Friday, August 29, 2008

Spliced feed for Security Bloggers Network

BGP Attack Vectors [Infosecurity.US]

Posted: 29 Aug 2008 07:44 AM CDT

Wired’s ThreatLevel blogger Kim Zetter posts an excellent piece on the purported BGP Attack vector. An update to this article has also been posted.

Friday News and Notes [Digital Bond]

Posted: 29 Aug 2008 07:27 AM CDT

  • The “news” that an attacker with network access could upload firmware to many controllers came out this week. This FOUO report has been floating around, and it seemed hard to believe it was FOUO. It is common knowledge in the control system space, not to diminish the fact it is another serious widespread control system security flaw. In fact, firmware uploads have been on the Quickdraw event list almost from the start because it sure would be nice to know when this has happened. If you want to read some of the leaked document and additional info check out the liquidmatrix blog entry.
  • DHS’s Control System Security Program issued a Recommended Practice for Creating Cyber Forensics Plans for Control Systems.
  • Joe Weiss wrote a white paper including recommendations for the Blue Ribbon Commission on Cyber Security. This Commission will be providing a set of recommendations for the next US President. The paper is available after registering on the Control site.

belsecTV reverse engineering to find bugs [belsec] [Belgian Security Blognetwork]

Posted: 29 Aug 2008 05:00 AM CDT

Reverse engineering techniques to find security bugs: A case study of the ANI - 61 min - 22 May 2007
Google EngEDU

Google Tech Talks May 21, 2007 ABSTRACT Alex Sotirov is a vulnerability engineer at Determina. He will discuss some of the latest techniques in reverse engineering software to find vulnerabilities. Particularly, he'll discuss his technique that led him to find the ANI bug (a critical new bug in WinXP and Vista). Alex will describe the tools he uses for reverse engineering and show how he reverse engineered the ANI bug. He will continue to discuss Windows security mechanisms (ASLR, /GS) and describe how the ANI exploit bypasses them.


Belgacom infected mailservers ? [belsec] [Belgian Security Blognetwork]

Posted: 29 Aug 2008 04:00 AM CDT

well if there is no reason for this, then you should clean your reputation, especially if you say that your clients do not need the in the law foreseen free antivirus because you protect them enough on your network and servers ;






It is not because you are not on any blacklists (yet) that you are safe and clean and secure (and responsible)

just a small thanks to all my readers [belsec] [Belgian Security Blognetwork]

Posted: 29 Aug 2008 03:43 AM CDT

the ads don't bring in any money (you don't click)

the books don't sell (maybe on christmas or maybe if you are a school or enterprise, buy them through me, thanx)

the free magz and whitepapers aren't read (too boring ?)

so why do you do it ?

To serve my public

which I thank because being among the 30th popular blogs (the 13th last week 8th yesterday) between hundreds of other blogs that write about so many other popular things that is just feeling so good. Makes you feel good.




First in September a few things will change around here, maybe some big things but that I can't tell you right now. For the readers here a few new things will be added.

Tips and information can still be sent to my mail address.

We are looking here for project sponsors, to sponsor some projects and ideas we have. It isn't that much so if you are interested as a project sponsor, you can contact me.

If you are interested to write - effectively write on some regular basis here - you can contact me also. There are also some stupid but interesting things to do and if you would like to take those on your shoulders, you are welcome (the weekly update freeware list for example or the belsectv section or any other interesting daily or weekly segment..... ). There are also other things you can do - correct my English :) or get a weekly summary out. You are welcome.

We are soon to be one year, on November the 11th. And we have passed 100.000 pageviews for this blog and more than 300.00 on the blogfeed of the Belgian Security Bloggers of which we are part. If you have a security blog in Belgium contact us and maybe you can become part of our family. Our family is meeting soon around a big meal, contact us if you would like to be invited.

And if you have a site or a blog you can use our feed and some parts of our articles if you respect the copyright and aren't just a made for adsense site.

