Saturday, September 20, 2008

Spliced feed for Security Bloggers Network

How to make a bad first impression [StillSecure, After All These Years]

Posted: 20 Sep 2008 03:17 AM CDT

Blogging is a fairly new medium.  I have seen many PR people who just are befuddled about how to leverage blogs for their clients.  There is no book of blogging etiquette for them to study.  Even companies who hold themselves out as "marketing and relationship" experts just don't know squat about the blogging world.  So when they venture out without a safety net, invariably they screw it up.  A case in point is a rookie mistake that a Joshua Lewis of a company called Twelve Horses committed today. 

Joshua left a long comment on one of my recent articles today trying to flatter me about how, in doing research, he stumbled across my blog and was so impressed, yada, yada, yada.  He then told me about how a company he is working with, Solera Networks, may be interesting to me. He proceeded to write a commercial for Solera Networks. That would be bad enough if that was all he did.

Joshua had no idea that many security bloggers talk to each other pretty regularly too.  It seems that our boy Josh was pretty busy running around to a bunch of security blogs, spouting similar comments about how he loved them best and touting Solera.  Well that about sealed it for me.  I have deleted his comment as spam.  Deleting comments is something I seldom if ever do by the way.  But this kind of behavior needs to be dealt with.  These kinds of shenanigans are not acceptable.

So Josh, not only is your comment touting Solera now gone, but I am calling out what exactly you were up to.  I am pretty sure you have done Solera more harm than any good you could have done.  Maybe next time before you think you are going to game the system, you should learn how to play the game.

Note to self: Take a closer look [Roer.Com Information Security Blog - Information security for entrepreneurs]

Posted: 20 Sep 2008 01:20 AM CDT

Mental note to self: Take a closer and deeper look at Atlas, a monitor of IT-related threats.

This Week in Petard-Hoisting, the Palin Edition [Emergent Chaos]

Posted: 19 Sep 2008 06:26 PM CDT


If you are the sort of person who looks at odd legal rulings and opinions, you may remember that a few years ago the US DOJ issued an opinion that stored emails are not protected under the Stored Communications Act. The DOJ reasoning is that when you leave read email on your server, it's not a temporary copy that is needed for the communications (like a mail spool), and not a backup.

This reasoning is bizarre to people who use protocols like IMAP precisely as a backup. It's also bizarre to people who wonder why the DOJ would argue that stored communications are not Stored Communications. Those people tend to think that perhaps this would mean that if those stored emails are not Stored, then it wouldn't be illegal for the DOJ to just kindly request that copies of them be pulled from an ISP's storage (as opposed to their Storage) and be handed over, just in case you've been doing whatever.

The EFF has posted an interesting opinion, one that points out that if stored email is not Stored, then the people who reset Sarah Palin's password and read her email probably did not commit a crime under the DOJ's own interpretations of the law.

There doesn't seem to be much wrong with this reasoning. In any event, it's going to make it hard to prosecute the miscreants, because they will have to explain to a judge why they changed their mind, or why there is one law for veep candidates and one for everyone else. Way to go, guys.

Whatever one's opinion of Ms Palin, it's hard to defend violating her privacy. Let's hope this leads the DOJ to conclude that when you take communications and store them that they would be protected under the Stored Communications Act. As usual, the word is "oops."

(Many people will note that there are undoubtedly plenty of other laws to charge them under, starting with the Computer Fraud and Abuse Act. But any good prosecutor can find something to charge someone with. The point is about upholding and enforcing existing laws.)

Photo "Hockey Mom Makeover" by julie.anna.

Fxcop HtmlSpotter - Spotting ASP.NET XSS using Fxcop and Html encoding document [CGISecurity - Website and Application Security News]

Posted: 19 Sep 2008 05:11 PM CDT

An anonymous user writes "In his previous blog post, Sacha provided an updated list of the control HTML encoding information. He has now integrated the content into FxCop to help quickly identify spots in binaries that should be reviewed for XSS issues." Read more:

Eugene Kaspersky on the Latest Malware Trends [IT Security Expert]

Posted: 19 Sep 2008 05:00 PM CDT

I was fortunate enough to catch up with the one and only Eugene Kaspersky this week. Eugene is one of the world's leading experts in the information security field, co-founder and CEO of Kaspersky Lab, the international information security software vendor and a technology leader in malware (malicious software such as trojans, viruses, keyloggers) protection.

It was a real privilege and honour to chat with the Moscow-based Security Guru about the latest malware patterns, trends and threats being monitored by Kaspersky Lab. I do not use the term "Security Guru" lightly either; Eugene is a graduate of the Institute of Cryptography, Telecommunications and Computer Science and had conducted scientific research in these areas before entering the antivirus industry (before it was an industry) in 1991. This was after his interest in viruses was sparked when his own system was infected by the Cascade virus in 1989.

I remember my Commodore Amiga being infected by a boot sector virus around the same time; if only I had the same kind of vision back then. Actually, one of the new trends being observed by Kaspersky Lab is the return of the old boot sector virus. The reason behind this trend is that if the "bad guys" can load and execute the malware ahead of the loading of the operating system, OS security protection and antivirus, it becomes much easier to deliver the malware payload and avoid detection, and even to prevent the security countermeasures from operating properly.

Kaspersky underlined a fact I myself have been preaching for a number of years now: the people behind these global malware attacks are becoming more professional and organised, and are financially motivated, as opposed to being out to cause system crashes for kudos. The traditional idea of a spotty-faced teenage kid sat in his bedroom bringing down TV networks for fun is a myth; these guys are in it for the easy money.

The evidence of this financial motivation can clearly be seen in the Kaspersky Lab statistics, which show 90% of Internet malware as being spyware trojans, designed to steal information, whether it be credit card details, login credentials or general personal details. No longer do cyber criminals have any interest in bringing down systems either, which is why only 5% of malware is the traditional "trouble making" kind of virus. These bad guys actually want their target systems to stay online for as long as possible, so they can be fully exploited. Such is the lucrative nature of these attacks and the high rewards of this dark economy that the cyber criminals are even aggressively competing against each other, with malware actually attacking and "killing" other malware to gain supremacy. How much malware is out there to be protected against? Well, today Kaspersky Lab is protecting against 1.250 million and rising, which shows the scale of the malware problem. I remember when my AV signature list had a couple of hundred types of viruses listed in it; you could scroll through the list and look at the names and what they did!

I asked Eugene one particular question which has been puzzling me about antivirus protection for some time: given that most malware is targeted against Microsoft operating systems and applications, which these days tend to offer better protection (arguably), how come malware trends are not shifting to target the lower-hanging fruit more, in non-Microsoft operating systems, especially given the recent popularity and rise of freeware (Linux) and Apple systems in recent years? Eugene pointed out there was an increasing trend in the number of malware specifically targeting Apple systems, while on the Linux front, he said with a big grin, Linux users tended to be more skilled, security savvy and wise, and therefore less prone to being successfully breached by malware. In my own summary, the successful malware attacks occur against the "dumb users", who tend to be on a Microsoft system, or increasingly an Apple system. This makes perfect sense, as after all the biggest gap in security lies between the keyboard and the back of the chair.

Eugene went on to say there was a shift towards malware specifically aimed at mobile devices. These days there is a lot of valuable information held on mobile devices, while typically they tend not to have good protection against malware, which can be delivered to the device through the Internet connectivity. On top of this mobile devices are being increasingly used for making payment transactions, with payment card information being highly targeted by cyber fraudsters.

Kaspersky also highlighted another very interesting global malware trend, which is being driven by the deployment of cheap hardware and fast Internet access to the developing parts of the world, the $100 laptop for example. New malware threats are increasingly originating from places like Latin America and Africa. However, over 50% of malware is still coming out of China, and the overall problem is still rising. Kaspersky went on to describe a "division of labour" in the malware black market, with cyber criminal groups specialising in different areas and collaborating. Typically groups are dividing and specialising in areas such as writing the malware code, malware deployment, malware management (the bot-herders) and data hijacking/data mining, which really underlines how organised this black market is now becoming. Kaspersky Lab has also observed general differences in the types of malware targets around the globe, with South East Asia specialising in online gaming fraud, Latin America developing banking Trojans, while Russia appears to be the place where a lot of malicious code is written and sold on.

