Posted: 19 Oct 2008 02:42 AM CDT
Luckily there are creative people who will take even one of the most annoying things - SPAM - and turn it into something positive, that is, artwork. Artist Linzie Hunter has created a series of “one-liners” where she took spam subject lines and experimented with hand-lettering, turning them into works of art. Below is the cover [...]
Posted: 18 Oct 2008 01:14 PM CDT
My friend Victor is back to the blogosphere. He built a blog platform just for his new blog, Visigodos.org.
He blogs about a series of things, but mostly on software development and security. His last post (VP, you need to develop something to link directly to a specific post!) about vulnerabilities related to debugging code is pretty interesting.
Welcome back, VP!
Posted: 18 Oct 2008 12:01 PM CDT
Airport security in America is a sham—"security theater" designed to make travelers feel better and catch stupid terrorists. Smart ones can get through security with fake boarding passes and all manner of prohibited items—as our correspondent did with ease. –The Things He Carried - The Atlantic (November 2008) - a MUST READ
Posted: 18 Oct 2008 10:11 AM CDT
The EFF issued a challenge on Thursday to the blanket retroactive immunity that has been granted to telecom providers in the wake of the warrantless wiretapping.
I wonder how this will play out in the waning moments of the current administration?
For the full piece read on.
Posted: 17 Oct 2008 04:04 PM CDT
I had a bit of a discussion with someone this morning on the nuances of partial disclosure and their effectiveness/risk within the greater security stage. The discussion was sparked by a recent post by Dan Kaminsky at www.doxpara.com. In this post Dan is essentially saying that partial disclosure in general is a bad idea; however it is occasionally required if the scope of the issue is so large and potentially dangerous that disclosure at any point would put a significant portion of the computing populace at risk. What Dan is afraid of (and I believe rightfully so) is that the research community and their affiliated companies and marketing machines realize the fact that partial disclosure generates revenue. When distilled down, partial disclosure can be used as a way of putting FUD out there in an effort to generate buying impulses. Not everyone will directly attempt to utilize partial disclosure as a money making machine; however, I believe the majority of business minds will. They'll either do it with the approval of their researcher or occasionally without. Sometimes the researchers themselves will recognize the positive brand impact and money that can come from partial disclosure and exercise this model directly. So what do we do about this? We create a group to help police the partial disclosure process. We create a way for the populace to know if the released partial details are real or FUD.
The second part of our discussion centered around who should be responsible for vetting security related partial disclosure. Dan suggested that a group of security researchers be responsible for the determination of whether a particular vulnerability should be partially disclosed. This is where I disagree with Dan a bit. There are no parties that can truly act impartially within the security research community when it comes to vetting disclosure. We all have a stake, either directly or indirectly, in the release and disclosure of such information. I suggest that a higher level group that contains people outside of the general security research community be put in charge of vetting the legitimacy of a particular partial disclosure. They could bring in subject matter security experts as required, but the group itself must be sufficiently removed from the process to be properly impartial while bringing in the technical expertise only on a consultative basis. The technical details are factual; the risk impact is always subjective.
Maybe I'm being too pessimistic in thinking that the abuse of partial disclosure is imminent. Maybe I'm being too altruistic in thinking that a group of people even at a higher level could ever be impartial enough to properly vet partial disclosure requests. But I do know one thing: this topic is very touchy and will certainly require a large scale effort and significant hand holding if it is ever going to come to fruition.
As always, comments are welcome...
Posted: 17 Oct 2008 02:05 PM CDT
Rich is off to see Jimmy Buffet in southern California and get some R&R, so I have blog duties this week. It’s briefing season in the analyst community. I probably shouldn’t be surprised, given my previous employers typically launched PR tours this time of year, but even Rich has been a little surprised at the volume of discussions. We have been in full swing with a packed calendar the last couple of weeks, and it shows no sign of letting up through November. If I am a little slow returning your email in the morning, that is why. And I’ve got to admit it is more interesting being on the receiving end of the equation than delivering the same information 100 times. The breadth of technologies and companies is very exciting, for me at least, and as a result I am digging deep into a number of technologies I have not had a chance to play with while working for a vendor. I have been seeing a lot of solid advancements from several companies, so that makes the calls interesting as well.
On a personal note I was watching Iron Man last night on DVD. Great movie. But how many of you saw the movie trailer with Samuel L. Jackson at the end? No? Surprised the heck out of me that after the credits finished, there was a little teaser where no one … practically no one … would see it. Pretty cool! Oh, and Rich may have seen two coyotes in the park near his house, but I have discovered a family of tarantulas living on my back porch. We were having drinks on the patio when this 7″ fuzzy spider cruised by us a few nights ago. Last night a couple smaller ones were climbing the wall about 10 feet off the ground as if gravity simply did not apply to them. They are fascinating to watch.
Webcasts, Podcasts, and Conferences:
Favorite Securosis Posts:
Favorite Outside Posts:
Blog Comment of the Week:
Jim Hietala’s comment on my “Will Database Security Vendors Disappear” post:
I don’t know the database security market all that well, but it strikes me that all of the points you made can be applied to every individual security segment, including NAC, endpoint security, DLP, e-mail security, and on and on. Certainly the trust one applies to all, breadth of function in most cases applies, and too many choices I think does as well. Doesn't bode well for the health of the security start-up market in the next couple of years…
No Securosis company meeting this week, so I am off for a little recon work. More on this later.
Posted: 17 Oct 2008 11:58 AM CDT
Pardon me while I adjust the focus on my binoculars… yes, it is indeed Friday. There’s a weekend just over the next hill.
And now, the news…
And something for the audiophiles…
Feeling a little punch drunk, healthier than yesterday, looking forward to a relaxing weekend. You have one, too!
Posted: 17 Oct 2008 10:49 AM CDT
Blogging is out, "Tweeting" is in. Twitter is the new black, it's the latest and greatest, it's.. well, weird. I've posted on my thoughts regarding microblogging in the past (here). "At first I was afraid, I was petrified", but then I realized just how useful this type of medium can be. I've since found myself adopting this technology as a way to keep up with the latest and greatest information security minutiae directly from the people that are creating it. With groups of people such as the Security Twits along with the researchers I know personally, it's a very useful 1:Many discussion medium. The downside of the microblogging thing is that it's been taking away from my time/energy to create real blog entries for my reader(1). I promise this will change soon.
In the meantime, follow me on twitter (txs_) if you wish to join in the interesting conversation. I'm always keen to hear what my reader(1) has to say.
Posted: 17 Oct 2008 06:31 AM CDT
October's Security Patch Release from Microsoft has seen 11 patches provided. Four of the patches were identified as Critical, six as Important, and one as Moderate. An advisory release was also provided, but not listed with a MS08- number, which provided killbit settings for a number of third party ActiveX controls and set the killbit for Microsoft controls mentioned in MS02-044, MS08-017, MS08-041, MS08-052. Several of the patched vulnerabilities were under active attack prior to patch release and sample exploit code has since been released for several other vulnerabilities. It is imperative that these patches are applied at the earliest opportunity.
It should also be noted that this month marks the start of the Microsoft Active Protections Program (MAPP), and Microsoft have already provided Severity Guidance for this month's patches.
It should also be noted that Apple released a Security Update last week, which is now available from the Software Update Apple Menu item for OS X 10.4.x and 10.5.x users. Details for Apple's updates can be found here.
Posted: 17 Oct 2008 01:28 AM CDT
In a week when Microsoft released eleven patches, and an advisory, and Apple released a Security Update (actually released last week), some people might have been forgiven for missing Oracle's quarterly patch release, which coincided with Microsoft's releases this month.
41 vulnerabilities were patched in the release for a broad range of Oracle products, including Siebel, BEA, PeopleSoft and JD Edwards applications.
The next quarterly mass update from Oracle is due on January 13, 2009, which matches with Microsoft's scheduled patch release for January 2009.
Posted: 17 Oct 2008 01:05 AM CDT
I (Chris) recently completed a training session in Australia and while meeting with the Visa representatives in the Asia Pacific region I was surprised to learn about some of the initiatives in the region. Visa has sponsored a program that resulted in the entire country of Malaysia employing end-to-end encryption for payment card transactions. This is a tremendous step forward in data security and demonstrates that end-to-end encryption is viable. Thailand and Australia are also moving quickly toward end-to-end encryption in addition to chip and PIN with the support of card brands in the region. As anyone that has read any of Aegenis’ writings knows, we are big proponents of end-to-end encryption and other technologies that reduce the risk to payment card data, as well as minimize the need for PCI DSS. Recently we published a whitepaper on the topic of Cardholder Data and whether encrypted data is, or is not, Cardholder Data. It is my position that the categorization of data is predicated not upon the use of encryption but rather upon the key management processes. You can read the paper here.
To truly be able to reduce the risk to cardholder data, it is going to require more than compliance with any standard. Companies are going to have to begin looking at methods to remove the value of data or protect the data during the entire transaction cycle.
Posted: 16 Oct 2008 11:20 PM CDT
I’m off to Chicago for the weekend to meet up with some college buddies. I’m scared of the brutality I’m about to endure. With that I need to get my weekly Husker pick in a bit early. Saturday’s game will be played at my alma mater in the friendly confines of Jack Trice Stadium in Ames, IA. The ‘Skers are an 8 point favorite and I don’t think they cover.
Nebraska 34 Iowa State 27
Looking back, I am 3-3 on my predictions… for what it's worth.
Posted: 16 Oct 2008 04:26 PM CDT
Some enterprising young students from the University of Skovde in Sweden came up with what we think is a great informational poster for Snort. So good in fact that we got a copy and have posted it on snort.org for all to see.
Many thanks to Simon Wallin and Gustav Calson for taking the time to read the documents on snort.org and asking good and pertinent questions about Snort and Snort architecture, which resulted in a definite A+ project and for allowing us to post it for the world to see. If this doesn't give you a good idea of how snort works and what it is, nothing will.
Here's a link to the poster: http://www.snort.org/vrt/docs/white_papers/snortposter.pdf
Posted: 16 Oct 2008 02:51 PM CDT
Yesterday was the SANS Webcast on "Combining Network, Web App and Wireless into the Ultimate Penetration Test." I had registered to catch it live, but my lunch break disappeared under a pile of deadlines. Today I was able to catch the archive of the presentation.
The focus of the webcast was as the title describes: using combined methods and attack vectors during a penetration test. Sometimes, depending on the client requirements, a pen test will be requested but with a very limited scope. For example, they might only want their wireless network tested or a public facing web application. Usually due to either lack of interest or cost, some companies will not get the full monty. I think this is bad because the results provided from the pen test are only part of the picture. I think that if a business is going to have a pen test conducted it should cover all the potential attack vectors. Otherwise a business might have a false sense of security.
The example used in the webcast was using an open wireless connection that a business might use for guest Internet access to gain access to the business's network. It starts with using various wireless attack methods to discover and attack clients on the network. By intercepting employee Internet traffic over the wireless network they inject an exploit and use BeEF to escalate access and bind a reverse shell to the client to gain access to the business's internal network. Once they have access into the business's network they start to scan the network, compromise services and exploit clients on the network.
This was only part 1 of a 3 part series. Part 2 is said to be released in the middle of next month. My first impression is that it's a good series and I am looking forward to the others. We have so many specialists in security; I see it all the time in my classes. I have students that just do "Windows" or just do "Linux" or just do "Networking." That is great, and they discuss that in the webcast: we need people that know each of these technologies cold, but as they say in the webcast, do you want to pigeonhole yourself?
I have always tried to keep a balance when it comes to my skills. Now, due to my 13+ years of experience, I am viewed mostly as a System and Network "type" of IT Professional. But I have also over the years learned and worked with programming from Assembly to Java, and even done Web App development from Perl/CGI to PHP, and even wireless networking.
What it all comes down to is that nobody can know it all, but personally I think we should all know what is possible and understand our skills and limits. Collaboration is another key component that is important. I think that is why there is such a huge network of Ethical Hackers and Penetration Testers out there all willing to share what they know and exchange knowledge so freely.
If you're interested in Pen Testing and have the time, I would suggest checking out Part 1 of the series. When you're done, please post a comment and let me know what you thought about it.
Posted: 16 Oct 2008 09:00 AM CDT
The Times of London is out today with a provocatively titled piece: “Internet phone calls are crippling fight against terrorism” and leads with this:
And goes on to mention issues security officials have with the new world of online communication:
It is indeed a challenging problem. How do government security services exercise their legitimate need to have access to some communications-related data in the pursuit of a crime when the communications providers are no longer easy to identify?
In the old days of just the PSTN, the communications carriers were easy to identify and easy to work with… in the sense that jurisdiction was usually rather clear since the provider was based in the country where the communication was taking place. Government security services could work with those companies to be able to do lawful intercept and other such actions.
VoIP changes all of that. From a technical perspective, geography goes out the window. You can use a software product created by a company from anywhere in the world to communicate with someone else. It can be encrypted. It can use different protocols. It can be unencrypted yet go over an encrypted VPN.
THERE IS NO CENTRAL CONTROL!
And without central control, there is no central way for a government agency to be able to easily obtain that communications data.
So what do you do? Do you create (and somehow futilely attempt to enforce?) draconian and Orwellian legislation that gives government agencies extremely broad powers to access Internet-carried information? (As it sounds like is happening in the UK?) Do you try to have industry entities voluntarily assist security agencies? Do you give up and admit that it’s next to impossible to really get all this kind of information?
There’s a balance to be struck somewhere in there - and finding that balance is going to be one of the toughest policy issues we all will confront over the next few years.
I can see both sides… as a strong privacy advocate, I do not want the government to have broad powers to intercept and view Internet traffic - the potential for abuse and misuse is far too high in my opinion. Yet at the same time, as a father and husband I can assure you that if something were ever to happen to any of my family, I would want law enforcement to have access to every tool imaginable to track down the perpetrators and bring them to justice.
Where’s the line? What’s the right approach?
No easy answers…
Posted: 16 Oct 2008 08:26 AM CDT
Sun is up, coffee is hot and the news has been delivered - good morning.
And now, the news…
And something a little lighter… Have a great Thursday.
Posted: 16 Oct 2008 12:10 AM CDT
The Oracle Critical Patch Update for October 2008 was released today. On the database side there are a lot of the usual suspects; DMSYS.ODM_MODEL_UTIL seems to be patched in every CPU during the last few years. All in all the database modifications appear minor so patch the databases according to your normal deployment schedules.
It does seem that every time that I view this list there is an entirely new section. It is not just the database and Oracle Apps, but BEA, Siebel, JD Edwards, and the eBusiness suite. As a security researcher, one of the tough chores is to figure out if these vulnerabilities inter-relate, and if so, how any of these in conjunction with the others could provide a greater threat than the individual risks. I do not see anything like that this time, but then again, there is the BEA plug-in for Apache that’s flagged as a high risk item by itself. Without details, we cannot know if the BEA bug is sufficient to compromise a web server and reach vulnerable databases behind it.
The BEA plug-in was awarded Oracle’s highest risk score (10 out of 10), so if you’re using that Apache plug-in, PATCH NOW! I am guessing it is similar in nature to the previously discovered buffer overflow described in CERT VU #716387 (CVE-2008-3257). However, there is no mention of a workaround in this CERT advisory as with this previous attack, and in general Oracle is not very chatty about the specifics on this one. And I love the Teflon-coated catch-all phrase in the vulnerability ‘description’: “…which may impact the availability, confidentiality or integrity of WebLogic Server applications…”. Helpful!
Friends I have contacted do not know much about this one. If you have more specific details on the threat, shoot me an email as I would love to know more.
Posted: 15 Oct 2008 11:07 PM CDT
…and I’m just living in it. You’d have to be the intellectual equivalent of a plant to not know that the third and final presidential debate was tonight. What was on the television in my house? Go, Diego, Go! I was stuck watching the debate online on my laptop. Ridiculous!
Diego = 46″ big screen
Future President = 4″ image on a laptop
Posted: 15 Oct 2008 10:59 PM CDT
Thought I’d give a little update on my experience with the Client Endpoint Integrity client. Of those of us testing the client, I’m the only one testing it on a laptop, so I’m able to experience the client in a different manner than a desktop computer would. As for the experience when connected to the corporate network, the client is barely noticeable. Every 60 minutes the client does a scan and tells me I failed the scan. Stupid client. How dare it tell me I fail?! We are testing this with scan notification activated. So once an hour a balloon pops up in the system tray notifying me that the scan has started. A few seconds later the scan is complete and another balloon pops up with a success or failure. That’s it. In the management interface I can see exactly what endpoint and user is in compliance or not. The status of these endpoints is reported on the dashboard, so it's part of the first screen you see after logging into the management server.
I mentioned the laptop earlier because I wanted to touch on the behavior of the CEI client when away from the corporate network. When my laptop is away from the corporate network the client simply does not launch. The ActiveX component is still installed and enabled but the client does not launch.
Any downsides or things I don’t like about the client? Maybe one thing. When the CEI scans are enabled the client is activated by launching a web browser. My only knock against the client is the behavior of the web browser after the client launches. The browser is “hijacked” and displays a page with a message thanking me for logging in and installing the CEI client. After the client is launched the browser closes. Sometimes I catch myself thinking “what the hell just happened to IE? I know I just opened it.” I’m fairly certain I know why this behavior exists. In previous versions the browser didn’t close and there would be the occasional event where web access would not be allowed because the authentication had not completed. By closing the browser, this buys a little time to ensure that authentication has completed before being able to access the internet.
Posted: 15 Oct 2008 07:28 PM CDT
Yesterday, Adrian posted his take on a conversation we had last week. We were headed over to happy hour, talking about the usual dribble that analyst types get all hot and bothered about, when he dropped the bombshell: one of our favorite groups of products could be in serious trouble.
For the record, we hadn’t started happy hour yet.
Although everyone on the vendor side is challenged by such a screwed up economy, I believe the forces affecting the database security market place it in particular jeopardy. This bothers me, because I consider these to be some of the highest value tools in our information-centric security arsenal.
Since I’m about to head off to San Diego for a Jimmy Buffett concert, I’ll try to keep this concise.
There are a few ways to navigate through this, and the companies that haven’t aggressively adjusted their strategies in the past few weeks are headed for trouble.
I’m not kidding, I really hated writing this post. This isn’t an “X is Dead”, stir the pot kind of thing, but a concern that one of the most important linchpins of information-centric security is at risk. To use Adrian’s words:
Posted: 15 Oct 2008 01:46 PM CDT
It's funny, I keep getting invited to dinners, phone calls, webinars, etc... by people who have done surveys, created documents, got an expert in, etc... and I keep on politely turning things down. Not because I don't want to speak to people, far from it, I'd love to talk all day, but because I have more pressing engagements, and my life, to get on with.
I received a missive from Compuware earlier in the week, who have actually done a really good job of surveying IT professionals and printing out some relevant statistics. It makes a refreshing change from previous surveys I've had to rip apart here. Having said that, I'm not really 100% sure what they are trying to achieve with it, and fully expect them to explain by return of mail tomorrow...
HP have also come knocking, with an invitation for dinner up in London in a couple of weeks. On a Monday night. I don't know about you guys, but I have busy weekends, stay up late, watch "Poker After Dark" (Hellmuth is a dick isn't he?), occasionally even play poker and even less frequently win, but I'm always up past my bedtime. Monday morning, I get up at 6am, drive to the gym, churn out a couple of k's, and by the time I go home I'm ready for anything except getting on a train to London. I'm normally asleep on the sofa by 6:30pm.
I know exactly why they approached me though, and I AM interested in what they have to say, just not in London on a Monday night. Southampton on a Wednesday lunchtime, when they're paying, different matter entirely. And I think that's really my point here.
Neither of these companies is wrong, bad, or even out of line. They have both done good things, reached out to me in a polite and positive way. However, I can't help thinking that something isn't working. How much research gets done in the name of security, only to find that 70% of attacks/breaches/losses are accidental/internal/external/laptops? How much of it do you read?
How many solicitations do you receive on a daily basis for your opinion/answers/blog space/ or just to plain sell to you? How do you like it?
I like the personal approach, and don't even mind when it comes through a third party, although I'd prefer it was direct from the companies themselves - shows more respect somehow. Just a perception maybe?
I like the offer of something for my time/blog space/amazing company - it doesn't have to be much, but I kind of value my time, and it doesn't normally come that cheap.
I hate being sold to. I've worked for vendors all my working life in one way or another, and know what every sales cue sounds like a mile away. I will most likely lead you down a very inviting path and slam the door in your face rather than buy anything, sorry, but I just don't own the budget, I'm a contractor. By the way, you can hire me... :)
You are subscribed to email updates from Security Bloggers Network.