Tuesday, October 21, 2008

Spliced feed for Security Bloggers Network

Spliced feed for Security Bloggers Network

"Roberto Saviano is under death threats for denouncing the criminal deeds of t..." [Security Circus]

Posted: 21 Oct 2008 04:54 AM CDT

Roberto Saviano is under death threats for denouncing the criminal deeds of the Camorra in his book Gomorra, translated and read all over the world. His freedom is under threat as well as his autonomy as a writer, his chances to meet his family, to enjoy a social life, to have part in the public life, to travel in his own country. A young writer, guilty to have investigated the organized crime revealing its methods and its structure is forced to live an hidden, underground life, while the Camorra bosses send him death threats from their jails ordering him to stop writing for La Repubblica, his newspaper, and to keep silent. The State must do every effort to protect Saviano and to defeat the Camorra. But this is not a mere police case. It's a problem of democracy. Saviano's safe freedom concerns everyone of us as citizens. Signing this appeal we intend to take charge of it, as a personal commitment, urging the State at the same time to take on its responsibility, because it's intolerable that something like this could happen in Europe in 2008. –Repubblica - Appelli - dear reader of my soup, please consider signing this appeal for Roberto. Thank you very much.

Luciana Littizzetto talks about school and university cuts ("Che tempo che fa... [Security Circus]

Posted: 21 Oct 2008 03:44 AM CDT

Luciana Littizzetto talks about school and university cuts ("Che tempo che fa - 19/10/08")

links for 2008-10-20 [Srcasm]

Posted: 21 Oct 2008 12:03 AM CDT

Blue Box's 3-year anniversary coming up on Friday... [Blue Box: The VoIP Security Podcast]

Posted: 20 Oct 2008 07:22 PM CDT

It was three years ago Friday, on October 24, 2005, that I uploaded Blue Box Podcast #1, an 11-minute show where I introduced the show, talked about VoIP security news (To no surprise, I was talking about Skype security!), some projects of VOIPSA and some other podcasts people might find interesting. A week later, on Halloween 2005, Jonathan joined me in Blue Box Podcast #2 and we were off and running...

Three years later... 84 main Blue Box episodes (with one more recorded) .... 26 Special Editions (with about 10 in the queue)... almost 250,000 downloads... we're still here and, with an admitted bit of a rough patch this summer, are still going along creating shows and enjoying what we do.

Jonathan and I are planning to record a 3-year show on this coming Friday, October 24th, and if you have any comments you would like us to include in that show, please do get them to us by the end of the day on Thursday, October 23rd. You can send them to us via:

The show started out 3 years ago as really an experiment in seeing whether or not podcasting could be used to reach out to very specific audiences... and it's been both fun, amazing and interesting to see how well it's done.

Thank you to all of you who have continued to listen and contribute over the years!

Technorati Tags: , , , , , , ,

Chinese hackers hit Japanese oil and gas company [The Dark Visitor]

Posted: 20 Oct 2008 05:54 PM CDT

According to the report, the Chinese hackers used and SQL injection attack that compromised the information of as many as 2,400 users:

The official Web site of the Japan Oil, Gas and Metals National Corporation was attacked by an overseas hacker and infected with viruses that can lift information from the personal computers of people who access the site, according to JOGMEC.

Hacking of JOGMEC’s Web site took place on several occasions from overseas, mainly from China.

Some observers have said the incident could be linked to gas exploration projects in the East China Sea. In June, shortly before the site was first hacked, Tokyo and Beijing reached their first ever agreement on joint gas-development projects–a major step in the longstanding dispute over the issue.

However, there was notable backlash expressed online from Chinese people who complained the agreement gave too many concessions to Japan. Harsh criticism of the Japanese government over the projects also was expressed on the bulletin boards and other sites mostly based in China.


Speed — It’s not always the best. [Srcasm]

Posted: 20 Oct 2008 02:15 PM CDT

I chose my new design for the site and I’m very happy with it.  It took a bit of poking, prodding and modifications but it now looks fine in IE, Firefox and Safari/Chrome and I owe all the thanks to you, the readers.  I’m constantly amazed at how quickly the internet moves — and they’re quality movements.  Within only a few minutes of posting to my blog and sending out a tweet on Twitter, I got response, after response, after response.  I didn’t need to put together a grand ‘ol survey and get a legal department involved in what I can and can’t ask you.  I simply put my thoughts down to virtual pen and paper and voila, a masterpiece (or at least a new blog design) was chosen in mere minutes.

Today we’ve got some of the fastest communication methods available to us.  One-to-one conversations via cell phone or IM are great for individual conversations, and one-to-many conversations can be held on messages boards and FriendFeed to share with the world.  I think it’s great that we can communicate at the speed of light but there is a loss of privacy that comes with the advantage of speed.  That’s why there are companies today that are providing new methods of communicating that also cover privacy and security.

Sites like OtherInbox let you stay anonymous (and cut down on spam) behind the mask you call an email address and tools like PGP allow for encrypted communications between parties that need to keep their secrets, secret.  One of the largest challenges that all of these services will have to overcome is speed.  It takes a bit of setup to get PGP running properly and for OtherInbox, you need to go through all of your accounts and change your email address to an OtherInbox address.  These are barriers to entry that these organizations and others are successfully breaking through.  OtherInbox is working on a way to change your email addresses automatically and companies like Passpack are taking public-private keys and making the process of sending secure messages simple.

All of these organizations have a lot of work ahead of them but they’re all well on their way to making security just as important as speed.

(Image) [Security Circus]

Posted: 20 Oct 2008 01:54 PM CDT


This posting includes an audio/video/photo media file: Download Now

Introduction to Network Penetration Testing [VRT]

Posted: 20 Oct 2008 12:54 PM CDT


In an effort to broaden the audience and topic base for the VRT blog, this week we are going to take a very high level view of what a network penetration test looks like from the tester's perspective. Some of the techniques and ideas behind a high-level network penetration test will be described. This entry is not intended to be create a world of savvy pentesters out there, as nothing can replace knowledge and experience gained from previous tests, but it should at least get people started down the road toward successful penetration testing. Also, knowing what a network pentester does during their assessment will also help the pentester's customers have a better understanding of the process.

This overview is written with an interest in ease of use with no regard for stealth.


A network penetration test, in its most simple form, can be described as multiple iterations of three steps -- reconnaissance, exploitation, and penetration. Each step leads to the next as well as back to the previous, providing more data for subsequent tests and attacks. Penetration adds new targets as more and more resources become available from new attack positions.


The first step of any penetration test is to become familiar with your target. For this discussion, we will assume the IP addresses for the target are known. The two most obvious steps for getting a high level view of your target are to find what ports are listening by using nmap and to get a basic understanding of your target's security posture by using a vulnerability scanner such as Nessus. Nmap will provide a list of all ports that are open (and are therefore potential attack vectors) and Nessus will attempt to provide a list of vulnerabilities found on the target hosts. Nessus's results cannot be taken at face value due to the nature of its testing, but it does provide a fairly broad view of what services are available, what service banners were provided, and guesses as to what vulnerabilities are present.

Using the reports from nmap and Nessus, we can begin to focus our attacks on hosts and services that further our goals of getting into the network. Most tests from Nessus do not actually perform an exploit. To attempt to exploit a vulnerability, an exploitation framework such as Metasploit, sample exploits from securityfocus.com or elsewhere on the 'Net, or a custom exploit needs to be used.


There are many types of exploits in the wild - denial of service, information leakage, arbitrary code execution, and escalation of privilege are but a few. Denial of service attacks are generally not very useful in penetration tests. If you DoS a machine, you cannot use that device to further your own attacks. This is, of course, unless that machine is preventing you from gaining deeper penetration into the network or provides logging functionality and stealth is desired. This is an advanced topic that won't be covered by this post. For now, we'll shuffle DoS attacks to the "store for the report" file and concentrate on vulnerabilities for which a working exploit that provides machine access is available.