Fascinating stuff and it goes to emphasize the importance of running antivirus or a complete security suite on your computer systems, and ensuring such systems are automatically kept up-to-date. So there you have it, Eugene Kaspersky, Security Guru and a great down to earth guy, I thoroughly recommend going to hear him speak if you get the opportunity.

You can obtain a Free Trial of the award-winning Kaspersky Internet Security 2009

The Palin Hack: Why most question recovery systems suck [CGISecurity - Website and Application Security News]

Posted: 19 Sep 2008 04:40 PM CDT

Motley Fool wrote an article blaming Yahoo! for the Palin Hack. Computerworld has pointed out Gmail, Yahoo, and Hotmail as being vulnerable as well. To be clear, any site using common questions as a way to restore account access is vulnerable. The issue is not that these sites are vulnerable and...

""... door locks that can be wirelessly set or opened via the Internet, from a..." [Security Circus]

Posted: 19 Sep 2008 03:51 PM CDT

"... door locks that can be wirelessly set or opened via the Internet, from a mobile phone or a computer. Each of the battery-operated locks has a keypad that is locked and unlocked with 4-digit access codes. Users who forget to lock a door and want to enter their code remotely can hop onto a Web portal or use software added to their mobile phones [...] The backup device is still a set of metal keys, which is how it has been done for more than 4,000 years." –Unlock your house via the Internet

Mozilla Firefox 3 comes without any EULA. Great idea, guys! This shows some c... [Security Circus]

Posted: 19 Sep 2008 03:48 PM CDT


Mozilla Firefox 3 comes without any EULA. Great idea, guys! This shows some courage!


Apple Needs an SDL ? [Jeff Jones Security Blog]

Posted: 19 Sep 2008 03:25 PM CDT

Of course, if you ask me, everyone should be implementing a process that is SDL-like, so that isn't particularly interesting for me to write about.

However, it is interesting when others probe the question.  I think you may be interested in reading Time For Apple To Embrace A Security Development Lifecycle by Andrew Storms.

Give it a read and let me know your thoughts...

Regards ~ Jeff

I’m not an economist, but… [SOURCE Conference Blog]

Posted: 19 Sep 2008 01:22 PM CDT

I just read the info on the new US mortgage bailout.

I’m bothered.

I can’t figure out how this works. I mean, I get the idea - the federal government purchases (and later attempts to sell) “hundreds of billions of dollars” of bad paper.

But, if the paper is no good, it means there’s no resale value.

So, that hundreds of billions of dollars gets piled on top of the federal debt.

It seems to me that, in the medium term, that extra debt exerts further downward pressure on the US dollar against other international currencies. (What’s interesting is that, up to now, most of the US borrowing has been for international and discretionary purposes like war and trade - now we’re borrowing large-scale for domestic purposes. It seems to me that it’s like the difference between borrowing on a credit card to eat at restaurants and borrowing to buy groceries…)

As the dollar declines further, the US has a harder and harder time remaining solvent and inflation increases. At that point, more bad paper will emerge (i.e. more mortgage defaults as gas hits $10/gal and a loaf of bread costs $5), making this all get a whole lot worse.

This doesn’t seem to be the right way out.

USA Today made a fantastic point today - the USA is not following its own counsel. From the article:

Throughout more than a decade of recurrent crises in nations such as Mexico, Russia and Thailand, the United States offered the same advice: Let the market solve the problem and get the government out of the way……

…. In the 1990s, officials of the U.S. Treasury and the U.S.-backed International Monetary Fund urged the leaders of crisis-hit countries to embrace market-oriented policies designed to put their economies on sounder, long-term footing. But the recommendations — to slash government spending and privatize bloated state companies — meant genuine pain for millions and thus real political costs for leaders.

It seems to me that we’re taking massive short term action to avoid the long term consequences of our actions. It’s like someone who is writing bad checks: you write one, then you write another to cover that one (plus a little more), then another, and another, until, eventually, you can’t write a $1M check to cover everything you’ve done.

