Posted: 11 Sep 2008 07:04 AM CDT
This is there trophee page for the moment but it is not at all clear why they hack also .be domains when Belgium has declared that they will recognize Kosovo. Maybe the political actions aren't that well understood or their software isn't that well managed but if you launch a political hack campaign you should at least to your political research. click on the image to enlarge
but another thing is that a whole series of hosting firms have been hacked by them, aside the typical stupid Joomla sitting ducks that continue to be shot down at a decreasing but still important rate. Of the hoster firms we give just one example, the rest you can find in their list.
Posted: 11 Sep 2008 06:48 AM CDT
Posted: 11 Sep 2008 06:35 AM CDT
Resolution on Software Interoperability and Open Standards
Consumer organizations clearly see interoperability as an important means to achieve consumer welfare in the sector of Information and Communication Technologies. Consumer interest relies heavily on the ability to exchange data from one software to another, and from one person to another, but also on the ability to understand that information so that it can be used. Standardisation and Open Standards can be useful tools to achieve interoperability.
Posted: 11 Sep 2008 06:00 AM CDT
Nearly three years ago, Ken Belva wrote a paper intended to be a “starting point for further, positive discussion” regarding the topic of data breaches and reputational risk. The title of the paper also presented Ken’s major theme: “How It’s Difficult to Ruin a Good Name: An Analysis of Reputational Risk.”
The paper analyzed trends associated with stock prices of several prominent retail and financial services corporations that had experienced well publicized data breaches. Ken concluded that, for these organizations, the announcement of a breach was usually followed by a brief dip in the closing price of a company’s stock, quickly followed by a sustained rise. Ken interpreted this counterintuitive finding as evidence that a data breach does not necessarily pose a reputational risk to an organization, as long as (1) there is no sustained pattern of similar breaches experienced by the company and (2) the organization’s primary business does not involve providing a service where information security is an integral element. Polo Ralph Lauren and Citigroup-two of the companies discussed in Ken’s study-are not selling security as a major service; ChoicePoint, however, offers security controls as an essential feature of its product.
Ken’s thesis was validated when, in January 2007, TJX (the parent company for Marshall’s, TJ Maxx, and other retail establishments) announced the unauthorized disclosure of credit card data concerning millions of customers. The breach was announced on January 17. That day, TJX closed at $29.63, down .22 from the previous day. On the next day, the stock fell an additional .13. However, two days following the breach announcement, TJX shares closed at $30.03, a .40 rise since the announcement.
This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!
Posted: 11 Sep 2008 05:46 AM CDT
There are have been indications that the number of pc's that have become zombies of a botnet has risen enormously the last month. Probably they are activating the infections that were carried out by the Storm Worms and the SQL injections that were carried out the last months. As both of these campaigns were rathter successful because the viruses (ex. CNN campaign) were only detected by most of the Antivirus products hours or days after their launch and because the SQL injections in the sites were only removed very slowly it doesn't come as a surprise.
But those zombies are only very dangerous if they are actually controlled by a Control center that send them instructions. The owner of the PC won't see a thing because those zombies are used in such a way that the user don't see a thing so he doesn't start cleaning and protecting his machine.
Belgium is one of the countries that has the most problem with closing down and cleaning up those botnet control centers. THe numbers reinforce the demand for an active CERT that can take this problem and organize the response to it.
numbers are from Shadowserver and are just a small part of the problem, the numbers are only based on what their honeypots see
Posted: 11 Sep 2008 05:33 AM CDT
There will be vulnerable CITECScada critical infrastructure in Belgium because there are several firms that have installed and deployed it. We can only hope that they have patched and investigated their systems and are having a close watch on their logfiles to be sure that all attacks are stopped. The problem maybe that those metasploit attacktools are finding other vulnerabilities on other parts of the infrastrucutre that can have the same effect.
There are also some small and medium enterprises that are using this software and here the problem could be that they don't have the necessary knowledge and monitoring contracts to be sure that they are patched.
It is not up to me here to write the names of the firms that use that software but it is about time that maybe the firms that installed that software in those firms call those firms to be sure that they are patched even if they don't have a contract (yet) so that there is nothing bad going to happen to their clients.
Posted: 11 Sep 2008 05:23 AM CDT
When we talk about SCADA it isn't about a car but about the IT infrastructure in our electrical, gas and other utilities infrastructure that monitors and organizes those installations. Most of that software and hardware has been developed years ago and has always more or less had the feelings that they weren't connected to the internet and couldn't be attacked an sich. Many of those installations that weren't meant to be connected to the internet have now internet connection points to make life easy for the IT guys without imaging everything that is possible and their consequences.
It is a small risk they took but just as the financial credit guys, they couldn't imagine the consequence if something went wrong as Murphy is never on holiday and always finds you when you aren't ready for him.
THere was a vulnerability for a certain SCADA software that was published. This isn't so bad, but when people develop exploits based on that vulnerability that can be inserted in automated scanning and attack tools, this changes the whole spectrum of attacks you can see arriving at your networks. Such an exploit plugin has been developed for METASPLOIT and the ports of the software to be attacked have seen a very important rise in use and intensity. THis means that people are in fact looking for vulnerable Crtiical Infrastructure that can be hacked this way. So don't be surprised if in the coming weeks you will read articles about hackers or others having penetrated such critical infrastructure.
You should follow the Internet Storm Center on more news about this issue http://isc.sans.org/diary.html?storyid=4997
Posted: 11 Sep 2008 03:05 AM CDT
MX Lab offers Unified Communications Protection based on FaceTime’s Unified Security Gateway (USG) appliance that allows enterprises to communicate and collaborate in a save environment without sacrificing security and control.
Combined with the in house developed and managed MX Lab Zero Hour Anti Virus & Anti Spam services offers an complete solution for your business communication wether it’s email, web, IM, Skype.
Read the press release MX Lab offers Unified Communications Protection at the MX Lab web site
Posted: 11 Sep 2008 02:11 AM CDT
Sitting here writing this on the plane to Sacramento. I have a presentation that I am giving tomorrow that was mailed to me this afternoon. It is on my iPhone and I would like to work on it on my computer on the plane. If I had a windows mobile phone (like I used to) that would be no problem. When I did an active sync, my mail would sync as well. Also, I could access all of the files on my windows mobile phone and convert and move them over to my laptop. However, not that I have a fancy iPhone, no can do. I could be working on the 4 hour trip on my presentation for tomorrow. BUT NO! I am blogging my frustrations, while that file I need is trapped on my iPhone with Apple's magic holding the key. I am sure there is some application I could buy or download that would allow me to unlock this file and move it over, but I can't get it while in the air. So instead I will just keep blogging.
I expected more around integration with Exchange and Outlook from Apple. They need to do a better job before Microsoft starts running commercials where Bill Gates is a windows mobile phone and Jerry Seinfeld is an iPhone. Than Bill can really have something to shake about.
Posted: 11 Sep 2008 02:09 AM CDT
Coming home on the plane last night I had a chance to catch the "Sex and the City" movie. I admit that I watched the HBO series with my wife and was sorry it ended. When the movie came out, my wife went with her friends on the first night it opened and I stayed home. No biggie, I figured it was a chick flick anyway. So when I saw it as an option on the flight home, I thought it would be a great time to see it for myself. Within just a few minutes I felt like I was back among old friends. Carrie, Charlotte, Miranda and Sam - I have watched these girls grow up in NYC. Of course Mr. Big, Steve, Smith and Harry were there. Aiden and Petrovsky weren't there, but hey I liked those guys too. Tell the truth, which of you have ever watched this show and not found fragments of your personality in these characters. Be really honest with yourself, which of the characters have you thought you are most like? I thought so. I am not alone. Like most of you I have seen myself in multiple characters on the show. Elements of my relationship have been dead on to those on the show.
Now, I have never held myself out as an expert on women and relationships. As a matter of fact, I have always been a bit slow, truth be told. Having several friends recently going through breakups of both marriages and long standing relationships, as well as dealing with getting older and not being a 20-something or even a 30 something anymore, this movie really struck home. Watching this movie I was moved to tears and laughter at the same time. It was not over the fashions either.
No, the characters are not real and there is no exact clone of you or me. But collectively there is so much truth and lessons to be learned in this movie and with these characters. The writers and creators have done an excellent job of staying true to the original show and making a movie that even a somewhat oversensitive guy could truly appreciate! If you get a chance rent the DVD when it is out.
Now if I can only get my email off that damn iPhone I can get some work done on this plane ride instead of writing about this stuff!
Posted: 11 Sep 2008 01:40 AM CDT
Posted: 11 Sep 2008 12:39 AM CDT
I did mention this earlier in the week when I was talking about Twitter being used as a malware distribution platform, there also seems to be an auto follow vulnerability that spammers would love. Do you remember Myspace and samy with 900,000 friends? Now we have johng77536 on Twitter! Last week, TechCrunch's Jason Kincaid wrote about an [...]
Read the full post at darknet.org.uk
Posted: 11 Sep 2008 12:06 AM CDT
Om Malik certainly deserves credit for talking about the vision of cloud computing two years ago, as well as understanding the potential opportunity posed by new relationships between the browser and the service provider in his recent piece in BusinessWeek: In the meantime, always-on broadband connections at home, work, and on the move have become commonplace. [...]
Posted: 10 Sep 2008 10:40 PM CDT
I’m actually a little disappointed I’m using that word because its the new “hip” word and I usually try to stay away from what all the cool kids are doing.
Yesterday, four of us walked out of our network operations center just before lunch. Right outside our door sits a male programmer. As myself and two others walked out to go to lunch I noticed a woman wearing a pink shirt sitting at this guy’s desk in his chair. Not only was she sitting in his chair she was leaned over plugging something into his computer. Myself and another guy walked one way to the restroom while the third walked the other way. Shortly after the three of us walked by this unknown woman a fourth member of our department walked out the same door by this desk and noticed the woman sitting there as well. NOT A SINGLE ONE OF US SAID A THING TO HER! As I got to the restroom I realized what I had done and started kicking myself. On my way back I was going to ask who she was but she was gone. Luckily she was only plugging in an iPod to charge but the psychological damage was done. Four “security-minded” people walked by a desk with an unknown person at it and not a single word was said. Only two of us even noticed she was sitting at a desk a guy usually sits at. Talk about feeling like an ass clown.
What was the popular catch phrase after 9/11/2001? Be in a constant state of awareness.
Posted: 10 Sep 2008 07:03 PM CDT
Here is an overview of some of the information published about Google's own browser:
It started with denial of service bugs, carpet bombing (the ability to drop files on the user's desktop), EULA discussions etc......
Although some of these issues have already been fixed. There are some things that I don't like at all.
(Photo under creative commons from aacool's photostream)
Posted: 10 Sep 2008 06:23 PM CDT
We've decided to do an early release of a few of the news-making presentations from DEFCON 16 in video format! The following links are in two formats, the h.264 version is an iPod compatible version of the presenter's slides with audio of the speech, and the full .mov is quicktime with dual video of the speaker and the slides. Enjoy, and keep your eye out for all the videos and audio from DEFCON 16 to be released in the next couple months!Brenno De Winter - Ticket to Trouble
Dan Kaminsky - DNS Goodness
Anton Kapela and Alex Pilosov - Stealing the Internet
Mike Perry - 365 Day: Active HTTPS Cookie Hijacking
Posted: 10 Sep 2008 04:12 PM CDT
It would be impossible to write about low hanging fruits without mentioning network shares. I say it because they are usually my favorite path to elevate privileges when I’m performing a penetration test. Among stuff that I’ve already found on unprotected (I mean, Everyone - Full Control) shares are:
- Source code for critical applications
- Configuration files of applications containing database credentials (VERY COMMON)
- Configuration files of applications containing Administrator level credentials for servers (service passwords!)
- Debug logs containing a lot of sensitive information and even user credentials (SMS logs!)
- Network and systems documentation (Lot’s of Visio diagrams)
- Personal private information (Human Resources stuff)
Network shares appear and grow on the network like tribbles. The problem starts with weak policies regulating the subject, but it grows when the infrastructure needed as an alternative for non-authorized shares is not available. If you compare companies that have a good file server infrastructure with those that are trying to save some bucks by saving file server megabytes you will notice that the last has a higher occurance of non-authorized file shares. Non-authorized network shares fall in that “Shadow IT” category and are an easy bet for unprotected sensitive information. I can tell from experience that just by browsing network shares you can own an entire network. No need for leet exploits.
If you are just starting as a security manager, include it as one of your first steps: map and control your network shares. You need to know where they are, what is inside and who can access them.
Posted: 10 Sep 2008 03:39 PM CDT
I was reading a comment from Shimel mentioning that NAC technology is becoming more mature every day, as we can see more 3rd party products integration. He mentions the integration of a IPS system, what promptly made me wonder about another kind of security product: DLP.
Have anybody tried to integrate DLP and/or e-Discovery products with NAC? Can you imagine the possibilities? You can build a policy where workstations with protected/sensitive information stored have their connectivity restricted to reduce the chances of data loss. Your computer is free from protected information, you can browse the Internet with more freedom than that guy with sensitive files in his hard disk. I wonder if anyone from Symantec is trying to do that with Vontu and their Endpoint Protection suite.
Posted: 10 Sep 2008 02:59 PM CDT
As there has been a furor of emails on various lists regarding the recent Citect vulnerability Metasploit modules I thought a little discussion of the risk of Non-Disclosure might prove valuable.
Disclosure and the development of such a modules do increase exposure. An unpatched, unmitigated, and exposed system now becomes ripe for exploitation by script kiddies, which does increase exposure and risk. But what is the risk of an undisclosed vulnerability?
Does a vulnerability that has not been disclosed not exist? Does the risk suddenly spring into existence because it is published/dissemenated? Of course not. It was there and hidden, and possibly known by someone.
My experience in performing and exposure to the results of software and protocol reviews employed by SCADA and Digital Control systems leads me firmly to the conclusion that these systems are rife with vulnerabilities of the most basic type, namely simple buffer overflows. In my opinion there exist one or more such simple exploits in every product used in our industry, though much has been done to reduce this in the newest and soon to be released products.
The IT side of software development went through these type of growing pains 10 years ago as the knowledge of finding these type of bugs disseminated across the globe. The publication of these flaws does increase exposure and in turn risk, but the disclosure also drives mitigation.
When first contacted about said stack overflow flaw (according to the publicly available timelines) the vendor basically responded with “Meh, we are not going to do anything about it.” It was only as their awareness of the ramifications of the flaw grew, that they took action to mitigate. And they were very slow in doing so. Yes the publication of such a vulnerability does possibly create PR and financial backlash for the vendor, but it does not create the flaw, it already existed and therefore is inherent risk.
To get a better picture of what I am speaking of consider the following video entitled “Did You Know” that I first saw at the DOE CST conference of 2007 (Provided in wmv and mov format). Pay particular attention to the segments that touch on the populations and potential of China and India. China proved in this round of olympics that when you have a population of over 1 billion people, statistically speaking, you have a lot of exceptional people, in any field to choose from (this includes people who make good hackers). The video notes that the 25% of people in China with the highest IQs exceeds the number of total population in North America eg the United States, Canada and Mexico combined and in the vernacular of school teachers, that the number of “honor” type students in China’s educational system exceeds the total number of children in North America.
To think that only one researcher or research group has found a specific 0 day exploit for a control system is to ignore the odds. To think that there are not groups in other nation states sitting upon 0 days is, in the phrasing I have oft used “shear insanity.” The vulnerabilities are remedial at best and very simple to find. The majority of such simple bugs were weeded out of the IT side of things years ago but are still prevelant in the majority of the products that we use to control “Critical Infrastructure.” And as it is critical the risk is that much higher. The recent leak of the firmware vulnerability is a case in point. Everyone with exposure to these systems knew that this was a risk, and no one was surprised by the contents of the briefing.
It seems to me and I think history supports the assertion, that vendors will only move to mitigate when facing immanent disclosure. Hence disclosure drives mitigation. Disclosure does not increase risk as much as non-disclosure, because at least through disclosure awareness is gained and mitigation becomes available.
This is why in hacking circles the undisclosed 0 day is so coveted. There are no mitigations impeding the use of a 0 day exploit. It is the golden key. Due to the ease of finding the flaws in control system software how many “research groups” with good or bad intentions are sitting upon 0 day exploits against critical infrastructure? And if you think the answer is 0 then you live in a different world……
This posting includes an audio/video/photo media file: Download Now
Posted: 10 Sep 2008 12:23 PM CDT
Congratulations to CERN for achieving first beam on the LHC.
