Wednesday, October 15, 2008

Spliced feed for Security Bloggers Network

Catalyst On Tour: Michael Santarcangelo in Kansas City [HiR Information Report]

Posted: 14 Oct 2008 10:59 PM CDT

Michael Santarcangelo is Catalyst On Tour! Next week, his travels will bring this nomadic security expert right here to Kansas City. For those who don't know, he wrote the recently-released book Into The Breach. I've invited him to talk to the Cowtown Computer Congress , so he'll be at the meeting on October 23rd (7pm, Javanaut at 39th and Wyoming). We'll likely partake in food and drink afterwards, and continue the conversation. Trust me, this is someone you want to meet.

Will You All Please Shut-Up About Securing THE Cloud...NO SUCH THING... [Rational Survivability]

Posted: 14 Oct 2008 06:42 PM CDT

How'd ya like this picture of "THE Cloud..."

This love affair with abusing the amorphous thing called "THE Cloud" is rapidly  approaching meteoric levels of asininity.  In an absolute fit of angst I make the following comments:

  1. There is no singularity that can be described as "THE Cloud."  There are many clouds, they're not federated, they don't natively interoperate at the application layer and they're all mostly proprietary in their platform and operation.  They're also not all "public" and most don't exchange data in any form. The notion that we're all running out to put our content and apps in some common repository on someone else's infrastructure (or will) is bullshit.  Can we stop selling this lemon already?

    Yay!  More people have realized that outsourcing operations and reducing both OpEx and CapEx by using shared infrastructure makes sense.  They also seem to have just discovered it has some real thorny issues, too.  Welcome to the 90's. Bully!

    Just like there are many types of real billowing humid masses (cumulonimbus, fibratus, undulatus, etc.) there are many instantiations of resource-based computing models that float about in use today -- Clean Pipes from ISP's, Google/Google Apps, Amazon EC2, WebEx -- all "cloud" services.  The only thing they have in common is they speak a dialect called IP...
  2. The current fad of butchering the term "Cloud Computing" to bring sexy back to the *aaS (anything as a service) model is embarrassing.  More embarrassing is the fact that I agree with Larry Ellison wherein he stated:

    "The interesting thing about cloud computing is that we've redefined cloud computing to include everything that we already do. I can't think of anything that isn't cloud computing with all of these announcements. The computer industry is the only industry that is more fashion-driven than women's fashion. Maybe I'm an idiot, but I have no idea what anyone is talking about. What is it? It's complete gibberish. It's insane. When is this idiocy going to stop?"

  3. It ain't new, folks. Suggesting that this is a never-before-seen paradigm that we've not faced prior and requires "new" thinking as to privacy, trust models, security as a service layer and service levels mocks the fact that the *aaS model is something we've been grappling with for years and haven't answered.  See #2.  I mean really.  I've personally been directly involved with cloud-models since the early 90's.  Besides, the fact that it's become (again) an economically attractive and technologically viable option doesn't make it new, it makes it convenient and marketable.
  4. Infrastructure Gorillas are clouding the issue by suggesting their technology represents THE virtual datacenter OS.  Microsoft, Citrix, VMware, Cisco.  They all say the same thing using different words.  Each of them claiming ownership as the platform/OS upon which "THE cloud" will operate.  Not one of them has a consistent model of securing their own vDCOS, so don't start on how we're going to secure "IT."

    (Ed: In fairness just so nobody feels left out, I should also add that the IaaS (Infrastructure as a service)/integrator gorillas such as IBM and HP are also in the mix -- each with their own flavor of service differentiation sprinkled on top.)

If you thought virtualization and its attendant buzzwords, issues and spin were egregious, this billowy mass of marketing hysteria is enough to make ;)

C'mon, people. Don't give into the generalist hype.  Cloud computing is real.  "THE Cloud?"  Not so much.


(I don't know what it was about this article that just set this little rant off, but well done Mr. Moyle)

Google Calendar Syncing, MobileMe, and iCal [Random Thoughts from Joel's World]

Posted: 14 Oct 2008 05:20 PM CDT

Recently I've had to start keeping my Calendar on Google Calendar. (For a really good reason, and, it's not the free version of Google Calendar either.) However, I didn't know how I was going to get my iCal to publish to Google Calendar, AND sync with MobileMe at the same time.

Well I started trying to connect iCal to Google Calendar via CalDAV, which I wrote about in an earlier post. However, Google's implementation of CalDAV is still kinda broke. You can't really schedule people's time, you can't see their availability, you can't call people up from the address book, and you can't have To-Do's on the calendar that you are syncing, so that breaks a bunch of stuff for me.

So I was going to try and just keep my calendar on iCal, and have it publish to Google Calendar, well, that wasn't going to work either for a couple reasons. I actually can't remember all the reasons right now, but it had to be something really big for me to abandon it right away.

So I started looking into Apps that would sync my calendars for me. So I came up with BusySync.

So I took the following steps, since my calendar was maintained in iCal, YMMV, but good luck:
1. I exported my iCal calendar and put it on my desktop.
2. Logged into Google Calendar and imported my iCal calendar into Google Calendar (took a few seconds, I have a rather large calendar).
3. Deleted my local calendar in iCal.
4. Fired up BusySync and told BusySync to Sync my Google Calendar to local iCal.
5. Voila.

Since BusySync syncs a calendar to a "local" calendar (as opposed to a "subscribed" calendar) everything works fine, in fact, MobileMe will sync your calendar right down to your iPhone.

Problem Solved.

Phishing adapts to use financial meltdown to its advantage [Tim Callan's SSL Blog]

Posted: 14 Oct 2008 05:15 PM CDT

We know that the practice of phishing, when done effectively, involves surprising the victim, taking him out of his normal context, and creating a sense of urgency through fear. What better opportunity to use all three of these principles than by sending phishing e-mails that are hand-crafted with the current financial crisis in mind.'s Brian Krebs gives us a great summary of some of the new attacks that prey on targets' financial concerns.

This Can't Be Good: Uranium Mining the Grand Canyon [The Falcon's View]

Posted: 14 Oct 2008 05:00 PM CDT

Just when you think the Bush administration can't make a mess of anything else, you run across this little story about how the Bureau of Land Management has decided to reject the direction of Congress and declare itself free of...

Why is Tim Cook carrying a Blackberry? [Random Thoughts from Joel's World]

Posted: 14 Oct 2008 04:59 PM CDT

Considering Apple makes the iPhone, a direct competitor to the Blackberry, why, at today's Apple event, was Tim Cook wearing a Blackberry on his hip? Um, whoops?

Sorry Mr. Cook, just noticed it. No complaint here, not bitching, just noticed it :)

A (Tentative) Wish-List for a Better, More Secure, Web Browser [Security Provoked]

Posted: 14 Oct 2008 04:28 PM CDT

Web browsers are where the client machine rubber meets the Web server road. So it stands to reason that strong Web browser security is paramount—far more effective than relying on thousands of Web application/ plug-in developers to write more secure code.

There are definitely some browser developers that are making strides in the right directions, but none of them are quite there yet. I’m still thinking through this, but if I were writing my wishlist for a more secure Web browser today (and, well… I am) then here’s what it would be:

1. It has to work. This is absolutely the most important piece of the puzzle. The trouble is, the most effective ways browsers have thus far come up with to improve security also cause some truly damaging impacts on performance.

2. It has to be built like a platform, not like a singular application. Once upon a time, the Web was a series of static pages, and the Web browser was an application that let you find and view those static pages. Times have changed, however, and now the browser itself plays host to many rich, Web-based applications. Thus, browser development should be treated more like operating system development. Some browsers–Google Chrome, principally–are beginning to make strides in this direction. (As my fellow CSIers, Kristen Romonovich and Robert Richardson, said from the get-go, Chrome is more a Windows competitor than it is an Internet Explorer competitor.)

3. It needs a modular–not monolithic–architecture. In a modular architecture, the browser is divided into at least two components–generally speaking, one that interacts with the client machine, and one that interacts with the Web and operates from within a sandbox. The main benefit is that it’s a great defense against drive-by malware downloads. If an attacker compromises the Web-facing component of the browser, they won’t automatically gain full access to the client machine with user privileges. They’ll only gain access/privileges to whatever the Web-facing component needs. Internet Explorer 8 (beta) and Google Chrome (beta) use modular architectures. The OP Browser still in development by researchers at the University of Illinois uses a more granular modular architecture that splits the browser into five components.

Yet monolithic architectures are still what all the major shipping browsers use today. (Monolithic architectures are kind of like real-estate brokers who represent both the buyer and the seller–you just can’t quite trust them.)

4. It has to support some sort of process isolation. In essence, isolating processes means that when one site/ object /plug-in crashes, it doesn’t crash the entire browser.

5. Its security policies cannot rely heavily on the user. Average users should not be expected to understand the intricacies of privacy and security settings. They shouldn’t be expected to dig into their Internet options, flip JavaScript on and off and on and off again, disable plug-ins, delete nefarious cookies, or anything else.

6a. It’s got to figure out how to securely handle plug-ins.
6b. It’s got to figure out how to securely handle JavaScript.

The troubles with plug-ins are that they tend to run as one instance–so process isolation doesn’t really work with them–they’re given unchecked access to all the browser’s innards, and they tend to assume/require the user’s full privileges. In order to allow plug-ins to run properly, Chromium (the modular, open-source Web browser architecture used by Google Chrome) runs them outside of the sandbox, and with the user’s full privileges–so the browser can’t do anything to save the user’s machine from malicious downloads through an exploited plug-in.

The OP Browser has some very innovative ways of handling plug-ins. Rather than using the Same Origin Policy–which prohibits scripts and objects from one domain from accessing/loading content (scripts/objects) from another domain–the browser applies to plug-ins a “provider domain policy,” in which the browser can label the Web site and the plug-in content embedded in that Web site with separate origins. The plug-in’s origin will be the domain that’s hosting the plug-in content, which is not necessarily the same as the domain of the page you’re viewing. (So if you were here on and I’d embedded an Adobe Flash media file from YouTube, the OP browser could recognize the page’s origin as and the Flash file’s origin as The benefit here is that you can add a site to your “trusted” list–thereby allowing plug-ins and allowing any plug-in content that originates from that trusted site–without needing to allow plug-in content that is running on the trusted site but originates from untrusted sites. This greatly mitigates the risks of cross-domain plug-in content… however a) there are some cases where this policy will prevent plug-ins from operating properly and b) as Robert Hansen, CEO of SecTheory pointed out to me, the primary vector for cross-domain content attacks (XSS, CSRF) is JavaScript, not plug-ins.

Yet, browsers (the OP browser included) continue to apply the same origin policy to JavaScript, and there are many JavaScript-based attacks–JavaScript hijacking, for example–that sidestep the same origin policy.
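To make the difference between the two labelling rules concrete, here is an added example (not code from the original post, and not the OP browser's implementation) that decides whether embedded plug-in content may run under the same-origin policy versus the provider domain policy described above. The origin normalisation, the user's trust list and the "trusted origin may run" decision rule are simplifying assumptions for illustration; the hostnames are constructed.

```python
"""Added example, not code from the original post or from the OP browser:
a toy comparison of the same-origin policy (SOP) with the "provider domain
policy" for deciding whether embedded plug-in content may run. The origin
normalisation, the trust list and the decision rule are simplifying
assumptions for illustration; all hostnames are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable
from urllib.parse import urlsplit


def origin(url: str) -> str:
    """Normalise a URL to a scheme://host:port origin string."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    if p.hostname is None or port is None:
        raise ValueError(f"cannot derive an origin from {url!r}")
    return f"{p.scheme}://{p.hostname}:{port}"


@dataclass(frozen=True)
class Embed:
    page_url: str     # the document the user is viewing
    content_url: str  # where the plug-in content (e.g. a .swf) was fetched from


def same_origin_label(e: Embed) -> str:
    """SOP as browsers applied it to plug-ins: the object inherits the page's origin."""
    return origin(e.page_url)


def provider_domain_label(e: Embed) -> str:
    """Provider domain policy: label the object with the origin that served it."""
    return origin(e.content_url)


Policy = Callable[[Embed], str]


def plugin_allowed(e: Embed, trusted: set[str], policy: Policy) -> bool:
    """Run the plug-in only if the origin the policy assigns is on the trust list."""
    return policy(e) in trusted


def compare(e: Embed, trusted: set[str]) -> dict[str, bool]:
    """Decisions under both policies for one embed, keyed by policy name."""
    return {
        "same_origin": plugin_allowed(e, trusted, same_origin_label),
        "provider_domain": plugin_allowed(e, trusted, provider_domain_label),
    }


if __name__ == "__main__":
    # Constructed scenario: the user trusts their own blog and one video host.
    trusted = {origin("https://blog.example/"), origin("https://video.example/")}
    cases = {
        "video embedded on the trusted blog":
            Embed("https://blog.example/post", "https://video.example/clip.swf"),
        "ad-network object injected into the trusted blog":
            Embed("https://blog.example/post", "https://ads.untrusted.example/x.swf"),
        "video embedded on an untrusted forum":
            Embed("https://forum.untrusted.example/t/1", "https://video.example/clip.swf"),
    }
    for name, e in cases.items():
        print(f"{name}: {compare(e, trusted)}")
```

The second case is the one the post is about: under SOP the injected object inherits the trusted page's origin and runs; under the provider domain policy it carries the ad network's origin and is refused. The third case shows the flip side, which is also the caveat (a) above: content from a trusted provider runs wherever it is embedded, and a plug-in that legitimately needs the embedding page's identity will see a different origin than it expects. Neither rule says anything about script the trusted site itself serves, which is Hansen's point about JavaScript.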

The trouble is, none of the browser companies have really figured out yet how to securely handle JavaScript in a way that doesn’t disrupt one’s browsing experience and/or require security-savvy action from users. The NoScript plug-in for Firefox is a good tool, but a) it’s not a standard Firefox feature, and b) it’s a bit advanced for the average user. Other browsers allow you to simply disable JavaScript, but doing so means the user won’t be able to enjoy some of the fun, quintessentially Web 2.0 things the Internet now has to offer. Further, JavaScript is automatically enabled on any sites on the user’s “trusted” list, so malicious JavaScript on a legitimate site continues to be a problem.

Web browsers’ inability to elegantly handle JavaScript-related threats, is a big problem, because it means that we all must rely upon the individual Web site developers to keep their sites free of cross-site scripting flaws and cross-site request forgery vulnerabilities.

Part of the trouble may be that currently available rendering engines, used for parsing HTML and executing JavaScript, are error-prone and written in memory-unsafe languages (C and C++). (So if you’re a young researcher, maybe “Creating a more secure HTML rendering engine” would make a good thesis project. Pretty please?)

I’m still thinking some of this through, so do let me know if you disagree, see errors in my judgment, or think something else should be on this list.

Also: should one browser be expected to do everything? How likely are you (and your users) to use one browser for everyday activities and another browser for more delicate activities?

We’ll be devoting the next issue of the Alert–CSI’s members-only publication–to browsers and other elements of client-side Web security issues. We’ll also be discussing some of this during the CSI 2008 conference next month. Tuesday, Nov. 18 Gunter Ollman of IBM-ISS will present a full 60-minute session on “Man-in-the-Browser Attacks,” and, also on Tuesday, browser security will be discussed during the Web 2.0 Security Summit, moderated by Jeremiah Grossman (CTO, WhiteHat Security) and Tara Kissoon (Director of Information Security Services at VISA, Inc.).

Public Relations and Security [Ascension Blog]

Posted: 14 Oct 2008 04:26 PM CDT

As I'm sure that most people reading this blog are aware, we here in the United States are in the midst of an election.  As I've been watching our candidates out on the campaign trail I have been reminded that perception is as important as (if not more important than) substance.    The candidates are bouncing around the country communicating their message.  As the country is in financial crisis, communication is critical. 

Communication is also critical when a company is facing crisis.  I've been considering two security incidents and how they are being handled in terms of public relations.   Now what I'm going to give should not be considered legal advice and I'm of course not a public relations expert.  I do however have an opinion and feel that both of these situations are being handled poorly.

The first case is that of the World Bank.  Fox News is reporting that the World Bank is in the middle of a security incident.  Apparently the World Bank Group's computer network has been compromised for over a year.  The Bank controls $25 Billion a year in funds to the developing world and holds one of the world's largest repositories of sensitive data concerning the world's economy.   One of the systems is reported to have held contract-procurement data.  (I can't help but wonder how many contracts have been won based on compromised data?)

Now no matter what the specifics of the breach(es) are, what is important for this post is how the World Bank is handling it.  Currently the World Bank's tactic is to deny what is happening despite the leak of internal memos which paint a different story. 

Deny Everything, Admit Nothing

The second case is that of the Massachusetts Bay Transit Authority (MBTA).  For those of you who don't already know, several students from the Massachusetts Institute of Technology (MIT) intended to give a presentation at DEFCON explaining vulnerabilities that they discovered in the MBTA's fare card system.   These students were hit with a restraining order and forbidden to present their paper (apparently the information had already been released on CDs given to the conference attendees – I wasn't there; that is just what I heard).  (The restraining order has since been reversed by the court)

Again, I don't want to get into the specifics of who did what and when.  That is for the court to decide.  What I'm concerned with for this post is how the company handled the situation.  The MBTA elected to go on the offensive and use the legal system to keep the information from getting out.   Ironically the action had the reverse effect, causing the incident to be widely publicized.  (See the so-called Streisand Effect). 

Having a security incident is a nightmare and won't endear you to stockholders but can the actions a company takes actually make the situation worse?  I believe so.  Let's look at these two stories.  In one case we have a company that feels that loud public denials of the situation are the way to go and on the other hand we have a company that is doing all it can to hide the details of their vulnerabilities.  Their very actions are calling public attention to the incidents. 

Imagine the situation at the World Bank.  If the Bank had issued a statement that it was their policy not to comment on security incidents until they have been resolved there would probably have been some hoopla over it but it would most likely have died down rather quickly.  As it is now we have a denial in the presence of apparent evidence to the contrary.  That just invites increased scrutiny by the news media. 

In the case of the MBTA you have an organization that is trying to suppress information.   The simple act of suppression is going to bring about increased attention.  During hunting season (and it's always hunting season) why paint a larger target on yourself than you need to?   

The time to decide on how to handle the public relations side of an incident is before an incident actually happens.  Too much disclosure can be just as harmful as too little disclosure.  Of course you won't know the details or the specifics of an incident before it happens but a company can decide whether or not it should comment and if so what it should be.  There may be legal considerations so legal needs to be part of this process. Guidelines should be set forth to determine what criteria need to be met before certain information is released in company statements.   

Personally I'd recommend acknowledging that an incident has happened and then restricting comments until the incident is actually over.  Now I'm sure that will probably draw fire from some of you out there and that is okay.  By all indications, both of these companies are still in the midst of these incidents.  They are still investigating what has happened and are still in the process of instituting controls to keep the incident from reoccurring.   The key at this point is to manage the public relations aspects of an incident rather than have them manage you. 

Reconnaissance: don't post what you don't want found [Kees Leune]

Posted: 14 Oct 2008 02:36 PM CDT

This week's topic of the computer security class that I teach was reconnaissance. The amount of information that is "out there", available for an attacker who wants to build a profile of his target is overwhelming. The things that we discussed today weren't very advanced or outlandish, but they were generally new to my students (undergrads). Here are some take-homes:

  1. Don't underestimate the amount of intel that can be found on social networking sites, such as LinkedIn, Facebook, Myspace, Twitter. It will be almost impossible to control what gets posted, so make sure that you know what information is there. Search for your organization and for your key employees and see what information is posted. Be aware of what others can find out about you as a target and act accordingly.
  2. Be creative with search engines; check Johnny Long's Google Hacking Database. While you are there, order a copy of his book and support charity. Play around with the Goolag scanner to figure out what you can find.
  3. Maltego is awesome; use it, play with it, and learn from using it.
  4. Don't list anything in whois records that you do not have to. Do not list names, email addresses,  titles, street addresses, etc. if you do not absolutely have to. Instead of a real name, list a job function. Instead of an individual's email address, list a functional email address. If you do list an individual's email address, make sure that the first part of the email address isn't also the user's login. List a P.O. Box, rather than a physical address. Real names and email addresses can be used for social engineering, physical addresses can be used for site visits (for example, to search for WiFi bleeding)
  5. Use split DNS and do not allow zone transfers.
  6. Most of all, abide by the adage: don't post online what you don't want to be found
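Item 5 is the one that is cheapest to get wrong and cheapest to check, so here is an added BIND 9 named.conf fragment (not from the original post) showing the permissive default next to a restricted, split-horizon configuration. The zone name, the addresses and the file names are assumptions; the `dig` check at the bottom is the test an attacker would run against you, so run it yourself from outside the network first.

```conf
// Added example, not from the original post. Assumed zone example.com,
// internal network 10.0.0.0/8, internal secondary 10.0.0.53 and
// external secondary 198.51.100.2.

// Weak: BIND 9 of this era answers AXFR for anyone unless told otherwise,
// so a zone declared without allow-transfer behaves like:
//   zone "example.com" { type master; file "db.example.com";
//                        allow-transfer { any; }; };
// One "dig axfr" then hands the attacker your complete host inventory.

acl "internal"       { 10.0.0.0/8; 127.0.0.1; };
acl "int-secondary"  { 10.0.0.53; };
acl "ext-secondary"  { 198.51.100.2; };

// Global default: no zone transfer unless a zone explicitly overrides it.
options {
    allow-transfer { none; };
};

// Split DNS: internal clients see the full zone, everyone else sees only
// the public hosts. Views are matched in order; the first match wins.
view "internal" {
    match-clients { "internal"; };
    zone "example.com" {
        type master;
        file "db.example.com.internal";   // intranet hosts, printers, etc.
        allow-transfer { "int-secondary"; };
    };
};

view "external" {
    match-clients { any; };
    zone "example.com" {
        type master;
        file "db.example.com.external";   // www, mx, ns only
        allow-transfer { "ext-secondary"; };
    };
};

// Check from outside: a correct setup prints "Transfer failed." instead
// of the zone contents.
//   dig @ns1.example.com example.com axfr
```

Two things to keep straight: a secondary only replicates the view its source address falls into, so an external secondary sitting inside 10/8 would pull and publish the internal zone; and an address-based ACL is the minimum, not the ideal, since signing transfers with TSIG keys ties the transfer to a shared secret rather than to a source address.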

Log management [Liquid Information]

Posted: 14 Oct 2008 02:11 PM CDT

Now that Anton Chuvakin left LogLogic, it made me think about log solutions in general. Basically I was thinking about a log management solution and what I would like it to be, for a small and maybe mid-size business. LogLogic and other players in the area are probably more suitable for large businesses with lots of data to log, but would probably work as well.

Mainly I was thinking of easy navigation and keeping the system as simple as possible. The ideas I have are simple but features would add complexity. Also the gathering of logs would add complexity in some of the log sources.

You would have different sections for different type of logs; firewall log, operating system log, application log, webserver log, database log, ids/ips log and so on. Each section would have the assets that produce the log and you could either get X amount of last entries in the category or drill down on a specific asset. In the asset view you see latest logs and could dig into a vulnerability assessment report or latest IDS events regarding the asset. In the IDS section there could be a possibility to correlate against the attacked service if the vulnerability assessment format allows some parsing. The system could even do filtering or highlighting based on some specific values which would give a view of interesting log entries across the whole log data available.

You would also be able to search for specific terms in a broad or finetuned manner, however it could be accomplished. The gathering and sorting of the log data would require some planning on how to do it and there would also need to be automation on log rotation (how long to keep logs, how old logs would get compressed and so on). Maybe even some kind of user management system should be in place, e.g. what assets/log group a person is allowed to see, and so on.
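As an added sketch of the navigation just described (not code from the original post, and not an existing product), the following Python keeps a small in-memory store with a section per log type, per-asset drill-down, last-N views, search, and named highlighting rules that run across every section. The sample lines are constructed syslog-style records, and the tag-to-section mapping stands in for the per-source collector configuration the post says would be the hard part.

```python
"""Added example, not code from the original post: a minimal in-memory log
store with sections per log type, per-asset drill-down, last-N views,
free-text search and cross-section highlighting rules. Sample lines are
constructed; the tag->section table is a simplifying assumption."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Callable


@dataclass(frozen=True)
class Entry:
    ts: datetime
    category: str   # firewall, os, webserver, ids, database, application
    asset: str      # host that produced the line
    message: str


# Constructed sample lines: "<ISO time> <host> <tag>: <message>"
SAMPLE_LINES = [
    "2008-10-14T13:02:11 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 DPT=22",
    '2008-10-14T13:02:13 web1 httpd: 203.0.113.5 "GET /admin.php HTTP/1.1" 404',
    "2008-10-14T13:02:14 web1 sshd: Failed password for root from 203.0.113.5 port 4111",
    "2008-10-14T13:02:15 ids1 snort: [1:2003:4] SSH brute force attempt 203.0.113.5 -> 192.0.2.10",
    "2008-10-14T13:02:20 web1 sshd: Accepted publickey for deploy from 192.0.2.55 port 5022",
    "2008-10-14T13:03:01 db1 postgres: connection authorized: user=app database=shop",
]

# Assumed mapping from the syslog tag to a section of the UI.
TAG_CATEGORY = {"kernel": "firewall", "httpd": "webserver", "sshd": "os",
                "snort": "ids", "postgres": "database"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\w+)(?:\[\d+\])?: (.*)$")


def parse(line: str) -> Entry:
    """Split one sample line into timestamp, asset, section and message."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, host, tag, msg = m.groups()
    return Entry(datetime.fromisoformat(ts), TAG_CATEGORY.get(tag, "application"), host, msg)


class LogStore:
    def __init__(self, lines):
        self.entries = sorted((parse(l) for l in lines), key=lambda e: e.ts)

    def sections(self) -> dict[str, list[str]]:
        """Section -> assets that produced logs in it (the navigation tree)."""
        out: dict[str, set[str]] = defaultdict(set)
        for e in self.entries:
            out[e.category].add(e.asset)
        return {k: sorted(v) for k, v in out.items()}

    def last(self, n: int, category: str | None = None, asset: str | None = None):
        """Last N entries for a section, an asset, or both (drill-down view)."""
        sel = [e for e in self.entries
               if (category is None or e.category == category)
               and (asset is None or e.asset == asset)]
        return sel[-n:]

    def search(self, term: str, regex: bool = False):
        """Broad (substring) or fine-tuned (regex) search over all messages."""
        pat = re.compile(term if regex else re.escape(term), re.I)
        return [e for e in self.entries if pat.search(e.message)]

    def highlight(self, rules: dict[str, Callable[[Entry], bool]]):
        """Apply named rules across every section; rule name -> matching entries."""
        return {name: [e for e in self.entries if rule(e)] for name, rule in rules.items()}


def rules_for(addr: str) -> dict[str, Callable[[Entry], bool]]:
    """Two highlighting rules: one source address anywhere, and any auth failure."""
    return {
        f"activity from {addr}": lambda e: addr in e.message,
        "auth failure": lambda e: re.search(r"failed password|invalid user",
                                            e.message, re.I) is not None,
    }


def pivot_on_address(store: LogStore, addr: str) -> dict[str, int]:
    """Hits per section for one address: the cross-section view the post wants."""
    counts: dict[str, int] = defaultdict(int)
    for e in store.search(addr):
        counts[e.category] += 1
    return dict(counts)


if __name__ == "__main__":
    store = LogStore(SAMPLE_LINES)
    print(store.sections())
    print(pivot_on_address(store, "203.0.113.5"))
    for name, hits in store.highlight(rules_for("203.0.113.5")).items():
        print(name, [f"{e.asset}/{e.category}" for e in hits])
```

The pivot is where the design earns its keep: the same address shows up in the firewall drop, the 404, the failed SSH login and the IDS alert, which no single section would surface. Rotation, compression and per-user visibility of sections are left out here, and for anything beyond small volumes the list scans would need to become indexes.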

Not sure if something like this already exists, but I'm a little bit tempted to begin a small project on this (yeah, I know... I still got unfinished ones hanging around), as the concept isn't that difficult if we talk about small volume data. It would just require some careful planning. The ideas I was rolling around would however require some hacks that either work well or are prone to errors, but require modifications on the asset side.

Anyways, it is good to play around with ideas, even though the log management concept isn't anything new. You never know what you end up with.

VMware Acquires BlueLane: Further Differentiation Through Security [Rational Survivability]

Posted: 14 Oct 2008 01:42 PM CDT

From comes the news that VMware has acquired BlueLane Technologies

BlueLane is the maker of solutions that protect both physical and logical infrastructure, which includes ServerShield and VirtualShield.  The company has of late focused wisely on the latter, which provides application-aware firewalling, inter-VM flow visibility and analytics, application policy control, and intrusion prevention capabilities.

Coupled with the introspection capabilities provided natively by VMware's vNetwork/VMsafe APIs, the integration of BlueLane's solution sets will add to the basal capabilities of the platform itself and will allow customers the flexibility to construct more secure virtualized operating environments.

The notion of enabling in-line patch-proxying as well as the "IPS-like" in-line vulnerability mitigation capabilities for VMs and additional VMM protection make this very interesting indeed.  You can read more about BlueLane's approach on their website.  I also interviewed Allwyn Sequeira on my blog.

VMware's acquisition of Blue Lane comes as no surprise.  Earlier this month, prior to the rumors of Blue Lane's acquisition reported by other bloggers, I wrote that in order to continue to strengthen the underlying platform of the hypervisor itself, and as part of a successful differentiation strategy:

    VMware will make additional acquisitions in the security space.  Yes, I know this sounds
    heretical given the delicate balance most "platform" providers keep with their ecosystem
    partners, but VMware have already shown that they are ready to buy as well as build and
    ally with prior acquisitions and security will continue to be a key differentiator for them. 
    They've done it once already with Determina, they'll do it again.

I think it's actually an excellent move as it continues on the path of not only helping to ensure that the underlying virtualization platform is more secure, but the elements that ride atop on it are equally "security enabled" also. 

This point was at the heart of my debate with Simon Crosby, Citrix Systems' CTO (see here and here); focusing solely on VMM resilience and leaving the ISVs to sort out security was a bad idea.  It leads to more silos, less integration, more complexity and overall a less secure environment.

We need a unified secure ecosystem to start with instead of worrying about securing the ecosystem's products.

From a business perspective it takes a mixture of resolve, market dominance, and confidence to cannibalize a section of your ecosystem, but it's the right thing to do in this case in order to offset competitive forces and help customers solve some really nasty issues.

I made mention of this point with emerging security ISVs at VMworld, and was asked several times whether I really thought VMware would do this.  The odd question that inevitably came next was "where does that leave security ISVs like us?"  You can guess my answer.  Honestly, I'm sure most of them were hoping to be bought for the same reason.

So, will this cause a run on alignment to support Hyper-V over VMware?  I don't think so.  ISV's who were hinging their hopes for success solely on VMware understand this risk.  Microsoft has no API facility like vNetwork/VMsafe, so the options for reasonable and rational installation of their products are limited.  Citrix is in the same boat.

This is the reason my next set of VirtSec presentations will focus on Hyper-V.

On a side note, I was one of Blue Lane's first customers for their patch proxy product and have been an ardent supporter of their approach for many years, despite taking quite a bit of crap for it from purists and pundits who had difficulty reconciling the approach with traditional IPSs.

This is a good thing for VMware, VMware's customers and Blue Lane. Congratulations to the BlueLane team.

Loss Prevention is not Risk Management [How is that Assurance Evidence?]

Posted: 14 Oct 2008 01:34 PM CDT

I have been giving a lot of thought about how to deal with Risk Management recently. I have talked to a few people and I have come to realize the title of this post. Many of my colleagues only talk about making sure the data doesn't get released, corrupted or unreachable. In my own little head, this to me is loss prevention. Retailers do it all the time, they put those annoying tags on the clothes so that you can't try them on properly, to make sure that they don't experience a loss. I'm not saying that RM and LP are not related, they are. But loss prevention, the implementation of controls, is not risk management. I define risk management as (like Wikipedia):

a structured approach to managing uncertainty related to a threat, a sequence of human activities including: risk assessment, strategies development to manage it, and mitigation of risk using managerial resources.

Most of the time, I have started the risk assessment process with a threat identification, where we list out all the threats. The question is "Do we care?" The answer of course is "No". Stick with me now. Has the person in charge ever turned to you at the beginning of the incident response and said "I have the Risk Assessment here, can you tell me which threat succeeded and which control failed?" Maybe a few but not many; the question that they asked me was, "What failed and (delicately) how do we get the shit back in the horse?" Results not causes. In the heat of the moment, I haven't met anyone that said "I spent three days with a CVSS calculator determining that the threat is a 2, xxxxxxx turned into a ... ."

You know the next steps, list of threats paired to vulnerabilities, and if you are using the 800-30 then you do the arbitrary but necessary likelihood and impact. To come up with a risk. And there was much rejoicing. Yea! I have checked the proverbial box, submitted my POA&M and now I will retire to the veranda for coffee without a care in the world, right? Wrong.

My perception is that we are working this thing backwards, at least in the Federal government space (which is all I am really familiar with). With the Feds, we know the controls we are going to implement (800-53 or CNSS 1253). And then we know what we don't want to happen, you know ... bad stuff that gets us in the Washington Post or dragged up the Hill.

So let me lay this out: the threats are changing, there are always new vulnerabilities (the only constant is change), the likelihoods and impacts are subjective, so why should we expect anything from that process, or at best anything we can take action upon?

I have watched many smart people stand up new firewalls, IDPS, NAC solutions, SOCs, AV, whatever and still in the end something gets missed or the human element gets in the way. Because simply implementing and monitoring controls without the understanding of the risks those controls are protecting against is not good. It is just doing Loss Prevention.

Dave Aitel on Static Analysis Tools [CGISecurity - Website and Application Security News]

Posted: 14 Oct 2008 12:03 PM CDT

Dave Aitel has posted to dailydave with his thoughts on Static Analysis Industry. From his email "So OWASP was dominated by lots of talk from and about static code analysis tools. I wandered around with a friend of mine at the various booths (CodeSecure [1], Fortify[2], IBM AppScan[3], Ounce Labs) and...

6 new modules for Cobia [StillSecure, After All These Years]

Posted: 14 Oct 2008 11:09 AM CDT

One question that I get asked often by press, analysts and other folks I speak to is what is new with Cobia, our open secure network platform.  It seems the idea of Cobia really caught the fancy of a lot of people who heard about it. Frankly we have been low key about it here at StillSecure, but that doesn't mean that there has not been work going on.

We have been continuing development with Cobia.  The reason we did not put out a lot of press is that a lot of the work we are doing with Cobia is not readily apparent to the eye. There has been a lot of behind the scenes and back end work on the architecture that will allow it to scale. We have also been working on adding more modules.  We just made available the latest release of Cobia with 6 new modules! Including:

  • Gateway anti-virus
  • Anti-spam
  • Anti-spyware
  • URL filtering

Again, a lot of the work here is in the back end, but go check it out and take it for a ride.  There is more yet to come, as our developers and R&D team is hard at work on continuing to develop this exciting platform!

The Daily Incite - 10/14/08 - Drafting a team [Security Incite Rants]

Posted: 14 Oct 2008 09:47 AM CDT

Today's Daily Incite

October 14, 2008 - Volume 3, #82

Good Morning:
My first, and perhaps biggest, adjustment in re-entering the working world is to realize I can't do everything myself. Remember I've spent the past 3 years literally doing everything. The Boss helped out with some office administrata, and that was helpful, but ultimately I was responsible and had to manage all of my activities. At this point, I have a limited team at eIQ, so I'm doing a lot of stuff myself right now. Not because we don't have the open positions, rather because I want to make sure I find the right folks. And I know that's not going to scale.

Thus I'm going to share my philosophy on hiring, for what that's worth. First of all, finding the wrong person is FAR more damaging than not getting everything done. So right now, I'm spending a lot of time talking to folks I know, figuring out where their heads are at and whether they are willing and able to make a change. But as much urgency as I feel because I know I'm dropping stuff, it's not so much that I'm going to just put barely a warm body in place to ease the pain.

I usually get asked what skills I'm looking for. The answer is a question: "what are you good at?" I draft for talent. I try to get the best people I can, and figure out what they'll do later. Obviously I can't put two world class PR folks on a small team, but I don't really have any preconceived notions as to what the team will look like. I know what we need to get done and I know what kinds of folks I like to work with, but I go with talent and fill in the gaps myself.

I do this because historically the talented folks are able to pick up more slack and learn more about the job functions than folks that are content with their little areas of expertise. Basically they will scale better as the operation scales. I like most of my team to have aspirations to have my job some day. Of course, not everyone can be a leader all the time, but I like to see leadership qualities in everyone. You never know who is going to need to step up at any time, so again I opt for talent and drive over experience and bad habits.

So yes, I'm building a team and thus far it's fun. It'll be a lot more fun when I can have some other hands on deck to focus on all the details that a marketing group needs to manage.

Back to phone screening (and the other 20 things on my list for today). Have a great day. 

Photo: "NFL draft from the floor" originally uploaded by Ryan Lejbak

Incite 4U

Please be patient as I evolve the format of TDI to something that will work, given I can spend a lot less time on it during the week. Having a day job kind of puts a crimp on these fun, little hobbies. Today I'm going to try a hybrid format. Let me know if you think it sucks.

  1. VMWare takes Blue Lane out to the camp fire, or should I say fire sale. They didn't even do a press release. The news is from The good news is that security for the virtualized data center is important. The bad news is that it isn't a stand alone market. Blue Lane was early into the space and given the economic backdrop, wasn't going to be able to raise more money to wait for the market to develop. If it develops. So VMWare buys the technology and security will be a feature. At least parts of security. Hat tip to Hoff who has some thoughts on the deal as well.
  2. If Risk Management is for the birds (according to Dark Reading anyway), what the hell are we supposed to do? Yes, I've been very critical regarding wacky attempts to truly quantify risk. Yet, ultimately we have to allocate resources based on something. I don't much care whether it's based upon some internal algorithm or a qualitative survey of the senior team, as long as your approach to figuring out what is important is consistent and has been bought into by the senior team.
  3. Evidently due diligence is for the birds as well. A couple of Seattle VCs are taken for a ride by some unscrupulous start-up execs that were cooking the books. This isn't security related, but it's kind of interesting. Don't these funds require real audits to take place? Don't they monitor the cash balances? Or do they just nod their heads as they rush between the 12 board meetings a month they attend? And 40 folks pay with their jobs. Make that 42, since the VCs on that company's board need to be tossed.
  4. Good, I don't have to go buy a new wireless access point. Rob Graham assures us that WPA is not obsolete, given the recent press around a brute force attack that is supposed to accelerate how quickly you can break it. The good news is just make your passphrase a little longer and it'll still take a few years to crack it, even with substantial compute power. And if Rob says it's so, then it's so. He's got one of the biggest brains in the business.
  5. I'll be at Information Security Decisions early next month, giving a new version of my REACT FASTER pitch. The fine folks at TechTarget were kind enough not to pull my session, even after I became a vendor puke. Though I gave the vendor-neutral blood oath. To preview a little bit on how you can sort of fake "getting ahead of the threat," there is the idea of reputation. Symantec is using it to underlie how they evaluate files. It's not a new approach, and it's not a panacea. But it's worked in email security and now in web filtering, so I think it's an interesting technical approach to trying to get a bit more information about the intent of who you are connecting to (or who is connecting to you).
  6. Finally a use for SMS besides to annoy my friends with short messages. Or is that Twitter? Anyway, Check Point is now using SMS as a 2nd authentication factor and given the ubiquity of mobile devices, this isn't a bad idea. Again, not new, but as a feature on some boxes already deployed in the field, it's something we don't see too much in security. Something that makes the user experience better.
  7. Barracuda gives back. Well, not exactly, but they are making their reputation service black list available to the public. Of course you need to know what to do with it, and if you do, then you are somewhat unique. The rest of the world just wants the problem to go away, which is why they use Barracuda or Postini or any of the other 10 that are still left in this market.

[Chinese] PCI-SSC publishes the latest version, PCI-DSS v1.2 [Telecom,Security & P2P]

Posted: 14 Oct 2008 09:41 AM CDT

During our National Day holiday, on October 1, 2008, the PCI Security Standards Council (PCI-SSC) released the latest version of the data security standard, PCI-DSS v1.2, on its official website. The PDF and DOC files of version 1.2 can now be downloaded from the official PCI-DSS web page. At present only the English version is available for download; according to the organizer, Shawn, the Simplified Chinese version is being translated and should be released soon.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
The main change is the removal of the text about "disabling SSID broadcast", leaving that decision to the organization itself. In fact, quite a few organizations use SSID broadcast to provide services such as guest VLANs.

Requirement 3: Protect stored cardholder data
The main change is the removal of the text about SHA-1, Triple-DES and AES; only strong cryptography is emphasized, and specific algorithms can be taken from NIST and other standards. In addition, the text about using "Active Directory" was removed; only the use of a local user account database is emphasized.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Requirement 5: Use and regularly update anti-virus software or programs

Requirement 6: Develop and maintain secure systems and applications

Requirement 7: Restrict access to cardholder data by business need to know
Mainly formatting and wording changes, for example from "Computing resources and cardholder information" to "System components and cardholder data".

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Requirement 12: Maintain a policy that addresses information security for employees and contractors

PaulDotCom Security Weekly - Episode 126 Part I - October 9, 2008 [PaulDotCom]

Posted: 14 Oct 2008 06:22 AM CDT

Paul and Larry are in the studio with special guest Ed Skoudis!

  • Sponsored by Core Security, listen for the new customer discount code at the end of the show
  • Sponsored by Astaro, download a free trial of the Astaro Security gateway today!
  • Sponsored by Tenable Network Security, creators of Nessus and makers of the Tenable Security Center, software that extends the power of Nessus through sophisticated reporting, remediation workflow, IDS event correlation and much more.
  • Want to register for any SANS conference? Please visit for our referral program
  • Be sure to check out "Maltego" from Paterva, try the community edition for free!
  • Don't forget to sign up for our Mailing List, Forums, and log into our IRC Channel!
  • Full Show Notes

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian


Larry Seltzer on wildcard SSL Certificates [Tim Callan's SSL Blog]

Posted: 13 Oct 2008 10:55 PM CDT

I always enjoy the insights of eWeek's Larry Seltzer. Here's his take on wildcard certificates.

On The Increasing Intelligence of Field Devices [Digital Bond]

Posted: 13 Oct 2008 10:25 PM CDT

Recently I've attended a few training classes/sales pitches on some new field devices coming into the market, and a trend that I'm seeing is that more and more of them are being built on x86 processors running embedded Windows operating systems.  A lot of things can come from this trend (more features, a larger pool of operators/developers, better integration with other devices, to name a few), but there is also the disadvantage of more exposure, both in the increased likelihood of being connected to business networks (directly or indirectly) and in attackers' increased knowledge of the platforms.  Not to argue for security through obscurity, but to a network scanner the difference between various Windows systems is minimal, and even if the control system components aren't being targeted, an attacker looking for HR information who takes a few wrong turns on the corporate network could be throwing some nasty stuff at your devices.

The problem here, however, is not that these devices are getting more powerful or more feature rich, far from it; it's that those responsible for administering the devices might not even be aware of the issues this would bring.  An analogous situation happened on the corporate side of the DMZ not too long ago: a worm called "Code Red" was running rampant through many networks and printers were being knocked over (Xerox and HP if I remember correctly) due to them running what was essentially Windows 2000 SP0 and an unpatched IIS server.   In many cases those managing the printers had no idea that the systems were vulnerable, and if they did there was no patch available from Xerox or HP, even though it had been patched by Microsoft more than a month before.   This is another vital reason to regularly examine your networks for any unneeded services.

I see a lot of similarities between PLCs and cellular phones: until very recently they've both been by most standards "dumb" devices, but now there isn't a whole lot that your desktop computer can do that your cell phone can't.  And where previously they were locked into one network and only worked with your service provider's services, they're now active on many different types of networks and connecting to all sorts of other devices.   The cellular phone companies have had to put a lot more thought into security (on both ends) than they had to in the past, and their networks are no longer just a single protocol but a vast array of different ones, often intermingled and layered on top of one another, and they're still trying to figure out patching too.

In the end it's about everyone in the chain, from the upstream providers (be it MS, vxWorks, etc.) to the vendor and on down to the end users themselves, being as knowledgeable about the features, risks, and mitigations provided by each layer as possible.  As our field devices get smarter and more interconnected, the management of those systems will by necessity become more complex.  The only thing worse than not being prepared to address a risk is not knowing about it.
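One way to act on the "examine your networks for unneeded services" advice above is to diff a scan against a per-device-class baseline, so a printer or PLC that has sprouted an HTTP or SMB listener stands out. This is an added example, not Digital Bond's code; the scan lines are constructed in the style of nmap's grepable (-oG) output, and the addresses, device classes and baseline ports are assumptions.

```python
"""Flag services on field devices that fall outside a per-device-class baseline.

Added example. The scan lines are constructed in the style of nmap -oG output;
the hosts, device classes and baseline ports are assumptions for illustration.
"""
import re

# Constructed sample: one scan line per host, nmap -oG style.
SCAN_LINES = [
    "Host: 10.20.1.11 (plc-line1)\tPorts: 102/open/tcp//iso-tsap///, 502/open/tcp//modbus///",
    "Host: 10.20.1.12 (plc-line2)\tPorts: 102/open/tcp//iso-tsap///, 502/open/tcp//modbus///, "
    "80/open/tcp//http///, 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///",
    "Host: 10.20.1.50 (printer-floor)\tPorts: 9100/open/tcp//jetdirect///, 80/open/tcp//http///, "
    "515/open/tcp//printer///",
    "Host: 10.20.1.60 (hmi-ws)\tPorts: 3389/open/tcp//ms-wbt-server///, 445/open/tcp//microsoft-ds///",
]

# Assumed inventory: which device class each address belongs to.
INVENTORY = {
    "10.20.1.11": "plc",
    "10.20.1.12": "plc",
    "10.20.1.50": "printer",
    "10.20.1.60": "hmi",
}

# Assumed baseline: the TCP ports each device class is expected to expose.
# Anything else is "unneeded" until someone justifies it.
BASELINE = {
    "plc": {102, 502},
    "printer": {9100, 515},
    "hmi": {3389},
}

_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\tPorts:\s+(.*)$")


def parse_grepable(lines):
    """Return {address: {open tcp port: service name}} from nmap -oG style lines."""
    hosts = {}
    for line in lines:
        m = _HOST_RE.match(line)
        if not m:
            continue  # comment lines, "Ignored State" lines, etc.
        addr, _name, ports_field = m.groups()
        open_ports = {}
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            # port/state/proto/owner/service/rpc/version/
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            if state == "open" and proto == "tcp":
                open_ports[int(port)] = service
        hosts[addr] = open_ports
    return hosts


def unexpected_services(hosts, inventory, baseline):
    """Return [(addr, device_class, port, service)] for open ports outside the class baseline.

    Hosts missing from the inventory are reported as class 'unknown' with every
    port listed: an unknown device on the control network is itself a finding.
    """
    findings = []
    for addr, ports in sorted(hosts.items()):
        cls = inventory.get(addr, "unknown")
        allowed = baseline.get(cls, set())
        for port, service in sorted(ports.items()):
            if port not in allowed:
                findings.append((addr, cls, port, service))
    return findings


if __name__ == "__main__":
    for addr, cls, port, svc in unexpected_services(parse_grepable(SCAN_LINES), INVENTORY, BASELINE):
        print(f"{addr} ({cls}): unexpected {port}/tcp {svc}")
```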

1001 [Random Thoughts from Joel's World]

Posted: 13 Oct 2008 07:58 PM CDT

Some insight.

So, here I am at 1,001 posts. What do I have to say? Absolutely nothing more than what I said at 900. Do what you do, say what you say, and people will be interested.

Between my 900th and my 1000th posts, I've picked up about 200% more readers (RSS subscribers) and average about 500% more hits a day.

Recently I've picked up a bunch more readers through subscriptions, it's basically like a heartbeat diagram that keeps going up. When my name is mentioned somewhere, or I do a post on the ISC or something, I get a huge influx of readers, then it dies off a little bit, but a few stick around to see what nonsense I have to ramble about. It hasn't been much lately as I've been pretty busy with work and what not.

I'll try and get more active in the future. I promise. I've just got a lot going on right now; I'm lucky if I can get through my email.

Speaking of which, I need to do another "processing" email post, as I've changed a lot about that.


Microsoft updates security advisory for local exploit for Windows Server [Security4all] [Belgian Security Blognetwork]

Posted: 13 Oct 2008 06:27 PM CDT

Microsoft updated Security Advisory (951306) last week. A vulnerability exists from last April that allowed local privilege escalation. The update to the advisory was made since there is now exploit code online. There is currently no patch available but a workaround is possible:

Microsoft is investigating new public reports of a vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Service Pack 2, Windows XP Professional Service Pack 3, and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008. Customers who allow user-provided code to run in an authenticated context, such as within Internet Information Services (IIS) and SQL Server, should review this advisory. Hosting providers may be at increased risk from this elevation of privilege vulnerability.

Microsoft is aware that exploit code has been published on the Internet for the vulnerability addressed by this advisory. Our investigation of this exploit code has verified that it does not affect customers who have applied the workarounds listed below on their computers. Currently, Microsoft is not aware of active attacks that use this exploit code or of customer impact at this time. However, Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

(Source: Microsoft Technet)

Check the Advisory for more information.

(Photo under creative commons from post406's photostream)

Estonia publishes Cyber Security Strategy [Security4all] [Belgian Security Blognetwork]

Posted: 13 Oct 2008 05:53 PM CDT

Everybody remembers the cyberattacks on Estonia from last year (also dubbed the first Internet War)? If you don't, watch this video from Defcon.

The Estonian Cyber Security Strategy committee, part of the Ministry of Defense, has written a Cyber Security Strategy in an attempt not to fall victim to similar attacks again. You can get the report online:

The asymmetrical threat posed by cyber attacks and the inherent vulnerabilities of cyberspace constitute a serious security risk confronting all nations. For this reason, the cyber threats need to be addressed at the global level. Given the gravity of the threat and of the interests at stake, it is imperative that the comprehensive use of information technology solutions be supported by a high level of security measures and be embedded also in a broad and sophisticated cyber security culture.

It is an essential precondition for the securing of cyberspace that every operator of a computer, computer network or information system realizes the personal responsibility of using the data and instruments of communication at his or her disposal in a purposeful and appropriate manner.

Estonia's cyber security strategy seeks primarily to reduce the inherent vulnerabilities of cyberspace in the nation as a whole. This will be accomplished through the implementation of national action plans and through active international co-operation, and so will support the enhancement of cyber security in other countries as well.
The report also talks about the need for internal cooperation and mentions the United Nations, European Union, NATO, Council of Europe, the OSCE, OECD and other professional organizations and the roles that they can play.

the document for more information.

(Photo under creative commons from ♥ China ♥ guccio Photostream)

Security Bloggers Meeting at RSA Europe 2008 (updated) [Security4all] [Belgian Security Blognetwork]

Posted: 13 Oct 2008 02:22 PM CDT

Kevin Riggins from Infosecramblings proposed a Security Bloggers/Twits meeting during the RSA Europe 2008 conference on Tuesday the 28th of October at 8 PM.

The location hasn't been set yet. If you are interested in joining us, drop a message with Kevin

UPDATE: It's final: Tuesday the 28th at 8:00 PM. The Novotel London Excel bar is the location. More info here.

(Photo under creative commons from ggee's photostream)

Bluetooth sniffing and cracking WPA-PSK [Liquid Information]

Posted: 13 Oct 2008 01:14 PM CDT

Seems that people really look to find information on how to crack WPA-PSK and how to sniff Bluetooth traffic. I thought of posting something about these, especially because there has been some new information on Bluetooth sniffing and cracking WPA, and I'd rather have people hitting here than the old posts.

The cool stuff: Bluetooth sniffing. This is accomplished by flashing a Cambridge Silicon Radio equipped Bluetooth adapter with the firmware from Frontline (which sounds suspiciously illegal). Too bad that my DBT-120 dongle hardware version is B4 and not C1, so I can't try it out just for my own educational purposes. I actually recall the dongle reverting back to the old information after the device was unplugged.

The WPA cracking stuff: Elcomsoft has increased the cracking speed to 100 times faster by using two NVidia GPUs. Does this pose a real threat to WPA-PSK and the "you're good to go with a 20-char passphrase"? I doubt it if you're just a home user. Seems also that others think somewhere along the same lines, but I am not a math guy, so I do not know the actual figures and the time it would actually take. Does anyone have actual figures on how this would compare to the earlier situation? Even if it were a risk, just add a few characters and it becomes obsolete again. I use all the available space for the WPA-PSK key, so I don't feel worried (63 chars).
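The arithmetic behind "just add a few characters", asked for in this post and asserted in item 4 of the Daily Incite above, is worth carrying through once. The following is an added example, not code from either post: the PSK derivation is the real WPA/WPA2-Personal mapping (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt), while the guess rates and passphrase lengths are labelled assumptions, since neither post gives absolute figures.

```python
"""WPA-PSK passphrase cost arithmetic: what a faster cracker is worth in characters.

Added example. Only the PSK derivation below is the real 802.11i passphrase
mapping; the guess rates and lengths in __main__ are constructed assumptions.
"""
import hashlib
import math

PBKDF2_ITERATIONS = 4096   # fixed by the 802.11i passphrase-to-PSK mapping
PSK_LEN_BYTES = 32         # 256-bit PSK


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK exactly as a station or AP does from a passphrase.

    The 4096 HMAC-SHA1 iterations are why each guess is comparatively expensive:
    an attacker must repeat this whole derivation per candidate passphrase.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), PBKDF2_ITERATIONS, PSK_LEN_BYTES)


def years_to_exhaust(length: int, charset_size: int, guesses_per_second: float) -> float:
    """Worst-case years to try every passphrase of this length from this alphabet."""
    keyspace = charset_size ** length
    return keyspace / guesses_per_second / (365.25 * 86400)


def extra_chars_for_speedup(speedup: float, charset_size: int) -> float:
    """Characters to append so a 'speedup'-times faster attacker is back where they started.

    Each extra character multiplies the keyspace by charset_size, so the answer is
    log(speedup) / log(charset_size): a 100x speedup is cancelled by about 1.4
    extra lowercase letters, or about 1 extra printable-ASCII character.
    """
    return math.log(speedup) / math.log(charset_size)


if __name__ == "__main__":
    # Constructed rates: the "before" rate is an assumption; "after" is 100x, per the post.
    base_rate = 1_000.0
    for rate_name, rate in (("CPU (assumed)", base_rate), ("2 GPUs, 100x", base_rate * 100)):
        for length in (8, 12, 20):
            yrs = years_to_exhaust(length, 26, rate)
            print(f"{rate_name:>14}: {length} lowercase chars -> {yrs:.3g} years")
    print(f"Chars to cancel a 100x speedup: {extra_chars_for_speedup(100, 26):.2f} (a-z), "
          f"{extra_chars_for_speedup(100, 95):.2f} (printable ASCII)")
    print("PSK for passphrase 'password', SSID 'IEEE':", wpa_psk("password", "IEEE").hex())
```

The `password`/`IEEE` pair is the published 802.11i test vector, so the derivation can be checked against the standard; the per-second rates are the only thing a real estimate needs to replace.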

Chinese hacker books and the Falun Gong [The Dark Visitor]

Posted: 13 Oct 2008 12:41 PM CDT

Book title: Chinese hackers

No doubt, many of you are wondering what to get us for the holidays. Well, worry no more, China’s Xinhua Online Bookstore has you covered.

Checked out their selection on hacking and found a total of 270 books on the subject.  While many of these are just translations from the US and other sources, they did have original manuscripts such as the one above.

Got bored after the first hundred or so titles and a thought hit me, what would happen if I searched for books on the Falun Gong (法轮功)?

Looking for “Taiwanese Independence” and “Free Tibet” simply returned zero hits.

( also kicked me off for Falun Gong search)

NOTE: The thing about holiday gifts was a joke, a JOKE.  Sometimes my online humor doesn’t translate very well and I get e-mails asking if I was serious.


Uninformed Journal Release Announcement: Volume 10 [CGISecurity - Website and Application Security News]

Posted: 13 Oct 2008 11:49 AM CDT

Uninformed is pleased to announce the release of its 10th volume, which is composed of 4 articles: Engineering in Reverse - Can you find me now? Unlocking the Verizon Wireless xv6800 (HTC Titan) GPS Author: Skywing - Using dual-mappings to evade automated unpackers Author: skape Exploitation Technology - Analyzing local privilege escalations...

VMWorld 2008: Forecast For VMware? Cloudy...Weep For Security? [Rational Survivability]

Posted: 13 Oct 2008 09:50 AM CDT

This post was written prior to the opening of the Partner Day/Technology Exchange, based solely upon information that is publicly available.  No NDA's were harmed during the making of this blog...

So now that I can talk about it outside of the embargo, VMware is announcing extensions to its product roadmap and product marketing to deliver what it calls its "virtual datacenter OS:"

VMware's comprehensive roadmap of groundbreaking new products expand its flagship VMware Infrastructure suite into a virtual datacenter OS. The virtual datacenter OS addresses customers' needs for flexibility, speed, resiliency and efficiency by transforming the datacenter into an "internal cloud" – an elastic, shared, self- managing and self-healing utility that can federate with external clouds of computing capacity freeing IT from the constraints of static hardware-mapped applications. The virtual datacenter OS guarantees appropriate levels of availability, security and scalability to all applications independent of hardware and location. 

The components that make up the VMware's virtual datacenter OS are:

  • Application vServices guarantee the appropriate levels of availability, security and scalability to all applications independent of hardware and location.
  • Infrastructure vServices subtract, aggregate and allocate on-premise servers, storage and network for maximum infrastructure efficiency.
  • Cloud vServices federate the on-premise infrastructure with third party cloud infrastructure.
  • Management vServices allow you to proactively manage the virtual datacenter OS and the applications running on it.

Each of these components has service/product definitions below it.

While it's exciting to see VMware's strategy around its version of the datacenter OS, it's going to be a bumpy ride as we continue to see how Microsoft, Cisco and VMware all interact and how these roadmaps align -- or don't. 

Remember, despite how they play nice, each has their own bottom line to watch and it's every man for himself.

It's quite clear we're going to have some very interesting security challenges bubbling up to the surface; we barely have our arms around what we might call virtualization v1.0 -- we've a lack of maturity in solutions, operations, visibility and security and we're pulling the trigger on what's sure to be a very contentious security model...or lack thereof. 

In the vApplication services, there is a direct call-out titled "Security" in which VMware's ESX 3i's size is touted as its current security feature (rolleyes) and in 2009 we see the following:

  • VMware VMsafe provides x-ray visibility into virtual machine resources from the vantage point of the hypervisor, making it possible to monitor every aspect of the execution of the system and stop previously undetectable viruses, rootkits and malware before they can infect a system

  • Checkpoint, IBM, McAfee, Radware, TrendMicro and are announcing their plans to deliver VMSafe –integrated products in 2009 that provide superior protection to virtual machines than possible with physical machines or other virtualization solutions

There's nothing new here, except the dependence upon VMsafe, ISV's and virtual appliances...I think you know how I feel about that.

In line with my posts regarding the Cisco vSwitch for ESX (what I'm calling the cSwitch,) the "Infrastructure vServices" component hints at the development of three major investment points: vCompute, vNetwork and vStorage.  

In vNetwork, you'll notice the 2009 arrival of the following three elements which are very interesting, indeed:

  • Distributed Switch simplifies the setup and change of virtual machine networking
  • Network VMotion enables network statistics and history to travel with a virtual machine as it moves from host to host for better monitoring and security
  • Third party virtual switches plug into virtual networks and deliver value added network monitoring, security and QoS

I'll be interested to see what distributed networking actually means -- there's a session today on that, but coupled with the cSwitch, I wonder if it means more than just plugging into virtualcenter/VFrame for management.

Let's not forget how some of the elements in vCompute will affect networking and security, such as VMDirect, which provides "intelligent" VMM bypass and allows direct access from the VMs...all in the name of performance.  I wrote about that here a couple of days ago.

It looks as though we might see some policy extensions to afford affinity such that policies travel with the VM!?

The notion of vCloud is being described as the notion of portability, mobility and supportability of applications that can be developed and deployed inside an enterprise's "internal cloud" and then handed off to an "external cloud" provider's service offerings.  It's really the "infrastructureless infrastructure" play.

One thing that immediately comes to mind when I hear the word "federation" -- as I assume it might to any security professional's ears -- is the issues surrounding exposure of AAA (authentication, authorization and accounting) between internal and external credential stores and how this intersects with SOA environments.

As more details come to light, I'll be adding my thoughts about where (if at all) security really plays into this evolving strategy.

Gotta shower and get to the con.