Energy news of the day [belsec] [Belgian Security Blognetwork]

Posted: 29 Aug 2008 03:15 AM CDT

Joomla hacking just continues day after day [belsec] [Belgian Security Blognetwork]

Posted: 29 Aug 2008 02:39 AM CDT

anyone still thinking about Joomla as CMS ? anyone co-hosting on the same server with some Joomla ducks ?



internal phishpage by changing the external links on the site [belsec] [Belgian Security Blognetwork]

Posted: 29 Aug 2008 02:33 AM CDT

So here the hacker changed the page to which an external link would lead. It doesn't lead to the external site but to his page. Well this is quite interesting because imagine if you could do this with a phished page on the website for paypal for example. I am sure that it would be even more effective than all those mails and that few people would even notice it (and I am sure many admins would have no clue whatsoever).

This is what the hacker did in his defacements, he changed the link to an external site with his own page. But that proof of concept could be used for anything. Who said that hackers weren't dangerous ? That defacement is just kiddie game ?



HACKED BY AdReNaLin ... php?option=com_banners&task=click&bid=12


What Isn't Best Western Telling Us? [Sunnet Beskerming Security Advisories]

Posted: 29 Aug 2008 12:11 AM CDT

Reports of a recent data breach at Best Western were vigorously refuted by the company, but is there something else going on in the background that is not being acknowledged by the company?

From the initial reports, more than 8 million Best Western customers may have had their details captured following unauthorised system access. Best Western's assertions that only one hotel and 13 records being affected didn't attract many supporters, and their assertion that their adherence to PCI DSS requirements ensured customer safety was even less well received.

At the moment all that is happening is that the Glasgow Sunday Herald (and their source at Prevx) and Best Western have made contrasting claims on the incident and neither has provided much more by way of evidence of their claims. Claims that it is the World's biggest cyber heist, when it isn't by a long way, would put the burden of proof on the Sunday Herald.

The difference between 13 records and 8 million is significant, but it does raise the question as to how Best Western knew that it was only those few records that had been accessed. 13 just isn't the sort of number that people tend to make up when they are making vague claims about quantities. As reported by Best Western, it was antivirus software that managed to identify the trojan horse that had been installed to try and capture credentials at a single European Best Western hotel.

There are questions being asked about Best Western's claims that recorded credit card details are destroyed after a period of time and whether this claimed breach indicates a failure to adhere to Level One PCI DSS requirements (assuming they are top level PCI DSS), particularly the requirements for a Data Security Assessment and Quarterly Network Scan. Perhaps the rapid discovery of the breach and limited account access claimed by Best Western was achieved through adherence to this requirement, but there are not many who place much faith in this idea, or in the PCI DSS auditing requirements.

There is also the possibility that any breach was targeted at Identity Theft first, financial theft second, so the PCI DSS requirements aren't going to do much to stop that from happening.

How can Best Western ease a lot of concerned observers' fears? If they re-issued their press release (or even a new one) identifying when and how the compromised system was identified and taken offline, and then acknowledged that the PCI DSS is only one means to protect sensitive data and forms part of a layered defence strategy then it would go a long way to achieving this goal.

It isn't often that the benefit of the doubt is given to a company involved in a data breach, but in this case it is leaning slightly towards Best Western. At the end of the day, Best Western has been tarnished by their response to this issue and if they can not adequately address the concerns identified above, then there is little else to do but assume that the worst outcome reported by the Sunday Herald is what happened. Of course, if the evidence of the attack is released by other means, then that, too, would validate the claims of one side.

The Hazards of Not Using RFC 1918 [Emergent Chaos]

Posted: 28 Aug 2008 10:50 PM CDT


RFC 1918 is a best-current-practices RFC that describes network address ranges that we all agree we won't use globally. They get used for private networks, NAT ranges and so on. There are three ranges: to to to

They are thus the Internet equivalent of the American phone system not using the exchange 555, only more useful. If you need to give an example IP address, you can use one of those without causing anyone consternation or irritation.

An example of why you want to use one of these addresses can be found (at least for the next few minutes) at Microsoft's site for the IE 8 beta. One of the IE 8 features is the "SmartScreen Filter" which can tell you IP addresses you're best not going to. An example is the picture accompanying my post.

If you check out that address,, at ARIN Whois, you find out that it's owned by Microsoft themselves.

I suppose that using one of your own addresses as a hazardous address is better than using someone else's, but immature people like Your Friendly Author will titter over it and point it out to other people as well.

There's a reason RFC 1918 exists, and this is one of them. Oh, by the way, be sure to look at RFC 2606, which reserves the domains,, and It also reserves the top-level domains .test, .example, .invalid, and .localhost. Remember them.

PCSF: Day Three, Thursday [Digital Bond]

Posted: 28 Aug 2008 05:26 PM CDT

UPDATE: 6:30PM, Dale

Final Thoughts

PCSF is not perfect, but it is my favorite event in the control system security space by far. One main reason is the number, variety and quality of attendees. The lunch, evening, break discussions were highly interesting and even three days had me scrambling to talk with all the people I’d like to. The venue and schedule helped maximize opportunities for these discussions.

The program was mixed. I was not a big fan of the all day plenary session on Tuesday. Some of the panels had format challenges. The quality of the sessions may have been down slightly, but that is subjective. There were some very strong sessions, and I even missed some of the more highly reviewed sessions, and the days when there were 3 or 4 tracks usually meant something interesting was going on. There may be a need to spice up the next events, more shorter presentations, perhaps PCSF classic presentations for newcomers, livelier debate and discussion sessions, etc.

I believe it is essential that PCSF continue and grow mainly because there isn’t a good alternative and starting over would be difficult. The information exchange and education at PCSF is needed. 200 people from 17 countries with little notice the week before Labor Day is impressive. Four tracks on Wednesday; three tracks on Thursday that were easily filled as submissions exceeded time. Hopefully whatever issue prevented DHS from attending will be resolved, and whatever format PCSF ends up in the future can focus on how to make this annual event and other events even stronger.


The Vulnerability Disclosure Workshop followed up the panel. There is never a shortage of opinions on this subject. Not sure we made any progress. It was interesting that Daniel and I from Digital Bond were the only ones in the room that would disclose a vuln to anyone besides the vendor [we disclose to US-CERT and Core had left].

Back to the Plenary to wrap up. A report by PCSF Brazil - - not directly affiliated with PCSF, but there have been interesting discussions about PCSF Europe and other international locations.

Home stretch.

Jason Holcomb, Bandolier

I started the morning going to Jason’s Bandolier presentation at 8AM for support. Nice job and the presentation will be posted on our site shortly.

Included in the presentation is the updated list of planned Bandolier security audit files. It is great that we were able to add Areva, Emerson Ovation and others to the list. We will update the SCADApedia page shortly.

Vendor Panel

I moved over to the vendor panel in progress, interesting group with smart guys and gals from ABB, Emerson, Honeywell, Invensys, Siemens, Telvent, and Yokogawa. Doing a little liveblogging during the Q&A

- Love the point of needing to move by Secure by Default from the ABB rep
- The Honeywell rep indicated the lifecycle may need to be reduced from 15 years to 10 years.
- Maybe it is no longer realistic to expect to have a control system with equipment and applications from 20 different vendors, Invensys rep.
- Don’t touch your switches, update IOS after installed and working??? Hello, McFly, won’t attribute that comment.
- Interesting comment from Telvent that some of the customers have them physically disable, burn out, the USB ports and other unused ports so they can never be used even if enabled in software.
- Discussion on encryption, not sure why because as one of the panelists noted integrity is much
- They asked my question “Do vendors have any obligation to provide security vulnerability mitigation for customers who do not have a current support contract?” Invensys says definitely. Siemens frames it well, out of warranty, no support contract, not current contact info . . . talks about User Group, we will always help them in an emergency - - vague but it sounds like they will help on a time and materials basis or some other cost basis. They move on to the next question.
- Do you have 3, 5, 10 year plan? Telvent focused on 5 year plans and defined a bit. Interesting they have a plan on how to bolster legacy systems until they are replaced.

Putting the Genie Back Into the Bottle [Digital Bond]

Posted: 28 Aug 2008 04:47 PM CDT

As a flurry of emails (about an as of yet not officially released control system vulnerability) show this morning, once a document goes online the damage is done. It is eternal, and it is virtually impossible to stop the dissemination of the document, or put the genie back into the bottle. This applies to any critical document be it vulnerability disclosures, network topologies, control system diagrams etc.

Google hacking is a powerful tool. Some interesting results:

FOUO filetype:pdf  shows the number of FOUO documents (pdf only try it on doc and see what you find) available via google.

scada filetype:doc shows just how easy it is to find critical control system information. Such a document can be seen at:

And don’t even get me started on what you can find when you start drilling down into a specific asset owner via google.

