Friday, September 12, 2008

Spliced feed for Security Bloggers Network

Spliced feed for Security Bloggers Network

Help fund historic computers at Bletchley Park [Emergent Chaos]

Posted: 12 Sep 2008 07:17 AM CDT

transport for London.jpg

Bletchley Park, the site in the UK where WWII code-breaking was done, has a computing museum. The showpiece of that museum is Colossus, one of world's first computers. (If you pick the right set of adjectives, you can say "first." Those adjectives are apparently, "electronic" and "programmable.") It has been rebuilt over the last fourteen years by a dedicated team, who have managed to figure out how it was constructed despite all the plans and actual machines having been dismantled.

Of course, keeping such things running requires cash, and Bletchley Park has been scrambling for it for years now. The BBC reports that IBM and PGP have started a consortium of high-tech companies to help fund the museum, starting with £57,000 (which appears to be what the exchange rate is on $100,000). PGP has also set up a web page for contributions through PayPal at, and if you contribute at least £25 (these days actually less than $50), you get a limited-edition t-shirt complete with a cryptographic message on it.

An interesting facet of the news is that Bletchley Park is a British site and the companies starting this funding initiative are each American companies. Additionally, while PGP is an encryption company and thus has a connection to Bletchley Park as a codebreaking organization, one of the major points that PGP and IBM are making is that Bletchley Park is indeed a birthplace (if not the birthplace) of computing in general.

This is an interesting viewpoint, particularly if you consider the connection of Alan Turing himself. Turing's impact on computing in general is more than his specific contributions to computers -- he was a mathematician far more than an engineer. He was involved in designing Colossus, but the real credit goes to Tommy Flowers, who actually built the thing.

If we look at the history of computing, an interesting thing seems to have happened. The Allies built Colossus during the war, and then when the war ended agreed to forget about it. The Colossi were all smashed, but many people involved went elsewhere and took what they learned from Colossus to make all the early computers that seemed to have names that end in "-IAC."

(A major exception is the work of Konrad Zuse, who not only built mechanical programmable computers before these electronic ones, but some early electronic ones, as well.)

This outgrowth from Colossus also seems to include the work that turned IBM from being a company that primarily made punched cards and typewriters to one that made computers. It is thus nice to see IBM the computing giant pointing to Colossus and Bletchley as a piece of history worth saving along with the cryptographers at PGP. It is their history, too.

I think this dual parentage makes Bletchley Park doubly worth saving. The information economy has computers and information security at its core, and Colossus sits at the origins of both. Please join us in helping save the history of the information society.

Links for 2008-09-11 [] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 12 Sep 2008 12:00 AM CDT

Michelle vs. hot Ukrainians [Security For All]

Posted: 11 Sep 2008 11:27 PM CDT

Every so often you get a wickedly satirical comment that turns out to be wickedly insightful as well. Provided for your consideration is just such a witty piece from Chris Webster, a law student at University of Maryland at Baltimore. had this article about malicious spam purporting to be a sex scandal involving Barack Obama. You can get the article here.

Web monitoring firms are warning IT administrators to update their spam filters after a massive new spamming campaign was detected. Inboxes are filling up with spam claiming to have a link to a web site that carries video footage of a sexual indiscretion committed by presidential candidate Barack Obama. It alleges to show footage of him having sex with Ukrainians after a visit to the country last year.

Chris has this clever insight.

Michelle Obama v. hot Ukrainians? I can see that…

What does this say about idiot spam victims?

  1. they like to see online sex videos
  2. they like to believe the worst about Obama
  3. they think anything can happen in Ukraine
  4. they think everybody tapes everything
  5. if it’s on email it must be true!

Very interesting study in social engineering.
I personally think Putin is behind this web attack.

  1. he knows a lot about Ukraine ( and Ukraine’s girls)
  2. sources close to him say with his reduced duties he has been watching more movies — Top of his Netflix you’d enjoy list = “Sex, lies & Video Tape”
  3. the other guy who might be behind this is McCain, and he has never been on the internet
  4. Putin needs to get back at the, “American political candidate who initiated the Georgian war for their own gain.”

Thanks for the warning, luckily all my money is tied up in this can’t lose Nigerian investment ;)


In the interest of full disclosure, you should know that I am, in fact, related to Chris - he’s my eldest son.

