Posted: 01 Oct 2008 07:14 AM CDT
Social media and social networking continue to spread - and that includes the security community. If you have heard about twitter, wondered about a service that begins with 'twit’ and have pondered the advantages and concerns - listen in to the Security Roundtable that discusses those very points.
Our guest for this episode is Zach - security professional, friend of the show and curator of the Security Twits list.
Security Twits: http://n0where.org/security-twits/
Next Recording: Saturday, October 11, 2008 @ 10a Eastern - look for the live stream (and your chance to participate) around 10:15.
PS: 10 Days after the break-in and theft - we’re still working with insurance and others to sort out the mess, get the laptops replaced and head back out on the road. I will be posting a complete run-down of what happened, what we did well, what we learned and how we are going to improve. I’m also following the advice of my book - and will be publishing a set of requirements and inviting participation as we all learn smarter ways to protect ourselves. This will hit home for small businesses and those who travel a lot.
I am confirming some exciting opportunities this week and next - and should be back out on the road within the next 10-15 days. The theft slowed us down a bit, but has not stopped us. Not one bit. Thanks for your continued support and help!
This posting includes an audio/video/photo media file: Download Now
Posted: 01 Oct 2008 06:42 AM CDT
ISSA Triangle InfoSeCon 2008
Our company, Carolina Advanced Digital, is a Platium Sponsor of this year’s ISSA InfoSeCon 2008 in Raleigh, NC. Come see us, meet our new folks and hear my talk on ‘Network Security Stripped’.. it’s the only scheduled North Carolina presentation of this talk!
Also, don’t miss Raffy’s session on “Insider Threat, Governance, Risk, and Compliance (GRC), and Perimeter Threat” at the same event. Visit Raffy’s blog…
Registration is Open!
# # #
Posted: 01 Oct 2008 01:51 AM CDT
Spylogic pointed me to this interesting challenge.
It turns out that the Ohio information Security Summit is hosting (and dishing out prizes too) to people who try to analyze malware and document their findings. The contest is open Oct. 1 to Oct 26, and I just love it!
Howow - hold yer horses. Malware, you said? So this gotta be dangerous? Yes? Ok. Let us check their FAQ:
"Are you using real malware? Isn't that dangerous?
Yes and yes. The malware being used in the test is malware we pulled from the wild. It will infect machines it is run on so you should take every precaution to ensure you do not infect machines or networks you do not mean to."
Ah, so I need to use my lab for this.
Seriously, I think this may be a nice way to create awareness and interest for malware out in the jungle. Unfortunately for me, I will be nowhere near Ohio in October, but I will give it my best shot anyway. First, let me find an old, battered computer I can use for this test...
Posted: 30 Sep 2008 07:53 PM CDT
Hey, readership was down after my hiatus… I needed something catchy ;)
Next week, I’ll be unleashing “Network Security Stripped: From layered security to bare essentials” at the SecTor conference October 7-8 in Toronto.
It’s bound to be a great event- with keynotes by Johnny Long and Stepto (Stephen Tolouse) and sessions by the Hoff (with his Four Horsemen, My Little Pwnie Edition - don’t ask), HD Moore, Josh Perrymon, Bruce Potter and.. well you can read the whole roster of speakers yourself.
And I have to go first… why do I have to go first… ? *sigh
# # #
Posted: 30 Sep 2008 05:10 PM CDT
Posted: 30 Sep 2008 05:10 PM CDT
Posted: 30 Sep 2008 03:58 PM CDT
UCLA’s Mathematics Computing Group Manager Edson Smith, has reportedly discovered a new prime number. Kudos to Mr. Smith, who was responsible for deployment and implementation of GIMPS software on the UCLA Mathematics Department’s systems.
The effort is a direct output of the Great Internet Mersenne Prime Search (GIMPS). From the Mersenne announcement: ” 45th and 46th Known Mersenne Primes Found!!!! GIMPS set to claim $100,000 EFF award!
On August 23rd, a UCLA computer discovered the 45th known Mersenne prime, 243,112,609-1, a mammoth 12,978,189 digit number! The prime number qualifies for the Electronic Frontier Foundation’s $100,000 award for discovery of the first 10 million digit prime number. Congratulations to Edson Smith, who was responsible for installing and maintaining the GIMPS software on the UCLA Mathematics Department’s computers.On September 6th, the 46th known Mersenne prime, 237,156,667-1, a 11,185,272 digit number was found by Hans-Michael Elvenich in Langenfeld near Cologne, Germany! This was the first Mersenne prime to be discovered out of order since Colquitt and Welsh discovered 2110,503-1 in 1988. The nearly decade long quest for the EFF award came down to a close race to the finish - with just two weeks separating the discovery of the two primes.
