Interesting Information Security Bits for 10/18/2008

October 18, 2008

Good afternoon everybody! I hope your day is going well.

Here are today’s Interesting Information Security Bits from around the web.

  1. The Art of Software Security Assessment >> Bugs vs. Flaws
    A really interesting post about definitions and approaches to application security issues and testing. Read the comments too. Really good stuff.
  2. HiR Information Report: Response: “Is Twitter the newest data security threat?”
    Ax0n answers the question that Lori presented the other day.
  3. Telecom Immunity Law Challenged In Court — Telecom Amendments Act — InformationWeek
    The Electronic Frontier Foundation is challenging the Telecom Amendments Act that gave telecom providers retroactive immunity from prosecution for domestic wiretapping they did at the behest of the government. This is a very good thing.
  4. Two new IRS systems have major security weaknesses, federal report says
    Wow. The apparent delinquency in the systems discussed here is atrocious, particularly for the type of system being discussed, i.e. the one that keeps and manages our tax returns.
  5. Altor Networks Introduces Virtual Firewall – Application and Perimeter Security News Wire – Dark Reading
    I can’t comment on the effectiveness of the product, but it is nice to see this type of product starting to appear.
  6. BeCrypt Cryptographic Library Gets Cert – Host security News Wire – Dark Reading
    I’ve used BeCrypt products for quite some time and have found them to be excellent. They now have a library that is FIPS 140-2 certified.

That’s it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Interesting Information Security Bits for 10/17/2008

October 18, 2008

Good afternoon everybody! I hope your day is going well.

Here are today’s Interesting Information Security Bits from around the web.

  1. The IT Security Guy: Autumn 2008 Edition of 2600 on Newstands
    Looks like the Autumn 2008 edition of 2600 is out already. Go get yours.
  2. StillSecure, After All These Years: StillSecure, After all these years, Podcast 59 – Mike Murray
    Alan and Mitchell have a new podcast up. Mike Murray visits with them about the impact current economic conditions might have on the security market.
  3. C S R C – Systems Administration
    NIST has released their Guide to Securing Microsoft Windows XP. Always good stuff.

    Hat tip: @danphilpott

  4. USB Goodies 2008 – Room362.com
    This is an awesome list of goodies for infosec and information technology people. Ah, who am I kidding, it’s a great list of goodies for any geek :) The tools will soon be available as a downloadable package on BitTorrent.
  5. NIST.gov – Computer Security Division – Computer Security Resource Center
    From the webpage:
    The intent of the assessment case is to provide helpful information and purposefully not to limit the flexibility of an assessor in applying his or her own judgment as to the ‘right’ set of assessor actions to assess a control in a specific information system or organization. Rather, the assessment cases provide worked examples for organizations to use in developing their assessment plans.
  6. Uncommon Sense Security: Security Twits Road Trip Photos
    A group of Security Twits recently hopped in an RV together and made the trip to DayCon. Here are the pictures from the trip.
  7. Survey: 88% of Mumbai’s wireless networks easy to compromise | Zero Day | ZDNet.com
    Not good, not good at all.

That’s it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


But, that was fiction, wasn’t it?

October 17, 2008

In this post, I talked about Cory Doctorow’s fiction book Little Brother.  I briefly mentioned the excessive surveillance implemented by the government as a result of an event that occurred in the book. However, the focus of that post wasn’t the surveillance, but that any system can be designed in such a way that the designer cannot break it.

I think that is still a valid point, but let’s look at the issue of excessive surveillance today. In the book, everybody in the San Francisco area is essentially watched all the time: through tracking of how people move around via public transit ID cards, through the laptops provided to students at school, which monitor and report on the students’ online activities, through spending patterns based on credit and debit card usage, and through the populace itself.

The government has convinced a large portion of the populace that this level of daily scrutiny is for their own good.  It is necessary so that the terrorists can be caught. Furthermore, it is the people’s responsibility to report suspicious activity.  We are talking about a situation in which essentially all rights to privacy have been suspended. Now, in Little Brother, this is only occurring in the San Francisco area because of a terrorist attack.

In this post, I talk about a mini-series being aired in the United States right now by PBS called “The Last Enemy.” In this fictional program, we have moved beyond a single locality being under constant watch. The entire United Kingdom is being watched by a program called T.I.A., or Total Information Awareness. T.I.A. is fed data from every system the government has and many public sector systems too. It gives the government the ability to see every move of every person within its database. It is even able to infer the existence of someone who has not gotten their national identity card from the interactions of people who do have their card. Again, a situation where all rights to privacy have been suspended, whether the people know it or not.

By now, I am sure you are saying to yourself, “What is the point you are trying to make?” Well, apparently, there is a possibility that fiction could quickly become truth. This article on the BBC news website talks about a bill that will be introduced in November in the United Kingdom.  From the article:

Details of the times, dates, duration and locations of mobile phone calls, numbers called, websites visited and addresses e-mailed are already stored by telecoms companies for 12 months under a voluntary agreement.

The data can be accessed by the police and security services on request – but the government plans to take control of the process in order to comply with an EU directive and make it easier for investigators to do their job.

Information will be kept for two years by law and may be held centrally on a searchable database.

So, it seems that we are moving beyond fictional representations of this type of behavior. And lest we forget, the United States has been dealing with issues along these same lines for some time now. We hear about wiretaps being put in place without warrants and Internet Service Providers allowing governmental agencies to install equipment that monitors all data moving over their backbones.

Let’s look at one final fictional rendition of a totalitarian state which controls its populace ruthlessly, George Orwell’s 1984. I leave you with two quotes from this book and will let you draw your own conclusions as to where we are headed if we are not careful.

“The thought police would get him just the same. He had committed—would have committed, even if he had never set pen to paper—the essential crime that contained all others in itself. Thoughtcrime, they called it. Thoughtcrime was not a thing that could be concealed forever. You might dodge successfully for a while, even for years, but sooner or later they were bound to get you.”

“It was terribly dangerous to let your thoughts wander when you were in any public place or within range of a telescreen. The smallest thing could give you away. A nervous tic, an unconscious look of anxiety, a habit of muttering to yourself—anything that carried with it the suggestion of abnormality, of having something to hide. In any case, to wear an improper expression on your face… was itself a punishable offense. There was even a word for it in Newspeak: facecrime…”

Kevin


Interesting Information Security Bits for 10/16/2008

October 16, 2008

Good afternoon everybody! I hope your day is going well.

Here are today’s Interesting Information Security Bits from around the web.

  1. Firefox 3.1 Beta Available For Download – Security Watch
    Nuff said.
  2. Security vendors cry foul over exploit tests * The Register
    And the vendors fire back at Secunia after yesterday’s report.
  3. Adobe patches Flash clickjacking and clipboard-poisoning bugs
    Adobe has fixed some stuff related to the clickjacking problem.
  4. Botnet Visualizations – RFI and SQL Injections | Security to the Core | Arbor Networks Security
    This is pretty cool stuff.
  5. /dev/random >> Blog Archive >> Asset Management Using Nmap
    Nice blog post on using some new nmap features to implement asset management in a way that does not break the bank.
  6. Detailed report on the Georgia Cyberwarfare incident | Security4all – Dedicated to digital security, enterprise 2.0 and presentation skills
    Security4All points out that a report is now available that discusses the Georgia Cyber Warfare incident.
  7. Is Twitter the newest data security threat?
    Lori has an insightful post about Twitter and applications of its ilk.

That’s it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Interesting Information Security Bits for 10/15/2008

October 15, 2008

Good afternoon everybody! I hope your day is going well.

Here are today’s Interesting Information Security Bits from around the web.

  1. Symantec launches online PC tech support services | News – Security – CNET News
    Give Symantec remote access to your system and, for $39.99 or $69.99, they will solve your PC problems. I’ll leave you to come to your own conclusions here.
  2. Security policy being bypassed by employees, survey finds
    This article just reinforces that you have to make the security controls you put in place manageable and easy to use. You also need to make sure you are enabling your users to act securely. You, as a security professional, are doing your business a disservice if you force the users to make choices that place the business at risk because they can’t get their jobs done efficiently due to onerous or poorly designed security controls.
  3. Bush signs PRO-IP antipiracy law
    The PRO-IP Act has been signed into law. There is a bit of a difference of opinion as to if this is a good thing or not.

That’s it for today. Have fun!

Subscribe to my RSS feed here.

Kevin


Interesting Information Security Bits for 10/14/2008

October 14, 2008

Good afternoon everybody! I hope your day is going well.

Here are today’s Interesting Information Security Bits from around the web.

  1. Using Cain to do a “Man in the Middle” attack by ARP poisoning (Hacking Illustrated Series InfoSec Tutorial Videos)
    Irongeek has a video up showing how to use Cain for man in the middle attacks.
  2. The Security Catalyst >> Join me at the Microsoft Small Business Summit This Wednesday
    Michael (SecurityCatalyst) will be presenting at the Microsoft Small Business Summit on Wednesday. You can watch along live if you wish. Details inside.
  3. Grumpy Hacker News Network: OWASP EU Summit 2008
    The OWASP EU Summit 2009 has been announced. It will take place in Portugal from November 3rd to the 7th.
  4. DarkMarket carder forum revealed as FBI sting * The Register
    This is great. The FBI set up a carder forum as a sting operation.
  5. Top security suites fail exploit tests
    Secunia has a report out in which 12 security suites are tested and don’t do very well at all. Read the report for the specifics, but if you throw a bunch of malware at a system that is unpatched, no amount of security software is going to protect you from getting infected.

If you like these posts, you can get them easily by subscribing to my RSS feed.

That’s it for today. Have fun!

Kevin


Interesting Information Security Bits for 10/13/2008

October 13, 2008

Good afternoon everybody! I hope your day is going well.

Here are today’s Interesting Information Security Bits from around the web.

  1. Schneier on Security: Threat Modeling at Microsoft
    Schneier points us to a white paper by Adam Shostack on Microsoft’s threat modeling methodology. I have only read the first part, but it looks interesting.
  2. McGrew Security Blog >> Blog Archive >> Slides for a forensics class lecture on ext2/3
    Wesley has put up the slides for a talk he is giving about ext2/ext3 file system forensics. You should go check them out.
  3. Apocalyptic Vulnerability Percentages – FUD 101 ha.ckers.org web application security lab
    A good read from RSnake about just how vulnerable we really are.
  4. PPT_VeriSign_Webcast_Brazil_20081008.pdf (application/pdf Object)
    Slides from a threat briefing on Brazil that was given by VeriSign last week.
  5. Carnal0wnage Blog: OWASP APPSEC 2008 Conference Videos Online
    Videos are out from the OWASP AppSec 2008 conference.
  6. Matasano Chargen >> Blog Archive >> Detecting Anonymizing Proxies
    A good article on how to detect anonymizing proxies on your network.
  7. Matasano Chargen >> Blog Archive >> Owning Networks With Soldering Irons and Radio Shack Parts
    A great walk-through of Stephen’s experience with a recent pen test that required him to do some hardware hacking.
  8. Dell Launches SingleClick Remote Access – Host security News Wire – Dark Reading
    Dell is now offering a “Go to my PC” like service.
  9. Over half of U.K. firms have lost data
    Ouch. On top of the mind-boggling statistic that 55% of British companies have had a breach and that 49% have had more than one, is the finding that only 10% were considered to be the result of malicious entities. Go take a look.
  10. U.S. proposes digital signing of DNS root zone file
    The U.S. department is looking for comments on how to implement DNSSEC for records in the root zone.
  11. Error puts data on 30 million German phone users on Internet (AFP) by AFP: Yahoo! Tech
    Not once, but twice now, Deutsche Telekom has lost personal data. Lots of it.

    Hat tip: @mckeay

That’s it for today. Have fun!
Kevin

