Posted: 21 Oct 2008 04:54 AM CDT
Roberto Saviano is under death threats for denouncing the criminal deeds of the Camorra in his book Gomorra, translated and read all over the world. His freedom is under threat as well as his autonomy as a writer, his chances to meet his family, to enjoy a social life, to have part in the public life, to travel in his own country. A young writer, guilty to have investigated the organized crime revealing its methods and its structure is forced to live an hidden, underground life, while the Camorra bosses send him death threats from their jails ordering him to stop writing for La Repubblica, his newspaper, and to keep silent. The State must do every effort to protect Saviano and to defeat the Camorra. But this is not a mere police case. It's a problem of democracy. Saviano's safe freedom concerns everyone of us as citizens. Signing this appeal we intend to take charge of it, as a personal commitment, urging the State at the same time to take on its responsibility, because it's intolerable that something like this could happen in Europe in 2008. –Repubblica - Appelli - dear reader of my soup, please consider signing this appeal for Roberto. Thank you very much.
Posted: 21 Oct 2008 03:44 AM CDT
Posted: 21 Oct 2008 12:03 AM CDT
Posted: 20 Oct 2008 07:22 PM CDT
It was three years ago Friday, on October 24, 2005, that I uploaded Blue Box Podcast #1, an 11-minute show where I introduced the show, talked about VoIP security news (To no surprise, I was talking about Skype security!), some projects of VOIPSA and some other podcasts people might find interesting. A week later, on Halloween 2005, Jonathan joined me in Blue Box Podcast #2 and we were off and running...
Three years later... 84 main Blue Box episodes (with one more recorded) .... 26 Special Editions (with about 10 in the queue)... almost 250,000 downloads... we're still here and, with an admitted bit of a rough patch this summer, are still going along creating shows and enjoying what we do.
Jonathan and I are planning to record a 3-year show on this coming Friday, October 24th, and if you have any comments you would like us to include in that show, please do get them to us by the end of the day on Thursday, October 23rd. You can send them to us via:
The show started out 3 years ago as really an experiment in seeing whether or not podcasting could be used to reach out to very specific audiences... and it's been both fun, amazing and interesting to see how well it's done.
Thank you to all of you who have continued to listen and contribute over the years!
Posted: 20 Oct 2008 05:54 PM CDT
According to the report, the Chinese hackers used and SQL injection attack that compromised the information of as many as 2,400 users:
Posted: 20 Oct 2008 02:15 PM CDT
I chose my new design for the site and I’m very happy with it. It took a bit of poking, prodding and modifications but it now looks fine in IE, Firefox and Safari/Chrome and I owe all the thanks to you, the readers. I’m constantly amazed at how quickly the internet moves — and they’re quality movements. Within only a few minutes of posting to my blog and sending out a tweet on Twitter, I got response, after response, after response. I didn’t need to put together a grand ‘ol survey and get a legal department involved in what I can and can’t ask you. I simply put my thoughts down to virtual pen and paper and voila, a masterpiece (or at least a new blog design) was chosen in mere minutes.
Today we’ve got some of the fastest communication methods available to us. One-to-one conversations via cell phone or IM are great for individual conversations, and one-to-many conversations can be held on messages boards and FriendFeed to share with the world. I think it’s great that we can communicate at the speed of light but there is a loss of privacy that comes with the advantage of speed. That’s why there are companies today that are providing new methods of communicating that also cover privacy and security.
Sites like OtherInbox let you stay anonymous (and cut down on spam) behind the mask you call an email address and tools like PGP allow for encrypted communications between parties that need to keep their secrets, secret. One of the largest challenges that all of these services will have to overcome is speed. It takes a bit of setup to get PGP running properly and for OtherInbox, you need to go through all of your accounts and change your email address to an OtherInbox address. These are barriers to entry that these organizations and others are successfully breaking through. OtherInbox is working on a way to change your email addresses automatically and companies like Passpack are taking public-private keys and making the process of sending secure messages simple.
All of these organizations have a lot of work ahead of them but they’re all well on their way to making security just as important as speed.
Posted: 20 Oct 2008 01:54 PM CDT
This posting includes an audio/video/photo media file: Download Now
Posted: 20 Oct 2008 12:54 PM CDT
In an effort to broaden the audience and topic base for the VRT blog, this week we are going to take a very high level view of what a network penetration test looks like from the tester's perspective. Some of the techniques and ideas behind a high-level network penetration test will be described. This entry is not intended to be create a world of savvy pentesters out there, as nothing can replace knowledge and experience gained from previous tests, but it should at least get people started down the road toward successful penetration testing. Also, knowing what a network pentester does during their assessment will also help the pentester's customers have a better understanding of the process.
This overview is written with an interest in ease of use with no regard for stealth.
A network penetration test, in its most simple form, can be described as multiple iterations of three steps -- reconnaissance, exploitation, and penetration. Each step leads to the next as well as back to the previous, providing more data for subsequent tests and attacks. Penetration adds new targets as more and more resources become available from new attack positions.
The first step of any penetration test is to become familiar with your target. For this discussion, we will assume the IP addresses for the target are known. The two most obvious steps for getting a high level view of your target are to find what ports are listening by using nmap and to get a basic understanding of your target's security posture by using a vulnerability scanner such as Nessus. Nmap will provide a list of all ports that are open (and are therefore potential attack vectors) and Nessus will attempt to provide a list of vulnerabilities found on the target hosts. Nessus's results cannot be taken at face value due to the nature of its testing, but it does provide a fairly broad view of what services are available, what service banners were provided, and guesses as to what vulnerabilities are present.
Using the reports from nmap and Nessus, we can begin to focus our attacks on hosts and services that further our goals of getting into the network. Most tests from Nessus do not actually perform an exploit. To attempt to exploit a vulnerability, an exploitation framework such as Metasploit, sample exploits from securityfocus.com or elsewhere on the 'Net, or a custom exploit needs to be used.
There are many types of exploits in the wild - denial of service, information leakage, arbitrary code execution, and escalation of privilege are but a few. Denial of service attacks are generally not very useful in penetration tests. If you DoS a machine, you cannot use that device to further your own attacks. This is, of course, unless that machine is preventing you from gaining deeper penetration into the network or provides logging functionality and stealth is desired. This is an advanced topic that won't be covered by this post. For now, we'll shuffle DoS attacks to the "store for the report" file and concentrate on vulnerabilities for which a working exploit that provides machine access is available.
Information leakage, which often does not get the credit its due when compared to the sexy arbitrary code execution, is an integral part of any pentest. Gaining additional information from a service, then feeding that new data through the complete penetration test cycle, is probably the single largest contributor to a successful pentest unless the network is widely vulnerable to a single code execution. For example, imagine a Web exploit that required knowledge of the valid Web root to work. Suddenly, a 404 Not Found that leaked the system path to the page is extremely useful.
Finally, the ultimate class of exploit, arbitrary code execution. With the ability to execute arbitrary code, anything is possible. This ability leads us to the next section, Penetration.
The goal of a network penetration test is to gain deep access into the network. This is different than a network vulnerability assessment, where the breadth of vulnerabilities is sought. By exploiting vulnerabilites in a penetration test, we attempt to access more and more systems as we get behind obstacles. The most obvious way to achieve this goal is to install our tools and agents on devices as we compromise them and then use those new hosts as launch points for further attacks. Once we have system level access on a device, we can connect to any other device available to that machine. Another means of achieving deeper access is by abusing a trust relationship where a deeper machine can be made to act inappropriately due to data put on a device we can reach directly. The cycle then repeats with reconnaissance, exploitation, and penetration using this new host as our starting point.
This discussion was of a high-level view of network penetration testing. Several components of a more advanced test were not covered, such as identifying target hosts, the large amount of research required for a successful penetration test, or how to actually do the exploitation. The key takeaway from this post should be that penetration tests are a very iterative process -- gather information, act upon that information, feed new information into the cycle, and repeat until the goal has been achieved.
Posted: 20 Oct 2008 12:03 PM CDT
This is an interesting paper that came out in September from Oracle about SQL injection. The problem is one of the OWASP Top Ten vulnerabilities as part of the family of attacks known as injection attacks.
Cross-site scripting (XSS) is also a type of an injection attack but has its own category in the OWASP hit parade.
Bruce Schneier also mentioned the Oracle paper last week in his blog.
Posted: 20 Oct 2008 09:58 AM CDT
Posted: 20 Oct 2008 09:14 AM CDT
A non-native English speaker I was in correspondence with thanked me for helping expand his vocabulary. It occurs to me that understanding English grammar and the use of prefixes and suffixes cn also help expnad your vocabulary. Here are some words not often found IN dictionaries. (Of course this is British English spelling, American English [...]
Posted: 20 Oct 2008 08:32 AM CDT
Synopsis: Blue Box #84: New Cisco, Avaya, Nortel VoIP security vulnerabilities from VoIPShield, Skype in China, UCSniff and other new tools, news and more
Welcome to Blue Box: The VoIP Security Podcast #84, a 30-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.
You may also listen to this podcast right now:
NOTE: Long-time listeners will note that the show notes above are in a less descriptive form than usual. After almost three years of using one wiki for preparing for our shows, Jonathan and I switched to using a new system and are still working out some of the details that will speed the input into show notes.
Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to firstname.lastname@example.org. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'email@example.com' to leave a comment there.
Thank you for listening and please do let us know what you think of the show.
This posting includes an audio/video/photo media file: Download Now
Posted: 19 Oct 2008 06:21 PM CDT
Greetings folks! Couple of updates in this post.
October's Herding Cats is up and ready for you to read! Pretty soon here I will be setting up a URL where you can download all the published versions of this column regardless of your membership status with the ISSA. Need a little time though baby birds. Until then, members of the ISSA can download the most recent version here. As you can tell, I have been reading a lot of James Patterson recently. Sorry about that.
Also, if you are going to be at the PCI Europe Community Meeting this week, look me up! I'll be wheels down in Brussels on Tuesday in time for the networking session. I am looking forward to meeting more of you this week.
I am transiting through London first, so if you are in London and want to grab a pint, drop me a line!
Posted: 19 Oct 2008 03:50 PM CDT
Posted: 19 Oct 2008 03:49 PM CDT
Posted: 19 Oct 2008 02:42 AM CDT
Luckily there are creative people who will take even one of the most annoying things - SPAM - and turn it into something positive, that is, artwork. Artist Linzie Hunter has created a series of “one-liners” where she took spam subject lines and experimented with hand-lettering, turning them into works of art. Below is the cover [...]
Posted: 19 Oct 2008 12:00 AM CDT
Posted: 18 Oct 2008 08:43 PM CDT
Posted: 18 Oct 2008 12:38 PM CDT
Posted: 18 Oct 2008 10:58 AM CDT
In only a couple weeks, many of the greatest minds in web application security will come together again for OWASP EU Summit in Algarve, Portugal. The Summit is a gathering whose main goal is, besides promoting the exchange of ideas on web application security, defining the future of OWASP itself. In other words: Do you want to help define the future of web application security? If so, the OWASP Summit is the place to be.
This year, the Summit will happen in November, from the 3rd to the 7th, in Portugal. It will offer a great selection of training and technical sessions, regarding the most important OWASP projects and themes. It will also host a business track dealing with the usage of OWASP generated documents and tools by companies worldwide and with the opportunities for these companies to help OWASP’s development. It will be a great opportunity to meet the people that make a difference in the web security arena.
I will be attending, as a reviewer for AntiSamy.NET and also to join in the discussion on browser and framework security, a workshop hosted by the Intrinsic Security Working Group. I’ll be flying out several days earlier to do a little tourism — gotta make the most of “training” days ;) — so if anyone has been to the area before and has any recommendations, I’d love to hear them.
Some of training being offered at OWASP EU Summit:
In summary, it will be an unparalleled opportunity to learn, share, and network.
Posted: 18 Oct 2008 02:27 AM CDT
California’s Governor, Arnold Schwarzenegger, vetoed the state legislator’s second attempt to pass a Consumer Data Protection Act. While the new bill softened some provisions found in the original, such as the requirement that a breached organization reimburse financial institutions for the cost of replacing credit cards, it remained a flawed bill in many respects.
By vetoing the bill, the Governor once again concluded that adequate protection already exists. Schwarzenegger wrote, “As I stated in last year’s veto of a similar bill, this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers.”
I had a chance to talk about the proposed legislation last month. During the discussion, I expressed my hope that the Governor would again veto the bill because I saw it as an inadequate attempt to define appropriate data handling requirements with only one possible outcome…litigation.
The bill meant well, but falls short of providing any significant new value and includes minimal guidance on how to minimize the potential loss of data. Its technical focus is limited to storage and transmission suggesting that businesses:
These aren’t unreasonable requests…
Inappropriate customer data storage and transmission have been the leading culprits in several recent breaches. Unfortunately, storage and transmission breaches are only the tip of the iceberg. Businesses continue to lose sensitive data just through wireless access points, weak passwords, weak encryption, vendor default or contractor passwords, systems compromised by key loggers, trojans and more. Plain and simple: If a business handles a meaningful volume of credit card data, there is a high probability someone is looking for a way to get it.
Considering all the risks, and the reality that security can be expensive, don't we need legislation?
Perhaps… but not this legislation.
It didn't highlight many of the possible attack vectors and PCI already enforces everything the proposed legislation would offer. Given the California bill’s shortcomings, I wonder who the target audience was for the bill. Were they serious about requiring businesses to protect the data, or was their agenda focused on generating evidence to assign blame?
Clearly, the most meaningful consumer data protection comes from taking responsible and prudent steps to prevent data loss. Even under the best of circumstances, no one can guarantee that a loss will never occur and that’s where California led the way in disclosure legislation. In my opinion, this legislation was ill-conceived and I hope it won’t be back.
What do you think?
|You are subscribed to email updates from Security Bloggers Network |
To stop receiving these emails, you may unsubscribe now.
|Email Delivery powered by FeedBurner|
|Inbox too full? Subscribe to the feed version of Security Bloggers Network in a feed reader.|
|If you prefer to unsubscribe via postal mail, write to: Security Bloggers Network, c/o FeedBurner, 20 W Kinzie, 9th Floor, Chicago IL USA 60610|