Posted: 09 Sep 2008 07:32 AM CDT
Bruce also gave several examples to show that the usual financial ROI analysis model, and ALE (the term from CISSP training, annualized loss expectancy), do not apply to low-probability, high-loss situations. Many security risks and security investments fall into exactly this category.
Bruce's example is interesting. The ROI model is not well suited to low-probability, high-loss scenarios, because there are not enough samples and data to do statistics with. Let's look at Bruce's example. The new airport security screening measures add roughly half an hour of waiting time per traveler. According to the statistics, 760 million passengers boarded flights in the US in 2007, so the total waiting time comes to an astonishing 43,000 years; assuming an average lifespan of 70 years, this is equivalent to the screening killing about 620 people every year. Surprising, isn't it? If you take into account that all of the time consumed is waking time, the economic productivity of the boarding passengers, and so on, that number could reach over a thousand. OK, now here is the question - are such screening measures worth it? An ROI analysis would need to show that without the screening, terrorism would kill at least that many more people.
Posted: 09 Sep 2008 07:30 AM CDT
Short answer, apparently yes. Chris Soghoian has a rather interesting article that he posted yesterday where he dug deeper into the warrantless wiretaps.
Posted: 09 Sep 2008 05:51 AM CDT
September 9, 2008 - Volume 3, #75
Top Security News
Security? Nah, not a problem
Top Blog Postings
Anything relentless is good by me
Posted: 09 Sep 2008 03:28 AM CDT
SpamAssassin™ was first introduced by Justin Mason in the Open Source software site SourceForge.net in April 2001. Since then, it has been adopted by many small-medium sized businesses, service providers and integrated by value-added resellers (VARs) to be used as their core infrastructure. The beauty of SpamAssassin is in its infrastructure rather than in the technology [...]
Posted: 08 Sep 2008 11:55 PM CDT
Wordpress’s Ryan has announced the release of Wordpress 2.6.2, a security related point release of the popular blog server platform. This update reportedly negates issues with open registration vulnerabilities and randomly generated passwords. Additional issues still exist with other PHP apps (see the quote from Wordpress after the jump). Download Wordpress 2.6.2 and upgrade as soon as possible.
Posted: 08 Sep 2008 07:13 PM CDT
US-CERT has released notification of public code availability targeting an exploitable vulnerability in CitectSCADA. This is an arbitrary code execution issue. US-CERT encourages CitectSCADA administrators to examine the specified US-CERT Vulnerability Note (link published after the jump) and apply the patch as described therein.
Vulnerability Note VU#476345
Posted: 08 Sep 2008 07:10 PM CDT
For those hungry for more web application security vulnerability data, WASC has released its Web Application Security Statistics report for 2007. Under the leadership of Sergey Gordeychik and the broad participation by Booz Allen Hamilton, BT, Cenzic, dblogic.it, HP, Positive Technologies, Veracode, and WhiteHat Security – we've combined custom web application vulnerability data from roughly 32,000 websites totaling 70,000 vulnerabilities. Methodologies include white box and black box, automated and manual, all reported using the Web Security Threat Classification as a baseline. Excellent stuff.
Vulnerability frequency by types
The most prevalent vulnerabilities (BlackBox & WhiteBox)
Sergey did a masterful job coordinating all the vendors (whom we thank), compiling the data, and generating a report in a nicely readable format. I'd like to caution those who may read too deeply into the data and draw unfounded conclusions. It's best to view reports such as these, where the true number and type of vulnerabilities is an unknown, as the best-case scenario. There are certainly inaccuracies, such as with CSRF, but at the very least this gives us something to go on. Future reports will certainly become more complete and representative of the whole as additional sources of vulnerability data come onboard.
Posted: 08 Sep 2008 06:17 PM CDT
Posted: 08 Sep 2008 05:37 PM CDT
Hacking with new people is passe. It's now trendy to hack with old guys. Even though Sarah Palin is not a hacker, some stories and buzz around previous-life hackers have been recently uncovered. After reading the TechCrunch story of MySpace co-founder and real life 1980s WarGames hacker, Tom Anderson, I searched for known "old" hackers that changed their course of life. During the research I found a
Posted: 08 Sep 2008 05:31 PM CDT
Over the weekend the code for the CitectSCADA exploit was incorporated into the Metasploit project. I find this of zero surprise. This has been out for some time. There is no surprise that this came to pass. OK, maybe surprise from various control operators. Short story, every script kiddie now has a chance to play SCADA hacker. Maybe they’ll even put on a crappy presentation at Defcon. Nope, scratch that. Been done.
OK, show of hands. Who didn’t see this one coming? C’mon now. Be honest. OK, for everyone who put their hands up. Please see “Knuckles” out by the loading dock to collect your prize. What’s that? Oh, right. Knuckles wants to make sure you understand that it’s nothing personal.
From The Register:
This is really not rocket science. SCADA systems by and large are rife with problems. The culture of silence in the SCADA community would make La Cosa Nostra proud. That being said, I know of a few folks that have zero day exploits and have tried, at least in one instance, to contact the vendor. CitectSCADA basically slammed the door on one researcher. Great bridge building exercise with a researcher who is trying to help you.
But, I digress. My point is simple. The security community has tried time and again to help. Only to routinely be looked down on by certain halfwits on the SCADA mailing list. Sadly, I think this may be the only way to ever get things accomplished.
Posted: 08 Sep 2008 05:11 PM CDT
Today, via an official press release, the United States Federal Bureau of Investigation Director Robert S. Mueller, III has announced the appointment of Shaun Henry as the Assistant Director of the Bureau’s Cyber Division.
Posted: 08 Sep 2008 04:58 PM CDT
The Washington Post’s SecurityFix blogger Brian Krebs posts news of his efforts to analyze (evidently successful) the depth and breadth of EstDomains Inc. [the alleged rogue registrar, and ATRIVO's reportedly largest customer, see here] domain registration landscape.
Posted: 08 Sep 2008 02:18 PM CDT
Many of you may have received this in your email inbox - Audiocodes and Interactive Intelligence are jointly sponsoring a TMCnet webinar on Thursday, September 11, 2008, at 12 noon US Eastern time called “Do You Know Who is Listening? – The Truth of Enterprise SIP Security”. The abstract is here:
Obviously it is a vendor presentation with the associated perspective, but for those wishing to attend, you can register online.
[VOIPSA is a vendor-neutral organization and we do not endorse or recommend solutions from any particular vendors. However, as our interest is in elevating the level of discussion about VoIP security issues in general, we are glad to post notices here about upcoming vendor presentations.]
Posted: 08 Sep 2008 01:32 PM CDT
Google (NasdaqGS: GOOG) has filed patents focused on data center technology. This time, a particularly fascinating scheme - Data Centers Floating in Sea Water, thereby taking advantage of cold sea water for cooling, as well as energy production via wave motion. [via Engadget]
Posted: 08 Sep 2008 11:43 AM CDT
Posted: 08 Sep 2008 09:22 AM CDT
Emails with the subject “Statement of fees 2008/09″ contain an attached .zip archive with a file Fees_2008-2009.cod.exe. Subject and file names may vary. MX Lab have seen increased activity regarding the distribution of this malware over the last few days.
Contents of the email:
The malware can be described as a debugger that is injected into the execution sequence of a target application. This ‘debugger’ can then be run every time an application is started on an infected computer.
The malware creates a file wuauclt.exe, edits a few registry entries and can make a connection with a host http://********.ru/load4/ld.php?v=1&rs=13441600&n=1&uid=1.
Virus Total permalink and MD5: 36c6d7dbe4595f60ea1bda77ce879625.
When investigating this URL I found a web site that showed me three more links towards a file named kashir.exe.
No automated download or anything else was executed, but this host is supposed to serve the malware to the computer. The kashir.exe file is known as Adware.Agent.ZO, which lowers some IE security settings and downloads RogueAntiSpyware without the user’s permission. This program creates the files braviax.exe, delself.bat, beep.sys and figaro.sys in the Windows %System% directory, and a system request is initiated to shut down and then restart the computer.
Virus Total permalink and MD5: 069b3a2a8b203f6fbbf0147517ab6f80.
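As an added defender-side illustration (not part of the MX Lab post above), here is a small mail-gateway style check that flags messages matching the campaign described: the "Statement of fees" lure subject, a .zip attachment whose member carries a disguised double extension such as .cod.exe, and a hash match against the two MD5s quoted in the post. The email records and the member hashes are constructed sample data; the assumption is that an upstream scanner has already unpacked the archive and computed each member's MD5, so the function only sees metadata.

```python
import re

# The two MD5s are the ones printed in the MX Lab write-up; everything else
# in this block is constructed for illustration.
KNOWN_BAD_MD5 = {
    "36c6d7dbe4595f60ea1bda77ce879625": "Fees_2008-2009.cod.exe (dropper)",
    "069b3a2a8b203f6fbbf0147517ab6f80": "kashir.exe (Adware.Agent.ZO)",
}

# Extensions Windows will execute directly when the file is double-clicked.
EXEC_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd"}

# The post notes that subject and file names may vary, so match loosely on
# the lure wording rather than the exact string.
SUBJECT_PATTERN = re.compile(r"statement\s+of\s+fees", re.IGNORECASE)


def is_disguised_executable(name: str) -> bool:
    """True when a file name ends in an executable extension *and* carries a
    second extension in front of it (e.g. Fees_2008-2009.cod.exe, report.pdf.scr).
    A plain report.exe is not flagged by this rule; the hash check covers it."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in EXEC_EXTENSIONS


def classify_email(msg: dict) -> list:
    """Return the list of reasons this message looks like the campaign.
    msg = {"subject": str, "attachments": [{"name": str,
             "members": [{"name": str, "md5": str}, ...]}, ...]}
    An empty list means nothing matched."""
    reasons = []
    if SUBJECT_PATTERN.search(msg["subject"]):
        reasons.append("subject matches campaign lure")
    for att in msg["attachments"]:
        if not att["name"].lower().endswith(".zip"):
            continue
        for member in att["members"]:
            if is_disguised_executable(member["name"]):
                reasons.append(f"zip contains disguised executable {member['name']}")
            if member["md5"] in KNOWN_BAD_MD5:
                reasons.append(f"known hash {member['md5']}: {KNOWN_BAD_MD5[member['md5']]}")
    return reasons


# Constructed sample traffic: one message mirroring the campaign, one benign,
# one using a different lure but the same double-extension trick.
SAMPLE_EMAILS = [
    {"subject": "Statement of fees 2008/09",
     "attachments": [{"name": "fees.zip",
                      "members": [{"name": "Fees_2008-2009.cod.exe",
                                   "md5": "36c6d7dbe4595f60ea1bda77ce879625"}]}]},
    {"subject": "Lunch on Friday?",
     "attachments": [{"name": "menu.pdf", "members": []}]},
    {"subject": "Invoice attached",
     "attachments": [{"name": "invoice.zip",
                      "members": [{"name": "invoice.pdf.scr",
                                   "md5": "d41d8cd98f00b204e9800998ecf8427e"}]}]},
]


def scan(emails: list) -> dict:
    """Map each subject to its list of hit reasons; useful for a quarantine decision."""
    return {e["subject"]: classify_email(e) for e in emails}


if __name__ == "__main__":
    for subject, hits in scan(SAMPLE_EMAILS).items():
        print(f"{subject!r}: {'QUARANTINE ' + '; '.join(hits) if hits else 'clean'}")
```

The double-extension rule is deliberately independent of the hash list: the post says names vary, so a hash-only check would miss the next repack, while the extension rule catches the delivery trick itself. The reverse also holds, which is why a plain `report.exe` with a known hash is still caught.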
Posted: 08 Sep 2008 09:02 AM CDT
I recently spoke to Tim Wilson over at Dark Reading about the DNS debacle and what, if anything, companies like StillSecure can do about it to help. Though we can certainly find DNS servers not patched, the fact is, short of changing how DNS works, there is no bullet proof way to plug this hole. In any event, there are people much smarter than I working on this problem. Let's hope sooner rather than later we can finally lay this one to rest.
You can read more about this in Tim's article here.
Posted: 08 Sep 2008 08:42 AM CDT
Photo: "mediocrity" courtesy of Despair, Inc.
Posted: 08 Sep 2008 08:19 AM CDT
Posted: 08 Sep 2008 07:32 AM CDT
It’s Monday morning. Sipping coffee and perusing the news. Will today be a good day? Hope springs.
Click here to subscribe to Liquidmatrix Security Digest!.
And now, the news…
Posted: 08 Sep 2008 07:14 AM CDT
Social media as an attack vector is not a stretch. A group of researchers from Greece have created a tool that can be used to attack users.
This type of thing has been discussed for a while in the media and with talks such as Shawn Moyer and Nathan Hamiel’s “Satan is on my friends list” at Black Hat last month.
Not entirely new on the face of it but, interesting nonetheless.
Posted: 08 Sep 2008 06:58 AM CDT
For our London readers, Major Malfunction will be providing a wrap up of his trip to Defcon 16 along with others this Thursday, September 11.
From Full Disclosure:
The meeting starts at 1900 and the talks will begin shortly after that.
Check it out if you’re in the area.
Posted: 08 Sep 2008 12:09 AM CDT
So Maltego 2 has been released and all I have to show for it are these images stolen from paterva.com
and a bit of an explanation also stolen from their site:
But you aren’t here for what you can find on their site. You are here to find out why Maltego is fun, useful, and something you might want to recommend your boss/secretary/parents to buy.
Maltego is hard to define because of its open nature. It is designed to be whatever the information gatherer wants it to be. But before we go into Maltego’s super powers, let's define the differences between its two versions, Full and Community editions.
Full is just as it implies. Unfettered. You can make it fly. But it’s 400 bucks a year per client. (Or your organization can talk straight to Paterva about their server/client platform)
However, if you do have one full version client, you can open saved investigations (mtg files) with it and manipulate it all you want.
So that is just one of my tricks, and now that we have a baseline down (kinda like getting done with all of your base classes in college), in the following segments of this post I will be showing off some of the electrolyte driven goodness of Maltego and some of the hacks/tricks that will make you wonder just what you can’t do with Maltego.
Posted: 07 Sep 2008 07:31 PM CDT
Posted: 07 Sep 2008 07:10 PM CDT
So, instead of doing this the right way, which is submitting a bug report to google, I am going to do this the blogger way:
Actually that's a lie, here is what I reported to Google after I wrote the above statement:
This problem only happens in a specific sequence of events, but can be easily reproduced.
This can easily be fixed by reverting via revision history to the “newer” version, but also can easily go unnoticed. A suggestion for a fix would be a nice popup on User 1’s screen saying that there is a newer version of that document available.
If you have a fix, please leave a comment. I would really hate to find out that this is a simple preferences setting.
Posted: 07 Sep 2008 04:38 PM CDT
Welcome to the 6th installment of “Asking The Cisco Systems IPICS Expert” — security questions derived from publicly available information and Cisco IPICS documentation. Still no official response from the email@example.com email, though my email from another account of mine has not bounced yet. All of my previous email bounced within a couple of days.
In my previous post, “Asking The Cisco Systems IPICS Expert: Questions 21-25″ recall that question 21 focused on the Danville, VA RFP for "IPICS Maintenance and Operability." I was a bit surprised to see that the RFP had been removed from Danville’s website later in the week. Perhaps my insights into the security issues I noted in the RFP garnered some attention? Google cache you say? Nope. Gone from there too. Spooky. Whatever the case, I sincerely hope that Danville’s RFP process for their IPICS doesn’t go into “security by obscurity” mode. In fact, assuming that they are revising the RFP, I’m happy to offer a review of the new document on my “own time, own dime” if they are interested.
Other interesting things are also going on with several of the links in the “Asking The Cisco Systems IPICS Expert” blog posts. There seems to be some scrubbing of information going on with some of the content I’ve linked to, such as the Boulder County, CO IPICS video; not to worry, I’ve found another copy that you can view on Youtube here.
Also gone missing is a TelephonyOnline article on the new IPICS managed service offering from Verizon that was replaced with this article on 5 August. What was really interesting is that the article published by TelephonyOnline on 4 August quoted Verizon’s Charles “Chuck” Vick, manager of emergency communications, saying something along the lines of “can’t be breached” — oh well, no love on the Google cache there either. Extra-Spooky. Well, maybe a copy of it will turn-up someday.
Question 26: Recently, RedHat issued a critical security advisory relating to tampered SSH packages from a compromise of RedHat’s servers. As the IPICS is based on RedHat (Cisco Linux) and uses SSH as a server, does this advisory apply?
Question 27: Concerning the usage of opensource software in the IPICS, can you definitively state that all of the associated opensource license agreements (BSD, GPL, etc.) are indeed being followed and honored, including the public release of source code?
Question 28: As mentioned in question 22, the IPICS platform is available in two hardware profiles, the IBM MCS (MCS-7845-H1-S31) rack-mounted and the Panasonic Toughbook CF-30 mobile version (IPCM1-P30). Concerning the IPCM1-P30, VMware is used to run the IPICS software. As Cisco and VMware have an established alliance, are any of the VMware hardening guides either already applied or able to be applied to the IPICS IPCM1-P30 models?
Question 29: Cisco postings for IPICS developer positions have no mention of security expertise or knowledge of secure coding practices required. For the Physical Security Business Unit (PSBU) not to specify these skills in coding a system as important as the IPICS is…interesting. Is there any engineer security training, vetting, requirements, etc. prior to production-level coding that you can make a statement to about these positions?
Question 30: As IPICS deployments are completed, leadership in various organizations will need to provide updates, presentations, milestones, etc. to document and inform others of their interoperability status, accomplishments and future goals. However, in doing so these organizations can place their IPICS and interoperability at risk from attackers by disclosing what some might call sensitive information in certain contexts. For a brief example, in a Danville, VA slide presentation entitled “Piedmont Regional Voice over IP Pilot Project” slide number 11 shows a screenshot of the Danville, VA IPICS console from which an attacker could theoretically glean information to be used maliciously. Specifically (but not completely), this information includes the IP address of the IPICS console, usernames, IPICS software version in use, programmed VTGs (virtual talk groups), anti-virus software used on the PC to access the IPICS, email client on the PC used to access the IPICS, etc. Other slides detail on a high level network topography and geographical coverage.
While providing support and training to IPICS users to prevent these kinds of sensitive information disclosure is arguably outside of the Cisco IPICS Expert’s purview, I strongly suggest that it is worth considering given the importance of interoperability deployments — that is, it is in all of our interests to provide public safety personnel the information and support to minimize their risk exposure and empower them to exercise their training and expertise to accomplish what they are best at doing.
To this end, I suggest that the Cisco IPICS Expert reach out and support organizations that can provide insight and security training to avoid these types of issues, as well as a host of others. One that comes to mind is the Center for Infrastructure Assurance and Security based at the University of Texas at San Antonio — tangible and direct support from Cisco to CIAS in the form of TAC accounts, full CCO access and IPICS and interoperability systems could enable CIAS to proactively engage, educate, inform and support public safety officials’ IPICS deployments in a vendor-agnostic manner above and beyond the profit/marketshare/image-motivated goals of Cisco.
Again, I thank you for your time and look forward to your answers to these questions as well as the previous unanswered 25 questions.
Posted: 07 Sep 2008 03:22 PM CDT
Alex Eckelberry over at Sunbelt got an itch to see which virus vendors were just using packer signatures instead of emulating the deflation process and detecting the virus inside. This is a shortcut that can yield false positives, as demonstrated in Alex’s experiment, but is done due to the overhead such an undertaking would introduce, I assume, to the client software.
I bring this up here because I recently conducted a somewhat similar test, although I admittedly know very little about packers. I submitted a couple of No-CD cracks that I got from an unnamed source (GameCopyWorld.com) and tested them with VirusTotal.com to see if they had viruses, and all of them came back positive. I doubted these findings since they were mostly labeled “Trojan.Downloader” and similar generic names. I then used Sunbelt’s very own CWSandbox and a few local tools to determine if the trojan downloaders I had were actually that. All tests came back stating no network connections, packed by UPX, and made minimal DLL calls, which were all used to display Windows GUIs.
Alex’s article and my recent research renewed my want to learn more about packers. Where to start? Wikipedia. Nope! Wikipedia’s article on runtime packers hasn’t been written yet. I haven’t stopped searching for a good resource on the topic, but if anyone knows one, please leave a comment and a link.
Posted: 07 Sep 2008 12:51 PM CDT
Posted: 07 Sep 2008 12:19 PM CDT