Sunday, October 26, 2008

Spliced feed for Security Bloggers Network

DNS based GSLB demystified (part 2/3) [Francois Ropert weblog]

Posted: 26 Oct 2008 04:42 AM CDT

Impacts of DNS caching

When using DNS, responses are cached for a specific period of time by resolvers and clients. This period is configurable and is called the TTL (time to live). When the client's cached entry expires and the application resolves the same name again, the client sends a new DNS request. If the resolver's cached entry has not expired, the resolver replies directly; if it has expired, the GSLB mechanism runs again. Setting a TTL of "0" means "no cache".
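As an added illustration (not part of Francois Ropert's post), the following Python model replays lookups through a per-client cache and a shared resolver cache sitting in front of a GSLB; the round-robin site choice and the name app.example are assumptions, used only to show when the GSLB decision is actually recomputed and what TTL 0 does.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CacheEntry:
    answer: str        # the site the GSLB handed out
    expires_at: float  # absolute time at which the entry stops being valid


class GslbSimulation:
    """Two-tier DNS cache (client -> resolver) in front of a GSLB authority.

    Hypothetical model: the GSLB decision is a plain round-robin over `sites`;
    real GSLB logic (health, proximity, load) is not modelled, only *when* it runs.
    """

    def __init__(self, ttl: float, sites: List[str]):
        self.ttl = ttl
        self.sites = sites
        self.gslb_runs = 0  # how often the GSLB decision was recomputed
        self._rr = 0
        self.resolver_cache: Dict[str, CacheEntry] = {}
        # one cache per client, keyed by (client id, name)
        self.client_cache: Dict[Tuple[str, str], CacheEntry] = {}

    def _gslb_decide(self) -> str:
        self.gslb_runs += 1
        site = self.sites[self._rr % len(self.sites)]
        self._rr += 1
        return site

    def lookup(self, name: str, client: str, now: float) -> Tuple[str, str]:
        """Resolve `name` for `client` at time `now`; returns (answer, where it came from)."""
        # 1. client cache still valid -> no DNS request leaves the client at all
        entry = self.client_cache.get((client, name))
        if entry and now < entry.expires_at:
            return entry.answer, "client-cache"

        # 2. resolver cache still valid -> the resolver answers itself, GSLB does not run
        entry = self.resolver_cache.get(name)
        if entry and now < entry.expires_at:
            source = "resolver-cache"
        else:
            # 3. both expired -> the GSLB mechanism runs again
            entry = CacheEntry(self._gslb_decide(), now + self.ttl)
            self.resolver_cache[name] = entry
            source = "gslb"

        # The resolver passes on the *remaining* TTL, so the client's copy expires at
        # the same instant as the resolver's. With ttl == 0, expires_at == now and
        # neither cache ever returns the entry: "no cache".
        self.client_cache[(client, name)] = CacheEntry(entry.answer, entry.expires_at)
        return entry.answer, source


def failover_trace(ttl: float, events: List[Tuple[float, str]]) -> List[Tuple[float, str, str, str]]:
    """Replay (time, client) lookups of one name; returns (time, client, answer, source)."""
    sim = GslbSimulation(ttl, ["site-a", "site-b"])
    return [(t, c) + sim.lookup("app.example", c, t) for t, c in events]
```

Note that every client behind the same resolver is pinned to the same GSLB answer until the resolver's entry expires, so the TTL bounds how fast a failover to another site reaches those clients.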

Gartner: Oracle & VMware Tied For Most Secure Hypervisor? [Rational Survivability]

Posted: 26 Oct 2008 04:31 AM CDT

I was reading an interesting article from James Maguire from Datamation that outlined various competitors in the virtualization platform space.

In the article, James referenced a Gartner slide that comparatively summarized hypervisor selection criteria including the maturity of features, pricing, management and ultimately security.  Unfortunately the presentation source of the slide was not cited, but check this out:
[Image: Gartner-virt-chart]
What I found very interesting was the security section, which equated the security capability/maturity criteria of Oracle with that of VMware while at the same time showing that the overall maturity/stability of Oracle was not as highly ranked.

Since Oracle's hypervisor is based upon Xen and Citrix/XenSource is not ranked as high, it leaves me scratching my head.

Given that this chart references hypervisor selection to YE08, it more than likely does not take into consideration the coming vNetwork/VMsafe APIs; it's unclear if this section is a measure of VMM "security" based upon published vulnerabilities, an assessment of overall architecture, the availability of security solutions in the ecosystem...

This is a very interesting assertion and I'd really like to get the entire document that describes how this was quantified and what it means.  Anyone know which report this came from?

/Hoff

links for 2008-10-25 [Srcasm]

Posted: 26 Oct 2008 01:05 AM CDT

I'm whole again! [StillSecure, After All These Years]

Posted: 25 Oct 2008 10:20 PM CDT

The toughest thing to repair from my blog hack incident back in August was that the kind, thoughtful folks (we know who you are, be afraid, very afraid) who did it decided to try and save Typepad some disk space and deleted a whole bunch of my posts from Feb 2008 through early August.  As I have mentioned before, Typepad does not have a restore-from-deleted feature.

As I have also said before, as a result of knowing some folks at Typepad I was able to get a backup of my blog.  They showed me how to manually set up a file to import the deleted posts.  That was fine for doing one or two at a time, but almost 300 blog posts was just a bit much.  I tried and tried to figure out the best way to do this.  Finally I gave up.

Instead I handed it over to handy, dandy Jake Reynolds, IT magician person. Jake took the file onto his shiny Mac, did some scripting and tonight I imported 6 files and presto! 6 months' worth of blog files restored! I am not sure the indexing of them is synced yet, but that should take a day or two I guess.

In the meantime, all 1300+ of my blog articles are now available again.  At some level I feel like this is closing another chapter on the whole experience of August.


Ridiculing the Ridiculous: Terrorist Tweets [Emergent Chaos]

Posted: 25 Oct 2008 09:09 PM CDT

A group of soldiers with the US Army's 304th Military Intelligence Battalion have managed to top previous military research on terrorist use of World of Warcraft.

Realizing that mentioning the word "terrorist" can allow researchers to acquire funding to play the popular MMOG, they turned attention to the popular, if architecturally unscalable micro-blogging system, Twitter.

Surpassing the threat-analysis skill of super-spy Chad Feldheimer from the recent documentary "Burn After Reading," they mention not only the threat of "socialists," "communists," and "anarchists," in using Twitter to "communicate with each other and to send messages to broader audiences," but the wider and more up-to-date threats from "religious communities," "atheists," "political enthusiasts," "human rights groups," "vegetarians," and last but not least, "hacktivists." They notably left out delinquent teenagers, so one presumes they don't use systems like Twitter.

The Military Intelligence group also discovered that people can use GPS in phones like the Nokia 6210 and Nokia Maps to know where they are. This could let terrorists who want to illegally cross a border know where that border is, or to know that a certain large triangular stone thing is the Pyramid of Cheops (category: Attraction).

The report's cutting edge thinking also discusses how terrorists could use voice-changing software such as AV Voice Changer Diamond to make prank phone calls and effectively hide under an abaya.

The full report, marked "For Official Use Only," can be found here. It also redacts with a dark gray splash of ink the email address of sarah.e.womer@ugov.gov, from whom you can get a copy of the report if you do not have access to INTELINK, Cryptome, or the Federation of American Scientists.

I think the report speaks for itself. I just can't make this stuff up, apart from the bit about hiding under an abaya.

Bloblive was a blast! [Srcasm]

Posted: 25 Oct 2008 07:52 PM CDT

As most of you who follow me know, I love to talk.  I can and will talk to almost anyone I come in contact with and even more than that, I love to hear new ideas.  I went to an event called bloblive put on by ideablob in Philadelphia recently where people got to get up and share ideas that they had.  They ranged from food carts to community financed physicians and everything in between.  I thoroughly enjoyed each and every one of the presenters.  At this event, a good friend of mine spoke about her idea.

Gloria discussed the idea of “a la carte business assistant services”.  These could include doing the books, sending emails or even running customer service duty when you’re unavailable as an entrepreneur.  Check out her presentation below and her company at Red Stapler Consulting or her interview by Jonny Goldstein.

In addition, if you’re willing to sit back with a bag-o-popcorn and laugh your butt off, go ahead and catch my impromptu presentation on how to build up free wireless in Philadelphia — Correctly.

With great privilege comes great responsibility [StillSecure, After All These Years]

Posted: 25 Oct 2008 07:40 PM CDT

How many of us have grown up hearing about the sacrifices of our forefathers enabling our freedoms and lifestyle.  How many of you have believed that the dream of home ownership, regular vacations, bountiful food and freedom to be and do almost anything is your birthright?  If you are anything like me, you have taken the lifestyle you and your family lead for granted. 

Over the last few months and weeks though I have thought a lot about what so many of us take for granted.  Life, liberty, the pursuit of happiness are more than just words.  Being able to quench your hunger by just opening the refrigerator is not the natural state of man. Buying electronics, toys and other luxuries is not a God given right.  There really have been huge sacrifices made for us to live the life we lead.  Whether we talk about brave men and women giving their blood so that we can live the way we live or people scrimping and saving, doing without - in the hope of a better life for their children, every generation has done what they had to. They have risen to the challenges of their day. Their only hope being that the generation who comes next will have it better than they did.

A review of history shows that almost every generation comes to a crisis point where the life we lead and the life we want for our children is in jeopardy.  Every generation must rise up to meet this challenge.  For the most part we have been blessed that the generations who have gone before us have risen up to meet this challenge.  In every generation leaders have arisen to lead the charge, but it is up to the rank and file to overcome.  Tom Brokaw wrote about one such generation in his book "The Greatest Generation". Our grandparents and great-grandparents who suffered through the great depression and then made the world "safe for democracy". The next generation who overcame the morass of Vietnam, but eventually vanquished the threat of Communism and the Cold War. Earlier generations built an economic powerhouse that rivaled any of the great empires of antiquity. Our ingenuity and innovative culture has accelerated the pace of progress beyond anything imagined before. All of this resulting in a way of life that would seem impossible to humans just a hundred or so years ago.

Our generation has enjoyed the life that these accomplishments and sacrifices have enabled.  But I think now is the time for our generation to step up and pay back. We are at our crisis point.  Between global events with terrorism, energy and environmental issues, coming to grips with living on borrowed money and perhaps borrowed time, an economy that maybe is not as fundamentally sound and strong as we have believed, and a society that is too absorbed in me to care too much about us, our problems all seem to be coming home to roost at the same time.

How we respond and face all of these challenges simultaneously will determine not only how we get by these times, but what kinds of lives our children will lead.  It is time to really show that we don't take all of our bounty for granted. We need to show that we are willing to do what we have to in order to continue and to prosper.  We as a generation have to step up, be counted, meet the challenges and continue the tradition of our forefathers. The future of our planet and species is dependent on it!


Patching The Cloud? [Rational Survivability]

Posted: 25 Oct 2008 07:05 PM CDT

Just to confuse you, as a lead-in on this topic, please first read my recent rant titled "Will You All Please Shut-Up About Securing THE Cloud...NO SUCH THING..."

Let's say the grand vision comes to fruition where enterprises begin to outsource to a cloud operator the hosting of previously internal complex mission-critical enterprise applications. 

After all, that's what we're being told is the Next Big Thing™

In this version of the universe, the enterprise no longer owns the operational elements involved in making the infrastructure tick -- the lights blink, packets get delivered, data is served up and it costs less for what is advertised is the same if not better reliability, performance and resilience.

Oh yes, "Security" is magically provided as an integrated functional delivery of service.

Tastes great, less datacenter filling.

So, in a corner case example, what does a boundary condition like the out-of-cycle patch release of MS08-067 mean when your infrastructure and applications are no longer yours to manage, and the ownership of the "stack" disintermediates you from being able to control how, when or even if vulnerability remediation anywhere in the stack (from the network on up to the app) is assessed, tested or deployed?

Your application is sitting atop an operating system and underlying infrastructure that is managed by the cloud operator.  This "datacenter OS" may not be virtualized or could actually be sitting atop a hypervisor which is integrated into the operating system (Xen, Hyper-V, KVM) or perhaps reliant upon a third party solution such as VMware.  The notion of cloud implies shared infrastructure and hosting platforms, although it does not imply virtualization.

A patch affecting any one of the infrastructure elements could cause a ripple effect on your hosted applications.  Without understanding the underlying infrastructure dependencies in this model, how does one assess risk and determine what any patch might do up or down the stack?  How does an enterprise that has no insight into the "black box" model of the cloud operator set up a dev/test/staging environment that acceptably mimics the operating environment?

How does one negotiate the process for determining when and how a patch is deployed?  Where does the cloud operator draw the line?   If the cloud fabric is democratized across constituent enterprise customers, however isolated, how does a cloud provider ensure consistent distributed service?  If an application can be dynamically provisioned anywhere in the fabric, consistency of the platform is critical.

I hate to get all "Star Trek II: The Wrath of Khan" on you, but as Spock said, "The needs of the many outweigh the needs of the few."  How, when and if a provider might roll a patch has a broad impact across the entire customer base -- as it has had in the hosting markets for years -- but again the types of applications we are talking about here are far different than what we're used to today, where the applications and the infrastructure are inextricably joined at the hip.

Hosting/SaaS providers today can scale because of one thing: standardization.  Certainly COTS applications can be easily built on standardized tiered models for compute, storage and networking, but again, we're being told that enterprises will move all their applications to the cloud, and that includes bespoke creations. 

If that's not the case, and we end up with still having to host some apps internally and some apps in the cloud, we've gained nothing because we won't be able to eliminate the infrastructure needed to support either.

What about it?  Do you see cloud computing as just an extension of SaaS and hosting of today?  Do you see dramatically different issues arise based upon the types of information and applications that are being described in this model?  We've seen issues such as data ownership, privacy and portability bubble up, but these are much more basic operational questions.

This is obviously a loaded set of questions for which I have much to say -- some of which is obvious -- but I'd like to start a discussion, not a rant.

/Hoff

*This little ditty was inspired by a Twitter exchange with Bob Rudis who was complaining that Amazon's EC2 service did not have the MS08-067 patch built into the AMI...Check out this forum entry from Amazon, however, as it's rather apropos regarding the very subject of this blog...

Insecurity Theatre [Emergent Chaos]

Posted: 25 Oct 2008 03:56 PM CDT

[Image: viva viagra rocket.jpg]
"It's been in the back of my mind since you first came in: How do you get the missile on the trailer into Manhattan?" federal Judge William Pauley III asked.

Sachs, from West Babylon, said cops just laughed as he passed through the Queens Midtown Tunnel on his way into the city Sept. 8.

Sachs also claimed he drove his "missile" through the Lincoln Tunnel five times, and was only stopped twice.

"They checked license and registration, but not the missile," he said.

"You're telling me that when you drove up to the Lincoln Tunnel -" Pauley said.

"They saluted," said Sachs, who is representing himself in court.

So reports the New York Post, "Security Lapse Let in Naughty Fake Rocket."

I was going to comment, but I think I'll just salute.

A security lesson from the Joe the Plumber snooper [SOURCE Conference Blog]

Posted: 25 Oct 2008 03:22 PM CDT

First we had the Gov. Palin Yahoo email break-in to teach us the vulnerabilities of weak password reset schemes. Now we have a Joe the Plumber government records snooper teaching us about proper computer account management.

The Columbus Dispatch is reporting that a state employee with access to a “test account” has been accessing Joe the Plumber’s government records:

“We’re trying to pinpoint where it came from,” she said. The investigation could become “criminal in nature,” she said. Brindisi would not identify the account that pulled the information on Oct. 16.

Records show it was a “test account” assigned to the information technology section of the attorney general’s office, said Department of Public Safety spokesman Thomas Hunter.

Brindisi later said investigators have confirmed that Wurzelbacher’s information was not accessed within the attorney general’s office. She declined to provide details. The office’s test accounts are shared with and used by other law enforcement-related agencies, she said.

Security best practices require that test accounts be removed before a system is put into production and loaded with real data. Otherwise there is no accountability to any one individual. Shared accounts such as test accounts are frequently abused so that the snooper can get away undetected. The investigation should look at what other data has been snooped on using this test account. Perhaps this has been going on for a long time and no one noticed.

It is still likely that the perpetrator can be tracked down if he or she accessed the data from an internal system and the records application logged the IP address that connected to it. Even if the IP address doesn’t connect back to an individual’s computer but to a shared machine, the search will have been narrowed down greatly.
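As an added example (not from the original post), the Python below runs the two investigative questions raised here over audit-log lines from the records application: what else the shared test account touched, and which source addresses map back to an attributable machine. The log format, account names, addresses and the asset inventory are all constructed for the example.

```python
import re
from collections import Counter
from typing import Any, Dict, List

# One line per records-application request (constructed format; real systems differ).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) subject=(?P<subject>\S+)$"
)

# Accounts that should have been removed before production (constructed names).
SHARED_ACCOUNTS = {"test_ag_it"}

# Constructed asset inventory: which machine sits behind each IP and whether it is
# a single-user workstation or a shared machine.
IP_INVENTORY = {
    "10.20.30.41": {"host": "kiosk-02", "shared": True},
    "10.20.30.57": {"host": "jdoe-ws", "shared": False},
}

# Constructed sample log (five requests, two accounts, three source addresses).
SAMPLE_LOG = """\
2008-10-15T16:22:19 account=test_ag_it src=10.20.30.88 action=lookup subject=REC-3330
2008-10-16T09:12:03 account=jdoe src=10.20.30.57 action=lookup subject=REC-1001
2008-10-16T09:40:51 account=test_ag_it src=10.20.30.41 action=lookup subject=REC-2001
2008-10-16T09:41:07 account=test_ag_it src=10.20.30.41 action=lookup subject=REC-2001
2008-10-16T11:05:44 account=test_ag_it src=10.20.30.57 action=lookup subject=REC-2001
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def shared_account_activity(events, shared_accounts=SHARED_ACCOUNTS) -> Dict[str, Dict[str, Any]]:
    """Everything done under shared/test accounts: sources, subjects touched, time span.

    This is the 'what else was snooped on' question: a shared account has no
    individual owner, so every request it made needs review, not just the one reported.
    """
    out: Dict[str, Dict[str, Any]] = {}
    for e in events:
        if e["account"] not in shared_accounts:
            continue
        rec = out.setdefault(e["account"], {"sources": Counter(), "subjects": set(),
                                             "first_seen": e["ts"], "last_seen": e["ts"]})
        rec["sources"][e["src"]] += 1
        rec["subjects"].add(e["subject"])
        rec["first_seen"] = min(rec["first_seen"], e["ts"])  # ISO timestamps sort as text
        rec["last_seen"] = max(rec["last_seen"], e["ts"])
    return out


def suspects_for(events, subject: str, shared_accounts=SHARED_ACCOUNTS,
                 inventory=IP_INVENTORY) -> List[Dict[str, Any]]:
    """Source addresses that pulled `subject` via a shared account, most active first.

    An address that maps to a single-user workstation attributes the access to a
    person; a shared or unknown machine only narrows the search.
    """
    hits = Counter(e["src"] for e in events
                   if e["subject"] == subject and e["account"] in shared_accounts)
    result = []
    for src, count in sorted(hits.items(), key=lambda kv: (-kv[1], kv[0])):
        info = inventory.get(src)
        result.append({
            "src": src,
            "count": count,
            "host": info["host"] if info else None,
            "attributable": bool(info) and not info["shared"],
        })
    return result
```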

Here they come! [Security Circus]

Posted: 25 Oct 2008 12:47 PM CDT

As I (and not just I...) predicted yesterday, here are the first two trojans abusing the new MS vuln: Spy-Agent.da as well as Gimmiv.a

Of course, exploit details are already available, so making a viable trojan is now just a game.

The sleepy summit in China... :) [Security Circus]

Posted: 25 Oct 2008 12:06 PM CDT

The sleepy summit in China... :)

Tim Callan at Net.Finance East [Tim Callan's SSL Blog]

Posted: 25 Oct 2008 11:57 AM CDT

If you're going to Net.Finance East this coming week, make sure you arrive on time on the first day. That's because I'm giving the second keynote. I'll go over proven techniques to increase consumer confidence in your site and how those techniques are known to increase customers' likelihood to do business online. Make sure you come up and talk to me afterward. I'll also be in attendance for the entire two days, so you can catch me in the sessions or on the show floor as well.

PaulDotCom Security Weekly - Episode 127 Part II - October 23, 2008 [PaulDotCom]

Posted: 25 Oct 2008 11:51 AM CDT

Larry does a tech segment, and we discuss the stories for the week.

Again, apologies for the sound quality.

  • Sponsored by Core Security, listen for the new customer discount code at the end of the show
  • Sponsored by Astaro, download a free trial of the Astaro Security gateway today!
  • Sponsored by Tenable Network Security, creators of Nessus and makers of the Tenable Security Center, software that extends the power of Nessus through sophisticated reporting, remediation workflow, IDS event correlation and much more.
  • Want to register for any SANS conference? Please visit http://www.pauldotcom.com/sans/ for our referral program
  • Be sure to check out "Maltego" from Paterva, try the community edition for free!
  • Don't forget to sign up for our Mailing List, Forums, and log into our IRC Channel!
  • Full Show Notes

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

PaulDotCom Security Weekly - Episode 127 Part I - October 23, 2008 [PaulDotCom]

Posted: 25 Oct 2008 11:49 AM CDT

We are joined by two special guests, Larry does a tech segment, and we discuss the stories for the week.

I do apologize for the sound quality, we are still working some of the kinks out of our new system. We will be replacing the recording laptop for next week, which seems to have been the cause of the background noise.

  • Sponsored by Core Security, listen for the new customer discount code at the end of the show
  • Sponsored by Astaro, download a free trial of the Astaro Security gateway today!
  • Sponsored by Tenable Network Security, creators of Nessus and makers of the Tenable Security Center, software that extends the power of Nessus through sophisticated reporting, remediation workflow, IDS event correlation and much more.
  • Want to register for any SANS conference? Please visit http://www.pauldotcom.com/sans/ for our referral program
  • Be sure to check out "Maltego" from Paterva, try the community edition for free!
  • Don't forget to sign up for our Mailing List, Forums, and log into our IRC Channel!
  • Full Show Notes

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian

Email: psw@pauldotcom.com

Direct Audio Download

Here they come! [Security Circus]

Posted: 25 Oct 2008 11:24 AM CDT

As I predicted yesterday, here's a nasty trojan that exploits the hole behind MS's out-of-cycle emergency patch... forerunner of the botnets-to-come. It's called Gimmiv.A or Spy-Agent.da, and it looks like a worm-in-the-making.

For now it "just" steals information and posts it remotely.

Some exploit code also appeared on Milw0rm, it doesn't yet make the exploit a piece of cake, but I wouldn't rely on the exploit unreliability to defend our networks.

Once again, people, patch.

US Military Wants Packs Of Robots To Hunt Humans [Liquidmatrix Security Digest]

Posted: 25 Oct 2008 07:35 AM CDT

Well, to hunt down the bad kind or “uncooperative” ones anyway. This has a weird humour element as it manages to conjure an image of Bender calling to “kill all humans”.

From New Scientist:

The latest request from the Pentagon jars the senses. At least, it did mine. They are looking for contractors to provide a “Multi-Robot Pursuit System” that will let packs of robots “search for and detect a non-cooperative human”.

One thing that really bugs defence chiefs is having their troops diverted from other duties to control robots. So having a pack of them controlled by one person makes logistical sense. But I’m concerned about where this technology will end up.

So, the author is concerned where this tech could end up?

The US military wants a droid army. What could possibly go wrong?

Oh, riiight.

For the full article read on.

Article Link

Creating 64-bit Applications with VS2008 Express [From a malicious attacker]

Posted: 25 Oct 2008 07:00 AM CDT

This post provides step by step instructions on how to create 64-bit applications using Visual C++ 2008 Express Edition. There are a large number of related posts on forums and other venues, but these don't really boil things down.

Step 0: Install VS 2008 Express
Download and install Visual C++ 2008 Express Edition.

Step 1: Install Platform SDK
Install the appropriate Platform SDK. For example, if you run Vista, install the Vista Platform SDK. This package will contain IA64 versions of the VC tool chain.

Step 2: Launch Platform SDK Command Line
Launch a Platform SDK command shell by clicking Start -> Microsoft Windows SDK -> CMD Shell. Note that I typed 'cl' in the command prompt and got back information indicating that this version of cl targets x64.

Step 3: Launch VC Express From Command Line
Launch VCExpress from the Platform SDK command shell like this:
cd C:\Program Files (x86)\Microsoft Visual Studio 9.0\Common7\IDE
VCExpress.exe /useenv
The location of your VCExpress.exe may be different. After entering the command, Visual C++ Express should pop up. Most of the work is done at this point; there are just a few project configuration tweaks to make.

Step 4: Verify Environment Paths
Verify that the VC++ paths are correct by going to Tools -> Options -> Projects & Solutions -> VC++ Directories. Your settings should resemble those shown in the screenshots below.

Note that the executable paths include the x64 tool chains.

Include paths are shown to the left and library paths shown below on the right.
Step 5: Configuration Tweaks
Once you've verified that the paths are set up correctly, it's time to make a few small changes. Change the target machine to x64 as shown below. These changes have to be made per project, so open up a project you'd like to build targeting x64. In my case, I just created a dummy application using a Win32 template.

Open the properties page of the project (right click the project in the browser bar on the left and click Properties). You should see something like the screenshot below.

Next, verify that Debug Information Format is set to Zi, as shown below.

Finally, ensure that Register Output is set to "No" as shown below.

You should be all set now! Build the solution and see for yourself.
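An added check, not part of the original post: this Python script inspects the PATH/INCLUDE/LIB values that VCExpress /useenv inherits from the shell it is launched from, and parses the cl banner from Step 2, so you can confirm the x64 tool chain comes first before launching the IDE. The directory layouts and banner strings are constructed samples standing in for the SDK shell versus a plain command prompt; adjust the marker strings for your own installation.

```python
import re
from typing import Any, Dict, List, Optional

# Directory-name fragments that mark a 64-bit tool chain directory.
# Assumption: the usual SDK / VC++ 2008 layout (bin\x64, lib\x64, bin\amd64).
X64_MARKERS = ("x64", "amd64")
# Substrings that identify a VC++ / Windows SDK directory (assumption, see above).
TOOLCHAIN_MARKERS = ("microsoft visual studio", "microsoft sdks", "windows sdk")

# Constructed samples of what the two shells export (illustrative paths only).
SDK_SHELL_ENV = {
    "PATH": r"C:\Program Files\Microsoft SDKs\Windows\v6.1\Bin\x64;C:\Windows\system32",
    "INCLUDE": r"C:\Program Files\Microsoft SDKs\Windows\v6.1\Include",
    "LIB": r"C:\Program Files\Microsoft SDKs\Windows\v6.1\Lib\x64",
}
PLAIN_SHELL_ENV = {
    "PATH": r"C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\bin;C:\Windows\system32",
    "INCLUDE": r"C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\include",
    "LIB": r"C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\lib",
}
# Constructed banners in the shape cl.exe prints on its first line.
X64_CL_BANNER = "Microsoft (R) C/C++ Optimizing Compiler Version 15.00.00000.00 for x64\n"
X86_CL_BANNER = "Microsoft (R) C/C++ Optimizing Compiler Version 15.00.00000.00 for 80x86\n"


def split_env_list(value: str) -> List[str]:
    """Split a PATH/INCLUDE/LIB value on ';' and drop empty entries."""
    return [p.strip() for p in value.split(";") if p.strip()]


def is_x64_dir(path: str) -> bool:
    """True if any path segment names a 64-bit tool chain directory."""
    segments = [s.lower() for s in re.split(r"[\\/]+", path)]
    return any(marker in seg for seg in segments for marker in X64_MARKERS)


def first_toolchain_dir(value: str) -> Optional[str]:
    """The first VC++/SDK entry in the list: the one cl.exe/link.exe resolve to."""
    for p in split_env_list(value):
        if any(m in p.lower() for m in TOOLCHAIN_MARKERS):
            return p
    return None


def cl_target_from_banner(banner: str) -> Optional[str]:
    """Parse the target architecture from cl's first banner line ('... for x64')."""
    lines = banner.strip().splitlines()
    if not lines:
        return None
    m = re.search(r"\bfor\s+(\S+)\s*$", lines[0])
    return m.group(1) if m else None


def check_useenv_environment(env: Dict[str, str], cl_banner: str) -> Dict[str, Any]:
    """Report what VCExpress /useenv would inherit and whether it targets x64."""
    report: Dict[str, Any] = {}
    for var in ("PATH", "INCLUDE", "LIB"):
        first = first_toolchain_dir(env.get(var, ""))
        report[var] = {"first_toolchain_dir": first,
                       "x64": bool(first and is_x64_dir(first))}
    report["cl_target"] = cl_target_from_banner(cl_banner)
    # INCLUDE is architecture-neutral (same headers); PATH and LIB decide the target.
    report["ok"] = (report["cl_target"] == "x64"
                    and report["PATH"]["x64"] and report["LIB"]["x64"])
    return report
```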

Security Flaw In T-Mobile’s Google Phone [Liquidmatrix Security Digest]

Posted: 24 Oct 2008 09:08 PM CDT

Well, that certainly didn’t take very long now did it?

From NY Times:

Charles A. Miller, notified Google of the flaw this week and said he was publicizing it now because he believed that cellphone users were not generally aware that increasingly sophisticated smartphones faced the same threats that plague Internet-connected personal computers.

Mr. Miller, a former National Security Agency computer security specialist, said the flaw could be exploited by an attacker who might trick a G1 user into visiting a booby-trapped Web site.

Tricking a user into surfing an infected site? Nevah.

The risk in the Google design, according to Mr. Miller, who is a principal security analyst at Independent Security Evaluators in Baltimore, lies in the danger from within the Web browser partition in the phone. It would be possible, for example, for an intruder to install software that would capture keystrokes entered by the user when surfing to other Web sites. That would make it possible to steal identity information or passwords.

I guess we can safely say that, yes, that would be unpleasant.

Article Link

UPDATE: Well, I posted this just yesterday and now it appears that there are serious problems with T-Mobile’s G1 mobile email service. They are actively working to address the issue.

Reader contributions of SSL haiku [Tim Callan's SSL Blog]

Posted: 24 Oct 2008 08:00 PM CDT

Longtime readers of The SSL Blog will remember that in the past I have published haiku about SSL, including a haiku about EV SSL.

Apparently I'm not the only one. Reader Troy Kitch offers this gem:

I found a green bar

I say, it was pretty perfect

EV SSL

Reader Patricia Damron shared this haiku with me, complete with her own personal philosophy on security:

Worthy engineers

Encrypting everything Net

Nothing is secure

Friday Update: It’s 0day Week! [securosis.com]

Posted: 24 Oct 2008 06:06 PM CDT

Holy 0day Batman!
What started as a quiet week definitely got a little more interesting yesterday as Microsoft released an out-of-band patch for a critical vulnerability affecting most versions of Windows. It’s been a while since MS had to push out an emergency fix like this, and boy was it a wacky vulnerability. For those of you who haven’t kept up on it, it is a flaw in the RPC service that allows remote code execution without authentication. What’s really interesting is that this flaw is in a part of the code base that was patched already for a very similar problem.
What’s even more interesting is that this was discovered due to active exploits in the wild. I’ve been known to be a little persnickety about definitions, and I’ve never liked that we call all unpatched vulnerabilities zero-days. In my book, a true 0day is a vulnerability that is being actively exploited but we don’t know about it. The bad guys have information we don’t and are using it against us. When the details are public, but no patch is available, I just consider that an unpatched vulnerability. But who am I to say; I still consider hackers good guys.

On a totally different note, I think I found a minor security flaw in the RSA Conference session submission system. It appears that if you submit a session and add a speaker, you can overwrite some of the attributes of that speaker if they are already in the system. Minor, but annoying since I was submitted for something like 10 sessions and part of my bio kept changing while I was submitting my own stuff.
On that note, it’s time to head off and start decorating for our annual Evilsquirrel Halloween Party. We have about 13 tubs of decorations we’ve collected since my old roommates and I started holding parties around 1995 or so. I even have homemade animatronics I built using microcontrollers and other geeky stuff.
Yeah, I fear for my impending children too, but the neighborhood kids love us. At least the ones who don’t pee themselves when the motion sensor kicks off.

Webcasts, Podcasts, and Conferences:

Favorite Securosis Posts:

  • Rich: Your Simple Guide to Endpoint Encryption. I’ve been writing a lot about market issues lately, and I really enjoy it when I can give out practical advice.
  • Adrian: WAF vs. Secure Code vs. Dead Fish. Look folks, we’re far too polarized politically in this country to fight out over which of these things solves our problem better, when both are equally good and bad.

Favorite Outside Posts:

  • Adrian: Rsnake captures the everyman experience and puts the fun back into Internet browsing. I mean, can’t we all just get along?
  • Rich: Andy reminds us what it’s like to work in the real world. Researchers, analysts, and vendors often forget what it’s like to be in the trenches, even though most of us have been there. I think it’s refreshing to read about Andy’s pain. Er… maybe that wasn’t the best way to say that.

Top News:

Blog Comment of the Week:
Windexh8er’s comment on the Microsoft vulnerability post:
So even though this sort of thing is less common as SDLs mature further (honestly Microsoft is doing a much better job in this space — but legacy code that's in the OS is still there). This just goes back to the position wherein do corporations really need client side processing? Some may have valid reasoning (i.e. graphics / architecture / modeling / etc), but for the majority of the end users out there in corporate America they really don't need a fully functional end system. In a Microsoft environment I'd like to see the next iteration of OS go to stripped down systems like you can leverage in Server2k8 — obviously most "work" today from a variety of different locations and the laptop has overwhelmingly displaced the standard desktop workstation for day to day business. With that respect the standard installation should be minimalistic at best. Stripped stack, host based filtering (in and out), no user rights with the exception of approved applications and then strictly managed socket / protocol connections to approved devices. Give them what they need through established connections. At that rate client processing goes way down and visibility and control sky rockets. It's far too much for any given internal IT / IS departments to manage numerous deployed apps and multiple desktop configurations in the state business as usual is running today. Everyone I know has a corporate laptop (these are big businesses right) but all of these users can pretty much all connect to outside networks and do casual computing — even if it's restricted, it's still wide open enough to let the user infect themselves unknowingly. I'd love to do a formal PoC, like this, with one of my large clients. Cost savings alone over the course of 5 years after implementation would be reason enough to justify a path like this. I realize it's nothing ground breaking, but the design and architecture down to the n-th degree would make it truly stand out as unique and original in today's networks.

-Rich

Arista Networks: Cloud Networking? [Rational Survivability]

Posted: 24 Oct 2008 05:32 PM CDT

Arista Networks is a company stocked with executives whose pedigrees read like the who's-who of the networking metaverse. The CEO of Arista is none other than Jayshree Ullal, the former Senior Vice President at Cisco responsible for their Data Center, Switching and Services business, and Andreas von Bechtolsheim from Sun/Granite/Cisco serves as Chief Development Officer and Chairman.

I set about to understand what business Arista is in and what problems they aim to solve, given their catchy (kitschy?) tagline of Cloud Networking™.

Arista makes 10GE switches running a Linux-based OS they call EOS, which provides high-performance networking.

The EOS features a "...multi-process state sharing architecture that completely separates networking state from the processing itself. This enables fault recovery and incremental software updates on a fine-grain process basis without affecting the state of the system."

I read through the definition/criteria that describes Arista's Cloud Networking value proposition: scalability, low latency, guaranteed delivery, extensible management and self-healing resiliency.

These seem like a reasonable set of assertions but I don't see much of a difference between these requirements and the transformative requirements of internal enterprise networks today, especially with the adoption of virtualization and real time infrastructure. 

Pawing through their Cloud Networking Q&A, I was struck by the fact that the fundamental assumptions Arista makes about the definition of Cloud Computing are very myopic and really seem to echo the immaturity of the definition of the "cloud" TODAY, based upon the industry bellwethers being offered up as examples of leaders in the "cloud" space.

Let's take a look at a couple of points that make me scratch my head:

Q1: What is Cloud Computing?
A1: Cloud Computing is hosting applications and data in large centralized datacenters and accessing them from anywhere on the web, including wireless and mobile devices. Typically the applications and data are distributed to make them scalable and fault tolerant. This has been pioneered by applications such as Google Apps and Salesforce.com, but by now there are hundreds of services and applications that are available over the net, including platform services such as Amazon Elastic Cloud and Simple Storage Service.

That's a very narrow definition of cloud computing and seems to be rooted in examples of large, centrally-hosted providers today such as those quoted. This definition seems to be at odds with other cloud computing providers such as 3tera and others who rely on distributed computing resources that may or may not be centrally located.

Q4: Is Enterprise Cloud Computing the same as Server Virtualization?
A4: They are not. Server Virtualization means running multiple virtualized operating systems on a single physical server using a Hypervisor, such as VMware, HyperV, or KVM/XVM. Cloud computing is delivering scalable applications that run on a remote pool of servers and are available to users from anywhere. Basically all cloud computing applications today run directly on a physical server without the use of virtualization or Hypervisors. However, virtualization is a great building block for enterprise cloud computing environments that use dynamic resource allocation across a pool of servers.

While I don't disagree that consolidation through server virtualization is not the same thing as cloud computing, the statement that "basically all cloud computing applications today run directly on a physical server without the use of virtualization or Hypervisors" is simply untrue.

Q5: What is Cloud Networking?
A5: Cloud Networking is the networking infrastructure required to support cloud computing, which requires fundamental improvement in network scalability, reliability, and latency beyond what traditional enterprise networks have offered. In each of these dimensions the needs of a cloud computing network are at least an order of magnitude greater than for traditional enterprise networks.

I don't see how that assertion has been formulated or substantiated.

I'm puzzled when I look at Arista's assertion that existing and emerging networking solutions from the likes of Cisco are not capable of providing these capabilities, while they simultaneously seem to shrug off the convergence of storage and networking. Perhaps they simply plan on supporting FCoE over 10GE to deal with this?

Further, ignoring the (initial) tighter coupling of networking with virtualization to become more virtualization-aware, as we see from the Cisco/VMware partnership delivering VN-Link and the Nexus 1000v, leaves me shaking my head in bewilderment.

Further, with the oft-cited example of Amazon's cloud model as a reference case for Arista, they seem to ignore the fact that EC2 is based upon Xen and is now offering both virtualized Linux and Windows VM support for their application stack.

It's unclear to me what problem they solve that distinguishes them from entrenched competitors/market leaders in the networking space, unless the entire value proposition really hinges on lower cost. Further, I couldn't find much information on who funded Arista (besides the angel round from von Bechtolsheim), and I can't help but wonder if this is another Cisco "spin-in" that is actually underwritten by the Jolly Green Networking Giant.

If you've got any useful G2 on Arista (or you're from Arista and want to chat), please do drop me a line...

/Hoff

EFF Offers NSA Spoof T-Shirts [Liquidmatrix Security Digest]

Posted: 24 Oct 2008 05:03 PM CDT

This is a rather funny capper to a long week. The EFF, in a bid to raise donations, has made t-shirts with their spoof of the National Security Agency's logo on them. Very amusing.

From EFF:

A few weeks back, we produced a new graphic to accompany our new case against the government, Jewel v. NSA, challenging the Bush administration’s illegal spying program. The graphic is a retooling of the NSA’s logo, featuring a glowering eagle using his talons to illegally plug into the nation’s telecommunications system — with the help of telecom giant AT&T.

This is available for a donation of $65 or more. Very cool shirt and the money helps to fund a great cause.

Article Link

Will You All Please Shut-Up About Securing THE Cloud...NO SUCH THING... [Rational Survivability]

Posted: 24 Oct 2008 04:02 PM CDT

How'd ya like this picture of "THE Cloud..."

This love affair with abusing the amorphous thing called "THE Cloud" is rapidly approaching meteoric levels of asininity. In an absolute fit of angst I make the following comments:

  1. There is no singularity that can be described as "THE Cloud." There are many clouds; they're not federated, they don't natively interoperate at the application layer, and they're all mostly proprietary in their platform and operation. They're also not all "public" and most don't exchange data in any form. The notion that we're all running out to put our content and apps in some common repository on someone else's infrastructure (or will) is bullshit. Can we stop selling this lemon already?

    Yay!  More people have realized that outsourcing operations and reducing both OpEx and CapEx by using shared infrastructure makes sense.  They also seem to have just discovered it has some real thorny issues, too.  Welcome to the 90's. Bully!

    Just like there are many types of real billowing humid masses (cumulonimbus, fibratus, undulatus, etc.) there are many instantiations of resource-based computing models that float about in use today -- mobile.me, SalesForce.com, Clean Pipes from ISP's, Google/Google Apps, Amazon EC2, WebEx -- all "cloud" services.  The only thing they have in common is they speak a dialect called IP...
     
  2. The current fad of butchering the term "Cloud Computing" to bring sexy back to the *aaS (anything as a service) model is embarrassing.  More embarrassing is the fact that I agree with Larry Ellison wherein he stated:

    "The interesting thing about cloud computing is that we've redefined cloud computing to include everything that we already do. I can't think of anything that isn't cloud computing with all of these announcements. The computer industry is the only industry that is more fashion-driven than women's fashion. Maybe I'm an idiot, but I have no idea what anyone is talking about. What is it? It's complete gibberish. It's insane. When is this idiocy going to stop?"

    A-Freaking-Men.
     
  3. It ain't new, folks. Suggesting that this is a never-before-seen paradigm that we've not faced prior and that requires "new" thinking as to privacy, trust models, security as a service layer and service levels ignores the fact that the *aaS model is something we've been grappling with for years and haven't answered. See #2. I mean really. I've personally been directly involved with cloud models since the early 90's. The fact that it's become (again) an economically attractive and technologically viable option doesn't make it new; it makes it convenient and marketable.
     
  4. Infrastructure Gorillas are clouding the issue by suggesting their technology represents THE virtual datacenter OS. Microsoft, Citrix, VMware, Cisco. They all say the same thing using different words, each of them claiming ownership of the platform/OS upon which "THE cloud" will operate. Not one of them has a consistent model for securing their own vDCOS, so don't start on how we're going to secure "IT."

    (Ed: In fairness just so nobody feels left out, I should also add that the IaaS (Infrastructure as a service)/integrator gorillas such as IBM and HP are also in the mix -- each with their own flavor of service differentiation sprinkled on top.)

If you thought virtualization and its attendant buzzwords, issues and spin were egregious, this billowy mass of marketing hysteria is enough to make me...blog ;)

C'mon, people. Don't give into the generalist hype.  Cloud computing is real.  "THE Cloud?"  Not so much.

/Hoff

(I don't know what it was about this article that just set this little rant off, but well done Mr. Moyle)

Oracle APEX Vulnerability Comment [securosis.com]

Posted: 24 Oct 2008 11:45 AM CDT

I was asked about the recent post by Pete Finnigan regarding the APEX vulnerability that he discovered, which was part of the recent Oracle CPU and which Pete elaborated upon in a recent post. Pete is one of the best in the business at Oracle security, so when he lists something as a vulnerability, people usually react. The question was why I had recommended applying the new Oracle CPU under normal patch cycles when this looked like a reasonably serious vulnerability. Why wait? You don't need to wait, but if you are vulnerable to this attack, you probably have bigger issues that should have been addressed already. Specifically:

  • Don’t leave development tools and accounts/environments on production databases, especially those that serve web content.
  • Don’t leave development schemas and associated users/grants/roles on production database servers. This just increases complexity and potentially-overlooked security holes.
  • Occasionally run checks for weak passwords. There are free tools available for most of the common database platforms like Oracle Password Checker, SQL Ping, Scuba, and others (just be careful where you download them); there are vendors that offer this for sale as part of their assessment suite (Fortinet, Application Security); or you can write your own. Some look for a small subset of known default passwords, so I recommend using one where you can edit the dictionary as you see fit.
  • At least a couple of times a year, review the database accounts for accounts that should not be there, or accounts with execute privileges that should not have them. Once again, I believe there are free tools, vendor tools, and scripts available from database user groups that can accomplish this task and can be customized to suit your needs.
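One way to turn the last two checks above into a repeatable review, as an added example that is not from the Securosis post or from Oracle: a script against standard Oracle data-dictionary views. The APEX schema-name patterns, the approved-account list and the package list are assumptions to adjust for your own environment.

```sql
-- Added example (not from the Securosis post): account and privilege review
-- for the checks listed above. Run as a DBA; views used are DBA_USERS,
-- DBA_TAB_PRIVS and DBA_USERS_WITH_DEFPWD (the last exists in 11g and later;
-- skip query 2 on 10g).

-- 1. Development schemas left on a production server.
--    Assumption: APEX installs into schemas named APEX_nnnnnn
--    (older releases: FLOWS_nnnnnn).
SELECT username, account_status, created
  FROM dba_users
 WHERE username LIKE 'APEX\_%'  ESCAPE '\'
    OR username LIKE 'FLOWS\_%' ESCAPE '\'
 ORDER BY username;

-- 2. Open accounts still using a vendor default password (11g+).
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status NOT LIKE '%LOCKED%'
 ORDER BY d.username;

-- 3. Accounts that should not be there: open accounts not on the approved
--    inventory. The IN list below is a placeholder for your own inventory.
SELECT username, account_status, profile
  FROM dba_users
 WHERE account_status = 'OPEN'
   AND username NOT IN ('SYS', 'SYSTEM', 'APP_OWNER_PLACEHOLDER')
 ORDER BY username;

-- 4. EXECUTE grants on SYS packages that reach outside the database
--    (network, file system, job scheduling), including grants to PUBLIC.
--    Each grantee listed should be justified or the grant revoked.
SELECT p.grantee, p.table_name AS package_name, p.grantor
  FROM dba_tab_privs p
 WHERE p.privilege = 'EXECUTE'
   AND p.owner = 'SYS'
   AND p.table_name IN ('UTL_HTTP', 'UTL_TCP', 'UTL_SMTP', 'UTL_FILE',
                        'DBMS_SCHEDULER', 'DBMS_JOB')
   AND p.grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY p.table_name, p.grantee;
```

A grantee of PUBLIC in query 4 means every account on the instance holds that privilege, which is usually the first finding to act on.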

APEX is a handy development tool, but if you are a DBA or a security professional, reading Oracle’s description should make the hair on the back of your neck stand up: “APEX is operated from a web browser and allows people with limited programming experience to develop professional applications.” A powerful tool in the hands of inexperienced programmers sounds like handing out loaded guns. Patch if you think you are susceptible to this vulnerability, but for self-preservation, run some assessments to catch this class of vulnerability and not just this issue.

-Adrian

Fake Fish and Security [Emergent Chaos]

Posted: 24 Oct 2008 11:04 AM CDT

There was a very interesting article in the New York Times, "Fish Tale has DNA Hook," in which two high school students used DNA testing to discover that nearly 1/4 of the sushi they tested and identified was mislabeled. The article only identifies one of the vendors:
Dr. Stoeckle was willing to divulge the name of one fish market whose products were accurately labeled in the test: Leonards’ Seafood and Prime Meats on Third Avenue. John Leonard, the owner, said he was not surprised to find that his products passed the bar code test. “We go down and pick the fish out ourselves,” he said. “We know what we’re doing.” As for the technology, Mr. Leonard said, “it’s good for the public,” since “it would probably keep restaurateurs and owners of markets more on their toes.”
I was amused by this, but Robin Hanson had an interesting comment:
This is a huge fraud rate. Will diners continue to tolerate it? Probably, yes - I suspect diners care more about affiliating with impressive cooks and fellow diners than they do that fish is correctly labeled.
I think that there's a related phenomenon in software security. It's hard to accurately identify secure or insecure software. It's usually easier to look at other elements of what makes a program useful. Which makes for a very fishy market.

Photo: "Dinner at Masa: O! Fishy fishy fishy fish" by mobil'homme.
