Tuesday, September 16, 2008

Spliced feed for Security Bloggers Network

Spliced feed for Security Bloggers Network

Bear Stearns, Lehman . . . Ebay? [StillSecure, After All These Years]

Posted: 15 Sep 2008 11:50 PM CDT

Reading Richi Jennings blog today it looks like Wall Street giants aren't the only ones in trouble.  Richi links to two articles, one in Barrons that details increasing problems and pressures at the Internet giant. Of course Ebay, along with Amazon, Yahoo and Google were four of the pillars that the whole Internet commercial sector was built on.  According to the article, their acquisitions of PayPal and Skype have seriously hurt the core business.

The rumors are that up to 1500 people could be laid off, including some execs.  Hard to believe how far the mighty have fallen.  If this can happen to ebay, what about the rest of the tech darlings?  With the Dow losing almost 500 points today, no one will be immune from the bloodbath, not even Internet sacred cows.

Let's talk Software Serviceability [Jeremiah Grossman]

Posted: 15 Sep 2008 08:59 PM CDT

Financial Times graciously invited me to write an opinion piece for their publication entitled "Learn from today's software flaws to protect corporations tomorrow", where I discuss a bit about Software Serviceability. In the wake of Dan K's vulnerability announcement (and others like it), I couldn't shake the notion that no matter how hard to try to write perfectly secure code, given a long enough time line we'll always fall short. We will miss a bug, there will be a new attack technique, hackers will exploit our systems. To me this says our important systems must have speedy and adaptive security measures to identify threats as they happen and the ability to quickly service our deployed software (preferably within days or hours). Some systems have this capability, but it's too few and far between.

"So in the case of the issues found by Dan, Tony, and Alex it is hard to put a top-end market value on them, but consider that other less severe issues have sold for five and six figure sums. Would seven figures be out of the question? Will the next security researcher be influenced by the potential financial reward instead of giving it away for free? We know for sure that there will be a next time, because software is imperfect. Vulnerabilities will be found and long standing encrypting algorithms will be broken or at least weakened. And it's difficult, if not impossible, to future-proof our code against attack techniques that don't yet exist."

Poof* and I’m Back Again [Security Uncorked]

Posted: 15 Sep 2008 08:49 PM CDT

I know… I know… You can yell at me via comments or email… I’ve been a bad blogger…
again.  :(

A flurry of conferences intertwined with customer emergencies have taken me ‘out of pocket’ for the past month or so.

You know it’s serious when I have to cancel my trip to INTEROP… I’m traumatized by that, btw.

What have I been doing? 

The Conferences… Well, after the ILTA Conference in Texas (the hotel was gorgeous, by the way), I returned on a Tuesday evening only to be diverted directly to a customer site for the remainder of the week. After that, a few con calls and customer meetings, followed by SCITDA in South Carolina where I delivered a ‘Network Security Trends’ talk and participated on a Security Panel (with McAfee, Juniper, Cisco and others) later in the conference.

The Other House… As soon as I returned from SCITDA, the next few days were spent over-seeing the replacement windows going into the rental property. A few windows here, some sheetrock there, more painting than I really cared to do… and we were in business.

It’s been an on-going project… Over the past year, the house has been completely repainted (inside and out), all the hardware (doorknobs, fixtures) as well as lighting and outlets/switches replaced.  The master bath was redone with new tile and a new vanity with custom bowl sink and faucet. In addition, the third-acre lot was mostly cleared- from ‘couldn’t-see-the-back-fence’ to ‘wow-there’s sun-light’.  The dark (ugly) wood floor-to-ceiling fireplace surround was removed and sheetrock put up. After a guy ran over (and crushed) the draining system, that had to be replaced also (I have a friend to thank for redoing that, I wouldn’t have known where to start). Oh and, last month the roof was redone too, making the windows the last major project for a while (I hope). The roof and windows were the only parts contracted out… if that gives you any idea as to the volume of work I’ve done on the house. Maybe I’ll share some before and after photos…

And now, I still have more customer projects to complete, more product evaluations and reviews to write and of course… more conferences coming up. Plus, I have a sink to fix and a water heater to drain… (uggg).

Next on the list is SecTor… more on that soon.

So, while I probably could have found 5-10 minutes to write something, the days have been long and tiring. The chances of an even mildly-coherent post were slim to none (at best).

# # #

(Cancelled) / Clickjacking - OWASP AppSec Talk [Jeremiah Grossman]

Posted: 15 Sep 2008 07:55 PM CDT

"Clickjacking," the presentation Robert "RSnake" Hansen and I had planned for OWASP AppSec NY 2008, has been postponed due to vendor request.

The premise of Clickjacking is that we know a lot about what JavaScript malware is capable of once a user comes in contact with an attacker-controlled webpage (or a page with their code on it) such as history stealing, intranet hacking, phishing with superbait, Web worms, browser exploit, and so on, but comparably little about what can be done with a captured "click". Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. What could they possibly do then?

