Friday, September 19, 2008

Spliced feed for Security Bloggers Network

Risk Ostrich [Risktical Ramblings]

Posted: 19 Sep 2008 07:37 AM CDT

The recent “midwest wind storm” combined with some crazy work activities has hindered my ability to get in some blog postings. I took a few minutes this morning to quickly peruse some blogs and stumbled across this posting over at securosis.

I think it is pretty irresponsible for someone to poo-poo an emerging discipline in our profession by comparing it to financial risk management. The motive of being able to quantify information security risk is to allow for better decision making and understanding the cost of risk to an organization, not to make a profit. More on this in a future posting.

We all know that ostriches appear to bury their heads in the sand. However, apparently it is a myth that they do it because they are scared. They bury their eggs in the dirt or in a hole and once in a while, they stick their head in there to check up on the eggs or do whatever to them.

So, to the blog post author, while you have your head under the dirt checking up on your investment eggs, take another look at those risk quantification eggs.


The mother of all bailouts [StillSecure, After All These Years]

Posted: 18 Sep 2008 08:54 PM CDT

Well just when we thought we had seen it all comes word that the Secretary of the Treasury and the Fed Reserve Chairman are huddled with our Congressional leadership working out a bail out for the entire banking system in regard to bad mortgages. This one could put taxpayers on the line for upwards of a trillion dollars. That is right Trillion with a T. Jeez, is there a friggin' mortgage out there that is not in default?

Similar to what we did with the Resolution Trust Company back in the Savings and Loan crisis (Does anyone remember the Keating 5? Extra points for naming who was the number one of the Keating 5), we will set up a company that banks can sell or transfer all of their bad mortgages to. This way they get all of the bad stuff off of their books and can get back to pillaging the little guys in this country.

Speaking of the little guys, where is their bailout? Where is the government to help the people being put out of their homes every day? It is OK to give trillions of dollars to Wall Street fat cats and bank presidents, but the families being tossed out of their homes get nothing. It just doesn't add up for me. If the banks and Wall Street need relief, so do the individual people who are already suffering from the greed and excess of the last years. I am waiting to see what comes next. In the meantime I am thinking of starting a bank to get my share of the bailout money.

NAC Interoperability - Man or Myth? [StillSecure, After All These Years]

Posted: 18 Sep 2008 08:02 PM CDT

Sean Michael Kerner at is the latest in a long line of journalists to ask if NAC interoperability is a myth and ask when, if ever, it will be achieved. Lately, whenever I hear this I am reminded of one of my favorite movies when I was a child. In my house during Easter/Passover time, a highlight for me was when our family would gather around the TV and watch Charlton Heston in The 10 Commandments. They just don't make movies like that anymore. Anyway, there is a line when Sethi, Pharaoh of Egypt tells Yul Brynner, who is Ramses, the future Pharaoh to find out the truth about the prophesied deliverer of the Hebrews. Sethi tells Ramses that if the deliverer is a myth bring him the myth in a bottle, but if he is a man bring him in chains. Of course Ramses returns with an empty bottle, for the Hebrew deliverer is no myth. Instead he has Charlton Heston as Moses in chains.

Well here is my empty bottle about the myth of interoperability of NAC.  The bottle is empty because NAC interoperability is no myth and is very much real.  The problem is that most people are waiting for that golden moment when the Sun aligns, the angels sing and interoperability is proclaimed throughout the land.  What does interoperability really mean?  Does it mean one NAC solution is going to work with another and are interchangeable?  I don't think so.  Interoperability means to me that all of the moving parts involved in NAC work together across different vendors.  My friends we have that now.  Call off the hunt for the myth, the reality is here.  What NAC interoperability means is can your NAC controller work with switches from different vendors to test and enforce for access control.  What NAC interoperability means, is can NAC systems use a soon to be ubiquitous agent, such as the Microsoft NAP agent? If so, we have that today with any TCG compliant NAC.  Can NAC systems use just about any DHCP or Radius server? Yes.  SNMP or 802.1x? Check. Default supplicants? Yes again.  Guys the systems and tools used to install NAC, the switches, VLANs, ACLs, Radius, AD, DHCP servers all work together today.  Cisco works with NAP, TCG works with NAP, NAP works with everything else.  Stop waiting for the mythical deliverer, the NAC promised land is right here before your eyes.  It is just not a StillSecure thing either.  Take a look at any of the leading NAC solutions with the exception of Cisco and you will see a high level of interoperability with the network infrastructure components that NAC needs to function.

Cisco is another story. My personal belief is that they give lip service to wanting to be interoperable, but frankly they would rather see hell freeze over.  With their dominant position in the network market, they want their stuff to work best on their own gear.  They want to use that as a reason to use only their equipment and lock you into the Cisco mono-culture. Every other NAC vendor will work with a wide range of network switches and gear.  So it is in Cisco's interests to sow myths and misconceptions.  To drag their feet in working with other solutions.  But other NAC solutions work just fine on Cisco gear. Make no mistake about it. NAC is interoperable right now!

Untangle for Windows - Exploding the Myths [untangling the future...]

Posted: 18 Sep 2008 07:34 PM CDT

In the 48 hours since its release, several myths have already begun to emerge about “Untangle for Windows” and its patent-pending Re-router™ technology.

I suppose that we should consider it a success of sorts that so many people are talking about it — and we do.

But please allow me to set the record straight in several areas….

Here are some of the claims being made, along with my responses to them:

  • Myth #1 - Untangle suggests Untangle for Windows for networks with fewer than 25 users - it must not scale.
    • Our virtualization layer creates some overhead, but not much. Depending on workload, Untangle for Windows will scale to well over a hundred users. However, Untangle for Windows must “see” the protected hosts on the network, i.e., they must either all be on a single network segment or a lot of config work has to be done. But smaller LAN’s are typically single-segment.
  • Myth #2 - Untangle for Windows is a watered-down version of Untangle - it must not do much.
    • Except for some routing functionality, Untangle for Windows offers all the normal functionality that the market expects — anti-spam, web content filtering, anti-phishing, AV, etc. Untangle for Windows is Untangle. It’s the same code base, running as a bridge and tailored for single-NIC Windows environments.
  • Myth #3 - Untangle for Windows is inherently not as secure as “normal” Untangle (or my Brand-X appliance).
    • If deployment guidelines are followed, Untangle for Windows will be virtually as secure as Untangle. The small increase in “attack surface” is virtually meaningless in the environments where Untangle for Windows will be deployed. Moreover, one can argue that Untangle for Windows is actually in a safer place on the network (a managed server or desktop on the LAN, probably belonging to the network administrator) than the DMZ-based appliances.
  • Myth #4 - Untangle can’t make money with Untangle for Windows.
    • Really? Let’s look at the facts:
      • A new instance of Untangle goes into production (and stays there) every 7 minutes, 24×7
      • Untangle for Windows expands the population of “places where Untangle can be deployed” by at least 20x
        • Home deployments, for example, are way up since its release.
      • The fraction of users of our free-and-open-source products who convert to a paying subscription is above industry norms; and
      • Hundreds of Untangle channel partners and community members stand ready to carry Untangle for Windows into the market, with little incremental cost to us.

So that’s how we see it. We think that the “small business” market (10-100 users) will see it this way too. And their networks will be safer, more reliable, and less expensive to operate because of it.
Lastly, we released our rendition of a “modern appliance” today. It looks like this, costs us $4, and plugs into your nearest available USB port:


Anonymous hacks Sarah Palin's Yahoo! account [Security Circus]

Posted: 18 Sep 2008 04:39 PM CDT

Sarah Palin, a yahoo email account, and something more shocking... [extern blog SensePost;]

Posted: 18 Sep 2008 04:24 PM CDT

By now everyone knows that John McCain's running mate Sarah Palin had her yahoo email account hacked. I guess a presidential candidate using yahoo for govt. related email was about as shocking as Sarah Palin's nomination as possible future president ((unless of course you have ever heard of other govt. officials using yahoo/gmail/hotmail for serious business)(inside joke for south africans!)).

People have been talking about secure password resets for a long time [1] and this was pretty shocking all around..

But even more shocking for me (as a totally removed observer), was the Errata Security post (authors of hamster, which we commented on [here]) ending their post with an endorsement of the McCain/Palin ticket.. I thought all (american) hax0rs leaned towards "the change"

Vulnerability scanning NAC - That's why it is the wrong tool at the wrong time [StillSecure, After All These Years]

Posted: 18 Sep 2008 02:09 PM CDT

This week's Tim Greene NAC newsletter (Tim actually writes the most consistent NAC column there is, thanks Tim!) deals with an age old problem with NAC. That is the case of the wrong tool at the wrong time. Tim highlights a recent release of a new version by one of the smaller NAC vendors. The vendor is seeking to make lemonade out of lemons. Because they use traditional vulnerability testing in place of true NAC policy tests, the testing takes a long time to complete, by their own admission. Therefore they are advocating letting people on the network and scanning them in the background. If they fail they can then be dealt with. Of course this still leaves you open to a user coming on the network and doing something bad before they are discovered. In the case of this vendor, they say to only do it with "trusted" devices. That would work if you could say for sure who and what a trusted device is. In today's world there are no trusted devices, same as there are no trusted networks.

The problem with vulnerability scanning is it is hard to do quickly before someone logs onto a network. That is the fundamental problem here and the same with other agent-less tests from other NAC vendors (think used car sales guys). In certain verticals, such as the edu space they are comfortable with testing a device once a semester or so and not testing again for a few weeks or months. That is a question of what your risk tolerance is though. Also don't be fooled by millisecond response times. The clock doesn't start until the vulnerability or malicious behavior is actually detected. By then it could be too late.

Purpose built NAC products that don't just re-use vulnerability scanners provide superior solutions to this problem and should be what you look for.

MindshaRE: Live Analysis Markup [DVLabs: Blogs]

Posted: 18 Sep 2008 01:57 PM CDT

Posted by Cody Pierce
I have mentioned before that I am always trying to bridge the gap between static analysis and live analysis. I try to always reverse statically but let's face it, sometimes due to time constraints, complexity, or dynamic resolution of functions we need a little help from our favorite debugger. So today I'll demonstrate a little tool I use to help me easily pull the information I need from a debugger and still stay focused in IDA. My simple live analysis markup utility might help you in these situations as well.

MindshaRE is our weekly look at some simple reverse engineering tips and tricks. The goal is to keep things small and discuss every day aspects of reversing. You can view previous entries here by going through our blog history.

Let's set up a scenario.  You are reverse engineering calc.exe so you can patch its addition functionality.  Maybe you want to make 2 + 2 equal 5. When you encounter the following snippet you feel the need to just take the easy route and use a debugger.

.text:01011605    push    edi
.text:01011606    mov     edi, [eax]
.text:01011608    mov     ecx, [edi+4]
.text:0101160B    mov     eax, [edi+8]

Normally, you would switch gears and open your debugger.  Then you'd have to set a breakpoint at each address you are interested in.  Once the breakpoint hits you would then inspect the register or memory address you need. Not exactly a quick and painless process.

That's why I wrote this simple markup script for IDA.  It works like this.  You add a comment on the address you are interested in.  The comment contains the information you'd like the debugger to report.  It supports three different types of information, Register, Operand, and Memory.  Registers are self-explanatory.  Operand allows you to automatically resolve the type of data at that operand.  For instance at 0x01011606 the script would understand a pointer is being dereferenced.  Memory allows you to specify a memory address you want to read.  Here is an example using the snippet from above.

.text:01011605    push    edi             ; **LA R:eax
.text:01011606    mov     edi, [eax]      ; **LA O:1
.text:01011608    mov     ecx, [edi+4]    ; **LA O:1
.text:0101160B    mov     eax, [edi+8]

The comments tell our debugger that we want the contents of eax at 0x01011605, and the second operands at 0x01011606 and 0x01011608.  In order to do this we run a script which outputs this into a list we can feed to our debugger.  The output of this script follows.

Simple enough.  But what kind of debugger can actually read this in and give us what we want? I hope by now you've checked out PyDbg.  A fully scriptable debugger implemented in Python. A perfect use for this little utility. My PyDbg script will read in this list and set all of our breakpoints. When a breakpoint is hit, it prints the info.  Here is our run using the generated list of breakpoints.

C:\Code\Python\live_analysis> calc.exe la.conf
[*] Trying to attach to existing calc.exe
[*] Attaching to calc.exe (2932)
[*] Setting bp @ 0x01011605
[*] Setting bp @ 0x01011606
[*] Setting bp @ 0x01011608
[*] 0x01011605      EAX [Reg    ] is 0x7f7b8    [4]
[*] 0x01011606        2 [Pointer] is 0xa8038    [4]
[*] 0x01011608        2 [Offset ] is 0x1        [4]

Not bad. Certainly this can help. We can also get more information. Check this out.

.text:01011605    push    edi             ; **LA R:eax,R:ebx,R:ecx,O:0
.text:01011606    mov     edi, [eax]      ; **LA O:1,R:eax,R:edi
.text:01011608    mov     ecx, [edi+4]    ; **LA O:1,O:0,R:ECX


C:\Code\Python\live_analysis> calc.exe la.conf
[*] Trying to attach to existing calc.exe
[*] Attaching to calc.exe (2188)
[*] Setting bp @ 0x01011605
[*] Setting bp @ 0x01011606
[*] Setting bp @ 0x01011608
[*] 0x01011605      EAX [Reg    ] is 0x7f7b8    [4]
[*] 0x01011605      EBX [Reg    ] is 0xa8038    [4]
[*] 0x01011605      ECX [Reg    ] is 0x7c8099fd [4]
[*] 0x01011605      EDI [Reg    ] is 0x0        [4]
[*] 0x01011606        2 [Pointer] is 0xa8038    [4]
[*] 0x01011606      EAX [Reg    ] is 0x7f7b8    [4]
[*] 0x01011606      EDI [Reg    ] is 0x0        [4]
[*] 0x01011608        2 [Offset ] is 0x1        [4]
[*] 0x01011608      ECX [Reg    ] is 0x7c8099fd [4]
[*] 0x01011608      ECX [Reg    ] is 0x7c8099fd [4]
[*] 0x01011605      EAX [Reg    ] is 0x7f7b8    [4]
[*] 0x01011605      EBX [Reg    ] is 0xb4410    [4]
[*] 0x01011605      ECX [Reg    ] is 0x7c8099fd [4]
[*] 0x01011605      EDI [Reg    ] is 0x0        [4]
[*] 0x01011606        2 [Pointer] is 0xb4410    [4]
[*] 0x01011606      EAX [Reg    ] is 0x7f7b8    [4]
[*] 0x01011606      EDI [Reg    ] is 0x0        [4]
[*] 0x01011608        2 [Offset ] is 0x1        [4]
[*] 0x01011608      ECX [Reg    ] is 0x7c8099fd [4]
[*] 0x01011608      ECX [Reg    ] is 0x7c8099fd [4]

With this we can easily pull out interesting information and stay centered in IDA. In the future I will actually call PyDbg from within IDA. Thus making it even more simple. There also exists a method for exporting this data to an IDC for loading back in IDA, but it is not on by default. This is because breakpoints can get hit multiple times, and you may not want this to get convoluted.

I always want to keep my concentration on IDA. For me it's always difficult to "switch gears" and go into debugger mode. I use this script for quick access to information without having to lose track of what I am currently doing.

I hope this can be of some use to you when reverse engineering. I would love to hear how you personally bridge the static/live analysis gap. I know you can achieve some of this in IDA's debugger, if you do this hook us up with some scripts, or info.  Like I have previously stated, one day I'll get used to IDA's debugger.

The two scripts in this post have been bundled into
  • - Generates the configuration from your comments in IDA
  • - PyDbg script that sets breakpoints and logs hits.
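
The markup and log formats shown in this post can be processed with a few lines of Python. The following is an added example, not the bundled DVLabs scripts: it parses the `**LA` comments out of an exported listing, checks each directive against the instruction, and collapses repeated breakpoint hits into distinct values. It handles only the R: and O: forms the post shows (the Memory syntax is not shown, so it is rejected), and the config line format written by `to_config` is an assumption.

```python
"""Added example: parse '**LA' markup from an IDA listing and summarise hit logs."""
import re
from collections import OrderedDict

# Constructed input: the annotated listing from the post, as exported text.
LISTING = """\
.text:01011605    push    edi             ; **LA R:eax,R:ebx,R:ecx,O:0
.text:01011606    mov     edi, [eax]      ; **LA O:1,R:eax,R:edi
.text:01011608    mov     ecx, [edi+4]    ; **LA O:1,O:0,R:ECX
.text:0101160B    mov     eax, [edi+8]
"""

# Constructed input: hit lines in the format of the post's debugger output.
LOG = """\
[*] Setting bp @ 0x01011605
[*] 0x01011605      EBX [Reg    ] is 0xa8038    [4]
[*] 0x01011606        2 [Pointer] is 0xa8038    [4]
[*] 0x01011605      EBX [Reg    ] is 0xb4410    [4]
[*] 0x01011606        2 [Pointer] is 0xb4410    [4]
[*] 0x01011608        2 [Offset ] is 0x1        [4]
[*] 0x01011608        2 [Offset ] is 0x1        [4]
"""

REGISTERS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp", "eip"}
LINE_RE = re.compile(
    r"^\.?\w*:(?P<addr>[0-9A-Fa-f]{8})\s+(?P<insn>[^;]*?)\s*(?:;(?P<cmt>.*))?$")
MARK_RE = re.compile(r"\*\*LA\s+(\S+)")
HIT_RE = re.compile(
    r"^\[\*\]\s+(0x[0-9a-fA-F]+)\s+(\S+)\s+\[(\w+)\s*\]\s+is\s+(0x[0-9a-fA-F]+)")


def parse_markup(listing):
    """Return [(address, [(kind, value), ...])] for every annotated line."""
    result = []
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not m.group("cmt"):
            continue
        mark = MARK_RE.search(m.group("cmt"))
        if not mark:
            continue  # ordinary comment, not live-analysis markup
        addr = int(m.group("addr"), 16)
        parts = m.group("insn").split(None, 1)
        n_operands = len(parts[1].split(",")) if len(parts) > 1 else 0
        items = []
        for token in mark.group(1).split(","):
            kind, _, value = token.partition(":")
            if kind == "R" and value.lower() in REGISTERS:
                item = ("R", value.lower())
            elif kind == "O" and value.isdigit() and int(value) < n_operands:
                item = ("O", int(value))  # operand index exists on this insn
            else:
                raise ValueError("bad directive %r at 0x%08x" % (token, addr))
            if item not in items:  # drop duplicate requests, keep order
                items.append(item)
        result.append((addr, items))
    return result


def to_config(entries):
    """Serialise as 'address item,item' lines (assumed format, not the tool's)."""
    return "\n".join(
        "0x%08x %s" % (addr, ",".join("%s:%s" % it for it in items))
        for addr, items in entries)


def summarise_hits(log):
    """Collapse repeated breakpoint hits into distinct values per (address, item)."""
    seen = OrderedDict()
    for line in log.splitlines():
        m = HIT_RE.match(line)
        if not m:
            continue  # attach / "Setting bp" status lines
        addr, item, _kind, value = m.groups()
        values = seen.setdefault((int(addr, 16), item), [])
        if int(value, 16) not in values:
            values.append(int(value, 16))
    return seen


if __name__ == "__main__":
    print(to_config(parse_markup(LISTING)))
    for (addr, item), values in summarise_hits(LOG).items():
        print("0x%08x %-4s %s" % (addr, item, ", ".join(hex(v) for v in values)))
```

Collapsing hits this way keeps one entry per address and item even when a breakpoint fires many times, which is the concern the post raises about writing results back into IDA.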


How Sarah got her hack on [Errata Security]

Posted: 18 Sep 2008 01:36 PM CDT

When McCain chose Palin as his running mate, the US Secret Service descended upon her home in Wasilla, Alaska. They set up a perimeter around her house with 24 hour surveillance. They set up alarm equipment. They might've installed bullet proof windows.

But they ignored her computer.

And she got hacked.

The news reports speak about shadowy cabals of hackers performing mysterious rites to break into her computer. It was much simpler than that. Her "secret question" in to reset a lost password was "Where did you meet your spouse?". The secret answer was an easily guessed "Wasilla high".

The "hacker" saw the e-mail address "" appear in a Washington Post story about the Governor. He tried the password recovery tool and found the question. He googled for information about the answer. After a few tries like "high school" he finally got the right one, "Wasilla high".

This is an obvious flaw that most people have with their accounts. Look at your friends' e-mails from services like Yahoo and Google. Go to the logon page, click on something about a "lost password", and check out their secret question. Chances are good that you can figure out the answer. Checking out their question isn't illegal, but successfully guessing the answer might be.

This was how Paris Hilton got her account hacked. Her secret question was "What's your favorite pet's name?". The answer, Tinkerbell, was prominently in the news, so pretty much everyone knew the secret answer.

After calling the Secret Service to get them to protect the VP nominee, the first thing McCain should have done is call a cybersecurity consultancy (like Errata Security) to protect her computer and online accounts. Fixing the "secret question" would have been the first thing we did. This would be followed by changing all her passwords, especially fixing the fact that she probably uses the same password for all her accounts. Next, we would have fixed her home network, especially the insecure WiFi setup she probably has. We would have scanned her computer to see if she were already infected with malware/bots, and then reconfigured her (and her family's) computers so that they couldn't accidentally be infected. We would have made sure that all appropriate data was encrypted, and that she could access her accounts in an encrypted fashion (to avoid pesky things such as Sidejacking). Depending on how paranoid the campaign wanted us to be, we probably would have just backed up everything and wiped all her computers and rebuilt them from the ground up to be secure.

We also would have educated her on cybersecurity. The reason that Gov. Palin was using Yahoo mail to begin with is probably because she found it inconvenient using the VPN software to logon to her office e-mail. We see that a lot in business: people use private e-mail services like Yahoo and Gmail to carry out corporate activities because they are annoyed with how their own computer staff have things set up. Yet, your computer people set things up this way precisely because there are obvious things that hackers can do to break into your data, such as guessing a poorly chosen "secret" question.

It would be harsh to judge Gov. Palin as being stupid about cybersecurity. The risks she chose could be appropriate for a private citizen not in the spotlight. However, those risks changed the moment she became a VP candidate - her cybersecurity was not adequate to defend against the heightened hacking threat.

BTW, most of us at Errata Security are a bit to the right of the political spectrum. Go McCain/Palin!

PS: Yahoo Mail will give your secret question to anybody who asks for it. Gmail will only give out your secret question after 5 days of inactivity on the account. Yet again this shows why Gmail is more secure than Yahoo Mail.
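
Added example (not from the Errata Security post, and not Yahoo's or Gmail's code): a minimal model of a reset flow with the two controls the post touches on, disclosing the secret question only after the account has been idle for five days and locking the flow after a few wrong answers. `ResetGate`, `MAX_TRIES` and the middle guesses in `GUESSES` are hypothetical names and constructed values.

```python
"""Added example: a secret-question reset flow with disclosure and retry limits."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

INACTIVITY = timedelta(days=5)  # idle window, from the post's description of Gmail
MAX_TRIES = 3                   # assumed limit; the post only says "a few tries"

# Constructed guess sequence; the first and last entries are quoted in the post.
GUESSES = ["high school", "Wasilla", "Wasilla high school", "Wasilla high"]


def _digest(salt, answer):
    # Normalise case and whitespace, then stretch, so answers are never
    # stored or compared in plaintext.
    norm = " ".join(answer.lower().split()).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", norm, salt, 50000)


class ResetGate(object):
    """Server-side state for one account's secret-question reset."""

    def __init__(self, question, answer, last_login):
        self.question = question
        self.salt = os.urandom(16)
        self.answer_digest = _digest(self.salt, answer)
        self.last_login = last_login
        self.failures = 0

    def _idle(self, now):
        return now - self.last_login >= INACTIVITY

    def question_for(self, now):
        """Disclose the question only once the account has been idle long enough."""
        return self.question if self._idle(now) else None

    def try_answer(self, guess, now):
        """Return 'refused', 'locked', 'ok' or 'wrong' for one reset attempt."""
        if not self._idle(now):
            return "refused"  # owner is active: no reset by secret question
        if self.failures >= MAX_TRIES:
            return "locked"   # even a correct guess is no longer accepted
        if hmac.compare_digest(_digest(self.salt, guess), self.answer_digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "wrong"


def replay(gate, guesses, now):
    """Feed a sequence of guesses through the gate and collect the outcomes."""
    return [gate.try_answer(g, now) for g in guesses]


if __name__ == "__main__":
    t0 = datetime(2008, 9, 1)
    gate = ResetGate("Where did you meet your spouse?", "Wasilla high", t0)
    print(gate.question_for(t0 + timedelta(days=1)))      # None: account active
    print(replay(gate, GUESSES, t0 + timedelta(days=6)))  # lockout before the hit
```

Neither control makes an answer that can be looked up any harder to guess; they only limit who sees the question and how many guesses are allowed.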

No Firefox EULA screen on Linux [Robert Penz Blog]

Posted: 18 Sep 2008 01:10 PM CDT

Today the Mozilla Foundation announced that there will be no EULA screen on Linux. Take a look at this post for details. It seems that our protest helped to convince them to remove that idea from the table.

Reminder: Catalyst Live! Talkcast tomorrow, 2pm ET [The Security Catalyst]

Posted: 18 Sep 2008 10:00 AM CDT

I take the stage today to share some insights on “Awareness that Works” - live in Nashville, TN. In the event you were unable to join me in Nashville (or even if you did), we can keep the conversation going tomorrow during the first Catalyst Live! talkcast:

Join me on Friday – September 19th – at 2pm ET (11am PT) for Catalyst Live! – a live chat hosted by Michael Santarcangelo. This week, we look deeper into my recent freeware experience and welcome Dave Cole from Symantec to the call.

I'll be monitoring twitter and the talkshoe client during the call, allowing us to field live calls, chats and instant messages. Participate in the conversation!

Join In!

Join the conversation on TalkShoe by using the spiffy browser-only client. For the more adventurous, check out the shiny TalkShoe Pro Java client.

To listen and join in – including to ask questions and engage in the conversation, launch your browser and click here: on Friday at 2pm ET.

Call in on regular phone or VOIP lines: dial (724) 444-7444 and enter the talkcast ID, 25233.

So Logically, If She Weighs The Same As A Duck…She’s A Witch! []

Posted: 18 Sep 2008 09:59 AM CDT

I usually try to stay far away from politics and current events, but my friend Rich has put up a blog post blaming the credit crisis on quantitative analysis, and then positing that because the economy sucks, Information Security should be only qualitative.

Now I’ve been “accused” of being a quant in the past (hi rybolov!) but in reality the only dogs I have in this fight are the model and the application of scientific method - and really, ethically speaking, I have to be tied to the latter while applying the former.

And I see a false dichotomy in this whole Quant vs. Qual thing.  We, as a profession, tend to create a political divide between the two which, if it even exists, I’d say is based more on our ignorance rather than our expertise.  After all, we are the profession that regularly multiplies across ordinal scales and uses wonderful models like R=VxTxI.   As someone  learning to deal in probabilities and rationalism, I have to recognize that this discussion is really just about the act of observation using different metrics of measurement.

But how we’re going about observing does not change the fact that there is measurement based on observation.  So if I’m working with you I can easily turn your qualitative scale into a quantitative one, and vice-versa.  Yes, Shrdlu, if we had the time, even your most seemingly Qual things could be Quant! (This flexible world view, btw, is an outcome of that new-fangled Bayesian thing).


But back to what Rich is saying there about information security and risk - and he isn’t/won’t be the only one saying these sorts of things - we should try to understand what’s really going on rather than get caught up in the emotional hurricane.  Our profession suffers several forms of cognitive bias.  The nature of our jobs and what we do can cause us to be focused on the outcome and not the quality of the decision at the time it was made.  We want to bring in things from other professions that are useful, but at times we do view things outside our profession with false correlation to our own (unfortunately for those who write these sorts of articles, financial risk is completely different than operational risk).  We also have the tendency to focus on negative outcomes without acknowledging the positive outcomes (For example, I hear that Alan Greenspan’s new firm is up a couple of $billion in all this mess since he joined them, short sellers are doing quite well - must be because they have qualitative models or something -grin-).  The effect of these biases is compounded by the facts that proper correlation takes more work than we usually give it, and rational thought is not that easy when there’s a witch-hunt mentality.

Burn her anyway!

What also floats in water? (link to Youtube)


So as you and I read opinions that seem to be the polar opposite of irrational exuberance (and there will be plenty between now and the election) we’ll have to ask ourselves, “what really failed here?”  At the risk (pun) of over-simplification:

  • Was There an Error on the part of Probability Theory?

After all, Probability Science like all other fields of knowledge is always “advancing” as they say.  So perhaps probability theory is wrong somehow?

I’m personally disinclined to put the blame here, primarily because I would think that there would be evidence from other fields (like Quantum Mechanics) that something is amiss waaaaay before it hit a field like economics.

  • Was There Error In The Model Used to Determine Risk?

Some people who understand real estate valuation and complex derivatives and financial risk want to put the blame here.  It’s a little too early to tell, but one thing is for sure - Financial risk is so different from operational risk I couldn’t begin to hazard an opinion on the subject.   But it would seem that this is really somewhere we might look.

  • Was There Error In The  Scale Used (Quantitative vs. Qualitative)?

Honestly?  I find it extremely difficult to understand how this could be the source of financial ruin.

  • Was There Error on the part of the Decision Maker?

What if all of the above were just fine, and the decision maker chose short term gain over long term stability?  What if this was (to simplify the matter greatly) a choice of “heads” over “tails” and the coin landed on tails?  What if the model represented the right risk (probability of negative outcome vs. positive outcome), but the complex derivative was sold to someone else who had poor “risk management” (ability to make good decisions)?

Now I have no clue about complex derivatives, and I’m oversimplifying to be sure - chances are like most things, there are several problems that helped create the primary cause. But it seems to me that as we go into incident response mode for the economy, it’s more helpful to do so in a rational, logical manner.


Consider the Source
Some authors (who I think tend to exploit outcome and hindsight bias, and then combine those with indirect ad hominem attacks in order to sell their books), are actually putting forth arguments against the use of analytics.  The source of this is a current epistemic debate between those who believe that only falsification is certain, and those who maintain that neither proof nor falsification are certain, there are only probabilities.    So before you go believing any “quadrants” of usefulness on faith - I encourage you to understand what is at the heart of the discussion.

We All Have to Live In The Real World

The sun will rise tomorrow, and someone will try to find the source of the problem and do a better job.  Now chances are, they’ll be doing it in a quantitative manner.  Chances are also that at some point their models will fail and we’ll need to build new ones.  And this will happen whether the field is cosmology, economics, meteorology, information security, or professional baseball.


I’m far from certain and subject to change, but these days I lean towards Robin Hanson & Michael Lewis w/regards to placing blame.

Is Nortel next? [StillSecure, After All These Years]

Posted: 18 Sep 2008 09:09 AM CDT

Story over at C/Net highlights that long troubled networking and telecommunications gear maker Nortel is again suffering.  They are slashing their outlook and guidance and have announced that they will be looking to sell some business units.  Could this be the beginning of the end for Nortel?  Are they the next bailout candidate?  Maybe Canada can bail them out.

So, who will take on Cisco?  Juniper seems to be gearing up.  Sometimes I think if you took the next 3 or 4 network gear vendors and lumped them together, you might have a real Cisco killer.  Until then there is not much on the horizon that will change the status quo on the network gear market.

Two weeks until PCI 1.2! [Branden Williams' Security Convergence Blog]

Posted: 17 Sep 2008 05:14 PM CDT

While the official release does not happen until two weeks from today, many key stakeholders now have a copy of the pre-release version. What can you expect?

You can expect THIS blogger to honor his NDA!

Seriously though, are you ready? Version 1.1 has been around for over two years now (birthday was September 7, 2006), and by now you should have been able to validate as compliant to that version of the standard. If you are still struggling with 1.1, there is good news along with the bad.

The bad news is that in some cases your remediation targets may have shifted slightly in one direction. This will apply to you if you have been doing the absolute bare minimum to comply. VeriSign advises our customers to use PCI as a baseline, and pick certain areas to exceed in so that minor adjustments to the standard will not affect you. I'm pleased to say that our recommendations have been on track.

The good news is that some requirements have been altered to more closely match existing risk management procedures. The bad news here is there is some room for interpretation (as always), that may once again cause some QSAs consternation.

Sorry, I meant to say, cause some QSA's customers consternation.

For those of you heading to the PCI Community Meeting in Orlando next week, please stop by our booth! We'll have a few leaders in our PCI consulting practice available to chat with you!

Bye Bye eBay [Richi Jennings]

Posted: 17 Sep 2008 05:13 PM CDT

Eric Savitz at Barrons writes that eBay's (EBAY) business is "deteriorating" and is preparing big layoffs (like: 1500-employees big).

Ina Steiner seems to agree, pointing out that "Meg Whitman and her inner circle of top executives are gone" --to which I say: good. And not a moment too soon.

eBay is now a complete, unmitigated disaster zone:
  1. It's managed to alienate both its sellers and buyers with a sequence of ill-thought-out and badly-executed actions, such as mandating PayPal.
  2. Its PayPal division seems to be staffed exclusively by cut'n'paste junkies who couldn't spot a fraudulent seller if you painted him fluorescent orange and dangled him from a cherry picker.
  3. It even seems to have strangled the life out of its exciting Skype acquisition.
Lest we forget, this is the company who in 2005 soothingly reassured concerned recipients that a blatant phishing scam was actually sent by eBay themselves. I still pinch myself.

Hat tip: Techmeme

"Americans' fear of a terrorism could create a mass outbreak of a psychosomati..." [Security Circus]

Posted: 17 Sep 2008 02:48 PM CDT

Americans' fear of a terrorism could create a mass outbreak of a psychosomatic illness -- even in the absence of any real attack -- creating a fake epidemic that could overwhelm hospitals attempting to treat real victims. –Terrorism Fear Could Create Psychosomatic Epidemic

Confusion and Delay

Posted: 17 Sep 2008 08:55 AM CDT

Due to a PEBKAC error with the ID 10 T, I have had to retype parts 2 and 3, which were ready to go out the door.

In the meantime while I fix myself, here are a couple sites that can keep you busy:

Search Google for exploits:

Watch just about any TV show (and some movies) online:

Play any NES game online:

Start a blog without any signup?


Security Roundtable for September 13 [The Security Catalyst]

Posted: 17 Sep 2008 06:30 AM CDT

Martin McKeay and I are evolving the Security Roundtable: we'll be recording every other week at 7 am Pacific/10a Eastern on Saturday mornings. And we'll be streaming the recording live (, opening a chat session and encouraging more bloggers and podcasters to join us.

Our goal is simple: keep the program simple, under an hour and relevant while blending together the voices of the community. This is also an opportunity for members of the community to participate through segments. Rather than have a larger, static "panel" of people, we're exploring more voices, shorter segments and more interactive. We'd love to know what you think, what you want to hear and if you want to be involved.  

While we consider this recording to be an experiment – it is a show where I learned from the conversation. In fact, I look forward to listening to it again. Our guest for the show is Marc Massar, Principal Solutions Architect at Venafi. I had interviewed Venafi previously (and liked their approach) and was happy to welcome Marc to the program.

Our rules are/were simple: no sales pitch. Marc didn't need the rules – he's got a solid background and jumped right into a meaty discussion about the industry and how we can improve our solutions.

Security Roundtable for September 13th, 2008

The next SRT will be recorded on September 27th, 2008 at 7:00 a.m. PDT.  I'll be in Las Vegas – so for me, it will actually be nice and early (and I'll find some Mountain Dew before we start – MD should sponsor me!).


Reminder: OWASP NYC AppSec 2008 Infosec Conference Event - Next Week

Posted: 16 Sep 2008 11:17 PM CDT

Just a quick reminder that the OWASP NYC AppSec 2008 infosec conference event is next week. The agenda and speakers are ready and they’ve even made a recent venue change to the Park Central New York Hotel to accommodate more people. Unfortunately, we won’t be able to make it this year, but we’ll be scanning the blogosphere for updates and announcements. See our original post for more information about this conference.

ISSA - NoVA Chapter Infosec Meetup Event - Thursday, 09-18: A Technical Introduction of SCAP

Posted: 16 Sep 2008 08:53 PM CDT

Here is some information regarding this week’s Thursday ISSA - NoVA Chapter infosec meetup event. There seems to be lots of SCAP related training going on lately; the following week NIST is holding their IT Security Automation Conference, which seems to focus on SCAP as well.

  • Who: Andrew Buttner, The MITRE Corporation
  • What: A Technical Introduction of SCAP
    • The presentation will focus on a technical introduction of SCAP and how FDCC is leveraging this to enable automated evaluation of a given system. An overview of each of the six IA Standards that SCAP leverages will be given, as well as how SCAP uses these standards to enable automated assessment. The SCAP Validation program will be addressed in order to help the audience understand how the standards are enforced within the community and how trust in the SCAP can be achieved. The presentation will finish with an overview of FDCC and how SCAP is hoping to make this all a success.
  • When: 9/18, 5:30 (doors open) & 6:30 (meeting starts) PM EST
  • Where: Oracle Corporation (1910 Oracle Way; Reston, VA 20190)

For more information on the ISSA - NoVA Chapter, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the page with information on this meetup.
