Posted: 27 Oct 2008 11:15 AM CDT
Another week, yet another Monday as exams draw in closer.
This morning my thin client (Epatec/ebox 3850 w/Debian) has shown me the hand all of a sudden and refuses to power on. My Linksys router (WRT54GL with DD-WRT v24 SP2 Eko 10600) also seems to be playing up. Every so often whilst streaming from my Dreambox (500S) connected over a WPA_WDS connection I would get suddenly disconnected !?!?! Disabling the WiFi adapter and re-enabling it kinda gets me to reconnect but it's d**n frustrating when it happens during the best part of a film you're really into. (wife hates it too and gives me bad looks)
Nevertheless - yes - I've spent several hours researching, troubleshooting and tweaking to no avail. Curiously it is not a case of WiFi drivers on my netbook (EeePC 901) playing up -- as even my Nokia N95 seems to disconnect right at the same time my netbook got disconnected. I really don't feel like reverting to the original Linksys firmware -- so we'll wait and see... patience is a virtue (or so they say)
On to something more positive this morning ... everybody likes lists - especially top 10 lists. This morning I encountered an article which talks about the coolest security jobs. Well I come in ranking @ number 7 and number 1 seeing that I also teach Computer Forensics for the NCC Advanced Diploma course ... Not bad! -- according to a survey conducted by the SANS Institute.
Here is a summary of the list according to SANS:
1. Information security crime investigator/forensics expert.
The top-ranking "coolest" IT security jobs according to non-government security employees:
1. (Tie) System, Network, and/or Web penetration tester
Catch the full article here...
Posted: 27 Oct 2008 06:33 AM CDT
Let’s just say that I was pleasantly surprised this morning when I read Richard Bejtlich’s 5 star review of the OSSEC Host-Based Intrusion Detection Guide (review is here). Richard is known to be quite vocal when he doesn’t like a particular book and it sounded like he had a very hard time finding things wrong with our book.
I especially like his comment on his blog about how addictive the OSSEC WUI is. He’s right. I too hit refresh constantly to see what new logs have arrived.
I know that lots of people base the purchase of their next book based on Richard’s reviews and Daniel, Rory, and I do appreciate the honest and positive review. Thanks Richard, you’ve made my week!
Posted: 27 Oct 2008 05:39 AM CDT
Currently at RSA Europe in London and the Keynote is about to start. While we’re being given a Discovery Channel styled lecture on Alan Turing, I’ve been marking the sessions that have a potential of being interesting. Marked the following:
Then there’s quite a few “special interest groups” that look intriguing as well.
Meanwhile Arthur W. Coviello of RSA is talking about why the way we do security fails, and suggesting a better approach. Talking about Information Risk Management Strategy, and picking on regulations and compliance.
Posted: 27 Oct 2008 02:00 AM CDT
This report looks at all of the vulnerabilities fixed by Apple, Microsoft, Red Hat and Ubuntu during the first half of 2008. At the vendor level, the report examines all vulnerabilities as well as Days of Risk (DoR) associated with those vulnerabilities. The report further drills down to examine just those issues affecting the commonly installed desktop operating system components. The key findings for 1H08:
In addition to these measurements for the vendors and products, the body of the report also provides weighted analysis which provides a lesser consideration for lower severity issues. Please read the full report for details.
Posted: 27 Oct 2008 01:48 AM CDT
We are the other people
So just who is it that messes up great security plans and policies? You know those folks whose boneheaded stunts compromise even the best security efforts? The people who use webmail accounts for company business. The people who write their login credentials on little yellow stickies taped to their displays. After extensive research I have found incontrovertible evidence that it’s the other people.
That’s right. The other people. But here’s the bad news, pilgrim. Frank Zappa had it exactly right - we are the other people and you’re the other people too.
Sometimes the other people are those pesky end users, such as the guy described in this article from Nicholson Security who logs on to his company’s VPN remotely from Starbucks and then proceeds to the rest room for 15 minutes leaving his laptop unattended and unsecured. Sure, it’s easy to conclude that the guy in question is an idiot who should be spanked. But consider this - he’s just a guy trying to get his job (in this case a realtor) done. Like all other people. Like you. Like me.
My goodness, we’re being mighty understanding here. Does this herald a kinder, gentler Security for all? You wish! Seriously, why would you expect a realtor to understand why it’s important to not leave the company LAN wide open to anyone including roving security pros? Okay so this is a particularly bad example since the guy left his laptop completely unattended in a Starbucks, so in all likelihood he is an idiot. But forgetting that for a second, didn’t he get the standard education about his company’s security policy? I’m guessing that what he got was a quick “this is how you access Outlook from the new Citrix system” either from the office admin or from the IT guy who installed the new Citrix system. And armed with that information set out to sell some houses.
Sure it’s easy to find numerous examples of ignorant end users who bypass security policy just so they can get their jobs done as efficiently as possible. But what about the guys who create and enforce those policies? Sorry to say, they are other people too. Other people tend to take too much for granted with respect to the skill level and “tech savviness” of their constituent users. For the next example, I submit my own experience. In fact the very experience that prompted me to write this.
My brother is developmentally delayed. That’s the currently PC version of mentally handicapped. For his birthday this year I got him an iMac. I set it up, got him on the internet, signed him up for a webmail account and showed him how to get started. Since all he wanted to do is take pictures with his digital camera, load them into iPhoto, send them to our Mom and surf the web, it wasn’t a very difficult training session. After about a week, he discovered that his email wasn’t working. Turns out I hadn’t set up his outgoing SMTP server correctly and consequently no one was responding to his emails since he wasn’t able to send them. So I went over to fix it and discovered a number of unsent messages responding to phishing sites that were attempting to steal his information. Yikes! But all he knew was that these sites had some cute picture or swell program that he wanted, and he had to join so he could get it. My epiphany happened at this point. It had not even occurred to me to warn him about these kinds of sites, since I just automatically assumed that everybody knew about that. Bad assumption. We are the other people.
So let’s kick it up to a different level. What about the software project manager who cuts the QA time in order to get the product out the door in the (unrealistic) timeframe imposed by senior management in response to marketing intel with respect to market windows. It’s easy to say that the project manager is wrong because scrimping on QA will certainly lead to a lower quality product which translates to more bugs and vulnerabilities in the product. But the schedule was imposed by senior management, so it’s their fault. But senior management has reason to believe that if this schedule isn’t met, the product’s revenue will be substantially negatively affected because the marketing window will be missed. And then the shareholders will not be happy (read heads will roll). Yep, other people just trying to do their jobs.
So the premise in the Nicholson Security article is borne out: people will always be the weakest link in security. I suspect that this sad fact comes from everyone trying to do too much with too little time and resources to do it correctly. Because that’s what it takes to compete in a global economy. We are the other people. You’re the other people too.
Posted: 26 Oct 2008 11:00 PM CDT
Just in time for Halloween is this article by Alice LaPlante in InformationWeek, 7 Fantastic Internet Hoaxes. The really scary thing about this list of hoaxes is that I remember almost all of them. You can read Alice’s original article to get the details but a summary list is provided for your convenience.
Test your internet savviness or suckerness (just like in the women's magazines!). How many do you remember? Variants count.
So how did you do? Check out your score for fantastic prizes! Okay so there’s no prizes, but check anyway.
If you can recall:
0: Newcomer. I’m surprised that you found your way to this blog post. Let me be the first to welcome you to the internet.
1 - 3: Experienced. Just wait, you’ll get to see them all. Probably before this time next year. This stuff just keeps getting recycled over and over again.
7: Cynical. Clearly you are mistaken since everyone knows that #3 is true. I’m waiting for my money right now.
If you know of any clever hoaxes - or want to start one - feel free to comment here. We’ll see what we can do to get into Snopes without litigation or prosecution.
And if you know Bill Gates - or if you are Bill Gates (hey, it could happen) - could you find out what happened to my money? I forwarded that email to 100 people just like the message said to do. I’ll bet those darn atheists took it to finance their effort to ban religious broadcasting.
Posted: 26 Oct 2008 06:35 PM CDT
Read an interesting article in Yahoo tech today about a US Army report on the potential use of Twitter by terrorists and other subversive groups. After initially rolling my eyes about the government going a little too far, I began to see how Twitter could be used by terrorists and the like. Twitter's ability to provide "live" coverage of an event is something that some of us in the security industry have used at infosec shows. The example cited by the article about activists at the Republican National Convention using Twitter to report on police movements and positions is compelling. You can see how Twitter could be used for that type of thing.
But then I think the report goes too far:
If all they are doing is disseminating their ideas, I think it is protected under freedom of speech. It would be good to see a court hold that "tweeting your mind" is a protected form of communication and expression.
Posted: 26 Oct 2008 10:27 AM CDT
I haven’t had the time to blog much lately, but I still try to keep up on my reading. Here are a few of the articles that are open in a Firefox tab on my right screen. Meanwhile Spore is patching on my left screen so I can get back to vital Sunday morning projects like building a civilization.
Back to relaxing for the weekend.
Posted: 26 Oct 2008 04:03 AM CDT
Netsecurify is a free, automated information security testing tool which we exclusively offer to organizations and initiatives which desperately need security services but cannot afford to buy them. In today’s market conditions this pretty much includes everybody. The Netsecurify project is very special to us. The following sequence of screenshots shows what is inside.
Keep in mind that this is just a demo. For now, you have to start tests manually. In the future you will be able to schedule them in advance and get notifications when your tests are completed.
Let us know if you are interested by contacting us from our contact page (as usual).
Funny Insights about the Financial Crisis
Posted: 26 Oct 2008 03:09 AM CDT
WP Blogsecurify is a security plugin for Wordpress designed to integrate several simple but important security patches for the popular blogging platform. This plugin was developed by the Blogsecurify team - a special division of GNUCITIZEN Information Security Think Tank.
WP Blogsecurify protects your blog by:
This plugin is designed to be simple and effective. Future versions will protect against SQLI and XSS attacks. We are also planning to integrate WP Blogsecurify with our free social media security testing engine.
In simple words, the current version will do a pretty good job of protecting your user session from session hijacking and session side-jacking attacks. It requires you to have SSL enabled. If you don’t have SSL on port 443 and you are locked out because the plugin is enabled then you have to remove wp-blogsecurify from the
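Side-jacking works because a browser will happily send a session cookie over plain HTTP unless the cookie carries the Secure attribute, which is why a plugin of this kind needs SSL in place. The script below is an added example, not WP Blogsecurify's own code: it parses Set-Cookie headers, treats the stock WordPress login cookie names (and PHPSESSID) as session cookies (an assumption made here, not something the plugin documents) and reports which of them a browser would still send in clear text or expose to script. The two header sets are constructed for the demo.

```python
import re
from dataclasses import dataclass, field

# Cookie names treated as carrying an authenticated session. The WordPress
# names are the ones a stock install uses; calling them "session cookies"
# is this example's assumption.
SESSION_NAME_PATTERNS = [
    re.compile(r"^wordpress_logged_in_"),
    re.compile(r"^wordpress_sec_"),
    re.compile(r"^wordpress_[0-9a-f]{32}$"),
    re.compile(r"^PHPSESSID$"),
]


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value: name=value followed by ';'-separated attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        else:
            cookie.attrs[key] = val.strip()
    return cookie


def is_session_cookie(name: str) -> bool:
    return any(p.search(name) for p in SESSION_NAME_PATTERNS)


def sent_over(cookie: Cookie, scheme: str) -> bool:
    """Would a conforming browser attach this cookie to a request over `scheme`?
    Only the Secure attribute keeps it off a plain-http request."""
    if scheme == "http":
        return not cookie.secure
    return True


def audit(headers):
    """Return {cookie_name: [findings]} for every session cookie that is exposed."""
    findings = {}
    for h in headers:
        c = parse_set_cookie(h)
        if not is_session_cookie(c.name):
            continue
        problems = []
        if sent_over(c, "http"):
            problems.append("missing Secure: sent in clear text over http (side-jacking exposure)")
        if not c.httponly:
            problems.append("missing HttpOnly: readable by page script")
        if problems:
            findings[c.name] = problems
    return findings


# Constructed sample headers: a blog before and after forcing SSL-only session cookies.
BEFORE = [
    "wordpress_logged_in_0123456789abcdef0123456789abcdef=admin%7C1225000000%7Cdeadbeef; Path=/; HttpOnly",
    "wordpress_sec_0123456789abcdef0123456789abcdef=admin%7C1225000000%7Cdeadbeef; Path=/wp-admin",
    "wp-settings-time-1=1225000000; Path=/",
]
AFTER = [
    "wordpress_logged_in_0123456789abcdef0123456789abcdef=admin%7C1225000000%7Cdeadbeef; Path=/; Secure; HttpOnly",
    "wordpress_sec_0123456789abcdef0123456789abcdef=admin%7C1225000000%7Cdeadbeef; Path=/wp-admin; Secure; HttpOnly",
    "wp-settings-time-1=1225000000; Path=/",
]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(hdrs) or "no exposed session cookies")
```

Running it against your own blog's response headers (paste them into the list) tells you whether the login cookies would survive a plaintext request; the preference cookie `wp-settings-time-1` is deliberately ignored because it carries no authentication.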
Posted: 25 Oct 2008 11:59 PM CDT
Posted: 25 Oct 2008 10:48 PM CDT
The program seen above is a patch for the Microsoft “black screen of death” and was written by a female Chinese hacker group at the Guangdong Foreign Language, Foreign Trade University (Guangdong Foreign Studies University).
The patch keeps Chinese users, who are running pirated copies of Microsoft Windows, from having to refresh their computer screens every hour when the black screen pops up.
The Chinese hacker program was released on 15 October, five days before Microsoft’s pre-announced plan went into effect (Jumper, is this possible?). The black screen seems to have been a mere annoyance, designed by Microsoft to encourage people to purchase legal copies of Windows. It does not affect the computer’s ability to function.
From the comments I have read on a few boards, this does not seem to be one of the programs written to spread malware.
The website for the group that released the patch is here. The message attached to the download reads as follows:
“Excuse me Bill Gates, this time, I must once again oppose all of you [Microsoft]. I can’t let you introduce chaos into the Chinese system again for no good reason! For many years now, people have stolen Windows and just this year you decide to do something about it? That is stupid!!
We are not the military but we have the same mission, to protect the sovereignty of the Chinese network.”
A few interesting comments on the boards you might like to read. Don’t have the time to translate, so I give you the Google translations. No, they aren’t 100% accurate but they will give you the feel of the conversation.
Something to take note of, not all of the Chinese users are onboard with the “hate Microsoft theme.” There are a number of dissenting voices, saying that stealing intellectual property is wrong. Good for them!
Update (jumper 1543GMT OCT 26): The site hosting the anti-anti-piracy patch is overloaded:
Posted: 25 Oct 2008 10:15 PM CDT
For more information on the CCS, see its description in our Infosec Conferences section. View our Calendar for a list of similar infosec events in and around the NoVA area. See ACM SIGSAC’s conference page for more information.
Posted: 25 Oct 2008 10:30 AM CDT
For more information on the Techno Forensics Conference, see its description in our Infosec Conferences section. View our Calendar for a list of similar infosec events in and around the NoVA area. See TheTrainingCo’s conference page for more information.
Posted: 25 Oct 2008 10:10 AM CDT
FBC will be having this year’s Federal IA Conference infosec event next week. This is the first of several conferences that will be happening. It looks to be a busy week in DC! Here are the logistics for this year’s conference:
For more information on the Federal IA Conference, see its description in our Infosec Conferences section. View our Calendar for a list of similar infosec events in and around the NoVA area. See FBC’s conference page for more information.
Posted: 25 Oct 2008 08:08 AM CDT
Cnet News reports on North Korea restricting the use of cell phones in order to keep news of the developing food crisis from getting outside the country:
Posted: 25 Oct 2008 06:28 AM CDT
I don't know how I missed it but PBS has had a series called e2 about sustainable living that I came across last night while flipping channels at 2am. The episode playing was Harvesting The Wind, showing how the state of Minnesota, local communities, farmers and entrepreneurs in southwest Minnesota haven't waited for our energy-policy-impotent Federal government to move aggressively into alternative energies.
The episode showed how entrepreneurs are helping farmers bring wind farming to their land. Part of the solution is to use Federal alternative energy tax credits, which the investors receive along with 99% of the revenues from the electricity generated. The farmers provide the land, get 1% and also receive maintenance fees for upkeep of the wind machines. After 10 years, the investors recoup their investment + profits and the ownership flips to the farmers. Multiple farmers have banded together to make larger purchases of wind machines which helps reduce equipment and installation costs.
Business is so good that a propeller manufacturing plant was located in the area. The propellers are the most difficult piece of equipment to ship from Europe, making that an obvious choice for manufacture in the local area. The plant employs 300 people from the community. Rather than the oil business model where big business comes in and owns everything, the state very consciously designed wind energy to be community based. All in all, this seems like a very synergistic approach to bringing wind energy to market.
I grew up on the plains of Nebraska and spent a good amount of time in Ogallala at Lake McConaughey. Lake McConaughey is a man made lake, built to provide consistent water (and lots of it) for farming and irrigation water in mid and eastern Nebraska. There's also a power generation station located at the dam. The wind can howl when it roars across the plains of Nebraska. There were many days during the summer when we'd have to resort to water skiing in small coves that offered some protection from the wind. The windmill is a common sight across the plains, providing water to cattle on what would otherwise be some difficult land to raise livestock.
Growing up on the windy plains of Nebraska, I often thought, why don't we have windmills that can generate power from all this wind. That was back during the '70s gas crisis, when a coal fired power plant was being built at Sutherland, NE. Energy was on everyone's mind. I moved from a Chevelle Malibu gas eater to a Datsun (Nissan) economy car so I could afford traveling back home from college.
I guess we just didn't have the technology back then to jump on the wind energy bandwagon. I wish the US had the foresight to continue investing in wind generation technology, instead of allowing businesses in Europe to take the lead. I hope the learnings from Minnesota will help state and local governments bring more wind energy to market while our Federal government gets its act together.
Posted: 25 Oct 2008 04:22 AM CDT
According to Wikipedia:
Anyway, according to Wikipedia, I do not know a single person involved in the information security industry today that does not fit the description of a script kiddie. Even the best and the baddest hackers I know can easily be named script kiddies if they change their handle to something you are not familiar with. Here is why:
And this is pretty much all I would like to say about the script kiddies. Make up your own mind.
Posted: 25 Oct 2008 01:40 AM CDT
Posted: 24 Oct 2008 11:59 PM CDT
Posted: 24 Oct 2008 10:01 PM CDT
A week or so ago, Alan Shimel announced on his blog that StillSecure released some new modules for the Cobia platform. Cobia is a software platform for networking and security that runs on general purpose Intel computing hardware. VPN, DNS, anti-virus/spyware/spam, and URL filtering were added to Cobia. You can check out/download/find out more about Cobia on the Cobia website.
I had the pleasure of working on and launching Cobia as well as StillSecure's award winning NAC, IPS and vulnerability management products. It's been almost a year since I decided to leave my post as StillSecure CTO, and I'm still very thankful and proud of the work the team past and present does there. There are a lot of great people at the company and I appreciate that they've kept the Cobia vision alive and continue to move the ball down field on all the products.
I've often said that being CTO is the best job in the company and so many people I worked with at StillSecure helped make that a reality for me. A wise man once told me that you know you've done a good job building something significant when you create a team who can eventually execute without you...your job is to work yourself out of a job. I'm glad that's the case with StillSecure.
Thanks everyone and congratulations on the new Cobia functionality.
You are subscribed to email updates from Security Bloggers Network