As promised, GIMPS will give $50,000 of the EFF award to the UCLA Mathematics Department for discovering the first 10 million digit prime. $25,000 will go to charity, and most of the remainder will go to discoverers of the previous six Mersenne primes. You can read a little more in the short press release.”… Mersenne GIMPS Home  ComuterWorld: Grid power: Sysadmin discovers 13-million-digit prime number
Posted: 30 Sep 2008 03:51 PM CDT
When I used to receive 10-20 voicemail messages per day from the office, it was a complete pain in the arse to go through them each hour to make sure I wasn’t missing something important. When the server room was down? ”Sorry, didn’t get that memo,” was not a viable solution. So I looked at a service called Simulscribe. I fell in love with the service immediately. It was simple — Sign up, redirect voicemail to their phone number and never check my voicemail again. How do they do it? It’s simple, as PhoneTag (previously Simulscribe) shows you:
I wasn’t too skeptical of whether or not a service like this could take off. To my amazement, I was not the only person out there that valued their time and didn’t want to waste 30 minutes per day listening to messages (most of which were junk) when they could be working, on the golf course or simply taking a relaxing bubble bath. Today, PhoneTag has been written about in The New York Times, Forbes and even NPR (Radio? What’s that?).
Yeah, it may not be free anymore but I still highly recommend their service to anyone that cares about how they spend 1/16th of their work day. It’s a lot of time to be spending with a phone pressed against your ear and it can really hurt your neck. You wouldn’t want to get hurt by listening to voicemail, right? That’d be embarrassing.
Posted: 30 Sep 2008 03:42 PM CDT
I have had my share of blog wars with Richard Stiennon. I try to go easy on him now, so as to stay out of it. But, once again Richard shows that sometimes he just doesn't get it. His latest flub comes in a post on Nokia exiting the security appliance business.
Richard says in essence "good riddance". He says Nokia was lucky to capitalize on Check Points failure to come to market with an appliance. But they missed the boat by never developing their own solutions and moving into UTM (isn't UTM the answer to everything for Richard?) and other security technologies. Richard says they should have sold 5 years ago and now of course will have to take a bargain basement price.
Richard you are wrong because you don't understand Nokia's value. They never claimed to develop great software. They developed a great hardware platform. Yes Nokia is a giant telecommunications company and the appliance business was never really more than a small rounding error on the bottom line I guess. But the division that ran the appliance business did a good job.
I have met with and spoken to engineers and sales people who worked for Nokia. They were able to clearly articulate their value prop and never tried to hide the fact that they ran best of breed software on the appliance. The Nokia boxes were quality appliances. In a market where far too many appliances are Dell boxes with a different color bezel, the Nolia appliance was a more than just a white box. Over the last few years they branched out beyond Checkpoint and ran several other applications on the appliance. All in all, Nokia had a good product and a good channel. I wish they would sell StillSecure on a Nokia box.
Also, for a good explanation check out the comments to Richard's post by Gray haired security Wonk. If you think you know who it is, mail me.
Related articles by Zemanta
Posted: 30 Sep 2008 01:43 PM CDT
I wandered over to the PCI-SSC site today and noticed that they have reposted the press release from August 18 reminding everyone that the new version of the standard will be announced TOMORROW.
Thanks for the reminder; I'm pretty sure we all have that date etched into our brains via green laser.
Posted: 30 Sep 2008 10:39 AM CDT
The idea of advertising is not a new one. Google has mastered the online world, Clear Channel seems to own most of the real-life TV, radio and billboard advertising. Why couldn’t we start to allow people to advertise with their own vehicles?
Take a travelling sales guy (or girl) for instance. They travel over 150 miles per day down the highway, stuck in traffic, stopped at red lights and parked in open lots. Now take a product like LTLprints. They have something that seems to be fairly waterproof, durable to the sun and it doesn’t harm almost anything. What if we put these two together to form the greatest, movable advertising system ever. Inexpensive to produce (under $150), could be as small or as large as necessary and it won’t damage the vehicle.
Could you imagine a swarm of PostIt, AOL, Starbucks or Whole Foods cars driving around the highway? It would be advertising genius and could possibly make four different parties money. The advertiser gets customers, the company that designs the advertising gets paid, the company that places the ads gets a service fee and the car owner gets a cut of the placement.
