<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security Stallions Blog &#187; Adobe</title>
	<atom:link href="http://www.securitystallions.com/index.php/tag/adobe/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securitystallions.com</link>
	<description>&#34;Musings of all things infosec...&#34;</description>
	<lastBuildDate>Tue, 02 Feb 2010 17:59:45 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
<atom:link rel="hub" href="http://pubsubhubbub.appspot.com"/><atom:link rel="hub" href="http://superfeedr.com/hubbub"/><cloud domain='www.securitystallions.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
		<item>
		<title>The Digs &#8211; 02.01.2010</title>
		<link>http://www.securitystallions.com/index.php/2010/02/01/the-digs-02-01-2010/</link>
		<comments>http://www.securitystallions.com/index.php/2010/02/01/the-digs-02-01-2010/#comments</comments>
		<pubDate>Tue, 02 Feb 2010 04:08:49 +0000</pubDate>
		<dc:creator>windexh8er</dc:creator>
				<category><![CDATA[The Digs]]></category>
		<category><![CDATA[Adobe]]></category>
		<category><![CDATA[Agile]]></category>
		<category><![CDATA[appliance]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[femtocell]]></category>
		<category><![CDATA[IDS]]></category>
		<category><![CDATA[ie6]]></category>
		<category><![CDATA[Scrum]]></category>
		<category><![CDATA[SEPM]]></category>

		<guid isPermaLink="false">http://www.securitystallions.com/?p=256</guid>
		<description><![CDATA[Well.  Hi there!  I know, it's been a while.  So long, in fact, that I swear when I fired up this new post I could hear the gears of the backend squeak to life as they've been sitting idle since last September.  Yes, it's been far too long and much has and hasn't changed.  Why [...]]]></description>
			<content:encoded><![CDATA[<p>Well.  Hi there!  I know, it's been a while.  So long, in fact, that I swear when I fired up this new post I could hear the gears of the backend squeak to life as they've been sitting idle since last September.  Yes, it's been far too long and much has and hasn't changed.  Why bore you with the details though?  Let's get back to where we left off.</p>
<p>One quick note before we get started.  A quick read would have noticed the name change to "The Digs".  I find it laughable now (the wonder of hindsight) that I had such high hopes for being able to do this <em>every </em>day.  Truth be told there's far too many things elsewhere and too little time.  Here's your new SLA: "The Digs" will appear on average 2-3 times per week catching up between posts.  And now, on to the digs...</p>
<p>First up is Gunnar.  I like Gunnar 1) because what he says is most often highly cogent and 2) because he has to deal with cold shitty winters too.  Thanks Gunnar.  Oh and thanks for finally bringing up APT.  There's a point in the post about the $6 billion in arms we're sending to Taiwan that will, likely, impose sanctions of what China buys from us in the future.  Here's my reply:  "Dear China, How's it going?  Don't worry about that whole Taiwan thing.  I've seen the shit we were selling to Taiwan a few years ago and you've got no worries.  Really, it's kind of like the toy you get out of a Cracker Jack box (because it'll all be yours eventually anyway).  If you don't understand the Cracker Jack thing I'm sure there's an article on Wikipedia.  Later China!".<br />
[<a href="http://1raindrop.typepad.com/1_raindrop/2010/02/apt-the-sonny-response-or-the-michael-response.html">APT - The Sonny Response or the Michael Response?</a>]</p>
<p>I like hardware.  Except when it sucks.  I'm often confused why small (and even medium sized) businesses buy hardware from large vendors (like those that start with a 'C' and end with an 'isco' - don't get me wrong, there is a time and a place along with an OC-12) when all they want to do is bring in some simple routing functionality, with a sprinkle of firewall and maybe, if they're feeling saucy, some IPsec on top.  So when I saw this new Netgear appliance and its awesome price of roughly $275 I said to myself: "Wow, that underpowered old Linux kernel that will rarely ever be updated is just up my alley!".  OK, I didn't say that.  But, really, if you want that sort of thing people just pay someone to deploy and manage some pfSense boxes for you.  But if you're really still interested, by all means...<br />
