Posted: 22 Sep 2008 02:31 PM CDT
European companies will be forced to tell customers if their personal data has been lost or stolen, as part of a new EC directive.
The data breach notification provision is part of the ePrivacy Directive that is currently being debated by the EU.
However, speaking to journalists in London, MEP Malcolm Harbour said
Posted: 22 Sep 2008 05:57 AM CDT
I am happy to announce the relaunch of Blogsecurify. I have some more announcements to make. Read on!
Blogsecurify will become a division of GNUCITIZEN. Although initially the project was planned to tackle blog-only security issues, today Blogsecurify moves into the more mainstream domain of social media platforms. Therefore, the Blogsecurify team will now test and research technologies outside of the blogosphere, including things such as wikis, feeds, social networks and all other types of social media technologies.
This is very exciting for us. We’ve got a blog, a testing tool and soon a wiki. However, we need smart people like you to join our exclusive team and make it all happen. It is an excellent opportunity if you are interested in investigating security issues in social media technologies. It is also an excellent opportunity to build yourself up as an opinion-making figure, and we promise to use the GNUCITIZEN media platform to promote all of the activities of the Blogsecurify tiger team.
So, if you have a passion for web security, you enjoy playing with Web 2.0 technologies and you are open to new opportunities, do not hesitate to contact us from our contact page. This opportunity is very unique and extremely exciting. So what do you think?
Posted: 21 Sep 2008 11:59 PM CDT
Posted: 21 Sep 2008 10:44 PM CDT
Today, I will be learning a new trade. Or at least I will take part in a new trade. I will be a local judge. No, not the Miss Local Salmon or whatever they call it. A real judge in a real court.
As the court of law is a part of security in the society, I am looking forward to this opportunity. I do realize that it is miles away from how I usually spend my time.
Anyway, enjoy your day in the sunshine, while I will try not to fall asleep in the dark halls of Justice!
Posted: 21 Sep 2008 10:34 PM CDT
Hi friends - Odds are, as you read this on Monday morning with your donut and latte, I'll be getting "Special Screening" from our friends at the TSA.
Why? I've got 3 one-way tickets booked, international, between Chicago, Ottawa (CA), Montreal (CA), and New York City. I didn't do it intentionally to get hassled, it just worked out that way, lovely for me. Conventional logic would tell you that of those 3 tickets, at least one of them will qualify for the "Special Screening" (with the SSSS on the bottom of the boarding pass). I'll report on what happens... stay tuned.
I can't wait to meet up with some folks at the AppSec event in NYC (OWASP '08)... it'll be a blast. For those of you coming to the 2 workshops in Ottawa and Montreal - see you there!
Posted: 21 Sep 2008 05:48 PM CDT
I’ve really been trying to stay out of this one. I really have. Mostly because everyone, and I do mean everyone, has this story covered. While mainstream media, in stories like this, were concentrating on where to place blame, whether nasty sites like wikileaks are legal (while dutifully linking the prurient details) and whether Ms. Palin was a victim or villain (how about just clueless), the Security Bloggers Network, yea the entire blogosphere, has been alight with posts about what we can learn from this incident and how to make sure this doesn’t happen to you. Kindred spirit Alan Shimel even weighs in with words of advice and consolation for Ms. Palin.
So what’s the most important takeaway from this ugly, yet amusing, incident? That Yahoo!’s email security policies suck? I’m guessing that Alan would answer that with a resounding “yes!” (albeit more emphatically and certainly more colorfully). Or is it that all web-based email services’ security sucks? Or maybe that there is a vast left-wing conspiracy to discredit our lovely GOP VP wannabe? (Oh! - I like that one).
Not to minimize or criticize the excellent analysis and advice proffered by fellow security bloggers, I think the most important takeaway was this:
Security is about managing risk. First you identify the assets that are exposed, then determine the threats that those assets will be exposed to, and finally determine how best to manage that risk. This was yet another, albeit high profile, case of poorly managed risk.
Does Yahoo!’s mail security, particularly their password reset mechanism, introduce threats? Of course. Same with Google Mail or Hotmail. Can these threats be mitigated? Of course. Is it safe for me to use webmail? Ah, now we get to the question, however obliquely, that we should have asked first. So let’s start at the beginning, shall we?
So if I’m me (which I was last time I checked) I would get a great deal of benefit from an online system like Yahoo! (disclaimer: I don’t actually use Yahoo!, I use something else), since I like to be connected everywhere and I make a point of keeping my work and personal stuff well separated.
