Posted: 27 Sep 2008 03:53 PM CDT
Video from the European Network and Information Security Agency (ENISA) focused on Social Networking.
Posted: 27 Sep 2008 02:42 PM CDT
It looks like the Fall 2008 phishing season has re-opened. In the last few days, I have seen more variations of the same phishing attack than I did the whole summer. The scam usually revolves around scaring users into giving up their username, email address and/or password. The pretexts vary, ranging from expiring email addresses to incorrect claims that the account was involved in illegal activities or spam abuse.
A common message typically looks something like this:
Obviously, no IT department will ever ask for passwords. Any email that you receive that asks for one (or any other personal or confidential information) should be promptly deleted and/or reported to your local abuse team. Another dead give-away is the contact email address at hotmail.
Interestingly enough, where phishing messages typically flooded an entire domain, the latest ones seem to be much more targeted: only 50-100 of the top-level managers received them. The attack is not customized and targeted enough to qualify as spear phishing, but it is not your regular run-of-the-mill phishing run either.
A typical response to such an attack is blocking messages at the border (inbound and outbound), retraction of delivered but unopened messages and log analysis to figure out if anyone responded to the phishing message.
When someone did respond, the first order of business is to disable that user's password until he or she has time to reset it (only in a controlled and authenticated fashion), and to review additional log files for any irregular behavior by that user.
As you may notice, log review is an essential tool in a response to a phishing attack. Make sure you have logs, but also that you can trust them, know where they are, and what they mean.
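The log-review step described above, as an added example that is not part of the original post: given a mail-gateway log and the scam's contact address, it lists who received the lure and which internal users wrote back to it, so the responder can decide who needs a controlled password reset and whose unopened copies can still be retracted. The one-line-per-delivery log format and the addresses are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample gateway log (not from the post); one delivery per line.
SAMPLE_LOG = """\
2008-09-27T09:58:10 in  from=<it-support@hotmail.com> to=<cfo@example.com>
2008-09-27T09:58:11 in  from=<it-support@hotmail.com> to=<cio@example.com>
2008-09-27T09:58:12 in  from=<it-support@hotmail.com> to=<vp.sales@example.com>
2008-09-27T10:14:33 out from=<cio@example.com> to=<supplier@partner.example>
2008-09-27T10:21:05 out from=<vp.sales@example.com> to=<it-support@hotmail.com>
2008-09-27T11:02:40 out from=<cfo@example.com> to=<it-support@hotmail.com>
"""

LINE_RE = re.compile(r'^(\S+) (in|out)\s+from=<([^>]*)> to=<([^>]*)>$')


def parse(log):
    """Yield (timestamp, direction, sender, recipient) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not match the expected format are skipped, not guessed at
            ts, direction, sender, rcpt = m.groups()
            yield datetime.fromisoformat(ts), direction, sender.lower(), rcpt.lower()


def phishing_triage(log, scam_addresses):
    """Return (received, responded): internal user -> time the lure arrived,
    and internal user -> time of the first outbound message to a scam address."""
    scam = {a.lower() for a in scam_addresses}
    received, responded = {}, {}
    for ts, direction, sender, rcpt in parse(log):
        if direction == 'in' and sender in scam:
            received.setdefault(rcpt, ts)
        elif direction == 'out' and rcpt in scam:
            # Any reply to the scam contact address counts, even if we never
            # logged the lure arriving (e.g. it was forwarded internally).
            responded.setdefault(sender, ts)
    return received, responded


def containment_plan(received, responded):
    """Users who replied need a controlled password reset and further log review;
    everyone else who received the lure is a candidate for message retraction."""
    reset = sorted(responded)
    retract = sorted(set(received) - set(responded))
    return reset, retract


if __name__ == "__main__":
    rcv, rsp = phishing_triage(SAMPLE_LOG, ["it-support@hotmail.com"])
    reset, retract = containment_plan(rcv, rsp)
    print("reset passwords for:", reset)
    print("retract lure from:", retract)
```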
Of course continued awareness training is important, as it may reduce the response efforts to containment and eradication.
Posted: 27 Sep 2008 02:19 PM CDT
Posted: 27 Sep 2008 12:56 PM CDT
Vulnerability management is still one of the most important things you can do to increase your security posture. To many people vulnerability management means scanning for vulnerabilities or applying the latest patch Tuesday updates. Of course there is much more to it than that. Managing the complete lifecycle of vulnerabilities is the key to successful risk management in this area. Whether PCI, HIPAA, SOX or just good old fashioned common sense is driving you to do it, vulnerability management is the right thing to do.
This week StillSecure announced the latest addition to our lineup of free security tools. VAM Lite is a freeware edition of our award-winning, enterprise-class VAM vulnerability management platform. VAM Lite has most of the features of the full VAM product but is limited to scanning just 100 devices and offers only our basic reporting package. Because you can only scan 100 devices, it does not support the distributed scanner architecture that full VAM does either.
If your organization has no more than 100 devices to scan, or if you just want to give it a try and possibly upgrade to full VAM once you see the value, download it from our site. It can run on a dedicated server or in a VMware environment as well.
If you like, try some of the other StillSecure freeware products like Strata Guard Free and Safe Access Lite as well.
Posted: 27 Sep 2008 09:07 AM CDT
Not Infosec related, but certainly noteworthy (to say the least).
Yves Rossy, popularly known as FusionMan, has crossed the English Channel using his jet-assisted wing!
Brightcove: FusionMan Crossing The English Channel Video
Wired.com: Soaring Over The Alps On Homemade Jet Wings
BBC News International: Pilot Completes Jetpack Challenge
Posted: 27 Sep 2008 08:11 AM CDT
Did you know that Hex-Rays IDA Pro sends a broadcast message to check whether the same licence is already in use by another computer on the network?
Indeed, a UDP broadcast is sent, and here is a packet example:
Frame 1337 (82 bytes on wire, 82 bytes captured)
Assume you bought a licence for 10 users. If 10 or more replies to the broadcast message come back, the local IDA will refuse to start.
What's the deal with VLANs?
As every serious networking professional out there, I definitely can't live on a flat network.
VLANs break broadcasts. It means that if 10 programmers are in VLAN 10, 10 others are in VLAN 20 and the last 10 are in VLAN 30, IDA will not refuse to start.
So, ask the network engineer whether VLANs are configured on the network and how they are designed (by department, by floor or by 802.1X) to save your users, or upgrade your licence before reaching the maximum user limit!
And if no VLANs are present on the network? Buy your network administrators coffee for two weeks or so and ask them to type the switchport protected command in interface configuration mode on the port where your RJ45 cord is plugged in. This command sets up a cheap private VLAN (PVLAN) that stops your host from receiving broadcast messages from layer 2 hosts (i.e., those attached to the same switch).
Posted: 27 Sep 2008 02:31 AM CDT
Apparently I had a bunch more of these holiday things leftover and decided to take the week off. However, it all went a bit sideways yesterday while I was looking for a particular image of something.
With a little playing around, I found you could fiddle with what seemed like any picture on Imageshack and grab the IP Address of the uploader. More here.
To their credit, Imageshack had it fixed in an hour which is pretty spectacular - from my experience, stuff like this can drag on for an age before anything is resolved.
Oh, and in case you were wondering about the image I was looking for:
Posted: 26 Sep 2008 06:01 PM CDT
Posted: 26 Sep 2008 05:45 PM CDT
While I am too busy to blog [I will explain why soon!], I wanted to give my readers some fun logging and security stuff to read.
So, I am releasing one of my favorite presentations, the one on log forensics, in its newest expanded form: "Logs for Incident Response and Forensics: Key Issues for GOVCERT.NL 2008"
Here it is also embedded below:
Logs for Incident Response and Forensics: Key Issues for GOVCERT.NL 2008
Posted: 26 Sep 2008 04:44 PM CDT
Update: From the pilot on my flight I got some light news... apparently that flight blew a tire and was stopped after it landed. *Whew!*
Hello folks, this post is a little off-topic, but as I sit here and stare out the Red Carpet Club window waiting for my 2-hour-late departing flight (gotta love La Guardia, eh?) I can see a NWA jet sitting out off of C concourse, with tons of emergency crews (3 fire trucks, police vehicles, and other various emergency vehicles as well as 3 buses) and lots of flashing lights but no movement from the plane. The plane is about 500' from the jetway, and there doesn't appear to be any immediate danger since other planes are buzzing about the area without issue.
Just thought I'd let everyone in on it, in case someone sees it on the news later. Weirdness.
Posted: 26 Sep 2008 01:03 PM CDT
Here I attempt to provide some information on some well-known certifications and resources. In doing this, I hope to entice and encourage other individuals to look further into obtaining any one of them.
Like most fields within IT, certification as a security professional helps to quantify the knowledge that an individual already has. But more importantly, it motivates individuals to learn new concepts. The following sections outline some of the more prestigious security certifications.
Updated article with CSSLP certification...
Continue reading "Security Certifications"
Posted: 26 Sep 2008 12:09 PM CDT
The Estonian Ministry of Defense has published the country’s official Cybersecurity Strategy Document, available for download at the Estonian MOD, or via the Infosecurity.US Public Documents Repository link after the jump. The Republic of Estonia is a member of NATO, and an ally of the United States.
Estonia Ministry of Defense: Cybersecurity Strategy
CIA Factbook: Estonia
NATO: List of Members
Estonia: The Government of the Republic of Estonia
Infosecurity.US: Estonian Cybersecurity Strategy
Posted: 26 Sep 2008 11:23 AM CDT
Mozilla has released Firefox 3.0.2 to address multiple vulnerabilities (evidently up to 11 bugs have been quashed). The fixes range from exploitable security vulnerabilities to usability modifications; testers at Infosecurity.US conclude that this release is, in fact, a significantly more robust product, warranting, in our opinion, more than a point-release moniker. Kudos to the Mozilla Foundation for the addition of new EV Roots.
From Mozilla’s Release Notes: “Firefox 3.0.2 contains the following updates:
Posted: 26 Sep 2008 11:22 AM CDT
PCU 400 can be used in a variety of configurations to cater for different network topologies and different levels of fault tolerance in the system. The alternatives include single or redundant PCU 400 units.
Description: A buffer overflow exists in the component that handles IEC60870-5-101 and IEC60870-5-104 communication protocols. The vulnerability was exploited by C4 to verify it can be used for arbitrary code execution by an unauthorized attacker. The description of the vulnerability is intentionally limited as this software controls critical national infrastructure.
Impact: An attacker can compromise the server which runs PCU400, which acts as the FEP server of the ABB SCADA system. This vulnerability is another method to carry out the “field to control center” attack vector mentioned in C4’s S4 2008 paper “Control System Attack Vectors and Examples: Field Site and Corporate Network”, which will allow the attacker to control other RTUs connected to that FEP. In addition, an attacker can use his control over the FEP server to insert a generic electric grid malware as specified in our SysScan08 presentation, in order to cause harm to the grid.
Both documents are available at http://www.c4-security.com/index-5.html .
Workaround/Fix: The vendor issued a hotfix to resolve this vulnerability.
The Register: World's Electrical Grids Open To Attack
Wikipedia: SCADA
Sandia National Laboratories: The Center For SCADA Security
C4 Security: ABB PCU400 Vulnerability
SecurityFocus: C4 Security Advisory - ABB PCU400 4.4-4.6 Remote Buffer Overflow
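As an added illustration of the input validation a protocol front end of this kind must perform (example code written for this digest, not C4's, ABB's or the PCU400's actual code, and not a description of the advisory's bug), a bounds-checked parser for the IEC 60870-5-104 APCI framing: the length octet arrives from the remote side and must be validated against both the protocol maximum and the bytes actually received before anything is copied into a fixed-size buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* IEC 60870-5-104 APCI: start octet 0x68, then one length octet giving the number
 * of octets that follow it (four control octets plus an optional ASDU), max 253. */
#define IEC104_START     0x68
#define IEC104_MAX_APDU  253
#define IEC104_CTRL_LEN  4
#define IEC104_ASDU_MAX  (IEC104_MAX_APDU - IEC104_CTRL_LEN)

enum { IEC104_I = 0, IEC104_S = 1, IEC104_U = 3 };

typedef struct {
    uint8_t ctrl[IEC104_CTRL_LEN];
    uint8_t asdu[IEC104_ASDU_MAX];   /* fixed bound, never sized from the wire */
    size_t  asdu_len;
} iec104_apdu_t;

/* Control octet 1, bits 1:0 select the frame format: x0 = I, 01 = S, 11 = U. */
int iec104_format(const uint8_t *ctrl)
{
    if ((ctrl[0] & 0x01) == 0) return IEC104_I;
    return (ctrl[0] & 0x03) == 0x01 ? IEC104_S : IEC104_U;
}

/* Parse one APDU from a receive buffer.
 * Returns the number of octets consumed, 0 if the frame is still incomplete,
 * or -1 if it is malformed (the caller should drop the connection and resync). */
int iec104_parse(const uint8_t *buf, size_t buflen, iec104_apdu_t *out)
{
    if (buflen < 2) return 0;                      /* need start + length octets */
    if (buf[0] != IEC104_START) return -1;
    size_t apdu_len = buf[1];                      /* remote-controlled value */
    if (apdu_len < IEC104_CTRL_LEN || apdu_len > IEC104_MAX_APDU) return -1;
    if (buflen < 2 + apdu_len) return 0;           /* never read past what was received */
    memcpy(out->ctrl, buf + 2, IEC104_CTRL_LEN);
    out->asdu_len = apdu_len - IEC104_CTRL_LEN;    /* <= IEC104_ASDU_MAX by the check above */
    int fmt = iec104_format(out->ctrl);
    if (fmt == IEC104_I && out->asdu_len == 0) return -1;   /* I-frames carry an ASDU */
    if (fmt != IEC104_I && out->asdu_len != 0) return -1;   /* S/U-frames are APCI only */
    memcpy(out->asdu, buf + 2 + IEC104_CTRL_LEN, out->asdu_len);
    return (int)(2 + apdu_len);
}
```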
Posted: 26 Sep 2008 09:21 AM CDT
News yesterday afternoon of The Senate Homeland Security and Government Affairs Committee approval of an update to the Federal Information Security Management Act.
E-Government Act (Public Law 107-347)
FISMA Final
Posted: 26 Sep 2008 08:42 AM CDT
Posted: 25 Sep 2008 11:16 PM CDT
Or does Greg LeMond seem like a little bitch by "confronting" Lance Armstrong during his press conference today? I don't think it's just me.
I have a busy weekend ahead of me so I better get my Huskers pick in now. Nebraska is a 7 point favorite in their game against Virginia Tech Saturday night. I'll give the points but I think the under (46) is the safer play. Nebraska 24 VT 13
USC is 2:43 from being beat. Looks like there will be a new #1 team on Monday!
Posted: 25 Sep 2008 11:09 PM CDT
Here it is Thursday night and we are four days into running the latest code on our LANenforcer 2024s. There have been a couple of rough spots but nothing that was not solvable. There is a feature or two that has changed in this latest release, and one of the changes caused some sporadic access issues Monday morning. The logs told the story and the problem was short lived. The second rough spot was self-inflicted: a TCP Idle setting we had configured on our primary LE was not configured on the new LE. This caused a long-running FTP job to abend, but like most things it was easily solvable. They just had to restart the FTP job. Of note was the apparent override of this setting on the LE where all of our users currently reside. Either it was overwritten or somebody changed the setting. Since I'm the only one that knew where the setting was, I'm fairly certain it was overwritten during the upgrade. It didn't affect anything but it was something we noticed.
Other than that it has been status quo around the Nevis homefront. I might have a couple of things that we are working through right now but I need to see how things play out before doing so.
Posted: 25 Sep 2008 10:26 PM CDT
We posted a Systems Engineer position at work this week on Monster.com. Every morning I get an email from Monster with jobs that match my profile. The funny thing is I never received an email containing the Systems Engineer position we posted. I guess Monster doesn’t think I’m qualified for my own job!
Posted: 25 Sep 2008 12:14 PM CDT
Oracle (NasdaqGS: ORCL) Security pioneer and all-around class act Pete Finnigan has just released, (along with his sponsor SENTRIGO, publishers of HedgeHog, and the winner of the SC Magazine 2008 Rookie Award) a new set of slides and video of his recent Oracle Security Master Class.
If you have not had the opportunity to attend one of Pete's superb webinars, I strongly suggest you watch the video (viewable via Microsoft Windows Media Player, or VLC), and hie thee over to PeteFinnigan.com to delve deeper.
PeteFinnigan.com: An update, slides, USA and a masterclass
Oracle Security Master Class Courtesy of Sentrigo: Database Security_Masterclass_With_Pete_Finnigan
Shout out to Melanie Marks, Director of Marketing at Sentrigo for permissions.
Posted: 25 Sep 2008 07:15 AM CDT
OWASP AppSec 2008 in New York City, day 2 is officially under way. Day 1 was tremendous simply because of all the great people I got to get back in contact with, and many I've never met in person before. There were also a bunch of wonderful presentations; for example, the w3af talk by Andres Riancho was not only very informative, but made me realize that commercial black-box web app sec tool vendors have some things to learn from w3af and the supporting group. The Cross-Site Scripting Filter Evasion talk by Alexios Fakos was also very good - filled the room and got a thunderous applause when that was over... great job. I think Alexios made lots of the folks in that room realize that their black-lists are not only very inadequate but that you can do so much more than most people even think to evade filters. Ivan Ristic's talk on mod_security was pretty good too. I think that if the commercial WAF vendors didn't have someone in the room paying attention, it will be their loss. No matter how you feel about the topic of WAF, Ivan's talk set the record straight in a lot of ways and clearly outlined the benefits and downfalls of the WAF community while highlighting mod_security.
I think I have to echo the folks I was standing around with and their sentiment when it comes to the ISC^2 tactic for party-scheduling. First off, a room-full of security nerds and an open bar is never a good idea for that much time... but when you first don't feed us and give us endless glasses of liquor before your talk on... whatever it was you talked about - I don't think anyone remembers what that talk was about. All I can recall was that someone won a 42" TV, and that my drink (Goose & cranberry) ended up being a Fruit Punch and grapefruit. I guess that's what I get for ordering from a guy that well...
As a final note - thanks to Trey and Darren for hanging out and drinking beers and eating some late-night dinner food... great times guys.
Now I'm off to the next day of presentations and lunacy.
Posted: 25 Sep 2008 06:44 AM CDT
Writing this one on the plane, where I just watched President Bush address the American people on why the Wall Street bailout plan is necessary. I think that the President actually did a good job of explaining how we got in this mess and what the consequences of doing nothing are, and even a decent job of explaining what his plan will try to do. He also was very clear about the fact that he is willing to accept changes to the plan suggested by a bi-partisan Congress. All of this is good but frankly scares the hell out of me! Things must be truly bad to bring about such a coalition as we have forming here. In that case I hope that what they have to do, they do quickly and smartly.
With everyone suspending everything to see this crisis through and put their 2 cents in, I wanted to put mine in too. For my part I would like to see something in the oversight of the financial industry that says all of these financial institutions must do something about information security and data protection. Personally I think requiring intrusion detection/prevention, vulnerability management and network access control (especially if they all work together) for each of these companies should be part of the package. Of course if they do require that, I demand that they have no limits on the compensation paid to security company executives ;-)
Posted: 25 Sep 2008 12:00 AM CDT