Unfortunately, as anyone who has piled lie on top of lie to avoid getting caught knows, if you come clean and pay the piper early, the pain isn’t so bad. It’s only by putting it off over and over again that we create a situation that ends up as a disaster.

It seems to me that this is just another way of putting off the inevitable. Anyone who has read the story of Japan’s collapse in the 90s knows what eventually happens - you eventually can’t cut the interest rate any further, and can’t borrow any more.

At that point, everything comes back in to line with a snap. And putting it off another six months only makes it hurt that much worse.


An Information Security Place Podcast - Episode 5 [An Information Security Place]

Posted: 19 Sep 2008 12:06 PM CDT

OK folks.  Here’s the long awaited episode 5 of the podcast.  Sorry for the delay in getting this one out.  Hurricane Ike put a big damper on our plans since I was without electricity for a few days.  Internet has been spotty as well, but it held up for Jim and me to record last night.

Link to MP3

Show notes:

  • Geek Toys - Personal RAID Devices - aka Drobo Review
  • Consultants Corner - Dealing with clients that are bound by compliance requirements.

Music:

  • Intro/Outro - Digital Breaks - “Therapy”
  • Segway 1 - Climax - “OnTheEdge”
  • Segway 2 - Climax - “Eternity”

Quicktime/iTunes DoS [Random Thoughts from Joel's World]

Posted: 19 Sep 2008 12:00 PM CDT

I've received several emails from readers and reporters asking me if I am going to post anything about this QT/iTunes DoS vulnerability, and my opinion..etc.

I think it's much ado about nothing. Okay, so QT or iTunes stops working. Uh. So? Really. So what. The program stops. That's it. It's a media app.

Call me when this vulnerability is remotely exploitable. THEN I'll be interested.

5 dumb business errors from Avenue Z [Roer.Com Information Security Blog - Information security for entrepreneurs]

Posted: 19 Sep 2008 11:49 AM CDT

Avenue Z is a blog that covers "the trials and tribulations of a new freelance copywriter". Not my usual cup of tea. But, being freelance usually means doing business, and doing business usually means making mistakes. No surprise there.

The errors made by Beth Z at Avenue Z may not seem too grave, nor too relevant, at first glance.

But failing to set targets for sales and income very soon means you are losing out on opportunities and reducing profit. And failing to sell to existing contacts usually means you both miss out on good business and spend more time to gain less business (I know of no industry where the cost of getting new clients is lower than the cost of getting more business from existing clients).

University of Lake Wobegon? [Emergent Chaos]

Posted: 19 Sep 2008 10:19 AM CDT

Spaf has an excellent post up about Purdue's decision to no longer be an NSA Center of Academic Excellence. He makes a number of thought-provoking points, among them that "excellence" loses its meaning if the bar is set too low, and that being an academic center and having a training (as opposed to educating) curriculum is a bit awkward. (These are my summaries of his views, obviously).

Spaf's been doing top-caliber infosec work since many of us were wearing short pants and riding tricycles. His thoughts on this topic are well worth considering.

SecuraBit Episode 10 [SecuraBit]

Posted: 19 Sep 2008 08:49 AM CDT

(Apologies in advance for the short term ‘wiki’ look of these show notes, the public wiki will be up soon!) This week Anthony Gartner, Chris Gerling, Chris Mills, Jason Mueller discuss the latest computer security news.  Special guest, Chris Wilson, talks about the increase of traffic on port 808. Episode 10 - A milestone! We are all still [...]


Surf Jack - Cookie Session Stealing Tool [Darknet - The Darkside]

Posted: 19 Sep 2008 05:46 AM CDT

A tool which allows one to hijack HTTP connections to steal cookies - even ones on HTTPS sites! Works on both Wifi (monitor mode) and Ethernet.

Features:

  • Does wireless injection when the NIC is in monitor mode
  • Supports Ethernet
  • Support for WEP (when the NIC is in monitor mode)

Known issues:

  • Sometimes the victim is not redirected correctly...

Read the full post at

Avast there! [Emergent Chaos]

Posted: 19 Sep 2008 12:00 AM CDT


You might not be able to think like one, but today you should certainly talk like a pirate.

Yo ho ho, shiver me timbers, etc. etc.

