Sunday, October 5, 2008

Spliced feed for Security Bloggers Network

You Will Do Well [GNUCITIZEN]

Posted: 05 Oct 2008 03:34 AM CDT

Why we are so obsessed with the newest exploit and attack developments while forgetting that the world hasn’t changed much since the last time we looked at it and laughed.

Computer Technology Fortune

I think it is because very few of us, if anyone, are capable of looking at the entire security landscape with open eyes and a clear mind. I think that most security experts are so much into the technology and its inner workings (the geekiness) that they forget that there are other factors that contribute to the overall problem. The reason we are so much into this is because it makes sense for most of us. It is logical. It is easy to learn, and you know how it feels when you get into your comfort zone. It is hard to get back on track.

The reason I am wasting time writing a post on this topic is because I find it funny that certifications and standards are the drivers of the infosec field, but not the tools. I find it funny to watch how people fight over who knows the most about a particular technology. Who is the biggest, the ugliest, the baddest hacker of all? Well, it is not you. Nor me! It is the script-kiddie next door! You don’t agree? Perhaps we forget that it is always about opportunities, and script-kiddies are nothing more than the best opportunists. The entry level for getting into hacking today is practically zero. All you need is the opportunity window. It happens all the time. Perhaps too often to admit to ourselves.

Better turn up your spam filters, political spam is on the way [StillSecure, After All These Years]

Posted: 04 Oct 2008 09:43 PM CDT

Well, it looks like our presidential campaign is about to take a turn to the gutter. First John McCain spoke about taking off the gloves, and now that hockey mom with lipstick says it's "now the heels are on, the gloves come off". That was before she accused Barack Obama of "palling around with terrorists". Hey, I guess desperate times call for desperate measures. But if the top of the ticket is pulling out all of the stops, can you imagine what some of their minions and the swift boat crowd are going to be up to!

I am sure we will all start getting forwarded emails making wild claims that Osama and Obama are related, Barack was sworn in on a Koran, etc. I would set my spam filters right now to start taking some of the more obvious of this stuff out of the way, before it clogs your inbox.

Oh boy politics, you gotta luv it!

The only time it makes sense to use a pie chart [Emergent Chaos]

Posted: 04 Oct 2008 11:36 AM CDT

Do we need AV solutions in 2008? Its like the Measles [StillSecure, After All These Years]

Posted: 04 Oct 2008 10:42 AM CDT

One of the European members of the Security Bloggers Network is Kai Roer. Kai asks in his blog "Do we really need Anti-virus in 2008". Kai says that it has been some time since we have had a good old fashioned virus outbreak like a Blaster. He also says,

Have the virus authors started to write smaller viruses that stay below the radar - and thus are not detected by the AV-products? Are they now only targeting special targets - like particular banks, SCADA or singled out corporations? Or countries and causes? Or are they too busy writing malware to care about viruses?

My answer is a resounding yes! Of course we still need AV. But we don't need the AV of 2001, we need the AV of 2008 and beyond. To me this argument of whether or not we need AV is like the recent controversy we had about whether we should continue to vaccinate children against many childhood diseases. As soon as the vaccinations stopped, the diseases came back. The same is true with AV. There are still plenty of older virus attacks out there that would infect our machines and networks pretty quickly without AV. Also, without AV, how long would it be until malware writers found that it was easy again to get a Blaster type of virus or worm going? It would be just a matter of time.

Finally, let's not forget that today's AV products are combined with anti-spyware and anti-malware products to form harder lines of defense than we have had in the past. Abandoning them now would be like spinning down the armed forces after the war is over. It just makes you unprepared for the next one. When it comes to viruses, ever vigilant has to be a way of life!

Massive Site Compromise [The IT Security Guy]

Posted: 04 Oct 2008 08:15 AM CDT

A security researcher has uncovered administrative login credentials for over 200,000 web sites, according to a report Friday in Computer World.

Ian Amit, security research director at Aladdin, said the sites included the US Postal Service and Fortune 500 companies. He wouldn't disclose any site names other than that of the USPS.

Amit found the logins on a server compromised by Neosploit, a hacker tool kit used by cybercriminal gangs.

The dark side of post startup innovation [Security For All]

Posted: 04 Oct 2008 12:27 AM CDT

Todd at the Napera blog has two great articles here and here about how most of the innovation in network security comes from startups.

Breakthrough products like security appliances and virtualization were not pioneered by established industry behemoths, but originated with smaller companies willing to pioneer new product ideas and disrupt the status quo.

Startups are clearly much more agile than “established industry behemoths” and most of their mid sized brethren. The passion, drive and commitment of the small team offsets the capital, expertise and experience of the larger, older outfits.

startups spend an order of magnitude more time talking to customers and thinking about the challenges customers face. Ideally, interacting with and thinking about customers should happen at every level of a company. To add to that focus, a product team in a startup has a lot more autonomy in making product decisions.

Having worked across the entire spectrum in my career as a software engineer - from a small “mom and pop” DoD contractor (literally: Mom was the Controller and Pop was the CTO) all the way to a Fortune 50 computer manufacturer (truly one of those “established industry behemoths”) - I have definitely seen this in action. In a small startup everyone is intimately familiar with the customers, whereas large corporations have to make concerted efforts to allow a design engineer to even have marginal contact with a customer - and that’s usually second hand through either a sales or marketing initiative.

So being a startup is swell and you can innovate the pants off the big boys. The force is strong with startups. But there is a dark side. You didn’t really expect anything else now did you?

The conundrum which is faced by all startups (who don’t get snatched up immediately post initial product release by one of those big fish) is how to get new customers and still keep existing customers happy by providing a stable value added upgrade path. It’s really hard to innovate out of this one. But you have to in order to make that next step from being a startup to being an established concern that is in it for the long haul. From some things I’ve witnessed on the engineering side where this innovation actually happens, I present this cautionary tale.

Startup creates first product - brilliant idea, incredibly fast time to market. The chief engineer is now the CTO, but spends a fair amount of time addressing customer concerns (i.e. putting out fires). As a result the CTO is well loved and well rewarded by customers and executive staff alike. So now it’s time for the next big release of the product. The CTO has very precise ideas about what new features are important and what failings must be addressed. In fact the CTO knows that the largest customer is poised for a huge purchase when that killer feature is added. Unfortunately the CTO is way too busy and valuable an asset to the business to focus on the mundane tasks of development any longer so developers are hired to get the next version and next product out to the breathlessly waiting customers and potential customers.

So let's pause here and take stock of the new developers’ situation. They have to update an existing code base which has been field patched (remember those firefighting drills) with a technical lead (our CTO) who doesn’t have time to spend mentoring anyone. And they have to do it quickly. The CEO recalls that the first release came after 6 months and the following 2 releases came on 3 month cycles. Now granted, the CEO knows that the now-CTO is a bona fide savant, a true code ninja, but surely these new mere mortal programmers can get the next rev out in 6 months. 9 months tops. Besides, they’ve promised customers and there are some big deals riding on this next release. So the show must go on.

Fast forward 9 months and the vaunted next release is dangerously close to slipping the release date. The executive staff is not too worried as they recall the 160 hour weeks that the now-CTO put in to get the product out. So the pep-talks begin to motivate the new programmers to “take one for the team” and get this release done on time no matter what.

We’ll stop this tale here. The aforementioned allegorical startup can still make a happy ending, but not without recognizing the realities of the dark side.

  1. Brilliant innovative engineers are rare. The dark side of being brilliant is that they rarely value mundane necessities like documentation. They know the code inside and out, so from their point of view it’s self-documenting.
  2. Competent engineers are not so rare. They are also not so expensive. Or fast. They need mundane stuff like documentation to accomplish their job.
  3. The ramp up time it takes to come up to speed on a new product such that you can enhance and maintain it always takes at least twice as many engineering hours as it took to develop it in the first place. Don’t believe me? No problem, you can find out on your own.
  4. All engineers come to the realization (usually sooner rather than later) that firefighters get rewarded. So they look for fires to put out rather than doing the critical but boring and largely unnoticed jobs like configuration management or refactoring for maintainability.
  5. Executive management is always willing to oblige firefighters. They like it when the customer’s problem is solved quickly. That’s in the job description.
  6. The original founding members of the startup usually have an equity position in the company. So they know that at least the potential is there to be very well rewarded if the company is successful. So they are willing to work insane hours and make huge sacrifices for the company because of the potential rewards. Later members are employees or contractors with no real equity stake in the company. When they work insane hours and make huge sacrifices they get to keep their jobs. And have a party. Until they burn out.
  7. Customers who have your product expect to get new features before they are willing to pony up for the next version. They also expect a smooth and painless upgrade path - even when they decide to skip 3 or 4 releases. This is probably the most difficult part of software development. And one that most of us don’t consider until it steps up to brazenly bite our backsides.
  8. Customers really want the features they want. For them. Not for the entire customer base or potential markets. For them. And they are happy to drive your product strategy - where they want it to go.

Can a startup successfully address these dark side issues? Absolutely. To be successful you have to. Will you fall victim to most of these at least once? Of course. I’ve never heard of any company that survived the transition to post-startup unscathed. But the one edge that a startup can never afford to relinquish is that customer focus that Todd describes in his articles.

May the force be with you.


Better data from Active Directory for your SIEM [Matt Flynn's Identity Management Blog]

Posted: 03 Oct 2008 05:26 PM CDT

If you Have or are Planning to Have:
  • A SIEM solution (ArcSight ESM, RSA enVision, Novell Sentinel, IBM TCIM)
  • An enterprise Log Management solution (LogLogic, TriGeo, SenSage)
And your employees log on to:
  • Microsoft Active Directory / Windows
  • Novell eDirectory / NetWare
And you're unhappy with the solution's ability to:
  • Get complete information from the directory or file system
  • Filter which information is collected
  • Generate highly relevant alerts based on filtered event data and custom policies
  • Collect event data directly from the source (independent of system logs)
  • Apply decisions or alerts based on WHO is performing the action
  • Report on ANY combination of objects and attributes in the directory
  • Report on who is opening or modifying files, folders, or file system permissions

THEN ...Please give us a call.

I recently wrote a paper discussing how we (NetVision) extend the ability of SIEM or log management solutions by getting better, more reliable, and more relevant information directly from what is arguably your most critical source (the network directory). The paper isn't publicly available (it's not that kind of paper). So, let us know and we'll pass it along or we can save you the trouble of reading and just explain it.

What do you need to know? [Got the NAC]

Posted: 03 Oct 2008 03:30 PM CDT

The IETF’s NEA Working Group is (among other things) standardizing a set of “PA-TNC attributes” for use during NAC health checks. These standard attributes will be implemented in many network endpoints (laptops, desktops, printers, etc.) so that a NAC server can query an endpoint and obtain information about its health in a standard way. The tricky part is deciding which attributes are important enough to be in the first standard and which attributes can be left to future standards or vendor extensions.

I bet you have some ideas on this topic. Review the current draft list of attributes (below) and post your comments. I’ll bring them back to the NEA WG. Thanks!

A standard set of components are defined and then a standard set of attributes that describe aspects of those components. This avoids the need to define separate attributes for “OS Version”, “AV Version”, etc. Of course, some devices won’t implement all these components and attributes. No Anti-Virus on my printer (yet!).

Components: Operating system, Anti-Virus, Anti-Spyware, Anti-Malware, Host Firewall, Host Intrusion Detection and/or Prevention System, Host VPN

Attributes: Product Information (vendor, name),  Numeric Version, String Version, Operational Status (operational?, problems detected?, last time run), Port Filter List (for Host Firewall), Installed Packages (name, version)
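To show how the component/attribute split plays out on the NAC server side, here is an added example (not code from this post or from the NEA WG) of a small policy evaluator over endpoint health reports. It uses the components and attributes from the draft list above; the report layout, policy shape, version thresholds, port numbers and product names are all constructed for illustration, and the "component not reported" case covers the printer-without-AV situation the post mentions.

```python
"""Toy NAC health-check evaluator: an added example, not code from the Got the
NAC post or the NEA WG. Component and attribute names follow the post's draft
list; the report layout, policy shape, thresholds and vendor names are made up."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class ComponentReport:
    """Attributes an endpoint reports for one component."""
    product: str                      # Product Information (vendor, name)
    numeric_version: Tuple[int, ...]  # Numeric Version (assumed tuple form)
    operational: bool                 # Operational Status
    problems_detected: bool
    last_run: Optional[datetime] = None
    port_filter: List[int] = field(default_factory=list)  # Host Firewall only

@dataclass
class Policy:
    required: Tuple[str, ...]        # components that must be present and healthy
    min_version: Dict[str, Tuple[int, ...]]
    max_age: timedelta               # how stale last_run may be
    blocked_ports: Set[int]          # must appear in the Port Filter List

def evaluate(report: Dict[str, ComponentReport], policy: Policy,
             now: datetime) -> List[str]:
    """Return policy violations (empty list means compliant). A component absent
    from the report is one the endpoint does not implement; that only counts
    when the policy requires it, so a printer with no AV passes a printer policy."""
    violations = []
    for comp in policy.required:
        c = report.get(comp)
        if c is None:
            violations.append(f"{comp}: not reported")
            continue
        if not c.operational:
            violations.append(f"{comp}: not operational")
        if c.problems_detected:
            violations.append(f"{comp}: problems detected")
        minv = policy.min_version.get(comp)
        if minv is not None and c.numeric_version < minv:
            violations.append(f"{comp}: version {c.numeric_version} < {minv}")
        if c.last_run is not None and now - c.last_run > policy.max_age:
            violations.append(f"{comp}: last run {c.last_run:%Y-%m-%d} is stale")
        if comp == "Host Firewall":
            for port in sorted(policy.blocked_ports - set(c.port_filter)):
                violations.append(f"{comp}: port {port} not filtered")
    return violations

# Constructed sample endpoints, checked on 3 Oct 2008.
NOW = datetime(2008, 10, 3, 12, 0, tzinfo=timezone.utc)

def laptop_report() -> Dict[str, ComponentReport]:
    return {
        "Operating system": ComponentReport("Microsoft Windows XP", (5, 1, 2600), True, False),
        "Anti-Virus": ComponentReport("ExampleAV Desktop", (7, 2), True, False,
                                      last_run=NOW - timedelta(days=9)),
        "Host Firewall": ComponentReport("Windows Firewall", (5, 1), True, False,
                                         port_filter=[135, 139, 445]),
    }

def printer_report() -> Dict[str, ComponentReport]:
    # No Anti-Virus on the printer (yet!), as the post says.
    return {"Operating system": ComponentReport("PrinterOS", (3, 0), True, False)}

LAPTOP_POLICY = Policy(required=("Operating system", "Anti-Virus", "Host Firewall"),
                       min_version={"Anti-Virus": (8, 0)},
                       max_age=timedelta(days=7), blocked_ports={135, 445, 3389})
PRINTER_POLICY = Policy(required=("Operating system",), min_version={},
                        max_age=timedelta(days=7), blocked_ports=set())
```

Running `evaluate(laptop_report(), LAPTOP_POLICY, NOW)` flags the out-of-date AV engine, its stale last scan and the unfiltered port, while the printer passes its own policy and fails the laptop policy only on the components it never reported.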

85% of Security Breaches are Opportunistic [Matt Flynn's Identity Management Blog]

Posted: 03 Oct 2008 02:38 PM CDT

I've talked before about security breaches being crimes of opportunity. I've given presentations and webinars discussing the Insider Threat and talking about security breaches. And I always mention that I don't think the concern should be that people are bad. I don't think that employees are out-to-get their companies.

I didn't want to paint a picture of bad guys huddled in a dark room trying to figure out how to breach the company's security. Sure, that happens too. But, I don't think that's the real Insider Threat. Some of those attacks may have an element of insider advantage, but the big number of security breaches that I attribute to insiders are more opportunistic. It's administrators who have been given explicit access to sensitive information and stumble across it in their daily routine. And it happens all the time.

According to a new Data Breach Report by Verizon Business,

85% of security breaches are opportunistic.

I always thought the percentage of insider breaches that are opportunistic would be high. But, of the breaches covered in this report,

18% were caused by insiders.

I believe that number to be much higher. This report is based on breaches that were not only reported, but brought to Verizon Business for help. Nobody calls a forensics team when an admin opens up an HR doc containing a co-worker's salary. Or when an admin creates a new account and grants full system rights in order to get a new application up and running. I would consider both scenarios to be a security breach, but neither would appear in this report (or other reports). Those breaches are generally not reported and quite often not even noticed.

Does your environment have a mechanism that enables you to even see that kind of activity? Most do not. ...which leads me to the last stat I'll share from the report:

87% of breaches in this study were considered
avoidable through reasonable controls

...and I would argue that the same is true for the unreported, opportunistic, insider-threat type of breaches that are likely unrepresented in this research.

Taking Sunday Off! [Infosecurity.US]

Posted: 03 Oct 2008 02:04 PM CDT

Taking Sunday off to enjoy some autumnal fishing in the Sound, just south of the Narrows Bridge…Great fishing weather, woohoo! Posting resumes on Monday, October 6, 2008.

RFID in California [PaulDotCom]

Posted: 03 Oct 2008 01:12 PM CDT

Let me preface this by stating I am not a lawyer. I don't live in California. I'm also not an expert at reading legislation, and I may also be thinking about this the wrong way.

That said, I've been reading California's legislation marked SB 31, which makes it illegal to read RFID without the possessor's prior consent and approval. This raises some very interesting questions to me...

How does this affect installed systems used for automobile toll collection? Does this mean that each time I drive through a tollbooth with this technology, the State of California has to ask my permission to read, and then I have to consent? Certainly, they can pre-authorize consent through the usage agreement, which they may need to change now. Until then (if it isn't already in the agreement), is the State of California currently engaging in an illegal act?

The same becomes true of those using RFID for access control or payment information. Does my employer need to ask me permission to read my RFID enabled badge every time I enter the building? Or, do they need to cover it with a blanket usage agreement?

In my opinion, the legislators went about this a little backwards. I personally think that they should not have made it illegal to read without permission, but that they should have done the opposite: pass legislation that requires the RFID vendors to implement technology to prevent unauthorized, unencrypted reading of data from RFID. Sure, from a technological standpoint it is certainly a challenge, but consider making it a future rollout, such as the new digital TV rollout here in the US.

Certainly neither plan is perfect or foolproof. I just see this as going after the attacker, while really not fixing the problem.

When you outlaw reading RFID, only outlaws will read RFID.

A quick headshot... [ - A Revolution is the Solution]

Posted: 03 Oct 2008 09:46 AM CDT


Not anymore, he can't. No idea if he was telling the truth or not, but in all likelihood it was just a scam to suck $5 a time out of chumps. At any rate, he's with God now.

Well, his Youtube is canceled anyway. Which is about the same thing, surely...

Promise the World, then give it to you anyway [ - A Revolution is the Solution]

Posted: 03 Oct 2008 09:26 AM CDT

We're all familiar with the idea of adverts promising you all sorts of cool things, but here's one that seemingly can't stand to let you leave empty-handed (with no ulterior motives at all, honest).

These have been popping up on Youtube for a while:

And another one:

...hmm, do I? Well, it's fun when she bounces round in PVC or whatever the Hell it is. That Disturbia song sucked, though. I liked the one about the Umbrella, ella, ella.

Anyway. Click the ad, and you get this:

That seems quite clear: Pass, and you get a ringtone. Hooray. Fail, and you get NOTHING. Because you suck. You suck hard.

That seems reasonable, so let's give it a try. I smell something a bit fishy though, so I'm going with my first instinct and getting everything wrong on purpose. But wait! What's this...

Oh Lordy! It's on now, chaps. I let the timer run right down, wondering what horrible fate would befall me when it got down to zero...

Imagine my dismay, then, when....

...uh, what? Is it just me, or do they really want me to reach the end of this quiz? Well, no biggie. I'm going to answer everything incorrectly anyway, see how they like those apples!

Let's do this thing. "Name of Rihanna's breakthrough single"...I'll go for "This DJ". "Where is she originally from"? Duh, it's obviously Bangladesh. "Who is she dating"? Obviously, that would be Ice Cube.

I think they screwed up with the next question, because....

Let's go with Polka. Final question - "Name another Rihanna song". Easy:

Trash Can ftw. Now, let's see how we did:

...is it just me, or are they offering me a ringtone anyway?

Oh, they are. And it costs $8.00 a week, with an $8.00 signup fee. And here was me thinking they were just being kind. What's really amazing is how many people have already taken this thing - 71,720 votes? Sheesh. Someone, somewhere, is rolling around in a big pit of money.

And it's Rihanna. In PVC hotpants.

Unbreakable Quantum Communications Cracked [Infosecurity.US]

Posted: 03 Oct 2008 09:22 AM CDT

News, late yesterday, of the apparent cracking of so-called unbreakable quantum cryptographic communications protocols with coherent light technology (lasers).

From the post: “Quantum cryptography is supposed to be unbreakable. But a flaw in a common type of equipment used makes it possible to intercept messages without detection.

Quantum cryptography has been used by some banks to protect data, and even to hide election results in Switzerland last year. But it has been discovered that shining bright light into the sensitive equipment needed makes it possible to hijack communications without a trace.

“It turns the equipment into a puppet-box that an eavesdropper can control,” says Vadim Makarov from the Norwegian University of Science and Technology in Trondheim, who uncovered the vulnerability.”

[1] NewScientist: Laser cracks ‘unbreakable’ quantum communications
[2] Paper: Can Eve control PerkinElmer actively-quenched single-photon detector? (PDF)
[3] Discoverer: Vadim Makarov, Norwegian University of Science and Technology, Trondheim, Norway

GMail, HotMail CAPTCHA Cracked. Again. [Infosecurity.US]

Posted: 03 Oct 2008 08:47 AM CDT

News surfaced, late yesterday, of recently released hack tools targeting Gmail and HotMail CAPTCHA systems.

From the post: “The latest bad news for Google comes courtesy of the malware team in charge of the XRumer project. XRumer is a blogspam tool that’s particularly good at what it does, and is capable of fooling multiple CAPTCHA systems. Once it successfully registers, XRumer may take steps to avoid human detection by first posting an innocuous question regarding a specific product or service. The point of all the subterfuge is to boost the Google page rank of a site by bombarding multiple forums with product/service mentions and discussions. Users that can be tricked into posting their own links (perhaps in an attempt to demonstrate where a product may be found) only help the program perform its primary function.”

Hat Tip to Joel Hruska!
