Sunday, September 28, 2008

Spliced feed for Security Bloggers Network

Social Networking: How to Avoid The Digital Hangover [Infosecurity.US]

Posted: 27 Sep 2008 03:53 PM CDT

Video from the European Network and Information Security Agency (ENISA) focused on Social Networking.

Phishing season opened [Kees Leune]

Posted: 27 Sep 2008 02:42 PM CDT

It looks like the Fall 2008 phishing season has re-opened. In the last few days, I have seen more variations of the same phishing attack than I have all summer. The scam usually revolves around scaring users into giving up their username, email address and/or password. The reasons vary, ranging from expired email addresses to incorrect claims that the account was involved in illegal activities or spam abuse.

A common message typically looks something like this:

Dear User

Due to spam complaints of email users in our webmail system, our
investigation shows that your email address is compromised and is used to send
out spam message in our webmail system. As a result, our network
engineer will be conducting a maintenance in our webmail system, your Username
will be disabled if you do not send us the required information within 24hrs.

Information Required:
Your Full Names:
Email address:
Password:
Retype Password:

E-mail: web.maintenancedept@hotmail.com
We value your business and thanks for using our Webmail Service.

Obviously, no IT department will ever ask for passwords. Any email that you receive that asks for one (or any other personal or confidential information) should be promptly deleted and/or reported to your local abuse team. Another dead give-away is the contact email address at hotmail.

Interestingly enough, where phishing messages typically flooded an entire domain, the last ones seem to be much more targeted-- only 50-100 of the top-level managers received it. The attack is not customized and targeted enough to qualify as spear phishing, but it is not your regular run-of-the-mill phishing run either.

A typical response to such an attack is blocking messages at the border (inbound and outbound), retraction of delivered but unopened messages and log analysis to figure out if anyone responded to the phishing message.

When someone did respond, the first order of business is to disable that user's password until he or she has time to reset it (only in a controlled and authenticated fashion), and to review additional log files for any irregular behavior of that user.

As you may notice, log review is an essential tool in a response to a phishing attack. Make sure you have logs, but also that you can trust them, know where they are, and what they mean.

Of course continued awareness training is important, as it may reduce the response efforts to containment and eradication.
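
The log review described above, as an added example that is not part of the original post: a small Python triage over a constructed, simplified Postfix-style mail log (real Postfix logs do not record subjects unless header_checks are configured, so the subject= fields here are an assumption). It lists who received the phish (retraction candidates) and who replied to the scam contact address from the post (accounts to disable and reset).

```python
import re

# Values taken from the phishing message quoted in the post.
PHISH_CONTACT = "web.maintenancedept@hotmail.com"
PHISH_SUBJECT = "Webmail Maintenance Notice"   # constructed subject line

# Constructed sample log (not real data): one phish delivered to three users,
# one of whom (bob) replies to the scam contact address.
SAMPLE_LOG = """\
Sep 26 08:01:02 mx1 postfix/cleanup[1201]: A1B2C3: message-id=<phish1@evil.example>, subject=Webmail Maintenance Notice
Sep 26 08:01:03 mx1 postfix/smtp[1210]: A1B2C3: to=<alice@corp.example>, status=sent (250 OK)
Sep 26 08:01:03 mx1 postfix/smtp[1210]: A1B2C3: to=<bob@corp.example>, status=sent (250 OK)
Sep 26 08:01:04 mx1 postfix/smtp[1210]: A1B2C3: to=<carol@corp.example>, status=bounced (550 unknown user)
Sep 26 08:30:11 mx1 postfix/qmgr[1005]: D4E5F6: from=<bob@corp.example>, size=812
Sep 26 08:30:12 mx1 postfix/smtp[1222]: D4E5F6: to=<web.maintenancedept@hotmail.com>, status=sent (250 OK)
Sep 26 09:12:40 mx1 postfix/qmgr[1005]: 778899: from=<alice@corp.example>, size=4021
Sep 26 09:12:41 mx1 postfix/smtp[1222]: 778899: to=<vendor@partner.example>, status=sent (250 OK)
"""

LINE = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)")
KV = re.compile(r"(\w+)=<?([^>,]*)>?")


def parse_queue(lines):
    """Group log lines by queue id into {qid: {from, subject, delivered}}."""
    msgs = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        rec = msgs.setdefault(m["qid"], {"from": None, "subject": None, "delivered": []})
        fields = dict(KV.findall(m["rest"]))
        if "subject" in fields:
            rec["subject"] = fields["subject"]
        if "from" in fields:
            rec["from"] = fields["from"]
        # Only count recipients the message actually reached.
        if "to" in fields and fields.get("status", "").startswith("sent"):
            rec["delivered"].append(fields["to"])
    return msgs


def phished_recipients(lines):
    """Internal users who received the phish: candidates for message retraction."""
    msgs = parse_queue(lines)
    return sorted(r for rec in msgs.values()
                  if rec["subject"] == PHISH_SUBJECT for r in rec["delivered"])


def responders(lines):
    """Internal users who mailed the scam contact address: disable and reset."""
    msgs = parse_queue(lines)
    return sorted(rec["from"] for rec in msgs.values()
                  if rec["from"] and PHISH_CONTACT in rec["delivered"])


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("retract from:", phished_recipients(lines))
    print("disable/reset:", responders(lines))
```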

Security Provoked Video episode 8 [Security Provoked]

Posted: 27 Sep 2008 02:19 PM CDT

There’s no guest for Episode 8, just Robert off on a little exploration of third-party cookies and how they relate to what’s broken in the security model for Web 2.0.

Do you need a free vulnerability management solution? [StillSecure, After All These Years]

Posted: 27 Sep 2008 12:56 PM CDT

Vulnerability management is still one of the most important things you can do to increase your security posture.  To many people vulnerability management means scanning for vulnerabilities or applying the latest patch Tuesday updates.  Of course there is much more to it than that.  Managing the complete lifecycle of vulnerabilities is the key to successful risk management in this area.  Whether PCI, HIPAA, SOX or just good old fashioned common sense is driving you to do it, vulnerability management is the right thing to do.

This week StillSecure announced the latest addition to our line up of free security tools.  VAM Lite is a freeware edition of our award winning, enterprise class VAM vulnerability management platform.  VAM Lite has most of the features of the full VAM product but is limited to scanning just 100 devices and offers only our basic reporting package.  Because you can only scan 100 devices, it does not support the distributed scanner architecture that full VAM does either.

If your organization can be scanned with just 100 devices or if you just want to give it a try and if you see the value possibly upgrade to full VAM, download it from our site. It can run on a dedicated server or in a VMware environment as well. 

If you like, try some of the other StillSecure freeware products like Strata Guard Free and Safe Access Lite as well.

Fusionman Crosses English Channel Using Jet Wing [Infosecurity.US]

Posted: 27 Sep 2008 09:07 AM CDT

Not Infosec related but certainly noteworthy, (to say the least).

Yves Rossy, popularly known as FusionMan has crossed the English Channel using his jet-assisted wing!

[1] Brightcove: FusionMan Crossing The English Channel Video
[2] Wired.com: Soaring Over The Alps On Homemade Jet Wings
[3] BBC News International: Pilot Completes Jetpack Challenge

VLAN lesson for IDA users [Francois Ropert weblog]

Posted: 27 Sep 2008 08:11 AM CDT

Did you know that Hex-Rays IDA Pro sends a broadcast message in order to check whether the same licence is already in use by another computer on the network?

Indeed, a UDP broadcast is sent, and here’s a packet example:

Frame 1337 (82 bytes on wire, 82 bytes captured)
Ethernet II, Src: Dell_ba:be:ca (00:21:70:ba:be:ca), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 1.2.3.4 (1.2.3.4), Dst: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: 23945 (23945), Dst Port: 23945 (23945)
Source port: 23945 (23945)
Destination port: 23945 (23945)
Length: 48
Checksum: 0x850a [correct]
Data (40 bytes)
Data: 4944410001000000494632FEDF56B6009331A4DFA2E42D00…

Assume you bought a license for 10 users. If 10 or more replies to the broadcast message are received, the local IDA will refuse to start.

What’s the deal with VLANs?

Like every serious networking professional out there, I definitely can’t live on a flat network.
Programmers can’t either, and most particularly IDA power-users, but most of them don’t know it yet.

VLANs break broadcast. It means that if 10 programmers are in VLAN number 10, 10 others are in VLAN number 20 and the last 10 are in VLAN number 30, IDA will not refuse to start.

So, ask the network engineer whether VLANs are configured on the network and how they are designed (by department, by floor or by 802.1x) to save your users, or upgrade your license before reaching the maximum user limit!

And if no VLANs are present on the network? Buy coffee for your network administrators for two weeks or so and ask them to type the switchport protected command in interface-level configuration mode for the port where your RJ45 cord is plugged in. This command gives you a cheap private VLAN (PVLAN) which denies your host broadcast messages from other layer 2 hosts (i.e. those attached to the same switch).
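
As an added example (not from the original post), the following Python picks the IDA licence beacons out of Wireshark-style capture summaries like the one above and counts announcing hosts per VLAN, so an administrator can see which broadcast domain is about to hit the seat limit. The capture text and the host-to-VLAN map are constructed; treating UDP port 23945 plus the leading bytes 49 44 41 ("IDA") of the data field as the beacon signature is an assumption drawn only from the packet shown in the post.

```python
import re
from collections import defaultdict

IDA_LICENSE_PORT = 23945   # UDP port seen in the post's capture
IDA_MAGIC = b"IDA"         # data field above starts 49 44 41 = "IDA" (assumed marker)

# Constructed, condensed capture summaries in the post's Wireshark text form (not real traffic).
CAPTURE = """\
Frame 1 (82 bytes on wire, 82 bytes captured)
Internet Protocol, Src: 1.2.3.4 (1.2.3.4), Dst: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: 23945 (23945), Dst Port: 23945 (23945)
Data: 4944410001000000494632FEDF56B6009331A4DFA2E42D00
Frame 2 (82 bytes on wire, 82 bytes captured)
Internet Protocol, Src: 1.2.3.5 (1.2.3.5), Dst: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: 23945 (23945), Dst Port: 23945 (23945)
Data: 4944410001000000494632FEDF56B600AAAA
Frame 3 (92 bytes on wire, 92 bytes captured)
Internet Protocol, Src: 1.2.3.6 (1.2.3.6), Dst: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: 137 (137), Dst Port: 137 (137)
Data: 8E2F01100001000000000000
Frame 4 (82 bytes on wire, 82 bytes captured)
Internet Protocol, Src: 1.2.4.7 (1.2.4.7), Dst: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: 23945 (23945), Dst Port: 23945 (23945)
Data: 4944410001000000494632FEDF56B600BBBB
"""

# Assumed host-to-VLAN mapping; in practice this comes from the switch configuration.
VLAN_OF = {"1.2.3.4": 10, "1.2.3.5": 10, "1.2.3.6": 10, "1.2.4.7": 20}

FRAME = re.compile(
    r"Src: (?P<src>[\d.]+).*?Dst Port: (?P<dport>\d+).*?Data: (?P<data>[0-9A-Fa-f]+)",
    re.S,
)


def parse_frames(text):
    """Return (src_ip, dst_port, payload_bytes) for each frame in a capture summary."""
    return [(m["src"], int(m["dport"]), bytes.fromhex(m["data"]))
            for m in FRAME.finditer(text)]


def is_ida_license_beacon(dport, payload):
    """Beacon heuristic: UDP to 23945 whose payload begins with "IDA"."""
    return dport == IDA_LICENSE_PORT and payload.startswith(IDA_MAGIC)


def ida_hosts_per_vlan(text, vlan_of):
    """Count distinct hosts announcing an IDA licence, grouped by broadcast domain (VLAN)."""
    hosts = defaultdict(set)
    for src, dport, payload in parse_frames(text):
        if is_ida_license_beacon(dport, payload):
            hosts[vlan_of.get(src, "unknown")].add(src)
    return {vlan: len(h) for vlan, h in hosts.items()}


def vlans_at_limit(text, vlan_of, seats):
    """VLANs where a newly started IDA would already see >= seats answers and refuse to run."""
    return sorted(v for v, n in ida_hosts_per_vlan(text, vlan_of).items() if n >= seats)


if __name__ == "__main__":
    print(ida_hosts_per_vlan(CAPTURE, VLAN_OF))   # {10: 2, 20: 1}
    print(vlans_at_limit(CAPTURE, VLAN_OF, 2))    # [10]
```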

IP Addresses of picture uploaders up for grabs, Imageshack fix it quickly [Vitalsecurity.org - A Revolution is the Solution]

Posted: 27 Sep 2008 02:31 AM CDT

Apparently I had a bunch more of these holiday things leftover and decided to take the week off. However, it all went a bit sideways yesterday while I was looking for a particular image of something.

With a little playing around, I found you could fiddle with what seemed like any picture on Imageshack and grab the IP Address of the uploader. More here.

To their credit, Imageshack had it fixed in an hour which is pretty spectacular - from my experience, stuff like this can drag on for an age before anything is resolved.

Oh, and in case you were wondering about the image I was looking for:

Aaaargh., originally uploaded by Paperghost.

That's right, kids. Bruce Lee saved the Internet.

XKCD [Infosecurity.US]

Posted: 26 Sep 2008 06:01 PM CDT

Presentation from GOVCERT.NL 2008: Log Forensics [Anton Chuvakin Blog - "Security Warrior"]

Posted: 26 Sep 2008 05:45 PM CDT

While I am too busy too blog [I will explain why soon!], I wanted to give my readers some fun logging and security stuff to read.

So, I am releasing one of my favorite presentations, the one on log forensics, in its newest expanded form: "Logs for Incident Response and Forensics: Key Issues for GOVCERT.NL 2008"

Here it is also embedded below:

Enjoy!

La Guardia/NWA Airport Craziness [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 26 Sep 2008 04:44 PM CDT
Update: From the pilot on my flight I got some light news... apparently that flight blew a tire and was stopped after it landed. *Whew!*
Hello folks this post is a little off-typic but as I sit here and stare out the Red Carpet Club window waiting for my 2hour late departing flight (gotta love La Guardia, eh?) I can see a NWA jet sitting out off of C concourse, with tons of emergency crews (3 fire trucks, police vehicles, and other various emergency vehicles as well as 3 busses) and lots of flashing lights but no movement from the plane. The plane is about 500' from the jetway, and there doesn't appear to be any immediate danger since other planes are buzzing about the area without issue.

Just thought I'd let everyone in on it, in case someone sees it on the news later. Weirdness.

Security Certifications [Malta Info Security]

Posted: 26 Sep 2008 01:03 PM CDT

Here I attempt to provide some information on some well known certifications and resources. In doing this, I hope to entice and encourage other individuals to look further into obtaining anyone of them.

Like most fields within IT, certification as a security professional helps to quantify the knowledge that an individual already has. But more important, it motivates individuals to learn new concepts. The following sections outline some of the more prestigious security certifications.

Updated article with CSSLP certification...

Estonian Defense Ministry Cybersecurity Strategy Published [Infosecurity.US]

Posted: 26 Sep 2008 12:09 PM CDT

The Estonian Ministry of Defense has published the country’s official Cybersecurity Strategy Document, available for download at the Estonian MOD, or via the Infosecurity.US Public Documents Repository link after the jump. The Republic of Estonia is a member of NATO, and an ally of the United States.

Thanks plus a Hat Tip to Gadi Evron

[1] Estonia Ministry of Defense: Cybersecurity Strategy
[2] CIA Factbook: Estonia
[3] NATO: List of Members
[4] Estonia: The Government of the Republic of Estonia
[5] Infosecurity.US: Estonian Cybersecurity Strategy

Firefox 3.0.2 Released - Multiple Vulnerabilities Addressed [Infosecurity.US]

Posted: 26 Sep 2008 11:23 AM CDT

Mozilla has released Firefox 3.0.2 to address multiple vulnerabilities (evidently up to 11 bugs have been quashed). Ranging from fixes for exploitable security vulnerabilities to usability modifications, testers at Infosecurity.US conclude that this release is, in fact, a significantly more robust product, warranting, in our opinion, a greater than point-release moniker. Kudos to the Mozilla Foundation for the addition of new EV roots.

From Mozilla’s Release Notes: “Firefox 3.0.2 contains the following updates:

  • Fixed several security issues.
  • Fixed several stability issues.
  • Official releases for Sinhala and Slovene are now available.
  • Beta releases for Bengali, Galician, Hindi, Icelandic, Kannada, Marathi, Telugu, and Thai are available for testing.
  • Fixed a number of minor issues with the layout of certain web pages.
  • Fixed several theme issues that affected right-to-left locales.
  • Fixed issue that caused some users with customized toolbars to have their Back and Forward buttons go missing (bug 426026)
  • Add new Extended Validation (EV) roots to Firefox 3.0.2.
  • On certain IDN sites, the password manager would not fill in username and password details properly.
  • Fixed several hangs and crashes that occurred when using screen readers.
  • Fixed Mac-specific issues:
    • Keyboard shortcuts would stop working in some cases.
    • Japanese, Korean, Chinese and Indic characters can not be entered (using IME) into text fields in Flash objects (bug 357670)
    • Firefox 3.0.1 could not be used when the user profile is stored on an AFP directory (bug 417037)’

C4 Security Advisory: SCADA Power Grid Exploit [Infosecurity.US]

Posted: 26 Sep 2008 11:22 AM CDT

News has surfaced this morning focusing on another SCADA software vulnerability - essentially putting the world wide power grid in serious jeopardy.

Good news: The vendor has issued a patch targeting the vulnerability. Bad news: When will the systems affected be patched?

From the Advisory: “PCU400, Process Communication Unit 400

forms the communication interface to the network of remote terminal units (RTUs) together with the RCS Application Software located in the application server of a Network Manager SCADA system.  The PCU400 can be used as a SCADA front-end, communication gateway for Substation Automation systems or as a standalone protocol converter.
Two parts define the Data Acquisition system:

  • RCS Application, a software package running in the Application Server
  • PCU400, a front-end converter that implements the protocols and connects the physical lines.

PCU 400 can be used in a variety of configurations to cater for different network topologies and different levels of fault tolerance in the system. The alternatives include single or redundant PCU 400 units.

Description: A buffer overflow exists in the component that handles IEC60870-5-101 and IEC60870-5-104 communication protocols. The vulnerability was exploited by C4 to verify it can be used for arbitrary code execution by an unauthorized attacker. The description of the vulnerability is intentionally limited as this software controls critical national infrastructure.

Impact: An attacker can compromise the server which runs PCU400, which acts as the FEP server of the ABB SCADA system.  This vulnerability is another method to carry out the “field to control center” attack vector mentioned in C4’s S4 2008 paper “Control System Attack Vectors and Examples: Field Site and Corporate Network”, which will allow the attacker to control other RTUs connected to that FEP. In addition, an attacker can use his control over the FEP server to insert a generic electric grid malware as specified in our SysScan08 presentation, in order to cause harm to the grid.

Both documents are available at http://www.c4-security.com/index-5.html .

Affected Version
PCU400 4.4
PCU400 4.5
PCU400 4.6
Other versions may be vulnerable, as they were not tested.

Workaround/Fix: The vendor issued a hotfix to resolve this vulnerability.

[1] The Register: World’s Electrical Grids Open To Attack
[2] Wikipedia: SCADA
[3] Sandia National Laboratories: The Center For SCADA Security
[4] C4 Security: ABB PCU400 Vulnerability
[5] SecurityFocus: C4 Security Advisory - ABB PCU400 4.4-4.6 Remote Buffer Overflow

FISMA Bill Update Garners Committee Approval [Infosecurity.US]

Posted: 26 Sep 2008 09:21 AM CDT

News yesterday afternoon of The Senate Homeland Security and Government Affairs Committee approval of an update to the Federal Information Security Management Act.

S. 3474, The FISMA Act of 2008, was introduced Sept. 11 by Sen. Tom Carper (D-Delaware), ostensibly to address FISMA compliance activities that are simply a rubber stamp.

From NIST: The E-Government Act (Public Law 107-347) passed by the 107th Congress and signed into law by the President in December 2002 recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA) requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

[1] E-Government Act (Public Law 107-347)
[2] FISMA Final

Friday News and Notes [Digital Bond]

Posted: 26 Sep 2008 08:42 AM CDT

  • The US House Energy and Commerce Committee decided to not address a bill giving FERC emergency powers for cyber security of the electric grid this session. This was more of a time issue than a position, and expect to see it come up again in the spring.
  • Lofty Perch has a temporary offer to provide CS2SAT free of charge to asset owners - - while supplies last.
  • Eyal Udassin of C4 Security in Israel disclosed a vulnerability in ABB’s PCU400 FEP this week. A patch is available.
  • For our Japanese readers - - JPCERT has launched a control system security portal page with links to pertinent information in Japanese.

Is It Just Me? [BumpInTheWire.com]

Posted: 25 Sep 2008 11:16 PM CDT

Or does Greg LeMond seem like a little bitch by “confronting” Lance Armstrong during his press conference today?  I don’t think it’s just me.

I have a busy weekend ahead of me so I better get my Huskers pick in now.  Nebraska is a 7 point favorite in their game against Virginia Tech Saturday night.  I’ll give the points but I think the under (46) is the safer play.  Nebraska 24, VT 13

USC is 2:43 from being beat.  Looks like there will be a new #1 team on Monday!

Four Days [BumpInTheWire.com]

Posted: 25 Sep 2008 11:09 PM CDT

Here it is Thursday night and we are four days into running the latest code on our LANenforcer 2024s.  There have been a couple of rough spots but nothing that was not solvable.  There is a feature or two that has changed in this latest release and one of the changes caused some sporadic access issues Monday morning.  The logs told the story and the problem was short lived.  The second rough spot was self inflicted: a TCP Idle setting we had configured on our primary LE was not configured on the new LE.  This caused a long running FTP job to abend but like most things it was easily solvable.  They just had to restart the FTP job.  Of note was the apparent override of this setting on the LE where all of our users currently reside.  Either it was overwritten or somebody changed the setting.  Since I’m the only one that knew where the setting was I’m fairly certain it was overwritten during the upgrade.  It didn’t affect anything but it was something we noticed.

Other than that it has been status quo around the Nevis homefront.  I might have a couple of things that we are working through right now but I need to see how things play out before doing so.

How Does That Happen? [BumpInTheWire.com]

Posted: 25 Sep 2008 10:26 PM CDT

We posted a Systems Engineer position at work this week on Monster.com.  Every morning I get an email from Monster with jobs that match my profile.  The funny thing is I never received an email containing the Systems Engineer position we posted.  I guess Monster doesn’t think I’m qualified for my own job!

Finnigan Oracle Master Class [Infosecurity.US]

Posted: 25 Sep 2008 12:14 PM CDT

Oracle HQ

Oracle (NasdaqGS: ORCL) Security pioneer and all-around class act Pete Finnigan has just released, (along with his sponsor SENTRIGO, publishers of HedgeHog, and the winner of the SC Magazine 2008 Rookie Award) a new set of slides and video of his recent Oracle Security Master Class.

If you have not had the opportunity to attend one of Pete’s superb webinars, I strongly suggest you watch the video (viewable via Microsoft Windows Media Player, or VLC), and high-thee-ho over to PeteFinnigan.com to delve deeper.

[1] PeteFinnigan.com: An update, slides, USA and a masterclass

[2] Sentrigo: Sentrigo Wins SC Magazine 2008 Rookie Security Company Of The Year Award

[3] Oracle Security Master Class Courtesy of Sentrigo: Database Security_Masterclass_With_Pete_Finnigan

Shout out to Melanie Marks, Director of Marketing at Sentrigo for permissions.

OWASP AppSec 2008 - New York [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 25 Sep 2008 07:15 AM CDT

OWASP AppSec 2008 in New York City, day 2 is officially under way. Day 1 was tremendous simply because of all the great people I got to get back in contact with, and many I've never met in person before. There were also a bunch of wonderful presentations; for example the w3af talk by Andres Riancho was not only very informative, but made me realize that commercial black-box web app sec tool vendors have some things to learn from w3af and the supporting group. The Cross-Site Scripting Filter Evasion talk by Alexios Fakos was also very good - filled the room and got a thunderous applause when it was over... great job. I think Alexios made lots of the folks in that room realize that their black-lists are not only very inadequate but that you can do so much more than most people even think to evade filters. Ivan Ristic's talk on mod_security was pretty good too. I think that if the commercial WAF vendors didn't have someone in the room paying attention, it will be their loss. No matter how you feel about the topic of WAF, Ivan's talk set the record straight in a lot of ways and clearly outlined the benefits and downfalls of the WAF community while highlighting mod_security.

I think I have to echo the folks I was standing around with and their sentiment when it comes to the ISC^2 tactic for party-scheduling. First off, a room-full of security nerds and an open bar is never a good idea for that much time... but when you first don't feed us and give us endless glasses of liquor before your talk on... whatever it was you talked about - I don't think anyone remembers what that talk was about. All I can recall was that someone won a 42" TV, and that my drink (Goose & cranberry) ended up being a Fruit Punch and grapefruit. I guess that's what I get for ordering from a guy that well...

As a final note - thanks to Trey and Darren for hanging out and drinking beers and eating some late-night dinner food... great times guys.

Now I'm off to the next day of presentations and lunacy.

Wall Street bailout - Do we need it? [StillSecure, After All These Years]

Posted: 25 Sep 2008 06:44 AM CDT

Writing this one on the plane, where I just watched President Bush address the American people on why the Wall Street bailout plan is necessary.  I think that the President actually did a good job of explaining how we got in this mess and what the consequences of doing nothing are, and even a decent job of explaining what his plan will try to do.  He also was very clear about the fact that he is willing to accept changes to the plan suggested by a bi-partisan Congress.  All of this is good but frankly scares the hell out of me! Things must be truly bad to bring about such a coalition as we have forming here.  In that case I hope that what they have to do, they do quickly and smartly.

With everyone suspending everything to see this crisis through and put their 2 cents in, I wanted to put mine in too. For my part I would like to see something in the oversight of the financial industry that says all of these financial institutions must do something about information security and data protection.  Personally I think requiring intrusion detection/prevention, vulnerability management and network access control (especially if they all work together) for each of these companies should be part of the package.  Of course if they do require that, I demand that they have no limits on the compensation paid to security company executives ;-)

Links for 2008-09-24 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 25 Sep 2008 12:00 AM CDT