With Clickjacking attackers can do quite a lot. Some things that could be pretty spooky. Things also performed, with a fair amount of ingenuity, quite easily. Over the past couple of weeks/months RSnake and I have been completing our PoC examples to demonstrate the potential attacks and sharing the results privately with a few industry colleagues to obtain a third-party opinion. At the time, we believed our discoveries were more in line with generic Web browsers behavior, not traditional "exploits," and that guarding against Clickjacking was largely the browser vendors' responsibility. Clickjacking is a well-known issue, but severely underappreciated and largely undefended, and we hope to begin changing that perception.

One Clickjacking PoC utilized an Adobe product with an attack technique they considered to be a critical issue, we just hadn't realized it, so we narrowly avoided 0-day'ing them! Considering the short notice, Adobe requested additional time in case the browser vendors do nothing to prevent Clickjacking. High severity issue #2 in Internet Explorer 8 would have potentially given the aforementioned issue persistent qualities. There was/is a third issue with websites in general, which would have required all website owners to make an update, but that would obviously be impossible to do so. Again, better fixed by the browser vendors. With much of our technical details taken off the table waiting for patches and/or new safeguards we weren't left with much to convey the true power of Clickjacking other than what's already known.

Postponing our OWASP talk wasn't an easy decision to make as we put a lot of time and effort into the presentation. We apologize to the attendees and had every intention of releasing mind-blowing stuff. At this time just about everyone out there using the latest versions of Internet Explorer (including version 8) and Firefox 3 is affected. Please be assured that as soon as we're able to expose the information we will do so. In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn't give people much technical detail to go on, but it's the best we can do right now.

Adobe PSIRT (psirt@adobe.com)

More to come.

VMWorld 2008: "Introducing Cisco's Virtual Switch for VMware ESX"... [Rational Survivability]

Posted: 15 Sep 2008 07:00 PM CDT


Update below.

It's the night before VMworld 2008 and the Technology Exchange/Partner day begins and I'm pawing through the stuff in my bag, separating the "keep it" from the "toss it" schwag.

There's an innocuous little flyer stuffed in the bag on Cisco letterhead titled "Introducing Cisco's Virtual Switch for VMware ESX."  Fantastic.  Let's call it the 'cSwitch' ;)

A year and a month ago in August of 2007, I blogged about this very thing in a post titled: "VMware to Open Development of ESX Virtual Switches to Third Parties...Any Guess Who's First?" based on a hint from virtualization.info.

Given that VMworld 2007 came and went without this announcement, I'm very excited that we're actually going to get a look at what Cisco will offer; I think this is huge news and ultimately offers some profound game-changing (for good and bad) implications on the network and security fronts.

I have dozens of questions like: I wonder how much of the Nexus (7000 series)/IOS-XE code cross-pollinates over (if any) to this solution and if we'll see capabilities such as STP/PVST+/Private VLANs, HSRP, Multicast, etc. make their way into Cisco's vSwitch and how this virtual switch with integrate/interoperate with the vkernel.

Further, as Ed Haletky and I unofficially bet over drinks this evening, I wonder if it will be a direct replacement for VMware's at-boot loadable module or it will co-exist?  I bet the former. ;)

In addition to the "cSwitch," there are a couple of sessions I am very, very interested in attending given my exposure to VFrame and some Cisco engineers/architects at last year's show:

Simplify VMotion with Virtual Machine–Aware Network and Storage Services
See how network and storage services can be linked to a virtual machine so they move with VMotion events.

ESX Server in a Unified Fabric Environment
See how ESX Server works in a unified fabric environment with ESX 3.5 U2, Emulex Converged Network Adaptors, and the Cisco Nexus 5000.

VFrame: Enriching ESX Deployment with End-to-End Orchestration
Cisco's VFrame DC 1.2 provides an easy-to-use template-based provisioning approach for rapid, repeatable, and compliant provisioning of ESX Servers. Through a rich set of networking and storage orchestration capabilities, it reduces the time required to bring up ESX clusters while providing operational scalability to manage large clusters effectively.

See the second topic above?  Remember when I mentioned in prior posts about virtualizing applications directly within the Nexus?

Should be a very interesting couple of days.


Update: So there was no direct news/mention specifically of Cisco today in any of the distributed virtual networking (DVN) sessions -- there's a lot of messaging collisions because the re-branded 'v-everything' strategy has things being renamed.  Hopefully we'll see/hear more from Cisco tomorrow.

Many of the underlying functions that will enable 3rd party virtual switches as well as any network interface to the vkernel via API were discussed today under the capabilities described by vNetwork (this includes the vNetwork Appliance API's and what you've known as VMsafe.)  You can see more about vNetwork here in this post.

