Monday, September 22, 2008

Spliced feed for Security Bloggers Network

European companies forced to own up to data losses [Malta Info Security]

Posted: 22 Sep 2008 02:31 PM CDT

European companies will be forced to tell customers if their personal
data has been lost or stolen, as part of a new EC directive.

The data breach notification provision is part of the ePrivacy Directive that is currently being debated by the EU.

However, speaking to journalists in London, MEP Malcolm Harbour said
he was confident that the data breach legislation will be approved.


Social Media Security [GNUCITIZEN]

Posted: 22 Sep 2008 05:57 AM CDT

I am happy to announce the relaunch of Blogsecurify. I have some more announcements to make. Read on!


Blogsecurify will become a division of GNUCITIZEN. Although initially the project was planned to tackle blog-only security issues, today Blogsecurify moves into the more mainstream domain - the social media platforms. Therefore, the Blogsecurify team will now test and research technologies outside of the blogosphere, including things such as wikis, feeds, social networks and all other types of social media technologies.

This is very exciting for us. We’ve got a blog, a testing tool and soon a wiki. However, we need smart people like you to join our exclusive team and make it all happen. It is an excellent opportunity if you are interested in investigating security issues in social media technologies. It is also an excellent opportunity to build yourself as an opinion making figure and we promise to use the GNUCITIZEN media platform to promote all of the activities of the Blogsecurify tiger team.

So, if you have passion towards web security, you enjoy playing with Web2.0 technologies and you are open for new opportunities, do not hesitate to contact us from our contact page. This opportunity is very unique and extremely exciting. So what do you think?

Grecs Twitter Updates for 2008-09-21 []

Posted: 21 Sep 2008 11:59 PM CDT

  • iphone lockdown - the next couple of tweets are just some thoughts i wanted to get down for a potential blog post #
  • iphone lockdown - enable pin; enable sim pin; disable bt when not being used; disable wifi when not being used #
  • iphone lockdown - enable option to wipe phone after 10 invalid pins (be sure to sync often though); enable ask to join wifi; reset home key #
  • iphone lockdown - is it unusable yet ;) #
  • iphone lockdown - enable cookies for just visited site; setup to connect to email servers via secure imap/pop; enable autolock #
  • iphone lockdown - require pin after 5 mins; disable js; disable plugins; enable pop-up blocker; clear cookies/cache/history often #
  • iphone lockdown - keep firmware patched to latest version; keep 3rd party apps up to latest version; sync often for backups #
  • iphone lockdown - use 3g in public areas instead of free/paid hotspot (or figure out way to do a VPN; basically turn off wifi unless home) #
  • iphone lockdown - wow, now it’s really not usable ;) #
  • security trends - servers > clients (os + 3rd party apps eg browser) > communications (mitm eg update servers, html code inject) #
  • social networking sec - more than just social engineering worries #
  • more social net probs - check out for a bunch of probs w/ twitter #

  • - pull info from multiple social networking sites; useful for social engineering testing; see what you can find out about yourself #
  • facebook hole - first photos & now fans #

New experience [Roer.Com Information Security Blog - Information security for entrepreneurs]

Posted: 21 Sep 2008 10:44 PM CDT

Today, I will be learning a new trade. Or at least I will take part in a new trade. I will be a local judge. No, not the Miss Local Salmon or whatever they call it. A real judge in a real court.

As the court of law is a part of security in the society, I am looking forward to this opportunity. I do realize that it is miles away from how I usually spend my time.

Anyway, enjoy your day in the sunshine, while I will try not to fall asleep in the dark halls of Justice!

TSA "Special Screening" Fun [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 21 Sep 2008 10:34 PM CDT

Hi friends - Odds are, as you read this on Monday morning with your donut and latte, I'll be getting "Special Screening" from our friends at the TSA.

Why? I've got 3 one-way tickets booked, international, between Chicago, Ottawa (CA), Montreal (CA), and New York City. I didn't do it intentionally to get hassled, it just worked out that way, lovely for me. Conventional logic would tell you that of those 3 tickets, at least one of them will qualify for the "Special Screening" (with the SSSS on the bottom of the boarding pass). I'll report on what happens... stay tuned.

I can't wait to meet up with some folks at the AppSec event in NYC (OWASP '08)... it'll be a blast. For those of you coming to the 2 workshops in Ottawa and Montreal - see you there!

Sarah Palin and the great Yahoo! angst [Security For All]

Posted: 21 Sep 2008 05:48 PM CDT

I’ve really been trying to stay out of this one. I really have. Mostly because everyone, and I do mean everyone, has this story covered. While mainstream media, in stories like this, were concentrating on where to place blame, whether nasty sites like wikileaks are legal (while dutifully linking the prurient details) and whether Ms. Palin was a victim or villain (how about just clueless), the Security Bloggers Network, yea the entire blogosphere, has been alight with posts about what we can learn from this incident and how to make sure this doesn’t happen to you. Kindred spirit Alan Shimel even weighs in with words of advice and consolation for Ms. Palin.

So what’s the most important takeaway from this ugly, yet amusing, incident? That Yahoo!’s email security policies suck? I’m guessing that Alan would answer that with a resounding “yes!” (albeit more emphatically and certainly more colorfully). Or is it that all web-based email services’ security sucks? Or maybe that there is a vast left-wing conspiracy to discredit our lovely GOP VP wannabee? (Oh! - I like that one).

Not to minimize or criticize the excellent analysis and advice proffered by fellow security bloggers, I think the most important takeaway was this:

Security is about managing risk. First you identify the assets that are exposed, then determine the threats that those assets will be exposed to, and finally determine how best to manage that risk. This was yet another, albeit high profile, case of poorly managed risk.

Does Yahoo!’s mail security, particularly their password reset mechanism, introduce threats? Of course. Same with Google Mail or Hotmail. Can these threats be mitigated? Of course. Is it safe for me to use webmail? Ah, now we get to the question, however obliquely, that we should have asked first. So let’s start at the beginning, shall we?

  1. What is the benefit received from a web-based email/calendar/contacts system?
  2. What are the information assets that would be exposed?
  3. What are the threats to those assets?
  4. How can those threats be mitigated?
  5. Given the value of the exposed assets, can the threats be mitigated sufficiently such that the risk can be accepted?
  6. Do the benefits outweigh the cost in money and risk?

So if I’m me (which I was last time I checked) I would get a great deal of benefit from an online system like Yahoo! (disclaimer: I don’t actually use Yahoo!, I use something else), since I like to be connected everywhere and I make a point of keeping my work and personal stuff well separated.

In my case, the information assets that are exposed by my webmail are intentionally minimal. No important numbers or addresses and minimal Personally Identifiable Information.

The major threat to my assets is exposure due to data breach, with the most likely vector being a compromised password.

I’ve already written a blog entry about password security and I also use some of the stuff outlined here.

The value of my exposed information assets is pathetically low - my family weekend plans or my personal address list are, sadly, valuable only to me. So any common sense mitigation I can put in place will definitely make the effort required to compromise my data a very poor investment indeed.

Therefore, the convenience of having my todo list available on my iPhone far outweighs the risk of that data being exposed.

But then I’m not the Governor of Alaska and a vice presidential candidate. Ms. Palin should have gotten to #2 and started hearing all kinds of alarms going off. Barring that (hey, she only recently became a celebrity - er… high profile person) the answer to #5 is “no!” (actually “HELL, NO!“). Particularly since the data identified in #2 was not hers to risk - some of it belonged to the people of the sovereign state of Alaska. I can safely say that were I to expose my employer’s data via a personal online account, no matter what precautions I took and regardless if it were actually compromised, I would be fired. Immediately. Walked right out the door. And rightly so.

I’m pretty sure I wouldn’t get promoted to Vice President.


Initech, Inc. [Risktical Ramblings]

Posted: 21 Sep 2008 04:27 PM CDT

As part of my goal of wanting to post some risk scenarios and accompanying assessments on the blog, I went ahead and posted a profile of a company (and one of its subsidiaries) over on the "Initech, Inc" page. Instead of having to write background and "given" information for each and every risk scenario – doing it once will save a lot of time.

This approach is also important, because it underscores the importance of analyzing risk elements within the context of the organization that faces the exposure. Company X may have a strong security posture where Company Y may have a weak security posture. Thus, a threat agent may be able to come in contact with, take action against, and overcome Company Y's security controls but not be successful against Company X. It would not be reasonable for Company X's information security risk assessors to assume that, because Company Y was impacted by a risk scenario, Company X is equally vulnerable.

So, take a look at the "Initech, Inc." page, have a good chuckle, and stay tuned for some upcoming risk scenarios, assessments, and interesting dialogue.


SANS Helsinki 2008 [Liquid Information]

Posted: 21 Sep 2008 02:08 PM CDT

I attended SANS Helsinki 2008 last week. It was six days of intense forensics training and it went quite deep into the filesystem level which definitely was useful to me. Now I understand the Sleuthkit tools much better as I know what they actually touch and I am able to better do forensics related tasks.

Thumbs up also to Jess Garcia; he made it all much more interesting. There were also some tips presented in the course that I hadn't heard of before, which speed up the analysis of information.

A tale of Physical Fitness [Random Thoughts from Joel's World]

Posted: 21 Sep 2008 07:55 AM CDT

Quick background -- I used to be in the Army. I joined the Army in 1997, and got out in 2003. In the Army we used to have this thing called a PFT, or Physical Fitness Test.

One of the events in the PFT was a 2 mile run. I was always pretty good at this event, as I am not a huge guy. My best time in the 2 mile run was 10 minutes 26 seconds. A pretty respectable time. But, that was about 8 years ago. I was pretty good at running and ran several 10k's, 5k's and even a marathon. (Honolulu Marathon 2000)

I recently had a friend of mine, who is NOTORIOUS for making outrageous claims, say he could beat me at a marathon. Well, seeing as how this dude weighs about 100 more lbs than me, and is almost a foot taller than me, I KNOW I can beat him. 100 bucks says I can.

So I went out yesterday, got me a new pair of running sneakers (which I haven't had in about 5 years -- not even a new pair, but a pair period) and a Nike+ module for my shoe. (You know, one of those things that goes in your shoe and connects to your iPod Nano and tracks your progress)

I have to say, that's a pretty cool little thing. Now, please keep in mind that I haven't run AT ALL in about 5 years. Not even to the mailbox. So this morning I woke up, and ran my first two miles.

I'm happy to report that I am still alive. I am also happy to report that I can still pass the 2 mile run on the Army PT test. But I have a long way to go to build up to 26 miles again. (Seeing as how, before the Marathon I ran in 2000, I was 8 years younger and trained by running 10 miles every morning).

Hotel Hacks [CTO Chronicles]

Posted: 21 Sep 2008 07:53 AM CDT

There's an interesting, if unsurprising, article up on darkreading about the security of hotel networks. I think we've all been to a hotel or two before that had, say, SNMP community strings that were easily guessable. In general, it seems that "Broadband" Internet access at hotels has morphed from being an amenity to simply being a given. However, it does not appear that most hotels take any real steps to manage that resource, or the people using it.

So, first, it seems from the study that hotels should look to technologies like Network Access Control to protect themselves. Second, we should all be mindful of just how open these networks are when our users come back from them.

PaulDotCom Security Weekly - Episode 123 Part I - September 18, 2008 [PaulDotCom]

Posted: 21 Sep 2008 07:08 AM CDT

Paul & Larry interview Fyodor, author of Nmap!


Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian


ShmooCon 2009 Infosec Conference Event []

Posted: 20 Sep 2008 10:38 PM CDT

The Shmoo Group has announced that the CFP is open for next year’s ShmooCon 2009 infosec conference event. Here are the logistics for next year’s conference:

  • Who: The Shmoo Group
  • What: ShmooCon 2009
    • ShmooCon is an annual East coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software & hardware solutions, and open discussions of critical infosec issues. The first day is a single track of speed talks, One Track Mind. The next two days, there are three tracks: Break It!, Build It!, and Bring It On!.
  • When: 2/6 - 2/8/2009
  • Where: Wardman Park Marriott Hotel (2660 Woodley Road, NW; Washington, DC 20008)

For more information on ShmooCon, see its description in our Infosec Conferences section. View our Calendar for a complete list of infosec events in and around the NoVA area. See ShmooCon’s CFP page for more information.

Security wrapped up [Roer.Com Information Security Blog - Information security for entrepreneurs]

Posted: 20 Sep 2008 11:44 AM CDT

Just love this cartoon :)


Palin e-mail hack gives better understanding of security [Roer.Com Information Security Blog - Information security for entrepreneurs]

Posted: 20 Sep 2008 10:15 AM CDT

Carl Jongsma, Computerworld Australia gives some valuable input to how business should consider web-based e-mail.

Using the Palin e-mail hack as an example, Carl discusses how companies can learn from this and similar attacks.

Note to self: Take a closer look [Roer.Com Information Security Blog - Information security for entrepreneurs]

Posted: 20 Sep 2008 01:20 AM CDT

Mental note to self: Take a closer and deeper look at Atlas, a monitor of IT-related threats.

Grecs Twitter Updates for 2008-09-19 []

Posted: 19 Sep 2008 11:59 PM CDT

Fxcop HtmlSpotter - Spotting ASP.NET XSS using Fxcop and Html encoding document [CGISecurity - Website and Application Security News]

Posted: 19 Sep 2008 05:11 PM CDT

An anonymous user writes "In his previous blog post, Sacha provided an updated list of the control html encoding information. He has now integrated the content into FxCop to help quickly identify spots in binaries that should be reviewed for XSS issues." Read more:

The Palin Hack: Why most question recovery systems suck [CGISecurity - Website and Application Security News]

Posted: 19 Sep 2008 04:40 PM CDT

Motley Fool wrote an article blaming Yahoo! for the Palin Hack. Computerworld has pointed out that Gmail, Yahoo, and Hotmail are vulnerable as well. To be clear, any site that supports answering common questions as a way to restore account access is vulnerable. The issue is not that these sites are...
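Both this post and the Security For All post above single out question-based account recovery as the weak link. The block below is an added example, not code from Yahoo!, Google, Microsoft or either blog, of the alternative a defender would reach for: a random, single-use, expiring reset token that is stored only as a hash, delivered out of band to a previously verified address, and limited in the number of wrong guesses it tolerates. The in-memory dictionaries, the 15-minute lifetime, the guess limit and the account names are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60   # assumption: a token is valid for 15 minutes
MAX_ATTEMPTS = 5              # assumption: wrong guesses tolerated before the token is voided
PBKDF2_ROUNDS = 200_000       # assumption: work factor for password hashing

# Constructed in-memory stores standing in for a user database.
_users = {"alice": {"salt": b"", "password_hash": b""}}
_reset_tokens = {}  # username -> {"digest": str, "expires": float, "attempts": int}


def _token_digest(token: str) -> str:
    # Only a hash of the token is stored, so a leaked table yields nothing redeemable.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def issue_reset_token(username: str, now: Optional[float] = None) -> Optional[str]:
    """Create a fresh single-use token for the account and return it.

    The caller sends the token out of band (to an address verified earlier).
    None is returned for unknown accounts; the HTTP response should look the
    same either way so the endpoint cannot be used to enumerate users.
    """
    now = time.time() if now is None else now
    if username not in _users:
        return None
    token = secrets.token_urlsafe(32)  # 256 random bits: nothing to guess or look up
    _reset_tokens[username] = {"digest": _token_digest(token),
                               "expires": now + TOKEN_TTL_SECONDS,
                               "attempts": 0}
    return token


def redeem_reset_token(username: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
    """Consume the token and set a new password. Returns True on success."""
    now = time.time() if now is None else now
    record = _reset_tokens.get(username)
    if record is None:
        return False
    if now > record["expires"]:
        del _reset_tokens[username]          # expired: discard it
        return False
    if not hmac.compare_digest(record["digest"], _token_digest(token)):
        record["attempts"] += 1              # wrong token: count it, void after too many
        if record["attempts"] >= MAX_ATTEMPTS:
            del _reset_tokens[username]
        return False
    del _reset_tokens[username]              # single use: invalidate before changing anything
    salt = secrets.token_bytes(16)
    _users[username] = {"salt": salt, "password_hash": _password_hash(new_password, salt)}
    return True


def verify_password(username: str, password: str) -> bool:
    """Check a login against the stored salted hash (constant-time compare)."""
    user = _users.get(username)
    if user is None or not user["password_hash"]:
        return False
    return hmac.compare_digest(user["password_hash"], _password_hash(password, user["salt"]))


if __name__ == "__main__":
    t = issue_reset_token("alice", now=0.0)
    print("redeem once:", redeem_reset_token("alice", t, "correct horse", now=10.0))
    print("redeem again:", redeem_reset_token("alice", t, "again", now=11.0))
    print("login with new password:", verify_password("alice", "correct horse"))
```

The design point is that nothing the attacker can research about the account holder helps: the token is unguessable, it only ever exists in the user's inbox and as a hash on the server, and a single redemption or the expiry window ends its life.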

Identity-Based NAC or UTM [Matt Flynn's Identity Management Blog]

Posted: 19 Sep 2008 04:14 PM CDT

While walking the floor at Interop in NYC this week, I stopped to chat with the guys at the Cyberoam booth. Cyberoam provides a security appliance that provides identity-based Unified Threat Management (UTM). Similar to most Network Access Control (NAC) devices, the solution grants and denies access to systems and resources based on the IP+port destination address. Typically, this is done at the network layer by enforcing policies based on the requesting machine's MAC address (laptop X is allowed to access application Y on server Z).

Cyberoam's messaging is that they are identity-based. This means that the appliance (the red box below) doesn't enforce policies strictly based on MAC address (the user's hardware). It is identity-aware in that it knows who is logged onto the desktop, verifies policies and access rights against the network directory (Microsoft's Active Directory, for example) and grants access to the user rather than to the machine. This is a level of protection and intelligence above purely hardware-driven NAC solutions.
I can't vouch for Cyberoam as a solution. I haven't used it and don't know more than was told to me in a five minute conversation. But, I immediately recognized a use-case scenario for NetVision.

If access to systems and assets across the network is based on data held within Active Directory, then you better be able to monitor changes to that data and get immediate alerts if there's a policy breach. If it's true that 88% of IT admins would steal from their employers or snoop around the network, then an environment that puts the keys to the kingdoms in the hands of the Active Directory administrators needs a comprehensive ability to audit and monitor administrative activity.
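As an added example of the monitoring this paragraph calls for (not NetVision's or Cyberoam's code), the script below scans group-membership events from a domain controller and raises an alert whenever an account is added to a privileged group. The log lines are constructed in a simplified key=value layout standing in for the real event records; the event IDs 4728, 4732 and 4756 are the Windows Security log IDs for a member being added to a security-enabled global, local or universal group, while the privileged-group list and the account names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the groups whose membership changes warrant an immediate alert.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Windows Security log event IDs: member added to a security-enabled
# global (4728), local (4732) or universal (4756) group.
MEMBER_ADDED_EVENTS = {4728, 4732, 4756}

# Constructed sample lines in a simplified key=value layout (not real EVTX output).
SAMPLE_LOG = """\
2008-09-19T16:14:03 EventID=4728 Subject=CORP\\jdoe Member=CORP\\svc-backup Group="Domain Admins"
2008-09-19T16:15:10 EventID=4728 Subject=CORP\\jdoe Member=CORP\\intern01 Group="Marketing"
2008-09-19T16:16:42 EventID=4732 Subject=CORP\\helpdesk Member=CORP\\tmpadmin Group="Administrators"
2008-09-19T16:17:00 EventID=4729 Subject=CORP\\jdoe Member=CORP\\svc-backup Group="Domain Admins"
this line is not an event and is skipped
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) EventID=(?P<eid>\d+) Subject=(?P<subject>\S+) '
    r'Member=(?P<member>\S+) Group="(?P<group>[^"]+)"$'
)


@dataclass
class Alert:
    timestamp: str
    actor: str     # the administrator who made the change
    member: str    # the account that was added
    group: str


def parse_event(line: str) -> Optional[dict]:
    """Return the fields of one event line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["eid"] = int(fields["eid"])
    return fields


def find_privileged_additions(log_text: str) -> List[Alert]:
    """Scan a log and return one Alert per addition to a privileged group."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["eid"] in MEMBER_ADDED_EVENTS and ev["group"] in PRIVILEGED_GROUPS:
            alerts.append(Alert(ev["ts"], ev["subject"], ev["member"], ev["group"]))
    return alerts


def format_alert(alert: Alert) -> str:
    return (f"[ALERT {alert.timestamp}] {alert.actor} added {alert.member} "
            f"to {alert.group}")


if __name__ == "__main__":
    for a in find_privileged_additions(SAMPLE_LOG):
        print(format_alert(a))
```

Run against the sample, only the two additions to Domain Admins and Administrators fire; the Marketing change and the later removal (4729) are ignored. In a real deployment the same logic would sit behind log forwarding from every domain controller, and the actor field is what makes the alert useful for the administrative-activity audit the paragraph asks for.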

So, if you are a Cyberoam customer or if you have a similar NAC or UTM solution that relies heavily on the network directory, please let me know. Even if you're not interested in finding a monitoring solution, I'll buy you a cup of coffee and maybe lunch if you're willing to tell me about your environment, the business challenges, how it's going, what risks you see, etc..

Cyber-Ark Study: 88% of IT admins would steal [Matt Flynn's Identity Management Blog]

Posted: 19 Sep 2008 04:01 PM CDT

From the press release:
Of the 88 percent that said they would take valuable information with them, one third of devious IT administrators would take the privilege password list which would give them access to all the other sensitive and valuable documents and information such as financial reports, accounts, and HR records.
The survey also found that one third of IT staff admitted to snooping around the network, looking at highly confidential information, such as salary details, M & A plans, people's personal emails, board meeting minutes and other personal information that they were not privy to. They did this by using their privileged rights and administrative passwords to access information that is confidential or sensitive.
I guess if you're hiring an IT admin, you might ask if they participated in the Cyber-Ark study and if so, there's an 88% chance that you shouldn't hire them. I know the criticism about surveys like this, but is it really that hard to believe? Seems like human nature to me.

Quicktime/iTunes DoS [Random Thoughts from Joel's World]

Posted: 19 Sep 2008 12:00 PM CDT

I've received several emails from readers and reporters asking me if I am going to post anything about this QT/iTunes DoS vulnerability, and my opinion, etc.

I think it's much ado about nothing. Okay, so QT or iTunes stops working. Uh. So? Really. So what. The program stops. That's it. It's a media app.

Call me when this vulnerability is remotely exploitable. THEN i'll be interested.

5 dumb business errors from Avenue Z [Roer.Com Information Security Blog - Information security for entrepreneurs]

Posted: 19 Sep 2008 11:49 AM CDT

Avenue Z is a blog that covers "the trials and tribulations of a new freelance copywriter". Not my usual cup of tea. But, being freelance usually means doing business, and doing business usually means making mistakes. No surprise there.

The errors made by Beth Z at Avenue Z may not seem too grave, nor too relevant, at first glance.

But failing to set targets for sales and income very soon means you are losing out on opportunities and reducing profit. And failing to sell to existing contacts usually means you both miss out on good business and spend more time to gain less business (I know of no industry where the cost of getting new clients is lower than the cost of getting more business from existing clients).

How Wall Street Lied to Its Computers [Richi Jennings]

Posted: 19 Sep 2008 11:25 AM CDT

I really like Saul Hansell's post in the NYT's Bits blog. He eloquently explains how it is that so many financial institutions managed to fail so spectacularly -- given that they are regulated as to how much risk they can expose themselves to.

In summary: the institutions had sophisticated computer models to warn management if things were getting too risky, but the people running the models didn't give the models the right data.

Saul summarizes the summary thus: "Lying to your risk-management computer is like lying to your doctor. You just aren't going to get the help you really need."

To summarize the summary of the summary: garbage in, garbage out.

Hat tip: Techmeme.

Risk Ostrich [Risktical Ramblings]

Posted: 19 Sep 2008 07:37 AM CDT

The recent “midwest wind storm” combined with some crazy work activities has hindered my ability to get in some blog postings. I took a few minutes this morning to quickly peruse some blogs and stumbled across this posting over at securosis.

I think it is pretty irresponsible for someone to pooh-pooh an emerging discipline in our profession by comparing it to financial risk management. The motive for being able to quantify information security risk is to allow for better decision making and understanding the cost of risk to an organization, not to make a profit. More on this in a future posting.

We all know that ostriches appear to bury their heads in the sand. However, apparently it is a myth that they do it because they are scared. They bury their eggs in the dirt or in a hole and once in a while, they stick their head in there to check up on the eggs or do whatever to them.

So, to the blog post author, while you have your head under the dirt checking up on your investment eggs, take another look at those risk quantification eggs.


Nice stuff from DHS for your FDPP [Security For All]

Posted: 18 Sep 2008 10:27 PM CDT

In recent days the U.S. Department of Homeland Security (DHS) has been getting spanked pretty hard for being unprepared for cyberthreats. Since that mule has been pretty well beat to death, I’m not going to chime in on that. Instead, in the immortal words of the great philosopher sage Monty Python “And now for something completely different”.

I’d like you to know about something the DHS is doing right - the Ready Kids Campaign. From this press release on September 17:

Today the Department of Homeland Security’s Ready Kids Campaign announced with Sesame Workshop a new tool on emergency preparedness for parents of young children called “Let’s Get Ready!” This guide aims to get families planning together for emergencies through simple activities and games that focus on talking to young children about the people, places and things that will keep the family safe during an emergency.

“Emergencies can happen at any time with little or no warning and, as we’ve seen with recent natural disasters, personal and family preparedness are critically important,” said Erin Streeter, Director of the Ready Campaign. “'Let’s Get Ready!’ gives parents the tools they need to talk to their young children in a very kid-friendly and non-threatening way and instill in them important information to help them deal with the unexpected.”

Specifically, the guide offers tips from Sesame Street’s and Rosita on how families can prepare their children for an emergency in age-appropriate ways such as:

  • Everyone, including young children, can play a role in planning for the unexpected.
  • Creating an emergency kit and plan that the entire family practices and shares is important.
  • Helping children learn personal information such as a phone number, their full names and the full names of their parents or caregivers, is helpful in case of any emergency.

If you have children you should definitely take advantage of this excellent resource. This is something that every family needs to consider seriously. Just like every business should have a Disaster Recovery Plan (DRP) and a Business Continuity Plan (BCP) (I’ll bet you were wondering how I was going to relate this to security), you need to have a Family Disaster Preparedness Plan (FDPP). Except that your FDPP is way more important than any DRP or BCP because this is your family, not some business that we’re talking about. It’s critical to note that no disaster plan (or any plan for that matter) has value if all of the players don’t know their parts. In the same way that it is critical for a business to make sure all employees, especially those in leadership roles, have and understand current copies of the DRP and BCP documents, all members of your family must understand your FDPP. Furthermore, (and this is where many if not most businesses fall down) you must practice the plan. That’s right, it’s very well and good to have a plan that calls for tuning the weather radio to the correct station in case of a tornado warning, but it doesn’t work too well if you don’t know what station that is or where to find the radio.

So this is where you can really leverage the “Let’s Get Ready!” resources. It can help you devise, disseminate and practice your family’s FDPP. While this specific program is targeted at families with young children, there are links on this page to many excellent resources. I will admit that I learned a few things and picked up some ideas for my family’s FDPP. According to the site, this month, as part of Emergency Preparedness month, Sesame Workshop will be distributing 150,000 of the free kits to families. These kits include not only the downloadable materials on the site, but a DVD that is great for young kids.

So get going on your own FDPP, and definitely check out the resources at DHS. Seriously, they’re not just about fighting terrorism and cyberthreats. Which I guess is a good thing. Sorry couldn’t resist.

Information on “Let’s Get Ready!” is here. Materials are available in English and Spanish.

