Spliced feed for Security Bloggers Network
Catalyst On Tour: Michael Santarcangelo in Kansas City [HiR Information Report] Posted: 14 Oct 2008 10:59 PM CDT Michael Santarcangelo is Catalyst On Tour! Next week, his travels will bring this nomadic security expert right here to Kansas City. For those who don't know, he wrote the recently-released book Into The Breach. I've invited him to talk to the Cowtown Computer Congress, so he'll be at the meeting on October 23rd (7pm, Javanaut at 39th and Wyoming). We'll likely partake in food and drink afterwards, and continue the conversation. Trust me, this is someone you want to meet.
Will You All Please Shut-Up About Securing THE Cloud...NO SUCH THING... [Rational Survivability] Posted: 14 Oct 2008 06:42 PM CDT How'd ya like this picture of "THE Cloud..." This love affair with abusing the amorphous thing called "THE Cloud" is rapidly approaching meteoric levels of asininity. In an absolute fit of angst I make the following comments:
If you thought virtualization and its attendant buzzwords, issues and spin were egregious, this billowy mass of marketing hysteria is enough to make me...blog ;) C'mon, people. Don't give in to the generalist hype. Cloud computing is real. "THE Cloud?" Not so much. /Hoff (I don't know what it was about this article that just set this little rant off, but well done Mr. Moyle)
Google Calendar Syncing, MobileMe, and iCal [Random Thoughts from Joel's World] Posted: 14 Oct 2008 05:20 PM CDT Recently I've had to start keeping my Calendar on Google Calendar. (For a really good reason, and, it's not the free version of Google Calendar either.) However, I didn't know how I was going to get my iCal to publish to Google Calendar AND sync with MobileMe at the same time. Well, I started trying to connect iCal to Google Calendar via CalDAV, which I wrote about in an earlier post. However, Google's implementation of CalDAV is still kinda broke. You can't really schedule people's time, you can't see their availability, you can't call people up from the address book, and you can't have To-Do's on the calendar that you are syncing, so that breaks a bunch of stuff for me. So I was going to try and just keep my calendar on iCal and have it publish to Google Calendar; well, that wasn't going to work either for a couple of reasons. I actually can't remember all the reasons right now, but it had to be something really big for me to abandon it right away. So I started looking into Apps that would sync my calendars for me, and I came up with BusySync. I took the following steps; since my calendar was maintained in iCal, YMMV, but good luck:
1. I exported my iCal calendar and put it on my desktop.
2. Logged into Google Calendar and imported my iCal calendar into Google Calendar (took a few seconds, I have a rather large calendar).
3. Deleted my local calendar in iCal.
4. Fired up BusySync and told BusySync to sync my Google Calendar to local iCal.
5. Voilà.
Since BusySync syncs a calendar to a "local" calendar (as opposed to a "subscribed" calendar) everything works fine; in fact, MobileMe will sync your calendar right down to your iPhone. Problem solved.
Phishing adapts to use financial meltdown to its advantage [Tim Callan's SSL Blog] Posted: 14 Oct 2008 05:15 PM CDT We know that the practice of phishing, when done effectively, involves surprising the victim, taking him out of his normal context, and creating a sense of urgency through fear. What better opportunity to use all three of these principles than by sending phishing e-mails that are hand-crafted with the current financial crisis in mind? WashingtonPost.com's Brian Krebs gives us a great summary of some of the new attacks that prey on targets' financial concerns.
This Can't Be Good: Uranium Mining the Grand Canyon [The Falcon's View] Posted: 14 Oct 2008 05:00 PM CDT
Why is Tim Cook carrying a Blackberry? [Random Thoughts from Joel's World] Posted: 14 Oct 2008 04:59 PM CDT Considering Apple makes the iPhone, a direct competitor to the Blackberry, why, at today's Apple event, was Tim Cook wearing a Blackberry on his hip? Um, whoops? Sorry Mr. Cook, just noticed it. No complaint here, not bitching, just noticed it :)
A (Tentative) Wish-List for a Better, More Secure, Web Browser [Security Provoked] Posted: 14 Oct 2008 04:28 PM CDT Web browsers are where the client machine rubber meets the Web server road. So it stands to reason that strong Web browser security is paramount, far more effective than relying on thousands of Web application/plug-in developers to write more secure code. There are definitely some browser developers that are making strides in the right directions, but none of them are quite there yet. I'm still thinking through this, but if I were writing my wishlist for a more secure Web browser today (and, well... I am) then here's what it would be:

1. It has to work. This is absolutely the most important piece of the puzzle. The trouble is, the most effective ways browsers have thus far come up with to improve security also cause some truly damaging impacts on performance.

2. It has to be built like a platform, not like a singular application. Once upon a time, the Web was a series of static pages, and the Web browser was an application that let you find and view those static pages. Times have changed, however, and now the browser itself plays host to many rich, Web-based applications. Thus, browser development should be treated more like operating system development. Some browsers (Google Chrome, principally) are beginning to make strides in this direction. (As my fellow CSIers, Kristen Romonovich and Robert Richardson, said from the get-go, Chrome is more a Windows competitor than it is an Internet Explorer competitor.)

3. It needs a modular, not monolithic, architecture. In a modular architecture, the browser is divided into at least two components: generally speaking, one that interacts with the client machine, and one that interacts with the Web and operates from within a sandbox. The main benefit is that it's a great defense against drive-by malware downloads. If an attacker compromises the Web-facing component of the browser, they won't automatically gain full access to the client machine with user privileges. They'll only gain access/privileges to whatever the Web-facing component needs. Internet Explorer 8 (beta) and Google Chrome (beta) use modular architectures. The OP Browser, still in development by researchers at the University of Illinois, uses a more granular modular architecture that splits the browser into five components. Yet monolithic architectures are used by all the major browsers today. (Monolithic architectures are kind of like real-estate brokers who represent both the buyer and the seller: you just can't quite trust them.)

4. It has to support some sort of process isolation. In essence, isolating processes means that when one site/object/plug-in crashes, it doesn't crash the entire browser.

5. Its security policies cannot rely heavily on the user. Average users should not be expected to understand the intricacies of privacy and security settings. They shouldn't be expected to dig into their Internet options, flip JavaScript on and off and on and off again, disable plug-ins, delete nefarious cookies, or anything else.

6a. It's got to figure out how to securely handle plug-ins. The troubles with plug-ins are that they tend to run as one instance (so process isolation doesn't really work with them), they're given unchecked access to all the browser's innards, and they tend to assume/require the user's full privileges. In order to allow plug-ins to run properly, Chromium (the modular, open-source Web browser architecture used by Google Chrome) runs them outside of the sandbox, and with the user's full privileges, so the browser can't do anything to save the user's machine from malicious downloads through an exploited plug-in. The OP Browser has some very innovative ways of handling plug-ins. Rather than using the Same Origin Policy (which prohibits scripts and objects from one domain from accessing/loading content (scripts/objects) from another domain), the browser applies to plug-ins a "provider domain policy," in which the browser can label the Web site and the plug-in content embedded in that Web site with separate origins. The plug-in's origin will be the domain that's hosting the plug-in content, which is not necessarily the same as the domain of the page you're viewing. (So if you were here on GoCSIBlog.com and I'd embedded an Adobe Flash media file from YouTube, the OP browser could recognize the page's origin as GoCSIBlog.com and the Flash file's origin as YouTube.com.) The benefit here is that you can add a site to your "trusted" list (thereby allowing plug-ins and allowing any plug-in content that originates from that trusted site) without needing to allow plug-in content that is running on the trusted site but originates from untrusted sites. This greatly mitigates the risks of cross-domain plug-in content... however, a) there are some cases where this policy will prevent plug-ins from operating properly and b) as Robert Hansen, CEO of SecTheory, pointed out to me, the primary vector for cross-domain content attacks (XSS, CSRF) is JavaScript, not plug-ins. Yet browsers (the OP browser included) continue to apply the same origin policy to JavaScript, and there are many JavaScript-based attacks (JavaScript hijacking, for example) that sidestep the same origin policy. The trouble is, none of the browser companies have really figured out yet how to securely handle JavaScript in a way that doesn't disrupt one's browsing experience and/or require security-savvy action from users. The NoScript plug-in for Firefox is a good tool, but a) it's not a standard Firefox feature, and b) it's a bit advanced for the average user. Other browsers allow you to simply disable JavaScript, but doing so means the user won't be able to enjoy some of the fun, quintessentially Web 2.0 things the Internet now has to offer. Further, JavaScript is automatically enabled on any sites on the user's "trusted" list, so malicious JavaScript on a legitimate site continues to be a problem. Web browsers' inability to elegantly handle JavaScript-related threats is a big problem, because it means that we all must rely upon the individual Web site developers to keep their sites free of cross-site scripting flaws and cross-site request forgery vulnerabilities. Part of the trouble may be that currently available rendering engines, used for parsing HTML and executing JavaScript, are error-prone and written in generally insecure languages. (So if you're a young researcher, maybe "Creating a more secure HTML rendering engine" would make a good thesis project. Pretty please?)

I'm still thinking some of this through, so do let me know if you disagree, see errors in my judgment, or think something else should be on this list. Also: should one browser be expected to do everything? How likely are you (and your users) to use one browser for everyday activities and another browser for more delicate activities? We'll be devoting the next issue of the Alert (CSI's members-only publication) to browsers and other elements of client-side Web security issues. We'll also be discussing some of this during the CSI 2008 conference next month. On Tuesday, Nov. 18, Gunter Ollman of IBM-ISS will present a full 60-minute session on "Man-in-the-Browser Attacks," and, also on Tuesday, browser security will be discussed during the Web 2.0 Security Summit, moderated by Jeremiah Grossman (CTO, WhiteHat Security) and Tara Kissoon (Director of Information Security Services at VISA, Inc.).
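As an added illustration of the origin-labelling point in the post above (this is not code from Security Provoked or from the OP browser project), the following Python snippet computes browser origins the way the same-origin policy does and then shows the two ways an embedded plug-in object can be labelled: with the origin of the page that embeds it, or with the origin of the host that serves it, as the provider domain policy does. The page URL, the YouTube object URL, the trusted-host list and the decision function are assumptions made for the example.

```python
# Added example: simulate same-origin comparison and two rules for labelling
# embedded plug-in content. Not the OP browser's code; the URLs, trust list
# and policy functions below are constructed for illustration.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Origin as browsers define it: (scheme, host, port), default port filled in."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme))


def same_origin(url_a, url_b):
    """The same-origin test a browser applies to scripts: all three parts must match."""
    return origin(url_a) == origin(url_b)


def label_by_page(page_url, content_url):
    """Page-origin labelling: embedded content inherits the origin of the embedding page."""
    return origin(page_url)


def label_by_provider(page_url, content_url):
    """Provider domain policy: embedded content is labelled with the origin serving it."""
    return origin(content_url)


def plugin_allowed(page_url, content_url, trusted_hosts, label):
    """Allow the plug-in object only if the host of the origin chosen by `label` is trusted."""
    _scheme, host, _port = label(page_url, content_url)
    return host in trusted_hosts


# Constructed scenario from the post: a trusted blog embedding a Flash file hosted elsewhere.
PAGE = "http://gocsiblog.com/some-post"
EMBEDDED_FLASH = "http://youtube.com/v/abc123.swf"
TRUSTED = {"gocsiblog.com"}


def compare_policies(page_url=PAGE, content_url=EMBEDDED_FLASH, trusted=TRUSTED):
    """Return the decision each labelling rule makes for the same embedded object."""
    return {
        "page_origin_rule": plugin_allowed(page_url, content_url, trusted, label_by_page),
        "provider_domain_rule": plugin_allowed(page_url, content_url, trusted, label_by_provider),
    }


if __name__ == "__main__":
    # With only gocsiblog.com trusted, the page-origin rule lets the YouTube
    # object run while the provider-domain rule blocks it.
    print(compare_policies())
```

The difference between the two dictionary entries is the whole point of the provider domain policy: trusting the page no longer implies trusting every third-party object the page pulls in. Note that the same-origin check is strict about scheme and port, which is why an http and an https page on the same host are different origins.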
Public Relations and Security [Ascension Blog] Posted: 14 Oct 2008 04:26 PM CDT As I'm sure that most people reading this blog are aware, we here in the United States are in the midst of an election. As I've been watching our candidates out on the campaign trail I have been reminded that perception is as important (if not more important) than substance. The candidates are bouncing around the country communicating their message. As the country is in financial crisis, communication is critical. Communication is also critical when a company is facing a crisis. I've been considering two security incidents and how they are being handled in terms of public relations. Now, what I'm going to give should not be considered legal advice, and I'm of course not a public relations expert. I do however have an opinion and feel that both of these situations are being handled poorly.

The first case is that of the World Bank. Fox News is reporting that the World Bank is in the middle of a security incident. Apparently the World Bank Group's computer network has been compromised for over a year. The Bank controls $25 billion a year in funds to the developing world and holds one of the world's largest repositories of sensitive data concerning the world's economy. One of the systems is reported to have held contract-procurement data. (I can't help but wonder how many contracts have been won based on compromised data?) Now, no matter what the specifics of the breach(es) are, what is important for this post is how the World Bank is handling it. Currently the World Bank's tactic is to deny what is happening despite the leak of internal memos which paint a different story.

The second case is that of the Massachusetts Bay Transit Authority (MBTA). For those of you who don't already know, several students from the Massachusetts Institute of Technology (MIT) intended to give a presentation at DEFCON explaining vulnerabilities that they discovered in the MBTA's fare card system. These students were hit with a restraining order and forbidden to present their paper (apparently the information had already been released on CDs given to the conference attendees; I wasn't there, that is just what I heard). (The restraining order has since been reversed by the court.) Again, I don't want to get into the specifics of who did what and when. That is for the court to decide. What I'm concerned with for this post is how the company handled the situation. The MBTA elected to go on the offensive and use the legal system to keep the information from getting out. Ironically the action had the reverse effect, causing the incident to be widely publicized. (See the so-called Streisand Effect.)

Having a security incident is a nightmare and won't endear you to stockholders, but can the actions a company takes actually make the situation worse? I believe so. Let's look at these two stories. In one case we have a company that feels that loud public denials of the situation are the way to go, and on the other hand we have a company that is doing all it can to hide the details of their vulnerabilities. Their very actions are calling public attention to the incidents. Imagine the situation at the World Bank. If the Bank had issued a statement that it was their policy not to comment on security incidents until they have been resolved, there would probably have been some hoopla over it, but it would most likely have died down rather quickly. As it is now we have a denial in the presence of apparent evidence to the contrary. That just invites increased scrutiny by the news media. In the case of the MBTA you have an organization that is trying to suppress information. The simple act of suppression is going to bring about increased attention. During hunting season (and it's always hunting season) why paint a larger target on yourself than you need to?

The time to decide on how to handle the public relations side of an incident is before an incident actually happens. Too much disclosure can be just as harmful as too little disclosure. Of course you won't know the details or the specifics of an incident before it happens, but a company can decide whether or not it should comment and, if so, what the comment should be. There may be legal considerations, so legal needs to be part of this process. Guidelines should be set forth to determine what criteria need to be met before certain information is released in company statements. Personally I'd recommend acknowledging that an incident has happened and restricting further comment until the incident is actually over. Now I'm sure that will probably draw fire from some of you out there, and that is okay. By all indications, both of these companies are still in the midst of these incidents. They are still investigating what has happened and are still in the process of instituting controls to keep the incident from recurring. The key at this point is to manage the public relations aspects of an incident rather than have them manage you.
Reconnaissance: don't post what you don't want found [Kees Leune] Posted: 14 Oct 2008 02:36 PM CDT This week's topic of the computer security class that I teach was reconnaissance. The amount of information that is "out there", available for an attacker who wants to build a profile of his target, is overwhelming. The things that we discussed today weren't very advanced or outlandish, but they were generally new to my students (undergrads). Here are some take-homes:
Log management [Liquid Information] Posted: 14 Oct 2008 02:11 PM CDT Now that Anton Chuvakin has left LogLogic, it made me think about log solutions in general. Basically I was thinking about a log management solution and what I would like it to be, for a small and maybe mid-size business. LogLogic and other players in the area are probably more suitable for large businesses with lots of data to log, but would probably work as well. Mainly I was thinking of easy navigation and keeping the system as simple as possible. The ideas I have are simple, but features would add complexity. Also, the gathering of logs would add complexity at some of the log sources. You would have different sections for different types of logs: firewall log, operating system log, application log, webserver log, database log, IDS/IPS log and so on. Each section would have the assets that produce the log, and you could either get the last X entries in the category or drill down on a specific asset. In the asset view you see the latest logs and could dig into a vulnerability assessment report or the latest IDS events regarding the asset. In the IDS section there could be a possibility to correlate against the attacked service if the vulnerability assessment format allows some parsing. The system could even do filtering or highlighting based on some specific values, which would give a view of interesting log entries across the whole log data available. You would also be able to search for specific terms in a broad or fine-tuned manner, however it could be accomplished. The gathering and sorting of the log data would require some planning on how to do it, and there would also need to be automation of log rotation (how long to keep logs, how old logs would get compressed and so on). Maybe even some kind of user management system should be in place, e.g. what assets/log groups a person is allowed to see, and so on.
Not sure if something like this already exists, but I'm a little bit tempted to begin a small project on this (yeah, I know... I still have unfinished ones hanging around), as the concept isn't that difficult if we talk about small data volumes. It would just require some careful planning. The ideas I was rolling around would however require some hacks that either work well or are prone to errors, but require modifications on the asset side. Anyway, it is good to play around with ideas, even though the log management concept isn't anything new. You never know what you end up with.
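As an added example, not the post's own design or any product's code, here is a minimal in-memory version of the store the post sketches: one section per log type, a per-asset drill-down that pulls in a vulnerability report and recent IDS events, keyword search, rule-based highlighting, correlation of IDS alerts against the attacked service, and a retention pass. The log lines, asset names, highlighting rules and vulnerability summary are all constructed for the example, and the one-line record format (ISO timestamp, category, asset, message) is an assumption.

```python
# Added example: a small in-memory log store with the sections, drill-down,
# search, highlighting, IDS/vulnerability correlation and retention the post
# describes. All sample data below is constructed; nothing here is from a
# real product or from the original post.
from collections import namedtuple
from datetime import datetime, timedelta
import re

Entry = namedtuple("Entry", "ts category asset message")

# Constructed sample records, one per line: "<ISO time> <category> <asset> <message>"
SAMPLE_LOGS = """\
2008-10-14T13:55:01 firewall fw1 DROP TCP 10.0.0.5:4432 -> 192.168.1.10:22
2008-10-14T13:55:07 webserver web1 GET /login.php 200 10.0.0.7
2008-10-14T13:55:09 webserver web1 GET /admin.php?id=1%27%20OR%201=1 500 10.0.0.7
2008-10-14T13:55:10 ids ids1 ALERT sql-injection src=10.0.0.7 dst=web1 svc=http
2008-10-14T13:56:02 database db1 slow query 4.2s SELECT * FROM users
2008-10-14T13:56:30 ids ids1 ALERT ssh-bruteforce src=10.0.0.5 dst=fw1 svc=ssh
2008-09-01T08:00:00 os web1 kernel: boot complete
"""

# Constructed vulnerability assessment summary: asset -> {service: finding}.
VULN_REPORT = {"web1": {"http": "SQL injection in admin.php"}, "fw1": {}}

# Constructed highlighting rules: IDS alerts, firewall drops, HTTP 5xx responses.
HIGHLIGHT_RULES = [re.compile(p) for p in (r"\bALERT\b", r"\bDROP\b", r" 5\d\d ")]


class LogStore:
    def __init__(self):
        self.entries = []

    def ingest(self, text):
        """Parse records into Entry objects and keep the store in time order."""
        for line in text.splitlines():
            ts, category, asset, message = line.split(" ", 3)
            self.entries.append(Entry(datetime.fromisoformat(ts), category, asset, message))
        self.entries.sort(key=lambda e: e.ts)

    def categories(self):
        """The sections of the UI: one per log type seen."""
        return sorted({e.category for e in self.entries})

    def latest(self, category, n=5):
        """Last n entries of one section, oldest first."""
        return [e for e in self.entries if e.category == category][-n:]

    def asset_view(self, asset):
        """Drill-down on one asset: its logs, its known vulnerabilities, IDS events aimed at it."""
        return {
            "logs": [e for e in self.entries if e.asset == asset],
            "vulnerabilities": VULN_REPORT.get(asset, {}),
            "ids_events": [e for e in self.entries
                           if e.category == "ids" and f"dst={asset}" in e.message],
        }

    def search(self, term, category=None):
        """Case-insensitive substring search, optionally limited to one section."""
        term = term.lower()
        return [e for e in self.entries
                if term in e.message.lower() and (category is None or e.category == category)]

    def highlighted(self):
        """Entries matching any highlighting rule, across all sections."""
        return [e for e in self.entries if any(r.search(e.message) for r in HIGHLIGHT_RULES)]

    def correlate_ids(self):
        """Pair each IDS alert with a known vulnerability on the attacked asset's service."""
        hits = []
        for e in self.entries:
            if e.category != "ids":
                continue
            fields = dict(kv.split("=", 1) for kv in e.message.split() if "=" in kv)
            finding = VULN_REPORT.get(fields.get("dst"), {}).get(fields.get("svc"))
            if finding:
                hits.append((e, finding))
        return hits

    def rotate(self, now_iso, keep_days=30):
        """Retention pass: drop entries older than keep_days; return the number dropped."""
        cutoff = datetime.fromisoformat(now_iso) - timedelta(days=keep_days)
        before = len(self.entries)
        self.entries = [e for e in self.entries if e.ts >= cutoff]
        return before - len(self.entries)


def build_store(text=SAMPLE_LOGS):
    store = LogStore()
    store.ingest(text)
    return store


if __name__ == "__main__":
    s = build_store()
    for alert, finding in s.correlate_ids():
        print(f"{alert.ts} {alert.message} <- matches known finding: {finding}")
```

Swapping in real sources means replacing ingest() with one parser per log format, which is where the post expects most of the complexity to land; the rest of the navigation is just filtering over a normalized record.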
VMware Acquires BlueLane: Further Differentiation Through Security [Rational Survivability] Posted: 14 Oct 2008 01:42 PM CDT From Virtualization.com comes the news that VMware has acquired BlueLane Technologies. BlueLane is the maker of solutions that protect both physical and logical infrastructure, which includes ServerShield and VirtualShield. The company has of late focused wisely on

Coupled with the introspection capabilities provided natively by VMware's vNetwork/VMsafe APIs, the integration of BlueLane's solution sets will add to the basal capabilities of the platform itself and will allow customers the flexibility to construct more secure virtualized operating environments. The notion of enabling in-line patch-proxying as well as "IPS-like" in-line vulnerability mitigation capabilities for VMs and additional VMM protection makes this very interesting indeed. You can read more about BlueLane's approach on their website. I also interviewed Allwyn Sequeira on my blog.

VMware's acquisition of Blue Lane comes as no surprise, as it became clear to me that VMware would need to continue to strengthen the underlying platform of the hypervisor itself. I wrote earlier this month, prior to the rumors of Blue Lane's acquisition posted by other bloggers, that as part of a successful differentiation strategy: VMware will make additional acquisitions in the security space. Yes, I know this sounds heretical given the delicate balance most "platform" providers keep with their ecosystem partners, but VMware have already shown that they are ready to buy as well as build and ally with prior acquisitions, and security will continue to be a key differentiator for them. They've done it once already with Determina; they'll do it again.
This point was at the heart of my debate with Simon Crosby, Citrix Systems' CTO (see here and here): we need a unified secure ecosystem to start with instead of worrying about securing the ecosystem's products. From a business perspective it takes a mixture of resolve, market dominance, and confidence to cannibalize a section of your ecosystem, but it's the right thing to do in this case in order to offset competitive forces and help customers solve some really nasty issues. I made mention of this point with emerging security ISVs at VMworld, and was asked several times whether I really thought VMware would do this. The odd question that inevitably came next was "where does that leave security ISVs like us?" You can guess my answer. Honestly, I'm sure most of them were hoping to be bought for the same reason. So, will this cause a run on alignment to support Hyper-V over VMware? I don't think so. ISVs who were hinging their hopes for success solely on VMware understand this risk. Microsoft has no API facility like vNetwork/VMsafe, so the options for reasonable and rational installation of their products are limited. Citrix is in the same boat. This is the reason my next set of VirtSec presentations will focus on Hyper-V. On a side note, I was one of Blue Lane's first customers for their patch proxy product and have been an ardent supporter of their approach for many years, despite taking quite a bit of crap for it from purists and pundits who had difficulty rectifying the approach in comparison to traditional IPSs. This is a good thing for VMware, VMware's customers and Blue Lane. Congratulations to the BlueLane team.
Loss Prevention is not Risk Management [How is that Assurance Evidence?] Posted: 14 Oct 2008 01:34 PM CDT I have been giving a lot of thought to how to deal with Risk Management recently. I have talked to a few people and I have come to realize the title of this post. Many of my colleagues only talk about making sure the data doesn't get released, corrupted or unreachable. In my own little head, this to me is loss prevention. Retailers do it all the time; they put those annoying tags on the clothes so that you can try them on properly, to make sure that they don't experience a loss. I'm not saying that RM and LP are not related; they are. But loss prevention, the implementation of controls, is not risk management. I define risk management as (like Wikipedia): a structured approach to managing uncertainty related to a threat, a sequence of human activities including: risk assessment, strategies development to manage it, and mitigation of risk using managerial resources. Most of the time, I have started the risk assessment process with threat identification, where we list out all the threats. The question is "Do we care?" The answer of course is "No". Stick with me now. Has the person in charge ever turned to you at the beginning of the incident response and said "I have the Risk Assessment here; can you tell me which threat succeeded and which control failed?" Maybe a few, but not many; the question that they asked me was, "What failed and (delicately) how do we get the shit back in the horse?" Results, not causes. In the heat of the moment, I haven't met anyone that said "I spent three days with a CVSS calculator determining that the threat is a 2, xxxxxxx turned into a ..." You know the next steps: a list of threats paired to vulnerabilities, and if you are using the 800-30 then you do the arbitrary but necessary likelihood and impact to come up with a risk. And there was much rejoicing. Yea! I have checked the proverbial box, submitted my POA&M and now I will retire to the veranda for coffee without a care in the world, right? Wrong.
My perception is that we are working this thing backwards, at least in the Federal government space (which is all I am really familiar with). With the Feds, we know the controls we are going to implement (800-53 or CNSS 1253). And then we know what we don't want to happen, you know... bad stuff that gets us in the Washington Post or dragged up the Hill. So let me lay this out: the threats are changing, there are always new vulnerabilities (the only constant is change), and the likelihoods and impacts are subjective, so why should we expect anything from that process, or at best anything we can take action upon? I have watched many smart people stand up new firewalls, IDPS, NAC solutions, SOCs, AV, whatever, and still in the end something gets missed or the human element gets in the way. Because simply implementing and monitoring controls without understanding the risks those controls are protecting against is not good. It is just doing Loss Prevention.
Dave Aitel on Static Analysis Tools [CGISecurity - Website and Application Security News] Posted: 14 Oct 2008 12:03 PM CDT Dave Aitel has posted to dailydave with his thoughts on the static analysis industry. From his email: "So OWASP was dominated by lots of talk from and about static code analysis tools. I wandered around with a friend of mine at the various booths (CodeSecure [1], Fortify [2], IBM AppScan [3], Ounce Labs) and..."
6 new modules for Cobia [StillSecure, After All These Years] Posted: 14 Oct 2008 11:09 AM CDT One question that I get asked often by press, analysts and other folks I speak to is what is new with Cobia, our open secure network platform. It seems the idea of Cobia really caught the fancy of a lot of people who heard about it. Frankly we have been low key about it here at StillSecure, but that doesn't mean that there has not been work going on. We have been continuing development with Cobia. The reason we did not put out a lot of press is that a lot of the work we are doing with Cobia is not readily apparent to the eye. There has been a lot of behind-the-scenes and back-end work on the architecture that will allow it to scale. We have also been working on adding more modules. We just made available the latest release of Cobia with 6 new modules, including:
· VPN
· DNS
· Gateway anti-virus
· Anti-spam
· Anti-spyware
· URL filtering
Again, a lot of the work here is in the back end, but go check it out and take it for a ride. There is more yet to come, as our developers and R&D team are hard at work continuing to develop this exciting platform!
The Daily Incite - 10/14/08 - Drafting a team [Security Incite Rants] Posted: 14 Oct 2008 09:47 AM CDT October 14, 2008 - Volume 3, #82 Good Morning: Thus I'm going to share my philosophy on hiring, for what that's worth. First of all, finding the wrong person is FAR more damaging than not getting everything done. So right now, I'm spending a lot of time talking to folks I know, figuring out where their heads are at and whether they are willing and able to make a change. But as much urgency as I feel because I know I'm dropping stuff, it's not so much that I'm going to just put barely a warm body in place to ease the pain.
Incite 4U Please be patient as I evolve the format of TDI to something that will work, given I can spend a lot less time on it during the week. Having a day job kind of puts a crimp on these fun, little hobbies. Today I'm going to try a hybrid format. Let me know if you think it sucks.
[Chinese] PCI-SSC releases the latest version of PCI-DSS, v1.2 [Telecom,Security & P2P] Posted: 14 Oct 2008 09:41 AM CDT During our National Day holiday, on 1 October 2008, the PCI Security Standards Council (PCI-SSC) published the latest version of the Data Security Standard, PCI-DSS v1.2, on its official website. The PDF and DOC files for version 1.2 can now be downloaded from the official PCI-DSS web page. At the moment only the English version is available for download; I contacted the organizer, Shawn, who says the Simplified Chinese version is being translated and should be released and available to everyone soon. A summary of the changes from version 1.1 to version 1.2 was published at the same time. According to the official website, version 1.1 will remain valid until the end of this year, that is, 31 December 2008. Overall, the new version does not change very much. Below is a summary of the main changes across the 12 requirements; I hope it is useful to you.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Use and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a policy that addresses information security for employees and contractors
PaulDotCom Security Weekly - Episode 126 Part I - October 9, 2008 [PaulDotCom] Posted: 14 Oct 2008 06:22 AM CDT Paul and Larry are in the studio with special guest Ed Skoudis!
Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian Email: psw@pauldotcom.com
Larry Seltzer on wildcard SSL Certificates [Tim Callan's SSL Blog] Posted: 13 Oct 2008 10:55 PM CDT I always enjoy the insights of eWeek's Larry Seltzer. Here's his take on wildcard certificates.
On The Increasing Intelligence of Field Devices [Digital Bond] Posted: 13 Oct 2008 10:25 PM CDT Recently I've attended a few training classes/sales pitches on some new field devices coming into the market, and a trend that I'm seeing is that more and more of them are being built on x86 processors running embedded Windows operating systems. A lot of things can come from this trend (more features, a larger pool of operators/developers, better integration with other devices, to name a few), but there is also the disadvantage of more exposure, both in the increased likelihood of being connected to business networks (directly or indirectly) and in attackers' increased knowledge of the platforms. Not to argue for security through obscurity, but to a network scanner the difference between various Windows systems is minimal, and even if the control system components aren't being targeted, a few wrong turns on the corporate network and an attacker looking for HR information could be throwing some nasty stuff at your devices. The problem here, however, is not that these devices are getting more powerful or more feature-rich, far from it; it's that those responsible for administering the devices might not even be aware of the issues this would bring. An analogous situation happened on the corporate side of the DMZ not too long ago: a worm called "Code Red" was running rampant through many networks and printers were being knocked over (Xerox and HP if I remember correctly) due to them running what was essentially Windows 2000 SP0 and an unpatched IIS server. In many cases those managing the printers had no idea that the systems were vulnerable, and if they did there was no patch available from Xerox or HP, even though it had been patched by Microsoft more than a month before. This is another vital reason to regularly examine your networks for any unneeded services.
I see a lot of similarities between PLCs and cellular phones: until very recently they've both been by most standards "dumb" devices, but now there isn't a whole lot that your desktop computer can do that your cell phone can't. And where previously they were locked into one network and only worked with your service provider's services, they're now active on many different types of networks and connecting to all sorts of other devices. The cellular phone companies have had to put a lot more thought into security (on both ends) than they had to in the past, and their networks are no longer just a single protocol but a vast array of different ones, often intermingled and layered on top of one another, and they're still trying to figure out patching too. In the end it's about everyone in the chain, from the upstream providers (be it MS, VxWorks, etc.) to the vendor and on down to the end users themselves, being as knowledgeable about the features, risks, and mitigations provided by each layer as possible. As our field devices get smarter and more interconnected, the management of those systems will by necessity become more complex. The only thing worse than not being prepared to address a risk is not knowing about it.
1001 [Random Thoughts from Joel's World] Posted: 13 Oct 2008 07:58 PM CDT Some insight. So, here I am at 1,001 posts. What do I have to say? Absolutely nothing more than what I said at 900. Do what you do, say what you say, and people will be interested. Between my 900th and my 1000th posts, I've picked up about 200% more readers (RSS subscribers) and average about 500% more hits a day. Recently I've picked up a bunch more readers through subscriptions; it's basically like a heartbeat diagram that keeps going up. When my name is mentioned somewhere, or I do a post on the ISC or something, I get a huge influx of readers, then it dies off a little bit, but a few stick around to see what nonsense I have to ramble about. It hasn't been much lately as I've been pretty busy with work and whatnot. I'll try and get more active in the future. I promise. I've just got a lot going on right now; I'm lucky if I can get through my email. Speaking of which, I need to do another "processing email" post, as I've changed a lot about that. | ||
Posted: 13 Oct 2008 06:27 PM CDT Microsoft updated Security Advisory (951306) last week. A vulnerability from last April allows local privilege escalation. The advisory was updated because exploit code is now available online. There is currently no patch available, but a workaround is possible:
Check the Advisory for more information. (Photo under creative commons from post406's photostream) | ||
Estonia publishes Cyber Security Strategy [Security4all] [Belgian Security Blognetwork] Posted: 13 Oct 2008 05:53 PM CDT Everybody remembers the cyberattacks on Estonia from last year (also dubbed the first Internet war)? If you don't, watch this video from Defcon. The Estonian Cyber Security Strategy committee, part of the Ministry of Defense, has written a Cyber Security Strategy in an attempt not to fall victim to similar attacks again. You can get the report online. Abstract: The asymmetrical threat posed by cyber attacks and the inherent vulnerabilities of cyberspace constitute a serious security risk confronting all nations. For this reason, the cyber threats need to be addressed at the global level. Given the gravity of the threat and of the interests at stake, it is imperative that the comprehensive use of information technology solutions be supported by a high level of security measures and be embedded also in a broad and sophisticated cyber security culture. The report also talks about the need for internal cooperation and mentions the United Nations, European Union, NATO, Council of Europe, the OSCE, OECD and other professional organizations and the roles that they can play. Download the document for more information. Related posts:
| ||
Security Bloggers Meeting at RSA Europe 2008 (updated) [Security4all] [Belgian Security Blognetwork] Posted: 13 Oct 2008 02:22 PM CDT Kevin Riggins from Infosecramblings proposed a Security Bloggers/Twits meeting during the RSA Europe 2008 conference on Tuesday the 28th of October at 8 PM. The location hasn't been set yet. If you are interested in joining us, drop a message with Kevin. UPDATE: It's final: Tuesday the 28th at 8:00 PM. The Novotel London Excel bar is the location. More info here. Previous post: (Photo under creative commons from ggee's photostream) | ||
Bluetooth sniffing and cracking WPA-PSK [Liquid Information] Posted: 13 Oct 2008 01:14 PM CDT Seems that people really look for information on how to crack WPA-PSK and how to sniff Bluetooth traffic. I thought of posting something about these, especially because there has been some new information on Bluetooth sniffing and cracking WPA, and I would rather have people hitting here than the old posts. The cool stuff: Bluetooth sniffing. This is accomplished by flashing a Cambridge Silicon Radio equipped Bluetooth adapter with the firmware from Frontline (which sounds suspiciously illegal). Too bad that my DBT-120 dongle hardware version is B4 and not C1, so I can't try it out just for my own educational purposes. I actually recall the dongle reverting back to the old information after the device was unplugged. The WPA cracking stuff: Elcomsoft has increased the cracking speed to 100 times faster by using two NVidia GPUs. Does this pose a real threat to WPA-PSK and the "you're good to go with a 20-char passphrase" advice? I doubt it if you're just a home user. Seems also that others think somewhere along the same lines, but I am not a math guy so I do not know the actual figures and the time it would actually take. Does someone have actual figures on how this would compare to the earlier situation? Even if it were a risk, just add a few characters and it becomes obsolete again. I use all the available space for the WPA-PSK key so I don't feel worried (63 chars). | ||
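The post above asks for actual figures on what a 100x faster cracker means against a WPA-PSK passphrase. The following is an added example (not code from the Liquid Information post or from Elcomsoft) that makes the arithmetic concrete. It derives the Pairwise Master Key the way WPA/WPA2-Personal does (PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds), which is the per-guess work a GPU cracker parallelises; it then runs a tiny offline dictionary guess against a constructed PMK, measures this machine's single-thread guess rate, and computes how many extra random passphrase characters cancel a given speedup. The SSID `HomeNet`, the wordlist, and the "100x" multiplier are assumptions taken from the post, not measurements of any real product. A real attack checks candidates against the MIC of a captured four-way handshake rather than against the PMK directly; the PMK comparison here stands in for that step.

```python
"""WPA-PSK cost model: what a 100x faster cracker buys an attacker and what
extra passphrase characters cost them.  Added example, not from the post."""
import hashlib
import math
import time
from typing import Iterable, Optional

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-Personal
PMK_LENGTH = 32            # 256-bit Pairwise Master Key


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK as a WPA/WPA2-Personal station or AP does:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    Those 8192 SHA-1 compressions per guess are what GPU crackers speed up."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LENGTH)


def dictionary_attack(target_pmk: bytes, ssid: str,
                      wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing: recompute PBKDF2 per candidate and compare.
    The target PMK is a constructed stand-in for a captured handshake."""
    for word in wordlist:
        if 8 <= len(word) <= 63 and wpa_psk_pmk(word, ssid) == target_pmk:
            return word
    return None


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passphrases of `length` random characters from the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase of this length at this rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def chars_needed_to_offset(speedup: float, alphabet_size: int) -> int:
    """Smallest number k of extra random characters such that
    alphabet_size**k >= speedup, i.e. the cracker's gain is cancelled."""
    return math.ceil(math.log(speedup) / math.log(alphabet_size))


def measure_single_core_rate(ssid: str, samples: int = 50) -> float:
    """Guesses per second this machine manages with hashlib, single thread."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_psk_pmk(f"candidate-{i:04d}", ssid)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    ssid = "HomeNet"                                   # constructed SSID
    words = ["password", "letmein1", "dragon12", "trustno1"]  # constructed list
    target = wpa_psk_pmk("dragon12", ssid)             # constructed "capture"
    print("dictionary hit:", dictionary_attack(target, ssid, words))

    base = measure_single_core_rate(ssid)
    gpu = base * 100   # the post's claimed 100x speedup; an assumption, not a measurement
    print(f"this machine: {base:,.0f} guesses/s; assumed GPU rig: {gpu:,.0f} guesses/s")
    for length in (8, 10, 12, 20):
        years = seconds_to_exhaust(95, length, gpu) / (365 * 86400)
        print(f"{length:2d} random printable chars: {years:.3g} years to exhaust")
    print("extra chars that cancel a 100x speedup:", chars_needed_to_offset(100, 95))
```

The point the numbers make: a 100x faster cracker is worth log(100)/log(95), i.e. fewer than two random printable characters, so the "add a few characters" reaction in the post is exactly right for random passphrases. The caveat is the other direction: GPUs do not change the keyspace, but a human-chosen passphrase that appears in a wordlist has a keyspace of one, and no length saves it.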
Chinese hacker books and the Falun Gong [The Dark Visitor] Posted: 13 Oct 2008 12:41 PM CDT Book title: Chinese hackers No doubt, many of you are wondering what to get us for the holidays. Well, worry no more, China’s Xinhua Online Bookstore has you covered. Checked out their selection on hacking and found a total of 270 books on the subject. While many of these are just translations from the US and other sources, they did have original manuscripts such as the one above. Got bored after the first hundred or so titles and a thought hit me, what would happen if I searched for books on the Falun Gong (法轮功)? Looking for “Taiwanese Independence” and “Free Tibet” simply returned zero hits. (Amazon.cn also kicked me off for Falun Gong search) NOTE: The thing about holiday gifts was a joke, a JOKE. Sometimes my online humor doesn’t translate very well and I get e-mails asking if I was serious. | ||
Posted: 13 Oct 2008 11:49 AM CDT Uninformed is pleased to announce the release of its 10th volume, which is composed of 4 articles:
Engineering in Reverse
- Can you find me now? Unlocking the Verizon Wireless xv6800 (HTC Titan) GPS (Author: Skywing)
- Using dual-mappings to evade automated unpackers (Author: skape)
Exploitation Technology
- Analyzing local privilege escalations... | ||
VMWorld 2008: Forecast For VMware? Cloudy...Weep For Security? [Rational Survivability] Posted: 13 Oct 2008 09:50 AM CDT This post was written prior to the opening of the Partner Day/Technology Exchange, based solely upon information that is publicly available. No NDA's were harmed during the making of this blog... So now that I can talk about it outside of the embargo, VMware is announcing extensions to its product roadmap and product marketing to deliver what it calls its "virtual datacenter OS:"
The components that make up VMware's virtual datacenter OS are: Each of these components has service/product definitions below it. While it's exciting to see VMware's strategy around its version of the datacenter OS, it's going to be a bumpy ride as we continue to see how Microsoft, Cisco and VMware all interact and how these roadmaps align -- or don't. Remember, despite how they play nice, each has their own bottom line to watch and it's every man for himself. It's quite clear we're going to have some very interesting security challenges bubbling up to the surface; we barely have our arms around what we might call virtualization v1.0 -- we've a lack of maturity in solutions, operations, visibility and security and we're pulling the trigger on what's sure to be a very contentious security model...or lack thereof. In the vApplication services, there is a direct call-out titled "Security" in which VMware's ESX 3i's size is touted as its current security feature (rolleyes) and in 2009 we see the following:
There's nothing new here, except the dependence upon VMsafe, ISVs and virtual appliances...I think you know how I feel about that. In line with my posts regarding the Cisco vSwitch for ESX (what I'm calling the cSwitch,) the "Infrastructure vServices" component hints at the development of three major investment points: vCompute, vNetwork and vStorage. In vNetwork, you'll notice the 2009 arrival of the following three elements which are very interesting, indeed:
I'll be interested to see what distributed networking actually means -- there's a session today on that, but coupled with the cSwitch, I wonder if it means more than just plugging into VirtualCenter/VFrame for management. Let's not forget how some of the elements in vCompute will affect networking and security, such as VMDirect, which provides "intelligent" VMM bypass and allows direct access from the VMs...all in the name of performance. I wrote about that here a couple of days ago. It looks as though we might see some policy extensions to afford affinity such that policies travel with the VM!? The notion of vCloud is being described as the notion of portability, mobility and supportability of applications that can be developed and deployed inside an enterprise's "internal cloud" and then handed off to an "external cloud" provider's service offerings. It's really the "infrastructureless infrastructure" play. One thing that immediately comes to mind when I hear the word "federation" -- as I assume it might to any security professional's ears -- is the issues surrounding exposure of AAA (authentication, authorization and accounting) between internal and external credential stores and how this intersects with SOA environments. As more details come to light, I'll be adding my thoughts about where (if at all) security really plays into this evolving strategy. Gotta shower and get to the con. /Hoff | ||
You are subscribed to email updates from Security Bloggers Network To stop receiving these emails, you may unsubscribe now. | Email Delivery powered by FeedBurner |