Why do I bring this up? Well, it serves as a reminder that we need to exercise discretion in who we share documents with, and how we make them available. Share a document with someone who is not as responsible as they ought to be and you might as well put it up on the internet yourself. Even if there isn’t a direct link to a document it still may be available to the world if the web server’s directory permissions are permissive.

The sheer amount of information available succinctly defining and diagraming critical infrastructure both here in the US and abroad is staggering. I have seen entire power distributions and generation systems’ scada, and topology diagrams available online.

Lessons for security from "Social Networks" [Emergent Chaos]

Posted: 28 Aug 2008 11:49 AM CDT

There are a couple of blog posts that I've read lately that link together for me, and I'm still working through the reasons why. I'd love your feedback or thoughts.

A blogger by the name of Lhooqtius ov Borg has a long screed on why he doesn't like the "Social Futilities." Tyler Cowan has a short on "fake following."

I think the futility of these systems involves a poor understanding of how people interact. The systems I like and use (LinkedIn, Dopplr) are very purpose specific. I really like how Dopplr doesn't even bother with a friend concept--feel free to tell me where you're going, I don't have to reciprocate. It's useful because it doesn't try to replace a real, complex relationship ("friendship") with a narrowly defined shadow of the world. (In this vein, Austin Hill links a great video in his Facebook in Reality post.)

In information technology, we often replace these rich, nuanced concepts with much more narrow, focused replacements which serve some business purpose. Credit granting has gone from an assessment of the person to an assessment of data about the person to an assessment of the person's data shadow. There are some benefits to this: race is less of a factor than it was. There are also downsides, as data shadows, blurry things, get confused after fraud. (Speaking of credit scoring, BusinessWeek's "Your lifestyle may hurt credit score" is not to be missed.)

We've replaced the idea of 'identity' with 'account.' (I'll once again plug Gelfman's Presentation of Self for one understanding of how people fluidly and easily manage their personas, and why federated identity will never take off.) Cryptographers model people as Alice and Bob, universal turing machines. But as Adi Shamir says, "If there's one thing Alice and Bob are not, it's universal turing machines." Many people have stopped Understanding Privacy and talk only about identity theft, or, if we're lucky, about fair information practices.

So the key lesson is that the world is a complex, confusing, emergent and chaotic system. Simplifications all come at a cost. Without an understanding of those costs, we risk creating more security systems as frustrating as those "social networks."

[Update: It turns out Bruce Schneier has a closely related essay in today's LA Times, "The TSA's useless photo ID rules" in which he talks about the dangers of simplifying identity into intent. Had I seen it earlier, I'd have integrated it in.]

PCSF: Wednesday, Day Two - Solution Day [Digital Bond]

Posted: 28 Aug 2008 11:00 AM CDT

UPDATE: Next day, Dale Peterson

I missed the Waterfall Solutions Unidirectional Connectivity presentation but caught up with them at the evening exhibit. They have a product that through hardware, I heard the term diode and optical communications, only allows one way communication. Hence they use the term unidirectional. It is an interesting concept that could be useful if you are pushing data from a more secure zone to a less secure zone, such as control center to DMZ. It is purely one way, so there are no acks, resend, recovery, etc. Where is this a good option?

UPDATE: 4PM, Dale Peterson

I also attended the RISI / incident database talk. I’m convinced it can work, because it has worked. The question is whether there is enough interest to do this pro bono or receive funding. Interestingly, I was thinking why would a business want to go through the effort to collect and maintain this database. Maybe one with a portal strategy??? Maybe we should talk to Mark Fabro and Eric Byres.

Bryan Singer of Wurldtech had the long slot after lunch to talk about Achilles inside. [Full disclosure: Wurldtech is a past client and current advertiser]. Actually have a few comments about this. After the 1:30 presentation I still can’t tell you what Achilles Inside is. I asked a few others, and they couldn’t either. Perhaps it was to avoid commercialism, and it could be the greatest thing ever, but the message needs some work.

There were some interesting parts of the presentation such as “Safety does not deal with intentional actions” and the impact of bridging the traffic for monitoring. Wurldtech had to specify their own hardware to minimize the impact of monitoring during testing.

