Wednesday, September 17, 2008

Spliced feed for Security Bloggers Network

Security Roundtable for September 13 [The Security Catalyst]

Posted: 17 Sep 2008 06:30 AM CDT

Martin McKeay and I are evolving the Security Roundtable: we'll be recording every other week at 7 am Pacific/10a Eastern on Saturday mornings. And we'll be streaming the recording live (http://hak5radio.com:8000/srt.mp3.m3u), opening a chat session and encouraging more bloggers and podcasters to join us.

Our goal is simple: keep the program simple, under an hour and relevant while blending together the voices of the community. This is also an opportunity for members of the community to participate through segments. Rather than have a larger, static "panel" of people, we're exploring more voices, shorter segments and more interactive. We'd love to know what you think, what you want to hear and if you want to be involved.  

While we consider this recording to be an experiment – it is a show where I learned from the conversation. In fact, I look forward to listening to it again. Our guest for the show is Marc Massar, Principal Solutions Architect at Venafi. I had interviewed Venafi previously (and liked their approach) and was happy to welcome Marc to the program.

Our rules are/were simple: no sales pitch. Marc didn't need the rules – he's got a solid background and jumped right into a meaty discussion about the industry and how we can improve our solutions.

Security Roundtable for September 13th, 2008

The next SRT will be recorded on September 27th, 2008 at 7:00 a.m. PDT.  I'll be in Las Vegas – so for me, it will actually be nice and early (and I'll find some Mountain Dew before we start – MD should sponsor me!).

Information Security Services [GNUCITIZEN]

Posted: 17 Sep 2008 06:09 AM CDT

I just want to announce that we have recently launched some exciting new services as part of the GNUCITIZEN.COM initiative.

We still do tiger team operations, what we are best known for, but now we are also engaged with more streamlined, narrowed and very specific types of jobs. As always, our goal is to provide quality rather than quantity. Therefore, we are extremely close to our clients, we constantly change in order to stay agile, ahead of the game and always useful to our clients, and we do everything with style.

If you are interested in working with us, please do let us know. Our contact details are located here.

Information Security Gigs [GNUCITIZEN]

Posted: 17 Sep 2008 05:32 AM CDT

GNUCITIZEN.ORG has been a very successful site so far and as a result we are receiving tons of requests from advertisers to work with us. Well, we are doing what we do for the love of information security and therefore we have to reject offers which do not quite fit into our vision.

However, I do realize that we should work in equilibrium with the rest of the system. Therefore, I am proud to announce our new initiative which gives us more control over how we would like you to advertise on our ground and at the same time give you the opportunity to do so for a reasonable price based on our monthly traffic, page rank and brand awareness in general.

GNUCITIZEN Information Security Gigs (the sidebar on the right) can be used to post information about your products and services, announce job positions, promote yourself and your organization, build marketing campaigns on the top of our platform, etc. We provide the means to do what you have always wanted to do for some time now.

Our platform is at a very early stage of development at the moment and we do realize that there might be some bugs that need to be fixed. However, if you have any problems, please do not hesitate to contact us. We will try our best to provide excellent customer support while the system is still developed.

Thank you for your attention.

Audio From Black Hat USA 2008 [GNUCITIZEN]

Posted: 17 Sep 2008 04:50 AM CDT

We’ve got some audio from the past Black Hat conference I’ve already talked about over here and here.

pdp.blackhat.2008.usa

Keep in mind that without the slides it will probably sound very boring. Both parts of the presentation can be found here and here.

How America can get her "groove" back [StillSecure, After All These Years]

Posted: 17 Sep 2008 02:11 AM CDT

I blog a lot. Sometimes I write stuff I think important. Sometimes I write stuff that is not so important. What I am going to tell you now is most important. It has nothing to do with IT security and everything to do with the very future of the planet we all share. If you are going to read only one book this year, make it Thomas Friedman's Hot, Flat and Crowded. Friedman has written some amazing books, most recently "The World is Flat". He also writes amazing columns. But never have I read anything that has so grabbed me and resonated so strongly with me as this book. Within the first 25 pages I was so drawn and attuned to what he describes that I am ready to go out and volunteer to do my part and I want to convince you to go do your part too.

Friedman says that America has lost its focus, partly due to 9/11, partly to the "dumb as we want to be" mentality of our politicians. We have built ourselves into a "Fortress America", where "even birds don't fly". We have allowed ourselves to think that the blessed American way of life means we don't have to worry about things like energy consumption, educational challenges and national debt. We are America, we will deal with our problems when we want to and it won't catch up to us because we are America. At the same time the world is changing. It is getting hotter from global warming, flatter with the world-wide rise of a prosperous middle class and the demands for food, energy and resources are quickly outpacing our ability to meet them. Our uniquely American problem and the world-wide problem can both be solved by America getting her "groove" back. By taking its place in the world and by leading the way in the 21st century with "Code Green". A multi-generational, long term plan to solve the urgent issues facing us all. Not for altruistic reasons, but for the reasons that have always driven this country - profit and our desire to innovate and reinvent ourselves to be the very best and lead the world.

We need to leave our post 9/11 defensive crouch that has us playing afraid. We need America to "play the vital role it has long played for the rest of the world - as a beacon of hope and the country that can always be counted on to lead the world in response to whatever is the most important challenge of the day. We need that America - we need to be that America -more than ever today."  I personally have felt for a long time that we needed a new "put a man on the moon" mission to energize our country, to rally around and bring our tremendous innovation and ingenuity to bear. I have also felt that energy was that next great American mission. The reason that the last century and a half were American centuries is that we led the way in energy production. We need to lead the way with the next dominant energy sources. Everything I have felt around this, Friedman has put to words.  He defines the problems and lays out what we have to do to invent the solutions, while reinventing ourselves and the world we live in. 

Enough gushing on about the book. Go out and buy and read this book.  After you do, try to do your part in making Code Green a success. The life you and your children will lead may very well depend on it!

Going Green, One Mile At A Time [The Converging Network]

Posted: 17 Sep 2008 01:15 AM CDT

I've been shamed. It happened the other night when Terry Swack, CEO of Sustainable Minds (a green product design information services company), called me. It wasn't her fault, she just called me on my own dumb behavior. See, I'm an advisor to Terry's company and a long time friend to Terry and her husband who are some of the best people on the planet. Here's how being an advisor and being shamed are related.

Terry called the other night, needing to catch up on how things are with my family. After we both covered the important family stuff, Terry asked what kind of vehicle I'm currently driving. Being a green entrepreneur, Terry's naturally curious if I'm still driving that gas sucking Chevy Suburban truck around. I wanted to lie. I wanted to lie to her so bad and tell her we had a Toyota Prius, or a Smart Car or something. I didn't want to tell her I just turned over 140k miles on the "subhuman" (my nickname for the Suburban). But I had to tell her, so, sheepishly I said, "Still have the Suburban. Haven't decided which car to replace it with. It's hard finding something that will handle our two big dogs." There we go, blame it on my two helpless, and blameless, animals. The response I got back was one of those heart stopping, "Mitchell!" responses. I was waiting for a smack on the back of my head to come flying out of the telephone receiver. Ouch, I felt one step lower than an oil rig being drilled in ANWR.

That experience put a change in motion. No, I haven't pushed the Suburban off the cliff yet into the gas guzzlers bone yard hall of fame. Not yet anyway, but I ordered a new vehicle. One that gets 80 MPG. Put that in your carbon footprint calculator and smoke it!

I have a 150cc SUNL scooter headed my way from the west coast, fresh off the boat from China. Ironic that I'm buying a super gas efficient scooter from a country whose oil consumption is rising faster than a typhoid patient's fever.

I did a little local and Internet shopping and you can get a really good moped for about half the price on the Internet as compared to buying one from a motorcycle dealer. I paid $1260, all in, for this little baby. And Mary Ellen (my wife) is stoked about it and wants to ride it around too. It's good for a quick jaunt to the grocery store, a stop by the bank, or dropping by to do some errand. The thing goes 60mph and has on-board storage compartments. If this works out, we could have two of them sitting in the garage tout suite.

While I can't say I've gone full out green quite yet, at least it's a step in the right direction. I'll bet I can claim better fuel savings than most people reading this blog. Plus the dirt bikes in the garage that I don't ride much any more are going up for sale. That'll leave more room in the garage for the "subhuman". And maybe it'll spend more time there while I'm zipping around on my scooter instead of driving my lone self around town, sucking down fuel in the SUV.

Power IT Down Day + Call To Action To Create Greener Products [The Converging Network]

Posted: 17 Sep 2008 01:14 AM CDT

Yesterday I recorded a podcast about Power IT Down Day. I'll be posting the podcast to my Network World Converging On Microsoft Podcast first part of next week. Power IT Down Day is an initiative set up by Citrix, HP and Intel, to get everyone to fully power down their desktop and laptop computers, and associated monitor, printers, powered speakers, etc. during the off work hours on August 27th. I say fully power down because even hitting the power button on monitors and laptops, for example, doesn't mean they aren't sucking up juice through their standby modes and transformers. Better yet, power it all down, by hitting the power switch on the power strip plugged into the wall.