911 Remembered [SecurePuter]

Posted: 11 Sep 2008 09:08 PM CDT

Take a Moment to Remember the Fallen

Free AntiVirus

My heart goes out to all the families that lost loved ones 7 years ago on that most tragic day. I salute the men and woman who stepped up to fight the terrorist threat head on. To the soldiers wounded and killed in the battles that followed, you are in my prayers. A moment of silence for you all


Support the Serving

To the military men and woman still fighting this terrible war, take care of yourselves and be safe. My former unit, in which I served in Operation Enduring Freedom, is currently deployed to Iraq and is training the Iraqi police departments. You are doing a great service. We need them to take care of their own so that U.S. Troops can come home. I hope all is going well for the 344th and I promise to send another care package full of beef jerky and sunflower seeds soon. If you didn't know, those two foods are the most sought after items in a care package.

In addition, any donations receives this month will go directly toward the creation of more care packages. If you are so generous, the donation button is in the bottom of the sidebar.

Second ROI War [Anton Chuvakin Blog - "Security Warrior"]

Posted: 11 Sep 2008 01:06 PM CDT

Another day, another security ROI blogwar.

Overall, I love it when educated peoples' debate just falls waaaay down to the level of "I won't care what YOU call it as long as you don't care what I call it...." Yuck! :-)

All security ROI coverage is tagged here: The previous, "First ROI War", is summarized here.

Canadian PM FAIL [Emergent Chaos]

Posted: 11 Sep 2008 12:09 PM CDT

Dear Mr Harper,

In general people do not care for the government to be tracking their religious affiliation. In particular however, there are few groups who care less for this sort of tracking than Jews. Seriously, you're not going to get votes by sending Rosh Hashanah cards to your Jewish constituents. It freaks us out, really.

I was a little alarmed at the idea that the government might have some list of Canadian Jews, whether or not they're using that for benevolent or malevolent or cynical reasons," Mr. Terkel said. "It doesn't seem my religion should be the business of any federal government.

With No Love,


P.S. It would be ever so slightly more convincing if you didn't also schedule the upcoming election on a Jewish holiday. Hope that helps.

9/11 seven years on [Security For All]

Posted: 11 Sep 2008 11:16 AM CDT

Yesterday the Department of Homeland Security (DHS) released it’s annual report
Fact Sheet: U.S. Department of Homeland Security 9/11 Anniversary Progress and Priorities which begins with the following introduction (emphasis mine):

Since 9/11, the Department of Homeland Security (DHS) has made significant progress in protecting the nation from dangerous people and goods, protecting the nation's critical infrastructure on which our lives and economy depend, strengthening emergency response and unifying department operations. Seven years without an attack on U.S. soil are a testament to this department's 216,000 employees – and the nation's first responders and law enforcement officers – who every day put service before self. Since its creation in the aftermath of the tragic events of 9/11, the department has achieved much to protect and secure the United States

What struck me about this report, aside from the solemn occasion it commemorates, was the realization that what all professional security organizations have in common regardless of size, scope or budget is that when we do our job right nothing happens. Our successes go unnoticed but our failures are spectacularly visible.

On this day lets take some time to think about all of those folks whose purpose is to keep our lives as safe as possible and remain unnoticed.

Flux Agent Geographic Distribution [The Security Shoggoth]

Posted: 11 Sep 2008 10:48 AM CDT

I've been looking into a fast flux botnet for the past day which came in the form of some banking malspam. If you don't know what fast flux networks are, check out the Honeynet Project's Know Your Enemy paper on them - its one of the best resources out there.

I set up a script to resolve the DNS name of the website which held the malware on it. The DNS record expired every 1500 seconds (25 minutes) so my script would perform the lookup, wait 25 minutes. perform another lookup, rinse, repeat. I did this for about 24 hours. The purpose was to see where the flux agents for the botnet were residing.

In the end, I had 88 unique IP addresses acting as flux agents residing in 21 different countries.

Interestingly, while the most were coming from Romania (18), the second largest was from Israel (15) and there were no .edu's in the mix. Remember, these are the flux agents, not the members of the botnet.

NAC management server running in a virtual machine - BFD! [StillSecure, After All These Years]

Posted: 11 Sep 2008 08:41 AM CDT

Things must be slow for Tim Greene.  Either that or Greg Stock, CEO of MIrage snookered him pretty good.  Tim's article today talks about the virtues of Mirage's management console running in a virtual machine and the company is "contemplating" moving its policy software also to run in a virtual environment.