A bit of discussion on vulnerability disclosure as well. Wurldtech will not release vulnerability information and is very sympathetic to the problems of patching.

UPDATE : Morning Recap, Jason Holcomb

Several good presentations and side conversations so far today.

I attended the first one “Are You Compliant or Liable? Industrial Security and Compliance Using the Holistic Lifecycle Model” with a bit of a personal agenda. I assumed those attending might also be interested in our Bandolier project so I wanted to listen for any issues that may be relevant.

(Side Note: This was presented by Clint Bodungen of CIDG, Chris Paul of Joyce and Paul, and Jeff Whitney of Berkana Resources Corporation). I do appreciate the holistic approach to compliance (CIDG’s model). In fact, I have worked on something very similar for another organization only we called it the “security framework”.

Not sure if I’m convinced on all the legal arguments made by attorney Chris Paul but IANAL, as they say. He talked a lot about potential criminal or civil liabilities based on security negligence. I’m just not sure if avoiding a lawsuit is the right motivation for control system security but I suppose it can help get the attention of some.

Next up for me was Eric Byres’ and Mark Fabro’s presentation about the Repository for Industrial Security Incidents (RISI). This is a spinoff of the work Eric did at BCIT with ISID (Industrial Security Incident Database). Here’s the overview:

  • You will need to submit an incident to the database in order to have full access (this is the same policy used with the ISID)
  • The difference with this system is there will be online access
  • There will be a paid quarterly newsletter that will provide summary information from the database — statistics, sector-specific data, etc…
  • There will be somewhere between 75 and 150 incidents in the database from the beginning

They are actively gathering input on if and how to carry out this project so I’m sure they would love to hear from you if you have an opinion. There will be some challenges for them but I am definitely curious to see what this looks like in final form.

I rounded out the morning with “Control Systems Threat Awareness” by Robert Huber and Sean McBride of INL. These guys have used various data collection points to help understand the current threat and trends over time. It was a good follow-up to yesterday’s presentation by Stephen Gill of Team Cymru. It was a well-organized compilation of threat data. They’ve taken many of the things you’ve heard, such as control system presentations at hacker conferences, and plotted them in a measurable way that illustrates an increasing “adversary interest”.

One of the really interesting slides did a comparison of how control system application vendors make their security contact information available versus that of the big traditional IT software companies. It measured the percentage of the two groups that had a /security web page and a dedicated e-mail address for security issues, a standard of sorts for interfacing with the security research community. As you might imagine, the results showed that only a very small minority of the control system application vendors followed the practice.


Thinking back on day one, the highlights for me were Phyllis Schneck’s keynote and Mark Fabro’s closed to press presentation. Plenary sessions are tough because it is hard to calibrate the presentation to a large audience with very different experience and interest levels.

Day two is called solution day. There are four tracks going on and then an exhibit tonight. I find these sessions more interesting than the plenary event. There are more details and more focused.

When Good Traffic Goes Bad: When is Application Traffic Too Much?

Daniel Peck from Digital Bond joined Tom Maufer of Mu Dynamics and Kevin McGrath of ABB in this presentation. Interesting denial of service examples from Brown’s Ferry Unit 3 Scram [too much traffic to a PLC], Amazon S3 [too many logins], and Ralph Langner’s OPC DoS paper from S4. Ralph showed how very long group names and too many client connections could exhaust all resources and cause a DoS. The OPC applications did not have any limits.

Vendors can improve the situation through rate limiting, syn cookies and source filtering, as well as beefing up their logging. Asset owners should consider quality of service measures, and maybe there is a case for looking at load balancing rather than purely redundancy?

Lots of good talk on the importance and methods for vendor testing, followed now by Mu doing a demo of some testing options with their product.

Guess what - - the demo didn’t work - - may have been for the best as the Q&A was more interesting.

Knujon Investigates Rogue Registrar [Infosecurity.US]

Posted: 28 Aug 2008 10:47 AM CDT

Knujon has released a report detailing the illicit activities of a rogue internet domain registrar (sanctioned by ICANN no less) that is apparently responsible for a statistically significant amount of illicit internet traffic. The registrar in question is monikered Directi Group.

