Spliced feed for Security Bloggers Network
[Chinese] Return on Security Investment (ROSI) [Telecom,Security & P2P] Posted: 09 Sep 2008 07:32 AM CDT Noted security expert Bruce Schneier has published an article in CSO magazine on the return on security investment. I think this is the same point Andrew raised about security metrics. Having read the article, Bruce in fact does not completely reject return-on-security-investment analysis. He only reminds security managers to be careful with the return models and figures put out by security vendors, since they may be heavily padded and unreliable. Bruce also gives several examples to show that the usual financial ROI analysis model and ALE (the term annualized loss expectancy from CISSP training) do not apply to low-probability, high-loss situations, and many security risks and investments fall into exactly this category. Bruce's example is interesting. The ROI model is not well suited to low-probability, high-loss scenarios because there are not enough samples and data to do statistics on. Look at Bruce's example. The new airport security screening measures add roughly half an hour of waiting time per traveller; according to the statistics, 760 million passengers boarded flights in the US in 2007, so the total waiting time comes to an astonishing 43,000 years; assuming a life expectancy of 70 years, this is equivalent to the screening killing about 620 people every year. Surprising, isn't it! If you take into account that all of the time consumed is waking time, and the economic productivity of the passengers, the number could reach over a thousand. Now the question arises: are such screening measures worth it? An ROI analysis would need to show that without the screening, terrorism would kill at least that many more people. Frankly, that judgement is not hard to make; 9/11 changed many people's views. But on the Internet and in IT systems, that judgement and analysis are not so easy.
Is The NSA Snooping Your Cell? [Liquidmatrix Security Digest] Posted: 09 Sep 2008 07:30 AM CDT Short answer, apparently yes. Chris Soghoian has a rather interesting article that he posted yesterday where he dug deeper into the warrantless wiretaps. From CNET:
To read a demo of the product there is this link as well as mirrors at Harvard and here. A very interesting read. I recommend checking out the full piece.
The Daily Incite - September 9, 2008 [Security Incite Rants] Posted: 09 Sep 2008 05:51 AM CDT September 9, 2008 - Volume 3, #75 Good Morning:
Top Security News Security? Nah, not a problem
Top Blog Postings Anything relentless is good by me
SpamAssassin – What Is It & How Commtouch’s Plug Works With It [Commtouch Café] Posted: 09 Sep 2008 03:28 AM CDT SpamAssassin™ was first introduced by Justin Mason in the Open Source software site SourceForge.net in April 2001. Since then, it has been adopted by many small-medium sized businesses, service providers and integrated by value-added resellers (VARs) to be used as their core infrastructure. The beauty of SpamAssassin is in its infrastructure rather than in the technology [...]
Wordpress 2.6.2 Released - PHP Exploit Negated [Infosecurity.US] Posted: 08 Sep 2008 11:55 PM CDT Wordpress’s Ryan has announced the release of Wordpress 2.6.2, a security related point release of the popular blog server platform. This update reportedly negates issues with open registration vulnerabilities and randomly generated passwords. Additional issues still exist with other PHP apps (see the quote from Wordpress after the jump). Download Wordpress 2.6.2 and upgrade as soon as possible.
US-CERT: SCADA Exploit Code Publicly Available [Infosecurity.US] Posted: 08 Sep 2008 07:13 PM CDT US-CERT has released notification of public code availability targeting an exploitable vulnerability in CitectSCADA. This is an arbitrary code execution issue. US-CERT encourages CitectSCADA administrators to examine the specified US-CERT Vulnerability Note (link published after the jump) and apply the patch as described therein. [1] Vulnerability Note VU#476345
WASC Web Application Security Statistics 2007 [Jeremiah Grossman] Posted: 08 Sep 2008 07:10 PM CDT For those hungry for more web application security vulnerability data, WASC has released its Web Application Security Statistics report for 2007. Under the leadership of Sergey Gordeychik and the broad participation by Booz Allen Hamilton, BT, Cenzic, dblogic.it, HP, Positive Technologies, Veracode, and WhiteHat Security – we've combined custom web application vulnerability data from roughly 32,000 websites totaling 70,000 vulnerabilities. Methodologies include white box and black box, automated and manual, all reported using the Web Security Threat Classification as a baseline. Excellent stuff. [Figure: Vulnerability frequency by types] [Figure: The most prevalent vulnerabilities (BlackBox & WhiteBox)] Sergey did a masterful job coordinating all the vendors (whom we thank), compiling the data, and generating a report in a nicely readable format. I'd like to caution those who may read too deeply into the data and draw unfounded conclusions. It's best to view reports such as these, where the true number and type of vulnerabilities is an unknown, as the best-case scenario. There are certainly inaccuracies, such as with CSRF, but at the very least this gives us something to go on. Future reports will certainly become more complete and representative of the whole as additional sources of vulnerability data come onboard.
Hack With Old People [ImperViews] Posted: 08 Sep 2008 05:37 PM CDT Hacking with new people is passe. It's now trendy to hack with old guys. Even though Sarah Palin is not a hacker, some stories and buzz around previous-life hackers have been recently uncovered. After reading the TechCrunch story of MySpace co-founder and real life 1980s WarGames hacker, Tom Anderson, I searched for known "old" hackers that changed their course of life. During the research I found a
SCADA Exploit Gets Metasploited [Liquidmatrix Security Digest] Posted: 08 Sep 2008 05:31 PM CDT Over the weekend the code for the CitectSCADA exploit was incorporated into the Metasploit project. I find this of zero surprise. This has been out for some time. There is no surprise that this came to pass. OK, maybe surprise from various control operators. Short story, every script kiddie now has a chance to play SCADA hacker. Maybe they’ll even put on a crappy presentation at Defcon. Nope, scratch that. Been done. OK, show of hands. Who didn’t see this one coming? C’mon now. Be honest. OK, for everyone who put their hands up. Please see “Knuckles” out by the loading dock to collect your prize. What’s that? Oh, right. Knuckles wants to make sure you understand that it’s nothing personal. From The Register:
This is really not rocket science. SCADA systems by and large are rife with problems. The culture of silence in the SCADA community would make La Cosa Nostra proud. That being said, I know of a few folks that have zero day exploits and have tried, at least in one instance, to contact the vendor. CitectSCADA basically slammed the door on one researcher. Great bridge building exercise with a researcher who is trying to help you. But, I digress. My point is simple. The security community has tried time and again to help, only to routinely be looked down on by certain halfwits on the SCADA mailing list. Sadly, I think this may be the only way to ever get things accomplished.
FBI Names New Assistant Cyber Division Director [Infosecurity.US] Posted: 08 Sep 2008 05:11 PM CDT Today, via an official press release, the United States Federal Bureau of Investigation Director Robert S. Mueller, III has announced the appointment of Shaun Henry as the Assistant Director of the Bureau’s Cyber Division.
SecurityFix Performs Deep EST Domain Analysis [Infosecurity.US] Posted: 08 Sep 2008 04:58 PM CDT The Washington Post’s SecurityFix blogger Brian Krebs posts news of his efforts to analyze (evidently successful) the depth and breadth of EstDomains Inc. [the alleged rogue registrar, and ATRIVO's reportedly largest customer, see here] domain registration landscape.
[1] Washington Post SecurityFix - Atrivo aka InterCage [2] Washington Post SecurityFix - ESTDomains
Posted: 08 Sep 2008 02:18 PM CDT Many of you may have received this in your email inbox - Audiocodes and Interactive Intelligence are jointly sponsoring a TMCnet webinar on Thursday, September 11, 2008, at 12 noon US Eastern time called “Do You Know Who is Listening? – The Truth of Enterprise SIP Security”. The abstract is here:
Obviously it is a vendor presentation with the associated perspective, but for those wishing to attend, you can register online. [VOIPSA is a vendor-neutral organization and we do not endorse or recommend solutions from any particular vendors. However, as our interest is in elevating the level of discussion about VoIP security issues in general, we are glad to post notices here about upcoming vendor presentations.]
