Wednesday, September 10, 2008

Spliced feed for Security Bloggers Network

Upcoming changes in SIPVicious [SIPVicious]

Posted: 10 Sep 2008 12:44 AM CDT

The following are two updates for the next version of SIPVicious's PBX extension enumeration tool svwar:
  1. svwar now tries to guess common numbers by default. It scans for the following ranges: 1000,2000... 9000, 1001, 2001..9001, 1111,2222... 9999, 11111,22222...99999, 100-999, 1234,2345 ..7890 and so on. This feature has a tendency to identify extensions on many PBX configurations. If you would like to disable it simply pass the --disabledefaults option to svwar.
  2. svwar now sends ACK responses to SIP responses with code 200 because some PBXes keep sending packets until they receive an acknowledge.
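As an added example (not SIPVicious code), the following Python builds the default guess set from the ranges listed in item 1 so a PBX administrator can check which extensions in a numbering plan a default svwar run would reach without any wordlist; only the ranges spelled out above are used, the "and so on" is not expanded.

```python
"""Audit a PBX numbering plan against the extension ranges that svwar
guesses by default. Constructed from the ranges listed in the release
note; this is an added example, not code from the SIPVicious project."""


def svwar_default_guesses():
    """Return the set of extension strings tried by default, built from
    the ranges named in the announcement:
      1000,2000..9000   1001,2001..9001   1111,2222..9999
      11111..99999      100-999           1234,2345..7890
    The last range is read as ascending four-digit runs whose digits
    wrap from 9 back to 0 (so 6789 is followed by 7890)."""
    guesses = set()
    for d in range(1, 10):
        guesses.add(f"{d}000")      # 1000, 2000, ..., 9000
        guesses.add(f"{d}001")      # 1001, 2001, ..., 9001
        guesses.add(str(d) * 4)     # 1111, 2222, ..., 9999
        guesses.add(str(d) * 5)     # 11111, 22222, ..., 99999
    guesses.update(str(n) for n in range(100, 1000))   # 100-999
    for start in range(1, 8):       # 1234, 2345, ..., 6789, 7890
        guesses.add("".join(str((start + i) % 10) for i in range(4)))
    return guesses


def audit_numbering_plan(extensions):
    """Return, sorted, the extensions from a numbering plan that fall
    inside the default guess set, i.e. the ones a scan with no wordlist
    would enumerate. Extensions may be given as ints or strings."""
    guesses = svwar_default_guesses()
    return sorted(ext for ext in (str(e) for e in extensions) if ext in guesses)


if __name__ == "__main__":
    # Constructed sample numbering plan for a small PBX (hypothetical).
    plan = ["200", "201", "1000", "1002", "2222", "55555", "4321"]
    print("reachable by default scan:", audit_numbering_plan(plan))
```

Extensions outside the listed ranges (for example 1002 or 4321 above) are not reported, which does not mean they are safe, only that they would need a wordlist or a custom range to be guessed.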
That's it for now. Please let me know about your experience with the new features. To give the code a try simply run svn update from the sipvicious directory, or get the latest by running the following:
svn checkout sipvicious-read-only

Have fun!

Network Security Podcast, Episode 119 [Network Security Blog]

Posted: 09 Sep 2008 07:50 PM CDT

Rich is back after a week at the Democratic National Convention and a week of vacation with his wife. He’s been out of touch between being in Denver and being off the coast of Alaska. He’d also just arrived home a couple of hours before we started recording, so tonight’s show is short, sweet and to the point. Which is probably for the best, since there were privacy issues up for discussion; I was barely able to keep Captain Privacy at bay.

Network Security Podcast, Episode 119, September 9, 2008
Time: 24:14

Show Notes:



The iPhone - It's just plain EVIL! [Donkey On A Waffle]

Posted: 09 Sep 2008 02:07 PM CDT

Keeping on the theme of iPhones this week, we have a brief video explaining the top 4 reasons that the iPhone is Evil. Very funny... and very, very true! I'm not quite cool/hip enough to actually OWN an iPhone, but I covet those that do, and am just quite lame enough to own an iPod Touch and pretend it's a phone. Yep... I'm that redonkulous!

Welcome to the VeriSign Identity Protection Network, ABA! [Online Identity and Trust]

Posted: 09 Sep 2008 01:13 PM CDT

Today we announced that the American Bankers Association will be joining the VIP Network. We are very excited about this on many levels. Getting VIP credentials into the hands of 350 member banks creates a huge opportunity for VeriSign and makes this much more convenient for their users. ABA Members will have first hand experience with strong authentication on tools they use every day. And as this protection rolls out, ABA member banks will witness how easily they can deploy strong, two-factor authentication, and how convenient it is for their customers. We look forward to working with the ABA. Welcome to the network!

What's going on with the Security Bloggers Network? [StillSecure, After All These Years]

Posted: 09 Sep 2008 12:03 PM CDT

One of the things I am most proud of regarding my blogging is the Security Bloggers Network. What started off as an idea has now grown to over 175 blogs with a Feedburner/Google combined subscriber base of over 70,000! By just about any measure that is a lot of blogs and a lot of readers.

After our very successful Black Hat Bloggers Network affiliations, the SBN is getting ready to roll out some new affiliations which should benefit all of our members. Also, based on a lot of the questions some of us have been seeing, it seems that there is a new class of security bloggers contemplating taking the plunge. You can get all of these great blogs in one spliced feed here.

Voice mail greetings [StillSecure, After All These Years]

Posted: 09 Sep 2008 07:54 AM CDT

Here is a pet gripe of mine. I was talking to a friend of mine today about missed calls on cell phones. How many of you try to reach someone, get their message and just hang up without leaving a message? Why? It's not like the person is not going to know you called. Missed calls are pretty standard on all cell phones and caller ID phones as well. Do you just want the person to know you called, but leave them guessing about what? Do you think by seeing a missed call the person will know what you wanted? Is there some other dynamic at play here?

I think the problem is that too many voice greetings are just too long. There is no way to short circuit the message and get to the beep to leave your message. If I am calling someone and get their voice mail, especially someone I have called before, I don't want to listen to a greeting for a long period of time. I often hang up myself rather than listening to the whole thing. I like messages that say, "if you like, press # to leave a message" or are short and to the point. Too many voice mail systems now penalize you for hitting the # button. They start the message all over again.

Bottom line: either leave a short voice greeting, not a marketing message, or say early on, "if you want to bypass this and just leave a message, press [a number]".

Italian joke on the CERN experiment :) [Security Circus]

Posted: 09 Sep 2008 03:06 AM CDT


SCADA exploit goes wild [Security Circus]

Posted: 09 Sep 2008 03:02 AM CDT

The best tool to clone hard drives, is free! []

Posted: 08 Sep 2008 08:37 PM CDT

While not a security-related post... I thought I would let everyone know about a really good open source hard drive cloning software that I recently discovered when I needed to clone and image multiple Linux systems. It's called Clonezilla and works just like Symantec Ghost but faster and free.

From the Clonezilla web site:

"Clonezilla, based on DRBL, Partition Image, ntfsclone, and udpcast, allows you to do bare metal backup and recovery. Two types of Clonezilla are available, Clonezilla live and Clonezilla server edition. Clonezilla live is suitable for single machine backup and restore. While Clonezilla server edition is for massive deployment, it can clone many (40 plus!) computers simultaneously. Clonezilla saves and restores only used blocks in the harddisk. This increases the clone efficiency. At the NCHC's Classroom C, Clonezilla server edition was used to clone 41 computers simultaneously. It took only about 10 minutes to clone a 5.6 GBytes system image to all 41 computers via multicasting!"

Yeah, it's fast alright! I have been using the Clonezilla Live to image hard drives and it has been working great. You can also run it off of a USB thumb drive if you are so inclined. So, don't fork over $$ to that evil empire called "Symantec"...give Clonezilla a try if you want to clone a drive or multiple drives. :-)

SSAATY Podcast #56 with Michael Montecillo of EMA [The Converging Network]

Posted: 08 Sep 2008 06:20 PM CDT

The latest installment of the SSAATY podcast is up and available. Michael Montecillo, a security practitioner and analyst with Enterprise Management Associates, stops by to join Alan and me on the podcast. After tricking Michael into a setup Brazilian Jiu-Jitsu match with Chris Hoff, we turn our attention to more serious matters: the role of analysts in the network security industry. The discussion covers the influence analysts have on a vendor's fate, how much vendors can influence analysts and their coverage, and just how reliable predictions by analysts are. We have a good bit of fun and I know you'll enjoy the podcast.

The podcast was recorded in the Medioh studios in Boulder, Colorado, by Medioh CEO Scott Converse. Special thanks to Scott for hosting us once again and acting as our podcast sound engineer.

We have a new URL for the podcast, if you'd like to subscribe to the RSS feed or listen to other episodes.

Enjoy the podcast!



Unified Communications Security for Mid-Size Companies [The IT Security Guy]

Posted: 08 Sep 2008 12:48 PM CDT

My article on unified communications for the middle market came out today on SearchCIO-Midmarket.

The article just scratches the surface of the issue but covers a bit of VoIP and some products within reach of smaller companies.

Secunia to Help Vendors Improve Signatures [Jon's Network]

Posted: 08 Sep 2008 11:10 AM CDT

Secunia doesn’t think AV and IDS vendors are writing signatures well enough and plans to remedy the situation by opening up their analyses to a wider customer base with easier “pay-as-you-go” terms.

"We have also realised that far too many of the other AV and IDS / IPS vendors - including the major ones - fail to detect many attacks utilising critical vulnerabilities simply because they too often create payload based signatures rather than vulnerability based signatures."

"Social networking users can easily be tricked into becoming unsuspecting dron..." [Security Circus]

Posted: 08 Sep 2008 09:08 AM CDT

"Social networking users can easily be tricked into becoming unsuspecting drones in zombie networks, according to new research. Security researchers from the Foundation for Research and Technology in Heraklion, Greece, created a seemingly innocuous Facebook application called Photo of the Day. The (harmless) application posed as only offering Facebook users a different photo from National Geographic every day, but it served another purpose for the makers." (Facebook app shows botnet risk) - Woah, Sotiris and the other guys at FORTH just got famous. Well done guys! :-)

Tumbleweed Acquired []

Posted: 08 Sep 2008 12:13 AM CDT

Sopra Group, through its Axway subsidiary, has acquired Tumbleweed Communications for $143 million. The press release is here.

With Tumbleweed's offerings for email security, secure file transport, and certificate validation, there were just not enough tools in that chest to build a compelling story, either for messaging security or secure transaction processing. And it provides just one more example of why Rothman is right on target. Given that Tumbleweed's stock price has been flat for the entirety of this decade, this is probably both a welcome change of scenery from the stockholders' perspective, and a sign of new vision on how best to utilize these technology elements. There are lots of fine email/content security products out there having a very difficult time expanding their revenue and market share. Without some of the other pieces that most of their competitors have, I am frankly impressed that Tumbleweed has made it this far. Dropping this product line into the Axway suite makes sense, as it will add value to most of their solutions, from retail to healthcare, so this looks like a positive outcome.


Tietoturva 101 [Liquid Information]

Posted: 07 Sep 2008 09:00 AM CDT

(Sorry for the Finnish announcement)

I have finally managed to write a security paper that focuses on the basics, aimed at end users of computers and at small businesses. This paper was originally supposed to be finished in December but ended up stretching this far into autumn, due to work pressures and a lack of inspiration.

Now, however, it can be read here, and its name is "Tietoturva 101". Comments can be written on this blog post or alternatively sent by email. It is worth knowing that this is the first paper I have written in Finnish, and it turned out to be surprisingly difficult, since the terms and so on are mostly in English.

New Addition: Security News Links for the week of 8/31 [Nicholson Security]

Posted: 07 Sep 2008 07:00 AM CDT

I read a lot of security news feeds during the week. So I thought it would be a nice addition to post a link list to the posts I found interesting from the previous week. My goal will be to collect a brief list of links and have them posted every Sunday morning. I want it [...]

New Blog: Security For All by Joe Webster [The Converging Network]

Posted: 06 Sep 2008 11:39 PM CDT

A former co-worker and security software developer dude, Joe Webster, started up his own blog, Security For All. Joe joined StillSecure back when I was CTO and I remember he was interested in the whole blogging and podcasting thing back even then. Hey, Joe... I'm surprised it took you so long to start the blog! :)

Seriously, Joe's not only a sharp guy but is also dedicated to improving security. Plus, he's a really nice guy and a great keyboard player/composer. So check out Joe's new Security For All blog. He has a good post up there in response to one of Joel Snyder's videocasts about Network Access Control.

The Process of Writing the Applied Security Visualization Book [Raffy - Security Data Visualization]

Posted: 06 Sep 2008 03:55 PM CDT

A little bit more than two years ago, I approached Jessica Goldstein from Addison Wesley to write a book about security visualization. We sat down during BlackHat 2006 and discussed my idea. It didn't take much to convince her that they should get me on board. I went home after the conference and started putting together a table of contents. Here is the very first TOC that I submitted:

  1. Introduction
  2. Data Sources
  3. Visualization
  4. From Data To Visuals
  5. Visual Security Analysis
  6. Situational Awareness
  7. Perimeter Threat
  8. Compliance
  9. Insider Threat
  10. Data Visualization Tools

If you read the book, you will notice that this is pretty much what I ended up with. More or less. An interesting fact is that at the time of submitting the TOC, I had no idea what to exactly write about in the compliance and insider threat chapters. The even more interesting fact is that a lot of people told me that their favorite chapter is the insider threat chapter.

After submitting the TOC to Jessica, she had me fill out some more marketing questions about the book. Things like target audience, competitive books, etc. After handing that in, it went silent for a bit. Jessica was selling the book internally. And then things started to look not so good. Jessica went on maternity leave. Kristin took over and got the proposal review process lined up. I asked some people in the industry to have a look over my proposal and provide feedback to the publisher. Questions like: "Why is Raffy the right person to write this book?" "Is there a market for this book?" etc. were being asked. I received the six really great reviews (thanks guys!) mid December 2006. On December 19th, I received an email with the contract to write the book. I sent the contract off to a friend of mine who is a lawyer, just because I was a bit worried about intellectual property rights. After a few emails also with Addison, I felt much better. They are not at all interested in any IP. They just want the copyright, which was totally fine with me. Then, finally, on January 17th, I signed and was under contract to write about 300 pages about security visualization.

After a few days, I received an ISBN number for the book and a ton of material about style guides and how to go about writing the book. All very exciting. I decided to not write my book in TeX, unlike my masters thesis. That was definitely a smart decision. It turned out that using Word wasn't that bad. The template from Addison made it really easy to format the text correctly. I actually ended up using VI to write the original text without any formatting. Once it was all done, I copied the raw text into Word and started formatting. The reason for doing this is that I am so much quicker in VI than I am in Word. (And hitting the ESC key in Word is not something you want to be doing too much.)

One of the next steps was to put together a timeline. Well, it was sort of aggressive. The version of the schedule I could find in my archives shows that I was planning on being done mid September 2007. Well, I missed that by only a year ;) I attribute a lot to the fact that I didn't really know how to write (seriously) and to the chapters for which I had to do a lot of research.

I definitely enjoyed the process of writing the book. The folks at Addison Wesley were awesome. They kept motivating me along the way and provided great insights into the writing process. What I am still very impressed with is the PR aspects. Early on, they hooked me up to film a video cast about the book. After publishing the book, I get about an email a week for some press opportunity. Keep them coming ;)

Here is a fun fact: In ~/Data/projects/vis_addision, where I have all the material for the book, I accumulated 1.1GB of data. Pretty crazy.

Are you thinking about writing a book? Do it, but make sure you have time! I spent a LOT of time in the local coffee shop (picture on the left). I always had printouts with me to work on corrections. The picture on the right I took at 6.30am in Taipei. Yes, it's a full-time job! I learned a lot! I made amazing connections. And I had fun! One piece of advice: make sure you have a good publisher!

I haven’t seen the book in my local Barnes and Nobles yet. Well, I checked two weeks ago. But a friend (@jjx) sent me this picture. So, apparently some book stores have it in stock:


89% of Security Incidents in 2007 Unreported [Matt Flynn's Identity Management Blog]

Posted: 06 Sep 2008 03:40 PM CDT

I've been saying for the past few years that most security breaches go unreported, but I had no hard data to back it up.  I just believed it by instinct and some anecdotal evidence.  Now, we have a survey to point to with supporting data that claims 89% of data leakage incidents in 2007 went unreported.  I've also talked a lot about non-malicious insider breaches which is listed as the #2 security challenge by respondents of this survey.  I haven't seen that question asked very often.  Interesting data points.  Data leakage, lost devices, insider threats continue to be a major concern (along with email attachments, malware and phishing).

FIT-IT Gesucht: Sicheres und Sichtbares [Raffy - Security Data Visualization]

Posted: 06 Sep 2008 03:15 PM CDT

Next Tuesday I will be speaking in Graz, Austria at the FIT-IT event. The topic of the event is Trust in IT Systems & Visual Computing. I am giving a keynote in the afternoon about the topic of Security Research 2.0. I will be hitting on one of my favorite topics, the dichotomy between security and visualization. We all need to work hard on combining the worlds of visualization and security. We have all seen what happens if security people write visualization tools. And we have seen what happens when visualization people try to understand networking and security. I can show you some pretty bad papers that get either side completely wrong. Maybe I am just too picky, but if you read some of the papers that I reviewed for RAID and VizSec, you would probably agree with me.

While talking about RAID and VizSec, the conferences are taking place in a week at MIT in Boston. I will be giving a short presentation on DAVIX with Jan Monsch and will also be part of a panel discussion. Looking forward to making my points about visualization there. I am going to stay for RAID and hope to catch up with my former colleagues from IBM Research. Drop me a note if you are attending as well.

Book Review: Secure Your Network for Free (Syngress) [Nicholson Security]

Posted: 06 Sep 2008 12:48 PM CDT

Last week I was visiting the local library with my family and decided to check out the computer books section. I wasn't surprised when I only found about 30 books most of which were out of date. I would like to pretend all the good recent books were out on loan but I wasn't sure. [...]

If the new Alitalia is worth more than 300 million [Security Circus]

Posted: 06 Sep 2008 07:00 AM CDT

TGIF? WTF, Feds take over Fannie Mae and Freddie Mac [StillSecure, After All These Years]

Posted: 05 Sep 2008 10:28 PM CDT

Well, the good news about our economy just keeps right on rolling in. First came word that unemployment rose to a 5 year high today at 6.1% (and for the first time I know security and IT people in that group who are finding it hard to find a job). At the end of the day word came out that the Federal Government will announce a bailout/takeover of the two mortgage giants, Fannie Mae and Freddie Mac. This will result in just about all shareholders of these companies being wiped out and, more importantly, you, me and the rest of US citizens are now guaranteeing and on the hook for all of those trillions of dollars of mortgages out there!

Fred Wilson says that this is the new MO of the fed.  Wait until after the markets close on Fridays to announce the really bad news. Ever the optimist, Fred thinks that this could be the beginning of the end for the bad news and may represent the bottom.  I say, things will get worse before they get better.

Brad Feld wrote today about cycles in the business world. Certainly the pendulum swings and what goes up, must come down.  But Brad says he is 42 and thinks he has seen it all when it comes to cycles.  I am 47 and realize that is not true either.  Yes, there are cycles but each one is different enough.  Yes things will get better some time, but the pain and damage being done is going to take a long, long time to recover from. 

Try owning a house in Florida, Michigan or some parts of California. Politicians talk of change, but I am not sure what fundamentally is going to happen that will change our present predicament. The sheer numbers are just scary.

I, along with many others I am sure, will be looking for signs that we are starting to pull out of this mess. But like in cycles past, by the time it is obvious that we are, the smart money will already be betting on the next cycle.

New Blog by Nir Zuk [Jon's Network]

Posted: 05 Sep 2008 05:36 PM CDT

Security Nirvana Blog

Nir is now blogging.

Xcon 2008 in Beijing! [The Dark Visitor]

Posted: 05 Sep 2008 04:39 PM CDT

My Xcon 2006 pass

Jumper sent me an e-mail about the upcoming Xcon 2008 Conference that will take place in Beijing from 18-19 October:

If you have any questions, comments, please shoot against Casper ;)
Though I am happy to forward it.

On Fri, Sep 5, 2008 at 4:40 PM, Sowhat <smaillist (at) gmail (dot) com [email concealed]> wrote:
> Got couple of emails with comments (language mistakes) and questions,
> Thanks guys!
> Actually XCon is held by XFOCUS guys (Casper and others), they wrote
> it up and I was just helping to post the CFP.
> If you have any questions regarding the schedule, the conferences,
> the hotel, etc.
> Welcome to XCon! Welcome to China!
> Best
> Sowhat
> On Fri, Sep 5, 2008 at 3:45 PM, Sowhat <smaillist (at) gmail (dot) com [email concealed]> wrote:
>> XCon 2008 Call for Paper
>> Nov. 18th - 19th, 2008, Beijing, PRC (
>> XCon is wholeheartedly expecting papers from those who are passionate
>> about information security technique and their participation and sharing of
>> the conference.
>> Attenders
>> Anyone who loves information security, including information security
>> experts and fans, network administrators, network security consultants, CIO,
>> hacker technique fans, etc.

More details on the conference here at Security Focus.

For those of you who are unfamiliar with Xcon, I'll give you a little background. The yearly host of the Xcon conference series is a group going by the name Xfocus. One of their 2007 conference attendees, XYZreg (Zhang Yi), a regular member of their security group, claimed to have broken Kaspersky Anti-Virus Technology. When I went to the conference in 2006, two of the major sponsors were Microsoft and NSfocus. NSfocus was one of the very first hacker sites in China, originally called the Green Army. The organization has a very confusing history.

If anyone is planning on attending the conference, please drop me a line.

CPISM bootcamp and exam a success [PCI Blog - Compliance Demystified]

Posted: 05 Sep 2008 02:50 PM CDT

After long and arduous work on behalf of the SPSP and many others, and after several private classes of the CPISM, the very first public bootcamp and exam proctoring occurred in Salt Lake City, UT last week.  Even a short while after I see people updating their LinkedIn profiles with this designation.

It was so successful that the SPSP immediately booked another class in Dallas in November for not only the CPISM, but also the new CPISA.  People have already been signing up and I expect these classes to sell out as well.  In fact David Bergert, author of Payment Systems Blog, has already blogged about his registration.

Every place I go people are asking how they can become a QSA. The problem is, you cannot hold the designation of QSA unless you work for a QSA company, which requires a formal application and attestation to the PCI SSC. And, if you ever leave the QSA company you work for, you lose any right to call yourself a QSA. This is why the SPSP has created the CPISA/CPISM for those "across the table from" the QSA, so you can hold your own in conversations and discussions regarding the payments industry and compliance.