Posted: 10 Sep 2008 12:13 PM CDT
A couple of articles today forced me into an Aha! moment on NAC. I think you can tell when a technology begins to mature when you see announcements about how the products are working with 3rd party products. On the other hand I think it also shows what the strengths and weakness of individual vendors are as well.
Two cases in point
1. Bradford announces that it plays well with Top Layer - This press release details how Top Layer IPS can alert Bradford's NAC product to devices on the edge sending out bad traffic. At that point presumably Bradford would be able to quarantine the offending device. According to the spin this results in "core to edge" protection
Well this is certainly not new. Bradford has advertised working with 3rd party IPS's for sometime. Bradford is not alone in this either. There are several NAC vendors including StillSecure that can do this. But is integrating with existing IDS/IPS a post-connect NAC solution? I don't think so. I don't think it is truly a holistic approach. All you are doing is sending out a syslog alert and based upon that quarantining a device. No context, no depth, you are piling on separate solution on top of another separate solution. While as I have said this integration is not new, we have been working for a long time to take our own IDS/IPS technology and use that as a the basis of a true post-connect NAC sensor. Integrating the products into a common UI, with common policies, rule sets and management is where the value is.
A vendor who only has a NAC product that can do pre-connect health checks (which are valuable in and of themselves) but can than only "integrate" by passing data back and forth is going to have a tough time in the maturing NAC space.
2. InfoExpress teams with Alcatel-Lucent - In this story, InfoExpress talk about how they teamed up to deliver to Iona College a secure wireless solution. Good for InfoExpress, they are often left out of the NAC market discussion, though they have been selling NAC as long as anyone. What I found surprising is what does this say about Alcatel-Lucent's OEM of ConSentry gear for NAC. Does this mean Alcatel-Lucent is no longer selling the Consentry NAC solution? What is going on with ConSentry anyway?
One thing for sure is that NAC makes for strange bedfellows.
Posted: 10 Sep 2008 09:30 AM CDT
Posted by Mike Dausin
Alright, it's time for an installment ThreatLinQ: Movers and Shakers. Most every week we will use this space to point out any interesting and or sudden events we may see in the ThreatLinQ data. This week there are a couple of PHP File Include filters which popped up on the movers and shakers page which are worth talking about:
First, Filter 4270 saw a sudden increase in traffic on 9/08/2009. This was due entirely to a single attacker from New Jersey targeting various PHP file include vulnerabilities. It looks as if this attacker resides at a hosting facility, so it would be a good bet to say this machine has been compromised. Below is a graph of this attacker's activity for the last few days:
A similar story exists for filter 6007. This time however, the IP is located in the Ukraine and appears to be targeting sites in the US and Korea.
That's it for the Movers and Shakers summary for this week. If you have a TMC account and would like more information about the latest trends be sure to visit the ThreatLinQ portal here: https://tmc.tippingpoint.com/TMC/threatlinq/
The two IPs responsible for these attacks are below:
220.127.116.11 - New Jersey U.S.A.
18.104.22.168 - Ukraine
Posted: 10 Sep 2008 08:05 AM CDT
What is it about top ten lists that attracts bloggers like moths to a flame? Are we all frustrated David Letterman wannabes? In any event, I came across this top ten list of security threats to the SMB market. I think that many if not most of these apply to organizations of all sizes actually. I am copying it in here, as I think there is some good stuff here:
- Insiders - In many SMBs, business records and customer information is often entrusted to a single person. Without adequate checks and balances, including network system logs and automated reports, data loss from within can stretch over long periods of time.
- Lack of contingency plans - One of the biggest threats to SMBs relates to the business impact of post-hack, intrusion or virus. Many SMBs lack a data loss response policy or disaster recovery plan, leaving their business slow to recover and restart operations.
- Unchanged factory defaults - Hackers publish and maintain exhaustive lists of default logins (username and password) to nearly every networked device, and can easily take control of network resources if the default factory configuration settings are not changed.
- The unsecured home - in many small businesses, employees often take laptops home to work. In an unsecured home network environment, a business laptop can be dangerously exposed to viruses, attacks and malware applications.
- Reckless use of public networks - A common ruse by attackers is to put up an unsecured wireless access point labeled, 'Free Public WiFi' and simply wait for a connection-starved road warrior to connect. With a packet sniffer enabled, an attacker stealthily sees everything the employee types, and is then able to utilize that data for personal gain.
- Loss of portable devices - much SMB data is compromised every year due to lost laptops, misplaced mobile devices and left behind USB sticks. Although encryption of mobile device data and use of strong passwords would mitigate many of these losses, many SMB users simply fail to secure their mobile devices and data.
- Compromised WebServers - Many SMBs host their own websites without adequate protection, leaving their business networks exposed to SQL injections and botnet attacks.
- Reckless web surfing - Now more than ever, malware, spyware, keyloggers and spambots reside in innocuous looking websites. Employees who venture into ostensibly safe sites may be unknowingly exposing their business networks to extreme threats.
- Malicious HTML e-mail - no longer are attackers sending e-mails with malicious attachments. Today, the threat is hidden in HTML e-mail messages that include links to malicious, booby-trapped sites. A wrong click can easily lead to a drive by download.
- Unpatched vulnerabilities open to known exploits - more than 90 percent of automated attacks try to leverage known vulnerabilities. Although patches are issued regularly, a short staffed SMB may likely fail to install the latest application updates and patches to their systems, leaving them vulnerable to an otherwise easily stopped attack.
Posted: 10 Sep 2008 06:00 AM CDT
Corporate governance is in the limelight. No one wanted it, not many embrace it. But it’s here and here to stay, thanks to the horrifying outcomes vis-a-vis criminal activity leading to the failures of Enron, Worldcomm and the likes.
In the newly published anthology, CISO Leadership: Essential Principles for Success [Auerbach Publications, New York, 2008], Robert Coles and Rolf Moulton explore governance as it relates to information security. In chapter 13, entitled “Extending the Enterprise’s Governance Program to Information Risks” the authors provide an eye-opening and somewhat threatening stance: ”In this litigious age, governance failures could result in damaged careers, shareholder lawsuits or corporate collapse.”
However, because the focus is on compliance with Sarbanes Oxley, Basel II and other knee-jerk regulations, it may be worthwhile to put corporate governance into perspective. The authors position is that it can be leveraged to strengthen information security. Further, since governance is amorphous at best, the authors declare their stance as “Our definition of information security governance is the establishment and maintenance of the control environment to manage the risks relating to the confidentiality, integrity and availability of information and its supporting processes and systems.”
This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright_at_bloginfosec.com. Thank you!
Posted: 10 Sep 2008 04:19 AM CDT
Skyrails is a social network (or any graph really) visualization system. It has a built in programming language for processing (as far as visualisation attributes goes) the graph and its attributes. The system is not only aimed at expert users though, because through the scripting languages menus can be built and the system can be used by any users.
The main distinguishing point of the system comes from the built in scripting language, the added flexibility of how to represent attributes (nodes can be binded to planes and spheres based on their attributes) and the scriptability of the user interface system. This makes skyrails ideal for creating presentations targeted at the average users.
skyrails in action:
Posted: 10 Sep 2008 12:57 AM CDT
What Does reDuh Do? reDuh is actually a tool that can be used to create a TCP circuit through validly formed HTTP requests. Essentially this means that if we can upload a JSP/PHP/ASP page on a server, we can connect to hosts behind that server trivially What is it for? a) Bob.Hacker has the ability to upload / create [...]
Read the full post at darknet.org.uk
Posted: 10 Sep 2008 12:03 AM CDT
Even most financial institutions can only manage a password and some personal questions (which incidentally is not really multi-factor it’s multiple single-factor, i.e. several things that you know) to authenticate us for the most sensitive and important transactions. And forget about web sites. Everybody wants you to have a password. Presumably a good - and unique - one for each.
By now most people have heard the about the guidelines for good passwords. For example Wikipedia lists the following common guidelines.