Come on guys, are you kidding me.  Being able to get your product to run in a virtual server is newsworthy?  We have been installing Safe Access like that for a long time already.  I guess when all you sell are appliances, the idea of just selling software is radical?

Tim next time you can't find something to write about NAC give me a call, we can talk.

NAC day at Interop NY with Mike Fratto [StillSecure, After All These Years]

Posted: 11 Sep 2008 08:21 AM CDT

Just wanted to make sure you were all aware of NAC day at Interop NY this year, which is Sept 16th (next Tuesday).  Joel Snyder usually runs Interop NAC events and does a great job. However it seems Joel had a scheduling conflict this year.  The show organizers went to the bullpen and have none other than Mike Fratto as master of ceremonies.  Mike I am sure will do a great job.  You can read more about  what Mike says about it here.

In addition to Mike you can hear from some NAC vendors, primarily Microsoft, Cisco and Juniper.  The reason being that they are the only ones to pony up the 30k or so it takes to get on the panel for NAC day.  Realize that though educational, the Interop folks charge vendors an arm and leg to educate you.  My only beef is that if Interop wanted to really educate you on NAC they would have NAC experts who did not "pay to play".  Shame on them for not making it clear that these companies have paid that kind of money to be called NAC experts!

In Remembrance [SecuraBit]

Posted: 11 Sep 2008 08:06 AM CDT

Today marks 7 years ago that we lost so many fellow americans in the horrific attacks which unfolded that day.  Think about them, and also think about our troops.  Without their sacrifice we would not be able to do things like drink beers and talk about security on Skype every couple of weeks. To those who [...]

9/11 - Seven years later, a moment of silence [StillSecure, After All These Years]

Posted: 11 Sep 2008 08:03 AM CDT


Links for 2008-09-10 [] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 11 Sep 2008 12:00 AM CDT

Ultimate Attack Vectors - Web Browsers [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 10 Sep 2008 10:04 PM CDT

Talking about web application security lately is making me nuts. It's been about what, 12 years since we security folks started preaching about "firewalls", right? That took at least 5 years before anyone started taking firewalls with any serious thought - and now it's just a matter of need when building a network. People started putting in firewalls because servers got hacked, and bad things happened.

This got me thinking. Servers got hacked the "old fashioned way" which meant that a bad guy scanned one of the millions of IPs on the Internet, over the range of 65, 535 ports available looking for one to exploit, and then tried one of dozens of exploits available for any given listening service (such as an XP-on-Win32 exploit for DCOM). The odds of this were good - but the execution wasn't simple, and the attacker had to go find targets.

In comes the browser. Forget port-scanning, customizing exploits to processors + operating systems, listening services. Just craft an exploit that any standards-based browser can exploit, such as Cross-Site Scripting (XSS), reflect it to the victim (who is willingly coming to the attacker), and voila. Hacked.

The browser is such a double-edged sword... Users love it because it drives all the cool "web stuff" they can do like Facebook, MySpace, YouTube, and so on... and it's a hacker's dream. No longer does the attacker have to go out seeking servers with Internet-open ports to scan and victimize... the attacker simply follows the Kevin Costner (Field of Dreams) model... if you build it, they will come... and you can exploit them. This of course blows the firewalled machine model right out the window. It doesn't matter that they're firewalled, the avenue for exploit so much greater than a firewalled server.

... and people tell me that they just don't see the value in spending copious amounts of money and resources on securing web apps. Makes me crazy.

I love getting spam, redux [The Security Shoggoth]

Posted: 10 Sep 2008 09:44 PM CDT

Back in May I blogged about a site named Knujon, run by Garth Bruen, which was attempting to fight the good fight against spam not by attempting to shut down the spammers themselves, but by attempting to shut down the domains for the sites spam is advertising. His theory is sound, but how effective was it? I signed up for the Knujon service, downloaded a Thunderbird extension to send the spam I received to Knujon and have been watching the reports.

Before I go on, let me just say that with the email accounts that I use Thunderbird to check I probably receive close to 500-1000 spam a day. Thunderbird does a fairly good job of recognizing them as junk and putting them in my Junk folder. When I run my Knujon extension it attaches them to an email and sends it to Knujon to process.

By logging into the site you receive status reports on the emails you have sent them. From the statistics available, you can see how many domains they have received, how many are pending suspension and how many have been suspended.

As of 9/9/08, Knujon has received 7,115 sites from me that were being advertised in spam. So far, 291 domains are pending suspension and 270 domains have been completely removed. Not bad for only 5 months of sending emails.

