Tuesday, September 9, 2008

Spliced feed for Security Bloggers Network

[Chinese] Return on Security Investment (ROSI) [Telecom,Security & P2P]

Posted: 09 Sep 2008 07:32 AM CDT

The well-known security expert Bruce Schneier has published an article in CSO magazine on return on security investment. I think this is the same point Andrew made in his discussion of security metrics. Having read the article, it turns out that Bruce does not completely reject ROSI analysis. He only warns security managers to be careful with the return models and figures offered by security vendors, because they may be heavily padded and are not reliable.

Bruce also gives several examples to show that the usual financial ROI analysis model, and ALE (the annualized loss expectancy term from CISSP training), do not apply to low-probability, high-loss situations. Many security risks and investments fall into exactly this category.

Bruce's example is a good one. The ROI model is not well suited to low-probability, high-loss situations because there are not enough samples and data to do statistics with. Look at Bruce's example: the new airport security screening measures add roughly half an hour of waiting time per passenger. According to the statistics, 760 million passengers boarded flights in the US in 2007, so the total waiting time comes to an astonishing 43,000 years; assuming an average lifespan of 70 years, this screening is equivalent to killing about 620 people every year. Surprising, isn't it? If you take into account that all of the time consumed is waking time, the economic productivity of the passengers, and so on, the figure could reach thousands of people. So now the question is: are these screening measures worth it? An ROI analysis would have to prove that, without screening, terrorism would kill at least that many more people.

Frankly, that judgment is not hard to make; 9/11 changed many people's views. But for the Internet and IT systems, the judgment and the analysis are nowhere near as easy.
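The post's two quantitative points, worked through as an added example (mine, not from the post or from Schneier's article): the conversion of aggregate waiting time into "lifetimes", and the reason ALE breaks down for rare, high-loss events. The second part does not simulate anything; it enumerates, for an assumed annual probability, single loss figure and observation window (all constructed values), every ALE estimate a short history could produce and how likely each is, so the instability is visible without random sampling.

```python
"""Added example, not part of the original post: the airport waiting-time
conversion, the textbook ALE formula, and the spread of ALE estimates you
would get from a short observation window for a rare, high-loss event."""
from math import comb

HOURS_PER_YEAR = 24 * 365  # 8760; ignores leap years, as the post does


def lifetimes_lost(passengers: float, hours_each: float, lifespan_years: float = 70) -> float:
    """Total waiting time expressed as whole lifetimes, as in the airport example."""
    total_years = passengers * hours_each / HOURS_PER_YEAR
    return total_years / lifespan_years


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy = single loss expectancy x annual rate of occurrence."""
    return sle * aro


def empirical_ale_distribution(p_annual: float, sle: float, years: int) -> list[tuple[float, float]]:
    """Every ALE estimate obtainable from `years` of history, with its probability.

    Model (an assumption for the example): in each year the event happens at most
    once, with probability p_annual. Observing k events in `years` years gives the
    estimate sle * k / years; k is binomially distributed.
    """
    dist = []
    for k in range(years + 1):
        prob = comb(years, k) * p_annual ** k * (1 - p_annual) ** (years - k)
        dist.append((sle * k / years, prob))
    return dist


def main() -> None:
    # Figures from the post: 760 million boardings, half an hour each, 70-year lifespan.
    print(f"lifetimes per year: {lifetimes_lost(760_000_000, 0.5):.0f}")   # about 620

    # Constructed rare event: 1% per year, $10M per occurrence -> true ALE $100k.
    p, sle, window = 0.01, 10_000_000, 10
    print(f"true ALE: {ale(sle, p):,.0f}")
    for estimate, prob in empirical_ale_distribution(p, sle, window):
        if prob > 0.001:
            print(f"  estimate {estimate:>12,.0f}  with probability {prob:.3f}")


if __name__ == "__main__":
    main()
```

With the constructed numbers, a ten-year history yields an estimate of zero about 90% of the time and an estimate ten times too high about 9% of the time; the true figure is never among the outcomes, which is the post's objection to applying ALE where the sample is too small.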

Is The NSA Snooping Your Cell? [Liquidmatrix Security Digest]

Posted: 09 Sep 2008 07:30 AM CDT

Short answer, apparently yes. Chris Soghoian has a rather interesting article that he posted yesterday where he dug deeper into the warrantless wiretaps.

From CNET:

A recent article in the London Review of Books revealed that a number of private companies now sell off-the-shelf data-mining solutions to government spies interested in analyzing mobile-phone calling records and real-time location information. These companies include ThorpeGlen, VASTech, Kommlabs, and Aqsacom–all of which sell “passive probing” data-mining services to governments around the world.

ThorpeGlen, a U.K.-based firm, offers intelligence analysts a graphical interface to the company’s mobile-phone location and call-record data-mining software. Want to determine a suspect’s “community of interest”? Easy. Want to learn if a single person is swapping SIM cards or throwing away phones (yet still hanging out in the same physical location)? No problem.

To read a demo of the product there is this link as well as mirrors at Harvard and here. A very interesting read. I recommend checking out the full piece.

Article Link

The Daily Incite - September 9, 2008 [Security Incite Rants]

Posted: 09 Sep 2008 05:51 AM CDT

Today's Daily Incite

September 9, 2008 - Volume 3, #75

Good Morning:
Should you be totally psyched or appalled when it seems your kids are going to become sci-fi tools like their parents? That's right, one of my first memories of going to the theater was to see the original Star Wars, back in 1976. My Dad, brother and I saw it twice, since it was a bit much for an 8- and a 5-year-old to get. I'm sure I saw movies before then, but I don't recall being consumed with the Apple Dumpling Gang.
So when the kids showed an interest in seeing the Star Wars movies, I was hugely fired up. The Boss is into Sci-Fi as well (Twilight Zone is her favorite TV show, EVER), so we figured they were old enough to see the light saber battles and deal with the mature themes of planets blowing up.

So where to start? Do we start with Episode 1, at the beginning? Or do we push them down the path we followed - seeing Episodes 4, 5, and 6 before delving into the prequels? Ultimately we are staying true to the history and started with A New Hope (Episode 4). I forget how great a movie it is, and the kids just loved it.

They were asking questions and trying to understand how the speeders and light sabers and spaceships worked. It provided us a great opportunity to explain about reality vs. imagination and also to reinforce that whatever they dream can be turned into reality, if they work hard enough and don't violate too many laws of physics. It's really just amazing to see how the same movies are having the same effect in expanding my kids' horizons as they had on me over 30 years ago.

We give them pennies each day when they behave correctly (beatings out by the wood shed are frowned upon by social services nowadays) and all the kids have already allocated their next gift to buying Star Wars toys. I can't wait to see my boy running around with the Darth Vader helmet on and the kids in the middle of an epic light saber battle on the guest bed. It's not hard to see how George Lucas is a billionaire, given the reach and timelessness of his stories.

Have a great day and may the Force be with you. 

Photo: "Hi! I'm Darth Vader" originally uploaded by Official Star Wars Blog



Top Security News

Security? Nah, not a problem
So what? - Have I mentioned lately how much I like surveys? I've spoken to a lot of CIOs over the years, and I can't remember even one telling me that security isn't an issue. It wouldn't be politically correct, now would it? They need to pay lip service to the security gods, lest they get nailed for not taking the threats seriously. So along comes this CompTIA survey that, amazingly enough, pinpoints security as the top concern among 33% of the respondents. What else are they going to say? Even more interesting is the survey Forrester did, which says security is now 10% of the IT budget, and rising. Even better (especially if you are a security sales person) is that things seem poised to remain strong. I still don't get it. The global economy is going to hell in a handbasket and security is going to remain strong? That would be great, but I'm still a bit skeptical. It's not that I think the CSOs are telling the truth, but I suspect they may not be totally clued into budget gyrations. CSOs not totally in the loop? Never heard of that either.

How about running security as a business?
So what? - I remember back to my META Group days, when the ideas about strategic sourcing and running IT as a business were first starting to percolate. I hadn't thought of that term in quite a while, but when I read this column talking about the "limitations" of this philosophy, I remembered the context. Given the drive towards strategic outsourcing, the executive suite started pushing the IT group to benchmark their operations versus what it would cost someone else to do it. 10 years later, it seems the approach has been hit and miss. In some cases, the business mentality has helped provide a more service-oriented perspective. In other cases, it crushes morale because the true inefficiencies of some IT groups become readily apparent. Will this kind of thing help a security group? Ah, not so much, because it's not like the IT group is going to really "buy" someone to make their life more difficult. And that kind of "service" mentality could also be dangerous, because security isn't about keeping the customer happy, it's about making sure they do the right thing. So IT

Let's hear it for Big Art(emis)
So what? - Sometimes you read a release and wonder what are these folks thinking? Evidently yesterday McAfee "reinvented computer security." That's exciting, no? What did they do, come up with a god-box? A Rosetta Stone to decrypt everything (like in Sneakers)? What could it be? Oh, it's a different list of stuff in the cloud, given the slick name Artemis. So if you don't have a signature and a file seems "suspicious," then they check the cloud and see what's up. Uh, OK. Sounds like PrevX to me. I'm sure it's different, and different from the stuff Trend and Panda are doing. It's "reinventing security" after all. Basically, it's still a losing proposition. Banging on the network every time you see something you don't recognize isn't the way to utilize bandwidth effectively and doesn't help the performance of the application. But I don't want to be too critical without having the crack testing teams of folks like ICSA and Consumer Reports bang on it, since they know everything, no?


The Laundry List

  1. Does security ROI matter? Probably not, but Schneier makes a couple of good points about keeping the results of the analysis in context. - Schneier blog
  2. Shavlik jumps on the virtualization security bandwagon. Is it more than just the same old stuff, just more and faster? Not according to Hoff, but it's still not clear how this will shake out. - Shavlik release
  3. Blade Server now the panacea? IBM thinks so, and does new innovative things like run Check Point on it. Yep, innovation in the flesh. - IBM release
  4. Jay Chaudhree gets Jayshree to sit on zScaler's board. The 200 page powerpoint announcing the move is on their web site. - 451 security blog

Top Blog Postings

Anything relentless is good by me
Reading Alex's latest series about Hansei-Kaizen brought me back to a time long ago in a place far away. Well, not that far away, rather upstate NY when I was in college. I studied Industrial Engineering and we spent quite a bit of time thinking about Japanese manufacturing techniques (even if they were modeled after a great American business thinker). The Kaizen (constant improvement) aspect of Alex's thinking is a no-brainer. Figuring it out and quantifying it, not as much of a no-brainer, since it's not clear what type of metrics will yield the greatest impact from an outcome standpoint. I'll talk about that a bit more on Thursday. But let's zero in on the idea of "relentless reflection," or Hansei, which is an interesting idea. I liken it to one of my mantras - Question Everything. And I mean everything. We can't assume that something is right, because the world is too dynamic and attacks are evolving too quickly. So we've got to constantly be reassessing and making sure defenses are where they need to be, continuously. I know, it's much better from a job satisfaction perspective to be able to just finish a job and leave it in the rear view mirror, but you work in security - so that's not an option.
http://riskmanagementinsight.com/riskanalysis/?p=393

Kind of sounds like "change" to me
The Hoff rants a bit about misuse of the term "next generation" from many of the security marketers out there. He'd give them a 15-yard personal foul, if he could. Maybe even suspend them for 4 games for violating the league's good marketing taste policy. Yet, many of the companies out there have no choice. They need to position their stuff as new and exciting, and at the same time position their competitors as old and stodgy. But then the competitors come back and try to take the high ground using your own words against you. They try to position the shiny new thing as dangerous and not viable. They may be gone tomorrow because they don't have the longevity and the track record to be the safe choice. No I'm not talking about the US Presidential Election - really. But if you want to learn anything about competitive marketing, you should pay attention. Regardless of your affiliation and emotions about the topic, the way both campaigns try to dominate the news flow and constantly position their opponents are great lessons in how to do marketing. It may make you crazy, but for better or worse it works. Because like the US electorate, many of the "customers" out there are ill-informed at best, and mostly dim bulbs so they'll respond to a negative attack. It may not be right, but it's reality.
http://rationalsecurity.typepad.com/blog/2008/09/the-most-overus.html

Learning to love evolution and reinvention
Interesting post here by Patrick Foley about the need to constantly reinvent ourselves. That's right, the world is a dynamic place and the skill set you have today probably won't be that useful tomorrow. Especially since you've chosen to go down a technology career path. It wasn't that long ago when COBOL skills were in high demand, or Pascal or Fortran (yes, three programming languages I learned way back when). Now, not so much - except to maintain those old systems they just can't turn off. Same goes for your security skill set. You may be a killer firewall analyst, but at some point that will become reasonably automated. You may have some serious pen testing kung fu, but the technical attacks are also showing up in free tools. Of course, that means you need to figure out what isn't automated now, what VALUE you add to the organization, and which skills will be most desirable in a few years' time. It's kind of like investing: you need to look at the market and figure out the macro trends. Then you need to position your personal skills "portfolio" to be in demand and rising a few years out. But you aren't done, because as with investing, it's easy to buy - but much harder to sell. So you've got to be figuring out when a position needs to be unwound and what other "assets" should be invested in. Yes, you need to manage your own portfolio, probably quite a bit more aggressively. They call that career management.
http://www.bloginfosec.com/2008/09/03/so-why-do-we-need-security-professionals-anyway/

SpamAssassin – What Is It & How Commtouch’s Plug Works With It [Commtouch Café]

Posted: 09 Sep 2008 03:28 AM CDT

SpamAssassin™ was first introduced by Justin Mason in the Open Source software site SourceForge.net in April 2001. Since then, it has been adopted by many small-medium sized businesses, service providers and integrated by value-added resellers (VARs) to be used as their core infrastructure. The beauty of SpamAssassin is in its infrastructure rather than in the technology [...]

Wordpress 2.6.2 Released - PHP Exploit Negated [Infosecurity.US]

Posted: 08 Sep 2008 11:55 PM CDT

Wordpress’s Ryan has announced the release of Wordpress 2.6.2, a security related point release of the popular blog server platform. This update reportedly negates issues with open registration vulnerabilities and randomly generated passwords. Additional issues still exist with other PHP apps (see the quote from Wordpress after the jump). Download Wordpress 2.6.2 and upgrade as soon as possible.

From Wordpress: “Stefan Esser recently warned developers of the dangers of SQL Column Truncation and the weakness of mt_rand()

With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user's password to a randomly generated password.  The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit…

Other PHP apps are susceptible to this class of attack.  To protect all of your apps, grab the latest version of Suhosin.  If you've already updated Suhosin, your existing WordPress install is already protected from the full exploit.  You should still upgrade to 2.6.2 if you allow open user registration so as to prevent the possibility of passwords being randomized.”
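The vulnerability class named in the quote, SQL column truncation, comes down to the database storing something other than what the application validated: a server that is not in strict mode silently cuts an over-long value to the column width, and CHAR/VARCHAR comparisons ignore trailing spaces, so a new registration can end up stored under an existing account's name. The following is an added example and not WordPress code; it models that server behaviour in Python (the column width of 60 is an assumption) and shows a registration check that refuses any name the database would alter before storing it. Turning on MySQL's strict SQL mode, so truncation raises an error instead of being silent, is the server-side counterpart of this check.

```python
"""Added example (not from WordPress or the quoted advisory): how silent column
truncation makes a new username collide with an existing one, and a registration
check that rejects such names before they reach the database."""

USER_LOGIN_WIDTH = 60  # assumed VARCHAR width for this example


def stored_form(username: str, width: int = USER_LOGIN_WIDTH) -> str:
    """Model of a non-strict MySQL server: keep only `width` characters, and
    compare with trailing spaces ignored (PAD SPACE collation semantics)."""
    return username[:width].rstrip(" ")


def collides(candidate: str, existing: set[str], width: int = USER_LOGIN_WIDTH) -> bool:
    """True if the candidate, once truncated, would be stored under an existing name."""
    return stored_form(candidate, width) in {stored_form(name, width) for name in existing}


def validate_username(candidate: str, existing: set[str],
                      width: int = USER_LOGIN_WIDTH) -> tuple[bool, str]:
    """Defensive check: refuse anything the database would change before storing,
    instead of trusting a uniqueness constraint to notice the collision."""
    if candidate != candidate.strip():
        return False, "leading/trailing whitespace not allowed"
    if len(candidate) > width:
        return False, f"longer than {width} characters"
    if collides(candidate, existing, width):
        return False, "already taken"
    return True, "ok"


def main() -> None:
    existing = {"admin"}  # constructed existing account
    # Constructed inputs: a plain new name, and a 61-character name that the
    # server would truncate to "admin" followed by spaces, i.e. to "admin".
    for candidate in ["admin2", "admin" + " " * 55 + "x"]:
        print(repr(candidate[:12]), "->", validate_username(candidate, existing),
              "| stored as", repr(stored_form(candidate)))


if __name__ == "__main__":
    main()
```

The length check alone rejects the padded name here; the collision check is kept as well so that a name which fits the column but still normalises to an existing one is caught too.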

US-CERT: SCADA Exploit Code Publicly Available [Infosecurity.US]

Posted: 08 Sep 2008 07:13 PM CDT

SCADA EXPLOIT

US-CERT has released notification of public code availability targeting an exploitable vulnerability in CitectSCADA. This is an arbitrary code execution issue. US-CERT encourages CitectSCADA administrators to examine the specified US-CERT Vulnerability Note (link published after the jump) and apply the patch as described therein.

[1] Vulnerability Note VU#476345

WASC Web Application Security Statistics 2007 [Jeremiah Grossman]

Posted: 08 Sep 2008 07:10 PM CDT

For those hungry for more web application security vulnerability data, WASC has released its Web Application Security Statistics report for 2007. Under the leadership of Sergey Gordeychik and the broad participation by Booz Allen Hamilton, BT, Cenzic, dblogic.it, HP, Positive Technologies, Veracode, and WhiteHat Security – we've combined custom web application vulnerability data from roughly 32,000 websites totaling 70,000 vulnerabilities. Methodologies include white box and black box, automated and manual, all reported using the Web Security Threat Classification as a baseline. Excellent stuff.

Vulnerability frequency by types


The most prevalent vulnerabilities (BlackBox & WhiteBox)


Sergey did a masterful job coordinating all the vendors (whom we thank), compiling the data, and generating a report in a nicely readable format. I'd like to caution those who may read too deeply into the data and draw unfounded conclusions. It's best to view reports such as these, where the true number and type of vulnerabilities is an unknown, as the best-case scenario. There are certainly inaccuracies, such as with CSRF, but at the very least this gives us something to go on. Future reports will certainly become more complete and representative of the whole as additional sources of vulnerability data come onboard.

Fun with Ike [Alert Logic]

Posted: 08 Sep 2008 06:17 PM CDT

Well it's that time of the year again and we have a solid hurricane candidate for Houston. Ike will either hit south of Houston, exposing it to the "dirty" side of the hurricane or hit Houston directly. The NHC expects Ike to be a category 3 with maximum winds of 115mph once it [...]

Hack With Old People [ImperViews]

Posted: 08 Sep 2008 05:37 PM CDT

Hacking with new people is passé. It's now trendy to hack with old guys. Even though Sarah Palin is not a hacker, some stories and buzz around previous-life hackers have recently surfaced. After reading the TechCrunch story of MySpace co-founder and real-life 1980s WarGames hacker Tom Anderson, I searched for known "old" hackers who changed the course of their lives. During the research I found an ancient 1984 TIME magazine article titled Let Us Now Praise Famous Hackers.

SCADA Exploit Gets Metasploited [Liquidmatrix Security Digest]

Posted: 08 Sep 2008 05:31 PM CDT

Over the weekend the code for the CitectSCADA exploit was incorporated into the Metasploit project. I find this of zero surprise. This has been out for some time. There is no surprise that this came to pass. OK, maybe surprise from various control operators. Short story, every script kiddie now has a chance to play SCADA hacker. Maybe they'll even put on a crappy presentation at Defcon. Nope, scratch that. Been done.

OK, show of hands. Who didn't see this one coming? C'mon now. Be honest. OK, for everyone who put their hands up: please see "Knuckles" out by the loading dock to collect your prize. What's that? Oh, right. Knuckles wants to make sure you understand that it's nothing personal.

From The Register:

The exploit code, published over the weekend as a module to the Metasploit penetration testing tool kit, attacks a vulnerability that resides in CitectSCADA, software used to manage industrial control mechanisms known as SCADA, or Supervisory Control And Data Acquisition, systems. In June, the manufacturer of the program, Australia-based Citect, and Computer Emergency Response Teams (CERTs) in the US, Argentina and Australia warned the flawed software could put companies in the aerospace, manufacturing and petroleum industries at risk from outsiders or disgruntled employees.

This is really not rocket science. SCADA systems by and large are rife with problems. The culture of silence in the SCADA community would make La Cosa Nostra proud. That being said, I know of a few folks who have zero-day exploits and have tried, at least in one instance, to contact the vendor. CitectSCADA basically slammed the door on one researcher. Great bridge-building exercise with a researcher who is trying to help you.

But, I digress. My point is simple. The security community has tried time and again to help, only to be routinely looked down on by certain halfwits on the SCADA mailing list. Sadly, I think this may be the only way to ever get things accomplished.

Article Link

FBI Names New Assistant Cyber Division Director [Infosecurity.US]

Posted: 08 Sep 2008 05:11 PM CDT

Today, via an official press release, the United States Federal Bureau of Investigation Director Robert S. Mueller, III has announced the appointment of Shaun Henry as the Assistant Director of the Bureau’s Cyber Division.

Assistant Director Henry is a 19-year FBI veteran Agent, rising from the ranks of Special Agent at the Washington Field Office.

Congratulations to AD Henry.

SecurityFix Performs Deep EST Domain Analysis [Infosecurity.US]

Posted: 08 Sep 2008 04:58 PM CDT

The Washington Post's SecurityFix blogger Brian Krebs posts news of his (evidently successful) efforts to analyze the depth and breadth of the domain registration landscape of EstDomains Inc. [the alleged rogue registrar, and reportedly ATRIVO's largest customer, see here].

Editor's Note: This information is directly related to the HostExploit report detailing cybercrime activities in the domain registrar arena.

UPDATE: In a Monday, 9/7/2008 SecurityFix blog post, reporter Brian Krebs delves deeper into the underworld cybercrime history of EstDomains.

[1] Washington Post SecurityFix - Atrivo aka InterCage

[2] Washington Post SecurityFix - ESTDomains

[3] Spamhaus - Cybercrime’s U.S. Hosts

Webinar on SIP Security on Thurs, Sept 11, by Audiocodes and Interactive Intelligence [Voice of VOIPSA]

Posted: 08 Sep 2008 02:18 PM CDT

Many of you may have received this in your email inbox - Audiocodes and Interactive Intelligence are jointly sponsoring a TMCnet webinar on Thursday, September 11, 2008, at 12 noon US Eastern time called “Do You Know Who is Listening? – The Truth of Enterprise SIP Security”. The abstract is here:

Session Initiation Protocol (SIP) has emerged as the predominant protocol for VoIP deployments. While SIP is gaining headway in the IP communications market, any new technology brings with it some inherent security challenges. In this webinar, we discuss these challenges, the misconceptions surrounding SIP Security, and examine the tools available to counter them. This session will also explore robust solutions that not only tackle security threats, but also empower businesses to proactively protect their networks from current and future attacks. Included in this webinar, we will examine the Interactive Intelligence suite of products as a communications platform case study that empowers businesses to tackle security threats while maintaining affordability and performance.

Obviously it is a vendor presentation with the associated perspective, but for those wishing to attend, you can register online.


[VOIPSA is a vendor-neutral organization and we do not endorse or recommend solutions from any particular vendors. However, as our interest is in elevating the level of discussion about VoIP security issues in general, we are glad to post notices here about upcoming vendor presentations.]


Google Files Patents -> Floating Data Centers [Infosecurity.US]

Posted: 08 Sep 2008 01:32 PM CDT

Google (NasdaqGS: GOOG) has filed patents focused on data center technology. This time, a particularly fascinating scheme - Data Centers Floating in Sea Water, thereby taking advantage of cold sea water for cooling, as well as energy production via wave motion. [via Engadget]

[1] Engadget - Google Files Patent For Floating Data Center

[2] Engadget - IDS To Offer Floating Data Centers

Best Practice [Infosecurity.US]

Posted: 08 Sep 2008 11:43 AM CDT


via Emergent Chaos, and (of course) Dilbert

“Statement of fees” malware [mxlab - all about anti virus and anti spam]

Posted: 08 Sep 2008 09:22 AM CDT


Emails with the subject “Statement of fees 2008/09” contain an attached .zip archive with a file Fees_2008-2009.cod.exe. Subject and file names may vary. MX Lab has seen increased activity in the distribution of this malware over the last few days.

Contents of the email:

Please find attached a statement of fees as requested, this will be posted today. The accommodation is dealt with by another section and I have passed your request on to them today.

Kind regards.
Gretchen 

The malware can be described as a debugger that is injected into the execution sequence of a target application. This ‘debugger’ can then be run every time an application is started on an infected computer.

The malware creates a file wuauclt.exe, edits a few registry entries and can make a connection to the host http://********.ru/load4/ld.php?v=1&rs=13441600&n=1&uid=1.

Virus Total permalink and MD5: 36c6d7dbe4595f60ea1bda77ce879625.

When investigating this URL I found a web site that showed me three more links to a file named kashir.exe.

http://www.******.com/images/kashir.exe
http://www.******.de/bilder/kashir.exe
http://www.******.de/neuhomebilder/kashir.exe

No automated download or anything else was executed, but this host is presumably meant to serve the malware to the computer. The kashir.exe file is known as Adware.Agent.ZO, which lowers some IE security settings and downloads RogueAntiSpyware without the user's permission. This program creates the files braviax.exe, delself.bat, beep.sys and figaro.sys in the Windows %System% directory, and a system request is initiated to shut down and then restart the computer.

Virus Total permalink and MD5: 069b3a2a8b203f6fbbf0147517ab6f80.
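The indicators in this post are of two kinds: exact ones (the two MD5s) and a pattern that the post itself says varies (a subject line and an attachment whose real extension is hidden behind a second one, as in Fees_2008-2009.cod.exe). An added example of a mail-gateway triage function that checks both, written here for illustration and not MX Lab's tooling; the attachment contents in `main` are constructed bytes, so only the name-based checks fire for them, and the hash check is exercised by passing in a hash of known bytes.

```python
"""Added example, not MX Lab's code: triage of mail attachments against the
indicators given in the post (two MD5s, double-extension executable names)."""
import hashlib
import re

# MD5s quoted in the post for the two samples it describes.
KNOWN_MD5 = {
    "36c6d7dbe4595f60ea1bda77ce879625",  # Fees_2008-2009.cod.exe
    "069b3a2a8b203f6fbbf0147517ab6f80",  # kashir.exe
}
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd"}
# e.g. ".cod.exe": a short "document" extension immediately before an executable one.
DOUBLE_EXT = re.compile(r"\.([a-z0-9]{2,4})\.(exe|scr|com|pif|bat|cmd)$", re.IGNORECASE)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def triage_attachment(name: str, data: bytes, known: set[str] = KNOWN_MD5) -> list[str]:
    """Return the reasons an attachment should be held; an empty list means no match."""
    reasons = []
    if md5_hex(data) in known:
        reasons.append("md5 matches known sample")
    if DOUBLE_EXT.search(name):
        reasons.append("double extension hiding an executable")
    elif name.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXT:
        reasons.append("executable attachment")
    return reasons


def main() -> None:
    # Constructed attachments; the bytes are placeholders, not the real samples.
    samples = [
        ("Fees_2008-2009.cod.exe", b"MZ constructed placeholder"),
        ("kashir.exe", b"MZ another constructed placeholder"),
        ("statement.pdf", b"%PDF-1.4 constructed placeholder"),
    ]
    for name, data in samples:
        print(f"{name:<24} {triage_attachment(name, data) or 'clean'}")


if __name__ == "__main__":
    main()
```

Hash matching catches only the exact files the post lists; the double-extension rule is what survives the renaming the post warns about, which is why the two are combined.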

Tim Wilson Dark Reading DNS article [StillSecure, After All These Years]

Posted: 08 Sep 2008 09:02 AM CDT

I recently spoke to Tim Wilson over at Dark Reading about the DNS debacle and what, if anything, companies like StillSecure can do to help. Though we can certainly find DNS servers that are not patched, the fact is that short of changing how DNS works, there is no bulletproof way to plug this hole. In any event, there are people much smarter than I working on this problem. Let's hope that sooner rather than later we can finally lay this one to rest.

You can read more about this in Tim's article here.

Rise up against Mediocrity [Security Incite Rants]

Posted: 08 Sep 2008 08:42 AM CDT

A few folks (Emergent Chaos, Risk Analys.is) pointed to probably the best Dilbert I've seen in a long time. A lot are funny, but this one really struck home.


When people asked me what I did for a living, for a long time my standard response was: "Fight against mediocrity." And that's kind of how I fancied myself. A crusader against all lameness. Someone who wouldn't just accept "that's how we do it," when doing it that way was just stupid.

Part of it is naive idealism. Another part is actually wanting to make a difference.

But over time, you get beaten down. Many incentive systems reward for mediocrity. For doing just enough. And if you consistently don't get rewarded for going the extra mile, after a while you'll stop. No one is so self-motivated that they outperform their peers and blast expectations for an extended period of time without some kind of reward and recognition.

That's why I think change is so important. Changing what you do, maybe who you do it for, what your goals and aspirations are, who you hang out with - anytime you start to feel stale. Stale = mediocre.

We in the security business are particularly guilty of accepting mediocrity. Our brand of mediocrity flies by under the term compliance, which is basically the set of best practices we should adopt - or have our executive officers suffer the mythical perp walks.

One of the things I mention in the P-CSO is the importance of thinking differently and not doing what everyone else is doing from a defense standpoint. Dilbert makes the risk of the lowest common denominator approach abundantly clear. If you do what everyone else does, then your adversaries know what that is, thus THEY KNOW HOW TO BEAT YOU.

I love those old movies like "Home Alone," where the bad guys stumble and bumble into every trap. The little kid set a bunch of non-traditional traps and the bad guys didn't know what to do about it. That's exactly how we need to start thinking about computer security as well. As fun as it would be to spray a hacker with honey and then dump them into a pile of feathers, we need to find the digital equivalent of that.

That's why I continue to beat the drum for Security FIRST! as a mantra. If you do security correctly, then I'm pretty confident you won't have much trouble with compliance.

It's too easy just to push the compliance button and figure everything will be OK. To figure that compliance is the end goal, the finish line. Folks we work in security, THERE IS NO FINISH LINE. Compliance is the lowest common denominator. It's something that everyone is doing (or should be doing) and it represents mediocrity.

And who wants to go through life settling for mediocrity?

Photo: "mediocrity" courtesy of Despair, Inc.

Friday MustRead - ArsTechnica Perspective: KnuJon, HostExploit Report [Infosecurity.US]

Posted: 08 Sep 2008 08:19 AM CDT

ArsTechnica’s Joel Hruska posts an outstanding examination of the KnuJon and HostExploit report. Joel manages to bring the enormity of the situation in perspective with a clear and concise style.

We deem his story this Friday's MustRead.

We believe this entire scenario is indicative of why ICANN is broken. The evidence detailing the lack of responsibility the organization exhibits in policing Registrars is mounting.

Stay Tuned…

Security Briefing: September 8th [Liquidmatrix Security Digest]

Posted: 08 Sep 2008 07:32 AM CDT

Researchers Warn Of Facebook Malware [Liquidmatrix Security Digest]

Posted: 08 Sep 2008 07:14 AM CDT

Social media as an attack vector is not a stretch. A group of researchers from Greece have created a tool that can be used to attack users.

From vnunet:

In a paper entitled Antisocial Networks (PDF) the researchers demonstrated an application that causes Facebook users to unknowingly participate in denial-of-service (DoS) attacks against other sites.

The ‘Facebot’ tool was disguised as a National Geographic ‘picture of the day’ application which users install into their Facebook profile page, thus allowing it to access account information and request new photos.

This type of thing has been discussed for a while in the media and with talks such as Shawn Moyer and Nathan Hamiel’s “Satan is on my friends list” at Black Hat last month.

Not entirely new on the face of it, but interesting nonetheless.

Article Link

DEFCON London - DC4420 Meet [Liquidmatrix Security Digest]

Posted: 08 Sep 2008 06:58 AM CDT

For our London readers, Major Malfunction will be providing a wrap up of his trip to Defcon 16 along with others this Thursday, September 11.

From Full Disclosure:

yes, we’ve recovered enough from the rigours of DC16 to be able to
scrape together another London meet, this Thursday, at the Glassblower…

http://www.beerintheevening.com/pubs/s/20/2081/Glassblower/Piccadilly

as usual, we have our own room with its own bar (1st floor, with its
own entrance from the street or from the back of the downstairs bar).

The meeting starts at 1900 and the talks will begin shortly after that.

Check it out if you’re in the area.

Article Link

Maltego 2 and beyond - Part 1 [Room362.com]

Posted: 08 Sep 2008 12:09 AM CDT

EDIT: This and the following posts are also show notes for the Season 4 premiere of Hak5

So Maltego 2 has been released and all I have to show for it are these images stolen from paterva.com


and a bit of an explanation also stolen from their site:

But you aren’t here for what you can find on their site. You are here to find out why Maltego is fun, useful, and something you might want to recommend your boss/secretary/parents to buy.

Maltego is hard to define because of its open nature. It is designed to be whatever the information gatherer wants it to be. But before we go into Maltego's super powers, let's define the differences between its two versions, the Full and Community editions.

Full is just as it implies. Unfettered. You can make it fly. But it’s 400 bucks a year per client. (Or your organization can talk straight to Paterva about their server/client platform)

Community Edition is free, but you are locked down quite a bit. Community Edition is bundled with Back|Track 3, which is done by the awesome guys over at Offensive Security. Here are the nags:

  • A 15 second nag screen
  • Save and Export has been disabled
  • Limited zoom levels
  • Can only run transforms on a single entity at a time
  • Cannot copy and paste text from detailed view
  • Transforms limited to 75 per day
  • Throttled client to TAS communication

However, if you do have one full version client, you can open saved investigations (mtg files) with it and manipulate it all you want. 

So that is just one of my tricks, and now that we have a baseline down (kinda like getting done with all of your base classes in college), in the following segments of this post I will be showing off some of the electrolyte driven goodness of Maltego and some of the hacks/tricks that will make you wonder just what you can’t do with Maltego.

The Analyzer Redux… [Infosecurity.US]

Posted: 07 Sep 2008 07:31 PM CDT

CyberCrime & Doing Time’s Gary Warner speculates on the apparent return of Ehud Tennenbaum, aka The Analyzer.

[1] CTV Video

[2] Haaretz

[3] Wired’s ThreatLevel

Google Docs Bug [Room362.com]

Posted: 07 Sep 2008 07:10 PM CDT

So, instead of doing this the right way, which is submitting a bug report to Google, I am going to do this the blogger way:

  1. Publish article to blog about problem in product
  2. Wait for traffic to rise on blog
  3. Become giddy at rise in traffic due to outstanding title
  4. Watch as traffic falls within days
  5. Become angry and write retort (in said blog, still not contacting the company) getting mad about the STILL unfixed problem

Actually, that’s a lie. Here is what I reported to Google after I wrote the above statement:

This problem only happens in a specific sequence of events, but can be easily reproduced. 

  1. User 1 opens Google Doc that is collaboratively edited.
  2. User 1 closes browser (with save session ability)
  3. User 2 opens Google Doc and makes an edit to that same document
  4. User 2 saves the new edits (through AutoSave or save/close or save)
  5. User 1 at any point after this save (User 2 doesn’t have to have the document closed), opens his saved session browser and it opens the old version of the doc. If user 1 then waits long enough for AutoSave to do its thing or save/closes it, then the document is saved in its old status.

This can easily be fixed by reverting via revision history to the “newer” version, but also can easily go unnoticed. A suggestion for a fix would be a nice popup on User 1’s screen saying that there is a newer version of that document available.

If you have a fix, please leave a comment. I would really hate to find out that this is a simple preferences setting.
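The five-step sequence above is a classic lost-update race: the restored session holds a stale copy and AutoSave writes it back over the newer revision. The following added example (not Google’s code, using a constructed in-memory store) replays that sequence with a last-writer-wins save and again with a revision check, which is what the “newer version available” popup suggested in the post would be built on.

```python
# Added example (not Google's code): the lost-update race from the report
# above, replayed against a constructed in-memory document store.
from dataclasses import dataclass, field
from typing import List, Tuple


class StaleRevisionError(Exception):
    """Client tried to save on top of a revision it never saw."""


@dataclass
class DocumentStore:
    content: str = ""
    revision: int = 0
    history: List[Tuple[int, str]] = field(default_factory=list)

    def open(self) -> Tuple[int, str]:
        """What a client receives when it (re)loads the document."""
        return self.revision, self.content

    def save_naive(self, content: str) -> int:
        """Last writer wins: the client's copy replaces the server copy unconditionally."""
        self.history.append((self.revision, self.content))
        self.revision += 1
        self.content = content
        return self.revision

    def save_checked(self, base_revision: int, content: str) -> int:
        """Optimistic concurrency: accept only a save based on the current revision."""
        if base_revision != self.revision:
            raise StaleRevisionError(
                f"edit based on rev {base_revision}, server is at rev {self.revision}")
        return self.save_naive(content)


def replay(checked: bool) -> str:
    """Play the five steps from the post; return what the server holds at the end."""
    store = DocumentStore(content="draft v1")           # constructed sample content
    user1_rev, user1_copy = store.open()                 # 1. User 1 opens the doc
    # 2. User 1 closes the browser; the restored session still holds rev/content
    user2_rev, user2_copy = store.open()                 # 3. User 2 opens the same doc
    store.save_checked(user2_rev, user2_copy + " + user2 edit")   # 4. User 2 saves
    try:                                                 # 5. User 1's stale AutoSave
        if checked:
            store.save_checked(user1_rev, user1_copy)    # rejected: prompt to reload
        else:
            store.save_naive(user1_copy)                 # silently clobbers User 2
    except StaleRevisionError:
        pass
    return store.content
```

With the naive save the server ends up holding "draft v1" (User 2's edit survives only in `history`); with the checked save User 1's stale write is refused and the client can offer a reload instead.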

Asking The Cisco Systems IPICS Expert: Questions 26-30 [Voice of VOIPSA]

Posted: 07 Sep 2008 04:38 PM CDT

“Everything is connected, everything is a point of attack, everything must be defended.” — John Chambers, CEO, Cisco Systems

Welcome to the 6th installment of “Asking The Cisco Systems IPICS Expert” — security questions derived from publicly available information and Cisco IPICS documentation. Still no official response from the ipicsasktheexpert@cisco.com email, though my email from another account of mine has not bounced yet. All of my previous email bounced within a couple of days.

In my previous post, “Asking The Cisco Systems IPICS Expert: Questions 21-25”, recall that question 21 focused on the Danville, VA RFP for "IPICS Maintenance and Operability." I was a bit surprised to see that the RFP had been removed from Danville’s website later in the week. Perhaps my insights into the security issues I noted in the RFP garnered some attention? Google cache you say? Nope. Gone from there too. Spooky. Whatever the case, I sincerely hope that Danville’s RFP process for their IPICS doesn’t go into “security by obscurity” mode. In fact, assuming that they are revising the RFP, I’m happy to offer a review of the new document on my “own time, own dime” if they are interested.

Other interesting things are also going on with several of the links in the “Asking The Cisco Systems IPICS Expert” blog posts. There seems to be some scrubbing of information going on with some of the content I’ve linked to, such as the Boulder County, CO IPICS video; not to worry, I’ve found another copy that you can view on Youtube here.

Also gone missing is a TelephonyOnline article on the new IPICS managed service offering from Verizon that was replaced with this article on 5 August. What was really interesting is that the article published by TelephonyOnline on 4 August quoted Verizon’s Charles “Chuck” Vick, manager of emergency communications, saying something along the lines of “can’t be breached” — oh well, no love on the Google cache there either. Extra-Spooky. Well, maybe a copy of it will turn up someday. :)

Moving on…

Question 26: Recently, RedHat issued a critical security advisory relating to tampered SSH packages from a compromise of RedHat’s servers. As the IPICS is based on RedHat (Cisco Linux) and uses SSH as a server, does this advisory apply?

Cisco answer

Question 27: Concerning the usage of opensource software in the IPICS, can you definitively state that all of the associated opensource license agreements (BSD, GPL, etc.) are indeed being followed and honored, including the public release of source code?

Cisco answer

Question 28: As mentioned in question 22, the IPICS platform is available in two hardware profiles, the IBM MCS (MCS-7845-H1-S31) rack-mounted and the Panasonic Toughbook CF-30 mobile version (IPCM1-P30). Concerning the IPCM1-P30, VMware is used to run the IPICS software. As Cisco and VMware have an established alliance, are any of the VMware hardening guides either already applied or able to be applied to the IPICS IPCM1-P30 models?

Cisco answer

Question 29: Cisco postings for IPICS developer positions have no mention of security expertise or knowledge of secure coding practices required. For the Physical Security Business Unit (PSBU) not to specify these skills in coding a system as important as the IPICS is…interesting. Is there any engineer security training, vetting, requirements, etc. prior to production-level coding that you can make a statement to about these positions?

Cisco answer

Question 30: As IPICS deployments are completed, leadership in various organizations will need to provide updates, presentations, milestones, etc. to document and inform others of their interoperability status, accomplishments and future goals. However, in doing so these organizations can place their IPICS and interoperability at risk from attackers by disclosing what some might call sensitive information in certain contexts. For a brief example, in a Danville, VA slide presentation entitled “Piedmont Regional Voice over IP Pilot Project” slide number 11 shows a screenshot of the Danville, VA IPICS console from which an attacker could theoretically glean information to be used maliciously. Specifically (but not completely), this information includes the IP address of the IPICS console, usernames, IPICS software version in use, programmed VTGs (virtual talk groups), anti-virus software used on the PC to access the IPICS, email client on the PC used to access the IPICS, etc. Other slides detail on a high level network topography and geographical coverage.

While providing support and training to IPICS users to prevent these kinds of sensitive information disclosure is arguably outside of the Cisco IPICS Expert’s purview, I strongly suggest that it is worth considering given the importance of interoperability deployments — that is, it is in all of our interests to provide public safety personnel the information and support to minimize their risk exposure and empower them to exercise their training and expertise to accomplish what they are best at doing.

To this end, I suggest that the Cisco IPICS Expert reach out and support organizations that can provide insight and security training to avoid these types of issues, as well as a host of others. One that comes to mind is the Center for Infrastructure Assurance and Security based at the University of Texas at San Antonio — tangible and direct support from Cisco to CIAS in the form of TAC accounts, full CCO access and IPICS and interoperability systems could enable CIAS to proactively engage, educate, inform and support public safety officials’ IPICS deployments in a vendor-agnostic manner above and beyond the profit/marketshare/image-motivated goals of Cisco.

Cisco answer

Again, I thank you for your time and look forward to your answers to these questions as well as the previous unanswered 25 questions.

Shawn Merdinger
Security Researcher

Notepad is a virus [Room362.com]

Posted: 07 Sep 2008 03:22 PM CDT

Original Article: http://sunbeltblog.blogspot.com/2008/09/how-to-make-notepadexe-malicious-file.html

Alex Eckelberry over at Sunbelt got an itch to see which virus vendors were just using packer signatures instead of emulating the deflation process and detecting the virus inside. This is a shortcut that can yield false positives such as demonstrated in Alex’s experiment, but is done due to the overhead such an undertaking would introduce, I assume, to the client software.

I bring this up here because I recently conducted a somewhat similar test, although I admittedly know very little about packers. I submitted a couple of No-CD cracks that I got from an unnamed source (GameCopyWorld.com) and tested them with VirusTotal.com to see if they had viruses, and all of them came back positive. I doubted these findings since they were mostly labeled “Trojan.Downloader” and similar generic names. I then used Sunbelt’s very own CWSandbox and a few local tools to determine if the trojan downloaders I had were actually that. All tests came back stating no network connections, packed by UPX, and minimal DLL calls which were all used to display Windows GUIs.

Alex’s article and my recent research renewed my want to learn more about packers. Where to start? Wikipedia. Nope! Wikipedia’s article on runtime packers hasn’t been written yet. I haven’t stopped searching for a good resource on the topic, but if anyone knows one, please leave a comment and a link.

Thanks

Google’s Picasa Abused By Spammers [Infosecurity.US]

Posted: 07 Sep 2008 12:51 PM CDT

HeiseSecurityUK posts a report from MessageLabs detailing a Spam Scam targeting Google’s Picasa users.

From the post: The Intelligence Report says that, with emails containing embedded links to Google, the usual spam filters have a hard time trying to discriminate between the legitimate and the malicious. These are after all legitimate URLs, so blocking emails containing Google URLs would probably do more harm than good.

McAfee AVERT Labs: Directi LogicBoxes Service [Infosecurity.US]

Posted: 07 Sep 2008 12:19 PM CDT

McAfee AVERT Labs Chris Barton posts an excellent explanatory piece pertaining to the LogicBoxes product from DIRECTI. We invite comments, corrections, etc.

From the post: “LogicBoxes is a software product or turnkey ASP solution but some simple tests (that I'm deliberately withholding for now) prove that it's software combined with a backend service and Directi are involved at every stage of the game via its service-layer even though it looks on the face of it like they aren't.”

[1] McAfee AVERT Labs

[2] Knujon

[3] HostExploit
