Daily Digs – 08.11.2009
Well boys and girls it's only Tuesday. Yes Twitter, once again, is under siege, the Pirate Bay is having issues and Microsoft dropped a bombshell full of updates. Welcome to the daily digs...
The first article isn't exactly security focused. It is, in a way, because from my viewpoint network stability is a direct component to security. If information isn't accessible then it's no good, right? Sometimes. Either way, Lawrence Roberts (of ARPANET fame) has stepped back from today's slow, expensive routing platforms and decided to fix the brokenness, not from a bandwidth perspective, but flow. Now at first glance I thought his whole concept was CEF repackaged, but it's not. Just goes to show how much of the same crap Cisco can feed customers and get away with it year over year. Monolithic kernel: check, repackaged software that Cisco has no core competency in: check. It's good to see outside-the-box-thinkers like Hoff go over to players like Cisco, but at the end of the day he'll just get washed, dried and pressed into Cisco's typical mold. Anyway, on to the original story at hand:
[A Radical New Router]
Mu Dynamics today posted some vulnerabilities in Asterisk to their Labs site. Looks to be a case of the parsing blues (as Asterisk has had problems with this in the past). Glad to be running "PBX In A Flash - PIAF" these days as I can grab the latest Asterisk upgrades and compile with a few simple commands.
[Asterisk Bug Disclosed by Mu Dynamics]
In light of the fun WordPress bugs today eWeek was running an article about common PHP coding mistakes and what you can do about them. Personally I think the OWASP ESAPI toolkits are a better reference (where's Rails OWASP?), but to each their own. You can always learn something from another perspective, right?
[Common PHP Security Mistakes and What You Can Do About Them]
[OWASP ESAPI]
Wired was one of the first outlets to be seen running the story about the sentencing of the hacker with Aspergers sentenced to 55 months. The original sentence would have been only slightly longer, but because because of the disease it was said that Mr. Berkovich was more susceptible to recruitment. The actual hack was relatively impressive because of it's simplicity and reliability.
[Hacker with Asperger's Gets 55 Months]
The "insider threat", all too common right? What about "insider risk"? Dennis Kuntz over at the Security Catalyst ran a nice clip this afternoon talking about the separation of defining insider threat and risk. Maybe it's time to start looking at it again (or for the first time).
[Insider Threat or Risk?]
Not a day goes by that we can't get around something new, clever, lame or exciting directly tied to PCI. That's why I feel morally obligated to tell you that 1.2.1 is now official. Yeah, sure, it's not really any real defining changes but more-so fixes. Go check out Branden Williams rundown of what's new.
[PCI DSS Goes 1.2.1]
Gunnar Peterson sets up the story about why a simple DTD can DoS your XML parser. Old security bugs never die, says Gunnar, until you kill them.
[Behold the Power of Fuzzing]
Oh Forrester, you get paid to come up with this stuff? Forrester says all sec pros should drop what they're doing and focus on ways to secure the cloud because everyone knows the cloud is everything. I'd honestly have to say that Rob Whiteley isn't too in touch with the real world these days. Try hitting up your neighborhood Fortune 50 and see, actually, how much of their infrastructure is tied to SaaS, PaaS or IaaS.
[Data Has Become Too Distributed to Secure Says Magic 8-Ball Forrester]
That's all for the commentary we have today folks. Check back tomorrow for more! I'll leave you with today's grab bag...
-windexh8er
[Are you secure, or are you safe?]
[Adobe Flash Cookies Pose Vexing Privacy Questions]
[More Companies Monitoring E-Mail]
[Dasient Launches Web Anti-Malware Lite]
[Pirate Bay Sinks Under Electrical Storm]
Weekend Redux – 08.09.2009
Really? It's Sunday night already? Where has the weekend gone? Maybe this roundup of weekend security related articles will give you some enlightened reading before Monday jump starts your week yet again.
One slight clarification for the sight on our posting strategy: Daily Digs are Monday through Thursday evenings (should be posted between 6:00pm and 10:00pm Central from now on) and Weekend Redux will be Sunday evenings (before 10:00pm Central). Weekend Redux will be Friday, Saturday and Sunday's news jam packed into one post. That being said if we do a post on Friday night Weekend Redux will just be Saturday and Sunday. We're trying to find the best fit on traffic levels so we'll keep an eye on the traffic logs during different post times to try to maximize the usefulness to the bulk of any readers.
We're also looking forward to starting a sort of weekly challenge that will include an actual prize! Look forward to more details later in the week and our first shot at it this coming weekend. Also, as promised last week, we'll have our first screencast based on the winning votes of last week (sslsniff).
So it's a big week and it all starts now...
Generally when we see patents come out of Apple these days they're for new and interesting things that are useful to the customer. On Friday, however, we ran across a story on CNET about apple patenting some new ways to diagnose abused hardware.
[New Apple Patent Means No More Microwaving Your iPod]
Whether of not you're a fan of PCI it's always a good idea to know both sides of the story. In that case the post over on Chaordic Mind is some enlightened reading and, if true, makes Dave Hogan (CIO of the National Retail Federation) look like, well, kind of a schmuck.
[Dave Hogan Doesn't Know PAN]
Thinking about IPv6 lately? It's been one of those on and off topics in the industry for the last ten years, but it's one of those technologies that is great to have in your back pocket for spur-of-the-moment chats. The more you know, the better you are, so why not stay ahead of the curve, right? Richard Bejtlich has a review of "IPv6 Security" up on his site. The guy (Richard) must be a speed reader who can just absorb books because his level of consistency and thoroughness of reviews is second to none.
[Review of IPv6 Posted]
ThreatPost posted an article Friday that had a link to Nate Lawson's Google Tech Talk. I watched the entirety of it over lunch and was amazed at Lawson's depth of simplifying crypto to some sound fundamentals and got some new insight to the shortcomings of some encryption implementations that have, thus far, been left alone -- but probably won't be in the next twelve months.
[Nate Lawson - Crypto Strikes Back!]
The Security Shoggoth (a new addition to the feeds) has the announcement of part two to "Automating Malware Analysis" in HAKIN9 (security mag). I read the first article in the last edition and look forward to picking up the recently released copy. Either way, the blog post has some insight if you're not up for spending the $$$ on HAKIN9 (which is, in itself, a tad on the expensive side).
[Automating Malware Analysis Part 2]
I wasn't going to post any TWITTER-DDOS-OMG-PONIES-UNICORNS-FAILWHALE-LOLCATZ links, but I read one that kind of got under my skin. Stefan Tanase posted a guest editorial on ThreatPost that's ripe with hypocrisy. In paragraph two he states he's "not a political commentator" but implies, a few paragraphs later, that the attack was rooted via a "government". Sorry Stefan, your piece sucked and just added to the FUD of Twitter crap articles that flooded everyone's readers late last week.
[Cutting Through the Twitter DDOS Hype]
CNET had a very entertaining piece up on Friday about NORAD's alternate command center with some rare photo opportunities.
[NORAD's Alternate Command Center Illustrated]
It seems odd, when everyone is buzzing about shutting down social network access the U.K. is Defence Ministry is, well not exactly encouraging it, but more so encouraging good use of.
[U.K. Defence Ministry Encourages Troops to Use Social Media]
While I haven't had a chance to yet fully read the announcement in the Federal Register, it sounds as if enforcement of HIPAA has shifted from CMS to the Office for Civil Rights. If you're interested in that sort of news it may (or may not) be a worthy read.
[HIPAA Security Rule Enforcement Shifts to OCR]
The Office of Inadequate Security has a new "Bits 'n Pieces" posted. Some of the highlights include cloning cards to aggravated identity theft, oh joy!
[Bits 'N Pieces]
Oh Iowa, if it's not enough you're at the butt of my Midwestern jokes (I grew up and live in the Midwest), but you like to hand out SSNs too? The Des Moines Register has an article up on how hundreds of Iowa's top officials and board members social security numbers were available via a public site. Guess someone needs to talk to Kevin Riggins down there!
[Social Security Numbers Visible on State Site]
Exotic Liability posts podcast number 30 over the weekend. Topics for this show include VoIP, Fuzzers, DNS and more!
[Libsyn - Exotic Liability Podcast #30]
Jack Daniel doesn't post a whole lot to the "Uncommon Sense Security" blog, but when he does it's generally entertaining. Jack's talking about smart people saying dumb things this time and it's all too common. David Rice of "Geekonomics" are in his sights this time, hit the link for the great post.
[Smart People Saying Dumb Stuff Again]
Cloud for Clunkers? Only Mr. Hoff could come up with that sort of intro. While it feels like Hoff's insights have a deeper rooted interest these days (since Cisco - and who can blame him?) his posts are generally great reads.
[The Cloud for Clunkers Program]
More Black Hat presentation videos are being posted the further we drift from when the big event was. SensePost has part 5 of 5 of the series up, this one focused on XSS in Apple's MobileMe service. I particularly liked the concise delivery of the message in the conclusion - the unintended consequences directly related to web interfaces for controlling cloud services. Good stuff!
[Black Hat Presentation Demo: MobileMe]
An old trick, but a good one. Neighbors stealing your Internet? Don't cut them off right away, have some fun first! (I know, I know, this isn't new but seemingly it hit Digg again and it's been a while since I've toyed with any traffic on the honey pot AP in my place of residence.)
[Upside-Down-Ternet]
Tr.im gets the axe. 
I'm actually rather sad because this means the monopoly of URL shorteners just got, well, shorter.
[URL Shortener Tr.im Gets Cut Off]
Finally we come to our last link. Dave Kerb, tonight, has released the "Tor Backdoor". Although not anything earth shattering if you're a security nut, you'll want to be in the know!
[Tor Backdoor Released]
And that's it for the first official installment of the weekend redux! I truly hope everyone had a safe and enjoyable past couple of days. Stop back tomorrow for Monday's daily digs!
--windexh8er
Tags
| M | T | W | T | F | S | S |
|---|---|---|---|---|---|---|
| « Feb | ||||||
| 1 | 2 | 3 | 4 | |||
| 5 | 6 | 7 | 8 | 9 | 10 | 11 |
| 12 | 13 | 14 | 15 | 16 | 17 | 18 |
| 19 | 20 | 21 | 22 | 23 | 24 | 25 |
| 26 | 27 | 28 | 29 | 30 | 31 | |
Random Musings
Twitter: windexh8er
- Zoom whitening - more painful than expected but white white teeth!
- Inception in VIP at Showplace Icon FTW to celebrate resignation! Wooo hooo!
- Coke has hybrid electric delivery trucks, interesting. http://twitpic.com/27usw6
- Mog vs Rdio, the battle for my $10/month... (Mog is now on Android)
- Wow... TrueCrypt 7 benchmarks at 1GB/sec encrypt and decrypt on the i7 in the MBP. Too bad FileVault doesn't use AES-NI. :(