2008 02:56 AM CDT

Kyle Northcutt posted this question on LinkedIn:

Who and what should the web filter block?

Obvious malicious, lewd and illegal content aside.... should mental diversions be limited or blocked from users? Social networking, youtube, gaming, news, etc can be very distracting and hamper production, but when used sparingly can boost morale, enhance creativity and act as an employee perk in the organization.

My question is, which (if any) of these activities should be blocked? Should everyone be affected by this policy or should engineering and executives be excluded? As a bonus, how does your company handle web filtering?

There are many interesting answers to his question - ranging from "Block them all, and only open those you need", to answers like that of Angelos Karageorgiou, who says:

"I do not think that your productivity will increase by throttling the employees' use of the internet! Slackers will find other ways to slack. In my experience, when people spend an inordinate amount of time with diversions, it is when they are either unhappy with their work or have lost focus. Both are afflictions caused by management or lack thereof."

I like Angelos' answer because it points to where the challenge really is - the humans. With the technology, we can do everything we can imagine. But humans. Now, that is a totally different matter. It takes a very non-technical manner to deal with those people.

In all my humbleness (right), I post my own answer below (as it is found on LinkedIn).


My LinkedIn answer:

In my experience, blocking access to internet resources soon turns your employees into a negative, less-productive bunch of unhappy sheep (lots of negativity in there, huh?)

Nothing is obvious when it comes to humans, and just blocking whatever one person finds obvious may very well upset someone else. As long as we are using technology to deal with human behaviors, we need to teach the same humans the reasons we choose to use technology instead of just enlightening them.

There are only a few occasions I suggest using these kinds of controls:

* in controlled / secure environments where you must ensure 100% control of what is entering and leaving the area (then I always advise setting up a set of computers with access - as the Internet is now a vital part of our communications)
* in restricted areas like jails and schools where motivation to follow policies is not that evident. But - this is also a very narrow path, as many kids today outsmart the local IT resource.
* in short time frames in departments dealing with sensitive information like annual results. Then we may close down all communication within a particular time - but never forget that there are phones, facsimiles and other techs you cannot control (that easily)

I am not a fan of closing down access. I believe that most employees are going to do their job as expected - as long as they get their perceived value in return. And face it - in today's workspace, most people will expect access to the Internet at their discretion.

Now, I am an advocate for an employer-controlled work environment - i.e. the company sets the rules, and when you sign your contract, you agree to follow those very rules. But. As long as we are dealing with humans, we will reach much better results by understanding how psychology and organizations work and function. By using a mixture of positive incentives and negative incentives, and doing this in a clever manner, you will see much better results over time.

Face it, if you force a block, someone will be unhappy. You will start to see people trying to work around those barriers. Your management will scream and expect totally different rules. Your day will become a nightmare. And what do you achieve? Less motivated, less productive employees.

I suggest the following approach that has worked a dream in the past:

* Set up QoS on your network, and on your outbound link. Tune down everything you do not like entering (streams, P2P, Skype etc). Set it so low that it is still possible to use it, but not practical anymore.
* Inform your employees regularly about how the computer is a time thief (I mean, even for me now - I spend time writing this on the Internet instead of doing any productive work...), and give them tips on how to deal with it. Consider them humans and grown-ups, and it is amazing what you can get them to accept.
* Set up a network monitoring device, analyzing and capturing data traffic. These devices are able to tune in on, and capture only relevant data - triggered by rules and patterns you can define. Use this to figure out what is really going on, and to find that one or two rogue employees that you know are out there. Now you have evidence you can use to force this person to either follow the rules, or to kick him/her out of the organization.

In the end, you have a very efficient setup that does not interfere with day to day business, that does not make you vulnerable to updates and new "things to block", and that as a bonus makes you the hero of everyone in the organization (except the rogue ones, though...)

I have very good experience with this type of setup. Just keep in mind that you are dealing with humans - so treat them like humans to get them to do what you want!

----

What are your thoughts on webfiltering?


Thank you sir may I have another [StillSecure, After All These Years]

Posted: 27 Aug 2008 11:53 PM CDT

I was listening to some people on the Larry King show tonight talking politics.  I nearly choked when I heard some talk show radio host guest say that he was tired of people giving energy companies a hard time.  He said he was grateful every time he went to a gas station and was able to fill up his truck! The oil companies deserve these profits for the hard work they do in pumping oil out of the ground.  So for this they are entitled to windfall profits while they suck the marrow out of the bones of the rest of us? Was this guy for real?  I felt like I was watching Animal House and when the pledge is getting spanked with a paddle he is saying "thank you sir, may I have another".  Tell you what mister radio show host, if you are so grateful for the oil companies giving us gas, why don't you pay the bill the next time I pay 100 bucks to fill up my gas tank!

And please don't tell me that we all own the oil companies.  That is a bunch of propaganda put out by an industry association bought and paid for by big energy.  They are raking in record, obscene profits and that money is going to fund their corporate fat cat lifestyles (maybe we should sell them some NAC). 

I am not saying we should drill more or develop alternates faster, but don't sit here and insult me telling me we should be grateful every time we get shafted by big energy.


Do Lawyers have the NAC? [StillSecure, After All These Years]

Posted: 27 Aug 2008 11:33 PM CDT

Let me say up front that this is not some bad lawyer joke. Instead I wanted to talk about some observations I made while at the ILTA conference Tuesday. As I wrote the other day, I was on a panel about NAC.  There were about 75 or so people attending our track session. In asking some profiling questions of the people there, the audience was largely from larger law firms with 250 or more employees.  There were in fact a decent number of firms with greater than a 1000 people. 

There was good news and bad news around NAC adoption. The bad news was that there was only 1 firm that had NAC already up and running. The good news is that every other person in the room was there because they were interested in NAC and thinking about implementing some flavor of NAC over the next 24 months. Now, 75 or so people was not a majority of the people at the ILTA conference, but I thought it was significant in showing that as a vertical, the legal field has not yet adopted NAC, but is clearly looking at it now.

What is driving this interest in NAC by the legal field?  I was surprised at the answers I got at the show.  Unlike the rest of the commercial sector, compliance is just not the driver here.  Most law firms are not public entities, don't really do a lot of credit card transactions and are not financial transactions. So things like GLBA, SOX and PCI are just not the same drivers we see elsewhere.  Now I happen to believe that large firms like those at the show do have clients that are in fact subject to these rules and regulations.  Therefore as their attorneys and keepers of confidential data, the law firms have a duty as well.  So if not compliance what is it?

Guest access and confidentiality of data is what is driving NAC adoption in the legal field. Both of these are buzzword issues that get the partners at these firms to shave a bit off of the fat, recession-proof profits that go in their pockets and shell out a few bucks for NAC. But until the check is in the bank, who knows for sure. I will be watching to see if this interest in NAC actually translates into new NAC customers. Until then, we won't know for sure if Lawyers get the NAC.

MetricsCenter Articles [Jon's Network]

Posted: 27 Aug 2008 10:57 PM CDT

MetricsCenter Articles

Stuff to read on security metrics.

Linux Still has to be secured [An Information Security Place]

Posted: 27 Aug 2008 08:56 PM CDT

I sometimes get sick of my fellow Computerworld blogger Steven J. Vaughan-Nichols, A.K.A. Cyber Cynic.  He is an avowed Linux-phile, which is fine with me.  But he is constantly going on rants about how secure Linux is and how it’s great and wonderful and how Windows is so insecure and both sucks and blows.

But in this article he actually ends up surprising me. He talks about a bunch of Linux boxes getting attacked through compromised SSH keys. He goes on to say how the Linux admins that didn't fix the problems are idiots and how he would have fired them if they worked for him. And here is where he surprises me. He says:

Linux really is more secure than most operating systems, but, as the security mantra goes, "security is a process, not a product."

That statement seemed so painful for Steven to get out.  I think I actually felt him straining to get those words out (maybe Steven has been eating too much cheese lately).  He actually had to admit that an admin actually had to work to make Linux secure.  Of course, he couldn’t let that go without first saying that Linux "really is more secure than most operating systems", but at least he said it.

Seriously folks, I am not some Windows fan boy.  I know I have said that a million times, but it is true.  I don’t care what OS you use.  You are ALWAYS going to have to secure it by patching and hardening.  It is the nature of the beast.  You can make a Windows box just as secure as a Linux box if you harden it correctly.

Steven is right that security is a process.  You have to do your due diligence.  If you love Linux and hate Windows, then use Linux for your server.  But don’t let that cloud your brain when it comes time to lock that box down.

Vet

Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more... [Blue Box: The VoIP Security Podcast]

Posted: 27 Aug 2008 07:53 PM CDT

Synopsis:  Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...


Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on June 21, 2008.


Blue Box #81: iSkoot vulnerability, OFCOM legislation, VoIP security news and more [Blue Box: The VoIP Security Podcast]

Posted: 27 Aug 2008 07:44 PM CDT

Synopsis:  Blue Box #81: iSkoot vulnerability, OFCOM legislation, VoIP security news and more


Welcome to Blue Box: The VoIP Security Podcast #81, a 42-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 19MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on May 21, 2008.


Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.


Download the 5th Website Security Statistics Report [Jeremiah Grossman]

Posted: 27 Aug 2008 07:07 PM CDT

Whew, what a mountain of work! I'm ecstatic the complete 5th installment of our Website Security Statistics Report (all 13 pages) is finally published and available for everyone to see – and comment. I'm also extremely proud that we're able to capture a measurable improvement in overall website security. Good news from inside InfoSec!? I know, weird huh!? We still have a long way to go, but these statistics show we're on the right path and doing the right things:
  • Find and prioritize all websites
  • Find and fix website vulnerabilities
  • Implement a secure software development process
  • Utilize a defense-in-depth website security strategy

Today's webinar went extremely well, slides are available for those interested. And some quick numbers:

Total Websites: 687
Identified vulnerabilities: 11,234
Unresolved vulnerabilities: 3,541 (66% resolved)
Websites HAVING HAD at least one serious issue: 82%
Websites CURRENTLY WITH at least one serious issue: 61%
Average vulnerabilities per website: 5

The shiny new WhiteHat Top Ten

Yes! CSRF finally makes the list!

Also covered are:
- Collection methodology
- Time-to-fix and remediation metrics
- Industry vertical comparisons
- Best practices & lessons learned

Feedback on what other numbers people would like us to report on in the future is very welcome.


Some new features of NMAP explained [Security4all] [Belgian Security Blognetwork]

Posted: 27 Aug 2008 06:53 PM CDT

Fyodor made several enhancements to the NMAP scanner. Daniel Miessler was one of the lucky persons who attended his latest presentation at Blackhat and posted an overview of some of the new features (dmiessler.com).

Abstract:

The --top-ports Scan Option

One of Fyodor's main focuses was improving Nmap's speed through improved efficiency. One of the best ways to do this is to allow for scans of fewer ports, but this requires that you choose those ports carefully so as to miss as little as possible. So what he did, through trial and error and tons of scans, was figure out the most frequently open ports on the Internet.

Here they are for each protocol:

TCP

  1. 80
  2. 23
  3. 22
  4. 443
  5. 3389
  6. 445
  7. 139
  8. 21
  9. 135
  10. 25

UDP

  1. 137
  2. 161
  3. 1434
  4. 123
  5. 138
  6. 445
  7. 135
  8. 67
  9. 139
  10. 53

Ok, so now that we know what the top 10 ports are, wouldn't it be cool to be able to scan based on them? And what if we wanted to scan the top 50? Or the top 100?

Fyodor has built this in with the --top-ports option. It's wicked nice, and you invoke it like this:

nmap --top-ports 100 $target

And of course, 100 is just an arbitrary number, so you could just as easily do this:

nmap --top-ports 3000 $target

As you increase this number you obviously gain more and more accuracy, but because the ports are organized according to the most commonly found on the Internet, you can scan relatively few and still have good chances of finding everything open.

Stats from his presentation on TCP port efficiency using --top-ports:

--top-ports 10: 48%
--top-ports 50: 65%
--top-ports 100: 73%
--top-ports 250: 83%
--top-ports 500: 89%
--top-ports 1000: 93%
--top-ports 2000: 96%
--top-ports 3764: 100%

This means for just curiosity scans I can go with --top-ports 1000 and get roughly 93% accuracy in a fraction of the time.

Read his full post for the other options.
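What --top-ports does under the hood is not magic: nmap ships a data file, nmap-services, whose third column is the open-port frequency Fyodor measured, and --top-ports N simply takes the N highest-frequency ports for each protocol being scanned. The script below is an added example (not Fyodor's or Daniel Miessler's code) that parses that file format, ranks ports per protocol, and reports what fraction of all observed open ports a top-N scan would cover, which is how the efficiency percentages quoted above are arrived at. The SAMPLE text is a constructed excerpt in the real file's format with illustrative frequencies, not the real measured values, and the tie-break rule (lower port number first when frequencies are equal) is an assumption of this example.

```python
"""Added example: re-implement the port ranking behind nmap's --top-ports.

Parses text in nmap-services format ("name port/proto frequency # comment"),
ranks ports per protocol by open-frequency, and computes the coverage a
--top-ports N scan would achieve. SAMPLE is a constructed excerpt: the
frequencies are illustrative, NOT the values shipped with nmap.
"""
from collections import defaultdict
import re

# Constructed sample in nmap-services format; frequencies are made up.
SAMPLE = """\
# Fields: service name, port/protocol, open-frequency, optional comment
http          80/tcp    0.48   # World Wide Web HTTP
telnet        23/tcp    0.22
ssh           22/tcp    0.18   # Secure Shell Login
https         443/tcp   0.21
ms-wbt-server 3389/tcp  0.08
microsoft-ds  445/tcp   0.06
netbios-ssn   139/tcp   0.05
ftp           21/tcp    0.20
msrpc         135/tcp   0.02
smtp          25/tcp    0.13
unknown       9999/tcp  0.0001
netbios-ns    137/udp   0.37
snmp          161/udp   0.43
ms-sql-m      1434/udp  0.29
ntp           123/udp   0.33
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp|sctp)\s+([0-9.]+)")


def parse_services(text):
    """Return {proto: [(port, freq, name), ...]} from nmap-services-format text."""
    table = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort
        name, port, proto, freq = m.groups()
        table[proto].append((int(port), float(freq), name))
    return dict(table)


def top_ports(table, proto, n):
    """Ports a --top-ports N scan of `proto` would select.

    Highest frequency first; ties broken by lower port number (assumption).
    """
    ranked = sorted(table.get(proto, []), key=lambda t: (-t[1], t[0]))
    return [port for port, _, _ in ranked[:n]]


def coverage(table, proto, n):
    """Fraction of total observed open-port frequency captured by the top N ports."""
    entries = table.get(proto, [])
    total = sum(f for _, f, _ in entries)
    if total == 0:
        return 0.0
    chosen = set(top_ports(table, proto, n))
    return sum(f for p, f, _ in entries if p in chosen) / total


def port_spec(ports):
    """Collapse a port list into the compact form nmap -p accepts, e.g. '21-23,80'."""
    ports = sorted(set(ports))
    if not ports:
        return ""
    ranges = []
    start = prev = ports[0]
    for p in ports[1:]:
        if p == prev + 1:
            prev = p
            continue
        ranges.append((start, prev))
        start = prev = p
    ranges.append((start, prev))
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in ranges)


if __name__ == "__main__":
    table = parse_services(SAMPLE)
    for proto in ("tcp", "udp"):
        for n in (1, 3, 5, 10):
            ports = top_ports(table, proto, n)
            print(f"{proto} --top-ports {n:>2}: coverage {coverage(table, proto, n):6.1%}"
                  f"  equivalent -p {port_spec(ports)}")
```

Point the parser at the real nmap-services file on your scanner (in the nmap data directory) and the coverage column reproduces the shape of Fyodor's curve: a handful of ports carry most of the weight, and the tail of thousands of rarely-open ports is what the full 65,535-port scan spends its time on. The port_spec output is also a handy way to pin a scan to a fixed list (-p) when you need reproducible results across nmap versions, since the ranking in nmap-services changes between releases.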

BGP, DNS, SNMPv3 flaws. Is the internet hosed? [Security4all] [Belgian Security Blognetwork]

Posted: 27 Aug 2008 06:32 PM CDT



We have seen several issues this year. The SNMPv3 issue, the DNS issue and now the BGP issue (slashdot).

BGP stands for Border Gateway Protocol and is the core routing protocol of the Internet.
A good example of what can go wrong when someone can inject wrong or false routes into BGP is the story where Youtube became unreachable by the hands of Pakistan Telecom (Renesys blog).

Now how serious is this? Well, just like the DNS issue, it's not the first attack or issue we have seen. So let's not overhype this. There is no money to be made with bringing down the internet. And redirecting routes through BGP is like working with a sledgehammer, it's not really subtle.

Dan Kaminsky has a very good article discussing the SNMP, DNS and BGP issues together and it is a must read (doxpara.com). As he said, it's 2008 and we need to look at some of our core protocols and the way they do authentication and encryption.

(Photo under creative commons from billaday's photostream)

SC Magazine: Application vulnerability assessment tools group test [Wouter Veugelen] [Belgian Security Blognetwork]

Posted: 27 Aug 2008 05:43 PM CDT

SC Magazine published a review of the following application vulnerability assessment tools.

  • Application Security, Inc.’s DbProtect 2007
  • Cenzic Hailstorm Enterprise ARC 5.5
  • Fortify Source Code Analysis Suite 4.5
  • HP WebInspect 7.7
  • IBM’s Rational AppScan 7.7
  • iSEC Partners Security QA Toolbar
  • Ounce Labs 5.0

SC Magazine evaluated the different products according to the following criteria: support, documentation and price. So they didn't look at the number of false positives, false negatives, or issues the application couldn't find. Nevertheless, if you are looking into evaluating one of these solutions this review might be a good starting point.

Keep a hand on your iPhone [IT Security, Windows Scripting and other matters]

Posted: 27 Aug 2008 02:20 PM CDT

Adam Dodge pointed me to this article on CSO Online this morning - http://www.csoonline.com/article/446281/IPhones_Can_Be_Unlocked_Without_Password
This afternoon a customer stopped by with an iPhone and was kind enough to let me test the hack out.
I was able to confirm that the simple tap sequence does work. But only if you have your home button set to go to your Favorites. My customer had his set to go to iTunes (go figure - he wanted to listen to the music on his iPhone).
So rather than remove all of your Favorites, set your home button to go to iTunes instead.
Be safe out there
James

Off to Black Hat [StillSecure, After All These Years]

Posted: 27 Aug 2008 01:30 PM CDT

Let me run with the pack and put up my own "off to Black Hat" post.  I leave Tuesday actually and won't get there until Tuesday evening.  I will be on a red eye home Thursday night/Friday morning.  In this way I don't break my own three day rule on Vegas.  What is my three day rule?  Suffice to say that it prevents me from spiraling down into the bowels of degeneracy.

So what am I looking forward to at Black Hat?  The Dan K / DNS stuff should be fun.  I will be cheering on my boy Hoff and I always sit in on Jeremiah.  But lets face it, I am there for the party and catching up.  I am looking forward to throwing a few back with Rothman.  Seeing Martin, Mogul and the rest of the bunch.  There are always good parties of course and free drinks and food never hurts.

Of course I will also spend some time at the StillSecure booth shaking hands and kissing babies.  If you would like to say hello feel free to stop on by.

Also, a quick thanks to all of the members of the SBN for their support on our Black Hat affiliation.  The last few weeks have seen a bunch of blogs raising the buzz on the conference.


Black Hat wrap up - secure@microsoft, booth babes and bloggers [StillSecure, After All These Years]

Posted: 27 Aug 2008 01:28 PM CDT

You can read plenty of other blogs about some of the great presentations at Black Hat.  So I thought I would take another angle and talk about some of the other stuff that may be important to you.


1.  secure@microsoft.com – This year's hottest party was again the Microsoft party.  This year it was at the LAX club in the Luxor.  As usual there were quite a number of people at the door who thought they could talk their way in or, worse yet, were told they "were on the list".  I was happy to be able to go and saw many of the usual suspects there as well. I had to leave the party early to go catch my red eye flight home, so went right to the airport from the party.  As I wrote earlier, Microsoft is trying really hard on security.  But I couldn't help but notice the irony of this grainy, lousy picture of the DJ booth at the party.  If you can, notice the computers that the secure@microsoft.com DJs are using. That's right, they are Macs!

2. A new low for booth babes – What would a Shimel review of a trade show be without a booth babe rant.  Hey, I recognize it is Vegas and all, but EdgeOS went way over the line this year.  A booth babe dressed as a Las Vegas showgirl or some other type of costume makes a statement.  I personally don't like exploiting women to make that statement, but I understand.  However, these guys had women who were dressed so raunchy and classless that I could not bring myself to post a picture of them.  Come on guys!  You want to resort to the booth babe thing (and BTW I think the Black Hat crowd does not respond to that), at least have a little class.  These girls looked like street walkers and do you and your company no favors.  Is that really the image you want to promote?  Grow up!

Author's note: I have received several requests to see a picture of the booth babes in question and judge for yourself. So I am including one for you to make your own call.


3.  The Security Bloggers Network – We are back!  With the end of the Black Hat show, the SBN is going back to being the SBN.  The old logo is back and our promotion with Black Hat is at an end.  However, I want to personally thank so many of you SBN members who blogged about Black Hat.  The Black Hat marketing folks made it a point to come over to me and thank us for the overwhelming support and help of the community.  Our network delivered big time with them and they are already thinking about ways we can work together next year.  I will keep you all posted on that.


We have several new promotions we are working on with the SBN and will have more on that soon. Also, we learned some valuable lessons.  Next time we will work with the network members more closely in doing these affiliations.  Also, for any show like this we need to have an official bloggers get together.  Not because we don't want to buy our own drinks (thanks to Chris Hoff for doing more than his share in picking up a big bar tab), but frankly we need to reserve a place that has enough space for us.  Security bloggers are big time. We have a great community of people who get together. Let's make it better.


I have some other ideas around the SBN I am working on too and want to form a committee to help. If you are a member and want to get involved, please drop me a line or comment.


Anyway, another year of Black Hat is in the books. It was a good one and I can't wait until next year!

----

Pedal to the metal NAC [StillSecure, After All These Years]

Posted: 27 Aug 2008 01:26 PM CDT

OK, I am not really a big car racing fan.  I don't know, Long Island was not a NASCAR hot bed. Of course the Indy 500 was always big news.  In any event I have become much more of a race fan since Chip Ganassi Racing became a StillSecure customer.  They are using a complete NAC solution that performs both pre- and post-connect testing. Racing today is not about some gearheads putting in spark plugs and changing tires.  It is very high-tech, and their information security needs, to protect their IP, are a high priority.

Rather than the usual case study, our VP of marketing Jayson Ayers actually tried something new.  A video case study is what we have done.  I think it is pretty cool and in the spirit of the YouTube generation, am embedding it here.  You can read more about this on our site here.

----


My excellent adventure at Black Hat [StillSecure, After All These Years]

Posted: 27 Aug 2008 01:26 PM CDT

Yesterday was a great day at Black Hat. I would tell you all about it, but it seems Mitchell thinks that it best that we don't talk about what goes on here at Black Hat. Now, far be it from me to break "Cardinal Rules" (has anyone ever really thought about what exactly is a "cardinal rule"? Why not a Blue Jay or Falcon rule?) but if we can't talk about it, what good is it. I think Mitchell is confusing divulging the really juicy Vegas stuff, from just the mundane. So let me tell you about my excellent adventure yesterday at Black Hat.

I was one of the multitude standing in the back listening to Dan's DNS report. You probably have already heard that it is bigger and worse than originally reported. I then spent a lot of time with the Microsoft people talking to them about their security stuff. I will tell you that despite many who rail against Microsoft, these guys actually are doing a great job on security and in dealing with the security community. Much better than a certain company named for a fruit whose marketing people killed the presentation of their own security research team. After lunch I took a front row seat to watch Hoff present on virtual security. He has some very pretty slides, but the message was clear. Great presentation by Hoff. I spent most of the rest of the afternoon catching up with lots of security bloggers here. I am amazed by the number of us here at Black Hat.

Had a quiet dinner with Mitchell (I would tell you about it but you know about what happens in Vegas with Mitchell) and then went to the Breach party at the Shadow Bar (I love that place, but it was too hot last night). We then went over to the Fuente cigar bar and next thing you know we were joined by about 30 of our closest security blogger buddies. It was a great time and there are pictures floating around twitter somewhere of it. We talked and laughed into the late hours, winding up at the Augustus cafe again for an early breakfast.

Well it is back to the show today and another round of parties tonight. Ah, it is tough living the life ;-)

----

When the shoe is on the other foot [StillSecure, After All These Years]

Posted: 27 Aug 2008 01:26 PM CDT

About to head over to morning sessions of Black Hat (OK, it started at 8am, but that is just an uncivil time for Las Vegas).  Before I do, let me give you a quick recap of my first night on Black Hat. I didn't get in until 10pm and got to my hotel about 11.  Looked up a few security twits and saw that Mitchell Ashley, Martin McKeay, JJ and Ryan Russell were at the Cleopatra Barge at Caesars.  I headed over there and met up.  The night was on!

We had a quick drink and then headed over to the club Pure, where Fortify was having a party.  Somehow or another JJ, Ryan and I got to the VIP entrance and were headed in.  Martin had to go upstairs and change out of his shorts.  Mitchell, that Colorado country bumpkin, was not allowed in because he was wearing sandals.  What to do?  Leave Mitchell outside, all of us not go in? I went back to my old club hopping days for the answer. I went in with JJ.  Went to the bar, took off my shoes and gave them to JJ.  While I stood there in socks, she brought the shoes out to Mitchell, who put them on and got in the club.  Watching JJ sneak out the shoes and Mitchell walk in holding his sandals was pretty funny.   But it worked.  We got away from the Fortify party as it was way too crowded.  We found ourselves in my favorite part of Pure, the Pussycat Doll Lounge.  Five minutes later out came the Pussycats.  They put on a very hot show that had us all dancing and shouting.

After that we went to my usual late night spot at Black Hat, the Augustus cafe for breakfast.  We met up with the Mogul and Hoff, who joined us.  By now it was like 2:30am Vegas time (5:30 east coast time) and it was time for bed.  I am staying at Paris, so had a nice walk but they did give me a LeMans suite which is very nice.  I still get a little confused by rooms with bidets, but it is fun.

Well off to Black Hat for some learning!

Revisiting the good enough generation [StillSecure, After All These Years]

Posted: 27 Aug 2008 01:26 PM CDT

That's right, talkin' 'bout my, my g-g-g-generation. The generation where good enough is . . . good enough. There is no sense of being the best you can be or going over and above. Just enough to get it done is the way of the world. So with Rothman revisiting Big is the New Small, I thought another look at the good enough generation was in order. It was just over two years ago that I wrote the original "Is good enough security, good enough".

Now with hindsight it appears Mike and I were saying very close to the same thing. That the sad truth is that for most people having security that is good enough, is enough for them. Subsequently if the big guy has good enough, why bother with dealing with a multitude of vendors and tower of babel security infrastructure. So after all this time Mike is not entirely wrong.

However, I still believe that there is a percentage of the world that doesn't buy into the just good enough theory. For folks like that given the resources, being the best they can be is the way of the world. If I didn't believe that, I would not be as jazzed about building a company like StillSecure as I am.

Another fantasy fulfilled [StillSecure, After All These Years]

Posted: 27 Aug 2008 01:26 PM CDT

My Grandmother always told me that a lucky person can count the really good friends they have on one hand, but a small number of good friends far outweighs having many acquaintances. That was proven to me once again this weekend.  Ever since before I had my 2 sons, I had dreams of taking my children to both a Pittsburgh Steeler game and a NY Yankee game. Last year I had a chance to take Landon and Bradley to Pittsburgh and see a Steeler game.  With this being the last year for the old Yankee Stadium, I wanted to take the boys to see the Yankees at home and in the old stadium.

Getting tickets to a game at Yankee Stadium is not cheap.  In looking around StubHub, for a hundred bucks a ticket (which is all I was willing to pay), the best I was going to do was out in the bleachers somewhere. But I figured it was better than nothing and was going to go for it.  That was when I called my best buddy from college Tyler to see if he wanted to go with us.  Tyler still lives in NY, actually he has an apt in Trump Palace and works in advertising for a large company, handling one of the very biggest accounts.  When I told him what I was looking at buying he said to hold on and let him see what he could do.

Well Tyler came through big time.  Not sure which vendor he got them from, but we had 6th row box seats behind third base, tickets to the Stadium Club, free parking (didn't use it as we took the subway) and to top it off, Tyler was staying at his friend's place and insisted we stay in his place at Trump.

The boys and I had a blast hanging out in the city, going to Dylan's candy store, the Empire State Building and then heading up to the Stadium.  I am sure it will be a time both they and I will never forget.  Like the commercial says:

1. 3 round trip airline tickets from Florida to NY – $750.00

2. 1 night in a hotel in NYC - $400.00

3. 3 field box seats to a Yankee game - $1000.00

4. A friend like Tyler to make it all happen for free (I used miles for the airfare) and give the kids this kind of memory – PRICELESS!

Thanks Tyler!

Multiple Security LiveCDs combined in one DVD (and make it boot from your USB thumbdrive) [Security4all] [Belgian Security Blognetwork]

Posted: 27 Aug 2008 12:56 PM CDT



Some of the USB thumbdrives mentioned in my previous post are meant to replicate a part of Larry's Hacker Keychain (see Pauldotcom's shownotes). Now the following will maximize the use of my USB thumbdrives.

All credits go to Mubix for posting this on room362.com:

MultiISO LiveDVD is an integrated Live DVD technology which combines some of the very popular Live CD ISOs already available on the internet. It can be used for security reconnaissance, vulnerability identification, penetration testing, system rescue, media center and multimedia, system recovery, etc. It's an all-in-one multipurpose LiveDVD put together. There's something in it for everyone. I hope you enjoy it.

MultiISO LiveDVD Version 1.0 consists of :
  • Backtrack 3
  • Damn Small Linux (DSL) 4.2.5
  • GeeXboX 1.1
  • Damn Vulnerable Linux (Strychnine) 1.4 edition
  • Knoppix 5.1.1
  • MPentoo 2006.1
  • Ophcrack 1.2.2 (with rainbowtables 720MB)
  • Puppy Linux 3.01
  • Byzantine OS i586-20040404.

Download MultiISO LiveDVD here (torrent). Download it and help us seed this image!!!

Now I don't know if I heard it first on Hak5 or Pauldotcom's podcast, but you can use UNetbootin to boot various Linux distributions from a USB drive.

(Photo under creative commons from Nephiel's photostream)