All I can say is that I got a lot of my suspicions confirmed, questions answered and conclusions affirmed in today's sessions.  Some good, some bad.  It's going to be a bumpy ride, kids.

The Four Horsemen live! ;)

Actually, FOI and Risk Management Can Coexist. [Security Provoked]

Posted: 15 Sep 2008 06:58 PM CDT

After reading Andy Willingham’s response to my original post about failure-on-investment, watching Willingham’s conversation with Robert last week, and reading Jack Daniel’s Uncommon Sense Security blog, I’m growing fonder of the failure-of-investment concept we’ve found so scintillating lately.

Willingham’s reply to my post:

    “One of [Sara's] concerns was the FOI focused too much on straight security and not enough on risk management. I would say to her that FOI is all about risk management. After all security is managing risk. If we don’t support the business, by understanding it and it’s goals, then we have failed. If we don’t look at what we are doing in light of the business objectives then we are not securing the business but we are securing the technology which misses the mark. Security for the sake of security is no security at all.”

So risk management and FOI happily coexist as long as your definition of “failure” is “did not effectively manage risk.”

I like it. Easier said than done, but I like it. I still can’t envision how FOI will actually be applied–but our other measurements, like ROI, aren’t really getting the job done either.

Another thing that piqued my interest came from Jack Daniel’s post today. Daniel posted an excerpt from an FOI-related conversation between he and his colleagues, and I found this sentence of particular interest:

    “In this environment it usually takes a failure to get focus on an problem, and if budget is allocated to solve the problem, it had better stay solved. ”

In an earlier post, Daniel referred to this as the “did you keep *that* from happening again?” quotient. So, rather than ROI or FOI (or more likely, in addition to ROI and FOI) are we talking about ROF–return on failure?

I sound cheeky (I usually do), but I’m actually rather serious. ROF might not be the sort of metric we share with the CEO, but it might be a useful metric to use amongst the security team, to measure how well we’re communicating with upper management. The best-case scenario however is if you can achieve a high Return-on-Someone-Else’s-Failure: Someone Else suffers a damning, highly publicized data breach. You take the story to your CEO and tell them that your organization is not adequately secured against the attack that hurt Someone Else. CEO finally gives you the resources you’ve been asking for all along.

The conversation Daniel, Willingham and Michael Santarcangelo have begun is far more important than they may have realized when they began it.

All-in-all though I don’t love any of these metrics because none of them do a great job.
I guess Calvin of Calvin and Hobbes said it best: “That’s the whole problem with science [and metrics]. You’ve got a bunch of empiricists trying to describe things of unimaginable wonder.”

VMWorld 2008: Forecast For VMware? Cloudy...Weep For Security? [Rational Survivability]

Posted: 15 Sep 2008 06:37 PM CDT

This post was written prior to the opening of the Partner Day/Technology Exchange, based solely upon information that is publicly available.  No NDA's were harmed during the making of this blog...

So now that I can talk about it outside of the embargo, VMware is announcing extensions to its product roadmap and product marketing to deliver what it calls its "virtual datacenter OS:"

VMware's comprehensive roadmap of groundbreaking new products expand its flagship VMware Infrastructure suite into a virtual datacenter OS. The virtual datacenter OS addresses customers' needs for flexibility, speed, resiliency and efficiency by transforming the datacenter into an "internal cloud" – an elastic, shared, self- managing and self-healing utility that can federate with external clouds of computing capacity freeing IT from the constraints of static hardware-mapped applications. The virtual datacenter OS guarantees appropriate levels of availability, security and scalability to all applications independent of hardware and location. 

The components that make up the VMware's virtual datacenter OS are:

  • Application vServices guarantee the appropriate levels of availability, security and scalability to all applications independent of hardware and location.
  • Infrastructure vServices subtract, aggregate and allocate on-premise servers, storage and network for maximum infrastructure efficiency.
  • Cloud vServices federate the on-premise infrastructure with third party cloud infrastructure.
  • Management vServices allow you to proactively manage the virtual datacenter OS and the applications running on it.

Each of these components have service/product definitions below them.  

While it's exciting to see VMware's strategy around its version of the datacenter OS, it's going to be a bumpy ride as we continue to see how Microsoft, Cisco and VMware all interact and how these roadmaps align -- or don't. 

Remember, despite how they play nice, each has their own bottom line to watch and it's every man for himself.Vcloud

It's quite clear we're going to have some very interesting security challenges bubbling up to the surface; we barely have our arms around what we might call virtualization v1.0 -- we've a lack of maturity in solutions, operations, visibility and security and we're pulling the trigger on what's sure to be a very contentious security model...or lack thereof. 

