Posted: 05 Oct 2008 03:34 AM CDT
Why we are so obsessed with the newest exploit and attack developments while forgetting that the world hasn’t changed much since the last time we looked at it and laughed.
I think it is because very few of us, if anyone, are capable of looking into the entire security landscape with open eyes and a clear mind. I think that most security experts are so much about the technology and its inner workings (the geekiness) that they forget that there are other factors that contribute to the overall problem. The reason we are so much into this is because it makes sense for most of us. It is logical. It is easy to learn and you know how it feels when you get into your comfort zone. It is hard to get back on track.
The reason I am wasting time writing a post on this topic is because I find it funny when certifications and standards are drivers of the infosec field but not the tools. I find it funny to look at how people fight over who knows the most about a particular technology. Who is the biggest, the ugliest, the baddest hacker of all? Well, it is not you. Nor me! It is the script-kiddie next door! You don’t agree? Perhaps we forget that it is always about opportunities and script-kiddies are nothing more than the best opportunists. The entry level for getting into hacking today is practically zero. All you need is the opportunity window. It happens all the time. Perhaps too often to admit to ourselves.
Posted: 04 Oct 2008 09:43 PM CDT
Well, it looks like our presidential campaign is about to take a turn to the gutter. First John McCain spoke about taking off the gloves and now that hockey mom with lipstick says it's "now the heels are on, the gloves come off". That was before she accused Barack Obama of "palling around with terrorists". Hey, I guess desperate times call for desperate measures. But if the top of the ticket is pulling out all of the stops, can you imagine what some of their minions and the swift boat crowd are going to be up to!
I am sure we will all start getting forwarded emails making wild claims that Osama and Obama are related, Barack was sworn in on a Koran, etc., etc. I would set my spam filters right now to start taking some of the more obvious of this stuff out of the way, before it clogs your inbox.
Oh boy politics, you gotta luv it!
Posted: 04 Oct 2008 11:36 AM CDT
Posted: 04 Oct 2008 10:42 AM CDT
One of the European members of the Security Bloggers Network is Kai Roer. Kai asks in his blog "Do we really need Anti-virus in 2008". Kai says that it has been some time since we have had a good old fashioned virus outbreak like a Blaster. He also says,
My answer is a resounding yes! Of course we still need AV. But we don't need the AV of 2001, we need the AV of 2008 and beyond. To me this argument of whether or not we need AV is like the recent controversy we had about whether we should continue to vaccinate children against many childhood diseases. As soon as the vaccinations stopped, the diseases came back. The same is true with AV. There are still plenty of older virus attacks out there that would infect our machines and networks pretty quickly without AV. Also, without AV how long would it be until malware writers found that it was easy again to get a Blaster-type of virus or worm going? It would be just a matter of time.
Finally, let's not forget that today's AV products are combined with anti-spyware and anti-malware products to form harder lines of defense than we have had in the past. Abandoning them now would be like spinning down the armed forces after the war is over. It just makes you unprepared for the next one. When it comes to viruses, ever vigilant has to be a way of life!
Posted: 04 Oct 2008 08:15 AM CDT
A security researcher has uncovered administrative login credentials for over 200,000 web sites, according to a report Friday in Computer World.
Ian Amit, security research director at Aladdin, said the sites included the US Postal Service and Fortune 500 companies. He wouldn't disclose any site names other than that of the USPS.
Amit found the logins on a server compromised by Neosploit, a hacker tool kit used by cybercriminal gangs.
Posted: 04 Oct 2008 12:27 AM CDT
Startups are clearly much more agile than “established industry behemoths” and most of their mid sized brethren. The passion, drive and commitment of the small team offsets the capital, expertise and experience of the larger, older outfits.
Having worked across the entire spectrum in my career as a software engineer - from a small “mom and pop” DoD contractor (literally: Mom was the Controller and Pop was the CTO) all the way to a Fortune 50 computer manufacturer (truly one of those “established industry behemoths”) - I have definitely seen this in action. In a small startup everyone is intimately familiar with the customers, whereas large corporations have to make concerted efforts to allow a design engineer to even have marginal contact with a customer - and that’s usually second hand through either a sales or marketing initiative.
So being a startup is swell and you can innovate the pants off the big boys. The force is strong with startups. But there is a dark side. You didn’t really expect anything else now did you?
The conundrum which is faced by all startups (who don’t get snatched up immediately post initial product release by one of those big fish) is how to get new customers and still keep existing customers happy by providing a stable value added upgrade path. It’s really hard to innovate out of this one. But you have to in order to make that next step from being a startup to being an established concern that is in it for the long haul. From some things I’ve witnessed on the engineering side where this innovation actually happens, I present this cautionary tale.
Startup creates first product - brilliant idea, incredibly fast time to market. The chief engineer is now the CTO, but spends a fair amount of time addressing customer concerns (i.e. putting out fires). As a result the CTO is well loved and well rewarded by customers and executive staff alike. So now it’s time for the next big release of the product. The CTO has very precise ideas about what new features are important and what failings must be addressed. In fact the CTO knows that the largest customer is poised for a huge purchase when that killer feature is added. Unfortunately the CTO is way too busy and valuable an asset to the business to focus on the mundane tasks of development any longer so developers are hired to get the next version and next product out to the breathlessly waiting customers and potential customers.
So let's pause here and take stock of the new developers’ situation. They have to update an existing code base which has been field patched (remember those firefighting drills) with a technical lead (our CTO) who doesn’t have time to spend mentoring anyone. And they have to do it quickly. The CEO recalls that the first release came after 6 months and the following 2 releases came on 3 month cycles. Now granted the CEO knows that the now-CTO is a bona fide savant, a true code ninja, but surely these new mere mortal programmers can get the next rev out in 6 months. 9 months tops. Besides, they’ve promised customers and there are some big deals riding on this next release. So the show must go on.
Fast forward 9 months and the vaunted next release is dangerously close to slipping the release date. The executive staff is not too worried as they recall the 160 hour weeks that the now-CTO put in to get the product out. So the pep-talks begin to motivate the new programmers to “take one for the team” and get this release done on time no matter what.
We’ll stop this tale here. The aforementioned allegorical startup can still make a happy ending, but not without recognizing the realities of the dark side.
Can a startup successfully address these dark side issues? Absolutely. To be successful you have to. Will you fall victim to most of these at least once? Of course. I’ve never heard of any company that survived the transition to post-startup unscathed. But the one edge that a startup can never afford to relinquish is that customer focus that Todd describes in his articles.
May the force be with you.
Posted: 03 Oct 2008 05:26 PM CDT
If you have or are planning to have:
THEN... please give us a call.
I recently wrote a paper discussing how we (NetVision) extend the ability of SIEM or log management solutions by getting better, more reliable, and more relevant information directly from what is arguably your most critical source (the network directory). The paper isn't publicly available (it's not that kind of paper). So, let us know and we'll pass it along or we can save you the trouble of reading and just explain it.
Posted: 03 Oct 2008 03:30 PM CDT
The IETF’s NEA Working Group is (among other things) standardizing a set of “PA-TNC attributes” for use during NAC health checks. These standard attributes will be implemented in many network endpoints (laptops, desktops, printers, etc.) so that a NAC server can query an endpoint and obtain information about its health in a standard way. The tricky part is deciding which attributes are important enough to be in the first standard and which attributes can be left to future standards or vendor extensions.
I bet you have some ideas on this topic. Review the current draft list of attributes (below) and post your comments. I’ll bring them back to the NEA WG. Thanks!
A standard set of components is defined, and then a standard set of attributes that describe aspects of those components. This avoids the need to define separate attributes for “OS Version”, “AV Version”, etc. Of course, some devices won’t implement all these components and attributes. No Anti-Virus on my printer (yet!).
Components: Operating system, Anti-Virus, Anti-Spyware, Anti-Malware, Host Firewall, Host Intrusion Detection and/or Prevention System, Host VPN
Tags: NAC Standards, NEA, IETF, NAC, standards
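To make the component-by-attribute factoring concrete, here is an added example (my own code, not the NEA WG's draft or any vendor's implementation) of how a NAC server might evaluate endpoint health from (component, attribute, value) triples. The component list is the one quoted in the post; the attribute names "version" and "enabled", the policies and the endpoint reports are constructed placeholders, and it shows how a policy can require AV on a laptop while ignoring it on a printer.

```python
from dataclasses import dataclass
from enum import Enum

# Component types from the draft list quoted in the post.
Component = Enum("Component", "OS AV ANTI_SPYWARE ANTI_MALWARE FIREWALL HIDS VPN")

@dataclass(frozen=True)
class HealthAttribute:
    """One (component, attribute, value) triple from an endpoint; the attribute
    names "version" and "enabled" are placeholders, not NEA draft identifiers."""
    component: Component
    name: str
    value: str

def version_tuple(text: str) -> tuple:
    """'10.2.1' -> (10, 2, 1), so '10.2' sorts after '9.9'."""
    return tuple(int(part) for part in text.split("."))

def evaluate(report, policy) -> dict:
    """Check one endpoint's report against a per-component policy.
    policy maps each Component the endpoint class must have to a rule like
    {"min_version": "8.1", "enabled": True}; components the policy omits are
    ignored (no AV on a printer), components it requires but the report
    lacks fail. Returns {component name: "ok" or failure reason}."""
    seen = {}
    for attr in report:
        seen.setdefault(attr.component, {})[attr.name] = attr.value
    result = {}
    for comp, rule in policy.items():
        attrs = seen.get(comp)
        want = rule.get("min_version")
        if attrs is None:
            result[comp.name] = "missing component"
        elif want and "version" not in attrs:
            result[comp.name] = "version not reported"
        elif want and version_tuple(attrs["version"]) < version_tuple(want):
            result[comp.name] = f"version {attrs['version']} below {want}"
        elif rule.get("enabled") and attrs.get("enabled") != "true":
            result[comp.name] = "not enabled"
        else:
            result[comp.name] = "ok"
    return result

def is_compliant(result: dict) -> bool:
    return all(verdict == "ok" for verdict in result.values())

# Constructed policies and endpoint reports, not real data.
LAPTOP_POLICY = {Component.OS: {"min_version": "6.0"},
                 Component.AV: {"min_version": "8.1", "enabled": True},
                 Component.FIREWALL: {"enabled": True}}
PRINTER_POLICY = {Component.OS: {"min_version": "2.0"}}
LAPTOP_REPORT = [HealthAttribute(Component.OS, "version", "6.1"),
                 HealthAttribute(Component.AV, "version", "8.0"),
                 HealthAttribute(Component.AV, "enabled", "true")]
PRINTER_REPORT = [HealthAttribute(Component.OS, "version", "2.3")]
```

The laptop report fails on an outdated AV version and a firewall that never reported at all, while the printer passes because its policy only asks about the OS.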
Posted: 03 Oct 2008 02:38 PM CDT
I've talked before about security breaches being crimes of opportunity. I've given presentations and webinars discussing the Insider Threat and talking about security breaches. And I always mention that I don't think the concern should be that people are bad. I don't think that employees are out to get their companies.
I didn't want to paint a picture of bad guys huddled in a dark room trying to figure out how to breach the company's security. Sure, that happens too. But, I don't think that's the real Insider Threat. Some of those attacks may have an element of insider advantage, but the big number of security breaches that I attribute to insiders are more opportunistic. It's administrators who have been given explicit access to sensitive information and stumble across it in their daily routine. And it happens all the time.
According to a new Data Breach Report by Verizon Business,
85% of security breaches are opportunistic.
I always thought the percentage of insider breaches that are opportunistic would be high. But, of the breaches covered in this report,
18% were caused by insiders.
I believe that number to be much higher. This report is based on breaches that were not only reported, but brought to Verizon Business for help. Nobody calls a forensics team when an admin opens up an HR doc containing a co-worker's salary. Or when an admin creates a new account and grants full system rights in order to get a new application up and running. I would consider both scenarios to be a security breach, but neither would appear in this report (or other reports). Those breaches are generally not reported and quite often not even noticed.
Does your environment have a mechanism that enables you to even see that kind of activity? Most do not. ...which leads me to the last stat I'll share from the report:
87% of breaches in this study were considered avoidable through reasonable controls
...and I would argue that the same is true for the unreported, opportunistic, insider-threat type of breaches that are likely unrepresented in this research.
Posted: 03 Oct 2008 02:04 PM CDT
Posted: 03 Oct 2008 01:12 PM CDT
Let me preface this by stating I am not a lawyer. I don't live in California. I'm also not an expert at reading legislation, and I may also be thinking about this the wrong way.
That said, I've been reading California's legislation marked SB 31, which makes it illegal to read RFID without the possessor's prior consent and approval. This raises some very interesting questions to me...
How does this affect installed systems used for automobile toll collection? Does this mean that each time I drive through a tollbooth with this technology, the State of California has to ask my permission to read, and then I have to consent? Certainly, they can pre-authorize consent through the usage agreement, which they may need to change now. Until then (if it isn't already in the agreement), is the State of California currently engaging in an illegal act?
The same becomes true of those using RFID for access control or payment information. Does my employer need to ask me permission to read my RFID enabled badge every time I enter the building? Or, do they need to cover it with a blanket usage agreement?
In my opinion, I think that the legislators went about this a little backwards. I personally think that they should not have made it illegal to read without permission, but that they should have done the opposite: pass legislation that requires the RFID vendors to implement technology to prevent unauthorized, unencrypted reading of data from RFID. Sure, from a technological standpoint it is certainly a challenge, but consider making it a future rollout, such as the new digital TV rollout here in the US.
Certainly neither plan is perfect or foolproof. I just see this as going after the attacker, while really not fixing the problem.
When you outlaw reading RFID, only outlaws will read RFID.
Posted: 03 Oct 2008 09:46 AM CDT
Posted: 03 Oct 2008 09:26 AM CDT
We're all familiar with the idea of adverts promising you all sorts of cool things, but here's one that seemingly can't stand to let you leave empty-handed (with no ulterior motives at all, honest).
These have been popping up on Youtube for a while:
And another one:
...hmm, do I? Well, it's fun when she bounces round in PVC or whatever the Hell it is. That Disturbia song sucked, though. I liked the one about the Umbrella, ella, ella.
Anyway. Click the ad, and you get this:
That seems quite clear: Pass, and you get a ringtone. Hooray. Fail, and you get NOTHING. Because you suck. You suck hard.
That seems reasonable, so let's give it a try. I smell something a bit fishy though, so I'm going with my first instinct and getting everything wrong on purpose. But wait! What's this...
Oh Lordy! It's on now, chaps. I let the timer run right down, wondering what horrible fate would befall me when it got down to zero...
Imagine my dismay, then, when....
...uh, what? Is it just me, or do they really want me to reach the end of this quiz? Well, no biggie. I'm going to answer everything incorrectly anyway, see how they like those apples!
Let's do this thing. "Name of Rihanna's breakthrough single"...I'll go for "This DJ". "Where is she originally from?" Duh, it's obviously Bangladesh. "Who is she dating?" Obviously, that would be Ice Cube.
I think they screwed up with the next question, because....
Let's go with Polka. Final question - "Name another Rihanna song". Easy:
Trash Can ftw. Now, let's see how we did:
....is it just me, or are they offering me a ringtone anyway?
Oh, they are. And it costs $8.00 a week, with an $8.00 signup fee. And here was me thinking they were just being kind. What's really amazing is how many people have already taken this thing - 71,720 votes? Sheesh. Someone, somewhere, is rolling around in a big pit of money.
And it's Rihanna. In PVC hotpants.
Posted: 03 Oct 2008 09:22 AM CDT
From the post: “Quantum cryptography is supposed to be unbreakable. But a flaw in a common type of equipment used makes it possible to intercept messages without detection.
Quantum cryptography has been used by some banks to protect data, and even to hide election results in Switzerland last year. But it has been discovered that shining bright light into the sensitive equipment needed makes it possible to hijack communications without a trace.”
Laser cracks ‘unbreakable’ quantum communications
Paper: Can Eve control PerkinElmer actively-quenched single-photon detector? (PDF)
Discoverer: Vadim Makarov, Norwegian University of Science and Technology, Trondheim, Norway
Posted: 03 Oct 2008 08:47 AM CDT
From the post: “The latest bad news for Google comes courtesy of the malware team in charge of the XRumer project. XRumer is a blogspam tool that’s particularly good at what it does, and is capable of fooling multiple CAPTCHA systems. Once it successfully registers, XRumer may take steps to avoid human detection by first posting an innocuous question regarding a specific product or service. The point of all the subterfuge is to boost the Google page rank of a site by bombarding multiple forums with product/service mentions and discussions. Users that can be tricked into posting their own links (perhaps in an attempt to demonstrate where a product may be found) only help the program perform its primary function.”
You are subscribed to email updates from Security Bloggers Network.