Wednesday, October 22, 2008

Spliced feed for Security Bloggers Network

Swiss Researchers Sniff Password from Wired Keyboard [Darknet - The Darkside]

Posted: 22 Oct 2008 05:17 AM CDT

Now this is an interesting twist on an old-school method of hacking, the monitoring of electromagnetic radiation. You’d think it’d be easier to sniff the traffic from a wireless keyboard, but generally it’s not, as they tend to be encrypted, whereas the electromagnetic radiation given off by a wired keyboard is not shielded or...

Read the full post at darknet.org.uk

Grecs’s Infosec Ramblings for 2008-10-21 [NovaInfosecPortal.com]

Posted: 21 Oct 2008 11:59 PM CDT

The New Identity Theft Red Flags Rule: Does it Raise “Red Flags” for Information Security? [BlogInfoSec.com]

Posted: 21 Oct 2008 10:20 PM CDT

On May 10, 2006, President Bush signed an Executive Order creating the nation’s “first ever” Identity Theft Task Force.  The purpose of this ad hoc committee, chaired jointly by the Attorney General and by the Chair of the Federal Trade Commission (FTC), was “to help law enforcement officials investigate and prosecute identity thieves, educate consumers and businesses on ways they can protect themselves, and increase the safeguards on personal data held by the Federal government.”

Less than a year later, the Task Force produced its final report, Combating Identity Theft:  A Strategic Plan.  Approximately 20% of the pages comprising the largest chapter, “Strategy to Combat Identity Theft,” were devoted to issues concerning information security, including material pertaining to data breaches in the private and public sectors.  In addition, the report discusses many topics familiar to information security professionals:  theft of sensitive documents, dumpster diving, hacking, phishing, spyware, pretexting, and stolen media (such as laptops) containing data that promote identity theft.

At approximately the same time that the Task Force was drafting its Strategic Plan, six federal agencies (the Office of the Comptroller of the Currency (OCC), the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the Office of Thrift Supervision (OTS), the National Credit Union Administration (NCUA), and the FTC) were developing a new set of regulations also intended to reduce the threat of identity theft.  Their final rules, formally titled “Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003,” were issued on October 31, 2007, and will take effect on November 1, 2008.

(...)
Read the rest of The New Identity Theft Red Flags Rule: Does it Raise “Red Flags” for Information Security? (1,298 words)

© sdekay for BlogInfoSec.com, 2008.

McAfee tries to take NAC back to the stone age [StillSecure, After All These Years]

Posted: 21 Oct 2008 03:45 PM CDT

I have been reading about it in bits and pieces for about a week now, but reading Tim Greene's column this morning confirmed it for me. McAfee, the company that usually buys whatever innovation it needs, tried to build their own NAC system and in doing so is trying to take us back to the stone age of NAC. I guess we should not be surprised that a dinosaur of a company would have us perform NAC with caveman tools.

Let's be clear, McAfee has offered NAC for a while now. It was called MNAC and was part of the uber-suite.  Everyone agreed it was pretty weak and not much of a NAC product.  It really had no provision for guest or unmanaged devices.  Other than the agent acting as a reverse firewall, it depended entirely on either the Cisco NAC framework or Microsoft NAP to perform network enforcement.  The need for guest or unmanaged device control and network based enforcement was painfully obvious.

So, taking a page from the GEICO caveman, McAfee is seeking to move NAC back to the stone age. They took their expensive Intruvert-derived, "purpose built" IPS and repurposed it for NAC.  So now McAfee has a network based NAC product.  Sure, you just have to buy a few or a dozen expensive "purpose built" IPS boxes that now have, I guess, a "purpose built" NAC on there as well, and place them all over your network. Now they can block unmanaged devices and provide network based NAC enforcement even if you are not one of the two people who use the Cisco NAC framework or you don't yet have Microsoft NAP.

This is a page out of Juniper UAC v1 back in 2005 or so.  It didn't scale then and it doesn't scale now.  At best this is a finger in the dike strategy until McAfee realizes that they have to do it the McAfee way. They just can't build innovation and they have to go out and buy a NAC company.  In the meantime, I don't expect anyone but the most diehard McAfee customers will find much merit in this retro approach to NAC!

Schneier on Security: Quantum Cryptography [Security Circus]

Posted: 21 Oct 2008 02:16 PM CDT

lm2ntcrack - Microsoft Windows NT Hash Cracker (MD4 -LM) [Darknet - The Darkside]

Posted: 21 Oct 2008 01:08 AM CDT

We have covered quite a lot of Password Cracking tools and it’s not often a new one comes out, this one is for quite a specialised purpose (not a general all-purpose password cracker like John the Ripper or Cain & Abel), although you do need to use it alongside JTR. This tool is for instantly cracking [...]

Read the full post at darknet.org.uk

Links for 2008-10-20 [del.icio.us] [HiR Information Report]

Posted: 21 Oct 2008 12:00 AM CDT

Grecs’s Infosec Ramblings for 2008-10-20 [NovaInfosecPortal.com]

Posted: 20 Oct 2008 11:59 PM CDT

NoScript Force SSL [.:Computer Defense:.]

Posted: 20 Oct 2008 02:17 PM CDT

I've always commented that I'm not a big fan of NoScript... I find browsing "modern" websites to be almost impossible with the plugin installed. For this reason, I don't know how popular it is with "the masses". That being said, I use it because a hindrance is better than a gaping security hole.

However, I've now found what I feel to be the best feature in NoScript: the ability to force HTTPS. Sites like LinkedIn have always had issues with providing adequate HTTPS support. There are other sites that are HTTPS only, yet don't redirect HTTP to HTTPS. I've always found these issues to be frustrating. NoScript has solved these problems.

I've inserted a number of common websites I visit into the force HTTPS dialog and now, even if they have flaky HTTPS support that pushes you to HTTP on every request, I'm always using HTTPS. If I type in an address manually to a site that's configured only for HTTPS, NoScript forces the connection over to HTTPS and I no longer curse and go to the address bar to add the 's'.

This is an amazing feature and has greatly increased the value of NoScript in my eyes. Given that this isn't the core focus of the plugin, it's probably the single greatest addition that could have occurred.

Update

Marcin just pointed out that LinkedIn public profiles don't exist over HTTPS (treguly (http) works, treguly (https) doesn't)

To resolve this, simply add www.linkedin.com/in/ to the "never force https connections" portion of NoScript.

Forget The IT Security Strategy, Just Get R Done! [BlogInfoSec.com]

Posted: 20 Oct 2008 06:00 AM CDT

In recessionary times, how many organizations say, “We need to send more people to training, increase our travel budgets, and hire some strategy people?” These activities just don’t happen. Why is that? Let’s say that you are nearing retirement and have put in place a 10 year plan to the full-time career choice of perfecting that golf swing. You are 3 years into the plan, and your company has been sold, your job has been eliminated, gas prices have doubled, and popcorn for the movies has made that luxury obsolete!  Do you say, well, developing that plan was a waste of time? Do you just wing it? Do you resolve to work till you are 90 and live in a tent?

The reality is that in life we are continually reacting and readjusting to our external environment. Change is happening to us all the time, whether we are an active participant in influencing the outcomes or whether we are “waiting” to see what happens next. Many times we come to recognize this is true only by looking in the rearview mirror and evaluating the decisions that we have made.

Some of us are planning for the next steps, and looking years into the future, while some of us choose to live in the present moment. As Eckhart Tolle describes in his book “The Power of Now”, having a present-minded focus is very valuable, as in the present no problems really exist and we are always able to cope with the current situation. Stress and tension come when our minds examine past experiences and project imaginary future outcomes which may or may not ever happen. Does this mean that we should never plan for the future? Certainly not. As Spencer Johnson, co-author of the One-Minute Manager, postulates in his parable entitled “The Present”, we need to 1) learn from the past, 2) live in the present, and 3) plan for the future. This simple parable contains the key concept for developing an effective strategy: build one that is not static, one which incorporates the lessons from the past, which will permit us to do the right things in the present, by thinking about the challenges that we may potentially face in the future, as well as the position where we want to be to help our organizations to be the most successful.

(...)
Read the rest of Forget The IT Security Strategy, Just Get R Done! (651 words)

© tfitzgerald for BlogInfoSec.com, 2008.

DarkMarket Carding (Credit Card Fraud) Site Part of FBI Sting [Darknet - The Darkside]

Posted: 20 Oct 2008 05:39 AM CDT

You may remember the story about the Pro ATM Hacker ‘Chao’ and his Tips a while back, apparently that was the start of a big global sting operation on credit card fraud. Chao was admin/moderator on a community of carders (where they bought/sold stolen credit card info) called DarkMarket and the first to be busted, it [...]

Read the full post at darknet.org.uk

[French] CNIS (Computer, Network & Information Security) magazine [Francois Ropert weblog]

Posted: 20 Oct 2008 04:22 AM CDT

A new quarterly IT security magazine, in print and as a website, has just come out! It is the work of Marc Olanié and Solange Belkhayat-Fuchs. Congratulations to them, they really worked hard on this project; long live CNIS!

The website: http://www.cnis-mag.com/

The cover of the first issue:

And the table of contents:

  • CISO profile (Parcours de RSSI) - Eric Detoisien, Head of IT Security, BRED Banque Populaire
  • Feature on security and RFID
  • Legal - Analysis: cryptology, the end of the story? by Olivier Itéanu
  • Legal - Analysis: ISO 15489, for better protection of information, by Benoît Louvet
  • Strategy survey - CISO and IT risk manager: one and the same fight?
  • Expert profile - Bruce Schneier, CTO of British Telecom Counterpane
  • Expert profile - Philippe Courtot, CEO of Qualys
  • Technology trend - Secure coding: methods and principles

Happy reading!

Grecs’s Infosec Ramblings for 2008-10-19 [NovaInfosecPortal.com]

Posted: 19 Oct 2008 11:59 PM CDT

Colin Powell Endorses Barack Obama [Vincent Arnold]

Posted: 19 Oct 2008 10:33 PM CDT

I believe this endorsement speaks for itself. Of particular note was a comment where he discussed the concerns from members of the republican party that Barack “might” be Muslim.

“Well, the correct answer is, he is not a Muslim, he’s a Christian. He’s always been a Christian,” he said. “But the really right answer is, what if he is? Is there something wrong with being a Muslim in this country? The answer’s no, that’s not America. Is there something wrong with some seven-year-old Muslim-American kid believing that he or she could be president? Yet, I have heard senior members of my own party drop the suggestion, ‘He’s a Muslim and he might be associated terrorists.’ This is not the way we should be doing it in America.”

Quantum Crypto - Schneier Commentary in Wired [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 19 Oct 2008 10:21 PM CDT

While ordinarily I have to admit I find some of Bruce's stuff a bit... harsh and pointy, I read his recent commentary on Quantum Cryptography in Wired and found myself nodding my head in agreement.

I don't think it's a secret I tend to be a realist when it comes to security; and often find myself arguing against the concept of "piling on" when there are much weaker links in the chain. Bruce's assertion that the level of extra security gain from quantum crypto (the assurance that no one is listening in) is great but we have bigger problems. Well, no kidding!

I can't remember whom I was talking to about this at OWASP '08 (I think it was RSnake... I'm fairly sure) but the other person's assertion was that encrypting/signing stuff is inherently broken for most applications. Interesting huh? I'm fairly certain it was RSnake (now that I think about it) that said this, referencing MITM (man-in-the-middle) attacks. I include my PGP key in my signature on my personal email - but how do you really know it's coming from me and it wasn't altered along the way? Did I give it to you in person, and did you verify it was really me? See, this builds upon the interesting basic question of how much trust do you have in any given system. Do you trust the PGP key-maintenance system? And if you do, why? Think it over for a minute.

Cryptography really depends on the mechanism of distribution of the key(s), and how "trusted" that mechanism is. Within the ranks of the DoD, I imagine but don't have any first-hand knowledge, they've probably built their own key management system that is ~100% trusted (or darn near 100%). But I digress.

Quantum crypto is a wonderful theoretical concept - but another one of those things that has very little real application beyond academia. Bummer... neat idea though.

ISSA - Baltimore Chapter Infosec Meetup Event - Wednesday, 10-22: Network Pen Testing [NovaInfosecPortal.com]

Posted: 19 Oct 2008 05:40 PM CDT

Here is some information regarding this week’s Wednesday ISSA - Baltimore Chapter infosec meetup event. You can’t go wrong attending a general pen test talk! There’s always something more to learn.

For more information on the ISSA - Baltimore Chapter, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the page with information on this meetup.

ISACA - NCA Chapter Infosec Meetup Event - Wednesday, 10-22: ERP and Continuous Audit Monitoring [NovaInfosecPortal.com]

Posted: 19 Oct 2008 05:25 PM CDT

Here is some information regarding this week’s Wednesday ISACA - National Capital Area (NCA) Chapter infosec meetup event.

  • Who: Don Adams
  • What: ERP and Continuous Audit Monitoring
    • This full-day conference will provide participants an overview of (1) Oracle Security and controls, (2) automating ERP application audits using real-life examples in an SAP environment, (3) Continuous Controls Monitoring, and (4) Governance Risk and Compliance 101 - GRC Perspectives and Building Blocks within SAP 101.
  • When: 10/22, 8:00 AM - 4:45 PM EST
  • Where: Ronald Reagan Building & International Trade Center (1300 Pennsylvania Avenue NW;  Washington, DC 20004; the Federal Triangle metro stop is located on site and Metro Center is two blocks away)

For more information on the ISACA - NCA Chapter, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the page with information on this meetup.

ISSA - DC Chapter Infosec Meetup Event - Tuesday, 10-21: Endpoint Security 2.0 [NovaInfosecPortal.com]

Posted: 19 Oct 2008 04:42 PM CDT

Here is some information regarding this week’s Tuesday ISSA - DC Chapter infosec meetup event. This looks to be a very interesting session on whitelisting applications. I’ve been thinking for a while that this is probably the only way we’re going to make a dent in curbing the proliferation of malware. It’s useless trying to play detect and react. The security industry needs to be more proactive and whitelisting may be one tool that we can use. It’s been done with firewalls and many companies are now doing it for web sites as well. Applications are probably next in line.

  • Who: Daniel Teal, CoreTrace
  • What: Endpoint Security 2.0: The Emerging Role of Application Whitelisting Solutions
    • Traditional endpoint security solutions are becoming less effective against the constantly changing threats of today. Anti-virus, anti-adware, host IPS, and other solutions have been defeated by skilled attackers and insider threats. This session will review the limitations of current generation products and present new technologies being developed by the security industry, most notably application whitelisting solutions, that can address the ever changing threats organizations face.
  • When: 10/21, 6:30 - 8:00 PM EST
  • Where: Radio Free Asia (2025 M Street NW; Washington, DC 20036; in the first floor conference room)

For more information on the ISSA - DC Chapter, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the page with information on this meetup.

OWASP NYC Talks Posted.. [extern blog SensePost;]

Posted: 19 Oct 2008 04:38 PM CDT

The full videos from the OWASP NYC Conf have been posted.

At least one BlackHat re-run, but some look well worth the watching.. Most people can grab the videos and slide decks [here], SensePost'ers (except for those actually currently living in NY) can grab selected talks locally [here]

Sysadmin Sunday: Apache Name Based Hosting mini-howto [HiR Information Report]

Posted: 19 Oct 2008 08:00 AM CDT

Apache Name Based Hosting configuration
by Asmodian X

Contents
1. Description
2. Getting started
3. Base Filesystem Layout
4. Base Configuration
5. Name based hosting configuration (WWW only)
6. Name based hosting configuration (SSL single site)
7. Implementing the configuration

1. Description

Apache name based hosting configuration using Debian Linux or Ubuntu Linux Server edition. This is intended for intermediate Linux/UN*X administrators. You will require the Apache mod_vhost_alias module (enabled below with a2enmod vhost_alias), along with apache2, openssl and whatever other apache services you want.

2. Getting started

If you have not already installed apache ...

At the Ubuntu/Debian Linux prompt:

$ sudo apt-get install apache2
$ sudo a2enmod vhost_alias
$ sudo a2enmod ssl

3. Base Filesystem Layout
htdocs layout:

/data/sites
• ssl
  ⁃ symlink to the site folder in www
• www
  ⁃ site_url
    ⁃ htdocs
    ⁃ cgi-bin

This could easily be turned into SUSE's standard of /srv/www/sites/www, etc. The site_url folder name needs to be exactly what the end user will type in as the DNS name, so there needs to be a folder called host.example.com as well as www.host.example.com. This is easily accomplished with symlinks in Linux.

Config layout (based on the Ubuntu/Debian standard):

/etc/apache2
• sites-available
• sites-enabled
• mods-available
• mods-enabled
• ssl
  ⁃ sitename
    ⁃ certificate file

The ssl directory could easily be in /etc/ssl but this is up to you.

4. Base Configuration
This is the default Debian/Ubuntu apache2.conf file. No changes were made here.

ServerRoot "/etc/apache2"
LockFile /var/lock/apache2/accept.lock
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
<IfModule mpm_prefork_module>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 150
MaxRequestsPerChild 0
</IfModule>
<IfModule mpm_worker_module>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
DefaultType text/plain
HostnameLookups Off
ErrorLog /var/log/apache2/error.log
LogLevel warn
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
Include /etc/apache2/httpd.conf
Include /etc/apache2/ports.conf
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# Note: these two Debian defaults put the full server version in response
# headers and error pages; "ServerTokens Prod" and "ServerSignature Off"
# are the hardened settings if you do not want that advertised.
ServerTokens Full
ServerSignature On
Include /etc/apache2/conf.d/
Include /etc/apache2/sites-enabled/
Listen 80
Listen 443

5. Name based hosting configuration (WWW only)

UseCanonicalName Off
LogFormat "%V %h %l %u %t \"%r\" %s %b" vcommon
DirectoryIndex index.html index.shtml index.php index.htm
<Directory /data/sites/www>
Options FollowSymLinks
AllowOverride All
</Directory>
<VirtualHost *:80>
ServerName host.example.com
CustomLog /var/log/apache2/access_log.host.vhost vcommon
VirtualDocumentRoot /data/sites/www/%0/htdocs/
VirtualScriptAlias /data/sites/www/%0/cgi-bin/
</VirtualHost>

WWW name based hosting requires the mod_vhost_alias apache2 module. With UseCanonicalName Off, on any interface apache is listening on, the hostname sent in the request's Host header is substituted for %0 and matched against a directory name in /data/sites/www/. A request for a hostname with no matching directory simply gets a 404, which is why every name a user may type (host.example.com as well as www.host.example.com) needs its own directory or symlink there.

6. Name based hosting configuration (SSL single site)

UseCanonicalName Off
LogFormat "%V %h %l %u %t \"%r\" %s %b" vcommon
DirectoryIndex index.html index.shtml index.php index.htm
<Directory /data/sites/ssl>
Options FollowSymLinks
AllowOverride All
</Directory>
<VirtualHost 1.2.3.4:443>
SSLEngine On
# No SSLCertificateKeyFile is given here, so Apache expects the private
# key to be in the same PEM file as the certificate.
SSLCertificateFile /etc/apache2/ssl/generic/generic.crt
ServerName host.example.com
CustomLog /var/log/apache2/access_log.host.vhost vcommon
VirtualDocumentRoot /data/sites/ssl/host.example.com/htdocs/
VirtualScriptAlias /data/sites/ssl/host.example.com/cgi-bin/
</VirtualHost>

Alternatively you can add another virtual host for port 80 in case you want to exclude this site from the name based section above.

SSL wants a static port, IP or both, because the certificate is chosen before the hostname is seen, so each certificate needs its own IP:port pair. It's easier to have a static IP but either will do. Also, you will need a dedicated SSL certificate for each site (lest you get an SSL error message on the client side) or you need to get a wildcard SSL certificate for your domain. This assumes you are assigning sites under the example.com domain, such as site1.example.com, site2.example.com, etc.

If you are dealing with different DNS names for each site then individual certificates are needed.

7. Implementing the configuration
When installing the configuration take these steps:

1. Remove the /etc/apache2/sites-enabled/default configuration symlink.
2. Create the generic name based hosting files (listed above) as files in the /etc/apache2/sites-available folder.
3. Create symlinks from the sites-available configuration files into the sites-enabled folder.
4. Check the syntax with apache2ctl configtest, then restart apache.
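As an added example (not part of the original howto), the POSIX shell script below creates the /data/sites layout from section 3 for one site, including the www. alias symlink and the ssl/ symlink, and then emulates the VirtualDocumentRoot %0 lookup from section 5 so you can check which directory a given Host value would be served from. The base path argument is a hypothetical stand-in for /data/sites.

```shell
#!/bin/sh
# Added example, not from the original howto. BASE stands in for the
# article's /data/sites; HOST is a site name such as host.example.com.
set -u

# Create www/<host>/{htdocs,cgi-bin}, the www.<host> alias symlink the
# article recommends (since %0 is the full hostname the user typed), and
# the ssl/<host> symlink back to the www folder for the SSL vhost.
make_site() {
    base="$1"; host="$2"
    mkdir -p "$base/www/$host/htdocs" "$base/www/$host/cgi-bin" "$base/ssl"
    [ -e "$base/www/www.$host" ] || ln -s "$host" "$base/www/www.$host"
    [ -e "$base/ssl/$host" ] || ln -s "../www/$host" "$base/ssl/$host"
}

# Emulate "VirtualDocumentRoot $base/www/%0/htdocs/": print the physical
# directory that would be served for this Host value, or fail (exit 1)
# when no site directory exists or when it resolves outside the base
# (for example through a stray symlink); a missing directory is what
# Apache turns into a 404.
docroot_for_host() {
    base="$1"; host="$2"
    # A hostname never contains '/'; refuse anything that alters path depth.
    case "$host" in
        ""|.|..|*/*) return 1 ;;
    esac
    dir="$base/www/$host/htdocs"
    [ -d "$dir" ] || return 1
    real=$(cd "$dir" 2>/dev/null && pwd -P) || return 1
    basereal=$(cd "$base" 2>/dev/null && pwd -P) || return 1
    case "$real" in
        "$basereal"/*) printf '%s\n' "$real" ;;
        *) return 1 ;;
    esac
}
```

Run it as `make_site /data/sites host.example.com` and then `docroot_for_host /data/sites www.host.example.com` to confirm the alias resolves before restarting apache.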

Links for 2008-10-18 [del.icio.us] [HiR Information Report]

Posted: 19 Oct 2008 12:00 AM CDT

Grecs’s Infosec Ramblings for 2008-10-18 [NovaInfosecPortal.com]

Posted: 18 Oct 2008 11:59 PM CDT

Cloud Computing, Virtualization and IT Diseconomies [ARCHIMEDIUS]

Posted: 18 Oct 2008 06:19 PM CDT

Cloud computing has become a reality, yet the hype surrounding cloud has started to exceed the laws of physics and economics.  The robust cloud (of all software on demand that will replace the enterprise data center) will crash into some of the same barriers and diseconomies that are facing enterprise IT today.   Certainly there will always [...]