For the amount of effort that I have had to put in to Knujon (almost none), I am very impressed with the results. Garth Bruen is making alot of progress in his work - according to the site they have shut down 79,500 domains with another 33,671 pending.

I highly encourage everyone to sign up on Knujon.

Google Chrome criticised over lack of security [CGISecurity - Website and Application Security News]

Posted: 10 Sep 2008 07:23 PM CDT

"Users should wait to use Google Chrome after its vulnerabilities were exposed. Randy Abrams, director of Technical Education at ESET, claimed that as vulnerable code was used users should only use Chrome when they are not viewing sensitive pages. He claimed that the oversight by Google is indicative of either a...

Microsoft IE8 and Google Chrome - Processes are the New Threads [CGISecurity - Website and Application Security News]

Posted: 10 Sep 2008 07:20 PM CDT

"I happened to install Google Chrome (Alpha) the same day I installed Internet Explorer 8 (Beta). I noticed immediately, as I'm sure many of you have, that both browsers isolate tabs in different processes. Unix folks have known about the flexibility of forking a process forever. In Unix, fork() is just...

Samurai Web Testing Framework [CGISecurity - Website and Application Security News]

Posted: 10 Sep 2008 07:16 PM CDT

" As live CD's have become more popular, specialized distributions have begun to emerge. One such specialty live CD is Samurai, a distribution squarely focused on web application penetration and vulnerability testing. Samurai is dubbed a "web testing framework" in much the same way that Metasploit is termed a framework. Samurai...

Episode 10 recording notice and streaming! [SecuraBit]

Posted: 10 Sep 2008 05:48 PM CDT

We will be steaming Ep 10 live tonight at around 7:30PM EST.  Feed urls will either be ChrisAM’s, mubix’s, or both. Join us as well on IRC at #securabit

If This Isn't 'Semantic Hacking', I Don't Know What Is... [Anton Chuvakin Blog - "Security Warrior"]

Posted: 10 Sep 2008 05:35 PM CDT

"Shares of UAL Corp. went from $12.16 to $0.01 [A.C. - the number is actually not true; they dropped to about $3, but still] when a 2002 Chicago Tribune article with the headline "United Files For Bankruptcy" appeared today. With today's date." (more coverage)

Think about it...

Worms? RBN? Bots? Rootkits? DLP? NAC? For kids.

Projects march on [IT Security: The view from here]

Posted: 10 Sep 2008 03:40 PM CDT

Following on from my last post, I've had a lot of comments suggesting various technologies for firewall monitoring and application scanning, but absolutely nothing on endpoint security.

Funny that, but I'm wondering exactly why. Is it maybe because you all assume I know enough about endpoint security to make my own decision? I think not. Is it because endpoint security is totally irrelevant to our current situation? Again, not very likely.

What I think is more likely is that it's still just too early for anyone to really have the requisite experience of these technologies to have a real opinion yet. Certainly my conclusion on the project is that we should wait. Although the action to get something to protect our endpoints came from an audit, I believe we can mitigate the risk sufficiently to pass the next audit until the endpoint/DLP market has settled down, and therefore 'sweat the assets' a bit more. I hope the business would appreciate that thought.

Therefore it follows that the project I got most feedback on - web app scanning - should be the one I concluded was the most important. Incredibly, it was. My suggestion is to make it into a real project, but try to get our outsourcer to swallow some of the cost as they do our solution design. I like the idea of getting something that checks sourcecode too, so that will form the next part of my project.

Which leaves us with the firewall monitoring. One comment, which predicted the technology which has already been suggested to solve the issues we are facing. The problem and the solution were suggested by the operational security guys, so I've suggested we pass ownership of the whole project back to them... seems simple enough.

What's really pleasing is to get my ideas out and validated by the great and the good. Glad to be back and blogging...

What CAN You Do? [Anton Chuvakin Blog - "Security Warrior"]

Posted: 10 Sep 2008 01:16 PM CDT

This is NOT a funny post. At all.

Alan is not the only one who got 0wned. I am hearing VERY disturbing rumors from some other people (sorry, can't share them here) - and they are good, paranoid people :-) People who don't have a password of "password." :-)

Now, think.

What can you, personally, do today if you know - or, at least, suspect - that somebody is after you?

Change all passwords? Create paper copies of financial records? Backup everything offline? What else?


Maybe it will become a new blog meme... In any case, I AM thinking about it. Today!

And I suggest you do that too.

UPDATE: a very good follow-up post to this with a lot of practical suggestion. Go there!

SCADA Exploit Released [CTO Chronicles]

Posted: 10 Sep 2008 12:03 PM CDT

SC Magazine has an article up that a security researcher has "released" an exploit for the CitectSCADA vulnerability announced earlier this summer.  I've written about the challenges around SCADA systems before, and we continue to monitor this space, so the article caught my attention.

I have little doubt that the original vulnerability was serious, and all indications are that it was taken seriously, if not by the press then at least by Citect and their customer base.  This newly released "exploit" seems a bit over the top to me, as do a couple of quotes in the article.  Here's an example:

"As a result of the need for real-time business information, it is becoming increasingly popular for the plant network to connect with enterprise networks and the open internet."

I don't know Brian Ahern, and far be it from me to say that companies, industrial or otherwise, shouldn't secure their networks.  But is Mr. Ahern truly making the allegation that power companies are giving their industrial control systems unfettered access to the public Internet?  Seems a bit of a stretch.  The stretch gets even broader when a look at the code shows a high ephemeral port related to ODBC connectivity.  Is there really any company that allows incoming connections on ephemeral ports to internal systems?  Much less industrial control systems running SCADA applications?  None of the utility guys that I've had the opportunity to meet does.

Given today's landscape, what seems a more likely vector is a bot or otherwise malware-infected host already inside the company's perimeter.  Put another way, given that we're in an election year, "It's the Inside, stupid."

By all means, take this vulnerability seriously.  By all means, leverage perimeter security devices (if you don't already) to protect critical infrastructure devices from the public Internet.  But you should also secure your network from the inside out, not just from the outside in.

Camera MMC card failure? [Liquid Information]

Posted: 10 Sep 2008 11:59 AM CDT

Our camera MMC card decided to get corrupt once again as XP had some trouble recognizing it. I wouldn't have bothered but it had around hundred photos so I decided to check if I can grab them off the card. When I checked the card with fdisk in Linux, it complained about a corrupt table (so I fixed it).

Of course things looked very blank at that moment.

As I had the Helix Live CD I thought I try to find the pictures from unallocated space / RAW image, and booted things up. Lo and behold, I noticed it had a tool called photorec. I simply grabbed an image of the MMC and ran the tool, which nicely grabbed all the pictures and a couple of videos from it.

After this I just created a new FAT partition and the card was ready to go again. As the card had space for a few pictures before it went nuts, I was able to recover two that were taken in December. So... next time you decide to borrow your camera to someone, think twice ;-)

Barbary Pirates Evolve Into Modern Day Hackers [SecurePuter]

Posted: 10 Sep 2008 11:37 AM CDT

I recently attended an Infragard meeting that featured an interesting lecture titled "Freedom of the Cyber Seas" given by Aaron Turner.

The article presented an interesting comparative analogy of the historic Pirates of the Barbary States and nowadays hackers. The thesis revolves around the measures taken by the United States to defend itself from pirates in the early days of independence and international trade. Aaron compares the Tripoli, Morocco, Tunis and Algiers sponsored Barbary pirates to paid hacker coalitions. Much like ancient pirate fleets, hacker groups are being hired by nations to attack other nations, such as the Russia Georgia incident. These hackers could be considered internet mercenaries or modern day pirates.

The article also parallels the extortion demanding pirates with modern day computer security protections. If the pirates didn't exist, no tribute would need to have been paid for safe travels. If malicious hackers didn't exist, there would be no need to spend a fortune on security products for safe internet travels. Aaron preaches drastic measures, such as Jefferson's philosophy “Millions for defense, not one cent for tribute”, is needed to properly defend the United States in the new "sea", the world wide web.

SecuraByte Episode 3 [SecuraBit]

Posted: 10 Sep 2008 11:20 AM CDT

Last night we did a spontaneous hour long interview with the guys from HacDC, a Hackerspaces group. Hosts: Rob Fuller - Mubix Chris Mills - ChrisAM Chris Gerling - Hak5Chris Guests: Nick Farr - Treasurer HacDC Mitch Altman - NoiseBridge San Francisco, Hackerspace Bryce - HacDC HacDC and Hackerspaces. What is a Hackerspace?: Physical space where hackers make things, in person place to do things rather [...]

This posting includes an audio/video/photo media file: Download Now