In my case, the information assets that are exposed by my webmail are intentionally minimal. No important numbers or addresses and minimal Personally Identifiable Information.
The major threat to my assets is exposure due to data breach, with the most likely vector being a compromised password.
The value of my exposed information assets is pathetically low - my family weekend plans or my personal address list are, sadly, valuable only to me. So any common sense mitigation I can put in place will definitely make the effort required to compromise my data a very poor investment indeed.
Therefore, the convenience of having my todo list available on my iPhone far outweighs the risk of that data being exposed.
But then I’m not the Governor of Alaska and a vice presidential candidate. Ms. Palin should have gotten to #2 and started hearing all kinds of alarms going off. Barring that (hey, she only recently became a celebrity - er… high profile person) the answer to #5 is “no!” (actually “HELL, NO!”). Particularly since the data identified in #2 was not hers to risk - some of it belonged to the people of the sovereign state of Alaska. I can safely say that were I to expose my employer’s data via a personal online account, no matter what precautions I took and regardless of whether it were actually compromised, I would be fired. Immediately. Walked right out the door. And rightly so.
I’m pretty sure I wouldn’t get promoted to Vice President.
Posted: 21 Sep 2008 04:27 PM CDT
As part of my goal of wanting to post some risk scenarios and accompanying assessments on the blog, I went ahead and posted a profile of a company (and one of its subsidiaries) over on the "Initech, Inc" page. Instead of having to write background and "given" information for each and every risk scenario – doing it once will save a lot of time.
This approach is also important, because it underscores the importance of analyzing risk elements within the context of the organization that faces the exposure. Company X may have a strong security posture whereas Company Y may have a weak security posture. Thus, a threat agent may be able to come in contact with, take action against, and overcome Company Y's security controls but not be successful against Company X. It would not be reasonable for Company X's information security risk assessors to assume that since Company Y was impacted by a risk scenario, they are equally vulnerable as well.
So, take a look at the "Initech, Inc." page, have a good chuckle, and stay tuned for some upcoming risk scenarios, assessments, and interesting dialogue.
Posted: 21 Sep 2008 02:08 PM CDT
I attended SANS Helsinki 2008 last week. It was six days of intense forensics training and it went quite deep into the filesystem level, which definitely was useful to me. Now I understand the Sleuthkit tools much better, as I know what they actually touch, and I am able to do forensics-related tasks better.
Thumbs up also to Jess Garcia, he made it all much more interesting. There were also some tips presented in the course that I hadn't heard of before, which speed up analysis of information.
Posted: 21 Sep 2008 07:55 AM CDT
Quick background -- I used to be in the Army. I joined the Army in 1997, and got out in 2003. In the Army we used to have this thing called a PFT, or Physical Fitness Test.
One of the events in the PFT was a 2 mile run. I was always pretty good at this event, as I am not a huge guy. My best time in the 2 mile run was 10 minutes 26 seconds. A pretty respectable time. But, that was about 8 years ago. I was pretty good at running and ran several 10k's, 5k's and even a marathon. (Honolulu Marathon 2000)
I recently had a friend of mine, who is NOTORIOUS for making outrageous claims, say he could beat me at a marathon. Well, seeing as how this dude weighs about 100 more lbs than me, and is almost a foot taller than me, I KNOW I can beat him. 100 bucks says I can.
So I went out yesterday, got me a new pair of running sneakers (which I haven't had in about 5 years -- not even a new pair, but a pair period) and a Nike+ module for my shoe. (You know, one of those things that goes in your shoe and connects to your iPod Nano and tracks your progress)
I have to say, that's a pretty cool little thing. Now, please keep in mind that I haven't run AT ALL in about 5 years. Not even to the mailbox. So this morning I woke up, and ran my first two miles.
I'm happy to report that I am still alive. I am also happy to report that I can still pass the 2 mile run on the Army PT test. But I have a long way to go to build up to 26 miles again. (Seeing as how, before the Marathon I ran in 2000, I was 8 years younger and trained by running 10 miles every morning).
Posted: 21 Sep 2008 07:53 AM CDT
There's an interesting, if unsurprising, article up on darkreading about the security of hotel networks. I think we've all been to a hotel or two before that had, say, SNMP community strings that were easily guessable. In general, it seems that "Broadband" Internet access at hotels has morphed from being an amenity to simply being a given. However, it does not appear that most hotels take any real steps to manage that resource, or the people using it.
