Thursday, October 2, 2008

Spliced feed for Security Bloggers Network


Python 2.6 Released [.:Computer Defense:.]

Posted: 02 Oct 2008 12:58 AM CDT

I haven't been blogging much lately (hopefully that will change shortly). However, I wanted to make sure I mentioned this. Python 2.6 has been released. What's new in Python 2.6 can be found here.

Links for 2008-10-01 [] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 02 Oct 2008 12:00 AM CDT

iPhone 3G v2.1 may have fixed more than my 3G signal strength [Vincent Arnold]

Posted: 01 Oct 2008 11:18 PM CDT

I was really beginning to get frustrated right before Apple released their 2.1 upgrade for the iPhone 3G. Like a lot of folks, dropped calls and a weak 3G signal strength were pretty common. My GPS signal strength in my home was pretty poor as well (actually most GPS’s don’t typically get great signals in a building anyway) but that didn’t bother me so much as the poor 3G reception.

After I upgraded to v2.1, I noticed that my 3G signal strength was stronger and to date, I have yet to have a dropped call, seriously. Where I was constantly getting 1 bar in my home for 3G, I now get 4 bars and it rarely drops down to Edge. Sure, the battery is drained faster when 3G is enabled but that was to be expected.

After fiddling around with the GPS tonight, I noticed that it now instantly picks up my location in my home, no matter what room I’m in. I don’t use it that much but I distinctly remember that it took forever to get a fix before and wouldn’t actually “fix” on my position. I would see the blue circle on the map in the area where the GPS “thought” I was located. Maybe this was not an enhancement in v2.1 but I am happy it is working well regardless.

Only the good die young . . . [StillSecure, After All These Years]

Posted: 01 Oct 2008 10:50 PM CDT

From today's Journal News in Westchester, NY:

Robert Hyman, known to most as Bob, a Pleasantville resident for twenty years, passed away on Monday, September 29, 2008. Devoted husband of Carolyn and father of Melanie, David and Sara, Bob was also a wonderful son, brother, friend, coach, attorney and community member. Born on March 18, 1953, Bob grew up in Rockaway, New York, where he developed his love for the beach, and his passion for the Yankees. An avid skier, hiker, and determined tennis enthusiast, Bob loved guiding his own children and influencing other young soccer athletes to love the game. A graduate of SUNY Oneonta, he later attained his law degree from Vermont Law School. Bob was a firm believer in social justice, dedicating his professional life to being an advocate for those in our society who are the most vulnerable, and most recently, victims of nursing home neglect and abuse. He was loved dearly by his family and friends and he inspired everyone he met. A wonderful human being, Bob leaves a legacy of kindness, generosity and a love for life. He is survived by his wife, three children, parents and sister.

Bob and I were business partners together back in the 80's.  We had great times together as we built a law practice, as well as starting our families.  Besides work, we spent a lot of time talking about sports, growing up in Queens, NY and our philosophies on life, politics and religion.  Bob was always there to lend a hand and help out someone who needed help.

As I grow older I realize that losing people is no longer limited to the "old" and the occasional accident. Though Bob was a little older than me, I always considered him a peer and friend. He was a quality person who will be missed by everyone who knew him, but most of all by his young children. Never has it been truer that "only the good die young".

Security Roundtable for September 27, 2008 [Network Security Blog]

Posted: 01 Oct 2008 07:48 PM CDT

This last weekend Michael Santarcangelo and I were joined by Zach, aka SecurityTwits to talk about security, the community and how we’ve adopted and adapted to social media.  This was another great example of how we just twittered that we needed a third on the show and got a great addition to the podcast. 

Security Roundtable for September 27, 2008




Point by point: Changes to PCI in 1.2 [Network Security Blog]

Posted: 01 Oct 2008 07:31 PM CDT

Version 1.2 of the Payment Card Industry Data Security Standard (PCI-DSS or just PCI) came out today. So of course, I'm on the road working with clients all day. I've looked over the pre-release change form and the pre-release version of the 1.2 standard, but of course I'm unable to look at the full release version let out today. Luckily I've got friends like Michael Dahn and the folks over at the Aegenis Group, who have given us a full rundown of the changes.

There don't appear to be any changes from the change form released last month, though there may have been one or two minor wording changes. In fact, most of the changes appear to be fairly minor overall. The only thing that's a little concerning about 1.2 is that it takes effect immediately and sunsets version 1.1 as of the end of the year. If you've got something that doesn't quite meet the new requirements, you've only got a few months to update and upgrade to catch up.


Exploit found in Microsoft Activesync RNDIS [Vincent Arnold]

Posted: 01 Oct 2008 06:58 PM CDT

As of ActiveSync 4.0, Microsoft has incorporated the Remote Network Driver Interface Specification (RNDIS) into the creation of a syncing session between a Windows Mobile device and its host PC. While the implementation of this technology has numerous advantages, it also creates an exploitable situation by which a host PC can be attacked.


Monthly Blog Round-Up - September 2008 [Anton Chuvakin Blog - "Security Warrior"]

Posted: 01 Oct 2008 06:19 PM CDT

As we all know, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today. These monthly round-ups are an attempt to remind people of useful content from the past month!

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts and topics.

  1. Shockingly, AGAIN this month, the "Top 11 Reasons to Secure and Protect Your Logs" came up as #1 most popular post (maybe driven by my poll).  BTW, see my other logging polls.
  2. Security ROI - and its parent topic "security metrics"/"measuring security" - is definitely an ongoing HOT debate. Indeed, the old post "Security ROI Pile-Up!" takes the #2 spot this month, possibly propelled by a more recent post "Second ROI War."
  3. Some say that "short blog posts rule", but, in reality, good, fun content is the best. Here is an example: the "Dumb Luck IS a Strategy!" post makes the top list. In it, I try to explore why people still ignore security concerns even when they stare them in the face...
  4. Discussion on what you can do to soften the impact of "getting 0wned" ( "What CAN You Do?") made the top list. Good!
  5. As before, my post "11 Signs That Your SIEM Is A Dog or "Raffy, You Killed SIM!"" made the list. It is both humorous and sadly true (and backed up by other sources).
  6. Still burning hot is a post with my irreverent comments on the Terry Childs saga. Namely, "On Doomsaying (Terry Childs case)", "So ... Am I? Maybe I Am!" and "Admins, Good Guys or "I am NOT an Idiot!""

See you in October.


How To Become A Security Blogger? [Anton Chuvakin Blog - "Security Warrior"]

Posted: 01 Oct 2008 05:04 PM CDT

I know, I know. Some might say that it is a silly question since you rarely seek to become a blogger - you just become one.

However, I got a few emails from my readers asking me something along these lines, thus this post. For example, I got asked "Should I focus more on targeting security professionals or general IT users?", "Any pitfalls I should be aware of?" as well as general questions about how to start, what content is best, etc., all the way to "How did I profit from my blog?"

Q: Who should I blog to?

A: Blog to colleagues first i.e. infosecurity pros. Blogging to IT or general public is - in some sense - harder or - gasp! - will turn you into a journalist (someone who knows nothing about everything BUT writes about it as an "expert" :-)) Maybe you can broaden it later. Even better, write for YOU (!)

Q: What area of security I should focus my blogging on?

A: Focus on the area of security that you like the most or know the most: IDS? Patching? PIX administration? Linux? AD esoterica? Logs, maybe? :-) Then broaden if you feel like it or as you learn new areas.

Q: Any advice on site design, themes, etc?

A: Site design, themes, etc will all come later; just pick something basic and FOCUS on content, not on SEO, design, etc. MUST have RSS feed; make it highly visible (HTML is out, RSS is IN :-))

Q: Any security blogging pitfalls that I should avoid? Any other tips?

A:

  • Don't stick to only long, deep posts. Unbelievably, people often prefer shorter posts or a mix of short/shallow and longer/deep posts (that came as a shock to me early on!)
  • Tips on how to do whatever useful work well; comments on hot issues (that you understand) works too for a shorter post.
  • Definitely comment on other bloggers posts (more often early on, later - as you wish...)
  • Avoid long breaks in blogging (>7 days); it will lead to reader loss (you should only care about it later - focus on fun content first!)
  • Join Security Bloggers Network (drop an email to Alan Shimel for it)

Q: Has blogging in this niche generated any income for you? If so, how much?

A: Exactly $0. The reason is that I never wanted to "monetize" my blog; I don't have banners, etc. This is by design.

Q: How did it help your professional career in a significant way?

A: Yes, I think it helped my career and connected me to a lot of fun people! I sure hope I am not "known only as a blogger", but a blog can definitely make one much more known professionally, especially if you create fun and/or useful content.

Overall, a blog is a time commitment, but it is also a passion. It does help your career, but "forcing" yourself to do it just for "career benefits" is, IMHO, a wrong approach.

Yo, my fellow bloggers; help the newbies out, will ya?! Let's start a series of posts on "how to be a good security blogger!"

UPDATE: really good post "Why Blog?" from Richard.

Dedicated to All PMs Out There [Anton Chuvakin Blog - "Security Warrior"]

Posted: 01 Oct 2008 04:55 PM CDT

A must read on product management... funny as life :-)

"You Might be a PM if…

· … someone asks about your weekend plans and your answer consists of a list of Pri ones, twos, and threes.

· … you've ever ended a relationship using a PowerPoint presentation."


Pimping for Accuvant and Palo Alto Networks [An Information Security Place]

Posted: 01 Oct 2008 04:40 PM CDT

To everyone reading this, take it from me that Palo Alto Networks has some excellent stuff.  I have seen this put into production networks and watched it give tremendous insight into what is getting in and out.  I wish this box had been around when I was an Information Security Manager and Network / Security Engineer.  It would have made my life a lot easier because I would have been able to block traffic according to layer 7, not just the traditional port / IP combination like in typical firewalls.  Please read below for a tease of what you will see if you are in the Houston area and come see the seminar.


The network security space is in desperate need of innovation!  It’s no secret that the Internet generates the majority of traffic on today’s corporate networks.  The question is, how can you know exactly what that traffic is, and control it in a way that’s best for your business?

Comprehensive Internet visibility and control is now essential – not just of network ports, but of the actual applications, users, and content flowing through the firewall. Unfortunately, traditional firewalls are missing three key ingredients that prevent them from delivering the Internet security and protection your organization requires.

Please join us for a 90-minute seminar that puts a spotlight on what’s really happening in today’s enterprise networks, and provides strategic guidance on how to regain the visibility and control you need.


  • New research on the top high risk applications running on more than 50 enterprise networks today
  • Insights into a new generation of evasive applications and related threats capable of bypassing your firewall controls
  • A look at three new network security requirements – missing from traditional firewalls – that will restore IT’s ability to manage these and other Internet risks

In addition, you’ll hear from a CISO of a leading Midwest bank, who has experienced the pain that comes with the inability to control Internet traffic, but is now enjoying unprecedented network visibility and control.

Date: Wednesday, October 22nd, 2008

Time: 11:30 am to 1:00 pm (registration begins at 11:15 and lunch served)


Sullivan’s of Houston
4608 Westheimer
Houston, TX 77027  (MAP & DIRECTIONS)
Phone: (713) 961-0333
To reserve your place at this luncheon, please click HERE.


Really Good Point From Schneier ... [Anton Chuvakin Blog - "Security Warrior"]

Posted: 01 Oct 2008 04:37 PM CDT

Read all here; the key point is: "The same is true for knitting needles [...] and whatever else the airport screeners are confiscating this week. If there's no consequence to getting caught with it, then confiscating it only hurts innocent people. At best, it mildly annoys the terrorists.

To fix this, airport security has to make a choice. If something is dangerous, treat it as dangerous and treat anyone who tries to bring it on as potentially dangerous. If it's not dangerous, then stop trying to keep it off airplanes. Trying to have it both ways just distracts the screeners from actually making us safer."

Doesn't it just make sense?!

Security + Logging + Virtualization Podcast [Anton Chuvakin Blog - "Security Warrior"]

Posted: 01 Oct 2008 03:45 PM CDT

Here is a fun podcast a bunch of us (yes, including Chris, of course!) did on security, logging and virtualization (audio, full transcript).

It is actually a fun read / listen, if you are into either/all of these three :-)

Here is the brief blurb on that from the podcaster site: "To help learn about new ways that systems log tools and analysis are aiding the ramp-up to virtualization use, I [Dana Gardner] recently spoke with Charu Chaubal, senior architect for technical marketing, at VMware; Chris Hoff, chief security architect at Unisys, and Dr. Anton Chuvakin, chief logging evangelist and a security expert at LogLogic."

One More Thing About GOVCERT.NL 2008 [Anton Chuvakin Blog - "Security Warrior"]

Posted: 01 Oct 2008 03:36 PM CDT

This is a post that I forgot to post from my drafts folder...

I am [well, I was :-) when I created it] flying back from GOVCERT.NL 2008 and lemme tell you! I have never seen a security conference that was THAT well-organized. Really! Everything just worked. Keynotes (first, second) were - gasp! - fun and useful (take that, RSA! :-))

My presentation was "Logging for Incident Response and Forensics: Key Issues" and I promise to post it online (here). BTW, if you attended the presentation, feel free to send the questions direct to me (since I didn't have time to answer them all at the end)

Crazy Consolidation Will Continue [Security Incite Rants]

Posted: 01 Oct 2008 02:52 PM CDT

They say it's very healthy to laugh a good, hearty laugh every single day. I try to do that, and thankfully we all have Stiennon to give us fodder at least once a week. His latest missive had me howling. Though I'm sure he didn't mean it to be so funny, his piece on the McAfee/Secure Computing deal was exactly that.

You see, Stiennon fancies himself as a contrarian. Yet, most of the time he seems to be a contrarian just to be a contrarian. Clearly the "IDS is dead" call has been totally merged into his DNA and he's not capable of viewing anything through any other prism. In fact, it seems Stiennon's MO now is to not say anything unless he has something contrarian to say.

Listen, if I made a ballsy call like IDS is dead, then I'd probably be wanting to relive it every working day for the rest of my career. 5 years later we are still talking about it. Or at least Richard is. Indulge me for a second and let's visualize a phone call to Richard's office.

(ring, ring)
Stiennon: Hello, this is Stiennon. Did you know that IDS is still dead? What can I do for you? How about a keynote speech?

Caller: Hi Richard. This is 2008 calling.

Stiennon: Huh? What do you mean you are 2008?

Caller: I'm 2008. The year. And I was calling to tell you that maybe you should think about living in the now. I'm not feeling any love from you. I just got off the phone with 2003 and he's pretty pissed that you won't let him rest. He wants to fade off into the sunset, and you won't let it go. Maybe read some Eckhard Tolle or something.

Stiennon: Yeah, I'll get right on that. How about I speak at your New Year's Eve party? Or do I need to talk to 2009 about that? I can talk about the cyber-threat of upper Bolivia...

Of course, I'm kidding here. It's easy to poke fun at Richard. Probably as easy as it is to poke fun at me. Richard also seems to want to take credit for telling McAfee to go buy some stuff way back when. I wonder if he told them to run the Entercept technology into the ground? It sounds like some of the stuff we hear from Presidential candidates. Remember that Gore invented the Internet and McCain was behind the Blackberry?

Though he does make some decent points about the fact that McAfee has been a bit schizo about the network security business. But as I mentioned in my post on the deal: times are different now and these times call for a different set of offerings to bring to the market. And the price was right.

If you used Richard's yardsticks of a good deal: Growth companies with little overlap, or a large channel engine buying technology to feed the beast - you'd miss a key strategy that works when the markets are either plateauing or maybe even contracting. That's the market consolidation strategy. Of course, Richard is very vocal about how stupid consolidation is, but it's a fact of life.

There is no doubt that Secure bungled the CyberGuard deal. In fact, it ended up killing the company. They didn't really execute crisply on the CipherTrust deal either and you end up having to sell to McAfee for a song and a dance when you screw up. But that doesn't mean that someone else can't make sense of it and make the deal work.

Fact is, we are going to see a lot of deals over the next 18 months. There are no IPOs and there won't be anytime soon. There will be a few good, high multiple deals, but not many. And there will be a LOT of deals that don't hit either of Richard's deal qualifiers. But they'll be cheap and not paying a lot can make even a bad deal on paper into a good deal for shareholders.

And the reality is things are likely going to get a lot tighter on the VC front, so many of those companies still trying to find their markets are going to die on the vine. With limited exits possibilities, the VCs are going to be very selective about who they allow to continue living.

Actually, Richard's strong grasp of history (at least the history he wrote) will come in handy. I suspect 2009 will look a lot more like 2001 than anything else. Very little funding, tight budgets, and a big hangover resulting from some investment bankers partying like it's 1999.

Bottom photo credit: "No Exit", originally uploaded by braheem

My Lunch Presentation at SANS Network Security 2008 [Anton Chuvakin Blog - "Security Warrior"]

Posted: 01 Oct 2008 01:33 PM CDT

If you are at SANS Network Security 2008 in Vegas, come see me speak about "'Worst Practices' of Log Management." It is a fun presentation - and we (LogLogic) will feed you lunch. For those of you who cannot make it, I will release the slide deck here after I present it this last time...

Here is the announcement:
LogLogic Lunch and Learn Presentation
'Worst Practices' of Log Management
Speaker: Dr. Anton Chuvakin, GCIH, GCFA
Friday, October 3rd, 2008 * 12:30pm - 1:15 pm

BTW, I am arriving Thursday night, so if anybody wants to meet and "talk logs," please drop me an email.


“Threat Event Frequency” [Risktical Ramblings]

Posted: 01 Oct 2008 11:42 AM CDT

In mid-September, most of Ohio encountered a weather anomaly. The remnants of Hurricane Ike collided with a cold front coming down from Canada, resulting in sustained winds of between 35-65 MPH for about 4-5 hours. It was quite an extraordinary event - the closest thing to a hurricane that the Midwest's human residents have probably ever witnessed. As a matter of fact, earlier this year I heard a statistician / actuary make an analogy that a 1-in-100 (or maybe it was 1-in-250) event was like a hurricane hitting Indianapolis - which nearly happened in Ohio, minus the rain and coastal water surge.

Throughout the wind storm my wife and I went outside frequently to secure loose debris and objects that posed a threat to our cars and home. Besides some Bradford Pear trees (30+ feet tall) that managed to not get blown over, the closest call we had was a chimney cap we found lying next to my brand new Honda FIT.

Being the geek that I am, once I got back inside I wrote down a note to myself to blog about this; specifically, in the context of "threat event frequency" (TEF).  Over on my risk vernacular page there are definitions for "threat event frequency", "action" and "contact" (action and contact make up TEF).

The reason TEF is on my mind is because the chimney cap / Honda FIT scenario is a great illustration of various information security risk assessment concepts. I have witnessed many risk assessments where the assessor errs on the side of possibility versus probability. Thus - in the context of possibility - because there are bad things out there that can inflict harm against my assets, surely it's going to happen. This sounds like "crying wolf" to me and is something I always double check myself on for each and every risk scenario I assess. During the windstorm, I was worried about my home (business context: my network / my assets) - not the homes a few blocks away or in another part of the state. Now make no doubt about it, TEF is not the simplest topic to wrap your brain around, and a lot of folks confuse TEF with loss event frequency (LEF) - which is really the frequency, or number of instances within a time frame, that the threat was able to overcome the resistance of the security controls.

So, whether it's the threat of zero day viruses, a virtual machine security vulnerability, or the slew of other threats that take up memory space in our brains – properly analyzing threat event frequency in the context of the environment at risk (or that you have oversight for) and not confusing TEF with LEF is a must and in my mind is the difference between a seasoned and unseasoned information security risk analyst.

I am still compiling a few risk scenarios to post. Stay tuned and have a great day!
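As an added illustration of the distinction above (not the author's code): a small model in which contact and action make up TEF, and only the threat events that get past the controls count toward LEF. It also goes one step beyond the post by ranking the windstorm scenario against two constructed infosec scenarios, once on "possibility" (how often the threat shows up) and once on LEF; every rate and probability here is constructed for illustration, not measured.

```python
"""Threat event frequency (TEF) versus loss event frequency (LEF).

Added illustration for the post above, not the author's code.  It uses the
decomposition the post refers to: contact and action make up TEF, and LEF is
the fraction of threat events that overcome the controls.  All rates and
probabilities below are constructed for illustration, not measured.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    contact_freq: float     # contacts with the asset per year (the "possibility")
    p_action: float         # P(a contact turns into an attempt on the asset)
    p_control_fails: float  # P(the attempt overcomes the controls), i.e. vulnerability

    def tef(self) -> float:
        """Threat events per year = contact frequency x probability of action."""
        return self.contact_freq * self.p_action

    def lef(self) -> float:
        """Loss events per year = the threat events that get past the controls."""
        return self.tef() * self.p_control_fails


# Constructed scenarios: the windstorm from the post plus two infosec ones.
SCENARIOS = [
    Scenario("windstorm debris vs. car in the driveway", 0.2, 0.25, 0.10),
    Scenario("opportunistic scans vs. patched web server", 1000.0, 0.05, 0.002),
    Scenario("targeted phishing vs. finance staff", 12.0, 0.80, 0.15),
]


def rank_by_possibility(scenarios):
    """What the 'crying wolf' assessor does: rank on how often a threat shows up."""
    return [s.name for s in sorted(scenarios, key=lambda s: s.contact_freq, reverse=True)]


def rank_by_lef(scenarios):
    """Probability-based ranking: how often a loss is actually expected."""
    return [s.name for s in sorted(scenarios, key=lambda s: s.lef(), reverse=True)]


def simulate(scn: Scenario, years: int, seed: int = 1) -> dict:
    """Run the contact -> action -> control funnel for `years` years and
    return the observed counts plus per-year estimates of TEF and LEF."""
    rng = random.Random(seed)
    contacts = round(scn.contact_freq * years)
    threat_events = loss_events = 0
    for _ in range(contacts):
        if rng.random() >= scn.p_action:
            continue                 # contact only, no attempt: not a threat event
        threat_events += 1           # contact + action: a threat event (TEF)
        if rng.random() < scn.p_control_fails:
            loss_events += 1         # controls failed: this one counts toward LEF
    return {
        "contacts": contacts,
        "threat_events": threat_events,
        "loss_events": loss_events,
        "tef_estimate": threat_events / years,
        "lef_estimate": loss_events / years,
    }


if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name:45s} TEF={s.tef():8.3f}/yr  LEF={s.lef():8.4f}/yr")
    print("ranked by possibility:", rank_by_possibility(SCENARIOS))
    print("ranked by LEF:        ", rank_by_lef(SCENARIOS))
    print(simulate(SCENARIOS[2], years=2000))
```

The two rankings disagree: the scanning scenario has by far the most contacts, yet the phishing scenario produces the most expected loss events, which is the gap between possibility and probability the post describes.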


Professor Wikipedia [Security Circus]

Posted: 01 Oct 2008 11:17 AM CDT


Eating your own dog food [Security For All]

Posted: 01 Oct 2008 11:12 AM CDT

Photo from AP Photo by BERNAT ARMANGUE


Every so often you see something that is just so elegant and ironic that, well, you’ve just got to pause and admire it. Pete Finnigan has an article on Full Disclosure about an Oracle password cracker he has written completely in PL/SQL. That’s right - in PL/SQL.

I often suggest to people to download binary based crackers but there is often a reticence to do this. Hence I decided to create a PL/SQL based one. This way there is no excuse, it's a SQL script that can be run in SQL*Plus and also it's going to find the core issues anyway before you need a faster cracker.

You can download Pete's tool here.

Talk about eating your own dog food. Or picking your own poison. Great idea. Get it. Use it.


Links for 2008-09-30 [] [Anton Chuvakin Blog - "Security Warrior"]

Posted: 01 Oct 2008 12:00 AM CDT

New Trojan Using HTML Injection on Bank Sites [The IT Security Guy]

Posted: 30 Sep 2008 09:32 PM CDT

A new Trojan, called Limbo, is making the rounds that inserts data fields into the legitimate web sites of banks, according to Computer World. This is different than a phish, which is a totally bogus duplicate of a legitimate site.

The Trojan was reported by RSA and uses several routes to get onto a user's machine. These include pop-up messages that download programs.

Unlike other injection attacks, this one actually inserts HTML code, with additional fields, right onto a bank's web site, even while the user might be logged in.
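Because this kind of trojan edits the page inside the victim's browser, the bank's server never sees the extra fields; what it can do is compare the form a browser actually rendered (as reported by page-integrity telemetry, for instance) with the form it served. The check below is an added example, not code from the article or from RSA's report, and both HTML samples are constructed.

```python
"""Spotting form fields that a web-inject trojan added to a bank page.

Added example for the post above, not code from the article or from RSA.
Limbo-style injection edits the page inside the victim's browser, so this
check compares the form a browser ended up rendering against the fields
the bank actually served.  Both HTML samples are constructed.
"""
from html.parser import HTMLParser


class FormFieldCollector(HTMLParser):
    """Collect the input/select/textarea names inside each <form>, keyed by form id."""

    def __init__(self):
        super().__init__()
        self.forms = {}          # form id -> list of field names, in page order
        self._current = None     # id of the <form> we are currently inside

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("id") or a.get("name") or f"form{len(self.forms)}"
            self.forms.setdefault(self._current, [])
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if "name" in a:
                self.forms[self._current].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def form_fields(html: str) -> dict:
    """Parse `html` and return {form_id: [field names]}."""
    parser = FormFieldCollector()
    parser.feed(html)
    parser.close()
    return parser.forms


def injected_fields(served_html: str, rendered_html: str) -> dict:
    """Return {form_id: [unexpected field names]} for fields present in the
    rendered page but absent from what the server sent.  Empty dict = clean."""
    served = form_fields(served_html)
    rendered = form_fields(rendered_html)
    extra = {}
    for form_id, names in rendered.items():
        expected = set(served.get(form_id, []))
        added = [n for n in names if n not in expected]
        if added:
            extra[form_id] = added
    return extra


# Constructed sample: the login form as the bank serves it ...
SERVED = """
<form id="login" method="post" action="/login">
  <input type="hidden" name="csrf" value="abc">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
"""

# ... and the same form after a Limbo-style trojan inserted extra fields.
RENDERED = """
<form id="login" method="post" action="/login">
  <input type="hidden" name="csrf" value="abc">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="card_number">
  <input type="text" name="atm_pin">
</form>
"""

if __name__ == "__main__":
    print(injected_fields(SERVED, RENDERED))   # {'login': ['card_number', 'atm_pin']}
```

A server that receives POST parameters it never put on the form can run the same comparison on the submitted field names, which catches the injected fields even without any client-side reporting.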

Network Security Podcast, Episode 122 [Network Security Blog]

Posted: 30 Sep 2008 08:27 PM CDT

We had a lot of fun with tonight's episode! If you happen to be available when Rich or I tweet about a live stream of the podcast, tune in if you can. We had a couple of back and forths before the podcast really started that were worth it. Rich and I were joined by Robert "Rsnake" Hansen of SecTheory and Jeremiah Grossman of WhiteHat Security to talk about clickjacking. There aren't a lot of details they can share with us at this point, but this is looking to be a fairly big issue. We'll know more around the end of October, it sounds like.

Network Security Podcast, Episode 122, September 30, 2008

Show Notes



The Risk of ePassports and RFID [Security Circus]

Posted: 30 Sep 2008 07:39 PM CDT

Scareware ad from Skype? [An Information Security Place]

Posted: 30 Sep 2008 05:44 PM CDT

Just got this from Skype.  Anyone else ever see this?  I have never received spam from Skype.



Feingold Fights Search And Seizure Of Our Laptops [Vincent Arnold]

Posted: 30 Sep 2008 05:28 PM CDT

Bob Geiger

Posted September 30, 2008 | 10:36 AM (EST)

Imagine you’re on your way home from a family vacation or business trip and some border agent or Transportation Security Administration (TSA) screener stops you or a family member at airport security and insists that you turn on your laptop. They then demand your password so they can browse around and they follow that by confiscating your computer until a later date — with no charges filed and no reasonable suspicion.


The Cloud will need Infrastructure 2.0 [ARCHIMEDIUS]

Posted: 30 Sep 2008 03:00 PM CDT

Cloud computing has replaced virtualization as the new hot topic of 2008.  Yet underneath the headlines a very basic shift is taking place in the network that promises even more conversations in the very near future.  Let's call this shift the rise of infrastructure 2.0 or the result of escalating pressures on an already tired [...]

Playing catchup [Andy, ITGuy]

Posted: 30 Sep 2008 07:27 AM CDT

I think this may be the longest stretch that I've had with no blogging. My last post was on Sept 14th. Since then I've gone on vacation and been preparing for vacation and catching up after vacation. Needless to say it's been busy. Hopefully I'll be back to regular posting now.

I'm going to do a "catch-all" post to try and comment on a couple of things.

I'm going to start off by going back just over 2 months to a post that Rebecca Herold made regarding awareness training and a part 2 here. I starred this in Google Reader and then forgot all about it. I'm bad about that. I need things screaming at me so I will remember to go back and read it. Anyway, she talks about the fact that we often fail to give adequate awareness training to those who need it most. Specifically those who deal with customers on a daily basis. Our Receptionists, call center reps, etc. These folks are on the front lines but are often ignored as we focus our awareness training on those who are in "check box" positions. What I mean by that is that those who work with PCI data, financial info, etc.. Somewhere there is a regulation that says "train these people or else". We train them so we can claim compliance and then give the crumbs to the rest.

The next item is actually recent and both of these were posted within the last 24 hours. Two different stories with the same theme. I saw this one on first and then a few minutes later this one on It seems that we still haven't learned basic security in many cases. What's really sad is that in both of these cases there is really no excuse for this happening. It seems that we are still disposing of devices that have not been sanitized. One case involves a British MI6 agent selling a digital camera on eBay that had all sorts of Top Secret data on it. There were pictures, fingerprints, names of terror suspects and other information. I can see this happening to someone who is a "regular" person (obviously not the top secret data but selling a camera with pictures still on it) but an MI6 agent? I'm sure they are trained in basic security such as this. The next article talks about a Cisco VPN Concentrator that was bought by Andrew Mason on eBay that was still configured to automatically connect to the central VPN concentrator at the company it originally belonged to. It's a good thing that Andrew is one of the good guys. According to him he had full access to the network by simply plugging it in and connecting to the internet.

A story that is close to home involves patient data for 45 people who were patients at Atlanta's Grady Hospital. It seems that their data was inadvertently put on an unsecured web site instead of on a secured web site. There are lots of interesting facts and issues involved in this that you can read about here. First of all, companies often give too many people access to their web sites to add content. Just as we don't give everyone access to our financial data we shouldn't give everyone, or even several people, rights to add content to web sites. There is way too much risk of insecure or unauthorized code/data getting put up. We have a hard enough time getting our web developers to write secure code, much less allowing marketing or any other department to add content at will. The second problem that I see is that Grady outsourced the work to one company who outsourced it to another company who outsourced it to a 3rd company. I'm not totally opposed to outsourcing but this is ridiculous. Either legal didn't do their job in contract negotiations or they need to do a better job in ensuring that outsourcers are staying within the bounds of the contract.

One last thing that I want to comment on. Kudos to Jeremiah Grossman and Robert "RSnake" Hansen for the way that they handled themselves when vendors requested that they not release information regarding their OWASP talk on clickjacking. It shows maturity on their part to be patient and not try to rush something out just to get name recognition. Not that either of them is hurting for name recognition.

There are lots of other things that have been going on over the last 2 weeks but many other bloggers have done a great job of covering them so hopefully you already know all you need to know about them.

It has a Password...It's "Secure" [CultSEC Blog]

Posted: 30 Sep 2008 03:47 AM CDT

I attended a presentation last week and heard the phrase, "The server is secure. It has a password."

Never mind I was at a security meeting. What hits me is that simple phrase being used. But then, why should I be surprised?

Things like this will continue to be said because security is rather nebulous. I try to put myself in non-security minds. Say I was a color blind painter and mixed up a bucket of red paint. My color blindness prevents me from seeing that it is actually pink when I paint it on the barn. Do I still call it a red barn?

Until we can figure out how we can make information security an inherent part of every aspect of our lives, we're going to have the phrases I opened with. It takes time and education. We'll get there.