The idea behind Power IT Down Day is to help all of us be aware, and also to try and start some behavior changes, to save electricity consumed by our individual computers while we're not working at our desks.  According to my podcast guest Tom Simmons, area Vice President Federal at Citrix, many are projecting we could see electric power costs soar in the future similarly to how gas prices skyrocketed this summer. California already suffers rolling brown outs and a lack of power for data centers. The seemingly unlimited low cost power we take for granted today, like the low cost gasoline of the past, could become a scarce and expensive resource in the future.

I'll save some of the specifics behind the program for the coming podcast, but until then please visit http://www.hp.com/go/poweritdown and sign up for the program. Based on the estimated power savings from powered down PCs at participating companies, Citrix, HP and Intel will donate an approximated savings amount to the Red Cross. (Personally I wish they were donating the money to help us build more wind farms, or create hydrogen powered cars and fueling stations in the U.S.) I think this is a great program and I hope you'll participate.

Power IT Down Day is a socially conscious conservation effort: Help users, through their company's participation, understand the impact of needlessly leaving computers running during off work hours. That's good stuff, and well worth doing. I hope we change some habits and conserve power as a result. I've already started changing some of my power munching habits just after hearing about the program. But, I think we should tackle something closer to the heart of the problem: designing greener products.

Do monitors, printers, computer motherboards and power supplies, etc., really need to operate in standby mode where they continue to consume power? What's it save us, 10, 5, 3 or 1 seconds to start up our devices faster? Are we that pressed for time or that lazy? Why can't laptop power supplies (bricks) have a built in sensor that determines when laptop batteries no longer need charging, and then fully turn off the transformer? I'm sure those are just a few of the obvious examples and there are many more that could save even more energy.

I have the same beliefs about network security. Educating users only marginally helps the problem. The real issue is designing products that are fundamentally more secure or can automatically configure themselves securely rather than relying on end users to deem what programs should/shouldn't talk through a personal firewall, for example. Same with conserving energy. Fix the problem of creating greener products.

I call on product designers to design products that consume less or no energy, including periods when they might experience light or almost no use, rather than relying on end users to know and act to conserve energy. If you need help understanding how product design decisions impact the "greenness" of a product, and want to know how to design greener products, check out a company called Sustainable Minds (I'm an advisor to this company), their Okala methodology and their green product design industry expert blog. Help us all by starting at the source, creating greener products from the get-go.

And remember to sign up for Power IT Down Day, and most importantly, turn off all that computer equipment when you leave work on August 27th, and every day for that matter.

StillSecure, After all these years, Podcast 57 - Thomas Noonan [StillSecure, After All These Years]

Posted: 17 Sep 2008 01:12 AM CDT

Mitchell and I were lucky to have security industry pioneer and legend, Thomas Noonan as our guest for episode 57. In case you don't know, Tom was the co-founder and CEO of Internet Security Systems (ISS) and then managed that division after its acquisition by IBM. Well Tom has taken an "early retirement" from his IBM gig. But don't look for Tom to be playing tennis or golf at some retirement village here in Florida. He is already looking at places and technologies that get his juices flowing and interest him. One of those is Rohati. I have written about Rohati before. Their technology is tackling a problem where others have not trekked before. Thomas is now a member of their advisory board, but I would not rule out a bigger role for him with the company in the future.

Mitchell and I give Tom a chance to talk about his long strange trip in helping invent the security industry and what he sees as the future for himself and our industry. It is a good 35 minutes of insight from a true security original.  I hope you enjoy it. 

You may notice that the podcast is longer than 35 minutes though.  That is because after the interview, Mitchell and I do our usual shtick about what is going on in the industry.  We talk about acquisition rumors, virtual security (or what passes for it nowadays) and Apple - love' um, hate' um or leave' um. 

If you like the content of these shows or have any other comments or questions, please drop us a line at podcast@stillsecure.com 

Thanks to Pod0matic for hosting our podcast. Tonight's music is the usual, To the Summit by Jon Schmidt. You can hear more from Jon at http://www.jonschmidt.com. Music transitions between segments are by our own Mitchell Ashley! 

Enjoy the podcast! 

Are you here for the Thomas Noonan podcast? [StillSecure, After All These Years]

Posted: 17 Sep 2008 01:05 AM CDT

If so, welcome to StillSecure, After all these years.  If you have visited here before you are probably familiar with my blog.  I blog mostly about information security, but there is nothing off limits for my blogging.  My fellow StillSecure co-founder, Mitchell Ashley and I also co-host the SSAATY podcast.  You can listen to it here or on Mitchell's blog, The Converging Network or on iTunes.

The Noonan podcast is the blog post directly below this one. But besides the podcast, have a look around at some of the other content.  My article on what effect the financial crisis will have on the security market may be of interest to you. I also write a lot about NAC.  If you like what you are reading here, please subscribe to the blog in your favorite RSS reader.

Thanks for stopping by!

The Green Green Garage of Home [The Converging Network]

Posted: 17 Sep 2008 12:57 AM CDT

If you follow my blog you know I'm working to make our home and my family's life greener, more environmentally friendly. I'm much more conscious about turning off lights, running the air conditioning a little less and keeping electronic gadgets with thirsty power supplies turned off. But my biggest struggle has been getting rid of our Suburban SUV. Part of it has been giving up the roomy vehicle and part of it is balancing buying the right vehicle I really want. Anything that gets 30 MPG or less doesn't even seem worth it, and I'm just disgusted our automobile industry can't produce more vehicles that get well over 30, even 40 MPG. Our country has just been down right lazy about fuel economy and me right along with it. But I'm not going to buy an SUV that gets 22 or 24 MPG when what I want is 30 to 40, or more. I'll just drive my "subhuman" (my nickname for the Suburban) a lot less. My alternative has been to ride scooters.

My garage now has two scooters, a 150cc for my wife and a 250cc for myself. They get around 70 to 75 MPG respectively, and that's driving around town, not highway mileage. The biggest compromise in changing my driving habits to a scooter has been safety on the road. I took the motorcycle safety training a few years back, and I "strongly suggested" my wife take the course, which she did this past weekend. Still, I try to be extra cautious when driving the scooter and always wear a helmet.

We traded out the dirt bikes (sold them) we owned and used the cash for scooters. You can get an amazing deal on scooters if you are willing to shop online, and do some basic set up and maintenance on the scooters. Frankly, it's really easy. Just pull the scooter off the crate (wood or metal cage, on a wooden pallet), put acid in the battery and seal it up, hook up and charge the battery (charger included), put on the mirrors and stuff like the riding deck (where your feet rest), check the tire pressure, and go through and check/tighten bolts and screws (a little Loctite helps too).

I found our Chinese manufactured SUNL scooters online, for about $1000 and $2000 respectively, shipping included! Dealers want $2500 and $3500 for the exact same bike so you can save a bunch of bucks on the scoots and on sales tax if you are willing to do a little (very little) work yourself.

Tonight Mary Ellen and I went for a ride over to Anthony's Pizza for some dinner. We had cheese slices and soda. It reminded me of when we were first married and lived on Long Island, NY. After dinner, we popped back on the scoots and drove through the neighborhood on the way back home. It was fun.

While I can't say we're officially "green" since the subhuman is still around, the garage has definitely gotten a bit greener recently. And with gas still around $3.65/gallon, it's pretty satisfying when I need to visit the pump on one of the scoots. It makes my wallet happy too.

SSAATY Podcast #57 - Tom Noonan [The Converging Network]

Posted: 17 Sep 2008 12:44 AM CDT

It's that time again and we really have a "big show" for you with episode 57 of the SSAATY Podcast. Industry veteran and luminary Tom Noonan joins Alan and me. Unless you are new to security, you know that Tom was the co-founder of Internet Security Systems (ISS) which was sold and is now part of IBM. Through ISS, Tom helped make intrusion detection, vulnerability management, unified threat management, and security research (through the X-Force team) commonplace within the security industry.

Tom's now retired from IBM following ISS's integration into the company and is now on the advisory board of Rohati. Rohati provides Network-Based Entitlement Control (NBEC), offering the Rohati TNS 100, 500 and Central Management System products. Tom's excitement about Rohati and the Rohati team is clear and you can tell he's enjoying his advisory role with the company.

During the podcast, we reflect on Tom's early experiences with ISS and how that has shaped and relates to today's security industry. Tom's view is that it's still early in the life of the security industry and there's ample opportunity for new companies and technologies to emerge and make an impact.