I can see heads start spinning! How in the world can I remember only one 12-14 character password that contains nothing I can remember, and is more or less random? Much less the 50 or so passwords I need for all my web sites and financial stuff? Yeah - that’s a problem. And it’s exacerbated by the fact that as the need for passwords has proliferated, the practicality (i.e. horsepower) of password crackers has improved exponentially. Oh and by the way, to really achieve decent security (i.e. mitigate the threat of exposure) you should really change your passwords at least annually and preferable more often.
Yikes! So how exactly can a person possibly memorize 50 pseudo-random character strings that all change every year? Well, in a nutshell - you can’t. No one can. Well maybe someone with an eidetic memory, but not you or me. There is, however, hope. SecurePuter has a great post on “How to Create and Remember Multiple Secure Passwords” wherein an easy to remember but hard to guess formula is presented that will allow you to calculate what your password is so it removes the randomness and requirement to memorize many different things. It’s a great idea, and be sure to read all of the comments as further refinements are suggested.
Still, if you’re like me and make an actual effort to forget things as soon as possible, this might not be an optimal solution. So how do I manage to remember 50 (or in my case more like 150) dynamic random character strings. It’s easy - I don’t even try. I use a password generator and storage system. There are quite a few good packages out there. The one I use is the open source package Password Safe partly because Bruce Schneier started the project, partly because it runs on all of the platforms I use, partly because it has great encryption but mostly because I’m cheap and it’s free (as in free speech and free beer). I keep my fully encrypted password safe database file on a USB thumb drive so all of my passwords are available on whatever device I’m using - except my iPhone (which is a rant for another time). Basically the way it works is that I make an entry for whatever web site or computer I need a password for and then let it generate one for me. There are all sorts of policy options so you can get insanely long and complex passwords. When I save the new password, it is encrypted using the one and only password I need to remember. That’s it. So not only do I not remember my 150 different passwords, I never knew what they were to begin with. Now there are situations where this kind of password safe mechanism will have an issue, specifically you can run into a race condition with computer logons that require a regularly changing password (e.g. most corporate networks) whereby you must be able to type in the password to log in so that you can get access to the password safe. I get around this by generating a random 12-character password that I can remember for the 90 days that it will be valid. So I guess I really have to remember 2 passwords. But even I can do that. And so can you.
Posted: 09 Sep 2008 06:32 PM CDT
Vorrei segnalare il seguente paper frutto di una ricerca dell'Università di Genova,Universidad de Castilla-La Mancha, SAP e Siemens.
La ricerca mi è stata resa nota dal gentilissimo Luca Compagna al quale ho avuto il piacere di dare una mano nella divulgazione della stessa.
La vulnerabilità riscontrata nel servizio Single Sign On di Google Apps, basato sull'archtiettura OASIS SAML 2.0 ha un impatto notevole al di là del nome coinvolto (Google).
E' un esempio di come un architettura per l'autenticazione basata su uno standard de facto riconosciuto a livello internazionale possa presentare delle vulnerabilità a causa della sua (errata) implementazione.
(Copyright immagine: Clareity Consulting)
Single Sign on di Google basandosi su SAML permette una sola autenticazione per poter accedere a servizi diversi appartenenti a domini amministrativi diversi (quindi non solo all'interno di una singola organizzazione). I concetti base sono quelli di Kerberos,per intenderci, da cui SAML eredita alcune caratteristiche introducendone altre e adattandosi all'ambiente web mediante l'utilizzo di XML.
L'advisory è disponibile qui
Posted: 09 Sep 2008 11:40 AM CDT
We are pleased to announce that there will soon be a new look for the Ascension Risk Management Website. We engaged the services of a graphic artist to come up with a logo. This artist also came up with a very nice, simple and straightforward website design for us. We are going through the final design and content reviews now and hope to have the site up and online within the next two weeks. (Our blog design will stay the same.) In the meantime I thought that I'd share with you the new logo.
|You are subscribed to email updates from Security Bloggers Network |
To stop receiving these emails, you may unsubscribe now.
|Email Delivery powered by FeedBurner|
|Inbox too full? Subscribe to the feed version of Security Bloggers Network in a feed reader.|
|If you prefer to unsubscribe via postal mail, write to: Security Bloggers Network, c/o FeedBurner, 20 W Kinzie, 9th Floor, Chicago IL USA 60610|