Google Files Patents -> Floating Data Centers [Infosecurity.US] Posted: 08 Sep 2008 01:32 PM CDT Google (NasdaqGS: GOOG) has filed patents focused on data center technology. This time, a particularly fascinating scheme - Data Centers Floating in Sea Water, thereby taking advantage of cold sea water for cooling, as well as energy production via wave motion. [via Engadget] [1] Engadget - Google Files Patent For Floating Data Center
Best Practice [Infosecurity.US] Posted: 08 Sep 2008 11:43 AM CDT
“Statement of fees” malware [mxlab - all about anti virus and anti spam] Posted: 08 Sep 2008 09:22 AM CDT Emails with the subject “Statement of fees 2008/09” contain an attached .zip archive with a file Fees_2008-2009.cod.exe. Subject and file names may vary. MX Lab has seen increased activity regarding the distribution of this malware over the last few days. Contents of the email:
The malware can be described as a debugger that is injected into the execution sequence of a target application. This ‘debugger’ can then be run every time an application is started on an infected computer. The malware creates a file wuauclt.exe, edits a few registry entries and can make a connection with a host http://********.ru/load4/ld.php?v=1&rs=13441600&n=1&uid=1. Virus Total permalink and MD5: 36c6d7dbe4595f60ea1bda77ce879625. When investigating this URL I found a web site that showed me three more links towards a file named kashir.exe. http://www.******.com/images/kashir.exe No automated download or anything else was executed, but this host is supposed to serve the malware to the computer. The kashir.exe file is known as Adware.Agent.ZO, which lowers some IE security settings and downloads RogueAntiSpyware without the user’s permission. This program creates the files braviax.exe, delself.bat, beep.sys and figaro.sys in the Windows %System% directory and a system request is initiated to shut down and then restart the computer. Virus Total permalink and MD5: 069b3a2a8b203f6fbbf0147517ab6f80.
Tim Wilson Dark Reading DNS article [StillSecure, After All These Years] Posted: 08 Sep 2008 09:02 AM CDT I recently spoke to Tim Wilson over at Dark Reading about the DNS debacle and what, if anything, companies like StillSecure can do about it to help. Though we can certainly find DNS servers not patched, the fact is, short of changing how DNS works, there is no bulletproof way to plug this hole. In any event, there are people much smarter than I working on this problem. Let's hope sooner rather than later we can finally lay this one to rest. You can read more about this in Tim's article here.
Rise up against Mediocrity [Security Incite Rants] Posted: 08 Sep 2008 08:42 AM CDT A few folks (Emergent Chaos, Risk Analys.is) pointed to probably the best Dilbert I've seen in a long time. A lot are funny, but this one really struck home. Photo: "mediocrity" courtesy of Despair, Inc.
Friday MustRead - ArsTechnica Perspective: KnuJon, HostExploit Report [Infosecurity.US] Posted: 08 Sep 2008 08:19 AM CDT ArsTechnica’s Joel Hruska posts an outstanding examination of the KnuJon and HostExploit report. Joel manages to bring the enormity of the situation in perspective with a clear and concise style.
Security Briefing: September 8th [Liquidmatrix Security Digest] Posted: 08 Sep 2008 07:32 AM CDT It’s Monday morning. Sipping coffee and perusing the news. Will today be a good day? Hope springs. Click here to subscribe to Liquidmatrix Security Digest! And now, the news…
Researchers Warn Of Facebook Malware [Liquidmatrix Security Digest] Posted: 08 Sep 2008 07:14 AM CDT Social media as an attack vector is not a stretch. A group of researchers from Greece have created a tool that can be used to attack users. From vnunet:
This type of thing has been discussed for a while in the media and with talks such as Shawn Moyer and Nathan Hamiel’s “Satan is on my friends list” at Black Hat last month. Not entirely new on the face of it but, interesting nonetheless.
DEFCON London - DC4420 Meet [Liquidmatrix Security Digest] Posted: 08 Sep 2008 06:58 AM CDT For our London readers, Major Malfunction will be providing a wrap up of his trip to Defcon 16 along with others this Thursday, September 11. From Full Disclosure:
The meeting starts at 1900 and the talks will begin shortly after that. Check it out if you’re in the area.
