Monday, September 1, 2008

Spliced feed for Security Bloggers Network

11 october worldwide action day against surveillance society [belsec] [Belgian Security Blognetwork]

Posted: 01 Sep 2008 04:30 AM CDT

A broad movement of campaigners and organizations is calling on everybody to join action against excessive surveillance by governments and businesses. On 11 October 2008, concerned people in many countries will take to the streets, the motto being "Freedom not fear 2008". Peaceful and creative action, from protest marches to parties, will take place in many capital cities.

For Belgium, contact the organisation below for more information about actions that day (you are free to send that info here for republishing, and some pics afterwards).

Please contact: Liga voor Mensenrechten, http://mensenrechten.be/

Document of the day: the delusions of net neutrality and online video streaming [belsec] [Belgian Security Blognetwork]

Posted: 01 Sep 2008 03:45 AM CDT

Abstract.

If service providers are to derive significant revenues and profits by exploiting freedom from net neutrality limitations, they will need to engage in much more intrusive control of traffic than just provision of special channels for streaming movies.

Service providers argue that if net neutrality is not enforced, they will have sufficient incentives to build special high-quality channels that will take the Internet to the next level of its evolution. But what if they do get their wish, net neutrality is consigned to the dustbin, and they do build their new services, but nobody uses them? If the networks that are built are the ones that are publicly discussed, that is a likely prospect. What service providers publicly promise to do, if they are given complete control of their networks, is to build special facilities for streaming movies. But there are two fatal defects to that promise. One is that movies are unlikely to offer all that much revenue. The other is that delivering movies in real-time streaming mode is the wrong solution, expensive and unnecessary.

The delusions of net neutrality

Andrew Odlyzko -

School of Mathematics, University of Minnesota  Minneapolis, MN 55455, USA - Revised version, August 17, 2008

 

hacked nobody wants ICT to be that open.... [belsec] [Belgian Security Blognetwork]

Posted: 01 Sep 2008 02:30 AM CDT

belsecTV anti terrorism policy in UK [belsec] [Belgian Security Blognetwork]

Posted: 01 Sep 2008 02:15 AM CDT

Dispatches - Spinning Terror - 48 min - 10 March 2006
Channel4 - Dispatches

With Britain facing the greatest terrorist threat in our history, the nation trusts the government to devise policies to protect the nation. But Dispatches reporter Peter Oborne reveals that our trust may be misplaced. He presents the case that the government has reacted to the London bombings by rushing through anti-terror policies motivated by the desire to ward off tabloid criticism, gain electoral advantage and make the government look strong. - Welcome to the New World Order agenda, everyone.

freeware of the day Active Ports 1.4 [belsec] [Belgian Security Blognetwork]

Posted: 31 Aug 2008 11:45 PM CDT

Active Ports is an easy-to-use tool for Windows NT/2000/XP that enables you to monitor all open TCP/IP and UDP ports on the local computer. Active Ports maps ports to the owning application, so you can watch which process has opened which port. It also displays the local and remote IP address for each connection and allows you to terminate the owning process. Active Ports can help you detect trojans and other malicious programs.

http://www.download.com/Active-Ports/3000-2085_4-10062969.html?cdlPid=10121832
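The port-to-process mapping Active Ports performs is easy to reproduce from the text that `netstat -ano` and `tasklist` already give you, and doing so in a script lets you compare the result against a baseline of what should be listening. The following is an added example, not Active Ports' own code: the netstat lines, the PID-to-image-name table and the baseline are constructed sample data rather than output captured from a real host.

```python
"""Map listening TCP/UDP ports to their owning process, the way Active Ports
does, from text in the layout of Windows `netstat -ano` output.

Added example (not Active Ports' own code). The netstat lines, the
PID-to-process table and the baseline below are constructed sample data.
"""
import re
from collections import namedtuple

Socket = namedtuple("Socket", "proto local_addr local_port remote state pid process")

# Constructed sample of `netstat -ano` output (banner and header kept on purpose).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2222           0.0.0.0:0              LISTENING       4120
  TCP    192.168.1.10:49213     203.0.113.5:443        ESTABLISHED     2316
  UDP    0.0.0.0:123            *:*                                    1044
"""

# Constructed PID -> image name table (what `tasklist` would give you).
PROCESS_TABLE = {
    4: "System",
    880: "svchost.exe",
    1044: "svchost.exe",
    2316: "firefox.exe",
    4120: "svchst.exe",   # look-alike name on an unusual port: worth a review
}

# One netstat data row: proto, local addr:port, foreign addr, optional state, PID.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+"
    r"(?:(LISTENING|ESTABLISHED|TIME_WAIT|CLOSE_WAIT|SYN_SENT)\s+)?(\d+)\s*$"
)


def parse_netstat(text, process_table):
    """Return Socket records, joining each PID to its process name."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # banner, blank lines and the column header don't match
            continue
        proto, laddr, lport, remote, state, pid = m.groups()
        pid = int(pid)
        sockets.append(Socket(proto, laddr, int(lport), remote, state or "",
                              pid, process_table.get(pid, "<unknown>")))
    return sockets


def _is_listener(s):
    # UDP sockets carry no state in netstat output; treat any bound one as a listener.
    return s.state == "LISTENING" or s.proto == "UDP"


def listening_ports(sockets):
    """Map 'TCP/135'-style keys to the owning process name, listeners only."""
    return {f"{s.proto}/{s.local_port}": s.process for s in sockets if _is_listener(s)}


def unexpected_listeners(sockets, baseline):
    """Listeners whose (proto, port, process) triple is not in the known baseline.

    `baseline` is the set of triples you expect on this host; anything else is
    what the 'detect trojans' use of the tool is about.
    """
    return [s for s in sockets
            if _is_listener(s) and (s.proto, s.local_port, s.process) not in baseline]


# Constructed baseline for the sample host.
BASELINE = {("TCP", 135, "svchost.exe"), ("TCP", 445, "System"), ("UDP", 123, "svchost.exe")}

if __name__ == "__main__":
    socks = parse_netstat(NETSTAT_SAMPLE, PROCESS_TABLE)
    for key, proc in sorted(listening_ports(socks).items()):
        print(f"{key:<10} {proc}")
    for s in unexpected_listeners(socks, BASELINE):
        print(f"REVIEW: {s.proto}/{s.local_port} owned by PID {s.pid} ({s.process})")
```

On a real host you would feed it the captured output of `netstat -ano` and a PID table built from `tasklist`; the baseline is the part that takes thought, since it has to be taken from a known-good state of the same machine.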

Microsoft patent of the day [Roer.Com Information Security Blog - Information security for entrepreneurs]

Posted: 31 Aug 2008 11:32 PM CDT

On August 19, 2008, Microsoft was granted a US-Patent:

"a method and system in a document viewer for scrolling a substantially exact increment in a document, such as one page, regardless of whether the zoom is such that some, all or one page is currently being viewed".

Dave Lewis claims this means that Page-up and Page-down are hereby patents owned by Microsoft. I think Microsoft has now also patented using arrows to navigate: if you use your arrow-up or arrow-down in MS Word, you are taken one line up or down, or you are "scrolling a substantially exact increment in a document...".

The same happens using the elevator shafts - moving left/right, or up/down. It may also apply to the shortcuts to jump forward/backward to pages, columns, tables and images.

I agree with Dave that the US Patent system is long overdue for a revision. If it continues like this, anyone with a bit of cash and a way with text can claim patents for anything and everything.

What does this mean to your business? You may risk that someone shows up one day and asks you to pay a license fee for using things you take for granted, like your keyboard. But the most likely scenario is for someone to take your technology, the technology you have spent time, money and effort on developing, and register a patent on it. Using that patent, they own the rights to the technology you developed, and they will cash in on it.

How can you avoid this scenario?

Be sure to register your patents as you go. Spend the money, as it is the only way to ensure that no-one else does it. To SMEs the cost of patents may seem high, but consider it an investment: if you fail to register, the whole value of your development is gone (since if your technology has any chance of making money, someone will register it as a patent, and you will pay them to use your own technology...).

What are your experiences with patents?

Sources:
ZDNET
Liquidmatrix (Dave Lewis)


Gustav sure is pretty… [An Information Security Place]

Posted: 31 Aug 2008 07:23 PM CDT

…but deadly.

Vet

Help us. CCC is still looking for (security) talks for 25C3. [Security4all] [Belgian Security Blognetwork]

Posted: 31 Aug 2008 06:41 PM CDT



If you think you can give an interesting talk for the 25th Chaos Computer Congress, please submit it to the CFP. Help us make this 25th edition a special one !!!!!

You still have lots of time to hand in your talks for the 25th Chaos Communication Congress, as submissions are due October 5th, 2008 (Midnight UTC). Then again, you may not want to wait too long.

We currently have about 70 submissions in our queue and there is definitely room for more. Some of the proposals for talks we received are very good and will probably make it into the final program of the Congress. However, some make us scratch our heads: With nothing more than a title and a name of a speaker entered, it's rather tricky to decide if the submission is any good.

Please take your time and read through the submission guidelines carefully. At the very least, we need a description and an abstract for both the talk and the speaker. We also love to see pictures of the speaker and maybe a nifty title graphic for the talk. The more complete your submission is, the better. Now go and hand in that presentation that will change the lives of 25C3 visitors forever. The deadline is only a bit over one month away… (Source CCC Event Blog)

The Chaos Computer Congress is the annual four-day conference organized by the Chaos Computer Club (CCC) in Berlin, Germany. First held in 1984, it has since established itself as "the European Hacker Conference", attracting a diverse audience of thousands of hackers, scientists, artists, and utopists from all around the world.

We want you to join and be a part of this unique event which serves as a public platform for cross-culture inspiration and borderless networking. 25C3 is fun!

Related posts:

(Photo under Creative Commons from antenne's photostream)

Twitter Weekly Updates for 2008-08-31 [/dev/random] [Belgian Security Blognetwork]

Posted: 31 Aug 2008 04:59 PM CDT

  • back home… flooded by mail, rss, twits, … Heeeeelp! #
  • Barbecue time! (before the thunderstorms) #
  • PPP/LCP suxx! Grrrrrr #

CISSP Seminar in MALTA [Malta Info Security]

Posted: 31 Aug 2008 02:43 PM CDT


We are pleased to announce that Computer Domain will be holding a CISSP Seminar details of which are below:

Date : Monday 27th October - Friday 31st October 2008

Time: 0830hrs to 1730hrs

Download Application Form

Download CISSP syllabus information

We were advised that this course is fully covered by the myPotential scheme. More information can be obtained by directly contacting Computer Domain. Remember that should your inquiry originate from Maltainfosec, you will be eligible for a special discount on the course.

UPDATE: Computer Domain are now offering an early bird registration discount of €350 for those who apply and pay before the 15th September 2008.


"Under European rules, every plane must carry a “contingency” load of about 5%..." [Security Circus]

Posted: 31 Aug 2008 11:08 AM CDT

Under European rules, every plane must carry a "contingency" load of about 5% of a trip's fuel, and enough to divert to an alternative airport. Across the airline industry, captains also have a duty to anticipate delays from headwinds, storms and rerouting, and to request extra fuel to cope with this. Pilots at Ryanair, Europe's largest low-cost airline, must now abide by a limit of 300kg of extra fuel, costing £180. This provides about five minutes of extra stacking time for a Boeing 737. Evan Cullen, a pilot with 19 years' experience and president of the Irish Air Line Pilots' Association, said commercial pressure on pilots to pare down the fuel they carry was compromising safety. –Ryanair fuel ration angers pilots - Times Online

It's all about presentation. [Security Circus]

Posted: 31 Aug 2008 09:05 AM CDT


It's all about presentation.

Reposted from terrorobe via ver0nika


Credit-card companies killed Mythbusters segment on RFID vulnerabilities [Security Circus]

Posted: 31 Aug 2008 08:58 AM CDT

Olympic streaming of video numbers [belsec] [Belgian Security Blognetwork]

Posted: 31 Aug 2008 08:45 AM CDT

In one of the single most ambitious media projects in history, NBC presented more than 3,600 hours of broadcast coverage during the 17-day event. Viewers of NBC's coverage of the Beijing Olympic Games used their PCs and laptops to access 2,200 hours of video that they could play back on demand, as well as 3,000 hours of highlights, rewinds, encores and scoring results. Individuals are also watching video and viewing results on their smartphones. Here are some of the record-breaking NBCOlympics.com video traffic statistics:

  • Video Streams: 75.5 million for Beijing, 10.8 million for Athens and Torino Games combined (+601%)
  • Unique Users: 51.9 million for Beijing, 25.2 million for Athens and Torino Games combined (+106%)
  • Page Views: 1.24 billion for Beijing, 561.1 million for Athens and Torino Games combined (+122%)

My comment: so let's conclude, the number of viewers only doubled and they only viewed double the number of pages, but they clicked on 6 times more streams. The problem is that these numbers don't differentiate between live streaming and hosted video, so the network impact isn't that clear. Secondly, it is not clear if they used proxies and mirrors or embedded videos with it.

How true!!! (via Rehabilitating Mr. Wiggles) [Security Circus]

Posted: 31 Aug 2008 06:18 AM CDT


How true!!! (via Rehabilitating Mr. Wiggles)


Monkey puzzle [IT Security: The view from here]

Posted: 30 Aug 2008 05:11 AM CDT

1. A new project comes in, a business analyst (BA) takes the requirements of the business, turns this into a business requirements document (BRD) and sends it to the architecture team.

2. An application architect takes a look at the BRD and maps out the general plan, making notes of how this would best be turned into an architectural plan. This architectural requirements summary (ARS) is passed to an implementation team, who are contracted to the company.

3. The ARS comes back with timescale plans and an idea of how much the project will cost, and the architecture team, including a security architect, look at the plans and turn it into an architectural requirements document (ARD).

4. The ARD is passed back to the implementation team and turned into a 100% solid gold project which works seamlessly and without issue, thus generating business and money and fairy dust.

3, 2, 1... and you're back in the room, where an architect has just sent you an ARS for which no BRD existed. A vendor came in and showed a business team a solution to a problem which did not exist, and they decided that it had to be purchased because their Mum knows one of the vendor guy's Mums and they're all going on holiday together (not sure that bit actually happened). The BA engaged the implementation team directly, who grudgingly engaged the architects, telling them it had to be done this way, and could they help write a BRD which it would fit?

As a security architect you sit there and lap up the challenge. You run to the application architect and tell him that the solution is a load of crap, and you know a better solution, hell you've worked for companies which made better solutions as recently as last month. The architect agrees wearily, and says that it will never happen because the business has already decided that this is the requirement. Confident that you can make a difference you go to the infrastructure architect and say that from a strategic point of view using point solutions for each project is crazy and there is a better solution available that will touch on every project you currently have running. He agrees, and wearily explains the politics which prevent him from changing anything. Not discouraged, you call a meeting with the BAs from the business and the implementation team (an outsourcer) who explain that they understand the situation, and can you help them write the BRD for the business...
"What if we find that the solution doesn't meet the BRD?", you ask.
"Well, you'd better have a really good reason."
"?"
So you're obviously confused at this point. Do you toe the line and write the BRD, risking an insecure solution but pleasing the business for the short term, or do you write an impossible BRD which presents really good reasons not to buy and risk pissing everyone off?

--------------------------------------------------------------

"It's like the monkeys in the lab and the banana", explained my sage friend John, "do you know the story?" I had to admit that the story about monkeys that I knew didn't seem to quite fit.

"If you put 10 monkeys in lab conditions", he started, "with a banana at the top of a tree, eventually one will start climbing to get it." I agreed, so far it sounded plausible, except maybe this being "lab conditions".

"Now, if you start to spray the ones at ground level with water each time one climbs up for a banana, they will club together to stop him, because they don't want to get wet."

"After a while, they all stop trying to get the banana, and when you introduce a new monkey, even though you stopped spraying water a long time ago, they'll just stop him from getting the banana like they always have done before..."

"Ah, OK" I said, realising I had just been compared to a monkey, "that's not quite the story I had in mind, but it amounts to the same thing."

"How so?" - John again.

"We're all monkeys in trees, it just depends on where you look. It doesn't matter how far up the tree you go, if you look down you see a sea of smiling faces, if you look up it's just arseholes."

-- Boom boom --

Thank you ladies and gentlemen, I'll be here all night.

Links for 2008-08-29 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 30 Aug 2008 12:00 AM CDT

How To Become A Security Blogger? [Anton Chuvakin Blog - "Security Warrior"]

Posted: 29 Aug 2008 01:07 PM CDT

I know, I know. Some might say that it is a silly question since you rarely seek to become a blogger - you just become one.

However, I got a few emails from my readers asking me something along these lines, thus this post. For example, I got asked "Should I focus more on targeting security professionals or general IT users?", "Any pitfalls I should be aware of?" as well as general questions about how to start, what content is best, etc., all the way to "How did I profit from my blog?"

 

Q: Who should I blog to?

A: Blog to colleagues first i.e. infosecurity pros. Blogging to IT or general public is - in some sense - harder or - gasp! - will turn you into a journalist (someone who knows nothing about everything BUT writes about it as an "expert" :-)) Maybe you can broaden it later. Even better, write for YOU (!)

Q: What area of security I should focus my blogging on?

A: Focus on the area of security that you like the most or know the most: IDS? Patching? PIX administration? Linux? AD esoterica? Logs, maybe? :-) Then broaden if you feel like it or as you learn new areas.

 

Q: Any advice on site design, themes, etc?

A: Site design, themes, etc will all come later; just pick something basic and FOCUS on content, not on SEO, design, etc. MUST have RSS feed; make it highly visible (HTML is out, RSS is IN :-))

 

Q: Any security blogging pitfalls that I should avoid? Any other tips?

A:

  • Don't stick to only long, deep posts? Unbelievably, people often prefer shorter posts or a mix of short/shallow and longer/deep posts (that came as a shock to me early on!)
  • Tips on how to do whatever useful work well; comments on hot issues (that you understand) works too for a shorter post.
  • Definitely comment on other bloggers posts (more often early on, later - as you wish...)
  • Avoid long breaks in blogging (>7 days); it will lead to reader loss (you should only care about it later - focus on fun content first!)
  • Join Security Bloggers Network (drop an email to Alan Shimel for it)

Q: Has blogging in this niche generated any income for you? If so, how much?

A: Exactly $0. The reason is that I never wanted to "monetize" my blog; I don't have banners, etc. This is by design.

Q: How did it help your professional career in a significant way?

A: Yes, I think it helped my career and connected me to a lot of fun people! I sure hope I am not "known only as a blogger", but a blog can definitely make one much more known professionally, especially if you create fun and/or useful content.

Overall, a blog is a time commitment, but it is also a passion. It does help your career, but "forcing" yourself to do it just for "career benefits" is, IMHO, a wrong approach.

Yo, my fellow bloggers; help the newbies out, will ya?! Let's start a series of posts on "how to be a good security blogger!"

Don't Hassle the Hoff: Recent Press & Podcast Coverage & Upcoming Speaking Engagements [Rational Survivability]

Posted: 29 Aug 2008 10:53 AM CDT

Here is some of the recent press coverage on topics relevant to content on my blog:

  • Information Week: Virtualization Has A Security Blind Spot
  • Information Week: Securing Virtualization, or is that Virtualizing Security?
  • Network World: Black Hat speakers expose virtualization, OS security gaps (**NOTE: Please see here, VERY important)
  • Network World/Computerworld: Black Hat spotlights virtualization, DNS issues (**NOTE: Please see here, VERY important)
  • SearchSecurity (Australia): Could securing virtualised environments destroy ROI?
  • SearchSecurity: Initial virtualization costs could outweigh benefits
  • Computer Zeitung: Today's Security Products Aren't Ready For Virtualised Data Centres
  • Wall Street Journal: Hackers On the Move
  • Baseline: Managing Mobility In the Enterprise
  • ITWorld: Pros and Cons of VMware's New Security Guide

Podcasts/Webcasts/Video:

I am confirmed to  speak at the following upcoming events:

I will be attending the following events:

/Hoff


Password reset unsafe! Personal information easy to discover! [Security Karma]

Posted: 29 Aug 2008 10:30 AM CDT

Ok, I admit... the typical reader of Scientific American is probably not the most Internet-savvy person out there, and I actually loved Herbert H. Thompson's article "How I Stole Someone's Identity." Mr. Thompson does a good job explaining how to footprint a person online and begin compromising account after account of theirs simply by using the password reset feature and the "security questions" that are used to validate identity.
For many of us, the abundance of personal information we put online combined with the popular model of sending a password reset e-mail has our online security resting unsteadily on the shoulders of one or two e-mail accounts. In Kim's case some of that information came from a blog, but it could just as easily have come from a MySpace page, a sibling's blog (speaking of their birthday, mom's name, etcetera) or from any number of places online.
To someone that has been around information security for a while now, none of this is news. This is actually a little old-school footprint and crack. The problem is: in the old days, the hacker would have to go to great lengths to investigate their marks. As this article shows, those days are gone, and now with a simple web search we can find out almost everything about a person. All of our digital shadows are getting longer, and keeping track of every account we've signed up for is getting more and more difficult.
It's also critical to remember that once you put data online, it's almost impossible to delete it later. The more you blog about yourself, the more details you put in your social networking profiles, the more information about you is being archived, copied, backed up and analyzed almost immediately. Think first, post later.
Great article and well worth the read.

I'll be posting more about the new risk model in the 2.0 world soon.
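The weak link the post describes is a reset flow whose proof of identity is a fact about the user that the web already knows. The defensive alternative is a reset secret nobody can look up: a random, single-use, short-lived token delivered to the registered address, with only its hash stored server-side and a reset form that answers identically whether or not the account exists. The following is an added example written for this post, not code from the post or from Thompson's article; the user names are constructed, the in-memory dict stands in for a database, and the 15-minute lifetime is an assumption.

```python
"""Password-reset tokens that don't rest on guessable 'security questions'.

Added example, not code from the post or from the article it discusses.
The store is an in-memory dict standing in for a database; user names
are constructed sample data and the 15-minute window is an assumption.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumption: 15-minute reset window


class ResetTokenStore:
    """Issues single-use, time-limited reset tokens and stores only their hash.

    Storing the hash means a read of the database (backup, SQL injection,
    log leak) doesn't hand out usable reset links.
    """

    def __init__(self):
        self._by_hash = {}   # sha256(token) -> (user, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now=None):
        """Return the raw token to put in the e-mail; only its hash is kept."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._by_hash[self._digest(token)] = (user, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, now=None):
        """Return the user for a valid token and burn it; None for any failure.

        Unknown, expired and reused tokens all yield the same None, so the
        endpoint leaks nothing about which case applied.
        """
        now = time.time() if now is None else now
        digest = self._digest(token)
        # Compare against every stored digest in constant time rather than
        # letting a dict lookup short-circuit on the first differing byte.
        match = None
        for stored in list(self._by_hash):
            if hmac.compare_digest(stored, digest):
                match = stored
        if match is None:
            return None
        user, expires_at = self._by_hash.pop(match)   # single use, expired or not
        if now > expires_at:
            return None
        return user


def request_reset(store, known_users, username, send_email, now=None):
    """Handle the 'forgot password' form without confirming which accounts exist."""
    if username in known_users:
        send_email(username, store.issue(username, now))
    # Same response either way, so the form can't be used to enumerate users.
    return "If that account exists, a reset link has been sent."


if __name__ == "__main__":
    store = ResetTokenStore()
    outbox = []
    print(request_reset(store, {"kim"}, "kim", lambda u, t: outbox.append((u, t))))
    print(request_reset(store, {"kim"}, "nobody", lambda u, t: outbox.append((u, t))))
    user, token = outbox[0]
    print("redeemed for:", store.redeem(token))    # kim
    print("second use:", store.redeem(token))      # None
```

The token replaces the security question rather than sitting beside it; the post's point is that the question's answer is the thing an attacker can research, so adding it as a second factor buys nothing. What this does not fix is the dependency on the mailbox itself, which the post also names: the reset token is only as safe as the e-mail account it lands in.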

What Isn't Best Western Telling Us? [Sunnet Beskerming Security Advisories]

Posted: 29 Aug 2008 12:11 AM CDT

Reports of a recent data breach at Best Western were vigorously refuted by the company, but is there something else going on in the background that is not being acknowledged by the company?

From the initial reports, more than 8 million Best Western customers may have had their details captured following unauthorised system access. Best Western's assertion that only one hotel and 13 records were affected didn't attract many supporters, and their assertion that their adherence to PCI DSS requirements ensured customer safety was even less well received.

At the moment all that is happening is that the Glasgow Sunday Herald (and their source at Prevx) and Best Western have made contrasting claims on the incident, and neither has provided much more by way of evidence for their claims. Claims that it is the world's biggest cyber heist, when it isn't by a long way, would put the burden of proof on the Sunday Herald.

The difference between 13 records and 8 million is significant, but it does raise the question of how Best Western knew that it was only those few records that had been accessed. 13 just isn't the sort of number that people tend to make up when they are making vague claims about quantities. As reported by Best Western, it was antivirus software that managed to identify the trojan horse that had been installed to try and capture credentials at a single European Best Western hotel.

There are questions being asked about Best Western's claims that recorded credit card details are destroyed after a period of time and whether this claimed breach indicates a failure to adhere to Level One PCI DSS requirements (assuming they are top level PCI DSS), particularly the requirements for a Data Security Assessment and Quarterly Network Scan. Perhaps the rapid discovery of the breach and limited account access claimed by Best Western was achieved through adherence to this requirement, but there are not many who place much faith in this idea, or in the PCI DSS auditing requirements.

There is also the possibility that any breach was targeted at Identity Theft first, financial theft second, so the PCI DSS requirements aren't going to do much to stop that from happening.

How can Best Western ease a lot of concerned observers' fears? If they re-issued their press release (or even a new one) identifying when and how the compromised system was identified and taken offline, and then acknowledged that the PCI DSS is only one means to protect sensitive data and forms part of a layered defence strategy, then it would go a long way to achieving this goal.

It isn't often that the benefit of the doubt is given to a company involved in a data breach, but in this case it is leaning slightly towards Best Western. At the end of the day, Best Western has been tarnished by their response to this issue, and if they cannot adequately address the concerns identified above, then there is little else to do but assume that the worst outcome reported by the Sunday Herald is what happened. Of course, if the evidence of the attack is released by other means, then that, too, would validate the claims of one side.

Links for 2008-08-28 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 29 Aug 2008 12:00 AM CDT

Remember the BBS? [spylogic.net]

Posted: 28 Aug 2008 08:43 PM CDT

BBS where did you go?

Some of you should remember what a BBS is (Bulletin Board System)...

I grew up a child of the 80's and when I got my first computer (actually an Apple ][e)...all the rage for geeks was connecting to your local BBS and checking out the awesome text based games and reading messages from other users on the BBS (believe me, it was fun back then!). All of this was at a blazing 1200 baud...and that was if you were lucky to own the latest technology (I had started with a 300 baud modem...couldn't fork out the cash for a 2400 baud modem...woo hoo)! Some of you in the Cleveland, Ohio area might remember the "Cleveland Free-Net" which was part of the Free-Net project. Cleveland Free-Net was the first community BBS of its kind in the country. Funny thing was that I got really into it and ended up running my own n00b BBS called "The Laughing Goblin Inn" with my own dedicated phone line that I convinced my parents that I needed! I also got myself a massive 40 MB (yeah, that's megabytes) external hard drive to hold all my Apple "warez".

Via Hack a Day:

"[Lief Bloomquist] was in need of some geeky nostalgia. He thought making a BBS server on a Commodore 64 would fill that need perfectly. He used a PC running some routing software to make the BBS server available over the net, without any long distance charges. Anyone with an Internet connection can telnet to the BBS and join the fun."

The setup this guy is using is really simple. It's basically a Windows PC that is used to bridge between the Internet and the Commodore 64. The PC and Commodore are connected through a null modem cable and a VIC-1011A terminal adapter. A simple program runs on the PC, listening on TCP port 23. He has the software and links to everything you need via his web site.

So if you ever ran a BBS or were ever involved in that world back in the day, you should check it out (even if you didn't know what the hell a BBS was...check it out to see what it used to be like)...it brought back some memories for me. Even the slooowness of 1200 baud was there!

Fire up a terminal and connect to bbs.jammingsignal.com port: 23 Enjoy!