Whether you are a security newbie or veteran, you'll find the interview with Tom informative and inspiring, so join Alan and me in welcoming Tom to episode 57 of the podcast.

As a wrap up, Alan and I talk about some of the acquisition rumors, including Citrix being in play with Microsoft, Cisco and IBM, and Juniper is looking at Aruba and Meru Networks. Alan also applies some smackdown on Mirage Networks for making such a big deal about running their NAC product as a virtual software appliance. Alan also surprises us with his less than enthusiastic experience with his iPhone 3G, and surprisingly is ready to bring back his Microsoft Windows Mobile 6 phone in place of the iPhone. I'm glad Alan's finally seen the light and sees Apple for what it is, a closed hardware and closed software company that's more about cool fads and cultish followings than easy to use, functional, customer centered products. Since recording the podcast, Apple's now taken to banning competitive products from App Store too! Looks like Alan isn't the only one with iPhone buyer's remorse.

Remember to send us your comments and questions to podcast@stillsecure.com. You can also subscribe to the podcast via iTunes or at http://ashimmy.podomatic.com.

 

Wild Wild Virtual West [BumpInTheWire.com]

Posted: 16 Sep 2008 10:49 PM CDT

El Sidekick is at VMworld this week expanding his mind and stress testing his liver so I figured I might as well be doing a little virtual knowledge attaining myself.  I installed the trial version of XenServer 5.0 Enterprise Edition along with XenCenter.  I spent more time tracking down hardware to install this on than the time the actual install process took.  A lot of that had to do with my “shoot first, ask questions later” mentality.  According to the documentation, which I read after the fact, you can not install XenServer 5.0 on 32-bit hardware.  Only 64-bit hardware.  So then I had to hijack some 64-bit hardware in order to get it installed.  My next “cowboy moment” came with XenConverter.  After being unable to find the XenConverter download I sent out a few feelers and one of them pointed me to the download location.  It was hidden in plain sight.  After downloading it I immediately installed it on a XenApp server and began converting it from physical to virtual.  About 15 minutes later I got an email from a XenServer SE Manager saying to pay attention to the release notes because of a gotcha with Windows Automount.  Dammit.  So I let the conversion process complete and it failed.  So I enabled Windows Automount via Diskpart and started it over. 

RTFM they say.  RTFM.  I’ll shoot that f’n manual!

OWASP AppSec NY 2008 Disclosure of ClickJack Exploit Postponed By Vendor Request [Infosecurity.US]

Posted: 16 Sep 2008 06:26 PM CDT

In reported efforts to minimize the impact of disclosure of a serious vulnerability dubbed ‘ClickJacking‘, the Adobe Systems, Inc. (NasdaqGS: ADBE) PSIRT (Adobe Product Security Incident Response Team) has requested the deferral of disclosure to permit more time to patch the vulnerability.

Security researchers Jeremiah Grossman (a fellow member of the Security Bloggers Network) and Robert Hansen have retracted their presentation detailing the apparent serious vulnerability from OWASP USA.

[1] Jeremiah Grossman (Cancelled) / Clickjacking - OWASP AppSec Talk

[2] Robert Hansen Clickjacking

[3] OWASP AppSec NY 2008

But how do you make money? [StillSecure, After All These Years]

Posted: 16 Sep 2008 05:43 PM CDT

I love the idea that you can use software for free. I am a big fan of open source software being made available to people. I am also a big fan of commercial companies with an open source business model. I am not a big fan of irrational exuberance though. Maybe that is a result of living through the dot com bubble and Alan Greenspan. Maybe it is the recent housing/mortgage/credit bubble. In any event I was reading an article in InfoWorld today on Untangle's "re-router" software.

The gist of the article was that Untangle has taken its open source router/UTM Linux based software and made it run on a Windows XP PC.  Great!  I assume they are running a virtual instance of their Linux server with the apps on top of it.  I don't think that is rocket science, but having played a bit with this myself, my first question was what is the throughput and usability like.  From what I know unless the laws of physics have been circumvented, you are not going to get a lot of performance running a UTM on that type of platform.  Sure enough Untangle's CTO acknowledges that this solution is really aimed at the under 25 user crowd.  Untangle claims this same customer would have to use several boxes otherwise for similar functionality.  The company sees this appealing to companies who don't have the money to buy the hardware and/or the resources to configure the apps.

OK, first of all there are plenty of low budget UTMs that can do this job and do it cheaply. eSoft is one I know, our own Cobia is another and there are plenty of others. So Untangle is talking about saving the cost of one low end box? A few hundred dollars? Is setting up the Untangle software going to be any easier than any of the commercial solutions? Open Source stuff is free, but generally not easy. But here is my real problem with this from a business perspective. Untangle is going to give this away for free and seeks to run their company from the percentage of these users who will sign up for support and higher end services. There are lots of open source business models that work like this. But if the customer is too small to afford to buy a server costing a few hundred dollars, what makes you think they can afford to pay for a service to manage it? If they do need a service they need an MSSP type of product. At the end of the day is Untangle an MSSP? I don't think so. Fundamentally, I think that is where the problem here lies. How can Untangle generate enough revenue from a market sector that they say is too poor to pay for anything?

If they did this to build presence while pursuing a higher market segment to pay the bills, that would make sense.  But I don't see that.  So at the end of the day, virtualizing your software for the SOHO crowd is dandy.  But how do you put food on the table?

NIST Completes Upgrades To National Vulnerability Database [Infosecurity.US]

Posted: 16 Sep 2008 05:23 PM CDT

NVD UPGRADED TO VERSION 2.2

The National Institute of Standards and Technology (NIST) has announced the completion of the National Vulnerability Database (NVD) Upgrade. The database is recognized as the single most comprehensive repository of public information on vulnerabilities in computational and networked systems. The upgrade focused on the database’s dictionary, which identifies the well-known, or commercial names of products (e.g., operating systems and applications).

From NIST: The new version, known as NVD 2.2, conforms to a product-naming scheme known as the Common Platform Enumeration (CPE, http://cpe.mitre.org). With NVD 2.2, the official CPE dictionary of 15,500 products is now incorporated into the NVD data.

The NVD was originally created and developed by NIST's Computer Security Division researchers with the full support from the Department of Homeland Security's National Cyber Security Division.

NVD may be accessed at http://nvd.nist.gov.

Editor's Note: Infosecurity.US is a member of The Federal Information Systems Security Educators' Association [FISSEA] sponsored and administered by the National Institute of Standards and Technology.

Backtrack 3 How-to updated… [Infosec Ramblings]

Posted: 16 Sep 2008 04:46 PM CDT


Well folks, I made a rather stupid mistake in my Backtrack 3 how-to.  Instead of writing “>>” to append information to a file, I wrote “>” which overwrites the file.

Bad things happen when you overwrite the /etc/ld.so.conf file.

Thank you very much to David who left a comment pointing out my mistake.  The how-to has been updated.

Kevin

With Friends Like Fiorina… [Liquidmatrix Security Digest]

Posted: 16 Sep 2008 03:24 PM CDT

This one is off topic. But, as I lay here in bed, I’m comforted in knowing that I don’t have to rely on people like Carly Fiorina for support.

Wow.

Oh, and I should be back in fine posting form tomorrow. I hope.

Scammers taking advantage of Ike [Alert Logic]

Posted: 16 Sep 2008 03:08 PM CDT

It is not uncommon for people to use natural disasters as an opportunity to spread malware. So it should be no surprise that while looking for Ike information today I ran into this: Google search for “ike fema” and one of the first results is… The site promptly redirects you to another domain and the pop ups [...]

Yet More EstDomains Claims Shown To Be Phoney [Infosecurity.US]

Posted: 16 Sep 2008 03:03 PM CDT

Rogue Domain Registrar Attempts CYA, Yet Fails To Deny Criminal Activities Via Press Release

Dancho Danchev has posted an absolutely superb write-up and exposes more EstDomains and Intercage claims as phony.

Via a rather unimpressive press release, the rogue registrar has attempted, clumsily, to protect its brand by claiming efforts to police its client list are effective. At the same time failing to deny, much less explain, the charges made in the various Washington Post SecurityFix articles.

[1] DomainNews.com: EstDomains Denies Links to Malware Distribution; Fails to Deny Washington Post Allegations

Secure system design that is impossible to break… [Infosec Ramblings]

Posted: 16 Sep 2008 01:29 PM CDT


I just finished reading Cory Doctorow’s Little Brother. You can buy a copy here or read it for free here. Don’t let its classification as young adult deter you.  I really enjoyed it. If you are interested in privacy and government and how “it’s for your own good” can escalate out of control, I highly recommend giving it a gander.

In the book, there is a terrorist attack on San Francisco which results in draconian security measures being put in place. Our protagonist is Marcus, a 17 year old, who gets picked up by those enforcing the new security measures and is sorely mistreated.  Through the book, we follow Marcus as he fights for his rights and the rights of his friends as citizens using every means at his disposal, most of them being technical in nature.  He is able to circumvent many of the controls put in place because he is a savvy, technically astute individual who has the security mindset we talk about frequently and is in many cases smarter than those who designed the systems he fights against.

So what does all this have to do with a secure system design that is impossible to break? Well, first of all, it is impossible to design a secure system that is impossible to break :) Further, as Bruce Schneier says in the afterword:

“Anyone can design a security system so strong he himself can’t break it.”

We see this same type of phenomenon in other areas. For me, it’s proofreading.  I have the hardest time proofreading my own writing because I know what it is supposed to say. My own brain gets in my way and I read text as I intended it to be as opposed to how I actually wrote it.

If we can’t design perfect systems and we are not able to sufficiently test our systems ourselves, how can we improve those designs to make them more robust and harder to break?

There are a lot of things we can do, like build on the successes of others, use “best practices”, etc.  However, I can think of a couple of things that can significantly improve our efforts:

  1. Peer review - We should have our peers look at our designs.  They will see things that we are blind to.
  2. Testing by a third party - Yes, I am promoting third party testing of our systems, preferably by more than one person. Again, the more eyes involved in reviewing a system, the better chance that weaknesses will be found. I am not proposing that every system get a third party review. It would be prohibitively expensive.  However, important ones probably should.

This also started me thinking about our risk assessment processes and procedures.  If we develop our risk assessment processes internally, aren’t we, in the context of the assertions above, creating a system that is destined to have built-in shortcomings?  Should we have our risk assessment processes “tested?”

I’m interested in your thoughts on both topics, so drop me a note in the comments.

Kevin


Infected by SQL...But Where Is The Remediation? [ImperViews]

Posted: 16 Sep 2008 01:25 PM CDT

Graham Cluley from Sophos recently wrote about how hackers infected BusinessWeek's website via a SQL injection attack.

Unfortunately, it looks like the daily SQL injection stories are starting to become boring as the list of victims grows day-by-day. (Dilbert hints that there are too many databases. Some might be redundant). 




Sophos is providing the community a good service as they have created a nice visual of the attack, showing how the infected site appears to the innocent, soon-to-be-a-victim visitor as well as what the page code looks like. They also provide a list of some suggestions that would allow customers to protect their site.


However, I would argue that they do not emphasize the most immediate solution - Web Application Firewall (WAF) - or the benefits of integration between vulnerability assessment, code review and WAF. In the real world, the process of fixing the code can take some time...

Security Provoked Video Episode 5 [Security Provoked]

Posted: 16 Sep 2008 12:33 PM CDT

In which we talk to Jim Hurley, managing director of the IT Policy Compliance Group about the results of their study on best practices for managing data for legal holds and discovery.

Mentioned in the Webcast:

Bruce Schneier’s forthcoming book.

Security Twits.

Alan Shimel’s blog entry on the financial meltdown and the security industry.

The IT Policy Compliance Group and their latest report.

The September Alert is now Online [Security Provoked]

Posted: 16 Sep 2008 12:11 PM CDT

We have created a PDF of the September Alert for you to read the entire issue electronically: http://www.gocsi.com/membersonly/showArticle.jhtml?articleID=210601906&catID=14122

CSI members can follow the links below. If you are not yet a member and would like access to these articles, visit our CSI membership page to become a member and receive discounts on conferences, access to the Alert and invitations to our members-only security calls.

The Insecurity of Green Computing
How can your organization go green without jeopardizing security?

Proper Disposal of Waste Electrical and Electronic Equipment
Policy: Company X’s purchases of electrical and electronic equipment must only be from vendors that follow European Union directives about the disposal of waste equipment. These directives include the provision of a formal take-back program for the recycling of equipment that has reached the end of its useful life. Prior to the release of Company X’s electrical or electronic equipment to third parties for recycling, a memo from the Information Security Department must be obtained. This memo must state that no sensitive Company X information is stored on the equipment, or that all sensitive information stored thereon has been successfully removed.

U.S. States Enact E-Waste Disposal Laws
Will secure, effective data storage device destruction methods become illegal?

Europe’s WEEE Directive Far Ahead of United States’ Green Disposal Law

Is Cloud Computing Really a Green Technology?

Administration, Security Challenges of Virtualization Could Defeat the Green Purpose of Consolidation

Desktop Power Management: Energy Efficiency for End Users is the Safest Way to Begin Going Green

Telecommuting Shrinks Carbon Footprint, Expands Endpoint Security Needs

Sidebars:
Computer Aid International

Security Troubles Disrupt Oregon State Data Center Consolidation

Big Blue Goes Big Green

Desktop Energy Usage

Gosh ... a not so nice security flaw in Google Docs (from (ISC)2's blog) [Security Circus]

Posted: 16 Sep 2008 11:06 AM CDT

Rogue Registrars’ Demise Migrates Miscreant Clients [Infosecurity.US]

Posted: 16 Sep 2008 09:59 AM CDT

More News Surfaces of Rogue Registrar Customer Shuffling

McAfee’s AvertLabs’ blogger Francois Paget comments on the Shadowserver reports of the apparent demise of rogue registrar RBN and the apparent customer migration of that rogue host to another miscreant registrar, this time monikered AbdAllah. Not surprising…

From the post: “One thing is sure, each time a report discloses a lax ISP, many unscrupulous customers looking for discretion, cover or camouflage, are disrupted. As I said before, we have seen some of them moving to AbdAllah or Atrivo. I should not be surprised if they started searching for a new refuge! All the more probable that bad advertising arrived to the ears of many attentive backbone providers bring about Atrivo to lose peering from all sides. At least it is something!”

[1] McAfee AvertLabs: If RBN is dead, their customers are still alive

[2] ArborNetworks: Atrivo/Intercage Called Out as US RBN

[Illustration by Martin Gee]

Security Catalyst Community Update: September 16 2008 [The Security Catalyst]

Posted: 16 Sep 2008 09:41 AM CDT

Greetings from Rochester, NY. We head out today to pick up a few cartons of Into the Breach - hot off the press - and then head to Nashville. Now that people are back to school, and back to work, the forums are really picking up. If you want to help with the planning and expansion of the SCC, please send me an email.

I am also spending more time on twitter these days - and would love to engage in the conversation with you.

Discussion Forum Activity

The Voices of the Community

List of community bloggers and podcasters (I am working to ensure the list is accurate and separate out the blogs from the podcasts — let me know if you need to be updated/included):

What Security Blogs and Podcasts are represented in this community? (http://www.securitycatalyst.org/forums/index.php?topic=28.0)

Join our LinkedIn Group (for active members of the Security Catalyst Community)

http://www.linkedin.com/groups?gid=27010

Here are some recent blog posts from Community Members that you may have missed:

 

About the Security Catalyst Community

We are a positively focused and supportive community that unites passionate professionals to achieve three goals:

(1) Provide a community where it is acceptable to be vulnerable and ask for help when you need it

(2) Create a community where anyone with an idea can share their approach in the pursuit of helping another. If today is your first day in security, welcome - share what you have learned without fear.

(3) Participate in a forum where members can share their passions, expand their thinking and find support with others who believe in making a positive difference.

Signing Up for the Security Catalyst Community

Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share).

Registration Overview (NOTE THE NAMING CONVENTION)

  • Go here: http://www.securitycatalyst.org/forums/
  • Select the register link
  • Follow the naming standard: firstname.lastname (include the period between first and last names)
  • Your account will be reviewed and approved
  • Jump in and share your thoughts!

Where is Michael - onTour Schedule & Updates

As we set out to journey the country, keep tabs on our schedule and opportunities to meet at www.catalystontour.tv or follow the progress of the book and speaking tour at www.intothebreach.com. As always, if you are on the way (or in the city we are heading), please contact me directly so we can meet. Our RV is our home, and our home is always open to our friends.

Coming Up:

  • Week of September 15: Rochester, NY en route to Nashville, TN
  • Week of September 22: Las Vegas
  • Week of September 29: San Francisco/Bay Area

SecuraNibble: Snort Sensor Tutorial [SecuraBit]

Posted: 16 Sep 2008 08:24 AM CDT

Chris Wilson brings us some Snort goodness with this 37-minute tutorial on how to build a Snort sensor from scratch using CentOS. I hope this is of use to everyone; it is very, very well done!


Cricket Liu: The DNS Infrastructure is “Creaking” [ARCHIMEDIUS]

Posted: 15 Sep 2008 07:33 PM CDT

This 12 minute "bloxTV" video interview with Cricket Liu, one of the world's leading experts on DNS, is conducted by blogger John Furrier. While this interview is about Cricket's take on the Kaminsky exploit, his comments underscore some core issues with the 25 year old DNS infrastructure. You can read my disclaimer at: About ARCHIMEDIUS. [...]