Phantom Registrars, Fake Pharmacies, and the Secret Infrastructure

Garth Bruen said, “In our continuing effort to shed light on the dark corners of the Internet we have produced this report on the Directi Group, a fairly large player in the Registrar world. We have highlighted their use of the controversial service, their association with EstDomains, their continued sponsorship of fake pharmacy domains, and their apparent ability to get Registrar accreditations for 48 Phantom Companies.”

Fortinet Retains Certification [ICSA Labs - Network IPS Testing]

Posted: 28 Aug 2008 10:00 AM CDT

ICSA Labs Network IPS testing is not a once-and-done test. Instead products must maintain their certification once attained. There is an annual test as well as testing after the vulnerability set is updated. Fortinet's annual testing recently completed and they retained their certification for their FortiGate models. They are now in the midst of testing against the latest vulnerability set. See the report from annual testing.

BGP Security, a fragile foundation? [Phillip Hallam-Baker's Web Security Blog]

Posted: 28 Aug 2008 09:41 AM CDT

So yet again we have a round of press concern about the security of the Internet infrastructure. This time the concern is BGP.

And yet again the press is asking why nobody knew about it &ct. &ct. And yet again the answer is that this problem was known and work has been underway to fix it for a very long time. I discuss the problem of fixing BGP security in my book The dotCrime Manifesto. I have been in meetings discussing BGP security at the IETF and elsewhere over the past four years.

As with the DNS security issue, there is a real vulnerability that we need to fix, but the significance of the vulnerability is much less than is being made out. The criminals have also known about the vulnerability and have found it less profitable than other techniques.

The biggest risk from a network layer attack is that the perpetrator would redirect traffic going to a bank site or an online store to their own site. This particular risk was addressed in 1995 when SSL was introduced. We knew then that the DNS and the BGP layers might be compromised and SSL security was designed to be secure even if an attacker had complete control over those layers. Public key cryptography is a very powerful tool, we do not have to secure the lower network layers in order to achieve security at the application level.

There is a residual risk from a network layer attack, while banks and online stores are usually protected by SSL, many popular sites are not. If an attacker redirects one of those sites they could drop malware such as a keystroke logger onto incorrectly configured machines attempting to visit the site.

What is to be done? Well in the first place, people must take care to only accept requests to install software on a machine if the code is signed by a trustworthy provider. And if you are running Windows, upgrade to Vista and take advantage of the six years of extra effort Microsoft have put into security design since XP. The Vista code base is much more robust than XP in my experience: I have run it for over a year now and the only issues I have had have been caused by faulty hardware.

Update on the Aircell / VoIP-on-a-plane prohibition - and an Aircell response [Voice of VOIPSA]

Posted: 28 Aug 2008 09:06 AM CDT

After my two posts on Tuesday explaining how Aircell was probably blocking VoIP and then why the Phweet/Tringme worked (temporarily), there have been a number of other posts that should be mentioned here:

  • Om Malik posted “Aircell: On U.S. Planes, VoIP Will Be Muted” where he relayed a conversation with an Aircell spokesperson that included this classic quote: “we are doing our best to make VoIP services unusable.” Some of the comments on Om’s post are quite good, too.

    Om also relayed that Aircell indicated that Phweet/TringMe will no longer work on their service. As I expected, they blocked the traffic pattern of the service. Aircell will engage in the Whack-A-VoIP-Call and over time they will build up an increasing number of patterns that they will block.

  • The folks at Tringme posted “TringMe Conversations (Phweet, Aircell & TringMe Traffic Patterns)” which includes this interesting part (my emphasis added):

    TringMe uses TCP and it was a conscious decision. We developed a sophisticated congestion control and packet handling algorithms which allowed us to achieve the advantage of UDP over a reliable TCP connection at good extent. As Dan and others would have noticed, we send traffic in varying small and larger blocks depending on network conditions which is way different from a typical VoIP traffic patterns. This kind of pattern was not meant to break any VoIP blockages, however the goal was to get the best quality even on slower or congested links & we were able to meet the design goal successfully.

    What is interesting here to me is that they do vary the pattern that they use. While this certainly could happen with other VoIP solutions depending upon codec selection, etc., I haven’t seen much variance in actual deployments (outside of Skype, which does vary according to how it is punching through a firewall). The TringMe folks go on to talk about the advantages of TCP (with of course a bit of a sales pitch for why you might want to use their client).

  • Dean Foust at Business Week posted “You CAN make VOIP calls on airplanes. Joy.” expressing his curmudgeonly view that VoIP-on-a-plane was not at all desirable. (As I said in P.S. to my 2nd post, I definitely think there are larger societal/cultural issues that we need to work out about whether or not VoIP on a plane is something we really want to have.)

  • Irwin Lazar posted on the Enterprise 2.0 blog “American Airlines Aircell Reaction” and made the comment:

    Dan York suspects that this will lead to an arms race as Aircell fights VOIP users. I think he's right, but I don't think more than a handful of users will care enough to fight the battle.

    To a certain degree, Irwin’s probably right. Some small % of users will actually care enough to try to find ways around Aircell’s blocking. Most folks won’t and will just accept that they can’t use VoIP. Irwin also has some good comments about the impacts of VoIP availability on virtual workers and eliminating the “escape from the office” time that flyers have today. (Some people will want to be “always-on” while others will not.)

  • Andy Abramson posted “From the Department of Stupid Is as Stupid Does-Aircell” pointing out that Aircell sells VoIP solutions for airplanes and thus it is a bit strange to see them also saying “No VoIP on planes!” (Although their position is that this is the policy of their customer, American Airlines.)


Speaking of Aircell’s position, I did receive a nice note from someone with Aircell’s PR firm that stated this:

Thanks for your informative posts about Aircell and the use of VoIP on Gogo today - good reading. We’ve been asked by many outlets for an official response to the VoIP attempts on Gogo so in case you are interested, here is Aircell’s official statement:

It is against American’s policy and Gogo’s terms of service to use VoIP. Aircell has multiple protocols and practices in place to prevent the use of VoIP. Obviously, it is extremely difficult to stop every instance of VoIP but Aircell is monitoring and working constantly to enforce American’s policy and Gogo’s terms of service.

To a certain degree, this statement reminds you that at the end of the day Aircell is simply the service provider implementing the policy of the customer. So it’s really the American Airlines policy that has the VoIP prohibition….. but….

I could go along with that except for one minor little detail. The Gogo Terms of Service very clearly state the VoIP prohibition. The ToS also states very clearly that the Gogo Inflight Internet Service is provided by Aircell LLC. There is no mention at all in the ToS of American Airlines. Is this Gogo service provided ONLY to American Airlines? Was it created for only American Airlines? Will it not be sold to any other airline?

If it was only created for American Airlines and will only be used by American flights, then sure, the Gogo ToS line up with the customer’s policy. If this is intended to be a generic service and American just happens to be the first customer then I think it’s a bit unfair for Aircell only to be pointing to American. It is, after all, Aircell’s ToS.

But perhaps that’s getting too far down in the semantic weeds…

Palestinian Al-Fatah Hackers Attack Hamas Military Web Site [Infosecurity.US]

Posted: 28 Aug 2008 09:03 AM CDT

yNet’s Roee Nahmias (with contributions from Niv Lillian and Erez Ronen) reports an attack on one Palestinian faction’s web site by an opposing faction. This time, evidence points to Fatah hackers defacing a Hamas military site.

Blue Box Podcasts #81 and #82 now available for download… [Voice of VOIPSA]

Posted: 28 Aug 2008 08:17 AM CDT

After a long hiatus, I’m finally starting to get Blue Box episodes flowing again. I’ve just put up two in the past two days:

And I have some more special editions I’m looking to put out soon. This summer was a bit chaotic for me with a physical move from Vermont to New Hampshire, but I’m hoping things are now settled down enough that I can get back into regular production of these episodes….

iPhone Passcode Lock Security Flaw [Vincent Arnold]

Posted: 27 Aug 2008 10:45 PM CDT

Well that didn’t take long…

Enabling your passcode lock and setting up a certain home key shortcut could expose your iPhone if you’ve upgraded to version 2.0.2


Best Western: 10 Guests Suffered Data Loss, Not 8 Million. [Infosecurity.US]

Posted: 27 Aug 2008 06:14 PM CDT

Computerworld’s Jaikumar Vijayan reports Best Western now claims only 10 guests have suffered data loss in the recent exploit perpetrated against the hotel chain.
