Posted: 13 Nov 2008 12:37 PM CST
In an effort to make people more security conscious (and to promote themselves) Lumension (formerly Securewave) are giving away 1Gb Secured sticks. Simply play the flash game and identify 10 security risks among the employees, register and you're on your way to receiving a free USB stick as well as being entered into a draw to win 1 of 3 Lumension software security suites - HP server included!
Put yourself to the test and go grab one ... http://www.lumensiontheoffice.com
Posted: 13 Nov 2008 07:18 AM CST
This is an interesting story, I’ll be watching how it develops - it’s not often you see a bounty for online crimes and especially one as enticing as 1 million dollars! That’s a hell of a sum for nailing down some dodgy hackers who are running an extortion scam after a data leak. I really wonder where [...]
Read the full post at darknet.org.uk
Posted: 13 Nov 2008 06:14 AM CST
This post is for my fellow bloggers in the Security Bloggers Network. If you are planning on attending or would like to attend the SC Magazine World Congress this December at the Javits Center in NYC, you are eligible for a press pass. The pass allows you to attend sessions and the exhibits for free, as well as more perks.
If you would like to apply for your press credentials please contact me at email@example.com by Monday. Please include your SBN member blog URL to verify your membership. I am submitting the final list to the SC Mag folks Monday evening.
Also, for the analyst and mainstream media community we will be having a StillSecure cocktail hour. If you would like an invite please contact me at firstname.lastname@example.org as well.
It should be a great show and I hope to see many SBN members there.
Posted: 13 Nov 2008 05:57 AM CST
Just Jim and I today talking about news and adding some ranting (as usual).
Segment 1: InfoSec News Update and various ranting
Posted: 13 Nov 2008 04:12 AM CST
A colleague recently asked me, “When did my personal information become someone else’s property?” It’s a vital question, because if my personal information belongs to someone else, then they can do whatever they want with it. If data is property, then they can buy, sell, license, or give away my identity without my consent. This puts me at risk, because I must rely on the good will of a third party to keep my identity secure.
But if personal information really were property, then I should be able to permanently sell, or “alienate,” it. But unfortunately, I can’t sell personal information like a car. If I sell my car and the new owner paints it purple or runs it into a tree, it’s not my problem. But we all know that if I sell my personal information and the new owner “crashes” my identity, I suffer. Unlike all forms of property, personal information is inherently inalienable. Unless you enter the witness protection program, you’re stuck with your identity no matter how many times you sell it, and no matter how many times it is crashed.
Data as Property
Intellectual Property law does not generally treat personal information as property. Most personal information, such as names, addresses, phone numbers, and social security numbers are facts. Facts are not copyrightable. You can’t patent personal information, and it certainly isn’t a trade secret. In short, nobody “owns” my name, including myself. And if someone could “own” my name, it would most logically be my parents, since they created it. But my mom can’t copyright my date of birth, and the government can’t patent my social security number. My phone number is not an AT&T trade secret, nor is it mine.
However, data often behaves like property, and so it is treated as such. Like property, personal information has value. Entire multi-billion dollar industries thrive on the sale and exchange of personal information. Next, like any form of property, personal information in databases can be shared, sold, licensed, stolen, or lost with remarkable efficiency. And unfortunately, you don’t have any constitutional right of privacy when you give your personal data to a third party.
Some laws recognize that personal information has value. For example, United States election law requires candidates disclose the value of all in-kind campaign donations, including databases of potential voters. Other federal and state statutes, such as the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act, require corporations to account for the fair market value of assets, which may include customer data. Even tort law says that some forms of privacy come from a trademark ownership of one’s name and likeness. And breach notification laws seem to assert that companies which collect personal information “own” it.
Data as Self
But that isn’t the whole story. Unlike every other form of property, you can’t alienate personal information (such as bank account numbers, credit scores, social security numbers, or police reports) even if a third party creates it. Personal information is different from property, since property is presumptively alienable.
In the Information Age, you are not much more than “an electronic collage of bits of information, a digital person composed in the collective computer networks of the world.” In other words, a person may now be defined as just a few pieces of data. This data is your Data Self. Your Data Self is a collection of your credit report, facebook page, Google results, Bank account numbers, archived e-mails, and an endless parade of other data. Your Data Self is a digital alter-ego, with its own personality, dispositions, fallacies and mortality. Your Data Self also has the power to enter contracts, grant access to your financial assets, have surgery, commit crimes, or be kidnapped.
When your Data Self belongs to someone else, it can be forced to act against your will. If someone makes your Data Self sign a contract, you are bound by it. If your Data Self is convicted of a crime, you can go to jail. If someone forces your Data Self to take out a loan, you must repay it. If your Data Self has an operation, you may no longer qualify for medical insurance. If your Data Self is abused, stolen, sold, manipulated, or forced to act against its will, you suffer the consequences. In this sense, “Identity Theft” might be more descriptively defined as “Digital Kidnapping.” Identity Theft is when someone pretends to be you by “kidnapping” your Data Self, doing something bad, and you get blamed.
Data IS Self
In my view, this is a startling development. As long as my Data Self is a third party’s possession, then they can also treat me like property. The now popular crime of Identity Theft is the most visible consequence of this trend. In fact, the very term “Identity Theft” epitomizes the clash between the Data as Property and Data as Self theories of personal information: First, you have an alter-ego digital “identity” or Data Self; and second, your Data Self is subject to theft and abuse, like property.
Fortunately, the 13th Amendment ended slavery, and human muscle, once required for agriculture and labor, does not command the same economic premium in a post-industrial society. Instead, a person’s economic value now lies in his access to financial assets and credit. Our Data Selves are easy to coerce, and we are now worth more in bytes than in flesh and blood. As long as Data Selves are digital property, new crimes similar to identity theft will continue to arise, and our society runs the sinister risk of a new form of human trafficking: A type of Digital Slavery, where third parties can own, abuse, and force Data Selves to act against their will.
Aaron Titus is the Privacy Director for the Liberty Coalition, and welcomes feedback.
1. 19 NO. 7 Intell. Prop. & Tech. L.J. 5, 8
Posted: 12 Nov 2008 09:54 PM CST
I get so busy with work stuff, worrying about the economy, who will win an election, are we secure, that I sometimes forget what is really important. What is really important is spending time with my family and watching my two little babies grow up to be boys. I was reminded of that again tonight. A friend gave us tickets to the Florida Panthers hockey game. It was last minute and the two boys and I ate dinner, jumped in the car and headed down to the Bank Atlantic Center.
The Panthers do a great job putting on a show for the kids. Though the arena is less than half full, they have all kinds of contests and other kid related promotions and activities. My boys really enjoy going to Panther games.
I on the other hand really enjoy going to anything with my two sons. It never fails that they do and say things that make me realize how fast they are growing up and how lucky I am to have them. Tonight when they sang the Star Spangled Banner instead of having to tell them to stand, they both got right up. My youngest son Bradley took off his hat and held it over his heart. Watching this little 7 year old standing there at attention with his hat over his heart, singing the words to the National Anthem, I was pretty close to tears.
After this a commercial on the scoreboard talked about going to a local college and getting an education so that you "can go places". My 9 year old son Landon looked at me and said, "Dad that is what I want to do, I want to go to college so I can be like you and go places." I was so touched that he would want to be like me. I had to explain to him that going places was more than just actually going to different places, but that there was another meaning to it. I thought about it. I don't want him to have to go to different places, but I sure as heck hope that he does "go places". But the simple way he said this which encompassed how he thinks about me was enough to make me realize how blessed I am to have these two boys.
So remember time marches on and the little ones don't stay little forever. If you are lucky enough to have kids, cherish every day and moment you can spend with them. Before you know it, they aren't little anymore.
Posted: 12 Nov 2008 08:19 PM CST
Spam Drops After Internet Providers Disconnect a California Hosting Firm
By Brian Krebs
washingtonpost.com Staff Writer
The volume of junk e-mail sent worldwide dropped drastically today after a Web hosting firm identified by the computer security community as a major host of organizations allegedly engaged in spam activity was taken offline, according to security firms that monitor spam distribution online.
While its gleaming, state-of-the-art, 30-story office tower in downtown San Jose, Calif., hardly looks like the staging ground for what could be called a full-scale cyber crime offensive, security experts have found that a relatively small firm at that location is home to servers that serve as a gateway for a significant portion of the world’s junk e-mail.
The servers are operated by McColo Corp., which these experts say has emerged as a major U.S. hosting service for international firms and syndicates that are involved in everything from the remote management of millions of compromised computers to the sale of counterfeit pharmaceuticals and designer goods, fake security products and child pornography via email.
But the company’s web site was not accessible today, when two Internet providers cut off McColo’s connectivity to the Internet, security experts said. Immediately after McColo was unplugged, security companies charted a precipitous drop in spam volumes worldwide. E-mail security firm IronPort said spam levels fell by roughly 66 percent as of Tuesday evening.
Posted: 12 Nov 2008 06:39 PM CST
After a great week in Michigan, tonight we pack up and prepare to head to Ohio tomorrow. Friday promises to be busy and exciting – and then on Saturday, we head to Maryland (Metro DC) for a week. Which brings me to the gifts I promised:
Join a conversation, get a free copy (hardcover) of Into the Breach
First – while in Maryland, I am attending CSI next week in support of the CompTIA Trustmark. It turns out that a chapter of Into the Breach examines how to evaluate, build and improve "third party trust" – what we need for success with our service providers and other vendors.
CompTIA Trustmark is hosting a handful of "catalyst conversations" to discuss my findings and examine how the industry handles this today, and what we can do in the future. This is not a sales pitch; rather, this is an opportunity to come together and work toward a common solution.
For those invited to attend, CompTIA will present you with your own copy of Into the Breach – which I will promptly autograph for you. Drop me an email – securitycatalyst (gmail) if you want to join us.
This leads me to my second offering…
Not going to CSI? Do you want to?
CSI was generous enough to share with me two ways for you to get involved:
* I can offer (I think) a free conference pass with full access – based on response. Here's the deal – share with me the biggest challenge you face in changing how people protect information. The best answer gets a signed copy of the book and a pass to the show (I'll hand you the book at the show).
* If you are already planning to attend, you can get 25% off your registration with code: BLOG25
I will do my best to both tweet (twitter id: catalyst) from CSI and report on interesting talks/findings from the floor. I will also be taking a limited number of vendor meetings to learn more about the products and solutions that make it easier for people to protect information. Shoot me a note if there is a product you want me to check out and report back on.
Posted: 12 Nov 2008 05:22 PM CST
Sometimes when you try to explain something you can't help but muddy the waters. That is exactly what happened to Tim Greene in this article he wrote about endpoint based NAC in Network World. Hey I am not knocking Tim though. I get some of my best material from his column. Anyway, in this week's adventure Tim is seeking to compare the pros and cons of endpoint based NAC to other types of NAC technologies. He has the same old regular guest stars featured, Rob Whitley of Forrester, Ofir Arkin and a couple of special guest star NAC customers. I am not going to regurgitate Tim's entire article. Instead let's go to the
Here is the background. There are three types of NAC
Also, whether the NAC system is based on testing before or during a device logging on or just waiting until you see something bad is another way of separating the real deal from the pretenders in NAC.
So with that as a background here is what Tim wrote and what I say:
Come on Tim that is so 2005. I don't even think Ofir is pushing that crap anymore. Yes spoofed and static IPs are a challenge, but not fatal. There are many best practices to overcome this type of issue, not the least of which is an RDAC (remote device activity capture) or scan on connect module such as StillSecure Safe Access NAC has. Also depending on your switch and DNS/DHCP vendor you can handle this problem that way as well.
Tim, the "theoretical" problem of trusting an endpoint to report on itself is more real than that. Ask Richard Stiennon if you have any questions. In fact this is a reason why some people choose not to go endpoint based NAC. However, that is not the major downside to endpoint based NAC. The major downside is there is no guest access solution. What do you do if the endpoint does not have the agent installed and you can't make them install the agent? Saying that you then need a second type of NAC is not elegant as Rob Whitley says. In fact it is downright ugly. When you consider that guest or unmanaged access is the biggest driver in NAC, that pretty much sinks the endpoint based NAC approach.
Guys, if the only defense you have is IPS, that is fine, but let's not say that is an effective NAC solution for guests. You are bound by what the IPS can detect and it takes a lot of IPS boxes usually. Not a scalable model at all. Of course you could wait for McAfee to resurrect the Lockdown appliances. It didn't work before and it probably won't work now.
Now wouldn't it be great if there was one NAC solution that covered all of these bases from one management console? You bet. If you are looking for one that does that let me know or check out StillSecure Safe Access!
Posted: 12 Nov 2008 04:47 PM CST
There’s been a lot of discussion on cloud computing in the blogosphere and general press lately, and although I’ll probably hate myself for it, it’s time to jump in beyond some sophomoric (albeit really funny) humor.
Chris Hoff inspired this with his post on TCG IF-MAP; a framework/standard for exchanging network security objects and events. Its roots are in NAC (Network Access Control), although as Alan Shimel informs us, there’s been very little adoption to date.
Since cloud computing is a crappy marketing term that can mean pretty much whatever you want, I won’t dig into the various permutations here. For this post I’ll be focusing on distributed services (e.g., grid computing), online services, and SaaS. I won’t be examining “cloud filtering” and other network-only services.
Chris’s posting, and most of the ones I’ve seen, are heavily focused on network security concepts as they relate to the cloud. But if we look at cloud computing at the macro level, there are additional layers which are just as critical (in no particular order):
Down the road we’ll dig into these in more detail, but any time we start distributing services and functionality over an open public network with no inherent security controls, we need to focus on the design issues and reduce design flaws as early as possible. We can’t just look at this as a network problem - our authentication, authorization, information, and service (layer 7) controls are likely even more important.
This gets me thinking it’s time to write a new framework - not that anyone will adopt it.
Posted: 12 Nov 2008 02:18 PM CST
Dr. Tippett is on tour to let the world know about the data breach investigations report that his team put together and published earlier this year. At the very least, the presentation was entertaining, but there were even some interesting bits here and there.
Dr. Tippett is a scientist.
Assume that someone says: We need to patch one per day.
In Tippett's view, that is a hypothesis and a hypothesis needs to be tested to determine its validity. These tests can be performed either by analyzing data, or by conducting a controlled experiment.
In many cases, Tippett claims, testing a hypothesis (we need more of product X) will show that the marginal benefits of deploying more (of the same) technology do not outweigh the marginal costs. For example, patching once a day instead of once a month might be much more expensive than the costs that are averted by it. If that hypothesis is proven to be true, patching once per month instead of once per day would be a colossal waste of resources. The costs would not outweigh the benefits.
In an ideal risk-assessment scenario, sufficient data is available to estimate such a risk (defined as: likelihood ∙ impact) before a decision must be made, rather than in hindsight after a solution has been implemented.
Most organizations lack the body of experience to be able to compute these risks at all, or at least in a way that is statistically significant enough to be usable. Most organizations are unwilling (or unable) to design and execute an experiment and draw conclusions based on the outcome of those experiments.
These two observations are the death-blow for a formal risk management approach to information security.
Until sufficient reliable data becomes available (at reasonable costs), organizations will never be able to build their information security programs based on a formal risk management approach.
Posted: 12 Nov 2008 12:35 PM CST
Growing financial pressures, unforeseen threats, and a volatile and rapidly changing business landscape — apt descriptions for both the world economy and this year's Worldwide Infrastructure Security Survey.
Arbor Networks once again has completed a survey of the largest ISPs and content providers around the world. Some 70 lead security engineers responded to 90 questions covering a spectrum of Internet backbone security threats and engineering challenges. This fourth annual survey covered the 12-month period from August 2007 through July 2008.
A copy of the full report is available at http://www.arbornetworks.com/report
Posted: 12 Nov 2008 11:01 AM CST
VMware's biggest threat is virtualization-lite, or the confinement of the virtualization business case to hypervisor VLANS. VMware needs to get enterprises to the bigger picture, the full realization of the benefits of virtualization in the data center, including VMotion. Otherwise, deployments will only be limited to a subset of environments driven by novelty or perhaps [...]
Posted: 12 Nov 2008 10:48 AM CST
Alta Vista, Excite, Infoseek, Ask Jeeves - do any of these ring a bell? The back alleys of Silicon Valley are littered with the corpses of search engines that couldn't. Google has beaten most of these names into the annals of history. Only Yahoo and Microsoft (with their deep pockets) still put up some token resistance to the Borg-Google collective. Why? Do we like the Google color schemes? Do the double "0s" get us? Do we like the idea of advertiser based searching? No, no and no. We use Google because more than any other search engine out there, when we want to find something, Google finds it for us. The algorithms and intelligence Google uses result in what we are looking for. Forget Android, Google Apps, Google Maps and all of that other stuff, we use Google because their search renders the most relevant results.
Could there be a new player on the horizon that gives us more relevant results? Could there be a "riot" in the search arena? If you believe what the folks at OneRiot say, there very well could be. In an age of social networking, this is a social search engine. OneRiot gives you search results not based upon how many links there are to that page. The results you get are based upon the popularity of those pages as measured by people on the net. This should result in links not to the Wikipedia page, but to pages that real people look at when looking for a particular keyword. This could be the key to breaking out of the collective. To paraphrase what Jon Landau once said about Bruce Springsteen, I have seen the future of Internet search and its name is OneRiot.
Besides the search, OneRiot plays on its social media roots and has some really great add-ons. There are plug-ins for MySpace (why no Facebook, guys?), Twitter, web slices for IE8, etc. Check them out. Also you can make their searches better by installing their pulse checker.
OneRiot is based in Boulder, CO and in full disclosure I have some friends who work there. But don't let that hold you back. Go check out OneRiot and see for yourself that there can be more to search than being another drone of the collective.
Posted: 12 Nov 2008 10:04 AM CST
I've made no secret of my displeasure with the PCI Security Standards Council's lack of initiative when it comes to addressing the challenges and issues associated with virtualization and PCI compliance.
My last post on the topic brought to light an even more extreme example of the evolution of virtualization's mainstream adoption and focused on the implications that cloud computing brings to bear when addressing the PCI DSS.
I was disheartened to find that upon inquiring as to the status of the formation of and participation in a virtualization-specific special interest group (SIG), the SSC's email response to me was as follows:
On Oct 29, 2008, at 1:24 PM, PCI Participation wrote:
Thank you for contacting the PCI Security Standards Council. At this
time, there is currently no Virtualization SIG. The current SIGs are
Pre-Authorization and Wireless.
Please let us know if you are interested in either of those groups.
The PCI Security Standards Council
From: Christofer Hoff [mailto:email@example.com]
Sent: Wednesday, October 29, 2008 12:58 PM
To: PCI Participation
Subject: Participation in the PCI DSS Virtualization SIG?
How does one get involved in the PCI DSS Virtualization SIG?
So assuming that was the carrot approach, I'm happy to see that VMware has taken the route that only money, influence and business necessity can bring: the virtualization vendor 'stick.' To wit (and a head-nod to David Marshall):
VMware is Joining PCI Security Standards Council as Participating Organization
As a participating organization, VMware will now have access to the latest payment card security standards from the council, be able to provide feedback on the standards and become part of a growing community that now includes more than 500 organizations. In an era of increasingly sophisticated attacks on systems, adhering to the PCI DSS represents a significant aspect of an entity's protection against data criminals. By joining as a participating organization, VMware is adding its voice to the process.
"The PCI Security Standards Council is committed to helping everyone involved in the payment chain protect consumer payment data," said Bob Russo, general manager of the PCI Security Standards Council. "By participating in the standards setting process, VMware demonstrates it is playing an active part in this important end goal."
Let's see if this leads to the formation of a virtualization SIG or at least a timetable for when the DSS will be updated with virtualization-specific guidelines. I'd like to see other virtualization vendors also become participating organizations in the PCI SSC.
Posted: 12 Nov 2008 09:45 AM CST
The problem is, the number is more like 4 in 4.
The new attack method that Dan discovered is only slowed by the updates everyone installed, it isn’t stopped. Now instead of taking seconds to minutes to compromise a DNS server, it can take hours.
Thus if you don’t put compensating security in place, and you’re a target worth hitting, the attacker will still succeed.
This is a case where IDS is your friend - you need to be watching for DNS traffic floods that will indicate you are under attack. There are also commercial DNS solutions you can use with active protections, but for some weird reason I hate the idea of paying for something that’s free, reliable, and widely available.
On that note, I’m going to go listen to my XM Radio. The irony is not lost on me.
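One way to do the watching the post recommends, as an added example that is not from the original post: a threshold detector run over resolver query-log lines. It assumes the flood shows up as a single source asking for many never-before-seen names under one zone inside a short window; the log format, hostnames, addresses and thresholds are all constructed for the example and do not come from any real server.

```python
"""Flag clients that query an unusual number of distinct names under one zone.

Added example (not part of the original post). Input lines use a constructed
format: "<epoch seconds> <client ip> <qname> <qtype>", one query per line,
in time order. Real resolver logs would need their own parser.
"""
import re
from collections import defaultdict, deque

# Constructed log format; adapt LOG_RE to the resolver actually in use.
LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<client>[\d.]+) (?P<qname>\S+) (?P<qtype>\w+)$")


def parse_line(line):
    """Return (timestamp, client, qname, qtype) or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return float(m["ts"]), m["client"], m["qname"].rstrip(".").lower(), m["qtype"]


def zone_of(qname):
    """Approximate the zone as the last two labels.

    Simplification for the example: a real deployment would consult a public
    suffix list so that names like host.example.co.uk group correctly.
    """
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def detect_floods(lines, window=10.0, threshold=50):
    """Return one alert per (client, zone) that queries more than `threshold`
    distinct names within any `window`-second span.

    Lines must be in time order. State is kept per (client, zone) with a deque
    trimmed to the window; the example does not expire idle keys.
    """
    recent = defaultdict(deque)  # (client, zone) -> deque of (ts, qname)
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the detector
        ts, client, qname, _qtype = rec
        key = (client, zone_of(qname))
        q = recent[key]
        q.append((ts, qname))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({name for _, name in q})
        if distinct > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "client": client,
                "zone": key[1],
                "distinct_names": distinct,
                "window_start": q[0][0],
                "window_end": ts,
            })
    return alerts


def constructed_log():
    """Constructed sample: ordinary repeat lookups plus one client hammering one zone."""
    lines = []
    names = ["www.example.org", "mail.example.org", "cdn.example.net"]
    for i in range(60):  # background: three clients, three names, every 0.5 s
        lines.append(f"{1000 + i * 0.5:.1f} 10.0.0.{20 + i % 3} {names[i % 3]} A")
    for i in range(120):  # flood: 120 distinct names under one zone in 6 s
        lines.append(f"{1010 + i * 0.05:.2f} 10.0.0.5 r{i:04d}.victim-zone.example A")
    return sorted(lines, key=lambda l: float(l.split()[0]))


if __name__ == "__main__":
    for alert in detect_floods(constructed_log()):
        print(f"{alert['client']} queried {alert['distinct_names']} distinct names "
              f"under {alert['zone']} between {alert['window_start']} and {alert['window_end']}")
```

Tune `window` and `threshold` to the resolver's normal traffic; the background clients in the sample never exceed one distinct name per zone, so they stay silent.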
Posted: 12 Nov 2008 05:11 AM CST
I finally got around to testing Elcomsoft's WPA password cracking. If you'll remember, Elcomsoft announced last month that they could use the graphic card to crack WPA passwords 100 times faster than with a normal processor. I found it's not 100 times faster, but the acceleration is significant enough that if you do WiFi pentesting, you should probably get a graphics card to speed this up.
I ran their software on a number of systems. A screen shot of the results is below:
The systems are:
I tried out some other processors as well. Intel has shipped a new extremely-mobile processor (intended for cell-phones) called the "Atom". It has roughly a tenth the CPU power of the desktop processor.
I tested the MacBook Air. Its graphics accelerator is actually slower than the built-in processor. Its 9400m GPU only does 178 hashes-per-second, but the Core 2 Duo could do around 400 hashes-per-second.
Graphics cards work by having a lot of tiny/simple processors. Here is a breakdown of some typical processors:
In theory, the speed of the cracking software should correlate with the frequency multiplied by the number of cores. The card to get right now is probably the 9800 GX2. I just ordered one from Newegg for $274. It puts two chips together on a single card, which should make it faster (as well as cheaper) than the GT260. I spent another $200 to get a system to go around it.
Elcomsoft currently cannot handle different cards. Therefore, when running the cracking software on a MacBook Pro (which has a 9400m and a 9600m), you won't be able to use both simultaneously.
Posted: 12 Nov 2008 12:23 AM CST
Here is some information regarding this week’s Thursday OWASP - VA Local Chapter infosec meetup event. If you plan on attending, RSVP to Jeremy Epstein (email available in their post - linked below) so they can get your badge processing started.
For more information on the OWASP - VA Local Chapter, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the page with information on this meetup.
Posted: 12 Nov 2008 12:02 AM CST
Here is some information regarding this week’s Wednesday ISACA - Central Maryland (CM) Chapter infosec meetup event. A little late on this one I guess.
For more information on the ISACA - CM Chapter, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the page with information on this meetup.
Posted: 11 Nov 2008 02:33 PM CST
In my previous post titled "Cloud Computing: Invented By Criminals, Secured By ???" I described the need for a new security model, methodology and set of technologies in the virtualized and cloud computing realms built to deal with the dynamic and distributed nature of evolving computing:
This basically means that we should distribute the sampling, detection and prevention functions across the entire networked ecosystem, not just to dedicated security appliances; each of the end nodes should communicate using a standard signaling and telemetry protocol so that common threat, vulnerability and effective disposition can be communicated up and downstream to one another and one or more management facilities.
Greg Ness from Infoblox reminded me in the comments of that post of something I was very excited about when it became news at InterOp this last April: the Trusted Computing Group's (TCG) extension to the Trusted Network Connect (TNC) architecture called IF-MAP.
IF-MAP extends the TNC architecture to support standardized, dynamic data interchange among a wide variety of networking and security components, enabling customers to implement multi-vendor systems that provide coordinated defense-in-depth.
Today's security systems – such as firewalls, intrusion detection and prevention systems, endpoint security systems, data leak protection systems, etc. – operate as "silos" with little or no ability to "see" what other systems are seeing or to share their understanding of network and device behavior.
This limits their ability to support coordinated defense-in-depth. In addition, current NAC solutions are focused mainly on controlling network access, and lack the ability to respond in real-time to post-admission changes in security posture or to provide visibility and access control enforcement for unmanaged endpoints. By extending TNC with IF-MAP, the TCG is providing a standard-based means to address these issues and thereby enable more powerful, flexible, open network security systems.
You can read more about the TCG's TNC IF-MAP specification here.
Posted: 11 Nov 2008 12:37 PM CST
The day has come! I can't tell you how many merchants have hounded me for compliance dates outside the US and Canada, and then looked at me like I just told them the sky was red when I could not provide them. Visa, Inc. has formally announced global compliance deadlines (thanks JKA!).
If you are a global retailer, or a retailer not based in the US or Canada, the pressure is now on to become compliant with the PCI Standard! Feel free to reach out to a VeriSign QSA if you need assistance!
Posted: 11 Nov 2008 11:59 AM CST
A recent analysis of a compromised web site by eSoft's Threat Prevention Team led to the discovery of hidden links designed only to show up when viewed by web crawlers such as those used by Google, Microsoft and Yahoo.
The website reviewed, dancescape.tv, appears perfectly normal when viewed from standard browsers, but some PHP code has been injected that gives a long series of links designed to bump the PageRank of certain sites when viewed by a crawler.
The PHP code in question looks like this:
And resolves to this:
When viewing the page with a user agent of googlebot, you get a lot of links that weren't there before. Here's a screenshot of one of the less offensive examples:
In other instances, a ton of porn links and text are displayed instead of the pharmaceutical links shown here.
This confirms the trend from open compromise to covert compromise. Most malware already tries to hide itself; web site defacements also seem to be a thing of the past, as compromised sites are increasingly used for relaying attacks and for stealthier, income-earning purposes.
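A defender-side check for this kind of cloaking, added here as an example rather than taken from eSoft's analysis: fetch the same page once with a normal browser user agent and once with a crawler user agent, then report the links that only the crawler sees. The fetcher and both sample pages are constructed, and the `example.invalid` links are placeholders.

```python
from html.parser import HTMLParser

# Added example (not eSoft's code): detect crawler-only links by fetching a page
# under two user agents and comparing the anchors each response contains.

class LinkExtractor(HTMLParser):
    """Collect the href value of every <a> tag in an HTML document."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links

def cloaked_links(normal_html, crawler_html):
    """Links present in the crawler view but absent from the browser view."""
    return sorted(set(extract_links(crawler_html)) - set(extract_links(normal_html)))

BROWSER_UA = "Mozilla/5.0 (Windows NT 6.0) Firefox/3.0"
CRAWLER_UA = "Googlebot/2.1 (+http://www.google.com/bot.html)"

def check_site(url, fetch):
    """fetch(url, user_agent) -> html; returns the crawler-only links for url."""
    return cloaked_links(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA))

# Constructed sample responses standing in for a real HTTP fetch.
NORMAL_VIEW = ('<html><body><h1>Dance videos</h1>'
               '<a href="/videos">Videos</a> <a href="/about">About</a></body></html>')
CRAWLER_VIEW = NORMAL_VIEW.replace(
    "</body>",
    '<div style="display:none"><a href="http://example.invalid/pills">cheap pills</a>'
    '<a href="http://example.invalid/casino">casino</a></div></body>')

def demo_fetch(url, user_agent):
    """Stand-in fetcher: serves the injected links only to a crawler user agent."""
    return CRAWLER_VIEW if "googlebot" in user_agent.lower() else NORMAL_VIEW

if __name__ == "__main__":
    print(check_site("http://example.invalid/", demo_fetch))
```

Against a live site, `fetch` would wrap `urllib.request.Request(url, headers={"User-Agent": ua})`; any non-empty result is a sign the server is branching on the user agent and deserves a look at the PHP.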
Posted: 11 Nov 2008 10:13 AM CST
I was reading an article on SlashFood titled "Drinking Straw: Friend or Foe" and chuckled at the parallels to the reflexive hyping, purchase and (oft failed) use of "solutions" in the security space. Sometimes I think we need a securitysnopes.com:
Recently, a friend passed along a tip from a dermatologist: Stop sipping through straws. The doctor said it was the number one cause of wrinkles.
Even more recently, at lunch one day my aunt relayed some info from her husband, an orthodontist. He said that drinking through a straw prevents cavities and tooth decay, since straws allow sugary beverages to bypass your teeth. When my aunt said this, everybody around the table (six women) stuck straws in their drinks.
But when I countered with the skincare side of the question, my aunt was the first to pluck her straw right back out again.
Brings new meaning to "security sucks." What's your favorite "security straw" analogy?
Posted: 11 Nov 2008 09:58 AM CST
It has been an interesting two weeks – thanks to a catastrophic failure on the bulk of my web servers – thanks to an unannounced dreamhost switch/migration that resulted in their setting all permissions incorrectly. It's a long and boring story – loaded with insights for anyone involved in technology and customer service. But we're fixed – and I'm back.
The last few weeks have been pretty amazing; we have traveled the country from Upstate, NY to Kansas City…. Seattle…. And then back "East" to Detroit. We leave here on Thursday and head to Ohio for two days before heading on to the DC Metro area. CompTIA is sponsoring a book signing and give-away at the CSI show – so look for more details.
Last week – before the blizzards closed down sections of I-90 — we stopped on Monday at Mount Rushmore – and the entire family was taken with the effort on multiple levels. I was drawn to the history of the presidents – and will be spending more time learning about the character of these men, and the way they served themselves and their country. All very inspiring!!
Join the conversation. Take responsibility. Make a difference!
Discussion Forum Activity
I have noticed an exciting trend in the community – more and more people are coming together to "create." The community is reaching another level (and I will be forming a team of volunteers to help improve the available tools) – and it is exciting to realize that by working together, we really can make a difference. Here are some recent discussions ripe for contribution or learning:
Here are three community-based efforts that you can contribute to, or learn from:
Upcoming Opportunities to Work Together or Meet in Person:
List of community blogger and podcasters
(I am working to ensure the list is accurate and separate out the blogs from the podcasts — let me know if you need to be updated/included)
What Security Blogs and Podcasts are represented in this community? (http://www.securitycatalyst.org/forums/index.php?topic=28.0)
Here are some recent blog posts from Community Members that you may have missed:
About the Security Catalyst Community
We are a positively focused and supportive community that unites passionate professionals to achieve three goals:
(1) Provide a community where it is acceptable to be vulnerable and ask for help when you need it
(2) Create a community where anyone with an idea can share their approach in the pursuit of helping another. If today is your first day in security, welcome - share what you have learned without fear.
(3) Participate in a forum where members can share their passions, expand their thinking and find support with others who believe in making a positive difference.
Signing Up for the Security Catalyst Community
Your participation is your currency (meaning there is no charge to join) - the more you contribute, the more you learn and the more valuable the community becomes to everyone (so dive in and share).
Registration Overview (NOTE THE NAMING CONVENTION)
Select the register link
Follow the naming standard: firstname.lastname (include the period between first and last names)
Your account will be reviewed and approved
Jump in and share your thoughts!
Where is Michael - onTour Schedule & Updates
As we set out to journey the country, keep tabs on our schedule and opportunities to meet at www.catalystontour.tv or follow the progress of the book and speaking tour at www.intothebreach.com. As always, if you are on the way (or in the city we are heading), please contact me directly so we can meet. Our RV is our home, and our home is always open to our friends.
I am also spending more time on twitter these days - and would love to engage in the conversation with you. You can learn more about twitter here: http://twitter.com/ and "follow" and chat with me here: https://twitter.com/catalyst
Once the RV is repaired (working on it now) and our laptops restored (also in progress), we head right back out – and amazingly, don't really miss a beat!
Join The Security Catalyst LinkedIn Group
For active members of the Security Catalyst Community: http://www.linkedin.com/groups?gid=27010
Posted: 11 Nov 2008 09:21 AM CST
I was reading the RSA report on the Torpig/Sinowal trojan while stuck at the airport for several hours last Thursday. During my many hours of free time I overheard some IT executive discussing the difficulties of implementing data discovery and classification with his peers. I did not catch the name of the company, and probably would not pass it along even if I had, but the tired and whiny rant about their associated failures was not unique. Perhaps I was a bit testy about having to sit in an airport lobby for eight hours, but all I could think was “What is wrong with you? If hackers can navigate your data center, why can’t you?”
That’s where the RSA report just gelled my thoughts on the subject. If a small group, quite literally a handful of hackers, can use Torpig & BlaBla to steal hundreds of thousands of credit card numbers, steal accounts and passwords, install malicious software at multiple company sites … all without being provided credentials, access rights or a specific map of your IT infrastructure … why can’t your company classify its own data and intellectual property assets? You would think that a company, given a modest amount of resources, could discover, classify and categorize its own data. I mean, if you paid someone full time to do it, don’t you think you could get the job done?
Some of the irritating points that they raised …
“Data in motion made it difficult to track”: So what- the hacker tools are kept running and they never stopped scanning. Nor did they give up on the first try; rather they periodically modified their code to adapt for location and type of data, and they were persistent. You should be too.
“Difficulty to classify the data” and “Can’t find stuff you know is there”: So what- hire better programmers. Pressure vendors for better tools. Can’t afford expensive software? There is open source code out there to start with; hackers can do it- so can you. There are at least a dozen programmatic ways to analyze data, through content or even context, and probably even more ways to traverse/crawl/inspect systems. If the application your company uses can find it, so can you.
“Size of the project is difficult to manage”: So what- divide and conquer. Take a specific set of data you are worried about and start there. Compliance group breathing down your neck to meet XYZ regulation? Pick one category (customer accounts, credit card data, source code, whatever). Tune your tools and policies (you didn’t really think you were going to get perfection out of the box, did you?), address that problem, and move on. If you are starting with an ISACA or COBIT framework and trying to map a comprehensive strategy, stop making the problem more complex than it is. Hackers went for low hanging fruit- you should too.
“The results are not accurate”: So what- you’re not going to be 100% right all the time. The hackers aren’t either. Either accept 95-99% accuracy, or try something different. Or maybe your policy is out of line with reality and needs to be reconsidered.
“Expensive” and “Takes too much in the way of resources”: No chance! If hackers can run malware for 18 months at TJX and related stores UNDETECTED, then the methods used are not resource hogs, nor did they invest that much money in the tools.
Sometimes you’ve just got to stop whinin’ and git ‘er done!
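The "start with one category and tune your tools" advice above, as an added example that is not from the post: a minimal content-based discovery scanner that walks a file tree and flags files holding card-number-like data, with a Luhn check to cut the false positives behind the "results are not accurate" complaint. The sample tree, its file names and the test card numbers are all constructed.

```python
import os
import re
import tempfile

# Added example: content-based data discovery for one category (card numbers).
# Candidate runs of 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum; rejects most random digit runs (ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify_text(text):
    """Return the set of Luhn-valid card-like numbers found in text."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add(digits)
    return found

def scan_tree(root, max_chars=1_000_000):
    """Walk root; map each file holding card-like data to its count of distinct hits."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as f:
                    hits = classify_text(f.read(max_chars))
            except OSError:
                continue                 # unreadable file: skip, keep scanning
            if hits:
                results[os.path.relpath(path, root)] = len(hits)
    return results

def build_sample_tree():
    """Constructed sample data (industry test numbers, not real cards)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "exports"))
    with open(os.path.join(root, "exports", "orders.csv"), "w") as f:
        f.write("id,card\n1,4111 1111 1111 1111\n2,5500-0000-0000-0004\n")
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("ticket 1234567890123456 is an id, not a card\n")
    return root

if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

The 16-digit ticket id fails the Luhn check and is not reported, which is the kind of tuning the post is asking for before declaring the results inaccurate.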