Maltego 2 and beyond - Part 1 [Room362.com] Posted: 08 Sep 2008 12:09 AM CDT EDIT: This and the following posts are also show notes for the Season 4 premiere of Hak5 So Maltego 2 has been released and all I have to show for it are these images stolen from paterva.com and a bit of an explanation also stolen from their site: But you aren’t here for what you can find on their site. You are here to find out why Maltego is fun, useful, and something you might want to recommend your boss/secretary/parents to buy. Maltego is hard to define because of its open nature. It is designed to be whatever that information gatherer wants it to be. But before we go into Maltego’s super powers, let's define the differences between its two versions, Full and Community editions. Full is just as it implies. Unfettered. You can make it fly. But it’s 400 bucks a year per client. (Or your organization can talk straight to Paterva about their server/client platform) Community Edition is free, but you are locked down quite a bit. Community Edition is bundled with Back|Track 3, which is done by the awesome guys over at Offensive Security. Here are the nags:
However, if you do have one full version client, you can open saved investigations (mtg files) with it and manipulate it all you want. So that is just one of my tricks and now that we have a baseline down (kinda like getting done with all of your base classes in college), in the following segments of this post I will be showing off some of the electrolyte driven goodness of Maltego and some of the hacks/tricks that will make you wonder just what you can’t do with Maltego.
The Analyzer Redux… [Infosecurity.US] Posted: 07 Sep 2008 07:31 PM CDT CyberCrime & Doing Time’s Gary Warner speculates on the apparent return of Ehud Tennenbaum, aka The Analyzer. [1] CTV Video [2] Haaretz
Posted: 07 Sep 2008 07:10 PM CDT So, instead of doing this the right way, which is submitting a bug report to google, I am going to do this the blogger way:
Actually that's a lie, here is what I reported to Google after I wrote the above statement: This problem only happens in a specific sequence of events, but can be easily reproduced.
This can easily be fixed by reverting via revision history to the “newer” version, but also can easily go unnoticed. A suggestion for a fix would be a nice popup on User 1’s screen saying that there is a newer version of that document available. If you have a fix, please leave a comment. I would really hate to find out that this is a simple preferences setting.
Asking The Cisco Systems IPICS Expert: Questions 26-30 [Voice of VOIPSA] Posted: 07 Sep 2008 04:38 PM CDT Welcome to the 6th installment of “Asking The Cisco Systems IPICS Expert” — security questions derived from publicly available information and Cisco IPICS documentation. Still no official response from the ipicsasktheexpert@cisco.com email, though my email from another account of mine has not bounced yet. All of my previous email bounced within a couple of days. In my previous post, “Asking The Cisco Systems IPICS Expert: Questions 21-25”, recall that question 21 focused on the Danville, VA RFP for "IPICS Maintenance and Operability." I was a bit surprised to see that the RFP had been removed from Danville’s website later in the week. Perhaps my insights into the security issues I noted in the RFP garnered some attention? Google cache you say? Nope. Gone from there too. Spooky. Whatever the case, I sincerely hope that Danville’s RFP process for their IPICS doesn’t go into “security by obscurity” mode. In fact, assuming that they are revising the RFP, I’m happy to offer a review of the new document on my “own time, own dime” if they are interested. Other interesting things are also going on with several of the links in the “Asking The Cisco Systems IPICS Expert” blog posts. There seems to be some scrubbing of information going on with some of the content I’ve linked to, such as the Boulder County, CO IPICS video; not to worry, I’ve found another copy that you can view on YouTube here. Also gone missing is a TelephonyOnline article on the new IPICS managed service offering from Verizon that was replaced with this article on 5 August. What was really interesting is that the article published by TelephonyOnline on 4 August quoted Verizon’s Charles “Chuck” Vick, manager of emergency communications, saying something along the lines of “can’t be breached” — oh well, no love on the Google cache there either. Extra-Spooky. Well, maybe a copy of it will turn up someday.
Moving on… Question 26: Recently, RedHat issued a critical security advisory relating to tampered SSH packages from a compromise of RedHat’s servers. As the IPICS is based on RedHat (Cisco Linux) and uses SSH as a server, does this advisory apply?
Question 27: Concerning the usage of opensource software in the IPICS, can you definitively state that all of the associated opensource license agreements (BSD, GPL, etc.) are indeed being followed and honored, including the public release of source code?
Question 28: As mentioned in question 22, the IPICS platform is available in two hardware profiles, the IBM MCS (MCS-7845-H1-S31) rack-mounted and the Panasonic Toughbook CF-30 mobile version (IPCM1-P30). Concerning the IPCM1-P30, VMware is used to run the IPICS software. As Cisco and VMware have an established alliance, are any of the VMware hardening guides either already applied or able to be applied to the IPICS IPCM1-P30 models?
Question 29: Cisco postings for IPICS developer positions have no mention of security expertise or knowledge of secure coding practices required. For the Physical Security Business Unit (PSBU) not to specify these skills in coding a system as important as the IPICS is…interesting. Is there any engineer security training, vetting, requirements, etc. prior to production-level coding that you can make a statement to about these positions?
Question 30: As IPICS deployments are completed, leadership in various organizations will need to provide updates, presentations, milestones, etc. to document and inform others of their interoperability status, accomplishments and future goals. However, in doing so these organizations can place their IPICS and interoperability at risk from attackers by disclosing what some might call sensitive information in certain contexts. For a brief example, in a Danville, VA slide presentation entitled “Piedmont Regional Voice over IP Pilot Project” slide number 11 shows a screenshot of the Danville, VA IPICS console from which an attacker could theoretically glean information to be used maliciously. Specifically (but not completely), this information includes the IP address of the IPICS console, usernames, IPICS software version in use, programmed VTGs (virtual talk groups), anti-virus software used on the PC to access the IPICS, email client on the PC used to access the IPICS, etc. Other slides detail on a high level network topography and geographical coverage. While providing support and training to IPICS users to prevent these kinds of sensitive information disclosure is arguably outside of the Cisco IPICS Expert’s purview, I strongly suggest that it is worth considering given the importance of interoperability deployments — that is, it is in all of our interests to provide public safety personnel the information and support to minimize their risk exposure and empower them to exercise their training and expertise to accomplish what they are best at doing. To this end, I suggest that the Cisco IPICS Expert reach out and support organizations that can provide insight and security training to avoid these types of issues, as well as a host of others.
One that comes to mind is the Center for Infrastructure Assurance and Security based at the University of Texas at San Antonio — tangible and direct support from Cisco to CIAS in the form of TAC accounts, full CCO access and IPICS and interoperability systems could enable CIAS to proactively engage, educate, inform and support public safety officials’ IPICS deployments in a vendor-agnostic manner above and beyond the profit/marketshare/image-motivated goals of Cisco.
Again, I thank you for your time and look forward to your answers to these questions as well as the previous unanswered 25 questions. Shawn Merdinger
Notepad is a virus [Room362.com] Posted: 07 Sep 2008 03:22 PM CDT Original Article: http://sunbeltblog.blogspot.com/2008/09/how-to-make-notepadexe-malicious-file.html Alex Eckelberry over at Sunbelt got an itch to see which virus vendors were just using packer signatures instead of emulating the deflation process and detecting the virus inside. This is a shortcut that can yield false positives such as demonstrated in Alex’s experiment, but is done due to the overhead such an undertaking would introduce, I assume, to the client software. I bring this up here because I recently conducted a somewhat similar test, although I admittedly know very little about packers. I submitted a couple of No-CD cracks that I got from an unnamed source (GameCopyWorld.com) and tested them with VirusTotal.com to see if they had viruses, and all of them came back positive. I doubted these findings since they were mostly labeled “Trojan.Downloader” and similar generic names. I then used Sunbelt’s very own CWSandbox and a few local tools to determine if the trojan downloaders I had were actually that. All tests came back stating no network connections, packed by UPX, and minimal DLL calls which were all used to display Windows GUIs. Alex’s article and my recent research renewed my want to learn more about packers. Where to start? Wikipedia. Nope! Wikipedia’s article on runtime packers hasn’t been written yet. I haven’t stopped searching for a good resource on the topic, but if anyone knows one, please leave a comment and a link. Thanks
Google’s Picasa Abused By Spammers [Infosecurity.US] Posted: 07 Sep 2008 12:51 PM CDT HeiseSecurityUK posts a report from MessageLabs detailing a Spam Scam targeting Google’s Picasa users.
McAfee AVERT LABS: Directi LogicBoxes Service [Infosecurity.US] Posted: 07 Sep 2008 12:19 PM CDT McAfee AVERT Labs’ Chris Barton posts an excellent explanatory piece pertaining to the LogicBoxes product from DIRECTI. We invite comments, corrections, etc.
[2] Knujon [3] HostExploit