Security Stallions Blog "Musings of all things infosec…"

15 Sep 2009

Daily Digs – 09.15.2009

Amazing, I actually started tonight's digs before 10pm.  Then I realized that I hadn't read most of what I marked for tonight so it'll take me just as long by the time I actually get this one posted.  I just can't beat time these days!

The 'cktricky and Web Application Security' blog had a post with some great insight on things to ask during an app sec test.  I've never actually run across this particular scenario before, but the point is that JS pop-up warnings mean nothing to your proxy and may present warnings that the tester will never see (like "If you do this you'll break all of prod").  Anyway, read the post for the full rundown.
[BToD Target Scope and Precautions]

VeriSign's new DDoS attack protection service is an interesting topic for me.  I've dealt with countless large enterprise carrier services along with the architecture around load balancing and multi-homed environments.  So offloading all of your traffic in an event (i.e. throwing the BGP switch) to VeriSign seems a tad bit scary - oh, but no worries, they'll route the good traffic back.  The other thing is that all of the Netflow data VeriSign collects (to do this) is an interesting concept.  To me, architecturally, this looks like a bad idea and maybe I'll just have to dig into this one a little more.  For now you can start forming your own opinion by reading about it at the link.
[VeriSign Extends DDoS Attack Protection]

Work in defense?  Then COTS is something you probably deal with on a daily basis.  The funny thing is that when I started my career in the defense industry a lot of proprietary hardware and software was being gutted for COTS.  Even I knew (as I started out as a System Engineering Associate) that the square peg they were jamming in the round hole didn't fit.  Apparently the cyclical monster is coming around in the DoD on this one.
[DoD Rethinking Build Versus Buy]

West side what?  Go figure - China modeling how to take down the US power grid for fun.  Reminds me of a conference I was at a few years ago in which a consultant disclosed some interesting facts about the substation and grid connections the Mall of America has in its substructure.  We then learned how to shut the lights off in all of the neighboring communities that particular day.
[DHS to Review Report on Vulnerability in West Coast Power Grid]

This was one of the best / most disturbing banking related articles I've read in a while.  It's also why you shouldn't do most any online business with HSBC.  I hope HSBC just had a PCI audit done by a large firm so that particular QSA can head to the chopping block.  This one's just downright "special" (and not really from today, but I ran across it in my feeds).
[So Funny I Forgot To Laugh]

This one came across the OSF data loss incidents list and it made me think.  Do you really think Jones General Store has any idea of PCI?  PCI is so focused today on big business and infrastructure security, yet these types of processes still exist in hundreds of thousands of small businesses day in and day out.  In fact, this past weekend, I saw more carbon copies of card data at a local art fair than I'd care to pretend were still around.
[University Hill Shops Burglarized; Credit Cards Stolen]

As of this posting, there are less than 19 hours until the Social Engineering Framework is released.  Mark it on your smartphone yo.
[Social Engineering: Exploiting Human Vulnerabilities]

All you need to know about this one: "Operation Hot Date", Dumb Sheriff in Florida, and Craigslist for your evening entertainment.
[Another Sheriff Goes After CL]

That's all he wrote for tonight boys and girls.  We'll leave you with some links to peruse, but without the colorful commentary.  Take care and keep your stick on the ice!  Also, first person to tweet "I won the easter egg hunt at www.securitystallions.com" and @s me in the message wins a $20 Starbucks gift card (first person = one winner).  Figuring out where to find me on Twitter should be trivial.  Get your tweet in before 10:30pm on Wednesday, September 16th 2009 Central.

[Does IBM Have a Fix for Banking Infrastructure?]
[Security Attitudes]
[Thoughts on the Cult of Schneier]
[Pwnage Tool and iPhone 3.1]
[AMD 'Eyefinity' Powers 24 Monitors]
[A BSoD and Possibly More]
[No TCP/IP Patches for XP]
[OpenDNS Announces Premium Cloud Services]

14 Sep 2009

Daily Digs – 09.14.2009

Well, "daily" has been more like "weekly" as of late, but the digs are back.

I think this one is good on a few fronts, but mostly from a humorous perspective.  Joe Lieberman and Susan Collins should stick to whatever they do best - and that doesn't include addressing "cyber crime".  They're proposing a public / private relationship so that the government (really?) can help them defend against attacks.  OK, didn't the FBI's website just get defaced recently?  Unless the blunt plan is to put up some sort of subsidy (which I'm not at all endorsing) the government is just going to spin up more useless programs that are run by people who just-don't-get-it.
[Committee Examines Growing Cyber Threat to Businesses]
[FBI Jobs Site Gets Hacked]

Unique is not random is not secure.  I'm not sure that's a complete sentence, but it sums up the article on Newsoft's Tech Blog nicely.  For a rundown of examples of the differences between the three concepts, hit up the link.
[Unique is Not Random is Not Secure]
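To make the three properties concrete, here is an added example (my own, not code from the Newsoft post or from this blog) that issues 64-bit tokens three ways and then plays attacker against each: a counter is unique but trivially predictable, a Mersenne Twister seeded from a guessable value looks random but can be replayed once the seed is recovered, and only the OS CSPRNG (Python's `secrets` module) is unique, random and secure.  The server start time, the two-hour seed-guessing window and the 64-bit token size are constructed for the demo; real session identifiers should carry at least 128 bits.

```python
"""Three properties a token can have: unique, random, and secure.

A counter is unique but predictable; a PRNG seeded from a guessable value
looks random but is reproducible; only CSPRNG output is all three.
"""
import random
import secrets
from typing import Iterable, List, Optional

TOKEN_BITS = 64  # constructed: 64-bit tokens keep the demo fast; real IDs want 128+


class SequentialTokens:
    """Unique but not random: no two tokens repeat, yet any one token
    reveals every other (time-based UUIDs share this weakness)."""

    def __init__(self, start: int = 0x1000) -> None:
        self._next = start

    def issue(self) -> str:
        token = f"{self._next:016x}"
        self._next += 1
        return token


class SeededTokens:
    """Random-looking but not secure: random.Random is a Mersenne Twister,
    and once the seed is known every output can be replayed."""

    def __init__(self, seed: int) -> None:
        self._rng = random.Random(seed)

    def issue(self) -> str:
        return f"{self._rng.getrandbits(TOKEN_BITS):016x}"


def secure_token() -> str:
    """Unique, random and secure: the OS CSPRNG via the secrets module."""
    return secrets.token_hex(TOKEN_BITS // 8)


def predict_sequential(seen: str, ahead: int = 1) -> str:
    """Attacker view of SequentialTokens: the next token is just seen + 1."""
    return f"{int(seen, 16) + ahead:016x}"


def recover_seed(observed: List[str], candidates: Iterable[int]) -> Optional[int]:
    """Attacker view of SeededTokens: replay each candidate seed until the
    generator reproduces the tokens already observed."""
    for seed in candidates:
        replay = SeededTokens(seed)
        if all(replay.issue() == token for token in observed):
            return seed
    return None


def predict_seeded(observed: List[str], candidates: Iterable[int]) -> Optional[str]:
    """Recover the seed from observed tokens, then emit the one the server
    will hand out next.  Returns None if no candidate seed matches."""
    seed = recover_seed(observed, candidates)
    if seed is None:
        return None
    replay = SeededTokens(seed)
    for _ in observed:
        replay.issue()  # fast-forward past what was already seen
    return replay.issue()


def all_unique(tokens: List[str]) -> bool:
    return len(set(tokens)) == len(tokens)


# Constructed scenario: a server that seeded its PRNG with its start time,
# and an attacker who knows roughly when it was started.
DEPLOY_TIME = 1252987200  # constructed: 2009-09-15 04:00 UTC, epoch seconds
SEED_WINDOW = range(DEPLOY_TIME - 3600, DEPLOY_TIME + 3600)  # two-hour guess window


def demo() -> dict:
    seq = SequentialTokens()
    first = seq.issue()
    seq_hit = predict_sequential(first) == seq.issue()

    server = SeededTokens(DEPLOY_TIME)
    observed = [server.issue() for _ in range(2)]  # two tokens leaked to the attacker
    seeded_hit = predict_seeded(observed, SEED_WINDOW) == server.issue()

    csprng = [secure_token() for _ in range(1000)]
    csprng_hit = predict_seeded(csprng[:2], SEED_WINDOW) is not None

    return {
        "sequential_predicted": seq_hit,
        "seeded_predicted": seeded_hit,
        "csprng_predicted": csprng_hit,
        "csprng_unique": all_unique(csprng),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The seeded case is the one that fools people: the tokens pass every eyeball test, but two leaked values plus a rough idea of the seed are enough to mint the next one.  The counter-based and seeded generators are here only to be broken; `secrets` (Python 3.6+) or the OS CSPRNG directly is what to use.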

The Consumerist ran a story this morning with video from LiveLeak on a man installing a skimmer.  I'd have to say that I'm definitely more cognizant when using ATMs that are non-bank affiliated and portable.  At one point in time I really didn't like ATMs that sucked the card into the machine; however, today it makes sense as less risk to me.
[Guy Installing Skimmer on ATM]

I can honestly say I really didn't know much about 'RNS' before I read this article today, but the Feds seem to have cracked down on a few of the key members.  I'm not sure why the title references RNS as an '0Day' group however.
[Fed Crackdown on 'RNS' Signals Death to Oldest 0Day Group Online]

Don't have the cash or time to go to one of the big name cons?  Chris John Riley posted an article about the first online hacker con entitled SecurityTubeCon.  There's a call for papers (& vid) out until October 20th, so get your talk ready to go!
[First Online Hacker Conference]

That's all the time we have for comments tonight, but we'll leave you with some other links to ponder.  Thanks for stopping by!

[Windows Autoplay Behavior Updated]
[Gustav, the Hackerspace Twitter Bot]
[Loan Officer Indicted for Fraud and ID Theft]
[Dradis 2.4 Released]
[PhoneCrypt is Available for the iPhone (and entirely overpriced)]
[20 Temporary / Disposable Email Services]
[Hacker's Hideaway ARP Attack Tool Released]
[SourceFire's Vulnerability Report for September Screencast]
[Practical Intrusion Analysis Book Review]

8 Sep 2009

Daily Digs – 09.08.2009

Good evening ladies and gentlemen!  I almost inadvertently said it was Monday, and it feels like forever since the last digs.  I've been out of pocket and/or busy unfortunately, and digs usually take a little time to get together.  But they're back, and for our Labor Day week we started out with a lot of great articles.  On to the show...

First up is the SMB vulnerability.  Ahhhh, flashback to the early 90s when BSODs were all the rage and ripe for the picking.  Microsoft has handed us a blast from the past - providing this undocumented feature in Vista and Windows 7!  I'm sure you've already read about this one today, but if not here's the original source:
[Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D]

As a strong proponent for great OSS I noticed today that OSSEC v2.2 is out.  Now sporting some fabulous WordPress plugin functionality and some other extra bells and whistles.  Check the changelog for all the dirt.
[OSSEC v2.2 Released]

Are you a web dev that happens to be working with Flash?  Sucks to be you.  I mean HP has just the thing to help make sure your code doesn't completely suck!  HP SWFScan to the rescue.  (Disclaimer: I haven't tried this software so I'm not vouching / recommending this in any way)
[HP SWFScan]

Apparently beer and pizza are some great brainstorming food, because 'cktricky' and 'jack_mannino' came up with how to use Burp through Tor to maintain your anonymity.  Mubix is the voice for the screencast if you're a fan.  Yeah, there's vid for all y'all #lazyweb folk.  No reading required.
[Obfuscating your IP using a Burp/TOR/Privoxy Combo]

I'm not sure where some of these organizations come from but here's a new one for me: ITIPA (Industry Trust for IP Awareness).  Yeah, not overly obvious but these guys came up with the all-clever 'Generation Y-Pay' label that they've given to the bulk of 16 to 34 year olds.  I fit this age range and gladly pay for all of my digital media.  Well, not always gladly, but I see the value and effort required to produce.  We're not all leechers ITIPA, maybe it's just those Brit youngsters.
[Generation Y-Pay]

Bored on your morning commute?  There are plenty of people out there who'll yammer their perspective on just about anything related to security these days.  Chris John Riley has compiled a great list.  Some of them are great and some of them sound like a broken record of Core Impact / Nessus advertisements, let's be honest.  Either way you can't beat the price!
[Filling Your iPod]

Ars has a fabulously more-in-depth-than-I-probably-needed article on the status of IPv4.  I don't agree with the general FUD laced throughout, but it's something to keep in mind.  Dust off those IPv6 books you bought from the last round of "OMG-THE-INTARWEBZ-IZ-ENDING-OH-HAI-IPV6", you'll need them - eventually.
[2010 Could be the Last Year of IPv4]

Not exactly the typical security relation here, but security in a different way.  More like security of interoperability when venturing into uncharted waters with regard to new tech.  Enter TomTom's OpenLR.  OpenLR will enhance your once boring drive to the grocery store through whizbang location based services that you'll wonder how you lived without.  OK, maybe not, but it's never a bad idea to be the first to open things up a bit - especially when it can be rather costly to build proprietary data stores that are constantly repeated and generally lack timely updates when it comes to the GPS market.  The times they are a-changin'.
[TomTom Launches Open Source Navigation Product]

Apparently DHS wants to be accountable to PCI these days.  Philosecurity brings us the info on what was retrieved from the ATS system in a real copy of an American citizen's record.  Scary scary.  Scary.
[What does DHS Know About You]

FUN STUFF - I just had to throw this in because apparently one of the largest games of Monopoly starts tomorrow.  Best be stayin' away from 4th Ave N in the 612 - all mine.
[Google Maps Giant Game of Monopoly]

I remember the days gone by when I used to rent a Nintendo on a Saturday morning and play non-stop until I had to return it the next day (my parents allowed computers but not consoles).  Now you can rent a botnet by the day!  Who'd have thunk?
[Want to Rent an 80-120k DDoS Botnet]

And here we go with some new trials and tribulations.  Some favorited tweets of the day: