Saturday, September 6, 2008

Spliced feed for Security Bloggers Network

Big Iron is Dead...Long Live Big Iron? [Rational Survivability]

Posted: 05 Sep 2008 11:42 PM CDT

Over the last 5 years or so with the pronounced emergence of inexpensive multi-core COTS compute platforms and the rabid evangelism of virtualization, I have debated many times with folks who continue to suggest that "big iron" -- high performance equipment in the compute, network, security and storage domains -- is now "extinct" and that nobody buys bespoke equipment any more.

Many of them argued "All you need is a COTS PC, package up OS/Applications and voila!  Instant appliance!  Ready for the edge, ready for the core."

Not surprisingly, many of the networking/security/application delivery companies that these folks worked for ultimately introduced custom-engineered hardware solutions, melding their software with custom hardware and COTS elements to produce a piece of big iron of their own...

About a year ago, I wrote a blog on this topic highlighted by a post titled "All your COTS multicore CPU's with non-optimized security software are belong to us," in which I extrapolated some very interesting points regarding Moore's law and the hubris surrounding the gluttony of compute power offered by higher density chipsets without the corresponding software architecture to take advantage of it.

This is a little tickler to that post.

I come from the land of servicing large enterprises, service providers, municipalities and nation states and not the SME.

While there are certainly exceptions to the "rule," and it's reasonable to suggest that my perspective is skewed, I've always been careful to ensure I framed my discussions this way, so debating/contrasting the architectural slants of an SME with a Fortune 10 doesn't really move the discussion along any.

So, sticking with the large enterprise theme, there are two interesting divergent themes emerging: the centralization of compute and storage with the distributed nature of connectivity and information.

Without muddying the water too much about how these scenarios are not all that mutually exclusive, let's stick with the "centralization" theme for a moment.

The mainstream adoption of virtualization as an enabler brings us full-circle back around to the centralized mainframe model* of compute, networking and storage.  Now that reasonably reliable, high speed and low latency connectivity is available, centralization of resources makes sense since people can generally get access to the assets they require and the performance to get from point A to point B is for the most part acceptable (and getting more so.)

Once again, the natural consolidation of functionality and platform architecture follows suit -- we're back to using big iron to deliver the balance of cost, resilience, performance and simplified management that goes along with squeezing more from less.

To wit, let's examine some recent virtualization-inspired, big iron plays:

Compute:

HP introduced [recently] the Proliant BL495c G5, the first blade designed to be a virtual machine-intensive host in a data center rack, along with other virtualization products to enhance the offerings of VMware and Citrix Systems.

As system administrators achieve savings by consolidating 8-10 virtual machines per server, HP is saying its new blade will host up to 32 virtual machines, based on each virtual machine needing a minimum of four Gigabytes of memory. When 16 of the blades are stacked in an HP C7000 enclosure, a total of 512 virtual machines can be run from a single rack, said Jim Ganthier, director of HP BladeSystem, its blade server division.

Network & Storage:

The Cisco Nexus 7000 Series is the flagship member of the Cisco Nexus Family, the first in a new data center class of switching products. The Nexus 7000 is a highly scalable modular platform that delivers up to 15 terabits per second of switching capacity in a single chassis, supporting up to 512 10-gigabits-per-second (Gbps) Ethernet and future delivery of 40- and 100-Gbps Ethernet. Its unified fabric architecture combines Ethernet and storage capabilities into a single platform, designed to provide all servers with access to all network and storage resources. This enables data center consolidation and virtualization. Key components of the unified fabric architecture include unified I/O interfaces and Fibre Channel over Ethernet support to be delivered in the future.

Security:

The Crossbeam X-Series is a carrier-class modular security services switch. The X80 platform is Crossbeam's flagship high-end security services platform for complete network security. The X80 provides up to 40 Gigabit Ethernet ports and 8 x 10 Gigabit Ethernet ports or up to 64 Fast Ethernet ports and up to 40 Gbps of full duplex firewall throughput. Each network processor module features an integrated 16-core MIPS-64 security processor, a high speed network processor and a custom-designed switch fabric FPGA. The X80 supports up to 10 application processor modules which are based on Intel technology running a hardened version of Linux supporting best-in-breed security software from leading vendors in highly resilient, load-balanced configurations.

These are just a few examples.

Each of these solutions delivers the benefits of hefty amounts of virtualized service, but what you'll notice is that they do so in massive scale, offering consolidated services in high-density "big iron" configurations for scale, resilience, manageability and performance.

In this period of the technology maturity cycle, we'll see this trend continue until we hit a plateau or an inflection point -- whether it is triggered by throughput, power, heat, latency, density or whatnot. Then we'll start anew and squeeze the balloon once more, perhaps given what I hinted at above with clusters of clouds that define an amorphous hive of virtualized big iron.

But for now, until service levels, reliability, coherence and governance are sorted, I reckon we'll see more big iron flexing its muscle in the data center.

What about you? Are you seeing the return of big iron in your large enterprise? Perhaps it never left?

I for one welcome my new blinking dark overlord...



* There's even a resurgence of the mainframe itself lately.  See IBM's z/10 and Unisys' ClearPath for example.

TGIF? WTF, Feds take over Fannie Mae and Freddie Mac [StillSecure, After All These Years]

Posted: 05 Sep 2008 10:28 PM CDT

Well the good news about our economy just keeps right on rolling in.  First came word that unemployment rose to a 5 year high today at 6.1% (and for the first time I know security and IT people in that group who are finding it hard to find a job).  At the end of the day word came out that the Federal Government will announce a bailout/take over of the two mortgage giants, Fannie Mae and Freddie Mac.  This will result in just about all shareholders of these companies being wiped out and more importantly, you, me and the rest of US citizens are now guaranteeing and on the hook for all of those trillions of dollars of mortgages out there!

Fred Wilson says that this is the new MO of the fed.  Wait until after the markets close on Fridays to announce the really bad news. Ever the optimist, Fred thinks that this could be the beginning of the end for the bad news and may represent the bottom.  I say, things will get worse before they get better.

Brad Feld wrote today about cycles in the business world. Certainly the pendulum swings and what goes up, must come down.  But Brad says he is 42 and thinks he has seen it all when it comes to cycles.  I am 47 and realize that is not true either.  Yes, there are cycles but each one is different enough.  Yes things will get better some time, but the pain and damage being done is going to take a long, long time to recover from. 

Try owning a house in Florida, Michigan or some parts of California. Politicians talk of change, but I am not sure what fundamentally is going to happen that will change our present predicament. The sheer numbers are just scary.

I, along with many others I am sure, will be looking for signs that we are starting to pull out of this mess. But like in cycles past, by the time it is obvious that we are, the smart money will already be betting on the next cycle.

Xcon 2008 in Beijing! [The Dark Visitor]

Posted: 05 Sep 2008 04:39 PM CDT

My Xcon 2006 pass

Jumper sent me an e-mail about the upcoming Xcon 2008 Conference that will take place in Beijing from 18-19 October:

If you have any questions, comments, please shoot against Casper ;)
Though I am happy to forward it.

On Fri, Sep 5, 2008 at 4:40 PM, Sowhat <smaillist (at) gmail (dot) com [email concealed]> wrote:
> Got couple of emails with comments (language mistakes) and questions,
> Thanks guys!
> Actually XCon is held by XFOCUS guys (Casper and others), they wrote
> it up and I was just helping to post the CFP.
> If you have any questions regarding the schedule, the conferences,
> the hotel, etc.
> Welcome to XCon! Welcome to China!
> Best
> Sowhat
> On Fri, Sep 5, 2008 at 3:45 PM, Sowhat <smaillist (at) gmail (dot) com [email concealed]> wrote:
>> XCon 2008 Call for Paper
>> Nov. 18th – 19th, 2008, Beijing, PRC (
>> XCon is wholeheartedly expecting papers from those who are passionate
>> about information security technique and their participation and sharing of
>> the conference.
>> Attenders
>> Anyone who loves information security, including information security
>> experts and fans, network administrators, network security consultants, CIO,
>> hacker technique fans, etc.

More details on the conference here at Security Focus.

For those of you who are unfamiliar with Xcon, I’ll give you a little background. The yearly host of the Xcon conference series is a group going by the name Xfocus. One of their 2007 conference attendees, XYZreg (Zhang Yi), a regular member of their security group, claimed to have broken Kaspersky Anti-Virus Technology. When I went to the conference in 2006, two of the major sponsors were Microsoft and NSfocus. NSfocus was one of the very first hacker sites in China, originally called the Green Army. The organization has a very confusing history.

If anyone is planning on attending the conference, please drop me a line.


CPISM bootcamp and exam a success [PCI Blog - Compliance Demystified]

Posted: 05 Sep 2008 02:50 PM CDT

After long and arduous work on behalf of the SPSP and many others, and after several private classes of the CPISM, the very first public bootcamp and exam proctoring occurred in Salt Lake City, UT last week.  Even a short while after I see people updating their LinkedIn profiles with this designation.  There were some stumbling blocks involving printing issues, but I think it went off as a great success.

It was so successful that the SPSP immediately booked another class in Dallas in November for not only the CPISM, but also the new CPISA.  People have already been signing up and I expect these classes to sell out as well.  In fact David Bergert, author of Payment Systems Blog, has already blogged about his registration.

Every place I go people are asking how they can become a QSA. The problem is, you cannot hold the designation of QSA unless you work for a QSA company, which requires a formal application and attestation to the PCI SSC. And, if you ever leave the QSA company you work for, you lose any right to call yourself a QSA. This is why the SPSP has created the CPISA/CPISM for those “across the table from” the QSA, so you can hold your own in conversations and discussions regarding the payments industry and compliance.


Washington Post: Atrivo Increasingly Isolated [Infosecurity.US]

Posted: 05 Sep 2008 02:22 PM CDT

The Washington Post’s Brian Krebs reports via his Security Fix blog on the increasing isolation of the reportedly scammer-laden ISP Atrivo (also reported on in the KnuJon and HostExploit report).

[1] Security Fix Report On HostExploit Report (read the user comments…fascinating)

[2] Security Fix - Atrivo Isolated Post

[3] HostExploit Report

Friday MustRead - ArsTechnica Perspective: KnuJon, HostExploit Report [Infosecurity.US]

Posted: 05 Sep 2008 01:19 PM CDT

ArsTechnica’s Joel Hruska posts an outstanding examination of the KnuJon and HostExploit report. Joel manages to bring the enormity of the situation in perspective with a clear and concise style.

We deem his story this Friday’s MustRead.

We believe this entire scenario is indicative of why ICANN is broken. The evidence detailing the lack of responsibility the organization exhibits in policing Registrars is mounting.

Stay Tuned…

DIRECTI Responds To Knujon and HostExploit Report [Infosecurity.US]

Posted: 05 Sep 2008 09:45 AM CDT

The following is an official statement from DIRECTI, sent in an email response by Sandeep Ramchandani, the company’s Strategic Partner Manager, in which DIRECTI requested publication to clarify its position regarding the KnuJon and HostExploit reports and investigations.

(Editor’s Note: It is our blog’s policy to accommodate all requests to publish explanatory information related to information security matters, verbatim and without modification, as requested by the author(s) of the material, when that material is of interest to our readers and meets our editorial standards.)

So, without further ado, here is DIRECTI’s official statement:

Update: Directi disclaims all allegations in the knujon / hostexploit reports as baseless and factually incorrect

Bhavin Turakhia, CEO, Directi has presented a strong challenge to all claims in the Knujon and Hostexploit report that falsely implicate Directi’s involvement with unethical online activities.

Knujon and Hostexploit had published online reports linking Directi to certain miscreants responsible for fraudulent activities on the Internet.

"It's reports and claims like these that are disappointing to any white hat, genuinely conscientious Registrar, wherein despite our continuous efforts, organizations such as Knujon and HostExploit publish libelous and false allegations without even attempting to verify facts. Even a basic common courtesy of contacting us was not extended prior to publishing these reports." said Bhavin Turakhia, CEO of Directi.

A post on Directi's Blog categorically refutes every single claim that links Directi to the reports, and requests the media to verify the facts before publishing, or drawing conclusions from either report. While Hostexploit is still to respond, the Knujon report has subsequently rectified some of the incorrect conclusions it drew about Directi's involvement in the illegal online pharmacy racket.

The reports speculate that Directi owns East European Registrar, EST domains. Directi has gone on record stating that it does not own, nor control the actions of EST Domains.

The reports claim amongst other things that Directi has a business association with Atrivo (a web hosting company which purportedly supports illegal activities on the internet). To this too, Bhavin has firmly stated, "Atrivo is not associated with Directi, not hosted with Directi, nor have they registered their domain name through Directi, nor are they a Customer or a Vendor of Directi. The Directi Group does not have, and has never had, any association with either Atrivo or their business practices. The report shows no evidence of any such association."

The reports make further claims with respect to the usage of Directi's privacy protection services by illegal websites. Bhavin asserts that the service safeguards millions of genuine domain owners from the very threats that KnujOn also actively combats. “Privacy protection ensures that miscreants cannot parse the contact information of genuine domain registrants for spamming them or launching a phishing attack,” says Bhavin. “While a certain number of miscreants can use the privacy protection services to mask their identity, this constitutes a very small percentage in comparison to genuine customers who use this service and are thankful for it. Our abuse department ensures that privacy protection is suspended for any domain proven to indulge in any abusive activity.”

The report further labels 48 Registrars belonging to Directi and its clients as 'phantom' and that 'none of them really exist'. An ICANN representative later confirmed that all of the registrars are duly incorporated, validly existing under law, with active contact details.

Bhavin pledges that Directi continues to be one of the most proactive Registrars in combating abuse and implementing strict AUPs. He also claims that Directi has made substantial investments to ensure that its services are not used for any nefarious purposes, and that its core values are based on the ideology of making the internet a safer and more secure medium for conducting business.

"While I applaud the efforts of volunteers such as Knujon and Hostexploit who spend their personal time to try and combat spam, I am personally quite saddened when the very individuals who we trust to combat spam and fraud, engage in publicity moves without consideration for the reputation of legitimate businesses." said Bhavin.

About Directi
Directi ( is a 300+ million dollars group of Businesses, that develop innovative mass-market Web Products serving millions of Customers worldwide.

Directi businesses rank amongst the fastest growing businesses worldwide in their corresponding industry segments. The combined Product Portfolio of various Directi businesses includes - Communication and Collaboration apps, Social Networking software, Instant messaging, Context Analysis Engines, Antispam and Antivirus Solutions, Large scale Billing and Provisioning platforms, Traffic Monetization Solutions, Online Advertising Solutions, DNS Management Products, Linux and Windows Server Management Software, Web Hosting Control Panels and much more.

Shadowserver Foundation: Worldwide Botnets Experience Explosive Growth [Infosecurity.US]

Posted: 05 Sep 2008 09:38 AM CDT

The Register’s John Leyden posts a superb writeup on the worldwide sharp spike in growth of zombie personal computers, acting as members of botnets, from a report by the Shadowserver Foundation.

Sophos ISP DNS Whoops [Liquidmatrix Security Digest]

Posted: 05 Sep 2008 09:08 AM CDT

This morning customers that use the Sophos products weren’t able to get updates for a short spell. This was thanks to a “whoops” by one of the company’s ISPs.

From The Register:

Domain name system problems left some users of Sophos unable to get security updates on Friday. The same issue, blamed on a mistake by one of the security firm’s service providers rather than hostile action, left many surfers unable to access its main website.

Graham Cluley, senior technology consultant at Sophos, explained that an error by one of its service providers in updating DNS settings for the site has permeated across the internet, and will take a little while to untangle. “Some users have experienced problems getting updates because of these incorrect settings,” he explained. “No kind of DNS cache poisoning or any kind of hacking attack was involved.”

I can well imagine that people were speculating about the possibility of a DNS attack. But, sometimes the correct answer really is the simplest one.

Article Link

ACM Announces Awards Deadline [Infosecurity.US]

Posted: 05 Sep 2008 09:06 AM CDT

The Association for Computing Machinery (ACM) has announced a November 30, 2008 deadline for nominations for a slew of ACM Awards, noted after the jump.

Of course, in order to nominate you need to join the ACM.

Awards with November 30, 2008 nomination deadlines

  • A.M. Turing Award
  • ACM - Infosys Foundation Award in the Computing Sciences
  • ACM/AAAI Allen Newell Award
  • Software System Award
  • Grace Murray Hopper Award
  • Paris Kanellakis Theory and Practice Award
  • Karl V. Karlstrom Outstanding Educator Award
  • Distinguished Service Award
  • ACM - IEEE CS Eckert-Mauchly Award
  • Outstanding Contribution to ACM Award

ACM’s Award Co-chairs on the importance of ACM Award Nominations Letter

ACM Award Nominations

ACM Awards site

How to Create and Remember Multiple Secure Passwords [SecurePuter]

Posted: 05 Sep 2008 08:28 AM CDT

Create and Remember Secure Multiple Passwords

I was asked by a co-worker how I keep track of so many passwords for so many accounts, all of which have to change annually. I told her I use a custom formula in my head that allows me to determine what a password is on a given account. I don't have to remember 100 passwords, only the formula.

Password Basics

Passwords are the oldest and most widely used form of authentication, but also the weakest. To get the biggest bang for your buck, you must choose a password that incorporates as many character variations and the longest length possible. That means numbers, letters (both uppercase and lower), punctuation marks, any symbols allowed by the system, and at least 8 characters in length. If you are logging into multiple systems or websites, varying your password is also recommended. If a password is compromised, you don't want the attacker to gain access to every account you own on a single password. Each account a user holds should have its own unique password.

You will want to develop a personal method of managing multiple passwords. That way you will only need to remember the method, not each individual password. To develop your personal technique, open your mind and create something easy to remember but hard to guess.

Create a Multiple Password Formula

This is an example. Design your own using any number of things. Take characteristics of your life that are static and some that are dynamic. Let's create a 10 character password that is different for each system or website, and will be changed every year. We'll need to create a formula that is simple to remember.

John Smith
Spouse: Kristen Smith
DOB: 04/12/1972

A fictitious password for a Fidelity account.

1st and 2nd character
The first and last letter of the computer or website's name.
"fy" for Fidelity
This should change for each account. If the computer is named Yoda the characters would be "ya"; if it was Bank of America "ba". Therefore, we have unique passwords for each account.

3rd character
A separation symbol
"." A period
Includes a non-alphanumeric character, which increases the number of possibilities a cracker has to try.

4th and 5th characters
Capitalized initials, but using the last letter of each name instead of the first
"NH" for John Smith
Adding capitalized letters doubles the number of possibilities per alphabetic character.

6th character
Another separator
"_" underscore

7th character
Last digit of my year of birth plus the last two digits of the current year, keeping only the last digit of the sum
"0" for '72 plus '08 (2 + 8 = 10)
Used as an easy mathematical equation that varies from year to year.

8th character
Capitalized first letter of Significant other's name
A simple & easy to remember letter

9th and 10th characters
The last 2 digits of the current year
Another pair of rotating characters that change when passwords are updated yearly.

Now when John Smith logs into Fidelity he types in "fy.NH_0K08" which is much better than him using a birthday "04121972." Instead of just 10 to the 8th power in possibilities, this technique has given him much more security against password crackers due to the incorporation of so many character types.

Once you have a method of your own constructed, it will only be a short time until you have the formula memorized and it becomes just as simple as typing in a birthday. For John Smith all he has to remember is first and last letter of website, period, capitalized reverse initials, underscore, last number of DOB + year, capitalized K (note the ones that are capitalized are initials which is an easy association), and the current year.

You could get as extreme as you want with your own technique. Maybe take the first letter of the site "F", find its place in the alphabet "6" and use that to determine which letter in your name to use. John Smith – 6th letter – "m". You see? This could get as difficult as you wish. Just make sure you're not using the same password for each account and that it changes at least yearly.
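As an added example, not code from the SecurePuter post, here is the formula above written as a Python function, using the post's fictitious inputs (John Smith, spouse Kristen, born 1972, a Fidelity account, year 2008), together with the character-class search-space estimate the post compares against ("10 to the 8th power" for the birthday "04121972"). Two details are my reading of the post rather than stated there: the account name has spaces dropped and is lower-cased, so "Bank of America" gives "ba", and the 7th character keeps only the last digit of the sum (2 + 8 = 10 gives "0").

```python
"""Added example (not the SecurePuter post's own code): the post's password
formula as a function, plus a character-class search-space estimate.
Inputs in main() are the post's fictitious example (John Smith, Fidelity)."""
import string

PUNCTUATION = set(string.punctuation)   # the 32 printable ASCII symbols


def formula_password(account, first, last, spouse_first, birth_year, current_year):
    """Return the 10-character password the post's formula yields.

    Positions: [site first+last letter][.][last letters of first and last
    name, capitalised][_][(last digit of birth year + yy) mod 10]
    [spouse's initial, capitalised][yy]
    """
    # Assumption: spaces are dropped and the name lower-cased, so
    # "Bank of America" -> "ba" and "Fidelity" -> "fy", as in the post.
    acct = "".join(account.split()).lower()
    if len(acct) < 2:
        raise ValueError("account name needs at least two characters")
    yy = current_year % 100
    return "".join([
        acct[0], acct[-1],                      # 1st, 2nd: site's first and last letter
        ".",                                    # 3rd: separator
        first[-1].upper(), last[-1].upper(),    # 4th, 5th: last letters of the names
        "_",                                    # 6th: separator
        str((birth_year % 10 + yy) % 10),       # 7th: 2 + 8 = 10, keep the last digit -> "0"
        spouse_first[0].upper(),                # 8th: spouse's capitalised initial
        f"{yy:02d}",                            # 9th, 10th: last two digits of the year
    ])


def charset_size(password):
    """Alphabet size a cracker would have to assume, judged only by the
    character classes present in the string (lower, upper, digit, symbol)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in PUNCTUATION for c in password):
        size += len(PUNCTUATION)
    return size


def naive_search_space(password):
    """Brute-force keyspace under the character-class model: alphabet ** length."""
    return charset_size(password) ** len(password)


if __name__ == "__main__":
    # The post's fictitious person; constructed sample data, not real details.
    john = dict(first="John", last="Smith", spouse_first="Kristen", birth_year=1972)
    for account in ("Fidelity", "Yoda", "Bank of America"):
        for year in (2008, 2009):
            pw = formula_password(account, current_year=year, **john)
            bits = naive_search_space(pw).bit_length() - 1
            print(f"{account:16} {year}: {pw}  keyspace ~ 2^{bits}")
    print("birthday '04121972' keyspace:", naive_search_space("04121972"))
```

The keyspace figure reproduces the post's own yardstick: it counts the character classes present in the final string, so the formula's output rates at 94^10 against the birthday's 10^8. That is a measure of what a blind brute-force run faces, not of how much of the string is fixed by details such as names and a birth year; in this scheme the secret is the formula, and the function is mainly useful for checking that the per-account and per-year variation really produces distinct strings.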

Password Reset Concerns

If you had a password formula such as this, you would rarely need to have your password reset. The questions often asked for password reset authorization are, in reality, a second password. A fellow security blogger wrote an article titled, "A Different Approach to Password Reset" that effectively outlines such concerns. Below is an excerpt.

Mother’s Maiden Name - public record
Street you grew up on - can be findable.
Place of Birth - discoverable
Name of Pet - guessable (top list of pet names on Internet, or just check their facebook)

Do yourself a favor and create your multiple password formula now.

The Cisco energy tax? [StillSecure, After All These Years]

Posted: 05 Sep 2008 07:53 AM CDT

Saw a great commercial today while watching CNN. It showed people sitting in front of piles of cash and saying how much was in the pile.   Frankly with the kind of commercials you hear on CNN I thought it was going to be how these people saved paying the IRS buy hiring some tax service (aren't those commercials tiresome already). 

Instead it turns out that it is a commercial for Nortel touting how much money you will save on energy by using more efficient Nortel switches over Cisco equipment.  This is part of a whole series on the Cisco energy tax and I think pretty effective.  You can see the commercial here.


PaulDotCom Security Weekly - August 2008 Monthly Summary [PaulDotCom]

Posted: 04 Sep 2008 03:32 PM CDT

The PaulDotCom Security Weekly Monthly Summaries are the recordings from the monthly Late-Breaking Computer Attack Vectors webcast. This month I will discuss some of the latest attacks, including:

  • Post-exploitation techniques & defense
  • Fyodor scans the Internet, finds TELNET!
  • Attack between the client and the server
  • Social Networks - A tool for all attackers
  • Web Application Testing Tips
  • FAIL Of The Month (FOTM)

Direct Audio Download

You can download the slides to this presentation here:

August 2008 Monthly Summary Slides

Microsoft Releases September Security Notification [Infosecurity.US]

Posted: 04 Sep 2008 02:40 PM CDT

Microsoft (NasdaqGS: MSFT) has released its Security Bulletin Advance Notification for September 2008 with minor updates. Virtually every mainstream Microsoft OS, media and Office product will be patched. Most of the issues are the now nearly ubiquitous remote code execution vulnerabilities, caused by flaws in VBScript, JScript and similar components.

The full text appears after the jump.



Microsoft Security Bulletin Advance Notification for September 2008
Issued: September 4, 2008

This is an advance notification of security bulletins that
Microsoft is intending to release on September 9, 2008.

The full version of the Microsoft Security Bulletin Advance
Notification for September 2008 can be found at

This bulletin advance notification will be replaced with the
September bulletin summary on September 9, 2008. For more information
about the bulletin advance notification service, see

To receive automatic notifications whenever
Microsoft Security Bulletins are issued, subscribe to Microsoft
Technical Security Notifications on

Microsoft will host a webcast to address customer questions on
these bulletins on Wednesday, September 10, 2008,
at 11:00 AM Pacific Time (US & Canada). Register for the September
Security Bulletin Webcast at

Microsoft also provides information to help customers prioritize
monthly security updates with any non-security, high-priority
updates that are being released on the same day as the monthly
security updates. Please see the section, Other Information.

This advance notification provides the software subject as the
bulletin identifier, because the official Microsoft Security
Bulletin numbers are not issued until release. The bulletin summary
that replaces this advance notification will have the proper
Microsoft Security Bulletin numbers (in the MSyy-xxx format) as the
bulletin identifier. The security bulletins for this month are as
follows, in order of severity:

Critical Security Bulletins

Windows Media Player Bulletin

- Affected Software:
- Windows Media Player 11 on
Windows XP Service Pack 2 and
Windows XP Service Pack 3
- Windows Media Player 11 on
Windows XP Professional x64 Edition and
Windows XP Professional x64 Edition Service Pack 2
- Windows Media Player 11 on
Windows Vista and
Windows Vista Service Pack 1
- Windows Media Player 11 on
Windows Vista x64 Edition and
Windows Vista x64 Edition Service Pack 1
- Windows Media Player 11 on
Windows Server 2008 for 32-bit Systems
(Windows Server 2008 Server Core installation not affected)
- Windows Media Player 11 on
Windows Server 2008 for x64-based Systems
(Windows Server 2008 Server Core installation not affected)

- Impact: Remote Code Execution
- Version Number: 1.0

Windows Bulletin

- Affected Software:
- Microsoft Internet Explorer 6 on
Microsoft Windows 2000 Service Pack 4
- Microsoft .NET Framework 1.0 Service Pack 3 on
Microsoft Windows 2000 Service Pack 4
- Microsoft .NET Framework 1.1 Service Pack 1 on
Microsoft Windows 2000 Service Pack 4
- Microsoft .NET Framework 2.0 on
Microsoft Windows 2000 Service Pack 4
- Microsoft .NET Framework 2.0 Service Pack 1 on
Microsoft Windows 2000 Service Pack 4
- Windows XP Service Pack 2 and
Windows XP Service Pack 3
- Windows XP Professional x64 Edition and
Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 1 and
Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition and
Windows 2003 Server x64 Edition Service Pack 2
- Windows Server 2003 with SP1 for Itanium-based Systems and
Windows Server 2003 with SP2 for Itanium based Systems
- Windows Vista and
Windows Vista Service Pack 1
- Windows Vista x64 Edition and
Windows Vista x64 Edition Service Pack 1
- Windows Server 2008 for 32-bit Systems
(Windows Server 2008 Server Core installation not affected)
- Windows Server 2008 for x64-based Systems
(Windows Server 2008 Server Core installation not affected)
- Windows Server 2008 for Itanium-based Systems
- Microsoft Office XP Service Pack 3
- Microsoft Office 2003 Service Pack 2
- 2007 Microsoft Office System
- Microsoft Visio 2002 Service Pack 2
- Microsoft Office PowerPoint Viewer 2003
- Microsoft Works 8
- Microsoft Digital image Suite 2006
- QFE update for SQL 2000 Reporting Services Service Pack 2
when installed on Microsoft Windows 2000 Service Pack 4
- GDR update for SQL Server 2005 Service Pack 2
- QFE update for SQL Server 2005 Service Pack 2
- GDR update for SQL Server 2005 x64 Edition Service Pack 2
- QFE update for SQL Server 2005 x64 Edition Service Pack 2
- GDR update for SQL Server 2005 for Itanium-based Systems
Service Pack 2
- QFE update for SQL Server 2005 for Itanium-based Systems
Service Pack 2
- Microsoft Visual Studio .NET 2002 Service Pack 1
- Microsoft Visual Studio .NET 2003 Service Pack 1
- Microsoft Visual Studio 2005 Service Pack 1
- Microsoft Visual Studio 2008
- Microsoft Report Viewer 2005 Service Pack 1
Redistributable Package when installed on
Microsoft Windows 2000 Service Pack 4
- Microsoft Report Viewer 2008
Redistributable Package when installed on
Microsoft Windows 2000 Service Pack 4
- Microsoft Visual FoxPro 8.0 Service Pack 1
when installed on Microsoft Windows 2000 Service Pack 4
- Microsoft Visual FoxPro 9.0 Service Pack 1
when installed on Microsoft Windows 2000 Service Pack 4
- Microsoft Visual FoxPro 9.0 Service Pack 2
when installed on Microsoft Windows 2000 Service Pack 4
- Microsoft Platform SDK Redistributable: GDI+
- Microsoft Forefront Client Security 1.0 when installed on
Microsoft Windows 2000 Service Pack 4

- Impact: Remote Code Execution
- Version Number: 1.0

Windows Media Encoder Bulletin

- Affected Software:
- Windows Media Encoder 9 Series on
Microsoft Windows 2000 Service Pack 4
- Windows Media Encoder 9 Series on
Windows XP Service Pack 2 and
Windows XP Service Pack 3
- Windows Media Encoder 9 Series on
Windows XP Professional x64 Edition and
Windows XP Professional x64 Edition Service Pack 2
- Windows Media Encoder 9 Series x64 Edition on
Windows XP Professional x64 Edition and
Windows XP Professional x64 Edition Service Pack 2
- Windows Media Encoder 9 Series on
Windows Server 2003 Service Pack 1 and
Windows Server 2003 Service Pack 2
- Windows Media Encoder 9 Series on
Windows Server 2003 x64 Edition and
Windows Server 2003 x64 Edition Service Pack 2
- Windows Media Encoder 9 Series x64 Edition on
Windows Server 2003 x64 Edition and
Windows Server 2003 x64 Edition Service Pack 2
- Windows Media Encoder 9 Series on
Windows Vista and
Windows Vista Service Pack 1
- Windows Media Encoder 9 Series on
Windows Vista x64 Edition and
Windows Vista x64 Edition Service Pack 1
- Windows Media Encoder 9 Series x64 Edition on
Windows Vista x64 Edition and
Windows Vista x64 Edition Service Pack 1
- Windows Media Encoder 9 Series on
Windows Server 2008 for 32-bit Systems
(Windows Server 2008 Server Core installation not affected)
- Windows Media Encoder 9 Series on
Windows Server 2008 for x64-based Systems
(Windows Server 2008 Server Core installation not affected)
- Windows Media Encoder 9 Series x64 Edition on
Windows Server 2008 for x64-based Systems
(Windows Server 2008 Server Core installation not affected)

- Impact: Remote Code Execution
- Version Number: 1.0

Office Bulletin

- Affected Software:
- Microsoft Office XP Service Pack 3
- Microsoft Office 2003 Service Pack 2
- Microsoft Office 2003 Service Pack 3
- 2007 Microsoft Office System
- 2007 Microsoft Office System Service Pack 1
- Microsoft Office OneNote 2007
- Microsoft Office OneNote 2007 Service Pack 1

- Impact: Remote Code Execution
- Version Number: 1.0

Other Information

Microsoft Windows Malicious Software Removal Tool:
Microsoft will release an updated version of the Microsoft Windows
Malicious Software Removal Tool on Windows Update, Microsoft Update,
Windows Server Update Services, and the Download Center.

Non-Security, High-Priority Updates on MU, WU, and WSUS:
For information about non-security releases on Windows Update and
update, please see:
* Microsoft Knowledge Base Article 894199, Description of Software Update Services and
Windows Server Update Services changes in content for 2008. Includes all Windows content.
* New, Revised, and Released Updates for Microsoft Products Other Than Microsoft Windows

Recognize and avoid fraudulent e-mail to Microsoft customers:
If you receive an e-mail message that claims to be distributing
a Microsoft security update, it is a hoax that may contain
malware or pointers to malicious Web sites. Microsoft does
not distribute security updates via e-mail.

The Microsoft Security Response Center (MSRC) uses PGP to digitally
sign all security notifications. However, PGP is not required for
reading security notifications, reading security bulletins, or
installing security updates. You can obtain the MSRC public PGP key

To receive automatic notifications whenever
Microsoft Security Bulletins are issued, subscribe to Microsoft
Technical Security Notifications on


Security Briefing: September 4th Late(r) Edition [Liquidmatrix Security Digest]

Posted: 04 Sep 2008 12:11 PM CDT


Well, I was on a bit of a roll this week. Didn’t quite wake up early enough this morning to post the news on time. On the upside we have the lion’s share of the speakers picked for this year. If you haven’t signed up yet please do so while there are spots available!

Click here to subscribe to Liquidmatrix Security Digest!

And now, the news…

  1. ‘MythBusters’ co-host backpedals on RFID kerfuffle | CNET
  2. Public-data site under fire for planned sale | Chicago Tribune
  3. NHS Could Be Next Data Loss Fiasco | Sky News
  4. Chrome is a security nightmare, indexes your bank accounts | TG Daily
  5. Facebook tests New Jersey’s icon for reporting predators, pornography | Computer World
  6. Hackers buck negative image |
  7. Leak fears could set bosses spying on staff |
  8. Sony recalls 440,000 Vaio laptops | BBC News
  9. iPhone girl scared by attention | vnunet


TalkShoe Failure: TalkCast Rescheduled [The Security Catalyst]

Posted: 04 Sep 2008 11:24 AM CDT

Due to a TalkShoe failure (service unavailable), I have to punt the effort. I’ll see if we can get it worked out and then try again.

Chinese Researchers Use Heartbeats Against Implant Hacking [Liquidmatrix Security Digest]

Posted: 04 Sep 2008 10:14 AM CDT

One thing that has been getting more press is wireless medical implants. Researchers in China have devised a way to encrypt the signals of these biometric devices using the patient’s heartbeat.

From Heise:

But the opportunities also increase the risks. Wireless implants are vulnerable to malicious attacks, which can be fatal. Experts say that signals must be securely encrypted. Now, researchers from the Chinese University of Hong Kong have presented their solution based on biometric features. The patient’s individual heartbeat, which can easily be measured from the person’s pulse, is used as the key for encryption. In their tests, 64-bit encryption works quite well, with the recognition ratio being nearly as accurate as with conventional fingerprint recognition systems. In the journal IEEE Transactions on Information Technology in Biomedicine, the researchers argue that heartbeat encryption is even safer because the constantly changing heartbeat cannot be mimicked by a recorded copy.

An interesting thought. But could this also provide the key to break the crypto? Using a high-powered parabolic microphone, one could feasibly record the heartbeat of a target while they’re sitting at a sidewalk cafe.

Now imagine that the biometric device you are looking to control is a heart monitor or an insulin dispenser. This could potentially have horrific consequences. Sure, the researchers say that it would be “impossible for attackers to use recorded data as a key at a later date”. Never say never. Of course this falls into the FUD category, but it makes for an interesting movie plot line.

Article Link

Catalyst Live! - Today at Noon Eastern [talk shoe] [The Security Catalyst]

Posted: 04 Sep 2008 09:45 AM CDT

Today we venture together into new territory. I am eager to conduct our first “Talkcast” - to explore the way we make recommendations to our users about how they should be protecting their home computers.

The idea of a talkcast is to be more like a talk radio program. We are going to use: to host our effort.

The specific program starts here:

The program starts at noon. After a brief introduction, I’ll introduce our guest - Dave Cole from Symantec - and then we’ll get down to an interactive conversation.

Get involved!

The Register: Anonymous Domain Registration Terminated [Infosecurity.US]

Posted: 04 Sep 2008 09:25 AM CDT

The Register’s Dan Goodin posts a superb piece on the current hubbub (in the Internet registrar world, that is) on the Indian subcontinent.

Also of interest is a fascinating report of cyber-criminal activities from INFOSEC researchers Jart Armin, James McQuaid and Matt Jonkman, in which they focus on the evidence of direct connections between a source of malware and illegal, Internet-based pharmacies and one of ICANN’s sponsors (apparently not vetted adequately at the ICANN offices in either Marina Del Rey, CA or Brussels, Belgium)!

The entity is LogicBoxes, which ICANN has apparently noted as a sponsor for various meetings that occurred in both India and the United States (Los Angeles, California and Delhi, India, to be specific).

[1] HostExploit (Armin, McQuaid, Jonkman Report)

[2] The Register - Directi Strikes Back

[3] The Register - ICANN Cast As Online Scam Enabler

KNUJON Responds To Directi [Infosecurity.US]

Posted: 04 Sep 2008 08:50 AM CDT

In the ongoing saga (also related to previously published demands made by Directi to ‘take down’ blog posts here at Infosecurity.US) triggered by research undertaken by anti-spam watchdog KnujOn, Garth Bruen of KnujOn fires back a response to Directi, after the jump.

(Editors Note: Garth Bruen’s comments are published with his consent.)

From: Garth Bruen at KnujOn
To: sandeep.r
Cc: legal
Date: Wed, Sep 3, 2008 at 11:43
Subject: RE: Frivolous Accusations on

Hello Mr. Ramchandani,
Thank you for contacting me. I am sorry this has caused so much anxiety.
I received your email after business hours yesterday and did not read it
until this morning. I realize that you have gone a full business day in
India without hearing back from me, my apologies.

Let's address the points you bring up.

1.      (EstDomains) We did not say that Directi owns EstDomains. We know you
license software to them, this is a business relationship, an
"affiliation." While you may deal with "several thousand service
providers", EstDomains is highlighted on your site with only 4 other
companies which denotes a special relationship. However, we can clarify

2.      ("Phantom Registrars") There are a few issues here. First, we
never stated in our report that any of the 48 listed registrars had fake
pharmacy sites. The issue here is about disclosure and honesty. Your
affiliated registrars are listed with U.S. addresses, but you are in
India. No problem there, just fully disclose that you are in India.
Next, we were unable to locate Incorporation licenses for any of these
companies at the stated addresses in Oregon or New York. Is this

3.      (Atrivo) We did not state that Directi was linked with Atrivo, we
posted a brief from an article about this topic – you'll have to ask
that author.

4.      (PrivacyProtect) If you are no longer using we
applaud you!!! However, the question remains. Does Directi own
PrivacyProtect, or did it at any time (the company and/or domain name)?
If you tell me "no", I will believe you.

5.      (unsuspended domains) If you say it was a technical error, we will
post this information.

6.      (ISPs) If you claim you are cleaning up the Registry, I want to
believe you. However, our claim is not baseless. We observed illicit
domains being moved from one IP to another. I can understand how this
could happen because of the complexity of the Registrar world. Were
these illicit domain postings due to one of your resellers? If that is
the case, please tell everyone, it would help us all understand your
situation better and sympathize with you.

7.      (PrivacyProtect, again) I received all of your attempts to explain
the use of Privacy Protection and I responded to each of them. I
understand the point of privacy protection; just don't agree with its
use for business-related domains, especially ones selling narcotics. If
PrivacyProtect is not intended to harbor miscreants why do they? And why
so many? And why is PrivacyProtect's ownership a secret?

8.      (illicit domains) Once again, I want to believe you. However, when
the public observes a healthy portion of a registrar's business going
to illicit traffic, we start to wonder. Have you ever asked a registrant
to provide a pharmacy license before registering a pharmacy-related
business domain? This may all go back to the reseller question in #6.

9.      (ICANN RAA) You said: "the job of policing the internet cannot be
the sole responsibility of registrars", guess what, I AGREE WITH
YOU!!! However, the RAA (through the UDRP) states that registrants are
not allowed to register a domain name for an illegal purpose and the
Registrar, through its contract has to ensure this.

And, we are of course ready to discuss any of these further and glad you
are accepting the challenge to be a clean leader in the Registrar


> —– Original Message —–
> From: Sandeep Ramchandani
> To: ;
> Cc:
> Sent: Tuesday, September 02, 2008 5:44 PM
> Subject: Frivolous Accusations on
> Dear Garth,
> This is with regards to the numerous articles on your website - that frivolously implicate the Directi Group. Before I move to the specifics, I’d like to comment on the challenge you’ve thrown open to us, to take a lead in the endeavor of suspending every illicitly run domain name.
> Please understand that Directi continues to be one of the most proactive Registrars today in terms of combating abuse and implementing strict AUPs and we have a significant investment in terms of manpower and processes to achieve just this. We do so, not because we’re contractually obligated, or to protect our own business interests, but because we sincerely believe in the ideology of making the internet a safer and more secure medium for conducting business. It’s really unfortunate that your ‘analysis’ misrepresents the details, and conveniently ignores all of the active measures we take regularly against spamming, phishing and other forms of abuse activity on the internet. As a matter of fact, we have a ZERO tolerance policy towards unscrupulous activities, and are therefore extremely shocked to learn about the baseless allegations made in your report.
> Given below, is a list of all the false information, conclusions and accusations that you have repeatedly made about our organization:
> 1.     EST is NOT affiliated to the Directi Group in any way: EST just happens to be one of the several thousand service providers that use our technology to provide domain registration services. Therefore all of the claims that EST is a part of our Group are grossly incorrect.
> 2.     Your claim that the accredited companies we own are: a) ‘Phantom’ Registrars (ex: Jumbo Names) that are not incorporated or ‘Do Not Really Exist’ and b) somehow involved in supporting the fake pharmacy business in some way, is not only grossly incorrect, but also seriously defamatory. You may not be privy to the strategic reasons why several of the top web services cos. need to invest in multiple registrar companies. However, there is absolutely no substance in suggesting that these companies are somehow involved in illegal activities. Not only do these registrars operate legitimately, but they also implement the strict AUPs for all sponsored domain names.
> 3.     You claim that the Directi Group is somehow closely linked with Atrivo, which probably is a false conclusion drawn from pt. 1. above.
> 4.     There are several other domain names that you have listed for various issues - software piracy, for instance - and claim that they are privacy protected. These domain names and their sponsoring registrar have not used privacy protection services for several months now; it is unfortunate that you did not choose to verify your data before making these accusations.
> 5.     The statement “While Directi claims they will suspend illicit domains, KnujOn has found on many occasions Directi sponsored domains being removed temporarily only to be restored after a brief period with the same content” is incorrect, but we do acknowledge a technical lapse that may have led you to believe this. The domain names that you’ve listed were not intentionally restored, but did not get suspended in due process because of a technical error. When vigilant netizens alerted us about the situation, the domain names were suspended immediately.
> 6.     The statement “If a consumer complains to Directi/PublicDomainsRegistry about these sites they simply direct them to the ISP host that serves the content. If and when the site content is closed by the ISP host, Directi/PublicDomainsRegistry just helps them set up at a new IP.” is baseless and seriously defamatory. We do not condone any abusive behavior using domain names registered through us, much less facilitate it. There are cases where we forward complaints to the host to pursue in accordance with their AUP, but in no circumstance do we enable purported abusive registrants to setup in any fashion.
> 7.     On several prior instances, we have attempted to explain to your organization the motives and mechanism behind Privacy Protection as a service. Privacy Protect isn’t intended to harbor miscreants, but to protect genuine domain owners from them. This service, provided through a network of registrars, is essentially free and has no affiliation with any domain names that use it.
> 8.     Also, as a Registrar, we must categorically state that we have no association with the domain names registered through us. The insinuation that we as a registrar benefit in any form through abusive domain names is grossly incorrect; on the contrary, we invest considerable resources toward mitigating such abuse of our services.
> 9.     During the Prescription Addiction Radioshow, you claimed that the registrar community is unable to effectively police illegal activities and hence most registrars are in violation of the ICANN RAA. This is factually incorrect since the job of policing the internet cannot be the sole responsibility of registrars, and the Registrar Accreditation Agreement doesn’t state any such obligation either. Most registrars, purely out of moral reasons, build AUPs to ensure that they proactively prevent their services from being used for any illegal activity.
> Based on all of these false assumptions, misrepresentations and factual inaccuracies, you have referred to our organization as ‘beastly’, ‘rogue’, ‘irresponsible’, ‘immoral’ and a ’supporter of the illegal narcotics industry’. I hope you understand that this sort of frivolous victimization and public abuse is intolerable for our organization, and always tackled with utmost severity. However, since we believe that your intentions are not wrong, we would like to resolve this amicably by requesting all necessary corrections to the information published. We would also need a public clarification which explicitly states that the Directi Group is in NO WAY harboring or, being in any way involved, in any form of illicit activity.
> On another note, I request you to understand the limitations registrars face in tackling these issues. Despite having a dedicated abuse complaints processing team, it is impossible for us to deploy the necessary resources and expertise to manually authenticate the legal status of each of the 4 million + sponsored domain names. A false positive could lead to a significant loss for an innocent customer, for which we will be squarely responsible. Things get even more difficult when other registrars that use our platform, are less sensitive towards their moral responsibilities. Sure - we’d like to pull the plug and permanently close our business with them, but how does one protect the several thousand innocent website owners that also happen to use their services?
> I believe you understand as well as we do that a true ‘cleanup process’ requires the concerted involvement of several industry participants including ICANN, registries, brand owners, law enforcement agencies and registrars. You can be assured that from a registrar standpoint we continue to extend our full cooperation to the community at all points in time. We have always taken this issue seriously and will always continue to do so.
> We’ll also be glad to clarify your doubts on the above mentioned facts, over a conference call which can include the relevant people from our side. We’re open to a constructive dialogue with you, and are all ears to any specific suggestion that you may have for us. If you’d like that, do provide us with an appropriate time and number on which you can be reached.
> Considering the defamatory nature of the content in your posts and the inaccuracy of several accusations, we hope that the requested corrective measures will receive utmost priority and reflect immediately on your website.
> Best Regards,
> Sandeep Ramchandani
> Strategic Partner Manager - The Directi Group
> Tel : +1 (832) 295 1535 Extn: 7624
> Fax : +1 (904) 369 0153

Catalyst Conversation Starter: The High Cost of “Freeware” [The Security Catalyst]

Posted: 03 Sep 2008 09:16 PM CDT

When it comes to protecting home computers, “Is freeware free?”

This is not a question aimed at the enterprise. Instead, this is a question that cuts to the heart of the advice that security professionals offer to those who depend on that experience and insight to guide them, be they parents, siblings, friends, co-workers or even people we meet in passing. Professionals are often called upon to make quick decisions based on experience and training (we can argue later whether this is good or bad). While this may be an accepted business practice, does it work as well when it comes to advising families on how to protect their computers?

I think we need to step back and consider. If someone asks you if they should spend money for a paid software solution to protect their home computer or simply use “freeware” solutions - what is the best answer? What do you recommend today? Why?

To aid in the process, I offer for consideration a report that details my experience evaluating freeware through the lens of a consumer. The report is short. It is designed to be an opportunity to stop, think and engage in the conversation.

Based on a challenge, I stepped back and examined the situation in a manner different than normal for me. I worked to experience the process of finding, downloading, installing, configuring and using freeware solutions. I considered the time spent and took an effort to measure pop-ups, messages and potential frustrations. Taking the time to step back literally changed what I thought and what I recommend. It forced me to examine the “truths” I believed in favor of real experience.

Get the report here:

Come join the discussion in the Security Catalyst Community here:

(and join me for a live Talkcast on Thursday — Noon Eastern — to discuss this with special guest Dave Cole)


FBI Opens Anti-Fraud Hurricane Gustav Hotline [Infosecurity.US]

Posted: 03 Sep 2008 03:23 PM CDT

The New Orleans, Louisiana Field Office of the United States Federal Bureau of Investigation (FBI) has announced the availability of a Disaster Fraud Hotline to report Hurricane Gustav related fraudulent activity.

From the FBI’s announcement: Members of the public can report fraud, waste, abuse, or allegations of mismanagement involving disaster relief operations through the Disaster Fraud Hotline at 866-720-5721, the Disaster Fraud Fax at 225-334-4707, or the Disaster Fraud e-mail at Individuals can also report criminal activity to the FBI at 1-800-CALL-FBI or the FBI site.