[<a href="http://www.net-security.org/secworld.php?id=8805&amp;utm">Netgear Releases New Gateway Security Appliance</a>]</p>
<p>OK, full disclosure here: I am the whipping boy over at Securosis (aka 'the intern').  But I'm glad someone said it (thanks Adrian!).  To all you big guns out there scrapping what you've got in house and churning out your next big thing - Agile &amp; Scrum sux0r for your security.  Yeah.  SUX0R (with a capital zero).<br />
[<a href="http://securosis.com/blog/agile-development-and-security/">Firestarter: Agile Development and Security</a>]</p>
<p>I laughed when I saw this next one.  Make sure you defrag your "Secure End Point Management (SEPM) server boys and girls!".  Well, for starters that implies it's probably running some old version of Windows.  Oh yeah, they state 2003 in the article.  Maybe it runs on Windows ME though, you never know.  Oh, and it's x86.  Awesome.  SEPM jokes anyone?  The article title just makes it sound incontinent or something.<br />
[<a href="http://www.symantec.com/connect/blogs/defrag-your-sepm-server-regularly">Defrag Your SEPM Server Regularly</a>]</p>
<p>I'm not going to say much about this next gem I found over at NetWitness other than the fact that if you really think IDS started "several negative trends that are still affecting the psyche of security personnel today" then maybe the blue pill really is for you.<br />
[<a href="http://www.networkforensics.com/2010/01/26/ids-legacy-is-institutionalized-failure/">IDS Legacy is Institutionalized Failure</a>]</p>
<p>So last year I had a conversation with someone about IE6.  To preface - I know of a special place I visit on a regular basis during the week that still has IE6 as part of their base workstation build.  Anyway, so I had a conversation last year about when this individual thought IE6 would be eradicated from the environment.  And their answer was around 2012 or 2013 when XP wouldn't be their base OS.  I proceeded to choke on my coffee.  They, on the other hand, were serious.  So I love to spam people like this with all of the love in the air for IE6 as of late.  Because, really, you thought even Microsoft could save such a fine piece of work?  Fat chance.<br />
[<a href="http://news.cnet.com/8301-30685_3-20000033-264.html">Tide Turns Against IE6 as Usage Drops</a>]</p>
<p>Let's round out our first post for 2010 (and hopefully not the last) with another great one that has to do with China.  The EFF has an article up about how US based companies need to shore up selling products that "selling Chinese authorities the surveillance equipment used to commit or facilitate human rights abuses".  This assumes that 1) China hasn't already ripped off IP from these companies which could be used to, well, remanufacture them and 2) that China doesn't have the upper hand from a monetary perspective right now.  Just food for thought.  Wasn't Cisco's source ripped off a few years ago anyway?  China could just always run a big virtual network with GNS3 anyway, right?  :)<br />
[<a href="http://www.eff.org/deeplinks/2010/01/selling-china-surveillance">Seven "Corporations of Interest" in Selling Surveillance Tools to China</a>]</p>
<p>We'll leave you with these final links...  Thanks for reading!</p>
<p>[<a href="http://www.chinadaily.com.cn/china/2010-02/02/content_9410796.htm">New Laws Close in on Hackers</a>] - Seems rather timely, no?<br />
[<a href="http://www.neoseeker.com/news/13007-cable-modem-hacker-faces-potential-40-year-prison-term/">Cable Modem Hacker Faces Potential 40 Year Prison Term</a>] - The Internet just wants to be free, what can I say?<br />
[<a href="http://www.eweek.com/c/a/Security/Researchers-Uncover-Security-Vulnerabilities-in-Femtocell-Technology-760682/">Researchers Uncover Security Vulnerabilities in Femtocell Technology</a>] - Where "technology" should say "hardware" because, surprise surprise!  Your shitty embedded Linux hackery was reversed.<br />
[<a href="http://www.eweek.com/c/a/Security/Adobe-Flash-Security-on-Menu-at-Black-Hat-886244/">Adobe Flash Security on Menu at BlackHat</a>] - As if to say any Adobe technology hasn't been on the menu for the past, what, 5 years?  Keep on keepin' on Mr. Mike Bailey!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitystallions.com/index.php/2010/02/01/the-digs-02-01-2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Daily Digs &#8211; 08.11.2009</title>
		<link>http://www.securitystallions.com/index.php/2009/08/11/daily-digs-08-11-2009/</link>
		<comments>http://www.securitystallions.com/index.php/2009/08/11/daily-digs-08-11-2009/#comments</comments>
		<pubDate>Wed, 12 Aug 2009 01:00:44 +0000</pubDate>
		<dc:creator>windexh8er</dc:creator>
				<category><![CDATA[Daily Digs]]></category>
		<category><![CDATA[Adobe]]></category>
		<category><![CDATA[Asterisk]]></category>
		<category><![CDATA[Forrester]]></category>
		<category><![CDATA[fuzzer]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[monitoring]]></category>
		<category><![CDATA[OWASP]]></category>
		<category><![CDATA[PHP]]></category>
		<category><![CDATA[Pirate Bay]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[router]]></category>
		<category><![CDATA[safe]]></category>
		<category><![CDATA[secure]]></category>
		<category><![CDATA[threat]]></category>

		<guid isPermaLink="false">http://www.securitystallions.com/?p=202</guid>
		<description><![CDATA[Well boys and girls it's only Tuesday.  Yes Twitter, once again, is under siege, the Pirate Bay is having issues and Microsoft dropped a bombshell full of updates.  Welcome to the daily digs... The first article isn't exactly security focused.  It is, in a way, because from my viewpoint network stability is a direct component [...]]]></description>
			<content:encoded><![CDATA[<p>Well boys and girls it's only Tuesday.  Yes Twitter, once again, is under siege, the Pirate Bay is having issues and Microsoft dropped a bombshell full of updates.  Welcome to the daily digs...</p>
<p style="text-align: left;">The first article isn't exactly security focused.  It is, in a way, because from my viewpoint network stability is a direct component to security.  If information isn't accessible then it's no good, right?  Sometimes.  Either way, Lawrence Roberts (of ARPANET fame) has stepped back from today's slow, expensive routing platforms and decided to fix the brokenness, not from a bandwidth perspective, but flow.  Now at first glance I thought his whole concept was CEF repackaged, but it's not.  Just goes to show how much of the same crap Cisco can feed customers and get away with it year over year.  Monolithic kernel: check, repackaged software that Cisco has no core competency in: check.  It's good to see outside-the-box-thinkers like Hoff go over to players like Cisco, but at the end of the day he'll just get washed, dried and pressed into Cisco's typical mold.  Anyway, on to the original story at hand:<br />
[<a href="http://www.spectrum.ieee.org/computing/networks/a-radical-new-router/0">A Radical New Router</a>]</p>
<p style="text-align: left;">Mu Dynamics today posted some vulnerabilities in Asterisk to their Labs site.  Looks to be a case of the parsing blues (as Asterisk has had problems with this in the past).  Glad to be running "PBX In A Flash - PIAF" these days as I can grab the latest Asterisk upgrades and compile with a few simple commands.<br />
[<a href="http://labs.mudynamics.com/advisories/MU-200908-01.txt">Asterisk Bug Disclosed by Mu Dynamics</a>]</p>
<p style="text-align: left;">In light of the fun WordPress bugs today eWeek was running an article about common PHP coding mistakes and what you can do about them.  Personally I think the OWASP ESAPI toolkits are a better reference (where's Rails OWASP?), but to each their own.  You can always learn something from another perspective, right?<br />
[<a href="http://www.eweek.com/c/a/Security/Common-PHP-Security-Mistakes-and-What-You-Can-Do-About-Them-427112/?kc=rss">Common PHP Security Mistakes and What You Can Do About Them</a>]<br />
[<a href="http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API">OWASP ESAPI</a>]</p>
<p style="text-align: left;">Wired was one of the first outlets to be seen running the story about the sentencing of the hacker with Asperger's sentenced to 55 months.  The original sentence would have been only slightly longer, but because of the disease it was said that Mr. Berkovich was more susceptible to recruitment.  The actual hack was relatively impressive because of its simplicity and reliability.<br />
[<a href="http://www.wired.com/threatlevel/2009/08/truckers/">Hacker with Asperger's Gets 55 Months</a>]</p>
