Posted: 14 Oct 2008 04:53 AM CDT
Another tool is out of the door. I am happy to announce the official launch of the Netsecurify GNUCITIZEN initiative. In this post I am planning to give a bit of an overview of the system and also to explain what we are aiming to do with it.
Netsecurify is part of GNUCITIZEN’s online security toolkit including tools such as Blogsecurify (Social Media Security) and Websecurify (Websecurity services, yet to be released)! The Netsecurify initiative was established to provide free network security services through our automated testing engine based on open source technologies.
As I mentioned earlier, Netsecurify is based on open source technologies and it does not differ much from the paid automated information security tests you get from respected security companies. We have built a solid framework around these technologies which allows us to easily expand and produce even more quality results with minimum overhead. The engine is also designed to allow us to easily contribute back to the employed open source products and as such complete the circle of energy.
Why are we offering Netsecurify for free?
Because we can! Because it is noble. Because we want to change the world in our own way. Because we are still learning how to defeat limitations and control the perception. Because it hasn't been done before to the extent we are planning to do it. And because we have a good business plan.
Netsecurify certainly costs something. This service consumes a lot of manpower, time and computational resources. Every single one of these components costs something. It all adds up. However, we believe that we can still do what we want to do with a little bit of help from you, our friends and of course our sponsors and advertisers.
The Netsecurify platform provides an ingenious, brand-new form of advertising which interested companies and organizations can use to make the service better by providing additional value, to advertise and promote their services and products, etc. We believe that the platform is unique because we haven't seen it implemented elsewhere. We also believe that our service provides one of the most targeted advertising technologies built so far.
For more information, please get in touch with us from our contact page. You can also read this excerpt over here for more information regarding what you can do with the Netsecurify platform. Again, if you are interested in taking part in the trial period then just fill in the invite form or, better yet, get in touch with us directly.
Posted: 14 Oct 2008 12:13 AM CDT
Hard to believe, but we are already planning for the 3rd annual bloggers meet up at RSA Conference 2009. The RSA Conference folks were nice enough to again give us our own blog to discuss the meet up. You can find it here. It's the usual suspects writing on the blog and planning the meet up. If you don't want to be left out of what promises to be a great event, be sure to follow the instructions in the post on the blog.
Speaking of RSA and the bloggers meet up, we also sent out an important email to the SBN members. Please respond as requested; time is running short.
Posted: 13 Oct 2008 08:52 PM CDT
The interest and excitement around virtualization is palpable. However, it seems like the security approaches in this area are similar to the constraints that a horse's ass put on the space shuttle design.
Virtualization security solutions today primarily focus on protecting the virtual OS, the virtual networks, or the hypervisor software itself. More specifically, most current virtualization security technologies are focused on preventing hypervisor root kits, providing intrusion detection, anti-malware, anti-virus, network security, etc. In the physical world, this is similar to individually protecting hardware, operating systems, and the networks that connect them. That is, the focus is mainly on protecting infrastructure and perimeter, not data. Protecting that data, however, should be the single most important aspect of virtualization security.
Here is why: Any execution environment requires four elements: devices/hardware/OS, networks, applications, and data. With the advent of virtualization, physical devices/OS are being replaced by flexible, on-demand virtual "devices," networks are being virtualized and applications are being streamed down from virtual environments. Therefore, the only remaining "constant" element is the data itself - which also has a longer lifetime than the ephemeral virtual environment. While protecting the virtual infrastructure is important, I believe the primary focus for protection should be the data – the true IT asset.
Virtualization is a game-changer for computing and has forced the IT world to rethink its infrastructure; now virtualization security has to be rethought as well. An information-centric approach to persistently protecting the data itself is the only way to really benefit from virtualization and keep the data truly secure.
Or, thinking about it another way: why was Google's approach to navigating the web using search better than the initial Yahoo approach of hierarchical mapping? Because Yahoo was mapping an old yellow-book approach to managing data, while Google took advantage of the new medium.
I shall try and elaborate on my thoughts in upcoming posts...
Posted: 13 Oct 2008 08:28 PM CDT
One of the challenges of using open source components as part of the mix in our products at StillSecure is to show the value we add over "pure" open source. This is especially true in our Strata Guard IDS/IPS, which uses a Snort engine. A question we are always asked is what about the Snort signatures. Do we use the Sourcefire signatures? Do we get them right away? Do we add any value over what Sourcefire does?
For many years I have spoken about the StillSecure Security Alert Team (SAT). By the way, don't pronounce it S-A-T. That is a test students take when applying to college. SAT is how they like to call it. Anyway, our SAT team is tasked with keeping all of the StillSecure products up to date against the latest threats and offering up to the minute protection. It is a 24x7x365 operation.
It is a thankless job for the SAT team. For the most part they work in obscurity. In fact as long as the rule updates they write work and protect our customers, you don't hear about it. Usually only when something goes wrong, do you hear or focus on the SAT.
When it comes to Snort signatures, we have always partnered with and supported some of the alternative Snort communities, communities such as Bleeding Edge and, more recently, Emerging Threats. So it was gratifying to see Matt Jonkman at Emerging Threats call us out for contributing a bunch of Snort signatures this week.
Anyway, kudos to the usually anonymous folks on our StillSecure SAT team. Keep up the great work guys!
Posted: 13 Oct 2008 05:08 PM CDT
Look out merchants, there is a sneaky omission to PCI v1.2 that does not seem to be making any headlines, and I'm wondering if this will just fly under the radar until someone like me stands up and points it out. All the discussion thus far has been around Anti-Virus, Network Segmentation (or lack of a requirement for), WEP, and firewall rules having a six month review (vs. quarterly). But, does anyone remember this little tidbit from the PCI v1.1 when trying to determine the scope of a PCI Assessment?
Any data repositories outside of the authorization and settlement environment where more than 500 thousand account numbers are stored [are in scope].
I've heard that this little loophole has saved many merchants from fines simply because they were able to take some non-compliant processes and get them under this threshold. Don't get me wrong, merchants would be liable for a breach if those non-compliant processes were linked to a breach, but anything below this threshold would technically not be material enough to show up in a Report on Compliance generated by a QSA.
Well, that whole provision is GONE from PCI v1.2. This means that merchants and service providers (small service providers could get hit hard with this) will have to do a better job of 1) defining where their data is, and 2) making those repositories compliant as they could be subject to the review of a QSA. Based on my interaction with customers, I think this is one of the more significant (if not the most significant) changes in the standard that people should worry about.
What do you think?
If you are worried about it, don't forget to ask a VeriSign consultant about our Data Discovery service that can help you map out all of this data (and other non-PCI data) across your enterprise.
Posted: 13 Oct 2008 04:37 PM CDT
But go feds!
"DarkMarket.ws, an online watering hole for thousands of identity thieves, hackers and credit card swindlers, has been secretly run by an FBI cybercrime agent for the last two years, until its voluntary shutdown earlier this month, according to documents unearthed by a German radio network."
Posted: 13 Oct 2008 01:14 PM CDT
As the years move by, many researchers are trying to understand the magical mystery that is the End-User and, more specifically, End-User Passwords.
Most password cracking and brute-force techniques are pretty advanced, as they use different elements to discover behavior, probable words, and dates that might be relevant to a user. And there are also the famous rainbow tables... But would these techniques ever work on a real-life system administrator of any type?
Let's face it, the real reason for getting behind the wheel and trying to discover a password is to access a privileged account such as a root account or a database account that will let you gain access to restricted systems and information.
Posted: 13 Oct 2008 12:15 PM CDT
I stumbled across this article this morning while combing through my RSS feeds. The author used a little bit of ingenuity when disposing of unwanted credit cards that were sent to them. Normally I, along with most folks, would cut up the cards and dispose of them in the trash at a couple of locations.
This person went that one step further.
From Parent Hacks:
It might make you squeamish, but I know I wouldn't go looking for anyone's personal data there.
Posted: 13 Oct 2008 10:34 AM CDT
Curious and curiouser, there is no news to speak of from DayCon - with the exception of Twitter news bursts. What happens at DayCon stays at DayCon, one surmises.
REDACTED COMMENTARY RELATED TO CIGARS AND BLUE DRESSES.
Good to see you back Dave, though the Digest is in good hands when you’re away. Really.
And now, the news…
EDITOR’S NOTE: Sometimes, copy and paste is a scary scary thing. Have a great Columbus Day everyone.
Posted: 13 Oct 2008 10:21 AM CDT
Securabit Episode 12
Anthony Gartner, Chris Mills, Chris Gerling
Chris G rides the Failbus with his FIOS connection
IT Jobs: No "Widespread Worry"
Air Force Cyber Command
Cracking one billion passwords per second with NVIDIA video card
BREAK
Chris G talks about running VMs in Vista Ultimate 64-bit
The guys discuss home networking
Soekris Box
Netgate m1n1wall firewall 3E 2D3
AIG Executives Blow $440,000 After Getting Bailout
Password [...]
Posted: 13 Oct 2008 09:22 AM CDT
Uninformed V10 has been released. As always the content looks top notch. I suppose it might have something to do with the authors (*GRIN*). Congrats guys on another piece of excellent work.
Using dual-mappings to evade automated unpackers
Analyzing local privilege escalations in win32k
Exploiting Tomorrow's Internet Today: Penetration testing with IPv6
Posted: 13 Oct 2008 08:49 AM CDT
The markets are up today, which can only be good news, but it would be a fool who would say we have definitely turned the corner.
There seems to be a pattern that you can follow when we have major incidents like this:
I think we are edging towards number 3 now.
And if that is the case, what has changed? Well, firstly, consumer trust in banking has been badly knocked. These great institutions don't quite seem as solid as they did 6 months ago.
And it is wider than that; this article from Computer Weekly highlights how consumers and employees are not happy with the measures taken by big business when protecting their identity:
As in banking, if you don't trust, you don't do business.
So what should banks be doing? Well, they need to regain the trust of their customers, and one way of doing that is demonstrating they take their customers' security seriously, especially in the online space where confidence is already low.
I am not saying that this will cancel out all the mistrust that has been generated but building trust takes time and little steps can make a big difference.
Posted: 13 Oct 2008 07:53 AM CDT
Something is up with Google Alerts. I have alerts set up for a lot of key words around security technologies and companies. This weekend I started receiving a whole bunch of alerts based upon news stories that were in some cases 2 years or more old. Does anyone know any reason for this?
Posted: 12 Oct 2008 08:05 AM CDT
Posted: 12 Oct 2008 01:19 AM CDT
While ClickJacking is the latest apocalyptic threat in IT Security, I wanted to point out something yet again, as I did back when Dan Kaminsky reported his DNS flaw and it became cataclysmic for its 15 minutes of fame.
I've been reading interviews, insights, write-ups and blogs on ClickJacking and I've had so many discussions with some of you my head spins trying to remember it all but something I saw a couple of days (weeks maybe?) ago is staying with me so I looked it back up and wanted to briefly talk about it.
This quote from Jeremiah Grossman, is disturbing.
"Recently we're [Grossman & RSnake] told we've been told that it's been known by the browser vendors since 2002." [CGI Security interview, 10/5/08]
Why is this disturbing, do you ask? Think about it. If this statement isn't stretching the truth (and I haven't found Jeremiah to be a sensationalist) then this has been an open, the-sky-is-falling-drop-everything issue for ~6 years. Not 6 days or months, but YEARS. So the question we have to ask ourselves [but already know the answer to] is: why in the world is it still an issue in 2008?
I'd love to know a few things:
Now, if you'll excuse me I'm going to go cancel my Internet connection, put a sledge-hammer to my computers and walk around aimlessly.
EDIT: Sun. Oct 12, 2:02pm CDT
I just read Jeremiah's comment, and then started reading the link he posted to the Bugzilla post on the bug Jesse Ruderman posted first in 2002, and Robert O'Callahan's (from Mozilla) continued stance against his views. I think it is important for everyone interested in security to read that thread to really understand what we [security professionals] are up against in the world of technology. Understandably, functionality has always been, and will always be, the antithesis of security.
There is a much, much deeper conversation to be had here. If any of you are going to InfoSec World in Orlando in March, I'd like to get a "thought group" on this topic together. Email me directly and we'll put it together. I'm not saying we're going to solve anything, but maybe come up with a better way to think this through as a community.
Posted: 11 Oct 2008 11:07 AM CDT
When it rains…
From Network World:
So what, you may ask, did they punt on? Well, they sent out numerous
…wait for it…
I shit you not.
Then some more fun from the article,
So, Exchange was responsible for the email addys in the “To:” field?
Er, no. That would be the duplicates but, it does give the impression that they are trying to duck the whoops by invoking the spectre of an errant mail server. I would assume that Verizon staffers will be attending their own seminar en masse then?
Oh, and just to flog the dead horse once again…one installment in the series is called, “Are you prepared for data loss?”
Um, yeah, FAIL.
Posted: 11 Oct 2008 10:25 AM CDT
This great posting showed up on Ars Technica a couple of days ago. Mail Goggles is an add-on that is designed to save you from yourself should you find yourself in front of a computer at 3 am and decide, via fuzzy wobbly brown pop logic, that now would be a great time to answer emails. This add-on for Gmail will do a WORLD of good for some of my friends.
From Ars Technica:
This is a great tool because before you can send out emails in an altered state you have to tackle some mental gymnastics.
Thankfully those days are behind me now.
Posted: 11 Oct 2008 09:53 AM CDT
Seriously does anyone care about this bit of news? I missed this when it hit the wire but, thanks to Serge for forwarding me the link.
Now, “Infamous Canadian hacker ‘Mafiaboy’ breaks silence with book release” is a title that I have a problem with. He was a 15 year old kid and playing with a DoS. The major difference between this kid (at the time) and anyone else launching a denial of service was one of two things. 1) He was bereft of the intelligence that said “hey, bad idea” and/or 2) Far too mentally challenged to not get caught. I hardly consider a DoS ‘hacking’ so much as a giant nuisance. Sure the instigator can offline a system for a while and cost the target money but, it is by no means indefinite. When you really boil it down it is a pointless endeavour.
I’m sorry but, could someone grab a mop and bucket?
My head just exploded.
Posted: 10 Oct 2008 10:08 PM CDT
Panel: Palin abused power in trooper case
ANCHORAGE, Alaska (CNN) — Republican vice presidential nominee Sarah Palin abused her power as Alaska’s governor and violated state ethics law by trying to get her ex-brother-in-law fired from the state police, a state investigator’s report concluded Friday.
“Gov. Palin knowingly permitted a situation to continue where impermissible pressure was placed on several subordinates in order to advance a personal agenda,” the report states.
Public Safety Commissioner Walt Monegan’s refusal to fire State Trooper Mike Wooten from the state police force was “likely a contributing factor” to Monegan’s July dismissal, but Palin had the authority as governor to fire him, the report by former Anchorage prosecutor Stephen Branchflower states.
Posted: 10 Oct 2008 08:05 PM CDT
This week was a wild ride. The culmination of a great deal of work from a diligent group came to a head with the second annual SecTor conference. Based on the feedback that I got from attendees, it rawked.
The morning crowd was quite something on day one for the sessions. I have to tell you I was quite pleased with the turnout. I should note that due to my limited time this year I was only able to snap a few pics. James had the camera clicking away so I would imagine that we’ll see some postings from him.
I was pleased to sport my "staff" badge for the limited time I was actually able to attend this year. Sadly, I did not, er, plan well for the conference from a personal perspective. Next year I'll make sure that I book the time off.
The lunch hour panel session was an interesting affair. Chris Hoff set the tone of the panel and fell on his sword as the token American in the process. I was very happy to see him showing off the tats and jeans. The number of suits on the stage was a little disconcerting. But, what are you gonna do?
I'm really pleased with the feedback that I've received from speakers and attendees alike. I'm sorry that I didn't get to meet a bunch of people that were there. But, thanks to everyone who made it out. I'm hoping that I'll be able to continue with SecTor to help it grow for next year. Oh yeah, and book the damn time off.
As if I wasn’t run ragged enough already, I managed to squeeze in a gig with the boys last Saturday night at the Pilot in Toronto.
And miles to go…
Posted: 10 Oct 2008 05:54 PM CDT
OWASP APPSEC 2008 Conference Videos are online
Posted: 10 Oct 2008 04:47 PM CDT
Hey folks - just some closing thoughts for a Friday. Hope everyone's had a decent week, and by now you've got a cold one in hand. Here are some thoughts I had as this week tails off into another weekend.