Monday, October 27, 2008

Spliced feed for Security Bloggers Network

Morning morning blues and rants... [Malta Info Security]

Posted: 27 Oct 2008 11:15 AM CDT

Another week, yet another Monday as exams draw in closer.

This morning my thin client (Epatec/ebox 3850 w/Debian) has shown me the hand all of a sudden and refuses to power on. My Linksys router (WRT54GL with DD-WRT v24 SP2 Eko 10600) also seems to be playing up. Every so often whilst streaming from my Dreambox (500S) connected over a WPA_WDS connection I would suddenly get disconnected!?!?! Disabling the WiFi adapter and re-enabling it kinda gets me to reconnect, but it's d**n frustrating when it happens during the best part of a film you're really into. (Wife hates it too and gives me bad looks.)

Nevertheless - yes - I've spent several hours researching, troubleshooting and tweaking to no avail :-( Curiously it is not a case of WiFi drivers on my netbook (EeePC 901) playing up -- as even my NokiaN95 seems to disconnect right at the same time my netbook got disconnected. I really don't feel like reverting to the original Linksys firmware -- so we'll wait and see... patience is a virtue (or so they say)

On to something more positive this morning ... everybody likes lists - especially top 10 lists. This morning I encountered an article which talks about the coolest security jobs. Well, I come in ranking @ number 7 and number 1, seeing that I also teach Computer Forensics for the NCC Advanced Diploma course :-) ... Not bad! -- according to a survey conducted by the SANS Institute.

Here is a summary of the list according to SANS:

1. Information security crime investigator/forensics expert.
2. System, network and/or Web penetration tester.
3. Forensics analyst
4. (Tie) Incident response, incident handler
4. (Tie) Security architect
6. Vulnerability researcher
7. (Tie) Network security engineer
7. (Tie) Security analyst
7. (Tie) Sworn law enforcement officer specializing in information security crime
10. (Tie) CISO/ISO or director of security
10. (Tie) Application penetration tester

The top-ranking "coolest" IT security jobs according to non-government security employees:

1. (Tie) System, Network, and/or Web penetration tester
1. (Tie) Information security crime investigator/forensics expert
3. Forensics analyst
4. Vulnerability researcher
5. Application penetration tester
6. Security architect
7. CISO/ISO or director of security
8. (Tie) Incident response, incident handler
8. (Tie) Sworn law enforcement officer specializing in information security crime
10. Security evangelist

Catch the full article here...

Richard Bejtlich gave 5 stars to: OSSEC Host-Based Intrusion Detection Guide [Andrew Hay]

Posted: 27 Oct 2008 06:33 AM CDT

Let’s just say that I was pleasantly surprised this morning when I read Richard Bejtlich’s 5 star review of the OSSEC Host-Based Intrusion Detection Guide (review is here). Richard is known to be quite vocal when he doesn’t like a particular book and it sounded like he had a very hard time finding things wrong with our book.

I especially like his comment on his blog about how addictive the OSSEC WUI is. He’s right. I too hit refresh constantly to see what new logs have arrived :)

I know that lots of people base the purchase of their next book based on Richard’s reviews and Daniel, Rory, and I do appreciate the honest and positive review. Thanks Richard, you’ve made my week!

At RSA Europe 2008 - Talks of interest [EnableSecurity]

Posted: 27 Oct 2008 05:39 AM CDT

Currently at RSA Europe in London and the Keynote is about to start. While we’re being given a Discovery Channel styled lecture on Alan Turing, I’ve been marking the sessions that have a potential of being interesting. Marked the following:

  • Security Remodelling - Benjamin Jun
  • Locking the Back Door: New Backdoor Threats in Application Security by Chris Wysopal
  • A dialogue with ENISA
  • VoIP Threats and Countermeasures by David Endler (conflicts with the talk by Chris Wysopal)
  • Evolving threat landscape: Do we have to trade off browser functionality for security and privacy? Craig Spiezle (Microsoft)
  • Security Testing in Web 2.0 World by Billy Hoffman
  • SQL Smuggling by Avi Douglen
  • Regular expressions as a basis for Security Products are dead by Steve Moyle
  • Blinded by Flash: Widespread security risks flash developers don’t see by Prajakta Jagdale
  • Mobile Banking and Identity Theft: Can your phone protect your identity? Patrick Bedwell

Then there’s quite a few “special interest groups” that look intriguing as well.

Meanwhile Arthur W. Coviello of RSA is talking about why the way we do security fails, and suggesting a better approach. Talk about Information Risk Management Strategy, and picking on regulations and compliance.

I’ll be posting live updates on If any visitors are around, feel free to send me a msg.


Download: H1 2008 Desktop OS Vendor Report - Vulnerabilities and Days-of-Risk [Jeff Jones Security Blog]

Posted: 27 Oct 2008 02:00 AM CDT

This report looks at all of the vulnerabilities fixed by Apple, Microsoft, Red Hat and Ubuntu during the first half of 2008. At the vendor level, the report examines all vulnerabilities as well as Days of Risk (DoR) associated with those vulnerabilities. The report further drills down to examine just those issues affecting the commonly installed desktop operating system components.

The key findings for 1H08:
  • The four vendors fixed a total of 585 vulnerabilities in 1H08. 26.8% affected multiple vendors and, of those, only 8 were fixed on the same day – the rest had an average 35-day delay between the first available fix and the last available fix.
  • Microsoft had the lowest average Days of Risk for all vulnerabilities fixed at 24.22 days, with the next closest vendor at 72 days.
  • For desktop OS vulnerabilities, Windows Vista had the fewest vulnerabilities in 1H08 at 21. The next lowest number was Windows XP SP2 at 26.
  • Windows Vista customers experienced full or partial mitigation for 46% of the 26 vulnerabilities affecting Windows XP SP2 in 1H08, but also experienced one additional vulnerability in new code.

In addition to these measurements for the vendors and products, the body of the report also provides weighted analysis which provides a lesser consideration for lower severity issues. Please read the full report for details.

Save us from the other people [Security For All]

Posted: 27 Oct 2008 01:48 AM CDT

We are the other people
You’re the other people too

“Mother People” - Frank Zappa

So just who is it that messes up great security plans and policies? You know, those folks whose boneheaded stunts compromise even the best security efforts? The people who use webmail accounts for company business. The people who write their login credentials on little yellow stickies taped to their displays. After extensive research I have found incontrovertible evidence that it’s the other people.

That’s right. The other people. But here’s the bad news, pilgrim. Frank Zappa had it exactly right - we are the other people and you’re the other people too.

Sometimes the other people are those pesky end users, such as the guy described in this article from Nicholson Security who logs on to his company’s VPN remotely from Starbucks and then proceeds to the rest room for 15 minutes, leaving his laptop unattended and unsecured. Sure, it’s easy to conclude that the guy in question is an idiot who should be spanked. But consider this - he’s just a guy trying to get his job (in this case a realtor) done. Like all other people. Like you. Like me.

My goodness, we’re being mighty understanding here. Does this herald a kinder, gentler Security for all? You wish! Seriously, why would you expect a realtor to understand why it’s important to not leave the company LAN wide open to anyone, including roving security pros? Okay, so this is a particularly bad example since the guy left his laptop completely unattended in a Starbucks, so in all likelihood he is an idiot. But forgetting that for a second, didn’t he get the standard education about his company’s security policy? I’m guessing that what he got was a quick “this is how you access Outlook from the new Citrix system” either from the office admin or from the IT guy who installed the new Citrix system. And, armed with that information, he set out to sell some houses.

Sure it’s easy to find numerous examples of ignorant end users who bypass security policy just so they can get their jobs done as efficiently as possible. But what about the guys who create and enforce those policies. Sorry to say, they are other people too. Other people tend to take too much for granted with respect to the skill level and “tech savviness” of their constituent users. For the next example, I submit my own experience. In fact the very experience that prompted me to write this.

My brother is developmentally delayed. That’s the currently PC version of mentally handicapped. For his birthday this year I got him an iMac. I set it up, got him on the internet, signed him up for a webmail account and showed him how to get started. Since all he wanted to do is take pictures with his digital camera, load them into iPhoto, send them to our Mom and surf the web, it wasn’t a very difficult training session. After about a week, he discovered that his email wasn’t working. Turns out I hadn’t set up his outgoing SMTP server correctly and consequently no one was responding to his emails since he wasn’t able to send them. So I went over to fix it and discovered a number of unsent messages responding to phishing sites that were attempting to steal his information. Yikes! But all he knew was that these sites had some cute picture or swell program that he wanted, and he had to join so he could get it. My epiphany happened at this point. It had not even occurred to me to warn him about these kinds of sites, since I just automatically assumed that everybody knew about that. Bad assumption. We are the other people.

So let’s kick it up to a different level. What about the software project manager who cuts the QA time in order to get the product out the door in the (unrealistic) timeframe imposed by senior management in response to marketing intel with respect to market windows. It’s easy to say that the project manager is wrong because scrimping on QA will certainly lead to a lower quality product which translates to more bugs and vulnerabilities in the product. But the schedule was imposed by senior management, so it’s their fault. But senior management has reason to believe that if this schedule isn’t met, the product’s revenue will be substantially negatively affected because the marketing window will be missed. And then the shareholders will not be happy (read heads will roll). Yep, other people just trying to do their jobs.

So the premise in the Nicholson Security article is borne out: people will always be the weakest link in security. I suspect that this sad fact comes from everyone trying to do too much with too little time and resources to do it correctly. Because that’s what it takes to compete in a global economy. We are the other people. You’re the other people too.


If it’s on the web it must be true. Or not. [Security For All]

Posted: 26 Oct 2008 11:00 PM CDT

Just in time for Halloween is this article by Alice LaPlante in InformationWeek, 7 Fantastic Internet Hoaxes. The really scary thing about this list of hoaxes is that I remember almost all of them. You can read Alice’s original article to get the details but a summary list is provided for your convenience.

Test your internet savviness or suckerness (just like in the women's magazines!). How many do you remember? Variants count.

7. Bigfoot Captured!
Last August a Bigfoot hunting group lit up the Internet with claims it had found the 500-lb. body of Sasquatch in the woods of northern Georgia.

6. Snowball, the Giant Mutant Cat of Ontario
This photo of a man holding a giant (supposedly 87 pounds) cat first appeared on the Internet in April 2000. An e-mail that wove a story around the photo began circulating a year later. The cat’s purported owner, a Roger Degagne, supposedly found Snowball as a kitten near a nuclear power plant in Chalk River, Ontario, Canada — the implication being that toxic waste had caused its grotesque size.

5. The Last Tourist
Within a month of Sept. 11, a photograph began circulating the Internet that supposedly showed a tourist on top of the World Trade Center right before one of the terrorist-piloted planes hit.

4. Good Times Virus
This is just one example of a whole category of hoaxes, known as “virus hoaxes,” which warn about the dangers of a particular piece of malware with the potential to wreak irreparable damage on users’ computers. This particular virus was supposed to be attached to an e-mail message with the subject heading “Good Times,” that if opened, would rewrite the recipient’s hard drive and result in other disastrous scenarios, many of which were technically unfeasible.

3. Bill Gates’ Millions Giveaway
This hoax, which appeared in early 2001, claimed that Bill Gates of Microsoft was conducting a beta test of new software and would send money to all those who forwarded the message to others.

2. Petition to Ban Religious Broadcasting
This, like so many chain-letter hoaxes, has mutated over the years. It started out in 1996 claiming that the atheist Madalyn Murray O’Hair, who brought the lawsuit that led to the Supreme Court decision to ban prayer from public schools, was petitioning the FCC to ban all religious programming. It then spawned other chain letters asserting that atheists were attempting to forbid Christmas music in public places and remove references to God from popular television shows like Touched by an Angel.

1. Save Amanda Bundy
This chain letter has been in circulation since as early as 1997, and falls into a general category of “sympathy” hoaxes. There are a large number of variations of this letter in circulation, and many of them reference a sentimental poem “Slow Dance,” supposedly written by this young girl who is dying of cancer.

So how did you do? Check out your score for fantastic prizes! Okay so there’s no prizes, but check anyway.

If you can recall:

0: Newcomer. I’m surprised that you found your way to this blog post. Let me be the first to welcome you to the internet.

1 - 3: Experienced. Just wait, you’ll get to see them all. Probably before this time next year. This stuff just keeps getting recycled over and over again.

7: Cynical. Clearly you are mistaken since everyone knows that #3 is true. I’m waiting for my money right now.

If you know of any clever hoaxes - or want to start one - feel free to comment here. We’ll see what we can do to get into Snopes without litigation or prosecution.

And if you know Bill Gates - or if you are Bill Gates (hey, it could happen) - could you find out what happened to my money? I forwarded that email to 100 people just like the message said to do. I’ll bet those darn atheists took it to finance their effort to ban religious broadcasting.


Terrorist Twits? [StillSecure, After All These Years]

Posted: 26 Oct 2008 06:35 PM CDT

Read an interesting article in Yahoo tech today about a US Army report on the potential use of Twitter by terrorists and other subversive groups. After initially rolling my eyes about the government going a little too far, I began to see how Twitter could be used by terrorists and the like. Twitter's ability to provide "live" coverage of an event is something that some of us in the security industry have used at infosec shows. The example cited by the article about activists at the Republican National Convention using Twitter to report on police movements and positions is compelling. You can see how Twitter could be used for that type of thing.

But then I think the report goes too far:

"Twitter has also become a social activism tool for socialists, human rights groups, communists, vegetarians, anarchists, religious communities, atheists, political enthusiasts, hacktivists and others to communicate with each other and to send messages to broader audiences," the report said.

Hacktivists refers to politically motivated computer hackers.

"Twitter is already used by some members to post and/or support extremist ideologies and perspectives," the report said.

If all they are doing is disseminating their ideas, I think it is protected under freedom of speech. It would be good to see a court hold that "tweeting your mind" is a protected form of communication and expression.

My Sunday Morning Reading [Network Security Blog]

Posted: 26 Oct 2008 10:27 AM CDT

I haven’t had the time to blog much lately, but I still try to keep up on my reading.  Here are a few of the articles that are open in a Firefox tab on my right screen.  Meanwhile Spore is patching on my left screen so I can get back to vital Sunday morning projects like building a civilization.

  • MS08-067 - An out of band update is always a big deal.  I’ve read a number of rumors about why this update was pushed, but nothing I’d call 100% reliable yet.
  • More on the Sequoia e-voting machines - No surprise, I’m reading more on direct-recording electronic (DRE) voting machines. This election has the potential to explode if the vote is close anywhere and DREs were involved. I can already hear the lawyers sharpening their claws.
  • Speaking of surprises - They found problems with DREs already in some precincts during early voting. This will probably be hushed up by a judge or blown off as human error.
  • Be careful what you tweet - A vulnerability has been found in Twitter that may allow your protected tweets to be seen. Not that you should be tweeting anything that sensitive anyway.
  • Oh noes! The terrorists will use Twitter too! - So what? Does that mean we should leap to our default stance of bugging all of Twitter on the off chance a terrorist might be using it?
  • The big data aggregators agree to a code of conduct - But will they stick to it?  Only time will tell.
  • From the “Terminator” files - The Army is looking for someone to develop hunter bots.  Have they read any popular sci-fi in the last 30 years?  This is how the world ends!

Back to relaxing for the weekend. 

Inside Netsecurify [GNUCITIZEN]

Posted: 26 Oct 2008 04:03 AM CDT

Netsecurify is a free, automated information security testing tool which we exclusively offer to organizations and initiatives which desperately need security services but cannot afford to buy. In today’s market conditions this pretty much includes everybody. The Netsecurify project is very special to us. The following sequence of screenshots shows what it is inside.

[Screenshots: Netsecurify Demo 01 through Netsecurify Demo 09]

Keep in mind that this is just a demo. For now, you have to start tests manually. In the future you will be able to schedule them in advance and get notifications when your tests are completed.

We are looking for two types of organizations to join our initiative. First, we need more organizations that can make use of Netsecurify’s free penetration testing service. It is free and very good! Do not miss this offer. Second, we need organizations who are willing to sponsor the project through our special, extremely targeted, advertising platform.

Let us know if you are interested by contacting us from our contact page (as usual).

WP Blogsecurify 1.0 [GNUCITIZEN]

Posted: 26 Oct 2008 03:09 AM CDT

The WP Blogsecurify 1.0 plugin is out. It was announced on the Blogsecurify blog and I am going to announce it here once again just in case you somehow missed the news.

WP Blogsecurify 1.0

WP Blogsecurify is a security plugin for WordPress designed to integrate several simple but important security patches for the popular blogging platform. This plugin was developed by the Blogsecurify team - a special division of GNUCITIZEN Information Security Think Tank.

WP Blogsecurify protects your blog by:

  • forcing users to log in over a secure communication channel.
  • protecting session identifiers from incidental session leaks.
  • hiding database errors which could be caused by malfunctioning plugins.
  • protecting the entire user session from session hijacking and side-jacking attacks.

This plugin is designed to be simple and effective. Future versions will protect against SQLI and XSS attacks. We are also planning to integrate WP Blogsecurify with our free social media security testing engine.

In simple words, the current version will do a pretty good job of protecting your user session from session hijacking and session side-jacking attacks. It requires you to have SSL enabled. If you don’t have SSL on port 443 and you are locked out because the plugin is enabled, then you have to remove wp-blogsecurify from the wp-content/plugins directory in order to allow yourself back in.
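As an added illustration, and not the WP Blogsecurify plugin's own code, the following WordPress plugin file shows how each of the four protections listed above maps onto core WordPress hooks: force_ssl_admin() for the login form and admin area, the secure_auth_cookie and secure_logged_in_cookie filters for the Secure cookie flag, $wpdb->hide_errors() for database error output, and a template_redirect handler that keeps the rest of the session on HTTPS. The plugin header, the wpbsx_ function names and the decision to redirect every plain-HTTP request are assumptions of this example.

```php
<?php
/*
Plugin Name: Session Hardening Illustration
Description: Added example of the four protections described above. Not the
WP Blogsecurify code; the wpbsx_ function names are hypothetical.
*/

// Refuse to run when the file is requested directly instead of being loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1. Force the login form and the whole admin area onto HTTPS.
//    force_ssl_admin() is a core WordPress function; once enabled, wp-login.php
//    and wp-admin send plain-HTTP requests to their HTTPS equivalent.
force_ssl_admin( true );

// 2. Mark the auth and logged-in cookies Secure so the browser never sends
//    them over plain HTTP. This closes the "incidental leak" case: a stray
//    http:// link to the same host no longer carries the session identifier.
//    Both filters are core filters read by wp_set_auth_cookie().
add_filter( 'secure_auth_cookie', '__return_true' );
add_filter( 'secure_logged_in_cookie', '__return_true' );

// 3. Hide database error output. A malfunctioning plugin that issues a bad
//    query would otherwise print the failing SQL, the table prefix and file
//    paths to every visitor.
function wpbsx_hide_db_errors() {
    global $wpdb;
    $wpdb->hide_errors();              // $wpdb stops echoing failed queries
    ini_set( 'display_errors', '0' );  // and PHP stops echoing its own notices
}
add_action( 'init', 'wpbsx_hide_db_errors' );

// 4. Keep the entire session on HTTPS, not only the login page. The simplest
//    rule (the design choice of this example) is to send every plain-HTTP
//    front-end request to the same path over HTTPS before any content is
//    emitted, so a logged-in user is never served a page that would expose
//    the session to a side-jacker on the same network. The host comes from
//    the configured home URL rather than the request's Host header, so the
//    redirect can only ever point at the blog itself.
function wpbsx_require_https() {
    if ( is_ssl() ) {
        return;
    }
    $host   = parse_url( home_url(), PHP_URL_HOST );
    $target = 'https://' . $host . $_SERVER['REQUEST_URI'];
    wp_redirect( $target, 301 );
    exit;
}
add_action( 'template_redirect', 'wpbsx_require_https' );
```

Drop the file into wp-content/plugins/ and activate it only after confirming that port 443 on the blog's host answers over TLS. The fourth handler is exactly what produces the lock-out described above when it does not: every request is redirected to an address that never answers, and the remedy is the same one the post gives, deleting the plugin's directory.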

Grecs’s Infosec Ramblings for 2008-10-25 []

Posted: 25 Oct 2008 11:59 PM CDT

Excuse me Mr. Bill Gates, Chinese hackers not putting up with your crap! [The Dark Visitor]

Posted: 25 Oct 2008 10:48 PM CDT

The program seen above is a patch for the Microsoft “black screen of death” and was written by a female Chinese hacker group at the Guangdong Foreign Language, Foreign Trade University (Guangdong Foreign Studies University).

The patch keeps Chinese users, who are running pirated copies of Microsoft Windows, from having to refresh their computer screens every hour when the black screen pops up.

The Chinese hacker program was released on 15 October, five days before Microsoft’s pre-announced plan went into effect (Jumper, is this possible?). The black screen seems to have been a mere annoyance, designed by Microsoft to encourage people to purchase legal copies of Windows. It does not affect the computer’s ability to function.

From the comments I have read on a few boards, this does not seem to be one of the programs written to spread malware.

The website for the group that released the patch is here.  The message attached to the download reads as follows:

“Excuse me Bill Gates, this time, I must once again oppose all of you [Microsoft]. I can’t let you introduce chaos into the Chinese system again for no good reason! For many years now, people have stolen Windows and just this year you decide do something about it? That is stupid!!

We are not the military but we have the same mission, to protect the sovereignty of the Chinese network.”

A few interesting comments on the boards you might like to read.  Don’t have the time to translate, so I give you the Google xlations.  No, they aren’t 100% accurate but they will give you the feel of the conversation.

Something to take note of, not all of the Chinese users are onboard with the “hate Microsoft theme.” There are a number of dissenting voices, saying that stealing intellectual property is wrong.  Good for them!

Update (jumper 1543GMT OCT 26):  The site hosting the anti-anti-piracy patch is overloaded:

Bandwidth Exceeded!


CCS Infosec Conference Event []

Posted: 25 Oct 2008 10:15 PM CDT

ACM SIGSAC will be having their CCS infosec event next week as well. Here are the logistics for this year’s conference:

  • What: CCS
    • The annual ACM CCS Conference is a leading international forum for information security researchers, practitioners, developers, and users to explore cutting-edge ideas and results, and to exchange techniques, tools, and experiences.
  • When: 10/27 - 10/31/2008
  • Where: Hilton Alexandria Mark Center (5000 Seminary Road, Alexandria, VA 22311)

For more information on the CCS, see its description in our Infosec Conferences section. View our Calendar for a list of similar infosec events in and around the NoVA area. See ACM SIGSAC’s conference page for more information.

Techno Forensics Conference Infosec Event []

Posted: 25 Oct 2008 10:30 AM CDT

TheTrainingCo will be holding this year’s Techno Forensics Conference infosec event next week. This is the second of the many conferences this week. Here are the logistics for this year’s conference:

  • Who: TheTrainingCo
  • What: Techno Forensics Conference
    • Techno Forensics 2008 is presented by NIST, Maryland InfraGard, ICFP, and University of Fairfax. The conference is founded on the principles of standardization in the field of digital evidence investigation. The conference will cover many of the general disciplines in the areas of digital evidence investigation to include some of the latest information on software and hardware solutions. Unlike other forensic conferences that are limited to law enforcement only or are vendor specific in nature, this conference will be open to everyone currently involved in computer forensics, digital evidence, or anyone having an interest in these rapidly growing fields. Conference agenda topics will cover a range of the digital disciplines which include: fundamentals of acquisitions, terabyte storage and preparing for it, building a forensics lab, fly-away kits, black bag forensics, e-discovery and special instructor-led focused classes on basics of FAT, NTFS, Macintosh, and Linux file systems and dealing with their data. Other areas covered are intrusion detection, network level forensics, and cellular, handheld, and wireless forensics. Digital law and evidence handling will also be covered in break-out sessions.
  • When: 10/27 - 10/29/2008
  • Where: NIST (100 Bureau Drive, Gaithersburg, MD 20899; in Administration Bldg. 101)

For more information on the Techno Forensics Conference, see its description in our Infosec Conferences section. View our Calendar for a list of similar infosec events in and around the NoVA area. See TheTrainingCo’s conference page for more information.

Federal IA Conference Infosec Event []

Posted: 25 Oct 2008 10:10 AM CDT

FBC will be having this year’s Federal IA Conference infosec event next week. This is the first of several conferences that will be happening. It looks to be a busy week in DC! Here are the logistics for this year’s conference:

  • Who: FBC
  • What: Federal IA Conference
    • The 8th Annual Federal Information Assurance Conference (FIAC 2008) will be held at its new location: The Ronald Reagan Building/International Trade Center in downtown Washington, DC. The new venue will allow for increased participation by attendees due to its centralized location within the Federal Government community located in Washington, DC. The location is Metro accessible, provides on-site parking, and there are several hotels within walking distance of the building. The Plenary session and Keynote address will take place in the Atrium Ballroom while the Vendor Exposition will be held in the Atrium Hall. The breakout sessions and the 3rd day Tutorials will be conducted in the Continental, Hemisphere, and Polaris rooms. The FIAC 2008 Conference will also feature a new structure consisting of session "Threads" which will take the place of the standard "Track" designations we have used in the past. Each "Thread" will pair together related session topics for those who wish to follow through with a certain topic to expand on the information received from the original session. This will allow an attendee to gain a full understanding of a certain topic without having to attend an entire two day "Track". The Plenary Session, Keynote Address, and Lunch Sessions will remain as they have in the past with full participation for all attendees. This year the Plenary Session will fully discuss the Federal Government's National Cyber Security Initiative by offering explanations, timetables, and exploring the effects on Federal Government agencies and their employees of the President's comprehensive plan.
  • When: 10/27 - 10/29/2008
  • Where: Ronald Reagan Building & International Trade Center (1300 Pennsylvania Avenue NW;  Washington, DC 20004; the Federal Triangle metro stop is located on site and Metro Center is two blocks away)

For more information on the Federal IA Conference, see its description in our Infosec Conferences section. View our Calendar for a list of similar infosec events in and around the NoVA area. See FBC’s conference page for more information.

North Korea: Cell phone restrictions and food shortage [The Dark Visitor]

Posted: 25 Oct 2008 08:08 AM CDT

CNET News reports on North Korea restricting the use of cell phones in order to keep news of a developing food crisis from getting outside the country:

Vitit Muntarbhorn, the UN investigator from Thailand, claims the clampdown on cell phone and long-distance telephone calls was to prevent people from reporting on food shortages, the Web site reported.

The site also said that recent visitors to the country have reported that the North Korean government has been confiscating cell phones.


Harvesting The Wind - e2 series [The Converging Network]

Posted: 25 Oct 2008 06:28 AM CDT

I don't know how I missed it but PBS has had a series called e2 about sustainable living that I came across last night while flipping channels at 2am. The episode playing was Harvesting The Wind, showing how the state of Minnesota, local communities, farmers and entrepreneurs in southwest Minnesota haven't waited for our energy policy impotent Federal government to move aggressively into alternative energies.

The episode showed how entrepreneurs are helping farmers bring wind farming to their land. Part of the solution is to use Federal alternative energy tax credits, which the investors receive along with 99% of the revenues from the electricity generated. The farmers provide the land, get 1% and also receive maintenance fees for upkeep of the wind machines. After 10 years, the investors recoup their investment + profits and the ownership flips to the farmers. Multiple farmers have banded together to make larger purchases of wind machines which helps reduce equipment and installation costs.

Business is so good that a propeller manufacturing plant was located in the area. The propellers are the most difficult piece of equipment to ship from Europe, making that an obvious choice for manufacture in the local area. The plant employs 300 people from the community. Rather than the oil business model where big business comes in and owns everything, the state very consciously designed wind energy to be community based. All in all, this seems like a very synergistic approach to bringing wind energy to market.

I grew up on the plains of Nebraska and spent a good amount of time in Ogallala at Lake McConaughey. Lake McConaughey is a man made lake, built to provide consistent water (and lots of it) for farming and irrigation water in mid and eastern Nebraska. There's also a power generation station located at the dam. The wind can howl when it roars across the plains of Nebraska. There were many days during the summer when we'd have to resort to water skiing in small coves that offered some protection from the wind. The windmill is a common sight across the plains, providing water to cattle on what would otherwise be some difficult land to raise livestock.

Growing up on the windy plains of Nebraska, I often thought, why don't we have windmills that can generate power from all this wind? That was back during the '70s gas crisis, when a coal-fired power plant was being built at Sutherland, NE. Energy was on everyone's mind. I moved from a Chevelle Malibu gas eater to a Datsun (Nissan) economy car so I could afford traveling back home from college.

I guess we just didn't have the technology back then to jump on the wind energy bandwagon. I wish the US had had the foresight to continue investing in wind generation technology, instead of allowing businesses in Europe to take the lead. I hope the learnings from Minnesota will help state and local governments bring more wind energy to market while our Federal government gets its act together.

Script Kiddies [GNUCITIZEN]

Posted: 25 Oct 2008 04:22 AM CDT

According to Wikipedia: In hacker culture, a script kiddie is a derogatory term used for an inexperienced malicious hacker who uses programs developed by others to attack computer systems, and deface websites. It is generally assumed that script kiddies are juveniles who lack the ability to write sophisticated hacking programs on their own, and that their objective is to try to impress their friends or gain credit in underground hacker communities.

Greetings from the Gold Coast

We continue: Script kiddies have at their disposal a large number of effective, easily downloadable malicious programs capable of harassing even advanced computers and networks.

Alright! A bit off topic. Would you call yourself a racist? Probably not. Take the Harvard Implicit Association Test (IAT) for race. Take it as many times as you want. Are you surprised by the results? Good!

Anyway, according to Wikipedia, I do not know a single person involved in the information security industry today that does not fit the description of a script kiddie. Even the best and the baddest hackers I know can easily be named script kiddies if they change their handle to something you are not familiar with. Here is why:

  • Script Kiddies are juveniles - All malicious hackers are juveniles (mind or body) regardless of their skills and abilities.
  • Script Kiddies use tools they don’t write - Like you write everything you use? Life is short! Successful people build themselves on top of the experience and the work of those before them. Why reinvent the wheel?
  • Script Kiddies have at their disposal a large repository of downloadable tools - You mean like Backtrack? Or perhaps any standard Linux distribution?
  • Script Kiddies deface websites and scan the internet for known vulnerabilities - Hackers are opportunists. Skill sometimes is not enough. You need to be lucky too.
  • Script Kiddies cannot program - It is perceived that 1337 security researchers are those who know ASM and C and perhaps perl, python or ruby. A junior web developer knows 10 times more languages and has experience with a lot more programming environments.
  • Script Kiddies’ objective is to try to impress their friends or gain credit - Everybody wants some type of credit even when they claim that they don’t. They lie. In our human nature there are driving forces bigger than wealth, and these are credit, approval and acceptance among your family and peers.

And this is pretty much all I would like to say about the script kiddies. Make up your own mind.


Will Ferrell as George Bush endorses McCain [The Converging Network]

Posted: 25 Oct 2008 01:40 AM CDT

Enjoy this video. Will Ferrell with Tina Fey as G W Bush and Sarah Palin is a hoot!

Grecs’s Infosec Ramblings for 2008-10-24 []

Posted: 24 Oct 2008 11:59 PM CDT

  • HACKING EXPOSED VOIP: Supposedly a very dangerous book.
  • SHADOWSERVER: Watch those botnets.
  • VOIPSA THREAT TAXONOMY: Something interesting for all you VoIP sec guys to check out. Supposed to be publishing a best practices guide too.
  • CWSANDBOX: Prob already know this but this is a nice online tool for analyzing malware.
  • LIVE FORENSICS: New tools have expanded investigations to include memory analysis.
  • FRIDAY’S NEWSBITES: Here’s your end of week dose of news from SANS.

New Cobia modules - The vision is still alive [The Converging Network]

Posted: 24 Oct 2008 10:01 PM CDT

A week or so ago, Alan Shimel announced on his blog that StillSecure released some new modules for the Cobia platform. Cobia is a software platform for networking and security that runs on general purpose Intel computing hardware. VPN, DNS, anti-virus/spyware/spam, and URL filtering were added to Cobia. You can check out/download/find out more about Cobia on the Cobia website.

I had the pleasure of working on and launching Cobia as well as StillSecure's award-winning NAC, IPS and vulnerability management products. It's been almost a year since I decided to leave my post as StillSecure CTO, and I'm still very thankful and proud of the work the team past and present does there. There are a lot of great people at the company and I appreciate that they've kept the Cobia vision alive and continue to move the ball down field on all the products.

I've often said that being CTO is the best job in the company and so many people I worked with at StillSecure helped make that a reality for me. A wise man once told me that you know you've done a good job building something significant when you create a team who can eventually execute without you. Your job is to work yourself out of a job. I'm glad that's the case with StillSecure.

Thanks everyone and congratulations on the new Cobia functionality.