One large issue is see is the control of the advertisements that go on YOUR vehicle. This could be solved with a simple two-way agreement system. Half.com uses it for selling your books. Someone opts to purchase the book (or space in this case) and the seller gets the chance to both name their price AND to take the offer or not.
Just a thought, keep it in mind if you’re looking to make big money. And if you don’t mind, send a slice of it my way.
Posted: 30 Sep 2008 08:50 AM CDT
Aditya K Sood of SecNiche has released a security advisory focused on Google’s Chrome Web Browser. The specific issue revolves around a window object remote denial of service. Submitted to SecurityFocuses’ BugTraq, the advisory’s details follow after the jump.
This security issue is a result of design flaw in the browser as function show stringent behavior in many cases. .Scripts must not close windows that were not opened by script,if script specific code is designed. There must be a parent window confirmation check prior to close of window.
Posted: 30 Sep 2008 08:40 AM CDT
Security Research Aditya K Sood of SecNiche has discovered, and reported (via BugTraq at SecurityFocus) a null pointer bug, leading to a potential Remote Denial of Service exploit targeting the new version of Mozilla’s Firefox 3.0.3. The full advisory appears after the jump…
From the Advisory: Mozilla Firefox User Interface Null Pointer Dereference Dispatcher Crash and Remote Denial of Service.*Version Tested:*
Exception Type: EXC_BAD_ACCESS (SIGBUS)
nsTArray&) + 261 (nsContentUtils.cpp:4083)This security issue is a result of unhandled exception which is a result
*Proof of Concept*
*Detection:* SecNiche confirmed this vulnerability affects Mozilla Firefox on Microsoft Windows XP SP2 platform.The versions tested are:
Mozilla 3.0.3 - 1.9.0 Branch
Posted: 30 Sep 2008 08:39 AM CDT
Garth Bruen over at KnujOn reports (via CNET) on congressional approval of the Ryan Haight Online Pharmacy Consumer Protection Act.
From the Act: “Ryan Haight Online Pharmacy Consumer Protection Act of 2008 - Amends the Controlled Substances Act to prohibit the delivery, distribution, or dispensing of controlled substances over the Internet without a valid prescription. Exempts telemedicine practitioners.
Defines “valid prescription” as a prescription that is issued for a legitimate purpose by a practitioner who has conducted at least one in-person medical evaluation of the patient.
Adds definitions to the Controlled Substances Act relating to online pharmacies and the issuance of prescriptions over the Internet.
Imposes registration and reporting requirements on online pharmacies.
Requires an online pharmacy to: (1) display on its Internet homepage a statement that it complies with the requirements of this Act; (2) comply with state laws for the licensure of pharmacies in each state in which it operates or sells controlled substances; (3) post on its Internet homepage specified information, including the name, address, and telephone number of the pharmacy, the qualifications of its pharmacist-in-charge, and a certification of its registration under this Act; and (4) notify the Attorney General and applicable state boards of pharmacy at least 30 days prior to offering to sell, deliver, distribute, or dispense controlled substances over the Internet.
Authorizes the Attorney General to issue a special registration under this Act for telemedicine practitioners.
Increases criminal penalties involving controlled substances in Schedules II, IV, and V of the Controlled Substances Act.
Authorizes states to apply for injunctions or obtain damages and other civil remedies against online pharmacies that are deemed a threat to state residents.”
Posted: 30 Sep 2008 08:32 AM CDT
Last week, the Swedish government made vital changes to the law they approved this summer.
According to Digi.no (sorry, only Norwegian), the Swedish government has changed the law, and there is no longer legal to do surveillance without consent.
In July, I covered the story when the Swedish approved the new law, allowing their police and surveillance teams to tap into ANY and ALL internet traffic that came through their country - no matter if there where any suspicions or not at hand. This meant that everyone suddenly became victims, and no-one would be able stay off their radar - innocent or not.
This time, the Swedish government where forced to redo the law. They had to add a quality control mechanism, something that has been a very well accepted rule in the western world for centuries - that any surveillance must be following (not followed by) a suspicion. Thus following the principle - innocent until proved guilty.
In the past (mainly since 9/11/2001), we have seen dramatic changes in how this principle is followed. Privacy is lessened by the day. Surveillance increases - with or without our consent. Our legal rights are set aside by the governments increased lack of control. And our politicians constantly fail to understand how technology changes the world - no, not slowly, but at speeds that keeps spinning the world around so fast that no-one are really able to grasp even the smallest of implications.
Today, laws tends to come around way too late to tackle the initial challenge. And instead of allowing the technology be an enabler, they tend to force into action regulations that are no longer relevant, to challenges no longer available.
I applaud the Swedish government for extremely quick action when they discovered their error. This kind of reaction is exactly what is required to stay up to date for any government. Don't just sit around, poking your stick in the ground, waiting for someone to decide for you.
Governments challenge is to turn their reactive regulations into proactive delegations. By using laws as enablers, as opposed to regulators as they are today, governments will be able to change the way we do business, and the way we use technology. And the way we interact.
Posted: 30 Sep 2008 08:30 AM CDT
I was scanning through my hundreds of RSS feeds and decided to share this with the rest of the class –
The gist of the story is that Google Finance was showing incorrect closing prices where it has the big red numbers as proper closing prices according to their stock charts. Who would notice this you ask? Everyone! It’s not a mundane detail. Things like Google’s finance services are relied on by many hundreds of thousands of people (I would venture a guess) and that means that it’s not only for fun, money-watching extravaganzas but also for their careers.
This leads to the point of this post — Attention to detail matters. It doesn’t matter if you’re building a house, raising a child or creating Google Finance, all of these things need a lot of attention to detail. It’s the little things that make the difference. Take a look at Yahoo’s old email compared to when Gmail rolled out. They both did the same basic things. They received and sent email, they categorized it and filed it away and they allowed email signatures. What Google did was made it simpler with the little things. They made the interface AJAXy and they redesigned how “folders” worked. They turned over a new leaf when it came to the amount of storage and more. Under the hood, the site did the same thing as Yahoo’s email but they blew them out of the water with the other pieces.
I know that a lot of this advices sounds like, “DUH! Everyone knows that!” But apprently that isn’t the case. Due to a coding error, miscommunication or some other issue, Google’s Finance missed one of the mundane details. If you had relied on their service for your job, you could be as low as the stock market really is today.
Posted: 29 Sep 2008 09:06 PM CDT
Oh yeah, I ran again. Except this time I got to mile 1, didn't hurt. So I decided to keep going.
Got to mile 2, still didn't feel it. Got to Mile 3, still not tired, but I decided not to kill my legs, just in case, and cut it short at 3.25 miles. Felt pretty good, wasn't sore or anything, so good stuff. I'll just keep ramping it up just a little bit every time until I get back up to my comfortable distance.
Subscribe in a reader
Posted: 29 Sep 2008 08:25 PM CDT
Posted: 29 Sep 2008 06:07 PM CDT
Posted: 29 Sep 2008 05:53 PM CDT
Yesterday’s SANS Handler’ Lorna Hutcheson posted a helpful (if you thrive on lists like I do) diary post enumerating the 10 signs of a potential compromise. Of course, if you notice these conditions (dependent upon cause), your systems are already toasted. At the very least, food for thought…
From Lorna’s post:
Posted: 29 Sep 2008 04:02 PM CDT
Posted: 29 Sep 2008 11:01 AM CDT
Posted: 29 Sep 2008 10:40 AM CDT
Federal Computer Week’s Alice Lipowicz reports on evidentiary data culled from a Federal Government Accounting Office (GAO) report detailing cybersecurity challenges at one of our nations’ most valuable laboratory assets. Evidence points to security lapses protecting information on the Lab’s unclassified computer network.
Summary statements from the report: “The Los Alamos National Laboratory (LANL), which is operated by the National Nuclear Security Administration (NNSA), has experienced security lapses protecting information on its unclassified computer network. The unclassified network contains sensitive information. GAO (1) assessed the effectiveness of the security controls LANL has in place to protect information transmitted over its unclassified computer network, (2) assessed whether LANL had implemented an information security program for its unclassified network, and (3) examined expenditures to protect LANL’s unclassified network from fiscal years 2001 through 2007. To carry out its work, GAO examined security policies and procedures and reviewed the laboratory’s access controls for protecting information on the unclassified network.”
Posted: 29 Sep 2008 10:08 AM CDT
Last week, during the OWASP AppSec 2008 Conference, the people behind the ubiquitous CISSP certification announced their latest creation — the Certified Software Security Lifecycle Professional (CSSLP). In front of a captive audience waiting for a 42″ plasma TV to be raffled, the Executive Director of (ISC)2 outlined this new certification designed to appeal to application security professionals. To his credit, Mr. Tipton stated very clearly that the CSSLP is not intended to measure one’s technical skillset. Unfortunately, it’s inevitable that employers will treat it as such.
You can read all the details on their website (except for the part about the certification not being a measure of practical skills). From what I can tell, the CSSLP is just the CISSP with different CBKs, or Common Bodies of Knowledge. As with the CISSP, they are going for broad knowledge, not depth. Starting in June 2009, you can get certified by taking a paper exam, likely a multiple choice test similar to the CISSP. Why June? Because the test isn’t even written yet — I’ve heard from several sources that they are actively soliciting their existing pool of CISSPs to help write test questions.
Ah, but what if you can’t wait that long and want to get certified right away? You’re in luck. If you act before March 31, 2009, you can get grandfathered in without even having to take the exam! That’s right, they call it the CSSLP Experience Assessment, and here are the requirements:
Let’s examine these requirements one at a time.
Three years of experience. (ISC)2 doesn’t provide any requirements on depth of experience, other than citing the broadly-defined CBKs. Considering they are targeting everyone from software developers to security assessors to business analysts (yes, really), chances are they are going to accept any experience that is even tangential to the SDLC or software security.
Short essays on four of the CBKs. I asked the (ISC)2 exhibitors specifically what they are looking for to satisfy this requirement, and they said the essays should be a general discussion of the CBK topic, optionally citing your personal experience in that area if you have any. This messaging is not quite aligned with the website guidance, which states that the essays should be “Accomplishment Records” which are self-reported descriptions of experience. Either way, with a maximum essay length of 500 words, it’s pretty obvious that substance is not (ISC)2’s first priority. Here’s one data point for you: I spoke to someone who has already submitted the CSSLP Experience Assessment, and he said it took about an hour to write the essays.
Get a CISSP to vouch for you. Actually this can be any (ISC)2 certified person, not just CISSPs. Contrary to what you’d expect, though, the person isn’t vouching for your skillset so much as they are confirming that the attestations on your resume are accurate.
Pay $650. You knew it was coming. After all, there is money to be made. How is it that qualifying for the CSSLP through professional experience should cost $650? If you’re taking the written exam, fair enough, (ISC)2 does incur the cost of administering and grading that exam (even though the Scantron machine is probably paid off by now). But $650 for the submitted-online Experience Assessment? If we assume that the person reading these essay submissions makes a rather generous $100k per year, then $650 accounts for roughly a day and a half. Will it really take that long to read a maximum of 2,000 words and pass judgment? Of course not. (ISC)2 wants to get as many people as possible to qualify based on “experience”, seeding the initial pool of CSSLPs and netting them $650 per head for doing next to nothing.
As Lee Kushner stated during his OWASP AppSec presentation (7 Habits of Highly Effective Career Managers), “the more people who own a cert, the less relevant it becomes.” Irrelevant — that’s exactly what the CISSP has become, and it’s exactly where the CSSLP is headed. Meanwhile, (ISC)2 will sit back and watch while you and your employers continue to fill their coffers.
In closing, let me acknowledge that this blog entry probably comes across as judgmental. I accept that. I’m not ranting against the idea of certifications, though admittedly I’m not a fan of them either. I am disappointed that (ISC)2, an organization with tremendous influence, could have created something more meaningful but chose not to. Why bother when people will just fork over the cash anyway?
Posted: 29 Sep 2008 09:02 AM CDT
Have you ever thought that your actions impacted more than your immediate surroundings? I’m really starting to think that the books that I author trigger some sort of butterfly effect. Take, for example, the OSSEC Host-Based Intrusion Detection Guide. About a month after the book hits the shelves, the OSSEC project is bought up by Third Brigade. Now this results in a positive, especially for Daniel Cid the creator, but nevertheless a strange coincidence.
The Nokia Firewall, VPN, and IPSO Configuration Guide, the latest book I was involved with which has yet to be published, hasn’t even made it out of the printers yet and today Nokia announces that it is selling off its firewall business. From the article:
Nothing, to my knowledge, has resulted from the publishing of the Nagios 3 Enterprise Network Monitoring book but I do not yet know the full extent of my powers. To the 700 Nokia staff who are impacted by this phenomena…I apologize but I didn’t know what writing that book would do to the universe.
Posted: 29 Sep 2008 08:56 AM CDT
jI received this amazing chain letter from my future father-in-law and I had to pass it on (yes, I did just say I’m passing along a chain letter but it caused me to LOL, ROFL, etc so I figured it might help your Monday as well). Enjoy. –
|You are subscribed to email updates from Security Bloggers Network |
To stop receiving these emails, you may unsubscribe now.
|Email Delivery powered by FeedBurner|
|Inbox too full? Subscribe to the feed version of Security Bloggers Network in a feed reader.|
|If you prefer to unsubscribe via postal mail, write to: Security Bloggers Network, c/o FeedBurner, 20 W Kinzie, 9th Floor, Chicago IL USA 60610|