Posted: 13 Sep 2008 06:27 AM CDT
It's déjà vu all over again. I see that Jeremy Jaynes has won his most recent argument in Virginia that the state's anti-spam law is unconstitutional. (Once again, thanks to Slashdot for the heads-up.)
Jaynes would have us believe that spamming is protected speech under the U.S. First Amendment. The court didn't exactly say that, but concluded that the law as written was overly-broad, because it didn't explicitly differentiate between commercial speech and any other kind of speech (e.g., political expression).
While I agree that anti-spam laws shouldn't restrict political speech, I have a couple of issues with this decision:
Again, I say I find it really hard to believe that the American founding fathers intended my inbox be full of spam.
More at today's IT Blogwatch EXTRA...
Posted: 13 Sep 2008 05:28 AM CDT
Hmmm, so I see that Jeremy Jaynes has lost his appeal in Virginia that spamming is protected speech under the U.S. First Amendment. (Thanks to Slashdot for the heads-up.)
Jolly good, and no surprise there, I think. However, why on Earth was it a 4-to-3 split decision? What were those three state supreme court judges thinking?
Well, according to the AP:
Justice Elizabeth Lacy wrote in a dissent that the law is "unconstitutionally overbroad on its face because it prohibits the anonymous transmission of all unsolicited bulk e-mail including those containing political, religious or other speech protected by the First Amendment."
Oh, balderdash. I find it really hard to believe that the American founding fathers intended my email to be full of spam.
Posted: 13 Sep 2008 12:43 AM CDT
The iPhone is my first experience being an Apple customer. After a few months now, I have one thing to say to Steve Jobs and Co - Set my people free! They talk about Microsoft locking you in? Apple makes Microsoft look like libertarians.
A few days ago I wrote about a frustrating experience I had flying across the country. I had a file attachment in an email on my iPhone. It was a PowerPoint file. I wanted to edit it before I had to present in the morning. There was just no way to get it off my phone onto the computer without mailing it to myself, which I could not do on the plane. It was frustrating for me because for the last two years I had Windows Mobile phones. When you plugged in the USB, the phone became a mounted drive and you could drag and drop files back and forth between the phone and your computer. Not with the iPhone, it seems. Even though plugging it in to sync with iTunes is no different, Apple does not want you to be able to move your own files on and off the phone.
I received a note from a reader telling me that a new app was available called Air Sharing that would let you do this. I downloaded the app and tried it out. First of all you still can't just plug in the USB and move files. It works by setting up a web server on your iPhone that can only be accessed via a wireless network connection. So for the plane scenario that started this, it was basically useless.
I had music on my iPhone that was there from my old computer. It was my own MP3 files, not bought from iTunes and no DRM issues. I have been trying to get them on my new computer from the iPhone. But again, because of Apple's totalitarian philosophy, if you want to sync your iPhone with iTunes it will wipe out your iPhone music and replace it with what you have in your iTunes library. Again, it is the Apple way or no way. Well, it turns out that Air Sharing is the same garbage. You can move files from your computer to the iPhone but not the other way. What good is that? I could just attach and mail them to myself and do the same thing. I don't blame the developers of Air Sharing; their hands are tied by Apple.
In spite of this uselessness, the Apple fan boy crowd can't stop crowing about the legendary Apple user experience that this App allows and how great it is. Here is a news flash for you: You want to see how it should really work, go check out a Windows mobile phone! In the meantime I am in countdown mode to when I can ditch the iPhone. I am tired of dropped calls, poor signals and black box controls.
My message to Apple is - Set the people and their files free!
More on Apple. Mitchell sent me a wav file to edit for our next podcast. I clicked the link, it opened in my browser, and the QuickTime plug-in that I don't even remember giving permission to install started playing the wav file. Go to save the file and it tells me I have to buy QuickTime Pro. The heck with that. I opened the URL in Windows Media Player and clicked Save File As. Easy peasy.
Posted: 12 Sep 2008 11:43 PM CDT
It is not just who is going to put Lehman Brothers out of their misery in the M&A
1. Why are wireless companies like bellybuttons? Because it seems like everyone has one. Continuing the recent trend, Juniper wants to be the latest one on the block to acquire their own wireless company. According to reports, they are interested in buying Meru Networks (96 million raised) or publicly traded Aruba. While Meru has nice technology, an Aruba buy would be a great fit for Juniper. Aruba is Cisco's biggest competitor in the wireless space, so it should fit well with Juniper's take-on-Cisco persona.
From various sources, it will be one or the other of these two wireless providers, but Juniper is certainly buying one.
2. What took them so long? I have always thought for the longest time that Citrix was a good buy for Microsoft. Now once again rumors are flying that Redmond will finally pull the trigger on this multi-billion dollar deal. Cisco, IBM and HP are also rumored to be in the hunt this time though. I guess the virtualization stuff is driving a lot of that.
I have also heard rumors that Citrix will be moving its HQ from Ft Lauderdale to Silicon Valley. The South Florida tech community would certainly be a big loser in that one.
In any event, the march of consolidation moves on.
Posted: 12 Sep 2008 11:34 PM CDT
You read right.
My colleague Scott sent me an email today with this story from the Atlanta Journal-Constitution, which basically strikes down the law which put one of the most infamous spammers in history in the slammer for 9 years. Unbelievably, he was allowed to argue that his "email campaigns" were covered under the "freedom of speech" provisions in the US Constitution... even though his email spews were 100% commercial - how does that work?
Of course... the question is, will this reversing of the Virginia law cause a cascading failure of legal precedent up into the US Federal CAN-SPAM Act? We'll have to wait and find out I guess - but I have some additional thoughts on this topic - namely - does this have anything to do with security, or is it simply a nuisance that administrators, mailbox owners, and network managers have to learn to live with?
Interesting that arguing "freedom of speech" could reverse a law that makes it illegal to send unsolicited, commercial email to random people.
My favorite quote of the article is this one... from the ruling itself.
...so because the law prohibits the transmittal of *any* type of unsolicited email (including religious and political emails) it means that the law in whole is unconstitutional.
--Thanks Scotty... interesting development indeed.
Posted: 12 Sep 2008 07:57 PM CDT
Posted: 12 Sep 2008 02:04 PM CDT
OWASP NY AppSec 2008 is only a week away and is going to be big, really big, bigger than anyone expected I think. So big in fact that Tom Brennan, conference organizer, had to find a larger venue this week to accommodate all the attendees. The Park Central Hotel - 870 Seventh Avenue at 56th if you hadn't already seen the updated page. What Tom and Co. also did was create a jam-packed line-up of sweet looking presentations. So much so that everyone will probably miss something they wanted to see because of dueling talks. Oh well, that's what video is for! While the schedule still seems to be in a bit of flux, I thought I'd list the stuff I'm most interested in and get my personal schedule going.
Disclaimer: If I don't pick your talk it doesn't mean I don't like you or the material. :) It might be that I've already seen it and/or familiar with the content.
Web Application Security Road Map - Joe White
Because it's initiatives like this one that will eventually serve as a template for other organizations to follow.
Http Bot Research - Andre M. DiMino - ShadowServer Foundation
I have a soft spot for bots, seemed interesting, and wanted to see what data they have.
Get Rich or Die Trying - Making Money on The Web, The Black Hat Way - Trey Ford, Tom Brennan, Jeremiah Grossman
Well, you know, I sorta have to be there. :)
New Exploit Techniques - Jeremiah Grossman & Robert "RSnake" Hansen
One of those presentations exposing what Web attacks in the next 12-18 months will look like. We've purposely kept really quiet about what we plan to demonstrate, but it's certainly going to make people a little nervous. :)
Industry Outlook Panel
Curious about what these folks have on their mind.
Multidisciplinary Bank Attacks - Gunter Ollmann
Good speaker and I enjoy hacking banks. :)
Case Studies: Exploiting application testing tool deficiencies via "out of band" injection
I have no idea, though it appeared to be an interesting topic.
w3af - A Framework to own the web - Andres Riancho
I'd like to see this tool demonstrated and understand what it can really do.
Coding Secure w/PHP - Hans Zaunere
Want to see more about how this is done. It can be right?
Best Practices Guide: Web Application Firewalls - Alexander Meisel
A big toss up between this one and Pen Testing VS. Source Code Analysis, but had to go with the WAFs. Wanted to see what their point of view is and the guidance they're suggesting.
APPSEC Red/Tiger Team Projects - Chris Nickerson
Sounded cool, that's about it.
Industry Analyst with Forrester Research - Chenxi Wang
It's always good to know how certain enterprises will be influenced.
Security in Agile Development - Dave Wichers
As before, is this possible? And if so, how!? TELL ME!
Next Generation Cross Site Scripting Worms - Arshan Dabirsiaghi
C'mon Arshan, no holding back. Give me the next NEXT generation XSS worms! :)
NIST SAMATE Static Analysis Tool Exposition (SATE) - Vadim Okun
Tools lined-up side-by-side and tested always interested me.
Practical Advanced Threat Modeling - John Steven
It's been a while since I attended a threat modeling talk, especially one targeted towards webappsec, which I hope this is.
Off-shoring Application Development? Security is Still Your Problem - Rohyt Belani
Uh, yep, it is, but what to do about it is the question. Hopefully Rohyt will answer that one.
Flash Parameter Injection (FPI) - Ayal Yogev & Adi Sharabani
Flash security is HUGE! HUGE I SAY!
Most of these speakers I've never seen present before, which I find refreshing. New talent, new ideas, and shows an emerging industry. Good luck everyone!
Posted: 12 Sep 2008 08:49 AM CDT
Very uncharacteristic for Apple, but the update screen for 2.1 actually lists its updates.
Thanks for letting us know all these things Apple, please keep up the straightforwardness in updates!
Posted: 12 Sep 2008 08:45 AM CDT
Available for: iPhone v2.0 through v2.0.2
Impact: An application may be able to read another application's files
Description: The Application Sandbox does not properly enforce access restrictions between third-party applications. This may allow a third-party application to read files in another third-party application's sandbox, and lead to the disclosure of sensitive information. This update addresses the issue by enforcing the proper access restrictions between application sandboxes. Credit to Nicolas Seriot of Sen:te and Bryce Cogswell for reporting this issue. This issue does not affect iPhone versions prior to v2.0.
Available for: iPhone v1.0 through v2.0.2
Impact: Multiple vulnerabilities in FreeType v2.3.5
Description: Multiple vulnerabilities exist in FreeType v2.3.5, the most serious of which may lead to arbitrary code execution when accessing maliciously crafted font data. This update addresses the issue by incorporating the security fixes from version 2.3.6 of FreeType. Further information is available via the FreeType site at http://www.freetype.org/
Available for: iPhone v1.0 through v2.0.2
Impact: mDNSResponder is susceptible to DNS cache poisoning and may return forged information
Description: mDNSResponder provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow a remote attacker to perform DNS cache poisoning attacks. As a result, applications that rely on mDNSResponder for DNS may receive forged information. This update addresses the issue by implementing source port and transaction ID randomization to improve resilience against cache poisoning attacks. Credit to Dan Kaminsky of IOActive for reporting this issue.
Available for: iPhone v2.0 through v2.0.2
Impact: Predictable TCP initial sequence numbers generation may lead to TCP spoofing or session hijacking
Description: TCP initial sequence numbers are sequentially generated. Predictable initial sequence numbers may allow a remote attacker to create a spoofed TCP connection or insert data into an existing TCP connection. This update addresses the issue by generating random TCP initial sequence numbers. This issue does not affect iPhone versions prior to v2.0.
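The two entries above describe fixes that replace predictable identifiers with random ones (DNS source port and transaction ID; TCP initial sequence number). The following is an added example, not code from Apple or the advisory: a defender-side audit that takes values a device was observed emitting and flags fixed or counter-like behaviour, plus a rough estimate of how many (port, txid) combinations a forged DNS reply would have to match. The ephemeral port range 1024..65535 and all sample values are assumptions constructed for the example.

```python
# Added example, not code from Apple or the advisory text: a defender-side audit
# of the two weaknesses the entries above describe. It looks at values a device
# was observed emitting (DNS query source port + transaction ID pairs, and TCP
# initial sequence numbers) and flags fixed or counter-like behaviour, which an
# off-path attacker could read off one earlier packet. All samples are constructed.
from typing import Dict, List, Sequence, Tuple

TXID_BITS = 16          # DNS transaction ID width
ISN_BITS = 32           # TCP initial sequence number width
# Assumption: the resolver draws source ports from the ephemeral range 1024..65535.
EPHEMERAL_PORTS = 65535 - 1024 + 1


def is_constant(values: Sequence[int]) -> bool:
    """True when every observed value is identical (e.g. one fixed source port)."""
    return len(values) > 0 and len(set(values)) == 1


def is_arithmetic(values: Sequence[int], bits: int) -> bool:
    """True when successive values differ by one constant non-zero step modulo
    2**bits: the on-wire signature of a counter (txid += 1, ISN += 64000)."""
    if len(values) < 3:
        return False          # too few samples to call it a pattern
    mod = 1 << bits
    steps = {(b - a) % mod for a, b in zip(values, values[1:])}
    return len(steps) == 1 and 0 not in steps


def dns_guess_space(ports: Sequence[int], txids: Sequence[int]) -> int:
    """Rough number of (port, txid) combinations a forged reply must match.
    A field that is fixed or counter-like contributes 1 (it is predictable);
    otherwise it contributes its full range."""
    port_factor = 1 if is_constant(ports) or is_arithmetic(ports, 16) else EPHEMERAL_PORTS
    txid_factor = 1 if is_constant(txids) or is_arithmetic(txids, TXID_BITS) else 1 << TXID_BITS
    return port_factor * txid_factor


def audit_dns_queries(queries: Sequence[Tuple[int, int]]) -> Dict[str, object]:
    """queries: observed (source_port, txid) pairs in the order they were sent."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    fixed_port = is_constant(ports)
    counter_txid = is_arithmetic(txids, TXID_BITS)
    return {
        "fixed_source_port": fixed_port,
        "sequential_txid": counter_txid,
        "guess_space": dns_guess_space(ports, txids),
        "predictable": fixed_port or counter_txid,
    }


def audit_tcp_isns(isns: Sequence[int]) -> Dict[str, object]:
    """isns: initial sequence numbers observed in successive SYN segments."""
    sequential = is_arithmetic(isns, ISN_BITS)
    return {"sequential_isn": sequential, "predictable": sequential or is_constant(isns)}


# Constructed samples (not captured traffic).
# A resolver before the fix: one source port, transaction IDs counting up.
WEAK_DNS: List[Tuple[int, int]] = [(32768, 4100 + i) for i in range(6)]
# A resolver after the fix: port and txid both vary without a constant step.
FIXED_DNS: List[Tuple[int, int]] = [
    (51203, 0x3A7F), (42917, 0x9C12), (60144, 0x0F5E),
    (33210, 0xE8A1), (57761, 0x5B03), (48026, 0x7D99),
]
# ISNs growing by a constant increment versus ISNs with no constant step.
WEAK_ISN: List[int] = [64000 * (i + 1) for i in range(5)]
FIXED_ISN: List[int] = [0x1F3A9C02, 0x8B77E1D4, 0x0C4D5A91, 0xE2196F38, 0x5A80B3C7]


if __name__ == "__main__":
    for label, sample in (("weak resolver", WEAK_DNS), ("fixed resolver", FIXED_DNS)):
        print(label, audit_dns_queries(sample))
    for label, sample in (("weak ISN", WEAK_ISN), ("fixed ISN", FIXED_ISN)):
        print(label, audit_tcp_isns(sample))
```

A handful of samples only rule out the crude patterns named in the advisory; a non-constant step does not by itself prove the values are unpredictable.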
Available for: iPhone v2.0 through v2.0.2
Impact: An unauthorized user may bypass the Passcode Lock and launch iPhone applications
Description: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode by double clicking the home button in emergency call. This update addresses the issue through improved handling of emergency calls. Credit to Matthew Yohe of The University of Iowa's Department of Electrical and Computer Engineering for reporting this issue. This issue does not affect iPhone versions prior to v2.0.
Available for: iPhone v1.0 through v2.0.2
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in WebKit's handling of CSS import statements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of document references.
Posted: 12 Sep 2008 08:06 AM CDT
Haven't blogged in a while; I've been working on some other stuff as well over at dearcupertino.com.
For those of you that haven't seen, here's a bit of Mac news: Apple released iTunes 8, a new set of iPod Nanos (going back to the more vertical shape), updated and dropped the price on the iPod Touch, as well as refreshing the iPod Classic line.
Basically, for the holiday shopping season. Good stuff.
They also released an update to the iPod Touch software (2.1), and it has some nifty features in it (like the Genius feature from iTunes 8.0). Reports are also that it is faster. The iPhone update 2.1 is supposed to hit today, so I might blog again with some updates about that.
Otherwise, for those who know me, and know that I have been on a single customer site for the past year+, I have 12 days left (including weekends).
Posted: 12 Sep 2008 07:43 AM CDT
Well, inadvertently it would seem. Data forensics wonk, Jonathan Zdziarski, indicated that when the iPhone does that cool fade out, when you switch applications, it takes a screen shot. No, there are no black helicopters here. This is apparently how the effect is achieved.
I imagine it has the potential for being a privacy issue. In all fairness though, if someone already has access to your phone you’re pretty much fubar anyway.
Posted: 11 Sep 2008 06:39 PM CDT
Jeremiah Grossman wrote in the opinion section for Application security in CSO Online magazine about Web Application Security Today — Are We All Insane?
I have an opinion of my own which I would like to share with my readers. Jeremiah spreads FUD — Fear, Uncertainty, and Doubt (mostly fear) in his message. I wanted to walk through some parts of what he wrote that were especially messages of fear, particularly ones that are over-blown.
Many of us (including myself) know exactly where Jeremiah is going with this. However, my addition is that the purity of the water in his example is what is important — not the flood of code. We shouldn’t slow down the production of code, or put an end to it.
While some of this FUD is certainly true to a point, we don’t have any specific measurements on the reality of our situation. What Jeremiah purports as fact is merely theory, speculation, and potentially myth.
I’ve been having a lot of interesting conversations about compliance with my colleagues lately. It’s been indicated to me that PCI-DSS is not the only compliance standard or regulation that has a framework to enforce application security or application penetration-testing. Stranger, the “cost of a breach” isn’t the only cost of insecurity.
Marcin and I were discussing an article on Sound compliance policies, practices reduce legal costs. I had other discussions about cyber-insurance in the Security Catalyst community regarding a presentation at the recent Defcon conference from Taylor Banks and Carric on [PDF] The pentest is dead, long live the pentest! At the end of their presentation, Taylor and Carric provide a long list of cyber-insurance providers — extremely useful for anyone unaware of such a thing or looking to buy. In David Rice’s book, Geekonomics, David makes mention of AIG’s cyber-insurance offerings and how the ISAlliance and AIG provide discounts to ISAlliance members who implement security-framework controls. In other words, doing compliance “right” not only buys protection from the regulators, but it also demonstrates cost-improvements for legal and insurance activity.
Another conversation with colleague Adam Muntner discussed how “compliance readiness” is both more profitable and more enjoyable than compliance work itself. Many organizations realize how much time and effort it takes to pass any given set of criteria for an audit standard, so they prepare themselves ahead of time using experts in application risk, network penetration-testing, and application penetration-testing. What most organizations are looking for is custom-tailored advice in the form of strategy consulting, not just another fancy report that they can give to the auditors.
Compliance and breach disclosure laws could possibly be the primary motivators towards spending on application security, but there is certainly more at work here. If compliance is driving application security, then what is driving compliance?
Here’s where Jeremiah’s FUD really kicks in. I don’t know where his sources are, but the factual nature of this information should definitely come into question. I have heard of one or two exploits that have been sold for US $30,000. However, this is not the norm. The rumors of automatic reverse-engineering of patches into exploits have been disproved, so why make mention of it? Even the Asprox botnet that coordinated the SQL injection attacks is over one year old — and I’m certain that a large majority of Enterprises are patched. The clear target of the malware behind the SQL injection attacks is consumers, particularly those whose Windows XP operating system has some sort of automatic update deficiency or mis-configuration.
Actually, application security principles have been around for a lot longer! I think that security in the SDLC has definitely been talked about before the invention of the web. The only concepts that I’ve seen emerge from the “inadequacies of first-generation Web application security measures” that have been “beating their drums” and touting their solutions as the cure to all our woes are:
Secure code review has been a concept that I’ve been aware of since OpenBSD opened their doors. Improving software development processes for both quality and security go back in the literature to the 1970’s. Unit testing, and security unit testing, are relatively new concepts — but certainly not as new as WASS or WAF!
Secure code review is a competitive sport that is different than the sales/marketing approach of security product vendors. When Theo de Raadt, a renowned (some would say notorious) NetBSD core member who had an appetite for application security, branched OpenBSD from NetBSD — he didn’t have it directly in mind that he and his team would scour their source code looking for security-related bugs. However, the NetBSD team provided some extra competitive eyes on the OpenBSD commits — looking especially hard for security-related bugs to embarrass Theo and crew. From this back-and-forth competitive challenge — the application security industry was really born.
Certainly, some will claim that fuzz testing was invented earlier. However, before OpenBSD — security-related bugs were found mostly by accident (while looking for something else). If they were found on purpose, like in the case of the Morris Internet worm, it was a personal matter — potentially shared by a group, but not taken on by a group, rarely even in academia.
It’s interesting how Jeremiah views “secure software” as a battle cry. For many security-focused developers, this isn’t a war — it’s just a way of coding properly. Maybe he pictures that the war is “secure software vs. WASS+WAF”, which from his wallet’s perspective — might be right. I am having some issues separating application penetration-testing and general application security, but I don’t see it anywhere near as bad as the case that Jeremiah has got.
The one thing about the above paragraph that is potentially very sad is that he calls XSS bugfinders “attackers” — “amateur attackers” at that. There were no real attacks against the presidential candidates’ websites — there were just some vulnerability findings. No exploits were written or used. Jeremiah really has a way of twisting words around — maybe he should be working for one of the presidential candidates!
Application security vs. Application penetration-testing
Some of us choose to focus our efforts on penetration-testing — finding bugs in the code that can be used as an exploit. Others focus just on building the code with security in mind — to enhance security. This is an important distinction.
In a recent presentation entitled [PDF] Code Scanning: Success and Failure in the Field, Alex Stamos discussed some differences between false-positives and non-exploitables. Sure, black-box web application scanners, including SaaS vendors such as WhiteHatSec indeed find exploitable conditions. This comes at a serious cost.
Problems with black-box web application security scanners, including and especially WhiteHatSec:
I think Jeremiah said it best himself:
What I propose is that it is safer and easier to avoid the exploitability arguments. Who cares if something is exploitable or not? A better question is: how obviously secure is the code?
Advantages of security unit testing, secure code review, and white-box dynamic analysis:
Certainly, I have some ideas and products in mind when I think of true application security tools: security unit test frameworks (which don’t exist), security code review tools, and white-box dynamic analysis, or hybrid/composite analysis. However, the primary focus should be on the expertise needed to perform application security tasks, the process in place to allow individuals and teams to rise to the occasion, and guidance/governance from organizational figureheads and leaders.
Jeremiah thinks that developers work with source code one line at a time. They don’t. Modern developers utilize techniques such as metaprogramming, code generation, templating, and model-driven architecture. They’re programmers, why wouldn’t they write programs to help them develop other applications?!
Some web applications are so legacy that they require re-writing from scratch — however, we don’t have numbers or statistics on this amount. Also note that if Jeremiah is going to only include SSL web applications as important — then he should also include them in these numbers as well.
Developers have been using unit testing frameworks, IDE features, and processes such as iterative programming, Extreme programming, and Agile to help them refactor their applications for quite some time now. Refactoring does not require re-writing from scratch. With refactoring, developers can restructure the design of their applications by tweaking small parts of the code. Dependency injection, Aspect-oriented programming, and Attribute-oriented programming make this faster — as do general development concepts such as Design-by-contract, Test-driven development, Reflective programming, and many others. Some of these practices don’t even require use of an object-oriented language — let alone an Enterprise web application programming language such as Java Enterprise or ASP.NET.
There are numerous books on refactoring the Web, databases, and specific programming languages. Some languages have used metaprogramming to build refactoring, unit testing, TDD, and many other quality/security-control concepts into the entire framework — such as Rails for Ruby.
I dislike how Jeremiah fails to bring this analogy back around in order to prove any point. If WASS+WAF is supposed to signify blocking the inflow of water, this neither cleans up the already dirty pond, nor does it prevent the acidic/polluted water from immediately disintegrating the wooden plug that is supposed to stop the inflow.
If classic firewalls and virtual-patching didn’t work the first time around — what makes people think they’re going to work now?
The web does not require 10 years to be rebuilt — especially not the SSL web. It requires smart developers with metaprogramming, refactoring, and high-efficiency skills that can be focused towards security. Do not hire cowboy coders. Hire developers that can utilize and spread TDD, Design-by-contract, metaprogramming, and code generation concepts and tools throughout your organization. Hire application security experts that can work with these super-developers. Train and promote modern, secure development practices to every developer-newbie, veteran developer — and every network, application, or information security professional.
Posted: 11 Sep 2008 02:26 PM CDT
Posted: 11 Sep 2008 10:47 AM CDT
Bill Brenner, Senior Editor over at CSO Magazine has a great Podcast where he covers a recent security gathering in Boston, MA. The one that captured my attention is a summary of some Forrester Research study on the increase in security spending. According to their research, and I'm just going on the information from the Podcast, I haven't read the paper yet, FUD has fueled an approximate 10% increase in information security budgets – a 2% increase over last year.
If you have the time – and you only need seven and a half minutes – it is worth your time to listen to Bill Brenner's Podcast.
Posted: 11 Sep 2008 10:25 AM CDT
NetworkWorld just released an excellent article on the impact of Cybercrime on businesses. Now this article isn't technically oriented so it is perfect to print out and send to senior management to highlight the need to properly secure company information.
The article showcases the efforts that computer and electronics retailer TigerDirect goes through to combat credit card fraud. TigerDirect's system is homegrown and looks to flag online transactions that originate from countries known to be hotbeds of credit card fraud and online anonymizer sites. These transactions can then be investigated further (by either calling the customer or the bank) to determine if they are legitimate.
The one item in the article that I disagree with is the following quote:
In spite of caution and preemptive actions, TigerDirect will still get hit by costly card-related fraud each year through a small percentage of bad sales — which the retailer absorbs, not the victim of the stolen card. "It costs us millions and it costs the industry billions," Fiorentino says.
(Gilbert Fiorentino is the CEO of TigerDirect)
The retailer does not absorb the cost. The customer does. Every product that is sold carries a mark-up that includes a percentage of the retailer's overhead costs as well as the profit margin. Now you may not be able to find a fraud markup on the balance sheet but rest assured it is there typically hidden in some sort of overhead figure.
Consumers carry the burden of fraudulent activity as well as other increases. Just look at the cost of milk. The New York Daily News ran an article earlier this year on the cost of milk jumping 36%. This price increase was attributed to the increase in demand for feed corn. The corn is being used to meet the increased demand for ethanol, therefore it is becoming more expensive to purchase. Just as these increases in costs are impacting the price of the final product (the milk), so do increased overhead costs impact the retail prices of all other products.
Now if we can work to reduce the cost of fraud by implementing appropriate security measures then we can contribute to lowering costs for consumers, or by increasing the profit margin for the company. Either way it is important to tie information security to these final end results as it could very well help you to make the business case for information security.
Posted: 11 Sep 2008 08:23 AM CDT
Off to visit a client site today. Then into the studio tonight. Won’t be home until the wee hours. And for those of you who might have missed it. Myrcurial has dropped his Mexican wrestler mask to reveal his true identity. World, James Arlen. James, World.
And now, the news…
Posted: 11 Sep 2008 06:28 AM CDT
September 11, 2008 - Volume 3, #76
Top Security News
Too busy? Nah, just addicted to the status quo
Top Blog Postings
The business should be managing business information
Posted: 10 Sep 2008 12:09 PM CDT
To the proud constituents of the Liquidmatrix Army:
I call upon you this day to take note, not since the dark ages of October 2006 has there been such a glorious day for our proud people.
Much as was said by El Jefe, our glorious leader (shall he reign forever), it’s time to grow up and own it.
As you may have noticed in recent times, I’ve been… shall we say… the anti-recluse.
If you were paying attention, you would’ve seen me here:
And of course, no one could possibly forget seeing me here:
And with such public excursions, the swiftest reconnaissance squadron known to any - the Liquidmatrix Army - would have also noticed me (or my evil twin half-brother) in a few other places.
Upon the sage advice of El Jefe, I did a funny (and potentially cripplingly foolish) thing.
I strangled that grey-hat hacker Myrcurial and completely outed myself in what has been amongst the info security (and control systems security) best held non-secrets.
So howdy everyone, just call me James.
And don’t worry, I’m not changing - I’ll be the same acerbic person you’ve all come to know and (love|hate) - I do have a reputation to uphold after all.
Posted: 10 Sep 2008 08:05 AM CDT
What is it about top ten lists that attracts bloggers like moths to a flame? Are we all frustrated David Letterman wannabes? In any event, I came across this top ten list of security threats to the SMB market. I think that many if not most of these apply to organizations of all sizes actually. I am copying it in here, as I think there is some good stuff here:
- Insiders - In many SMBs, business records and customer information is often entrusted to a single person. Without adequate checks and balances, including network system logs and automated reports, data loss from within can stretch over long periods of time.
- Lack of contingency plans - One of the biggest threats to SMBs relates to the business impact of post-hack, intrusion or virus. Many SMBs lack a data loss response policy or disaster recovery plan, leaving their business slow to recover and restart operations.
- Unchanged factory defaults - Hackers publish and maintain exhaustive lists of default logins (username and password) to nearly every networked device, and can easily take control of network resources if the default factory configuration settings are not changed.
- The unsecured home - In many small businesses, employees often take laptops home to work. In an unsecured home network environment, a business laptop can be dangerously exposed to viruses, attacks and malware applications.
- Reckless use of public networks - A common ruse by attackers is to put up an unsecured wireless access point labeled, 'Free Public WiFi' and simply wait for a connection-starved road warrior to connect. With a packet sniffer enabled, an attacker stealthily sees everything the employee types, and is then able to utilize that data for personal gain.
- Loss of portable devices - Much SMB data is compromised every year due to lost laptops, misplaced mobile devices and left behind USB sticks. Although encryption of mobile device data and use of strong passwords would mitigate many of these losses, many SMB users simply fail to secure their mobile devices and data.
- Compromised WebServers - Many SMBs host their own websites without adequate protection, leaving their business networks exposed to SQL injections and botnet attacks.
- Reckless web surfing - Now more than ever, malware, spyware, keyloggers and spambots reside in innocuous looking websites. Employees who venture into ostensibly safe sites may be unknowingly exposing their business networks to extreme threats.
- Malicious HTML e-mail - No longer are attackers sending e-mails with malicious attachments. Today, the threat is hidden in HTML e-mail messages that include links to malicious, booby-trapped sites. A wrong click can easily lead to a drive-by download.
- Unpatched vulnerabilities open to known exploits - More than 90 percent of automated attacks try to leverage known vulnerabilities. Although patches are issued regularly, a short-staffed SMB may likely fail to install the latest application updates and patches to their systems, leaving them vulnerable to an otherwise easily stopped attack.
Posted: 10 Sep 2008 07:43 AM CDT
I’ll be knee deep in docu-hell today. My day job project is heading to its conclusion nicely.
And now, the news…
Posted: 10 Sep 2008 07:29 AM CDT
In a bid to assuage privacy advocates, Google has announced that they plan to dump IP addresses of users earlier than previously announced.
From BBC News:
Which is a good thing. I wouldn’t feel too comfortable knowing that the authorities might be aware I was searching for things like this:
the horror…the horror…
Posted: 10 Sep 2008 07:14 AM CDT
OK, where’s Waldo takes on a different spin. The patches are out and admins and vuln researchers alike are burning through the coffees and Red Bulls. I found that the pre-release announcement for Patch Tuesday seemed a touch vague. Now we know why.
From Network World:
I am counting my lucky stars that I don’t have to administer any Windows systems. Good luck to those of you who do.