So, first, it seems from the study that hotels should look to technologies like Network Access Control to protect themselves. Second, we should all be mindful of just how open these networks are when our users come back from them.
Posted: 21 Sep 2008 07:08 AM CDT
Paul & Larry interview Fyodor, author of Nmap!
Posted: 20 Sep 2008 10:38 PM CDT
For more information on ShmooCon, see its description in our Infosec Conferences section. View our Calendar for a complete list of infosec events in and around the NoVA area. See ShmooCon’s CFP page for more information.
Posted: 20 Sep 2008 11:44 AM CDT
Posted: 20 Sep 2008 10:15 AM CDT
Carl Jongsma, Computerworld Australia gives some valuable input to how business should consider web-based e-mail.
Using the Palin e-mail hack as an example, Carl discusses how companies can learn from this and similar attacks.
Posted: 20 Sep 2008 01:20 AM CDT
Mental note to self: Take a closer and deeper look at Atlas, a monitor of IT-related threats.
Posted: 19 Sep 2008 11:59 PM CDT
Posted: 19 Sep 2008 05:11 PM CDT
An anonymous user writes "In his previous blog post, Sacha provided an updated list of the ASP.NET control HTML encoding information. He has now integrated the content into FxCop to help quickly identify spots in ASP.NET binaries that should be reviewed for XSS issues." Read more: http://blogs.msdn.com/sfaust/archive/2008/09/18/fxcop-htmlspotter-spotting-asp-net-xss-using-fxcop-and-html-encoding-document.aspx
Posted: 19 Sep 2008 04:40 PM CDT
Motley fool wrote an article blaming Yahoo! for the Palin Hack. Computerworld has pointed out Gmail, Yahoo, and Hotmail as being vulnerable as well. To be clear any site supporting answering of common questions as a way to restore account access is vulnerable. The issue is not that these sites are...
Posted: 19 Sep 2008 04:14 PM CDT
While walking the floor at Interop in NYC this week, I stopped to chat with the guys at the Cyberoam booth. Cyberoam provides a security appliance that provides identity-based Unified Threat Management (UTM). Similar to most Network Access Control (NAC) devices, the solution grants and denies access to systems and resources based on the IP+port destination address. Typically, this is done at the network layer by enforcing policies based on the requesting machine's MAC address (laptop X is allowed to access application Y on server Z).
Cyberoam's messaging is that they are identity-based. This means that the appliance (the red box below) doesn't enforce policies strictly based on MAC address (the user's hardware). It is identity-aware in that it knows who is logged onto the desktop, verifies policies and access rights against the network directory (Microsoft's Active Directory, for example) and grants access to the user rather than to the machine. This is a level of protection and intelligence above purely hardware-driven NAC solutions.
I can't vouch for Cyberoam as a solution. I haven't used it and don't know more than was told to me in a five minute conversation. But, I immediately recognized a use-case scenario for NetVision.
If access to systems and assets across the network is based on data held within Active Directory, then you better be able to monitor changes to that data and get immediate alerts if there's a policy breach. If it's true that 88% of IT admins would steal from their employers or snoop around the network, then an environment that puts the keys to the kingdoms in the hands of the Active Directory administrators needs a comprehensive ability to audit and monitor administrative activity.
So, if you are a Cyberoam customer or if you have a similar NAC or UTM solution that relies heavily on the network directory, please let me know. Even if you're not interested in finding a monitoring solution, I'll buy you a cup of coffee and maybe lunch if you're willing to tell me about your environment, the business challenges, how it's going, what risks you see, etc.
Posted: 19 Sep 2008 04:01 PM CDT
From the press release:
Of the 88 percent that said they would take valuable information with them, one third of devious IT administrators would take the privilege password list which would give them access to all the other sensitive and valuable documents and information such as financial reports, accounts, and HR records.
Also:
The survey also found that one third of IT staff admitted to snooping around the network, looking at highly confidential information, such as salary details, M & A plans, people's personal emails, board meeting minutes and other personal information that they were not privy to. They did this by using their privileged rights and administrative passwords to access information that is confidential or sensitive.
I guess if you're hiring an IT admin, you might ask if they participated in the Cyber-Ark study and if so, there's an 88% chance that you shouldn't hire them. I know the criticism about surveys like this, but is it really that hard to believe? Seems like human nature to me.
Posted: 19 Sep 2008 12:00 PM CDT
I've received several emails from readers and reporters asking me if I am going to post anything about this QT/iTunes DoS vulnerability, and my opinion..etc.
I think it's much ado about nothing. Okay, so QT or iTunes stops working. Uh. So? Really. So what. The program stops. That's it. It's a media app.
Call me when this vulnerability is remotely exploitable. THEN I'll be interested.
Posted: 19 Sep 2008 11:49 AM CDT
Avenue Z is a blog that covers "the trials and tribulations of a new freelance copywriter". Not my usual cup of tea. But, being freelance usually means doing business, and doing business usually means making mistakes. No surprise there.
The errors made by Beth Z at Avenue Z may not seem too grave, nor too relevant at first glance.
But failing to set targets for sales and income very soon means you are losing out on opportunities, and reducing profit. And failing to sell to existing contacts usually means you both miss out on good business, and also that you spend more time and gain less business (I know of no industry where the cost of getting new clients is lower than getting more business from existing clients).
Posted: 19 Sep 2008 11:25 AM CDT
I really like Saul Hansell's post in the NYT's Bits blog. He eloquently explains how it is that so many financial institutions managed to fail so spectacularly -- given that they are regulated as to how much risk they can expose themselves to.
In summary: the institutions had sophisticated computer models to warn management if things were getting too risky, but the people running the models didn't give the models the right data.
Saul summarizes the summary thus: "Lying to your risk-management computer is like lying to your doctor. You just aren't going to get the help you really need."
To summarize the summary of the summary: garbage in, garbage out.
Hat tip: Techmeme.
Posted: 19 Sep 2008 07:37 AM CDT
The recent “midwest wind storm” combined with some crazy work activities has hindered my ability to get in some blog postings. I took a few minutes this morning to quickly peruse some blogs and stumbled across this posting over at securosis.
I think it is pretty irresponsible for someone to pooh-pooh an emerging discipline in our profession by comparing it to financial risk management. The motive of being able to quantify information security risk is to allow for better decision making and understanding the cost of risk to an organization, not to make a profit. More on this in a future posting.
We all know that ostriches appear to bury their heads in the sand. However, apparently it is a myth that they do it because they are scared. They bury their eggs in the dirt or in a hole and once in a while, they stick their head in there to check up on the eggs or do whatever to them.
So, to the blog post author, while you have your head under the dirt checking up on your investment eggs, take another look at those risk quantification eggs.
Posted: 18 Sep 2008 10:27 PM CDT
In recent days the U.S. Department of Homeland Security (DHS) has been getting spanked pretty hard for being unprepared for cyberthreats. Since that mule has been pretty well beat to death, I’m not going to chime in on that. Instead, in the immortal words of the great philosopher sage Monty Python “And now for something completely different”.
I’d like you to know about something the DHS is doing right - the Ready Kids Campaign. From this press release on September 17:
If you have children you should definitely take advantage of this excellent resource. This is something that every family needs to consider seriously. Just like every business should have a Disaster Recovery Plan (DRP) and a Business Continuity Plan (BCP), (I’ll bet you were wondering how I was going to relate this to security) you need to have a Family Disaster Preparedness Plan (FDPP). Except that your FDPP is way more important than any DRP or BCP because this is your family, not some business, that we’re talking about. It’s critical to note that no disaster plan (or any plan for that matter) has value if all of the players don’t know their parts. In the same way that it is critical for a business to make sure all employees, especially those in leadership roles, have and understand current copies of the DRP and BCP documents, all members of your family must understand your FDPP. Furthermore, (and this is where many if not most businesses fall down) you must practice the plan. That’s right, it’s all very well and good to have a plan that calls for tuning the weather radio to the correct station in case of a tornado warning, but it doesn’t work too well if you don’t know what station that is or where to find the radio.
So this is where you can really leverage the “Let’s Get Ready!” resources. It can help you devise, disseminate and practice your family’s FDPP. While this specific program is targeted at families with young children, there are links on this page to many excellent resources. I will admit that I learned a few things and picked up some ideas for my family’s FDPP. According to the site, this month, as part of Emergency Preparedness month, Sesame Workshop will be distributing 150,000 of the free kits to families. These kits include not only the downloadable materials on the site, but a DVD that is great for young kids.
So get going on your own FDPP, and definitely check out the resources at DHS. Seriously, they’re not just about fighting terrorism and cyberthreats. Which I guess is a good thing. Sorry, couldn’t resist.
Information on “Let’s Get Ready!” is here. Materials are available in English and Spanish.
You are subscribed to email updates from Security Bloggers Network.
Email delivery powered by FeedBurner.