Information leakage, which often does not get the credit its due when compared to the sexy arbitrary code execution, is an integral part of any pentest. Gaining additional information from a service, then feeding that new data through the complete penetration test cycle, is probably the single largest contributor to a successful pentest unless the network is widely vulnerable to a single code execution. For example, imagine a Web exploit that required knowledge of the valid Web root to work. Suddenly, a 404 Not Found that leaked the system path to the page is extremely useful.

Finally, the ultimate class of exploit, arbitrary code execution. With the ability to execute arbitrary code, anything is possible. This ability leads us to the next section, Penetration.


The goal of a network penetration test is to gain deep access into the network. This is different than a network vulnerability assessment, where the breadth of vulnerabilities is sought. By exploiting vulnerabilites in a penetration test, we attempt to access more and more systems as we get behind obstacles. The most obvious way to achieve this goal is to install our tools and agents on devices as we compromise them and then use those new hosts as launch points for further attacks. Once we have system level access on a device, we can connect to any other device available to that machine. Another means of achieving deeper access is by abusing a trust relationship where a deeper machine can be made to act inappropriately due to data put on a device we can reach directly. The cycle then repeats with reconnaissance, exploitation, and penetration using this new host as our starting point.


This discussion was of a high-level view of network penetration testing. Several components of a more advanced test were not covered, such as identifying target hosts, the large amount of research required for a successful penetration test, or how to actually do the exploitation. The key takeaway from this post should be that penetration tests are a very iterative process -- gather information, act upon that information, feed new information into the cycle, and repeat until the goal has been achieved.

Tips on Preventing SQL Injection [The IT Security Guy]

Posted: 20 Oct 2008 12:03 PM CDT

This is an interesting paper that came out in September from Oracle about SQL injection. The problem is one of the OWASP Top Ten vulnerabilities as part of the family of attacks known as injection attacks.

Cross-site scripting (XSS) is also a type of an injection attack but has its own category in the OWASP hit parade.

Bruce Schneier also mentioned the Oracle paper last week in his blog.

Atrivo / Intercage Demise Killing Storm Worm [Infosecurity.US]

Posted: 20 Oct 2008 09:58 AM CDT

According to Brian Krebs’ SecurityFix blog at The Washington Post (highly recommended reading - excellent research…), reports the Atrivo / Intercage death knell has created a rather poor environment for the propagation of the Storm Worm. We certainly hope this lasts (the dearth of spam and scams in our mailboxes)…Don’t count on it though… Atrivo Shutdown Hastened [...]

New Words [The InfoSec Blog]

Posted: 20 Oct 2008 09:14 AM CDT

A non-native English speaker I was in correspondence with thanked me for helping expand his vocabulary. It occurs to me that understanding English grammar and the use of prefixes and suffixes cn also help expnad your vocabulary.  Here are some words not often found IN dictionaries. (Of course this is British English spelling, American English [...]

Blue Box #84: New Cisco, Avaya, Nortel VoIP security vulnerabilities from VoIPShield, Skype in China, UCSniff and other new tools, news and more [Blue Box: The VoIP Security Podcast]

Posted: 20 Oct 2008 08:32 AM CDT

Synopsis:  Blue Box #84: New Cisco, Avaya, Nortel VoIP security vulnerabilities from VoIPShield, Skype in China, UCSniff and other new tools, news and more

Welcome to Blue Box: The VoIP Security Podcast #84, a 30-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

Show Content:

NOTE: Long-time listeners will note that the show notes above are in a less descriptive form than usual. After almost three years of using one wiki for preparing for our shows, Jonathan and I switched to using a new system and are still working out some of the details that will speed the input into show notes.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

This posting includes an audio/video/photo media file: Download Now

October Herding Cats and Off to Brussels! [Branden Williams' Security Convergence Blog]

Posted: 19 Oct 2008 06:21 PM CDT

Greetings folks! Couple of updates in this post.

October's Herding Cats is up and ready for you to read! Pretty soon here I will be setting up a URL where you can download all the published versions of this column regardless of your membership status with the ISSA. Need a little time though baby birds. Until then, members of the ISSA can download the most recent version here. As you can tell, I have been reading a lot of James Patterson recently. Sorry about that.

Also, if you are going to be at the PCI Europe Community Meeting this week, look me up! I'll be wheels down in Brussels on Tuesday in time for the networking session. I am looking forward to meeting more of you this week.

I am transiting through London first, so if you are in London and want to grab a pint, drop me a line!

It’s Sunday - Gone Fishing [Infosecurity.US]

Posted: 19 Oct 2008 03:50 PM CDT

Intego Warns MAC Users: MacGuard Is Malware [Infosecurity.US]

Posted: 19 Oct 2008 03:49 PM CDT

Intego, MAC security vendor is warning Apple Inc. (NasdaqGS: APPL) MAC OSX users of threats to harsh their mellow: Evidence of malware distributors targeting MAC users with the utilization of bogus security software, one of which, monikered MacGuard also has a Windows version of it’s nefarious product WinGuard. A short excerpt from the post follows, [...]

Spam Art [Commtouch Café]

Posted: 19 Oct 2008 02:42 AM CDT

Luckily there are creative people who will take even one of the most annoying things - SPAM - and turn it into something positive, that is, artwork. Artist Linzie Hunter has created a series of “one-liners” where she took spam subject lines and experimented with hand-lettering, turning them into works of art. Below is the cover [...]

Links for 2008-10-18 [del.icio.us] [Sicurezza Informatica Made in Italy]

Posted: 19 Oct 2008 12:00 AM CDT

Microsoft Norway Business Unit Charged With Accounting Fraud [Infosecurity.US]

Posted: 18 Oct 2008 08:43 PM CDT

Microsoft Norway’s owned FAST Search and Transfer has  been charged with accounting fraud in Oslo by Norwegian Economic Police; reports indicate Microsoft Corporation (NasdaqGS: MSFT) is cooperating fully… Microsoft’s Fast unit probed over accounting Microsoft’s Fast charged with ‘accounting fraud’ Legal Roundup: Google Appeals; Apple, Microsoft Sued; Fast Charged Microsoft to expand research center in Norway

Inspector General: IRS Systems Found Insecure - Again [Infosecurity.US]

Posted: 18 Oct 2008 12:38 PM CDT

Report: The Internal Revenue Service Deployed Two of Its Most Important Modernized Systems With Known Security Vulnerabilities A Treasury Inspector General for Tax Administration (TIGTA) Report (also available from the Infosecurity.US Public Documents Repository (.PDF), alludes to negligence in regards to systems deployment and implementation activities at the United States Department of the Treasury, Internal [...]

Looking forward to OWASP EU Summit Portugal [tssci security]

Posted: 18 Oct 2008 10:58 AM CDT

In only a couple weeks, many of the greatest minds in web application security will come together again for OWASP EU Summit in Algarve, Portugal. The Summit is a gathering whose main goal is, besides promoting the exchange of ideas on web application security, defining the future of OWASP itself. In other words: Do you want to help define the future of web application security? If so, the OWASP Summit is the place to be.

OWASP EU Summit 2008 Logo

This year, the Summit will happen in November, from the 3rd to the 7th, in Portugal. It will offer a great selection of training and technical sessions, regarding the most important OWASP projects and themes. It will also host a business track dealing with the usage of OWASP generated documents and tools by companies worldwide and with the opportunities for these companies to help OWASP’s development. It will be a great opportunity to meet the people that make a difference in the web security arena.

I will be attending, as a reviewer for AntiSamy.NET and also to join in the discussion on browser and framework security, a workshop hosted by the Intrinsic Security Working Group. I’ll be flying out several days earlier to do a little tourism — gotta make the most of “training” days ;) — so if anyone has been to the area before and has any recommendations, I’d love to hear them.

Don’t forget to check out the training and working sessions available.

Some of training being offered at OWASP EU Summit:

Training Courses
Monday, November 3, 2008 Tuesday, November 4, 2008
Advanced Web Application Security Testing (day 1 of 2) Advanced Web Application Security Testing (day 2 of 2)

Building Secure Web Services (day 1 of 2) Building Secure Web Services (day 2 of 2)
WebAppSec for Managers and Executives - The Road Less Travelled (1 day)

The Art and Science of Threat Modeling Web Applications (1 day)
Uncovering WebScarab’s Secret Treasures (1 day) Ajax Security (0,5 day AM)

Secure Programming with Java (1 day) -
Building Secure Web Applications with OWASP’s Enterprise Security API (ESAPI) (1 day) Securing WebGoat with ModSecurity (1/2 day PM)

Building Secure Web 2.0 Applications (1 day) Flash Player Security (1/2 day AM)
Web server/services hardening using SELinux (1 day)

Auditing Flash Applications (1/2 day PM)
Web Application Assessments (1/2 day PM) OWASP Top 10 - What Developers Should Know on Web Application Security (1/2 day)
Hacking OWASP Orizon Project v1.0 (1/2 day PM) OWASP Testing Guide (1/2 day PM)

In summary, it will be an unparalleled opportunity to learn, share, and network.

Governator Vetoes Bill [TriGeoSphere]

Posted: 18 Oct 2008 02:27 AM CDT

The GovernatorCalifornia’s Governor, Arnold Schwarzenegger, vetoed the state legislator’s second attempt to pass a Consumer Data Protection Act.  While the new bill softened some provisions found in the original, such as the requirement that a breached organization reimburse financial institutions for the cost of replacing credit cards, it remained a flawed bill in many respects.

By vetoing the bill, the Governor once again concluded that adequate protection already exists. Schwarzenegger wrote, “As I stated in last year’s veto of a similar bill, this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers.”

I had a chance to talk about the proposed legislation last month. During the discussion, I expressed my hope that the Governor would again veto the bill because I saw it as an inadequate attempt to define appropriate data handling requirements with only one possible outcome…litigation.

The bill meant well, but falls short of providing any significant new value and includes minimal guidance on how to minimize the potential loss of data.  Its technical focus is limited to storage and transmission suggesting that businesses:
1.      Don’t store consumer data, even if it’s encrypted
2.      Encrypt data that is being transmitted on open networks

These aren’t unreasonable requests…

Inappropriate customer data storage and transmission have been the leading culprits in several recent breaches.  Unfortunately, storage and transmission breaches are only the tip of the iceberg.  Businesses continue to lose sensitive data just through wireless access points, weak passwords, weak encryption, vendor default or contractor passwords, systems compromised by key loggers, trojans and more.  Plain and simple: If a business handles a meaningful volume of credit card data, there is a high probability someone is looking for a way to get it.

Considering all the risks, and the reality that security can be expensive, don't we need legislation?

Perhaps… but not this legislation.

It didn't highlight many of the possible attack vectors and PCI already enforces everything the proposed legislation would offer. Given the California bill’s shortcomings, I wonder who the target audience was for the bill.  Were they serious about requiring businesses to protect the data, or was their agenda focused on generating evidence to assign blame?

Clearly, the most meaningful consumer data protection comes from taking responsible and prudent steps to prevent data loss. Even under the best of circumstances, no one can guarantee that a loss will never occur and that’s where California led the way in disclosure legislation.  In my opinion, this legislation was ill-conceived and I hope it won’t be back.

What do you think?

No comments: