The blog has moved…

After much thought and consideration, I decided to move my blog from wordpress.com to my own domain.  The decision has nothing to do with the service provided by wordpress.com. I have never had any problems with this blog while it has been hosted by wordpress.com.

There are other things I want to do with the blog that will be easier if I have more control over the software and how it is setup.

So, it now lives here: http://www.infosecramblings.com.

If you are subscribed to the RSS feed via http://feeds.feedburner.com/InfosecRamblings, you shouldn’t need to do anything.  The changes I will make to the feed should be transparent to you.  If you are are subscribed to the https://infosecramblings.wordpress.com/feed, you will either need to change to the feedburner feed or use http://www.infosecramblings.com/feed instead.

Kevin

Interesting Information Security Bits for 11/07/2008

Good afternoon everybody! I hope your day is going well.

Here are today’s Interesting Information Security Bits from around the web.

1. Virtualization: How to Isolate Application Traffic
   Lori has penned a nice article pointing out how we can use VLANs to isolate application traffic. She makes and excellent point in the article, “we’ve grown to use VLANs as an architectural tool rather than a security tool, and often don’t consider how valuable such a simple, existing technology can easily be applied to more emerging, cutting edge concepts.”
2. Typical Injection Points in a Web Application | Startup Security
   Damon fills us in on some good spots to check for vulnerabilities in web applications.
3. Discovering Rogue Access Points With Nmap
   Nifty way to detect rogue wireless APs from the wireside.
4. Researcher: Android may not need antivirus software
   Now I’m not saying you have to have anti-virus software for your mobile device, but I sure don’t agree with several of the statements made in this article.

That’s it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Interesting Information Security Bits for 11/06/2008

Good afternoon everybody! I hope your day is going well.

Here are today’s Interesting Information Security Bits from around the web.

1. TaoSecurity: Defining Security Event Correlation
   Richard has a good post up on defining security event correlation. Go check it out.
2. Why use Firefox << Techdulla
   Techdulla tells us why he uses Firefox for his browser. I agree with everything he says and will add that putting the AdBlock add-on into place makes it even better.
3. HiR Information Report: Xorg.conf for OpenBSD MacBook / Parallels
   Ax0n is here to help you get Xorg running on your Mac using Parallels.
4. Android-Powered G1 Gets Antivirus Software — Google Android — InformationWeek
   Looks like you can get Anti-virus software for your G1 phone.
5. Once thought safe, WPA Wi-Fi encryption is cracked
   Oops. Time to upgrade to WPA2. Okay, you don’t have to run out right now and do it, but it looks like some researchers have found a method of getting the TKIP key in a short time frame.

That’s it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Interesting Information Security Bits for 11/05/2008

Good afternoon everybody! I hope your day is going well.

Here are today’s Interesting Information Security Bits from around the web.

1. CSI Stick – So who has a copy of your phone? << SANS Computer Forensics, Investigation, and Response
   This is both very cool and very scary. Tool that allows you to quickly and easily suck the data out of a cell phone or smart phone. So much for locking the keyboards on those puppies.
2. Assuming the breach: What is good pen-testing?
   Planet Heidi has some good guidance for effective pen testing. You should go read it if do them and, more importantly, if you get the results.

That’s it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Interesting Information Security Bits for 11/04/2008

Good afternoon everybody! I hope your day is going well.

Here are today’s Interesting Information Security Bits from around the web.

1. /dev/random >> Blog Archive >> Critical dns2tcp Vulnerability!
   Looks like dns2tcp has a vulnerability that needs to be taken care of. Time to upgrade.
2. TrueCrypt – Free Open-Source On-The-Fly Disk Encryption Software for Windows Vista/XP, Mac OS X and Linux – Documentation
   A new version of Truecrypt is out. Version 6.1 was released on October 31st, 2008.

   Hat tip: Xavier at http://blog.rootshell.be

3. Research Blog – Research – SecureWorks
   A very nice description and review of the worm that is trying to take advantage of MS08-067.
4. PCI Blog – Compliance Demystified >> Blog Archive >> Cloud computing security and PCI
   Another good article about PCI and cloud computing.
5. Tenable Network Security: Log Correlation Engine 3.0 Released
   Like the title says, Tenable has released a new version of their Correlation engine.
6. Man cops to $1m phony bar code shoplifting scheme * The Register
   Real life shopping cart hacking 🙂
7. Security at the point of sale
   An interesting article about the different ways that thiefs are exploiting retail checkout systems.
8. Core Security finds critical Adobe Reader hole | Latest Security News – CNET News
   Looks like it’s time to patch Adobe Reader again.

That’s it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Resources to increase your info security knowledge and benefit your infosec career…

@GeekGrrl posted a note on her blog asking this question:

1) How would you recommend getting started on a career toward Network Security/Network Pen Tester?

She has some follow-up questions to that first one requesting some specific information. Go read her post and then come back.
.
.
.
.
Okay, here is what I suggested. Obviously, not exhaustive.

Here is a good blog post that might help.

http://www.leune.org/blog/kees/2008/10/-tips-for-getting-started-1.html

1) Certs –

• If you want to be technical, I would start with the SANS GSEC cert. Make sure you go for the GOLD cert and not just the silver. This cert will give you a good base to build on.
• From there, move on to firewalls, ids, etc.  as appropriate.  SANS certs are the best technology agnostic certs around.

2) Cons

• Defcon – cheap and worthwhile.
• Keep doing what you are doing, watch and read the presentations after they are posted. Garret Gee over at Infosecevents usually posts links to archives when he comes across them.

3) Associations

• See if there is an Infragard chapter nearby.  Free and often strong in cyber security.
• Start a chapter of http://www.naisg.org/. You will probably learn more and meet more people that can help you doing this than anything else.

4) Books

• Security Engineering is a great source.
• For web app security testing the “The Web Application Hacker’s Handbook” book by PortSwiggger is great.

5) Other

• http://www.learnsecurityonline.com/ is a great site.
• http://www.hackquest.de/ a challenge site.
• http://www.hackthissite.org/ another one.
• The WebGoat project by OWASP is also cool.
• Damn Vulnerable Linux is interesting.

Finally, VirtualBox is a great free virtualization platform for Windows and Linux that will let you setup VMs like DVL to hack against.

Go ahead and offer up your suggestions in the comments.

UPDATE: On the drive home I today, I was still thinking about this question and I realized I left off one things that an individual can do that will probably reap more benefits than any of the items listed above.

Find a mentor.

Find somebody who has been in the business for a while who is willing to let you bounce questions off of them and is willing to give you the benefit of their experience when you hit situations that you are not familiar with. Somebody who can offer you those second opinions that can be so helpful.

Here is a link to a bunch of articles on finding a mentor and the mentoring relationship. The articles are not infosec related at all, but still apply.

http://www.inc.com/guides/growth/24509.html

Kevin

Interesting Information Security Bits for 11/03/2008

Good afternoon everybody! I hope your day is going well.

Here are today’s Interesting Information Security Bits from around the web.

1. Microsoft: Trojans are huge and China is tops in browser exploits | Latest Security News – CNET News
   An interesting report has been put out by Microsoft that is worth a gander.
2. Google patches Android security flaw | Latest Security News – CNET News
   There is a patch available for your G1 phone. Better go get it done if you haven’t already.
3. Cloud Computing: It’s the destination, not the journey that is important
   Lori has a very good point here. You should go read her article because it applies to all of us.
4. PortSwigger.net – web application security: [MoBP] Filtering and deleting content
   Interesting things going on with the Burp Suite. New features and a major release just around the corner.
5. PortSwigger.net – web application security: [MoBP] The new target site map
   More cool stuff.
6. ToorCon X Presentations | Infosec Events
   Yup, more reading.
7. OWASP NYC AppSec 2008 Video | Infosec Events
   and watching.
8. Network Security Blog >> PCI Compliance in the Cloud: Get it in writing!
   Martin has written a article that you should read if you have any responsibility for PCI.

That’s it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Who needs employee exit procedures and disaster recovery plans are for whimps…

This article talks about the conviction of Pryavrat Patel for actions he took after his long-term contract employment with Pratt-Read was terminated.

Now, what Mr. Patel did was definitely wrong, but frankly, Pratt-Read should probably put some thought into how they dealt with the situation too.  It took them two weeks to recover from the actions of Mr. Patel and, per the article, were actually using paper and pencil at one point to keep the business running.

So, how do you bake a fail-cake?

Ingredients:

1. Long-term system administrator.
2. No apparent backups.
3. No apparent disaster recovery plan.

Directions:

Have system admin work on systems for 8 years.  Terminate said administrator. Leave remote access available to administrator and also leave access rights in place. Wait one month and break out pad and pencil to manage business when the systems can’t be used after administrator visits via remote access.

This isn’t the first story of a fired employee/contractor retaining access after being fired and causing mischief, nor will it be the last. However, it does drive home a few things we really ought to be doing in order to protect our business. Not only from situations like this, but in general.

The short list of failures I see in this story are:

1. No process to terminate remote access and revoke access rights.
2. Apparently, no backups.
3. Apparently, no disaster recovery plan or a very poor one if it existed

So kids, make sure you change those passwords and disable the accounts of your departing personnel. Make double sure you change the administrative user passwords on all systems that said individual accessed, have a business continuity and disaster recovery plan, and backup your systems.  Finally, test those plans and backups.  If they don’t work, you are still in the same spot as if you didn’t have them in the first place.

Kevin

Recap: RSA Europe 2008 Day 2

Hello again. Day 2 of RSA Europe 2008 was a busy one.  I attended several sessions during the day and then the Security Catalyst, Security Bloggers, Security Twits get together happened that evening. This post will only talk about the day.  The meet-up post will be later. Without further ado, let’s get to it.

‘The New Face of Cybercrime’ Film Screening and Executive Panel Discussion
Fortify

Fortify commissioned the creation of a short film that explores what cybercrime looks like in today’s world. The film was well done and does a good job of showing that cybercrime is no longer about how many defacements malicious individuals can rack up. It isn’t about bragging rights on which systems were hacked.  Cybercrime is big business these days.

Those perpetrating it are doing it for money.  As such, they don’t want to get kicked out of you systems and don’t want anybody to know they are there.  It is a different world and we need to be vigilant and focused if we are going to be successful in protecting our enterprises.

Blinded by Flash: Widespread Security Flash Developers Don’t See
Prajakta Jagdale, Security Researcher, Hewlett-Packard

Prajakta’s session was an interesting one. She showed us how most current problems we find in web apps also exist in Flash based applications.  This includes things like XSS, cross-domain privilege escalation, data injection and others. She also showed some interseting things that can be done with some Action Script functions like onMetaData, a video related function, setClipboard, which does exactly what it says and runtime instantiation.

Of more concern is her finding of client side authentication and other client side issues in a disturbing percentage of applications.

The Future of Privacy
Bruce Schneier, Security Technologist and CTO, BT Counterpane

Bruce always has interesting things to say.  I will share that most of what he talked about is stuff that he has been talking about in his essays and on his blog. That being said, here are a few nuggets that resonated with me.

1. Data is a byproduct of the information age – systems are not generating scads and scads of data on you because they are malicious. It just happens as more and more facets of our lives are moderated by computers. Think about email, telephone calls, credit card purchases, books bought via Amazon.  All of these generate data.
2. Ephemeral data is now stored – In the past the conversation you had in the hall with your co-worker disappeared as soon as it was over. Now, with email, instant messaging, skype and other methods of electronic transport becoming more and more the primary method of communication, those conversations are sticking around.
3. We aren’t in control of that data – We don’t have the ability to delete all the data that is being built up about us because we don’t control it. Again, this isn’t malicious, it’s just the way things are in the information age.

The rest of the keynote was quite interesting as he delved into many facets of what will be happening moving forward.

Hackernomics
Herbert H. Thompson, Ph. D., Chief Security Strategist, Peope Security

Dr. Thompson gave a great talk that drove home even more that we are in an era where the motives of today’s attackers are no longer about the ‘cool’ factor.  It is a business and we are being faced with well financed and motivated attackers who are interested in what we have as opposed to just wanting to take us down. He posits Five Laws of Hacker Economics which is worth a read.  Good stuff.

Another good day at the conference.

Kevin

Technorati Tags: rsa europe 2008, hackernomics, cybercrime

Recap: RSA Europe 2008 Day 1

Hi there folks. I am home and somewhat rested from my trip to London for the RSA Europe 2008 conference. It was a great trip and i enjoyed the conference.  Below is a recap of my first day.  This is going to be long, so hang in there 🙂

Information Security: From Ineffective to Innovative
Arthur W. Coviello, Jr. – Executive Vice President EMC

If I had to compress Mr. Coviello’s talk into a few concise points, they would be the following:

1. Concentrating all our information security efforts at the perimeter is an ineffective model in today’s world.
2. The data we are tasked with protecting must become central to our thought processes when determining how to protect our enterprises.
3. Information security must be business aligned.

Point number 1: Our perimeters have become quite porous.  This is by design.  As such, customers, partners and others have much more access to internal systems than ever before.  This means that perimeter defenses are inadequate in dealing with attacks that are targeted at the data contained in the applications which are published to the world.  It’s the old crunchy shell vs. chewy center problem.

Point number 2: As alluded to above, in many cases the data and applications most important to the enterprise are being published to the internet or to trusted third parties in such a manner that perimeter controls are next to useless in protecting them.  We must start thinking of ways to protect the data where it sits and ensuring that the applications we publish are developed as securely as possible.

Point number 3: Finally, Mr. Coviello said that information security must become business aligned.  We used to be fear driven, i.e. we must protect ourselves from the evil out “there”. That has morphed into our current situation where we are often compliance driven, i.e. regulation x must be complied with therefore we must do y. The next step is to be business driven.  We need to understand what the business needs to accomplish, what the keys to the kingdom are, and how to protect them in a manner that is risk appropriate and as unobtrusive to the user as possible.

I agree with all the points he made. It will be a challenge, but we will benefit greatly if we can become an integral part of the business process and start protecting the crown jewels instead of the walls that contain them.

Managing your own Security Career
Chris Batten – Managing Director, Acumin

Mr. Batten offered some insight into how to manage you information security career.  His prescription for managing your career is summed up in three statements:

1. Know yourself
2. Know others
3. Do a gap analysis

Know yourself: If you don’t know yourself, i.e. strengths, weaknesses, goals, how can you plot a course to get you to where you want to go.

Know others: If you don’t know what others expect or how they perceive you, how can you navigate the course you have plotted to get to where you want to go.

Do a gap analysis: Once you know yourself, know others and have determined where you want to go, do a gap analysis of where you are now and what the next step is in your chosen course. Notice the next step part.

He mentioned that planning for ten years down the road is probably not the best use of your time.  Things change.  Another statement he made is the career path should be your career path, not the company’s career path for you.  Determine what you want to do and make that happen either.

A Dialogue with ENISA
European Network and Information Security Agency

In this press only event, ENISA presented two white papers, one which has already been published, “Security and Privacy in Massively Multiplayer Online Games“, and “Web 2.0 Security and Privacy” which will be released in the near future.  The summaries were both interesting.

I never realized that there was so much real money at stake in the virtual worlds that have been developed in the last few years. Time became short, so we did not have a chance to talk much about the Web 2.0 paper, but a couple points that were raised are that users are going to be faced with more and more behavioural marketing and that the browser is the new OS. Not suprising, but intersesting none the less. I will be reading up on it when it is pubished and will report back then.

While I went to several other talks, these three were the most interesting to me and this is long enough already 🙂 Updates for Days 2 and 3 will be along in the next couple days.

Kevin