<p style="text-align: left;">The "insider threat", all too common right?  What about "insider risk"?  Dennis Kuntz over at the Security Catalyst ran a nice clip this afternoon talking about the separation of defining insider threat and risk.  Maybe it's time to start looking at it again (or for the first time).<br />
[<a href="http://www.securitycatalyst.com/insider-threat-or-risk/">Insider Threat or Risk?</a>]</p>
<p style="text-align: left;">Not a day goes by that we can't get around something new, clever, lame or exciting directly tied to PCI.  That's why I feel morally obligated to tell you that 1.2.1 is now official.  Yeah, sure, it's not really any real defining changes but more-so fixes.  Go check out Branden Williams' rundown of what's new.<br />
[<a href="http://blogs.verisign.com/securityconvergence/2009/08/pci_dss_goes_v121.php">PCI DSS Goes 1.2.1</a>]</p>
<p style="text-align: left;">Gunnar Peterson sets up the story about why a simple DTD can DoS your XML parser.  Old security bugs never die, says Gunnar, until you kill them.<br />
[<a href="http://1raindrop.typepad.com/1_raindrop/2009/08/behold-the-power-of-fuzzing.html">Behold the Power of Fuzzing</a>]</p>
<p style="text-align: left;">Oh Forrester, you get paid to come up with this stuff?  Forrester says all sec pros should drop what they're doing and focus on ways to secure the cloud because everyone knows the cloud is everything.  I'd honestly have to say that Rob Whiteley isn't too in touch with the real world these days.  Try hitting up your neighborhood Fortune 50 and see, actually, how much of their infrastructure is tied to SaaS, PaaS or IaaS.<br />
[<a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1364294,00.html?track=sy160">Data Has Become Too Distributed to Secure Says <span style="text-decoration: line-through;">Magic 8-Ball</span> Forrester</a>]</p>
<p style="text-align: left;">That's all for the commentary we have today folks.  Check back tomorrow for more!  I'll leave you with today's grab bag...</p>
<p style="text-align: left;">-windexh8er</p>
<p style="text-align: left;">[<a href="http://superconductor.voltage.com/2009/08/are-you-secure-or-are-you-safe.html">Are you secure, or are you safe?</a>]<br />
[<a href="http://www.networkworld.com/news/2009/081109-study-adobe-flash-cookies-pose.html">Adobe Flash Cookies Pose Vexing Privacy Questions</a>]<br />
[<a href="http://www.securityfocus.com/brief/993?ref=rss">More Companies Monitoring E-Mail</a>]<br />
[<a href="http://blog.dasient.com/2009/08/dasient-launches-web-anti-malware-lite_11.html">Dasient Launches Web Anti-Malware Lite</a>]<br />
[<a href="http://www.theregister.co.uk/2009/08/11/pirate_bay_down/">Pirate Bay Sinks Under Electrical Storm</a>]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitystallions.com/index.php/2009/08/11/daily-digs-08-11-2009/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Daily Digs &#8211; 08.06.2009</title>
		<link>http://www.securitystallions.com/index.php/2009/08/06/daily-digs-08-06-2009/</link>
		<comments>http://www.securitystallions.com/index.php/2009/08/06/daily-digs-08-06-2009/#comments</comments>
		<pubDate>Fri, 07 Aug 2009 04:34:00 +0000</pubDate>
		<dc:creator>windexh8er</dc:creator>
				<category><![CDATA[Daily Digs]]></category>
		<category><![CDATA[Adobe]]></category>
		<category><![CDATA[AV]]></category>
		<category><![CDATA[iPod Touch]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[Trolls]]></category>
		<category><![CDATA[Twitter]]></category>
		<category><![CDATA[VirusTotal]]></category>

		<guid isPermaLink="false">http://www.securitystallions.com/?p=189</guid>
		<description><![CDATA[Well, it's a late post but better than none!  I hope everyone's week is winding down nicely and your Friday is more lax than the infrastructure folks had over at Twitter earlier today. A week or two ago I asked the Twitterverse who Adobe's CSO was and if they didn't have one who was responsible [...]]]></description>
			<content:encoded><![CDATA[<p>Well, it's a late post but better than none!  I hope everyone's week is winding down nicely and your Friday is more lax than the infrastructure folks had over at Twitter earlier today.</p>
<p>A week or two ago I asked the Twitterverse who Adobe's CSO was and if they didn't have one who was responsible for software security / quality.  Either way I'm not sure any professional in the industry today would have very good things to say about the path Adobe has been on recently.  That leads us to the CNet article comparing Adobe to Microsoft pre-2002.<br />
[<a href="http://news.cnet.com/8301-27080_3-10304455-245.html?part=rss&amp;subj=news&amp;tag=2547-1009_3-0-20">Is Adobe the Next (pre-2002) Microsoft?</a>]</p>
<p>If you market yourself as a "security" company and the majority of your products revolve around securing end user desktops you might just want to be able to pass the VB100 test.  El Reg ran an article this afternoon showing how CA and Symantec end up with a big fat fail.<br />
[<a href="http://www.theregister.co.uk/2009/08/06/vista_anti_virus_tests/">Top Vendors Flunk Vista Anti-Virus Test</a>]</p>
<p>Dave Lewis posted an article on Liquid Matrix today about Shipley the Troll.  OK, so Peter Shipley's not really a troll in the actual sense, but he's sure acting like one.<br />
[<a href="http://www.liquidmatrix.org/blog/2009/08/05/patent-trolls-go-after-network-security-vendors/">Patent Trolls Go After Network Security Vendors</a>]</p>
<p>Sometimes I wonder.  Really, I do, if what people write really translates in their head or not to something actually being logically feasible.  DarkReading has an article up about "weaponizing" an iPod Touch.  They go on to talk about how a researcher has outfitted his Touch with Metasploit and some other tools.  Even with Ruby 1.9.x Metasploit takes 5+ minutes to load and the fact that you're limited to wireless access only severely limits your success with regards to LAN race condition attacks.  Really guys -- there are better small form factors out there.  But, hey, if you like to shove square pegs in round holes for fun go for it!<br />
[<a href="http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=219100135&amp;cid=RSSfeed">Weaponizing Apple's iPod Touch</a>]</p>
<p>TrendMicro has a great review of KOOBFACE over on the blog today.  The diagram by itself is worth the click through so head on over and read all about it.<br />
[<a href="http://blog.trendmicro.com/the-real-face-of-koobface/">The Real Face of KOOBFACE</a>]</p>
<p>We'll close out today's (short) post with a little bit of irony.  I did a double take when I saw the title of this article and had to visit the actual site to validate it was even true.  But, yes, Symantec is suggesting that people use VirusTotal "when in doubt".  Yes, BigYellow throwing people over the fence to double check their awesome powers of AV.<br />
[<a href="http://www.symantec.com/connect/blogs/looks-suspicious-check-virustotalcom">Symantec Says Check VirusTotal</a>]</p>
<p>Well ladies and gents, this particular post has come to a close.  Yes, it's a little light, but hopefully the link content is good quality reading!  We even spared you one of thousands of links to the Twitter DoS.  We know you already know, why bother?  <img src='http://www.securitystallions.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>Thanks for stopping by and, as always, feel free to comment!</p>
<p>--windexh8er</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitystallions.com/index.php/2009/08/06/daily-digs-08-06-2009/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Daily Digs &#8211; 07.31.2009</title>
		<link>http://www.securitystallions.com/index.php/2009/07/31/daily-digs-07-31-2009/</link>
		<comments>http://www.securitystallions.com/index.php/2009/07/31/daily-digs-07-31-2009/#comments</comments>
		<pubDate>Fri, 31 Jul 2009 21:36:37 +0000</pubDate>
		<dc:creator>windexh8er</dc:creator>
				<category><![CDATA[Daily Digs]]></category>
		<category><![CDATA[Adobe]]></category>
		<category><![CDATA[AES]]></category>
		<category><![CDATA[Clampi]]></category>
		<category><![CDATA[Flash]]></category>
		<category><![CDATA[Hyenae]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[MonkeyFist]]></category>
		<category><![CDATA[Slammer]]></category>
		<category><![CDATA[Twitter]]></category>

		<guid isPermaLink="false">http://www.securitystallions.com/?p=158</guid>
		<description><![CDATA[Happy (sysadmin) Friday everyone!  Yes, if you must ask, I'm still stuck in "not-Las-Vegas-for-DEFCON-ville".  But anyway, on to the digs... First up we have the top 10 threats for 2011.  2011?  We're not even to 2010 yet -- but ISF has staked claims already.  And the #1 threat for 2011 is...  [drumroll] CRIMINAL ATTACKS!  I [...]]]></description>
			<content:encoded><![CDATA[<p>Happy (sysadmin) Friday everyone!  Yes, if you must ask, I'm still stuck in "not-Las-Vegas-for-DEFCON-ville".  But anyway, on to the digs...</p>
<p>First up we have the top 10 threats for 2011.  2011?  We're not even to 2010 yet -- but ISF has staked claims already.  And the #1 threat for 2011 is...  [drumroll] CRIMINAL ATTACKS!  I knew, it blew my mind too.  I wouldn't have actually posted this, but I'm wondering what good this information even is at this point?  Feel free to comment.<br />
[<a href="http://www.itpro.co.uk/613333/top-10-threats-for-it-security-in-2011">Top 10 Threats for 2011</a>]</p>
<p><span>Shawn Moyer and Nathan Hamiel pushed out the bits for MonkeyFist yesterday.  The tool is a new spin on CSRF, the new spin being of the 'dynamic' fashion.  Check out the article over at DarkReading or just hit up the Hexagon Security Group's lab directly.<br />
[<a href="http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleID=218900214&amp;cid=RSSfeed">MonkeyFist Launches Dynamic CSRF</a>]<br />
[<a href="http://hexsec.com/labs">Hexagon Security Group Labs</a>]</span></p>
<p><span>The Thundercats are go over at Adobe finally.  Flash is now patched, so if you haven't updated recently get on it!<br />
[<a href="http://www.eweek.com/c/a/Security/Adobe-Flash-Vulnerabilities-Plugged-in-Security-Update-810797/?kc=rss">Adobe Flash Vulnerability Patched</a>]</span></p>
<p><span>A slightly creepy video showing Equilibrium Networks UI showing the Slammer worm mixed in with other traffic on a gigabit testbed.  I rescind, the video isn't creepy - just the voiceover.<br />
[<a href="http://www.youtube.com/watch?v=53p0A_3WjgA">Slammer Video</a>]</span></p>
<p><span>ThreatFire has an article up shedding some light on Clampi.  Although not too technically deep it's an interesting short read if you're not in "the-Clampi-know".<br />
[<a href="http://blog.threatfire.com/2009/07/clamping-down-on-clampi.html">Clamping down on Clampi</a>]</span></p>
<p><span>As Kaspersky says, "with great power comes great responsibility".  How ironic.  Anyway, they've been doing some research on shortened URLs and have posted some great info.<br />
[<a href="http://www.viruslist.com/en/weblog?weblogid=208187801">Twitter Short URL Statistics</a>]</span></p>
<p><span>Catchy article headlines always get a quick glance from me and this one was no exception.  Although highly likely that the content is driven by product line the point is something I've seen not be an issue, when it should be a big one, over the past few years.  The sprawl of today's growing LANs is, seemingly, becoming a big concern.<br />
[<a href="http://blog.consentry.com/blog/2009/07/survey-says-it-managers-concerned-about-lan-sprawl.html">Survey Says: IT Managers Concerned About LAN Sprawl</a>]</span></p>
<p><span>Big red, big yellow, at the end of the day they both suck in my book.  The Office of Inadequate Security is running an article that catches Steve Redman in his own words.<br />
[<a href="http://www.databreaches.net/?p=6497">McAfee Keeps Leaked Details to Itself</a>]</span></p>
<p><span>Well, well, it was only a matter of time before research cleared that first step towards attacking AES with some level of reliability.  While the practicality isn't there yet, and there are suggestions on the table to mitigate the problem found, the shelf life of AES as it stands has just lost a few years.<br />
[<a href="http://www.h-online.com/security/Practical-AES-attacks-get-closer--/news/113902">Practical AES Attacks Get Closer</a>]</span></p>
<p><span>And for this Friday we'll close out with a new (to me) packet generator.  Like we need a new tool for that you ask?  Hyenae has some cool features that may just come in handy over those other tools.<br />
[<a href="http://pentestit.com/2009/07/31/platform-independent-network-packet-generator/">Hyenae: Platform Independent Network Generator</a>]</span></p>
<p><span>If you're at DEFCON consider yourself privileged.  That's all we've got for today, so enjoy the weekend!</span></p>
<p><span>--windexh8er<br />
</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitystallions.com/index.php/2009/07/31/daily-digs-07-31-2009/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