In the vApplication services, there is a direct call-out titled "Security" in which VMware's ESX 3i's size is touted as it's current security feature (rolleyes) and in 2009 we see the following:

  • VMware VMsafe provides x-ray visibility into virtual machine resources from the vantage point of the hypervisor, making it possible to monitor every aspect of the execution of the system and stop previously undetectable viruses, rootkits and malware before they can infect a system

  • Checkpoint, IBM, McAfee, Radware, TrendMicro and are announcing their plans to deliver VMSafe –integrated products in 2009 that provide superior protection to virtual machines than possible with physical machines or other virtualization solutions

There's nothing new here, except the dependence upon VMsafe, ISV's and virtual appliances...I think you know how I feel about that.

In line with my posts regarding the Cisco vSwitch for ESX (what I'm calling the cSwitch,) the "Infrastructure vServices" component hints at the development of three major investment points: vCompute, vNetwork and vStorage.  

In vNetwork, you'll notice the 2009 arrival of the following three elements which are very interesting, indeed:

  • Distributed Switch simplifies the setup and change of virtual machine networking
  • Network VMotion enables network statistics and history to travel with a virtual machine as it moves from host to host for better monitoring and security
  • Third party virtual switches plug into virtual networks and deliver value added network monitoring, security and QoS

I'll be interested to see what distributed networking actually means -- there's a session today on that, but coupled with the cSwitch, I wonder if it means more than just plugging into virtualcenter/VFrame for management.

Let's not forget how some of the elements in vCompute will effect networking and security such as VMDirect which provides "intelligent" VMM bypass and allow direct access from the VM's...all in the name of performance.  I wrote about that here a couple of days ago.

It looks as though we might see some policy extensions to afford affinity such that policies travel with the VM!?

The notion of vCloud is being desrbied as the notion of portability, mobility and supportability of applications that can be developed and deployed inside an enterprises' "internal cloud" and then handed off to an "external cloud" providers service offerings.  It's really the "infrastructureless infrastructure" play. 

One thing that immediately comes to mind when I hear words "federation" -- as I assume it might to any security professionals ears -- is the issues surrounding exposure of AAA (authentication, authorization and accounting) between internal and external credential stores and how this intersects with SOA environments.

As more details come to light, I'll be adding my thoughts about where (if at all) security really plays into this evolving strategy.

Gotta shower and get to the con.


OSX Update 10.5.5 and Security Update 208-006 [Random Thoughts from Joel's World]

Posted: 15 Sep 2008 04:50 PM CDT

Just hitting the streets, as we speak, Apple released OSX update 10.5.5. Built into 10.5.5 is Security Update 2008-006, marking the 6th major security update of the year. So aside from the ton of updates in 10.5.5 for OSX Leopard, check out the below updates included with it.

Keep in mind that Security Update is not just for 10.5 (OSX Leopard), being that it is also available for 10.4, Desktop and Server releases.

This update releases updates to the following items:

ATS -- Apple Type Services -- CVE-2008-2305


10.5 -- Updated to 9.4.2-P2

10.4.11 -- Updated to 9.3.5-P2

ClamAV -- Antivirus included with OSX Server

Updated to version 0.93.3.

CVE-2008-1100, CVE-2008-1387, CVE-2008-0314, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, CVE-2008-3215

Directory Services x2 -- (Something I found interesting -- Vulnerability reported by the "IT Department of the West Seneca Central School District". Not your usual reporter. Very nice) -- CVE-2008-2329

Finder x2 -- CVE-2008-2331, CVE-2008-3613

ImageIO x4 -- CVE-2008-2327, CVE-2008-2332, CVE-2008-3608, CVE-2008-1382

Kernel -- CVE-2008-3609

libresolv -- CVE-2008-1447

Login Windows x2 -- CVE-2008-3610, CVE-2008-3611

mDNSResolver -- CVE-2008-1447

OpenSSH -- CVE-2008-1483, CVE-2008-1657

QuickDraw Manager -- CVE-2008-3614

Ruby -- CVE-2008-2376

SearchKit -- CVE-2008-3616

System Configuration -- CVE-2008-2312 (For 10.4.11)

System Preferences x2 -- CVE-2008-3617, CVE-2008-3618

Time Machine -- CVE-2008-3619

VideoConference -- CVE-2008-3621

Wiki Server -- CVE-2008-3622

So, all in all, quite a few updates here in this one.

Subscribe in a reader

Good resource for tracking uplift from Extended Validation SSL [Tim Callan's SSL Blog]

Posted: 15 Sep 2008 03:08 PM CDT

As you may know, lots of online businesses have measured the results of putting Extended Validation SSL on their sites and have universally found that it increases the propensity for site visitors to complete sensitive transactions. With so many measurements of EV's effect (I am aware of seventeen such tests, personally), we have decided to gather as many of them together in one place so that it's easy to take in the science all at once. The SSL case studies are here.

Video Interview for Applied Security Visualization [Security Data Visualization]

Posted: 15 Sep 2008 01:58 PM CDT

I recorded a short, 10 minute video where I am interviewed by Johnvey Hwang about the Applied Security Visualization book. We are talking about why I wrote the book, what the book is about, and also quickly talk about DAVIX. Tune in.


Virtually excited about virtual IPS [StillSecure, After All These Years]

Posted: 15 Sep 2008 01:57 PM CDT

I have to admit I was a bit excited when I saw the Google Alert for a new article by Ellen Messmer, "Sourcefire Embraces VMware". I assumed we were going to see Snort running in a virtual machines, but even more, an IPS sitting at the nexus of multiple virtual applications.  Perhaps Sourcefire would even announce their own virtual switch/firewall?  Frankly, I have been looking for some new news on IPS period.  You think it's easy writing about NAC all the time?

Anyway, reading Ellen's article it seems that Sourcefire's RNA can "scan" VMware appliances and applications.  This is a bit misleading, as RNA is more of a sniffer.  So I take it that RNA sensors are looking at traffic and from that deducing what type of virtualized applications are running and what if any vulnerabilities they might have.  This is different than classic "active" vulnerability scanning, where an actual scan of the device is made. 

Also, it looks like Sourcefire will soon ship a RNA sensor that actually runs in a VMware server, but not the Citrix or Microsoft virtual machines.  OK, sounds good.  We continue to see vendors, security and others making their products run in a VMware environment and lesson the need for separate appliances. As a matter of fact both Symantec and McAfee released virtual security products today.

StillSecure's Strata Guard IDS/IPS has run in VMware for a while now. BTW, there was some nice coverage of our free version of Strata Guard on Linux.com that you can read here.

Applied Security Visualization [Emergent Chaos]

Posted: 15 Sep 2008 10:31 AM CDT

applied-security-visualization.jpg Our publisher sent me a copy of Raffael Marty's Applied Security Visualization. This book is absolutely worth getting if you're designing information visualizations. The first and third chapters are a great short intro into how to construct information visualization, and by themselves are probably worth the price of the book. They're useful far beyond security. The chapter I didn't like was the one on insiders, which I'll discuss in detail further in the review.

In the intro, the author accurately scopes the book to operational security visualization. The book is deeply applied: there's a tremendous number of graphs and the data which underlies them. Marty also lays out the challenge that most people know about either visualization or security, and sets out to introduce each to the other. In the New School of Information Security, Andrew and I talk about these sorts of dichotomies and the need to overcome them, and so I really liked how Marty called it out explicitly. One of the challenges of the book is that the first few chapters flip between their audiences. As long as readers understand that they're building foundations, it's not bad. For example, security folks can skim chapter 2, visualization people chapter 3.

Chapter 1, Visualization covers the whats and whys of visualization, and then delves into some of the theory underlying how to visualize. The only thing I'd change in chapter 1 is a more explicit mention of Tufte's small multiples idea. Chapter 2, Data Sources, lays out many of the types of data you might visualize. There's quite a bit of "run this command" and "this is what the output looks like," which will be more useful to visualization people than to security people. Chapter 3, Visually Representing Data covers the many types of graphs, their properties and when they're approprite. He goes from pie and bar charts to link graphs, maps and tree maps, and closes with a good section on choosing the right graph. I was a little surprised to see figure 3-12 be a little heavy on the data ink (a concept that Marty discusses in chapter 1) and I'm confused by the box for DNS traffic in figure 3-13. It seems that the median and average are both below the minimum size of the packets. These are really nits, it's a very good chapter. I wish more of the people who designed the interfaces I use regularly had read it. Chapter 4, From Data to Graphs covers exactly that: how to take data and get a graph from it. The chapter lays out six steps:

  1. Define the problem
  2. Assess Available Data (I'll come back to this)
  3. Process Information
  4. Visual Transformation
  5. View Transformation
  6. Interpret and Decide
There's also a list of tools for processing data, and some comparisons. Chapter 5, Visual Security Analysis covers reporting, historical analysis and real time analysis. He explains the difference, when you use each, and what tools to use for each. Chapter 6, Perimeter Threat covers visualization of traffic flows, firewalls, intrusion detection signature tuning, wireless, email and vulnerability data. Chapter 7, Compliance covers auditing, business process management, and risk management. Marty makes the assumption that you have a mature risk management process which produces numbers he can graph. I don't suppose that this book should go into a long digression on risk management, but I question the somewhat breezy assumption that you'll have numbers for risks.

I had two major problems with chapter 8, Insider Threat. The first is claims like "fewer than half (according to various studies) of various studies involve sophisticated technical means" (pg 387) and "Studies have found that a majority of subjects who stole information..." (pg 390) None of these studies are referenced or footnoted, and this in a book that footnotes a URL for sendmail. I believe those claims are wrong. Similarly, there's a bizarre assertion that insider threats are new (pg 373). I've been able to track down references to claims that 70% of security incidents come from insiders back to the early 1970s. My second problem is that having mis-characterized the problem, Marty presents a set of approaches which will send IT security scurrying around chasing chimeras such as "printing files with resume in the name." (This because a study claims that many insiders who commit information theft are looking for a new job. At least that study is cited.) I think the book would have been much stronger without this chapter, and suggest that you skip it or use it with a strongly questioning bias.

Chapter 9, Data Visualization Tools is a guided tour of file formats, free tools, open source libraries, and online and commercial tools. It's a great overview of the strengths and weaknesses of tools out there, and will save anyone a lot of time in finding a tool to meet various needs. The Live CD, Data Analysis and Visualization Linux can be booted on most any computer, and used to experiment with the tools described in chapter 9. I haven't played with it yet, and so can't review it.

I would have liked at least a nod to the value of comparative and baseline data from other organizations. I can see that that's a little philosophical for this book, but the reality is that security won't become a mature discipline until we share data. Some of the compliance and risk visualizations could be made much stronger by drawing on data from organizations like the Open Security Foundation's Data Loss DB or the Verizion Breaches Report.

Even in light of the criticism I've laid out, I learned a lot reading this book. I even wish that Marty had taken the time to look at non-operational concerns, like software development. I can see myself pulling this off the shelf again and again for chapters 3 and 4. This is a worthwhile book for anyone involved in Applied Security Visualization, and perhaps even anyone involved in other forms of technical visualization.

Upcoming Appearances [The Security Shoggoth]

Posted: 15 Sep 2008 09:35 AM CDT

As some know, I will be speaking at the OWASP NYC AppSec conference next week on "Automated Web-based Malware Behavioral Analysis". Unfortunately, I'll be presenting over lunch so I'm limiting it to about 20 minutes of talking so people can eat and not listen to me. If anyone wants to get together wile at the conference, let me know.

As always, the NE Ohio Information Security Forum is this Wednesday and I will be in attendance. I encourage anyone to come out and join us. We'll be having lots of great speakers as well as free food and drink. Afterwards, we'll be going to Mavis Winkles to record the next episode of the Security Justice podcast. I'll also be making a special announcement at the forum and the podcast concerning something Greg and I are doing at this year's Ohio Information Security Summit.

Finally, I'd like to thank mubix for having me as a guest poster concerning packers on his blog. Very cool.

Bracing for the long, cold winter [Security Incite Rants]

Posted: 15 Sep 2008 07:33 AM CDT

I think we all knew the financial industry (mostly here in the US) was in the deep doo-doo. But I don't think the depth of the issues were known to most.

Just over the past weekend, Lehman Brothers has filed for bankruptcy and Merrill Lynch pulled a rabbit out of a hat and got Bank of America to pay a 70% premium to acquire them. It seems BofA wasn't happy with catching a falling knife again (after Countrywide) and turned on the gravity inverter to make it seem like Merrill was worth more, not less than Wall Street figured on Friday.

So over the past few months, Bear Stearns and Lehman are gone. Merrill is subsumed (though their brand will live on within BofA) and you've got a death watch on other major financials like WaMu, Wachovia, and AIG. Will this "crash" rival the issues of the 1930s? I don't know, but we probably need to start planning because our rainy days are upon us.

How will this affect the security industry? Your guess is as good as mine. Alan speculates a bit and I do think that many of the financials will be spending less money ON EVERYTHING, including security. But the US Feds and other verticals (like retail) are picking up the slack. So I think that's probably a break even proposition.

Darwin will re-establish his dominance and I believe we'll see a few more security companies becoming extinct. The strongest (and biggest) will gain market share and the marginal companies will go away. Especially given the reality that VCs have no reasonable exit paths right now, so they aren't going to rescue any of the walking dead in the space. And it's not like you can go down to your bank and get a line of credit nowadays.

From a practitioner's perspective, get ready for the long, cold winter - even if you live in a warm region. The global economy is going to get worse before it gets better. It's fiscally responsible to tighten your belt and focus on the projects that save you money and time, as opposed to those "nice to have" technologies that address emerging attack vectors.

And work on your containment plans. Remember, Bear and Lehman never saw it coming, and you probably won't either. So make sure you are in a good position to REACT FASTER and contain the damage. While the grizzlies are hibernating, we security folks need to make sure there is a world to wake up to when the spring thaw happens a few months from now.

Photo: "Car crash - Stourbridge" originally uploaded by Ian Hampton

Life and Times... Or, Why My Blogging Has Slowed... [The Falcon's View]

Posted: 13 Sep 2008 11:32 PM CDT

Just a brief note... I was on travel a good chunk of last week, combined with having a newborn in the house and several deliverables due last week, leaving me no time to blog. I have a couple topics lined...

DEFCON 16 Audio and (Some) Video [Infosec Events]

Posted: 13 Sep 2008 10:48 PM CDT

It looks like the security conference archive at good.net has all the DEFCON 16 audio online. But what’s better than audio? Video of course, and the folks at DEFCON released four presentations that have been in the news recently.

This posting includes an audio/video/photo media file: Download Now

Is Yammer Bad for Business? [Security Provoked]

Posted: 13 Sep 2008 09:02 PM CDT

If you’re a in a hurry to get something proactive done internally about Yammer, skip to the bottom for thoughts on monitoring it…

I’m fairly sure it doesn’t really say much about a startup’s long-term viability to win as the top pitch at Demo or TechCrunch50. On the other hand, winning does mean there’s something immediately gripping to the audience at these events. In the case of Yammer, which won TechCrunch 50 last week, the concept is Twitter, but for the enterprise.

Many people who like using Twitter got kind of excited about it. There was, indeed, much tweeting. I suspect the rest of the world sort of shrugged their shoulders and said “Huh?” I’ve written here before about why I think Twitter is compelling and useful, but that it’s not immediately obvious what it’s good for when you see it the first time around.
Anyway, Jennifer Leggio, who blogs over at ZD Net and who I think could be described as a bit of a compulsive twitterer, pretty well smacked down Yammer in a recent blog post:

What it appears to do:

* Takes control away from the enterprise and put it into the hands of employees
* Creates the need for additional content monitoring and processes
* Creates more work for employees running HR or communications
* Requires that companies invest in order to manage their own employee communications
* Makes itself one public target for hackers who want to get at companies' proprietary information or employee lists

Her primary beef has to do with the business model. The way Yammer works (for now) is that anyone can use it if they register with an email at a company domain. Anyone with an address in that domain can join. They can yammer at will. If the enterprise at the eye of this storm of yammering would like to exercise some administrative control, though, they have to pay a buck a head per month.

Leggio sees this as strong-arm tactics. If you want to really get good control over who sees what in a Yammer domain, then you’ve got to pay what could amount to a big stack of dollar bills every month. They’re definitely charging too much in the current model–I’m in complete agreement with that.

But I don’t think enterprises are necessarily worse off than they are with other unmoderated venues. They can turn off Yammer traffic within the corporate network and forbid the transaction of business on Yammer if they don’t want to pay for it. The model of offering something that a company starts to use and like so much that they’re willing to go an extra step with your company and pay for more control doesn’t seem inherently like unfair play to me.

And, frankly, I think some companies may be rather eager to adopt Yammer. An internal microblogging environment seems potentially hugely useful to me. Especially if it’s bolstered with better thread management tools than Twitter has. Or, heck, *any* thread management tools.

On the other hand, though… if an enterprise hasn’t noticed that part of the organization has started to use Yammer and the group that’s using it starts really doing business there–well, then part of your business is being conducted, arguably, right out in the open for anyone who can get access to one of your mail accounts to see. This could be the making of a big security gaffe–Leggio is spot-on about the security implications of unmonitored Yammification.

There’s a pretty easy proactive step, though: register an account from your domain. Thereafter, you’ll get an email message whenever anyone joins from your domain. Just as someone discovers and joins is the perfect opportunity to share whatever policy you’ve developed around microblogging.

Travel: Off to VMworld 2008 in Vegas [Rational Survivability]

Posted: 13 Sep 2008 06:54 PM CDT


This coming week I'm off to VMworld in Las Vegas for a week of virtual immersion.

I'm looking forward to meeting with fellow practitioners, analysts, folks from VMware, Microsoft, Citrix and vendors as well as attending many of the sessions and labs.

There are several meet-ups including community get-togethers, so if you're in town, ping me and let's get together and exchange ideas.

There's a bunch of anticipated high-profile announcements and I hope some of them pan out.  I'll be live-blogging/tweeting (beaker) as much as possible from the show.

See you there.


Ultimate Security Conference Media Archive [Infosec Events]

Posted: 12 Sep 2008 09:56 PM CDT

The ultimate security conference media archive has a new home at good.net. Once hosted at EasyNews.com, the massive security conference media archive was consuming too much disk space, outgrowing the very generous host. The archive contains several years of audio and video from security conferences like BlackHat, DEFCON, DeepSec, Hack In The Box, HOPE, ShmooCon, and ToorCon. Definitely check it out, and thanks to the new host and Darkoz for maintaining it.

Hackers infiltrate Large Hadron Collider systems and mock IT security [Vincent Arnold]

Posted: 12 Sep 2008 06:31 PM CDT

Commentary: Just another day in the jungle…

Hackers have mounted an attack on the Large Hadron Collider, raising concerns about the security of the biggest experiment in the world. By Roger Highfield.

As the first particles were circulating in the machine near Geneva where the world wide web was born, a Greek group hacked into the facility, posting a warning about weaknesses in its infrastructure.

Calling themselves the Greek Security Team, the interlopers mocked the IT used on the project, describing the technicians responsible for security as “a bunch of schoolkids.”

However, despite an ominous warning “don’t mess with us,” the hackers said they had no intention of disrupting the work of the atom smasher.

“We’re pulling your pants down because we don’t want to see you running around naked looking to hide yourselves when the panic comes,” they wrote in Greek in a rambling note posted on the LHC’s network.


iPhone 3G Patch, v2.1…Apple gets it. [Vincent Arnold]

Posted: 12 Sep 2008 06:23 PM CDT

Note: After downloading and installing the patch with no issues, it looks like the security vulnerability initiated from the home screen/emergency number dial has been fixed in this release. Now, that being said, Apple should have addressed this flaw quicker instead of waiting to address it in a “.1″ release. Adoption in corporate environments will require a much faster response to security vulnerabilities.

Patch Update

Apple today released their latest patch, version 2.1, for the iPhone 3G. I am still trying to determine from the release notes if they have fixed the security flaw in the home screen lock that was mentioned a few weeks back. Regardless, I am going to download it now and apply.

As I have stated before, I am a Windows Mobile/CE guy. I have been in that camp for at least 9 years, owning numerous Windows mobile devices dating back to the Casseopeia E105 that ran Windows CE. In all those years, the one thing I can say that was consistent about my Windows Mobile/CE experience was slow patch/os upgrade release and delivery. To compare, I have had my iPhone a month and they have patched the iPhone 3G OS at least 2 times and from what I have been told they patched the first gen iphone many times over the past year. It was nice to not have to wait for a handset manufacturer, like HTC or Samsung to finally decide to upgrade their handset OS build of Windows Mobile that might have been release 5 months prior. HTC, who manufactures the popular HTC Tytn II and AT&T Tilt is notorius for slow patch/os upgrade releases. That’s why I moved from my HTC Tytn II to the iPhone 3G. It seems Microsoft needs to come up with a better process for mobile device patch delivery and OS upgrading similar to what they do on the desktop.I haven’t given up on Windows Mobile just yet. Windows Mobile 7 is just around the corner and I am looking forward to taking it for spin.

Mini iPhone Review

Featurewise, Windows Mobile wins. No contest. The handset manufacturers like HTC and Samsung, have many Windows Mobile supported options they can choose or not choose to enable in their phones. Windows Mobile/CE has been around for ages, mutlitasks (unlike the iPhone which I think was a ridiculous feature to leave out since most PDA phones running palm and symbian OS, multitask), has a huge software library including free, free and more free, as well as some pretty slick apps of the quality that you would see running on Windows XP or Vista. I also like being able to access the registry and underpinnings of the OS which Microsoft gives access to like in Windows XP and Vista. But when comparing the average non-technical user’s user experience between Windows Mobile and the iPhone, the iPhone wins hands down.

Ok, i digressed. Back to the original topic, os patching…Apple gets it and their customers are happy. ‘Nuff said.

Security Provoked Video Episode 4 [Security Provoked]

Posted: 12 Sep 2008 05:23 PM CDT

Our guest is Andy Willingham. I wanted him to fill us in a bit on the FOI concept he blogged about (his blog is here). Sara Peters had blogged about his FOI post here on this blog just a couple of days prior.

We also hear from associate editor Kristen Romonovich on what’s in the forthcoming Alert (the Alert is the monthly CSI member newsletter). Information on membership (so’s ya can getcher Alert) can be found here.

RealNetwork’s Legal Copies of Commercial DVDs [Security Provoked]

Posted: 12 Sep 2008 01:04 PM CDT

RealNetworks debuted its new DVD-to-PC copying software that assures users that their copies of commercial videos are legal. The application is called ReadDVD and is available for $50. The company claims RealDVD saves a secure copy of a DVD to the user's hard drive without removing or altering the CSS encryption on the DVD. The software then encrypts and locks the copied movie so it can't be shared or stolen. From their press release: "Content saved to portable drives can be played on up to five machines licensed to an individual user." Says who? It seems they pulled out the magic number five along with believing that copying DVDs is legal. RealNetworks claims that it is entirely legal to copy commercial DVDs, including browser cover art.

The Motion Picture Association of America (MPAA) doesn't seem to be buying it. They have deemed pirated DVDs to be 'the new drug on the street' and they continue to crack down on intellectual property crime.

I remain perplexed. Not that we want to necessarily live in this DRM world, but I am curious if the technology exists to track DVDs that have been copied? Instead of trying to prevent copies with RFID chips or encryption which can easily be averted, why not just track the perpetrators? For instance, if BestBuy had the technology to check returned DVDs to see if they had been copied or not, wouldn't that be an easier alternative to trying to prevent it and failing in the first place? Maybe it's so things like this don't start to happen: http://www.newscientist.com/blog/technology/2008/09/apples-latest-drm-will-restrict-your.html?DCMP=ILC-hmts&nsref=specrt14_head_Wardrobe%20restrictor.

Just a segued thought, but I'm curious as to what the rest of you think.

No comments: