Security Stallions Blog "Musings of all things infosec…"

2Feb/10

Doing it Wrong – Uncryption of the Enterprise

Doing it Wrong (DiW)
Jay Jacobs and David Meier

Dave: First I'd like to take this opportunity to say "Hi!" to all three SecurityStallion readers out there. I know things have been a bit sparse since September last year but that's changing in 2010. The Digs are back and there's also some new article formats we're going to be throwing around. So with that lead in I'd like to welcome the infamous Jay Jacobs. Jay is one of the more realistic security practitioners I've had the chance to work with (albeit indirectly) and I'm pleased that we can do this type of spot together respectably titled: "Doing it Wrong". But what is this and why should you care? Over to Jay for the explanation...

Jay: Dave and I have had many discussions on various topics and "doing it wrong" stuck out as a title because that's what I kept thinking about Dave and I think Dave kept thinking about me. These posts should reflect that mutual respect. I also like the title, not just the initial Ha-Ha-ness, but also because it reminds me that we learn best from mistakes. If I had gotten Sendmail working right away, I might not be able to spoof email with telnet. Realizing I'm doing it wrong means that I may be able to fix it. I look forward to challenging my way of thinking here.

Dave: Seriously Jay, you're still using Sendmail? That's a whole other DiW I guess! But, back to the meat: Uncryption of the Enterprise. So what does that really mean? Well, I've been around the track a few times (from a consulting perspective - it's really just like NASCAR, left turn, left turn, left turn...) and I tend to get riled up when things in the enterprise, that should be encrypted, are being tossed around the network, well, unencrypted. In fact often times when I bring up the fact that maybe those NTP updates should be encrypted or that OSPF adjacency is left ripe for the picking, or even FTP still being used as a primary transport facility in very, very, very large enterprises! WTF people? W-T-F? The best (and oft heard) excuse by far has to be from a monitoring perspective: "well then we can't see what's going on". The simple answer to that: if it's important enough to encrypt (PII, authentication data, sensitive information, etc...) and you don't have access to a point where you can extract, or view that data in flight - then maybe, just maybe, you shouldn't be privy to said data in the first place. I know, this might be a real shocker, but just because you're sitting in the SOC or NOC doesn't mean that because you can control the data flow that it's implied you should be able to read it. Encrypt if you have it, right? Jay? I mean, really, why not?

Jay: Yeah, I was still using Sendmail on my 286, but decided to upgrade for Y2K. Encrypt if you have it? There's a saying around cryptography, encrypting data is easy, it's the decryption that gets you. It's really easy to sit on a high horse (or Stallion, Dave) and say that everything should be encrypted, it's a whole different ball game to actually do it. As soon as data gets encrypted, a key is created, and then two things happen:

  1. Auditors flip to a new tab in their spreadsheet because a whole new set of controls around cryptography and key management must be understood, or at least implemented. Most IT folks, rather than view this as a development opportunity, see this as just more ways to screw up, which leads to...
  2. The typical IT admin gets a glazed look on their face and a mad rush ensues to find someone else to dump this crazy "encryption" on. Normally intelligent people all of a sudden look like they're being asked to captain the Titanic on her maiden voyage.

These two things are exacerbated by overly-protective frameworks and compliance controls that treat all the keys like they are dipped in gold then encrusted with diamonds. Generally speaking, a key is just a long password (with a few caveats). So, while encrypting NTP is a no-brainer in theory, in reality the key management in the products stinks and nobody wants to sign a form saying that they understand and accept their key custodian responsibilities (thanks for that one PCI).

Where to Fix (WTF)

Dave: I can see Jay's point (to a degree). To manage keying (as a process) and the keys themselves is a complex undertaking in large organizations. Fundamentally, however, encryption is a component of the enterprise. The task is simplifying it where it can be simplified. Use it as it was meant to be used: to keep things private. And don't, I repeat, don't use it as an afterthought or add-on unless there is no other option. If encryption wasn't designed into your system of systems from the beginning adding it after the fact usually buys you as much improved posture as the hunchback of Notre Dame.

Jay: That's the rub, nobody is capable of designing encryption in because everyone does it differently, people should get together and make some type of open and interoperable key management protocol. Because rather than simply saying everyone ought to turn on encryption everywhere, I think it's more appropriate to say that we need to focus on the support structure to implement encryption. Something like meetings once a week, "Cryptos Anonymous" I'd call it, where normally well-adjusted admins show up and say, "Hi, I'm Jay and I'm a key custodian". Either that, or a well defined key management governance structure with tools to back it up. Then we can start talking about encrypting the world.

Dave: "Encrypting the world" - <sinister laugh>Mua ha ha ha hahhhhhh!</sinister laugh>
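Added example (editor's code, not part of the original post or of ntpd): what "encrypting NTP" actually looks like in practice. The mechanism ntpd ships for this is symmetric-key authentication, not encryption of the packet: a 32-bit key ID and a digest of the shared secret prepended to the 48-byte header are appended to the packet (RFC 5905, section 7.3), so a receiver can reject time from anyone who does not hold the key. The shared secret is the "long password" Jay describes, and the key table below mirrors the shape of an ntp.keys file. The key IDs, secrets and timestamp are constructed for this example, and the verifier assumes a plain 48-byte header with no extension fields.

```python
"""NTP symmetric-key authentication: keyid || digest(secret || packet).

Added example. The key table mimics an ntp.keys file ("1 MD5 secret");
key IDs and secrets here are made up for illustration.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed key table in the shape of ntp.keys: keyid -> (digest type, secret).
KEYS = {
    1: ("MD5", b"correct horse battery staple"),
    7: ("SHA1", b"an-even-longer-shared-secret-for-sha1"),
}

_DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}

NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)


def build_client_packet(transmit_unix_time: Optional[float] = None) -> bytes:
    """Build a 48-byte NTPv4 client (mode 3) request header."""
    if transmit_unix_time is None:
        transmit_unix_time = time.time()
    li_vn_mode = (0 << 6) | (4 << 3) | 3  # LI=0, VN=4, mode=3 (client)
    ntp_secs = int(transmit_unix_time) + NTP_UNIX_DELTA
    ntp_frac = int((transmit_unix_time % 1) * (1 << 32))
    # stratum, poll, precision, root delay, root dispersion, reference id
    header = struct.pack("!BBBbIII", li_vn_mode, 0, 0, 0, 0, 0, 0)
    header += b"\x00" * 24  # reference, origin and receive timestamps are zero in a request
    header += struct.pack("!II", ntp_secs, ntp_frac)  # transmit timestamp
    return header


def compute_mac(keyid: int, packet: bytes) -> bytes:
    """keyid (4 bytes) followed by digest(secret || packet), as ntpd computes it."""
    ktype, secret = KEYS[keyid]
    digest = _DIGESTS[ktype](secret + packet).digest()
    return struct.pack("!I", keyid) + digest


def authenticate(packet: bytes, keyid: int) -> bytes:
    """Append the MAC for keyid to an outgoing packet."""
    return packet + compute_mac(keyid, packet)


def verify(message: bytes) -> bool:
    """True only if the trailing MAC validates against a key we hold.

    Assumes a 48-byte header with no extension fields, so everything after
    byte 48 is the MAC. Unknown key IDs (including 0, unauthenticated) fail.
    """
    if len(message) < 48 + 4:
        return False
    body, mac = message[:48], message[48:]
    keyid = struct.unpack("!I", mac[:4])[0]
    if keyid not in KEYS:
        return False
    ktype, secret = KEYS[keyid]
    expected = _DIGESTS[ktype](secret + body).digest()
    # Constant-time comparison; also returns False when the lengths differ,
    # which is what happens if a digest of the wrong type is presented.
    return hmac.compare_digest(expected, mac[4:])


if __name__ == "__main__":
    pkt = build_client_packet()
    signed = authenticate(pkt, 1)
    print("valid:", verify(signed))
    forged = signed[:40] + bytes([signed[40] ^ 1]) + signed[41:]
    print("tampered:", verify(forged))
```

The verify step is the whole point: a server or client that does not check the MAC accepts time from anyone on the path, and key IDs that are not in the local table are rejected rather than treated as "unauthenticated but fine". Note that nothing here hides the timestamps; an observer on the wire still sees them, which is why this is authentication rather than the encryption the post argues for.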

1Feb/10

The Digs – 02.01.2010

Well.  Hi there!  I know, it's been a while.  So long, in fact, that I swear when I fired up this new post I could hear the gears of the backend squeak to life as they've been sitting idle since last September.  Yes, it's been far too long and much has and hasn't changed.  Why bore you with the details though?  Let's get back to where we left off.

One quick note before we get started.  A quick read would have noticed the name change to "The Digs".  I find it laughable now (the wonder of hindsight) that I had such high hopes for being able to do this every day.  Truth be told there's far too many things elsewhere and too little time.  Here's your new SLA: "The Digs" will appear on average 2-3 times per week catching up between posts.  And now, on to the digs...

First up is Gunnar.  I like Gunnar 1) because what he says is most often highly cogent and 2) because he has to deal with cold shitty winters too.  Thanks Gunnar.  Oh and thanks for finally bringing up APT.  There's a point in the post about the $6 billion in arms we're sending to Taiwan that will, likely, impose sanctions of what China buys from us in the future.  Here's my reply:  "Dear China, How's it going?  Don't worry about that whole Taiwan thing.  I've seen the shit we were selling to Taiwan a few years ago and you've got no worries.  Really, it's kind of like the toy you get out of a Cracker Jack box (because it'll all be yours eventually anyway).  If you don't understand the Cracker Jack thing I'm sure there's an article on Wikipedia.  Later China!".
[APT - The Sonny Response or the Michael Response?]

I like hardware.  Except when it sucks.  I'm often confused why small (and even medium sized) businesses buy hardware from large vendors (like those that start with a 'C' and end with an 'isco' - don't get me wrong, there is a time and a place along with an OC-12) when all they want to do is bring in some simple routing functionality, with a sprinkle of firewall and maybe, if they're feeling saucy, some IPsec on top.  So when I saw this new Netgear appliance and its awesome price of roughly $275 I said to myself: "Wow, that underpowered old Linux kernel that will rarely ever be updated is just up my alley!".  OK, I didn't say that.  But, really, if you want that sort of thing people just pay someone to deploy and manage some pfSense boxes for you.  But if you're really still interested, by all means...
[Netgear Releases New Gateway Security Appliance]

OK, full disclosure here: I am the whipping boy over at Securosis (aka 'the intern').  But I'm glad someone said it (thanks Adrian!).  To all you big guns out there scrapping what you've got in house and churning out your next big thing - Agile & Scrum sux0r for your security.  Yeah.  SUX0R (with a capital zero).
[Firestarter: Agile Development and Security]

I laughed when I saw this next one.  Make sure you defrag your "Secure End Point Management (SEPM) server boys and girls!".  Well, for starters that implies it's probably running some old version of Windows.  Oh yeah, they state 2003 in the article.  Maybe it runs on Windows ME though, you never know.  Oh, and it's x86.  Awesome.  SEPM jokes anyone?  The article title just makes it sound incontinent or something.
[Defrag Your SEPM Server Regularly]

I'm not going to say much about this next gem I found over at NetWitness other than the fact that if you really think IDS started "several negative trends that are still affecting the psyche of security personnel today" then maybe the blue pill really is for you.
[IDS Legacy is Institutionalized Failure]

So last year I had a conversation with someone about IE6.  To preface - I know of a special place I visit on a regular basis during the week that still has IE6 as part of their base workstation build.  Anyway, so I had a conversation last year about when this individual thought IE6 would be eradicated from the environment.  And their answer was around 2012 or 2013 when XP wouldn't be their base OS.  I proceeded to choke on my coffee.  They, on the other hand, were serious.  So I love to spam people like this with all of the love in the air for IE6 as of late.  Because, really, you thought even Microsoft could save such a fine piece of work?  Fat chance.
[Tide Turns Against IE6 as Usage Drops]

Let's round out our first post for 2010 (and hopefully not the last) with another great one that has to do with China.  The EFF has an article up about how US-based companies need to stop "selling Chinese authorities the surveillance equipment used to commit or facilitate human rights abuses".  This assumes that 1) China hasn't already ripped off IP from these companies which could be used to, well, remanufacture them and 2) that China doesn't have the upper hand from a monetary perspective right now.  Just food for thought.  Wasn't Cisco's source ripped off a few years ago anyway?  China could just always run a big virtual network with GNS3 anyway, right?  :)
[Seven "Corporations of Interest" in Selling Surveillance Tools to China]

We'll leave you with these final links...  Thanks for reading!

[New Laws Close in on Hackers] - Seems rather timely, no?
[Cable Modem Hacker Faces Potential 40 Year Prison Term] - The Internet just wants to be free, what can I say?
[Researchers Uncover Security Vulnerabilities in Femtocell Technology] - Where "technology" should say "hardware" because, surprise surprise!  Your shitty embedded Linux hackery was reversed.
[Adobe Flash Security on Menu at BlackHat] - As if to say any Adobe technology hasn't been on the menu for the past, what, 5 years?  Keep on keepin' on Mr. Mike Bailey!

15Sep/09

Daily Digs – 09.15.2009

Amazing, I actually started tonight's digs before 10pm.  Then I realized that I hadn't read most of what I marked for tonight so it'll take me just as long by the time I actually get this one posted.  I just can't beat time these days!

The 'ctricky and Web Application Security' blog had a post with some great insight on things to ask during an app sec test.  I've never actually run across this particular scenario before but the point is that JS pop-up warnings mean nothing to your proxy and may present warnings that the tester will never see (like "If you do this you'll break all of prod").  Anyway, read the post for the full rundown.
[BToD Target Scope and Precautions]

VeriSign's new DDoS attack protection service is an interesting topic for me.  I've dealt with countless large enterprise carrier services along with the architecture around load balancing and multi-homed environments.  So offloading all of your traffic in an event (i.e. throwing the BGP switch) to VeriSign seems a tad bit scary, oh - but no worries they'll route the good traffic back.  The other thing is all of the Netflow data VeriSign collects (to do this) is an interesting concept.  To me, architecturally, this looks like a bad idea and maybe I'll just have to dig into this one a little more.  For now you can start your own opinions by starting to read about it at the link.
[VeriSign Extends DDoS Attack Protection]

Work in defense?  Then COTS is something you probably deal with on a daily basis.  The funny thing is that when I started my career in the defense industry a lot of proprietary hardware and software were being gutted for COTS.  Even I knew (as I started out as a System Engineering Associate) that the square peg they were jamming in the round hole didn't fit.  Apparently the cyclical monster is coming around in the DOD on this one.
[DoD Rethinking Build Versus Buy]

West side what?  Go figure - China modeling how to take down the US power grid for fun.  Reminds me of a conference I was at a few years ago in which a consultant disclosed some interesting facts about the substation and grid connections the Mall of America has in its substructure.  We then learned how to shut the lights off in all of the neighboring communities that particular day.
[DHS to Review Report on Vulnerability in West Coast Power Grid]

This was one of the best / most disturbing banking related articles I've read in a while.  It's also why you shouldn't do most any online business with HSBC.  I hope HSBC just had a PCI audit done by a large firm so that particular QSA can head to the chopping block.  This one's just downright "special" (and not really from today, but I ran across it in my feeds).
[So Funny I Forgot To Laugh]

This one came across the OSF data loss incidents list and it made me think.  Do you really think Jones General Store has any idea of PCI?  PCI is so focused today on big business and infrastructure security, yet these types of processes still exist in hundreds of thousands of small businesses day in and day out.  In fact, this past weekend, I saw more carbon copies of card data at a local art fair than I'd care to pretend were still around.
[University Hill Shops Burglarized; Credit Cards Stolen]

As of this posting less than 19 hours until the Social Engineering Framework is released.  Mark it on your smartphone yo.
[Social Engineering: Exploiting Human Vulnerabilities]

All you need to know about this one: "Operation Hot Date", Dumb Sheriff in Florida, and Craigslist for your evening entertainment.
[Another Sheriff Goes After CL]

That's all he wrote for tonight boys and girls.  We'll leave you with some links to peruse, but without the colorful commentary.  Take care and keep your stick on the ice!  Also, first person to tweet "I won the easter egg hunt at www.securitystallions.com" and @s me in the message wins a $20 Starbucks gift card (first person = one winner).  Figuring out where to find me on Twitter should be trivial.  Get your tweet in before 10:30pm on Wednesday, September 16th 2009 Central.

[Does IBM Have a Fix for Banking Infrastructure?]
[Security Attitudes]
[Thoughts on the Cult of Schneier]
[Pwnage Tool and iPhone 3.1]
[AMD 'Eyefinity' Powers 24 Monitors]
[A BSoD and Possibly More]
[No TCP/IP Patches for XP]
[OpenDNS Announces Premium Cloud Services]

14Sep/09

Daily Digs – 09.14.2009

Well, "daily" has been more like "weekly" as of late, but the digs are back.

I think this one is good on a few fronts, but mostly from a humorous perspective.  Joe Lieberman and Susan Collins should stick to whatever they do best - and that doesn't include addressing "cyber crime".  They're proposing a public / private relationship so that the government (really?) can help them defend against attacks.  OK, didn't the FBI's website just get defaced recently?  Unless the blunt plan is to put up some sort of subsidy (which I'm not at all endorsing) the government is just going to spin up more useless programs that are run by people who just-don't-get-it.
[Committee Examines Growing Cyber Threat to Businesses]
[FBI Jobs Site Gets Hacked]

Unique is not random is not secure.  I'm not sure that's a complete sentence, but it sums up the article on Newsoft's Tech Blog rightfully.  For a run down of examples on the differences in the three concepts hit up the link.
[Unique is Not Random is Not Secure]

The Consumerist ran a story this morning with video from LiveLeak on a man installing a skimmer.  I'd have to say that I'm definitely more cognizant when using ATMs that are non-bank affiliated and portable.  At one point in time I really didn't like ATMs that sucked the card into the machine, however today it makes sense as less risk to me.
[Guy Installing Skimmer on ATM]

I can honestly say I really didn't know much about 'RNS' before I read this article today, but the Feds seem to have cracked down on a few of the key members.  I'm not sure why the title references RNS as an '0Day' group however.
[Fed Crackdown on 'RNS' Signals Death to Oldest 0Day Group Online]

Don't have the cash or time to go to one of the big name cons?  ChrisJohnRiley posted an article about the first online hacker con entitled SecurityTubeCon.  There's a call for papers (& vid) out until October 20th, so get your talk ready to go!
[First Online Hacker Conference]

That's all the time we have for comments tonight, but we'll leave you with some other links to ponder.  Thanks for stopping by!

[Windows Autoplay Behavior Updated]
[Gustav, the Hackerspace Twitter Bot]
[Loan Officer Indicted for Fraud and ID Theft]
[Dradis 2.4 Released]
[PhoneCrypt is Available for the iPhone (and entirely overpriced)]
[20 Temporary / Disposable Email Services]
[Hacker's Hideaway ARP Attack Tool Released]
[SourceFire's Vulnerability Report for September Screencast]
[Practical Intrusion Analysis Book Review]

8Sep/09

Daily Digs – 09.08.2009

Good evening ladies and gentlemen!  I almost inadvertently said it was Monday and it feels like forever since the last digs.  I've been out of pocket and/or busy unfortunately and digs usually takes a little time to get together.  But they're back and for our Labor Day week we started out with a lot of great articles.  On to the show...

First up is the SMB vulnerability.  Ahhhh, flashback to the early 90s when BSODs were all the rage and ripe for the picking.  Microsoft has handed us a blast from the past - providing this undocumented feature in Vista and Windows 7!  I'm sure you've already read about this one today, but if not here's the original source:
[Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D]

As a strong proponent for great OSS I noticed today that OSSEC v2.2 is out.  Now sporting some fabulous Wordpress plugin functionality and some other extra bells and whistles.  Check the changelog for all the dirt.
[OSSEC v2.2 Released]

Are you a web dev that happens to be working with Flash?  Sucks to be you.  I mean HP has just the thing to help make sure your code doesn't completely suck!  HP SWFScan to the rescue.  (Disclaimer: I haven't tried this software so I'm not vouching / recommending this in any way)
[HP SWFScan]

Apparently beer and pizza can be some great brainstorming food because 'cktricky' and 'jack_mannino' came up with how to use Burp through TOR to maintain your anonymity.  Mubix is the voice for the screencast if you're a fan.  Yeah, there's vid for all y'all #lazyweb folk.  No reading required.
[Obfuscating your IP using a Burp/TOR/Privoxy Combo]

I'm not sure where some of these organizations come from but here's a new one for me: ITIPA (Industry Trust for IP Awareness).  Yeah, not overly obvious but these guys came up with the all-clever 'Generation Y-Pay' label that they've given to the bulk of 16 to 34 year olds.  I fit this age range and gladly pay for all of my digital media.  Well, not always gladly, but I see the value and effort required to produce.  We're not all leechers ITIPA, maybe it's just those Brit youngsters.
[Generation Y-Pay]

Bored on your morning commute?  There's plenty of people out there that'll yammer their perspective on just about anything related to security these days.  Chris John Riley's compiled a great list.  Some of them are great and some of them sound like a broken record of Core Impact / Nessus advertisements, let's be honest.  Either way you can't beat the price!
[Filling Your iPod]

Ars has a fabulously more-in-depth-than-I-probably-needed article on the status of IPv4.  I don't agree with the general FUD laced throughout, but it's something to keep in mind.  Dust off those IPv6 books you bought from the last round of "OMG-THE-INTARWEBZ-IZ-ENDING-OH-HAI-IPV6", you'll need it - eventually.
[2010 Could be the Last Year of IPv4]

Not exactly the typical security relation here, but security in a different way.  More like security of interoperability when venturing into uncharted waters with regards to new tech.  Enter TomTom's OpenLR.  OpenLR will enhance your once boring drive to the grocery store through whizbang location based services that you'll wonder how you lived without.  OK, maybe not, but it's never a bad idea to be the first to open things up a bit - especially when it can be rather costly to build proprietary data stores that are constantly repeated and generally lack optimum updates when it comes to the GPS market.  The times they are a-changin'.
[TomTom Launches Open Source Navigation Product]

Apparently DHS wants to be accountable to PCI these days.  Philosecurity brings us the info on what was retrieved from the ATS system in a real copy of an American citizen's record.  Scary scary.  Scary.
[What does DHS Know About You]

FUN STUFF - I just had to throw this in because apparently one of the largest games of Monopoly starts tomorrow.  Best be stayin' away from 4th Ave N in the 612 - all mine.
[Google Maps Giant Game of Monopoly]

I remember the days gone by when I used to rent a Nintendo on a Saturday morning and play non-stop until I had to return it the next day (my parents allowed computers but not consoles).  Now you can rent a botnet by the day!  Who'd have thunk?
[Want to Rent an 80-120k DDoS Botnet]

And here we go with some new trials and tribulations.  Some favorited tweets of the day:
--------------------------------------------------------------------------------------------------------

31Aug/09

Daily Digs – 08.31.2009

It's Monday and, unfortunately, that means August 2009 is almost behind us.  That means, for many, back to school and the end of summer.  If only I was that lucky!  It's this time of year that the cool air and soon-to-be-colorful trees remind me of those days gone by of college campus life.  Enjoy it while you can you youngins!  On to the digs...

Uh oh!  Microsoft and the Linux kernel today faced exploit code being posted to milw0rm.  Although the Microsoft vuln is, obviously, getting much more attention do your due diligence to check both out.  The Microsoft exploit affects IIS5.0/6.0 and is a remote overflow while the Linux sploit code is the local NULL pointer dereference we've seen talked about more recently.  Get 'em while they're hot!
[Linux Kernel sock_sendpage()]
[Microsoft 5.0/6.0 FTPd Remote Root]

ThreatChaos is claiming Cisco better be watching their back due to a new integrated platform 3COM has just unveiled.  Basically the claim is that routing platforms are, and have been, a commodity for years now and that integrating security functionality (not sure how firewall functionality is "new" here since all of the features listed are, and have been, in high-end firewall platforms for a considerable time now) will be the new de facto standard.
[Watch out Cisco]

MacPorts, today, gets a significant point release.  1.8.0 is out on the table now with disk images out for Snow Leopard if you've done a clean install over the weekend (I did).
[MacPorts 1.8.0 Released]

The TrendLabs Malware Blog has a good rundown of info around the trojan that's targeting Skype users.  The trojan hooks the send and receive APIs so that the voice conversations can be saved before any encryption is applied.  Trend says the trojan looks to be rather tame now with regards to the fact that it's not actively sending data out today, but that doesn't mean it won't in the future either.
[Trojan Targets Skype Users]

Now I'm not a big fan of SolarWinds utilities to begin with.  Sure, over the years I've used some of their utilities but when it takes multiple megs of proprietary code to install a TFTP server one has to wonder what's really packed in there.  The products themselves are rather underwhelming and there are far better free alternatives available.  But, if you'd like to mess with that coworker that is all about SolarWinds tools tell him/her to spin up the TFTP server for you to DoS.  The PoC code is there in the links as well.
[SolarWinds TFTP Server DoS]

Saint 7.1.1 was released today with some handy new features and vulnerability checks.  Check out the Security Database Tools site for the rundown.
[Saint 7.1.1 Released]

Could that medical imaging procedure you just had pose a serious risk to your long-term health?  CNET has published that 2% of all cancers could be attributed to radiation during CT scans alone.  Scary stuff.  So should more disclosure be required to help patients make a more informed decision?
[Medical-Imaging Procedures Always Worth the Risk]

The SSA is supposedly testing Microsoft's HealthVault (their online health record service).  It's one thing for a particular hospital or clinic to do this, because then I can avoid them at all costs.  The SSA on the other hand, not very avoidable.  Who's making these decisions?
[SSA Testing Microsoft HealthVault]

When in doubt, reformat.  An interesting and, rather non-technical and unscientific, reasoning behind the motto.  Interesting for the perspective alone from a typical end user.  I got the chills when reading the part about IE 6.
[When in Doubt, Reformat]

So is the Conficker worm sitting dormant until an opportune time?  John Markoff has a slightly FUDish piece up that describes the "rogue software" as a ghost ship.  Maybe it was written by the Chinese government to see how far it could infect machines deep within the confines of the Pentagon?  But maybe our own government is behind it...  What do YOU think?
[Conficker Waiting to Strike]

And that's all for the commentary tonight boys and girls.  Here's some links that are news noteworthy as well!
-windexh8er

[Best Definition Ever]
[Security Solution for Craigslist]
[St. Luke Worker Accused of Stealing CC]
[Bill Tones Down Power to Shut Web]
[Trend Launches New Security Tracking Tool]

27Aug/09

Daily Digs – 08.27.2009

It's Thursday and so, so very close to the weekend!  That's the good news.  The bad?  I was surprised nobody picked up on the easter egg that was in yesterday's digs.  We'll do one again soon, so keep an eye out.  On to the short list for today (and it is a short list, as there wasn't a whole lot that was genuinely interesting).

Some juicy Skype trojan sourcecode is available for download.  Yes, you read that right, it's like it's being featured as your run of the mill download over on Megapanzer.  My favorite part?  The author says "If you don't like this...  well I can't help you".  Awesomesauce.
[Skype Trojan Sourcecode Available for Download]

I'm not the biggest fan of the "Insecurity Complex" blog over on CNET, but I'll give this one to Elinor.  Probably because I'm a fan of Dino and Charlie, but the article shed a little bit of extra light on both these hacker extraordinaires.
[Researchers Who Hack the Mac]

Get stuck on the Brucon wifi puzzle?  Didier Stevens to the rescue with a fabulous, and illustrated, run down of one way to solve.
[The Brucon Wifi Puzzle]

C'mon Greg - Apple's not completely ignorant.  The stance that "Apple doesn't want to tarnish the reputation..." because there's been little fanfare around the new malware detection in Snow Leopard is a slight stretch in my mind.  In the end it's a good thing and if Apple wanted to spin it they could just come out and say that it's there because a vast majority of platforms are now running virtualization or could potentially benefit in Boot Camp scenarios from it.  Rant rant rant that Apple is lackadaisical on the security front and then the only thing industry "experts" have to say is that it's hidden to avoid defeat?  You be the judge, but I'll take it for $29 and a slice of pie.
[Apples Secret Security Update]

DLP, art thou just like NAC - great in theory but el suck in reality?  Short answer: yes.  DLP is not "prevention" in any sense and for Symantec to market the product like that is just sheer bullshit.  DLP is signature based just like failing A/V of today with some lightly baked heuristics thrown in to say that they can detect anomalies.  Long story short is that DLP is only useful (today) in situations where legit employees accidentally try to disseminate data or don't understand the problem with it.  But at the end of the day if I want to get it out the door big yellow's software surely won't stop me.  I'm more interested in how Symantec even lets blog posts like that get posted - Jonathan did a good job of throwing his company under the bus by explaining how Symantec "buys" security which screams "we-can't-develop-it-ourselves".
[Could DLP Have Prevented the Goldman Sachs Issue]

Well boys and girls that's the short list for today.  Check back this weekend for the first redux in a while!
-windexh8er

26Aug/09

Daily Digs – 08.26.2009

When you miss two days of links they start to pile up in the, well, pile-o-links!  Lots of good info in the security space for this week so we'll get right to it.

First up is all about ignorance.  It seems, as reported by Larry Walsh, that security VARs do well when their customers are willing to take the look-the-other-way approach when it comes to security.  Not surprisingly when events do happen it gives the particular VAR called in an opportunity to upsell services.
[Survey Shows Ignorance Works in Security VARs' Favor]

Quine, who now runs the Security Twits group, got some XSS fixed in SimpleID's login page.
[Simple ID XSS vuln -- FIXED]

A new (as of yesterday) proof of concept for hijacking lightweight Cisco APs has been dubbed "skyjacking".  There's only a few thousand words that sound cool in front of "jacking", so hurry to get your exploit registered so you too can "jack" something!
[Cisco WLANs at Risk of Skyjacking]

Why Jon Green is trying to breathe life into NAC is beyond me.  It's been beaten to a pulp as tech centric NAC vendors are fading left and right, but then again it's just a new elevator pitch for Aruba's wireless spread.  If you're interested in his pitch you can read it over on SC.
[Wi-Fi + NAC = BFF]

Maybe I'm not understanding this correctly but all the buzz around "cracking GSM" doesn't really have me worried.  Maybe the encryption schemes are the same but GSM != UMTS and all 3G phones generally have UMTS air interfaces today (iPhone, etc).  So, yes, theoretically you can eavesdrop on an iPhone user's call, but only when operating using GSM.  Since GSM uses time division multiplexing it's not really all that astonishing that this can be done trivially today, whereas UMTS of most all carriers in the US uses frequency division for multiplexing.  But, if you'd like to proclaim the sky is falling continue on soldier.
[iPhone Eavesdropping Coming Soon]

I have waaaaaaaaaaaaay too much knowledge of the FWSM.  In fact I know that the FWSM itself is actually missing a chip from production called "Titan" (used for handling multicast traffic, which subsequently has to be offloaded to the Sup because the chip is missing, creating a lot of overhead in certain conditions).  So I was giddy when I saw this article about the FWSM being prone to a DoS from specially crafted ICMP no less!  During my year long stint in getting far too cozy with FWSMs in large production environments we had found two similar bugs.  Let's just say I'm not a fan.
[Cisco Warns of FWSM Flaw]

All the cloudtards had much to say today with the announcement of Amazon's latest and greatest addition to its lineup.  Get ready for it: VPC, boys and girls!  Yes, Amazon took their existing AWS architecture, segmented a few boxes, stuck an IPsec VPN in front of it and rebranded this amazing new service!  It's a whole new chapter in cloud services I tell you -- or wait, I've been able to offer that same service to my home network for the past ten years.  So if you wanted to stay connected to your shiny new VPC all year long you'd have to pay over $400 alone just in VPN connection fees.  Sounds like a profitable business model to me considering they probably run a few thousand terminations on one concentrator and split out the traffic on the back into L2 trunks or L3 VRFs.
[Amazon Introduces VPC (and cloud fanatics wet themselves)]

Mr. Peterson has had some interesting posts lately and I was intrigued by the title of his latest: Chuck E. Cheese's Authorization Protocol.  Bet Wireshark doesn't have a parser for that!
[Chuck E. Cheese's Authorization Protocol]

That's it for today, we'll leave you with the grab-bag-o-links!  First to comment gets a $10 Starbucks gift card; the comment has to be within 24 hours of this post (which posted around 11:05pm Central).  Make sure to leave a valid email address!

[Majority of Charges Dropped Against Rogue Admin]
[Testing SNMPv3]
[John Cran's BSides Video]
[Study on the Analysis of Netbot and Design of Detection Framework]
[Ranum vs Nickerson on Penetration Testing]

24Aug/09

Daily Digs – 08.24.2009

It's Monday evening and time for another round of Daily Digs.  We'll be back to our regularly scheduled Weekend Redux this weekend.  Today I spent the afternoon at the Twin Cities OWASP mini-con and while it was generally pretty good, only one of the three speakers was really that good, and that was Pravir Chandra discussing OpenSAMM.  I would highly recommend checking it out.  That aside, we're on to the digs...

The NYT Bits blog has some interesting insight into Clampi and real-time keystroke logging.  There's been considerably more press on Clampi as of late but this article has some interesting tidbits and if you're not in the know it's a good place to start.
[How Hackers Snatch Real-Time Security ID Numbers]

Registration for the GNU Hackers Meeting November 11-13 in Sweden was announced recently.  Brian Gough posted the info to the GNU forum.
[Registration Open for GNU Hackers Meeting]

Apple is shipping the next release of the OS X series this coming Friday (28th).  Although the linked article doesn't mention it, ZFS has all but disappeared from the documentation on Apple's site.
[Apple to Ship OS X Snow Leopard August 28th]

Need high quality random numbers?  Then you need the Simtec Entropy Key.  Product marketing aside, understanding why and how the key can help is always good information to have under your belt.
[Simtec Entropy Key]

Cisco today released an active security advisory around BGP (specifically related to update functions).  Not surprising though, as Cisco has recently been pushing advisories that are quite similar in nature.  I think you'll see more targeted attacks focusing on XR as it starts to finally gain more mainstream acceptance.  The modularity in XR allows easier updates, but that doesn't mean lots-o (broken) legacy code didn't get carried over.
[Cisco IOS XR Software Border Gateway Protocol Vulnerabilities]

Jim Manico has a post up today about when it's a good time/place to use OWASP's AntiSamy.
[When to use OWASP AntiSamy]

Stoned Bootkit got some updates today with a new code release along with some extra documentation.
[File System Drivers]

Failures can oftentimes be funny, so this list of failures in terrorism has a few good laughs.  My favorite line: "The bomb explodes, disintegrating Ahmed and showering his partner Sa'ad with retard bits".  While not exactly PC, it's some good reading.
[The 5 Most Embarrassing Failures in Terrorism]

That's it for tonight boys and girls, we'll leave you with a grab bag of other good links.
[Teenage Hackers: Making a Better World]
[Updated Groklaw: Apple vs. Pystar]
[Exactly Why Data Breaches Happen]
[Microsoft, Google and VMware Redefine the OS]
[Windows Incident Response: Virtualization]
[Pirate Bay Down After ISP Cuts Connection]
[Mass Infection Turns Websites Into Exploit Launch Pads]
[SubSeven is Back]
[Google to be Used to Control Botnets]
[Sony Debuts HD Security Cameras]
[Canada Takes Lead Role in Facebook Privacy Issues]

19Aug/09

Daily Digs – 08.19.2009

Good Wednesday evening everyone!  We're over the hump and on our way to the weekend, so let's get right to the digs...

First up is a little bit of interesting research from our friends over in Redmond on de-anonymizing the Internet.  The paper is all about a newly dubbed system called HostTracker.  The basis of this particular system is to "...track bindings between hosts and IP addresses by leveraging application-level data with unreliable IDs."  But, before I muddle the topic any more, head on over to check out the PDF.
[De-Anonymizing the Internet Using Unreliable IDs]

Everyone's heard of the IronKey, but today there was some buzz around new functionality, specifically with regard to malware protection on the new product.  The new functionality comes from a company called Tresys and is called FiST (File Sanitization Tool).
[Malware Protection on USBs from IronKey]

The SANS network forensics puzzle is still on like Donkey Kong!  Submissions need to be in by September 10th, so get a move on.
[Network Forensics Puzzle Contest]

Network World today is telling us that managed security services are all the rage.  Yeah, just like blink-tastic security boxes.  And firewalls.  The real question is which managed security services don't suck?  Hit the link for some statistics you could very well have lived without.
[Managed Security Services All the Rage]

Well, thankfully you don't need to give up your SSN to get a room from Radisson, or you might be in more hurt than you already are.  News out today is that Radisson is disclosing a breach and advising customers to "review your account statements and credit report".  Thanks, Captain Obvious!
[Radisson Hotels Suffer Data Breach]

Gunnar Peterson, representing the 6-1-2, has a fabulous story of - firewalls!  OK, not really, but read the article, it's been the most entertaining thing so far for me today.
[There Are No Firewalls]

Did Symantec identify your site as "dirty"?  They've got the worst-of for the summer of 2009 up and CNET has an article all about it.
[Dirtiest Websites of Summer]

There seems to be an inadvertent feature in version 3.0 of the iPhone and iPod Touch software - the fact that deleted emails can be recovered!  Although reports say it's been fixed in the 3.1 beta, be wary of anything you think you may have deleted.
[iPhone Bug Keeps Deleted E-mails on Tap]

Rich and Co. over at Securosis have some new details up about the root cause of the Heartland breach.  Although the recommendations are high level, it's obvious there are many who are struggling to even implement the bare minimum.
[New Details, and Lessons, on Heartland Breach]

Indictments, indictments everywhere!  8 more were charged today for obtaining $22 million worth of wireless devices from AT&T and T-Mobile without payment.  Ummm, say what?  Quite the little scam to abuse the dealer network systems.
[8 Indicted in $22m Fraud Against AT&T Wireless, T-Mobile]

Oh yay, a couple of cloud standardization efforts were made public this week.  If I had to shoot from the hip I'd say the OpenGroup initiative will probably be the end winner, as it was entirely odd to see mention of "RESTful" in the first sentence of the A6 draft.  Honestly, I think more effort went into coining a descriptor and buzzwords than anything else (and even that doesn't make total sense to me - call me slow).  But anyway, CNET has the rundown.
[Two Cloud Standardization Efforts Made Public]

We'll leave you tonight with some information around a very common tool most of us use on a daily basis.  Considering most people run a stock configuration, digging through this rundown of 20 (quick) best practices might serve you well.
[Top 20 OpenSSH Server Best Practices]

That'll do it for tonight folks!  Take care and feel free to comment if you find the digs at all useful.
-windexh8er