Image credit: charliekwalker

Links for 2008-09-18 [Hackers Center Blogs]

Posted: 19 Sep 2008 12:00 AM CDT

CERT: Home Network Security [Roer.Com Information Security Blog - Information security for entrepreneurs]

Posted: 18 Sep 2008 01:05 PM CDT

A document by CERT that gives home users an overview of the security risks and countermeasures.

IMO, most of the content is also relevant to SOHO (Small Office/Home Office) environments.

ViewStateUserKey Doesn’t Prevent Cross-Site Request Forgery [CGISecurity - Website and Application Security News]

Posted: 18 Sep 2008 11:29 AM CDT

"ViewStateUserKey is not a completely effective mitigation against Cross-Site Request Forgery. It doesn't work for non-postbacks (i.e. GET requests), and it doesn't work if the ViewState MAC is turned off. In several different places, we see a piece of advice repeated - use the ViewStateUserKey property to prevent One-Click Attacks....

Kudos to Starbucks after Ike [An Information Security Place]

Posted: 18 Sep 2008 10:44 AM CDT

The last few days have held many challenges.  Basic necessities like food and water have been in short supply.  Not so basic necessities like electricity, air conditioning (thank God for the cool front that came down right after the storm), phone, and TV have been gone.  But the one thing that has really bothered me is the loss of the Internet (Starbucks and other places were closed).  This has caused me to feel more disconnected than ever before.  And though it was probably good to unplug for a few days, it is also how I earn a living for the most part.    The information junkie in me is also suffering greatly.

So when the Internet came back up at the house, I was thrilled.  The junkie in me would be satiated. I started tapping a vein, and then I connected.  I started working and surfing.  I looked at what was going on with the world, with the tropics (nothing so far), and security.  I got some work done.  I reconnected.

Well, this morning, it all hit again like a brick.  Yes, the Internet was dead.  I was without my fix.  But hey, I remembered that Starbucks had opened up.  W00T!  I headed out for my fix. 

When I arrived, I ordered a beverage, and sat down to connect.  I expected the typical T-Mobile screen with the AT&T Internet link (I have AT&T broadband at the house, so Internet is free for me at Starbucks).  It surprised me when I connected straight to the Internet without any portal screen.  What was going on?  When I expressed surprise to the guy sitting next to me, he stated that they had opened up their Internet to everyone for free.  That was a pleasant surprise, even though it would have been free for me.  It really made me feel grateful, and it showed that people care.  So kudos to Starbucks on 2920 and Kuykendal in Spring, TX.  I appreciate you, and I will bring you my business from now on.


Lack Of Standards Adoption Are Softening NAC Uptake [Articles by MIKE FRATTO]

Posted: 18 Sep 2008 09:15 AM CDT

There are a lot of reasons why NAC adoption is slower than expected: it's expensive, it's complicated, there isn't always a clear benefit, competing IT projects are taking priority, and there is still a lot of confusion about NAC technologies. Until IT grasps ...

Malware Analysis Contest [The Security Shoggoth]

Posted: 18 Sep 2008 09:05 AM CDT

Last night at the NE Ohio Information Security Forum and the Security Justice podcast, I made an announcement about a malware analysis contest that Greg and I are putting on.

Starting from October 1, 2008 and ending October 26, 2008, we will be running a malware analysis challenge at In the challenge, participants will download a malware sample to analyze. The site will have a list of questions for participants to answer and send in. We will judge the answers and those scoring the highest will win prizes.

We have some great prizes donated by some very cool companies. To only name some, Hex-Rays is donating a copy of IDA Pro and No Starch Press is donating a copy of Chris Eagle's IDA Pro book. Addison-Wesley and KoreLogic Security are also donating prizes (yet to be announced).

I want to emphasize that you don't need to be a malware analysis expert in order to have a chance to win. The challenge is about learning. You don't need to get the answers 100% correct in order to win a prize. The goal is to learn malware analysis skills, try out new tools and have some fun in the process.

We're also looking for more companies to donate prizes. If you think your company would like to donate something for the contest, please contact me.

Please spread the word about the challenge. I'll be posting again once the challenge goes live to remind everyone!
