Check out the consolidated list of sources that “the man” uses to gather your personal information. Get your reports, go over them with a fine-toothed comb, and get errors corrected. Oh, and be awed by how much of your life is available to anyone willing to pay to get it. Very scary. http://consumerist.com/2010/02/get-all-your-reports.html
Google – China – Aurora attacks dissected.
March 2, 2010
http://www.theregister.co.uk/2010/03/01/aurora_resistence_futile/
Full paper here. iSEC Partners’ recommendations are good. However, while comprehensive and technically accurate, I think it would be beneficial to have an accompanying set of “triage” recommendations (use GPOs to disable LANMAN hashes; perform egress filtering and alerting; never EVER EVER log in with admin credentials, use sudo or runas instead; migrate to token-based authentication).
HITECH data breach analysis
March 2, 2010
Chris Merritt over at Lumension did a quick analysis of the HHS breaches of healthcare data for ~4Q09. It pretty well repeats what most of us in the security industry have been harping on for years regarding healthcare information:
- Theft (not accidental loss) is the biggest vector both in terms of # of incidents and total records compromised
- The endpoint, NOT the datacenter, is your weak link
The picture is a bit different with respect to financial information and PII (application and endpoint security), but time after time we’ve shown that if I can pop your desktops, I can use them to pop your datacenter.
VMWare Guest Stealer
February 19, 2010
http://www.fyrmassociates.com/tools.html
New Google AdWords phish
January 4, 2010
Just saw a new Google AdWords phish this morning. Nothing earth-shattering, but well done in the Google minimalist style:
If you view the mail headers, you’ll see that the email was bounced off (yet another) open .edu relay, copeland.udel.edu. Update your blacklists – in this case, MXLogic didn’t catch it.
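Finding the relay to blacklist means reading the Received: chain from the bottom up, since each hop prepends its own header. The following is an added example (not part of the original post) that unfolds a constructed set of headers modelled on the case above, lists the hops in delivery order, and reports which host handed the message to our own MX; the hostnames and addresses are invented sample values.

```ruby
# Constructed sample headers: an open campus relay (relay.campus.example.edu)
# accepted the message from an unknown client and passed it to our MX.
SAMPLE_HEADERS = <<~MAIL
  Received: from mx1.example.net (mx1.example.net [192.0.2.10])
      by mail.example.com with ESMTP id abc123; Mon, 4 Jan 2010 08:12:01 -0500
  Received: from relay.campus.example.edu (relay.campus.example.edu [203.0.113.7])
      by mx1.example.net with ESMTP; Mon, 4 Jan 2010 08:11:58 -0500
  Received: from [198.51.100.23] (unknown [198.51.100.23])
      by relay.campus.example.edu with SMTP; Mon, 4 Jan 2010 08:11:40 -0500
  From: "Google AdWords" <adwords-noreply@example.com>
  Subject: Your AdWords account
MAIL

# Unfold continuation lines (a line starting with whitespace belongs to the
# previous header) and return the values of every Received: header, top first.
def received_headers(raw)
  unfolded = raw.gsub(/\r?\n[ \t]+/, " ")
  unfolded.each_line.grep(/\AReceived:/i).map { |l| l.sub(/\AReceived:\s*/i, "").strip }
end

# Each hop as {from:, by:} in delivery order: relays prepend their header, so the
# last Received: in the message is the first hop the message took.
def relay_chain(raw)
  received_headers(raw).map do |value|
    { from: value[/\Afrom\s+(\S+)/i, 1], by: value[/\bby\s+(\S+)/i, 1] }
  end.reverse
end

# The host that delivered the message to `our_host`; this is the relay a
# blacklist entry should name, not the spoofed sender in From:.
def handoff_relay(raw, our_host)
  relay_chain(raw).find { |hop| hop[:by] == our_host }&.fetch(:from)
end

if __FILE__ == $PROGRAM_NAME
  relay_chain(SAMPLE_HEADERS).each { |hop| puts "#{hop[:from]} -> #{hop[:by]}" }
  puts "handed to mx1.example.net by: #{handoff_relay(SAMPLE_HEADERS, 'mx1.example.net')}"
end
```

Only the hop that reached a server you control is trustworthy; everything below it in the chain was written by hosts the sender may also control, which is why the relay name, not the earlier hops, is the thing worth acting on.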
My list of Security RSS feeds
December 30, 2009
Thought others might like my list of security feeds that I scan daily. Some are very active, some less so, and some defunct. I get between 250 and 1200 items a day in this cluster, and can scan through, select, and flag interesting content in about 30 minutes a day using Google Reader. Provided as a shared bundle from within Google Reader.
Migrated to my new Kingston 128G SSDNow-V
December 22, 2009
Man, this thing is sweet. It took a bit of tinkering and resizing to get the migration from my old Maxtor 160G SATA-RAID setup to the new 128G SSDNow, but it was well worth it, and I added a lot to my toolkit along the way:
- built a USB MultiPass (I call it my U3-SwissBlade) with gParted, CloneZilla and several other nifty tools
- broke the RAID on my Maxtors
- Resized my partitions to fit on the 128G SSDNow using gParted
- Installed my SSDNow as my primary SATA drive
- used CloneZilla to do a disk-to-disk partition copy from the Maxtor to the SSDNow (this took a few tries since I had failed to move all partitions to the right after resizing and free up slack space — you really CAN’T get 160G onto a 128G drive!)
- Went through a few boot sequences until I discovered that my fstab was referencing root by UUID and thus GRUB was booting from the SSDNow and immediately mounting the old Maxtor for the rest of the OS load. Grrrrrgggggggggggh. (Note: get comfortable with the vol_id utility so you can find the unique UUIDs for all your drives and update your fstab to use UUIDs instead of device sequence names like sda, sdb, etc.)
- Commands used to give the cloned partition its own UUID and verify it:
    uuidgen
    tune2fs /dev/sdb1 -U <number generated by uuidgen>
    vol_id /dev/sdb1    (verify the new UUID)
    vol_id /dev/hdaX
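The fstab edit above is the part that bites when two drives hold the same cloned filesystem: any entry still naming /dev/sdX can pick the wrong disk after a clone or a cable swap. As an added example (not from the post), the script below rewrites device entries in an fstab to UUID= form. It assumes the device-to-UUID mapping comes from blkid-style output ("/dev/sdb1: UUID=... TYPE=...", the successor to vol_id); both the blkid output and the fstab are constructed samples so it runs offline.

```ruby
# Constructed blkid-style output; the UUIDs are sample values.
SAMPLE_BLKID = <<~OUT
  /dev/sda1: UUID="0f1e2d3c-aaaa-4bbb-8ccc-000000000001" TYPE="ext3"
  /dev/sdb1: UUID="0f1e2d3c-aaaa-4bbb-8ccc-000000000002" TYPE="ext3"
  /dev/sdb5: UUID="0f1e2d3c-aaaa-4bbb-8ccc-000000000003" TYPE="swap"
OUT

# Constructed fstab; /dev/sdc1 deliberately has no blkid entry.
SAMPLE_FSTAB = <<~FSTAB
  # <file system> <mount point> <type> <options> <dump> <pass>
  /dev/sdb1  /      ext3  relatime,errors=remount-ro  0 1
  /dev/sdb5  none   swap  sw                          0 0
  /dev/sdc1  /mnt/x ext3  defaults                    0 2
  proc       /proc  proc  defaults                    0 0
FSTAB

# Parse "/dev/xxx: UUID="..." ..." lines into { "/dev/xxx" => "uuid" }.
def parse_blkid(text)
  text.each_line.with_object({}) do |line, map|
    if (m = line.match(/\A(\/dev\/\S+):.*\bUUID="([^"]+)"/))
      map[m[1]] = m[2]
    end
  end
end

# Return the fstab with every device that has a known UUID rewritten as UUID=<uuid>.
# Comments, blank lines and devices with no UUID are left untouched, so a partial
# mapping never silently breaks an entry.
def fstab_to_uuid(fstab, dev_to_uuid)
  fstab.each_line.map do |line|
    next line if line.start_with?("#") || line.strip.empty?
    next line unless (m = line.match(/\A(\S+)(.*)\z/m))
    dev, rest = m.captures            # `rest` keeps the original spacing and newline
    uuid = dev_to_uuid[dev]
    uuid ? "UUID=#{uuid}#{rest}" : line
  end.join
end

if __FILE__ == $PROGRAM_NAME
  puts fstab_to_uuid(SAMPLE_FSTAB, parse_blkid(SAMPLE_BLKID))
end
```

On a real system you would feed it the output of `blkid` and the contents of /etc/fstab, then diff the result against the original before writing it back; the entry for /dev/sdc1 shows what an unmapped device looks like in that diff.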
Performance is excellent. My VMs load near instantly and no more disk thrashing.
I put one of the SSDNows in my old Dell D630 and it has made significant improvements in performance as well. I may get another year or two out of this laptop after all. Well worth the $230 I spent.
I’m interested in getting an SSDNow V+ to see if the write performance justifies the increased cost, but not until I do some benchmarking of my system to see if I am write-bound or not.
Fixed: Unetbootin / Syslinux version issues
December 16, 2009
Having problems using unetbootin to install certain packages on your USB multipass? Discovered recently that syslinux version differences between packages (like GParted) and unetbootin can cause nasty errors at boot:
SYSLINUX 3.72 2008-09-25 EBIOS copyright (cc) 1994-2008 H. Peter Anvin
Unknown keyword in configuration file: UI
Could not find kernel image: linux
boot:
FIX: Use a current syslinux or syslinux.exe (version 3.82 at the time of this writing, download here) to re-prep the USB stick:
    syslinux z:
where z: is the drive letter of the USB drive. This will install the newer version of syslinux on the USB drive and resolve those keyword issues.
Best kitchen-sink pizza
December 14, 2009
Tonight I perfected it. Adjust to suit your tastes (e.g. leave off the hot stuff if you like).
Ingredients:
- 12″ thin crust
- 6 oz finely shredded mozzarella
- 5 oz pizza sauce (or tomato sauce)
- 1 roma tomato, halved and sliced into 1/8″ slices
- 1/4 red onion, sliced in 1/4″ rings and quartered
- 1/4 cup pepper rings
- 1/3 green pepper, diced
- 2 TBsp Feta cheese
- Sliced Pepperoni
- 8 oz Chorizo, cooked, crumbled
- 8 oz spicy Jimmy Dean sausage, cooked, crumbled
- 1/2 cup mushrooms, sliced
- 3 cloves garlic, minced
- 3 pieces thick cut bacon, crumbled
- 2 Tbsp capers
- 1 jalapeno, seeded, halved and sliced
Directions:
- Preheat oven to 450
- Spread sauce on crust to within 1/2″ of outer edge
- Evenly distribute mozzarella
- Evenly spread all other ingredients (meat first, then veggies, then feta cheese)
- Cook in 450 degree oven for 9 minutes
Remove pizza. Let cool for 7 minutes. Slice. Serve. Enjoy.
General fix for “ERROR FOUND IN CUSTOM UI XML” issues in MSOffice Products
October 29, 2009
I have seen this error in various software and it’s terribly annoying. It most often pops up in Outlook every single time you create an email, appointment or other object. I thought it was originally isolated to the LinkedIn toolbar, but then it started happening with various MAPILab add-ins and other objects. I have tried diagnosing binaries using Reflector, analyzing the subject XML, etc., but the fix was ridiculously simple. I must have wasted at least 10 hours of my life chasing “errors” that are nothing more than annoyances and don’t break any application functionality. To turn these goofy errors OFF in MS Office products:
- Go into the application’s Options (i.e. click the Office Button and select “Options”)
- Select “Advanced” from the navigation pane on the left.
- Find the “Show add-in user interface errors” checkbox and unselect it.
- Click the OK button.
Outlook operates a little differently:
- Start Microsoft Office Outlook.
- On the Tools menu, click Options.
- In the Options dialog box, click the Other tab, and then click Advanced Options.
- In the Advanced Options dialog box, select Show add-in user interface errors, and then click OK.
- Click OK to close the Options dialog box.
Don’t hate your customers
October 21, 2009
A recent exchange with Delta Airlines went something (actual, EXACTLY) like this:
Welcome!
Note: During your chat session, Delta agents may be able to view your delta.com transactions. Additionally, chat conversations are recorded and monitored by Delta Air Lines.
Please wait while we contact the next available agent…
You are now speaking with Morris!
Morris: Hi! My name is Morris. How may I help you?
Morris: Hi! How may I assist you today?
Steve Goldsby : I just checked in online, and tried to print my boarding pass . When I do, I get a “page not found” error from the website. If I go back to my itinerary and try to “reprint” boarding pass, I get the same “page not found” error. Can you fix this or email me my boarding pass in PDF format so I can print it and avoid the lines at the airport? SkyMiles #: <xxxxxxxxxxxxxx>
Morris: Steve, I apologize for the inconvenience you faced on Delta.com; please give me a moment while I look into the matter for you!
Steve Goldsby : thanks.
Steve Goldsby : i also notice the flight is oversold. if you have seats on an earlier flight, I would be happy to consider an earlier flight.
Morris: Let me check that for you. Just one moment.
Morris: I see on your reservation that you have already checked in, be rest assured you will get a print of the boarding pass at the airport.
Steve Goldsby : right. i don’t want to wait in line.
Morris: I will not be able to send a print of the pass via chat.
Morris: Did you receive my last response?
Steve Goldsby : i did.
Steve Goldsby : since the flight is oversold, is there an option to move to an earlier flight?
Morris: On the seat map I see that two seats are available 33 B and 36 F.
Steve Goldsby : okay. when i checked in the website said:
Steve Goldsby : Your flight is oversold. Delta is seeking volunteers with flexible travel plans to exchange their seats for compensation. Go ahead and check in below. If interested in volunteering see your gate agent at the airport.
Morris: To check in, print your boarding card and check your bags online, please go to our home page, click on the Itineraries and Check In under the tab Traveling and Check In, retrieve your reservation with your name and the confirmation number or ticket number, on the trip details page you will see the area at the top that says Check In, please click on that link and follow the instructions. You will also be able check in your bags online.
Steve Goldsby : I did that. website returns this error page at the “print boarding pass” page
Steve Goldsby : Requested Page Not Found The requested page could not be found on delta.com: * We may have removed the page or changed its web address. * Bookmark or link you clicked on might be incorrect. * Web address may have been mistyped. Recheck it to make sure it’s correct. How to Find Your Page: Use our Search tool to help you find what you’re looking for, or start again from our home page. If you still need assistance, try our Live Chat option with a customer service representative, or contact us for help.
Steve Goldsby : so I contacted you for help.
Morris: please call our Online Customer Support Desk at 1-888-750-3284 and our Representatives will be glad to help.
Steve Goldsby : What’s the vector victor? Roger roger.
Steve Goldsby : i’ll call customer support.
Morris: Is there anything else I may help you with?
Morris: Thanks for choosing Delta have a nice day.
Morris left the chat.
Your chat has ended. Thank you for speaking with us.
Please help us improve our service by clicking on the following link to take a short survey: CLICK HERE
Gmail phishing redux
September 23, 2009
Just noticed over at Commtouch Cafe that the Gmail trickery is ongoing. They did a good job of comparing the real Gmail site with a forgery, pointing out the obvious differences. Got me to thinking, so I did a little search (using Google!) and came up with several phonies. (Search criteria: intitle:”gmail: email from google” “lots of space” “mobile access” “less spam”) I don’t have the time right now, but it would be an interesting exercise to find linked pages… you’d probably find some XSS on the originating site, or an evil web proxy at the other end. Maybe a project for my next layover at the airport.
[Image: real Gmail page]
[Image: fake Gmail screencap]
StolenID Search: Find out if your PII has been compromised
September 23, 2009
There’s a free (as in beer) search service over at Stolen ID Search that allows you to search their database of stolen identity information to see if you’re a victim of identity theft. These guys claim to have information on 120 million+ compromised accounts. Doesn’t require you to give up the farm to find out if you’ve been popped. If there’s a match, Stolen ID Search also offers a fee-based service to get additional information on how the data was compromised, where it was discovered and instructions on what to do next for $15.
Disabling USB on various platforms
August 28, 2009
Nice little cheat sheet from the NSA that I leave behind with clients. Gives them enough information to get the job done without overwhelming them with unnecessary information. http://www.nsa.gov/ia/_files/factsheets/I731-002R-2007.pdf
Fixing goorecon.rb to handle new Google responses
August 22, 2009
Goorecon recently broke when querying for email addresses (e.g. ruby goorecon.rb -e icsinc.com). Sometime between when goorecon was written and now, Google changed the formatting of responses for email addresses from:
    emailaddress@<b>icsinc.com
to
    emailaddress@<em>icsinc.com
Easy fix is to change the following line in goorecon.rb
response.scan(/[\w.-]+@<b>#{target}/o) { |t|
to
response.scan(/[\w.-]+@<[^>]+>#{target}/o) { |t|
This will keep the code flexible enough so that if Google ever changes the highlighting tag (formerly <b> but now <em>) to some other HTML tag, goorecon will still correctly draw out email addresses.
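To show the fix behaving on the formats the post describes and on the cases it does not mention (a tag with attributes, an address with no highlight tag at all, an address at a different domain that must not match), here is an added example; it is not goorecon’s own code, and the target domain, the snippet HTML and the addresses in it are constructed sample values. It also escapes the target so the “.” in the domain does not match any character, which the original one-liner relies on not mattering.

```ruby
# Assumed target domain for the search (sample value).
TARGET = "icsinc.com"

# Constructed snippet HTML covering the <b> format, the <em> format, a tag with
# attributes, an unrelated domain, and a plain untagged address.
SAMPLE_HTML = <<~HTML
  Contact: alice.smith@<b>icsinc.com</b> for sales
  Support: bob-jones@<em>icsinc.com</em>
  Other: carol@<span class="hl">icsinc.com</span>
  Unrelated: dave@<em>example.org</em>
  Plain: erin@icsinc.com
HTML

# Return the distinct addresses at `target`, with any highlight tag removed.
# The optional (?:<[^>]+>)? accepts whatever single tag the search engine wraps
# around the domain part, or none; Regexp.escape keeps the domain literal.
def extract_emails(html, target)
  re = /([\w.-]+)@(?:<[^>]+>)?#{Regexp.escape(target)}/
  html.scan(re).flatten.map { |local| "#{local}@#{target}" }.uniq
end

if __FILE__ == $PROGRAM_NAME
  puts extract_emails(SAMPLE_HTML, TARGET)
end
```

The capture group holds only the local part, so the returned strings are clean addresses rather than the raw match with the tag still embedded, which is what you want if the output feeds a report of which of your organisation’s addresses are publicly indexed.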
Analyst Cheatsheets over at Packetlife
August 13, 2009
Great list of cheat sheets by Jeremy Stretch over at PacketLife.
Patenting the pen-test?!?!
August 12, 2009
Okay, process patents in this space have gone too far. I’m googling for some information for a presentation today, and I come across a WIPO patent titled: “SYSTEM AND METHOD FOR PROVIDING NETWORK PENETRATION TESTING”. The “inventors” (and yes, I’m using that term loosely) are Fernando Federico Russ, Alejandro David Weil, Matias Ernesto Eissler, Francisco Javier Dibar and Hector Adrian Manrique. A quick search shows these guys in other patent activity. What’s disturbing is that this patent appears to have been filed in 2008, but the process described doesn’t seem terribly innovative. Client-side pen testing with a bunch of legal and process fluff thrown in to make it look sexy. Surely Metasploit would be prior art, among other tools and frameworks. How do these folks get away with this? I need to go do my research on these inventors, and CORE SDI INC, to get a complete picture. If anyone out there has input, I’d sure like to hear it.
Finally, understand your inner (or outer) Nerd
August 12, 2009
I thought I’d reached the end of the Internet, but apparently I missed this little gem of content. It actually brought tears to my eyes. Tears of joy, because finally someone understands me and my kind. I’m willing to bet that at least one out of three readers of this blog can relate. So look to your right, and look to your left. If it ain’t them… well, you’re the nerd. Definitely worth the 8-minute read (40 seconds if Mubix’s recommendation works).
Fixing the way Firefox renders under Backtrack/Ubuntu
August 11, 2009
I finally had enough of retuning Firefox every time I loaded BackTrack 4. You see, some apps (like Firefox) are built using GTK, but Ubuntu/BackTrack run KDE. The result is that no matter how you tune your X theme, Firefox still looks like poo. The fix is to do some trickery with KDE->GTK->Qt bindings, look at Bug #193538, or just load a Firefox theme that addresses this problem. My preference is KFirefox: Firefox Theme for KDE4. Pointy clicky, draggy droppy, and you have a svelte Firefox under Ubuntu.
Baby pictures in lost wallets increase the chance they will be returned
July 12, 2009
Interesting social component. This and similar research may have implications for social engineering, increasing the likelihood of success. Article is over at BoingBoing http://www.boingboing.net/2009/07/12/baby-pictures-in-los.html
X-Rumer 5.0 Spam tool – pure evil – Busts captcha, registration, etc.
July 11, 2009
Interesting read over at Digital Soapbox on the “X-Rumer” Russian spam tool. This nasty little tool handles CAPTCHAs, sites requiring registration, etc. I’d be interested in seeing who else has fallen prey to and verified this thing.
Sometimes when you’re right, you’re wrong – Beating clients around the head and neck in an audit.
July 9, 2009
VERY well articulated and fast read at http://www.securitycatalyst.com/did-i-think-this-through/. Having been in the business for some time, I can tell you this is where most of our security ninjas make their mistake — beating the client over the head with a club like a baby seal.
Sometimes when you’re right, you’re wrong.
Al Qaeda: 0 USA: (infinity)
July 9, 2009
Hey, if you want to live in a cave but use 21st century technology… well… as a wise man once told me: “LIFE isn’t fair”. http://www.wired.com/dangerroom/2009/07/infrared-beacons-guiding-cia-drone-strikes-qaeda-claims/. Can I get a BOOMya?!?!?!?!
Stupid stego tricks with PDFs.
July 9, 2009
http://secforall.info/2009/07/08/abusing-pdfs/
Joe Webster has a great writeup on easy and effective steganography tricks using PDFs as your host. 9/10.
Insane? Genius? Or alt-root maintainer AND president of the Fifth World Order?
July 8, 2009
I recently became aware of the Cesidian alt-root run by the “Hon Most Rev Dr Cesidio Tallini”. This guy is definitely out there.
Why am I posting this? I can’t explain why, but I haven’t seen anything this bizarre in a long time, and I see some bizarre stuff. Apparently he lives on Long Island and has proclaimed himself the head of that nation. He also has these “micronations,” which consist of a rock in the ocean with a pelican sitting on it. This guy is comprehensive in his delusion – his Amazon Store has books on how to start your own nation, pirates (“arrggh matey” not “ihackstuff”), and a field guide to mushrooms.
If nothing else, I entertained myself for 30 minutes.
Audio release of “Into the Breach” (Recommended)
July 8, 2009
The audio version of “Into the Breach: Protect your Business by Managing People, Information, and Risk” has just been released. Great if you have a stack of books on the nightstand but some free time in the car/airport/etc.
Check out a snippet of the audio version of the book at: http://www.securitycatalyst.com/innovation/security-catalyst-podcast/
Protect .NET assemblies against reverse-engineering and recompilation
July 8, 2009
02.07.2009 Decompilation Injection – Maty Siman, CISSP
Press Release (PR)
Checkmarx Research Labs present a novel way to protect .NET assemblies against reverse-engineering and recompilation. By injecting them with commands that are activated only at the recompilation stage, the application retroactively detects the reverse-engineering process and acts upon it.
Using Kon-Boot from a USB Flash Drive: Bypass those pesky Windows and Linux login passwords completely
July 8, 2009
Good visual aid for the recently updated Kon-Boot over at http://www.irongeek.com/i.php?page=security/kon-boot-from-usb
New attack vector: "Man-in-the-phone" attacks.
July 7, 2009
Okay, maybe not new, but what a sexy marketing term for it. From the article:
The scam works like this: The criminal calls a target, claiming to be the fraud department of the target’s bank calling to alert the mark to potential unauthorized activity. The recipient of the call is then told to please hold while a fraud specialist is brought on the line. The perpetrator then calls the victim’s bank, and bridges the call, while placing his portion of the call on mute.
When the bank’s fraud department asks various questions in a bid to authenticate the victim, the criminal records the customer’s answers. Depending on the institution, the answers may include the victim’s Social Security number or national ID number, a PIN or password, and/or the amount of last deposit or location of the last transaction.
The criminal then calls the bank back (ostensibly reaching a different customer service representative), supplies the personal information needed to access the victim’s account, and begins to initiate a series of wire transfers out of that account into another that he controls.
http://voices.washingtonpost.com/securityfix/2009/07/high_crimes_using_low-tech_att.html
List of current IE 0day exploiting domains
July 7, 2009
Update your ACLs at http://isc.sans.org/diary.html?storyid=6739&rss
Tool Density Matters – MultiISO LiveDVD v1.0 – BackTrack, Knoppix & Ophcrack
July 7, 2009
http://www.darknet.org.uk/2009/07/multiiso-livedvd-v1-0-backtrack-knoppix-ophcrack/
MultiISO LiveDVD is an integrated Live DVD technology which combines some of the very popular Live CD ISOs already available on the internet. It can be used for security reconnaissance, vulnerability identification, penetration testing, system rescue, media center and multimedia, system recovery, etc. It’s an all-in-one multipurpose LiveDVD put together. There’s something in it for everyone.
Predictable Social Security Numbers – peeling back the layers of the onion
July 7, 2009
A few barriers to entry.
- First, read the research summary: http://www.cmu.edu/news/archive/2009/July/july6_ssnprediction.shtml
- Then, discover that the “death master file” is $14k plus update costs: http://www.ntis.gov/products/ssa-quarterly.aspx
Likely copies of this running around the “blackhat” underground, and it would only take a few identity thefts to cover the cost of the database, but the script kiddie populace should effectively be excluded.
Goldman Sachs: 1 Ruskies: 0
July 7, 2009
http://www.wired.com/threatlevel/2009/07/aleynikov/
Great article on one of the outcomes of a good logging and compliance program. Moral of the story? Blowfish, UUencode then tunnel everything through SSL! $400k a year wasn’t enough? #fail
Nobody Is That Dumb … Oh, Wait XII
July 7, 2009
From Chuvakin’s blog, a little light humor, with a bit too much reality… follow the link for more.
Nobody Is That Dumb … Oh, Wait XII
Many, many moons ago I had this brilliant series “Nobody Is That Dumb … Oh, Wait“ (the last one was back in March) where I made fun of people making dumb security claims with apparent – and often scary! – seriousness. Somehow I neglected this series, but a few days ago I was shown a super-shining example of sheer stupidity of immense proportions.
It all started in a remote country of Norway where one particular journalist discovered a horrible evil (mmm… Evil!) that threatens all life in the Universe (mmmm… Multiverse!): honeypots. Specifically, the English translation of the printed original from their “Aftenposten” newspaper starts like this:
“Unethical and unacceptable, says computer experts.”
Reeeeally? OMFG, thanks for enlightening me that an idiot in Norwegian is spelled “c-o-m-p-u-t-e-r e-x-p-e-r-t”
The Curious Case of Asset Valuation
July 6, 2009
Good analysis of the current framework (ISO 27005) and its gaps over at http://riskmanagementinsight.com/riskanalysis/?p=641
Cryptohaze multihash brute forcers for CUDA
July 6, 2009
Sexy, and source forthcoming. This could open up many new possibilities for tinkerers – http://www.cryptohaze.com/bruteforcers.php
Paimei – reverse engineering framework
July 6, 2009
PaiMei, is a reverse engineering framework consisting of multiple extensible components. The framework can essentially be thought of as a reverse engineer’s swiss army knife and has already been proven effective for a wide range of both static and dynamic tasks such as fuzzer assistance, code coverage tracking, data flow tracking and more. http://code.google.com/p/paimei/
Twitter mass suspending accounts – SpamCloud?
July 6, 2009
Looks like Twitter has been mass suspending accounts today. From what I can piece together, it’s a holiday-related spam barrage, probably nimrods out there tinkering with their new knowledge from the Month of Twitter Bugs.
CERT Resiliency Management Model released
July 2, 2009
This is actually a well done framework viable for implementation in the organization. Jump to http://www.cert.org/resiliency/rmm.html
You have no privacy: What you buy may affect your credit
July 1, 2009
Of note:
But when a cop does this it’s illegal?
Seven Deadly sins of Social Networking
July 1, 2009
Great article at Computerworld – let the social engineering begin.
Good start to quantifying data breach costs
July 1, 2009
Good start to a framework for quantifying data breach hard and soft costs over at Securosis. Warrants further input from business units to catch any stragglers, but seems viable. Hard to track the costs surrounding loss in equity value… like when do you consider the recovery from the incident as starting and finishing? I wonder what ChoicePoint, TJX or Heartland might say.
Opt out of Behavioral Advertising networks
June 30, 2009
Behavioral marketing involves serving up ads to a particular individual based on his or her previous online behavior, and many folks consider it evil in the manner of George Orwell’s “1984” government. Check out the Network Advertising Initiative for information on which behavioral advertising sites have cookies on your machine and a pointy-clicky feature for opting out.
Unique security twist due to Increased comfort / dependence on Internet
June 29, 2009
An interesting read over at The Center for the Digital Future at the USC Annenberg School that indicates (to me) that the efficacy of social engineering, phishing and other attacks will increase as society becomes less engaged personally with relationships and more comfortable with / dependent upon the online connections they have formed. Is Facebook making society sheep to the slaughter?
The problem with CyberSecurity Mandates
June 29, 2009
Just got back from my 20-year high school reunion and had time to catch up on my reading. After getting through CyberSecurity training: the battle over mandates over at Federal Computer Week, I felt compelled to jot a few notes.
The article references a measure sponsored by Sens. John “Jay” Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine) that would direct the Commerce Department to “develop or coordinate and integrate a national licensing, certification and periodic recertification program for cybersecurity professionals.” Notable quote: “It would then become unlawful for a person lacking the proper license and certification to provide cybersecurity services to an agency or for an information system or network designated as critical infrastructure” (emphasis mine).
I think we all see the problems with this.
Problem 0: “Unlawful” is a land-mine. My COO has a catch-phrase that I like: Don’t run FROM something, run TO something. His point is that fear-based decisions are nearly always bad decisions. By introducing terminology in a requirement such as “unlawful” you are creating a big red flag for anyone that might even be remotely interested in your problem.
Problem 1: Certification doesn’t necessarily imply capability. Certifications only prove that at a particular point in time you had the knowledge required to pass a test. It is not an indicator that you retained the knowledge, that you understood the material you tested on, or that you are able to do the job currently on the table. We all know “paper tigers”, those consultants that have multiple certifications but lack the applied and practical skills to return significant value. I have personally been involved in follow-on engagements to clean up after a highly-credentialed vendor whose deliverables lacked actionable recommendations, parity with budget constraints, or a realistic implementation timeline. It is important to be able to properly qualify vendors and team members before engaging them.
Problem 2: Certifications provide a false sense of security if considered out of context. I have seen cases where HR was screening candidates based solely on a laundry list of Security and IT certifications. The business unit couldn’t understand why they couldn’t get qualified candidates until we discovered that HR was filtering out highly qualified consultants who simply lacked the ‘appropriate’ number of certifications. Too many organizations rely on certifications as exclusive evaluation criteria but provide little weighting to other items such as past performance, experience in their vertical, background checks, or depth of technical ability.
Problem 3: Certification requirements may introduce barriers that exclude highly qualified talent. I agree that certifications are a good differentiator when selecting a vendor or a solution. That is, when all other factors are equal, certifications make good “tie breakers”. However, they are poor discriminators – they are not unique to any vendor or solution. We all know highly qualified consultants that cannot or will not spend money on a certification costing thousands of dollars when they know it provides no value to their clients. For instance, the PCI Qualified Security Assessor certification costs over $25,000 to achieve and $10,000 per year to maintain. My firm chose not to pursue this certification and focuses instead on pre-audit services such as control selection and risk mitigation to help our clients pass the audit.
Problem 4: Certification Lifecycle is Short. I may be a little over-dramatic here, but the point is valid. The pace and velocity of change in IT is dramatic. Very few certifications provide foundational knowledge that survive over time. The CISSP is one exception as it does a deep dive into many axiomatic areas (think role-based access controls, risk models, etc).
Problem 5: Vendor Certifications are Problematic in Information Security. Many certifications are vendor centric. While this is a good thing for network- and systems-administrators (i.e. the ‘wrench turners’), its value erodes in the information security disciplines. Vendor-centric certifications often skew security theory to their product lines, and there is no independent oversight body. You are better served by balancing a combination of a technical degree, certifications and real-world experience rather than having a checklist of certifications. Consider that University degrees communicate that the candidate has a broad range of exposure to the discipline, has the ability to self-teach new material, and buckle down to achieve goals they really don’t want to (anyone remember Music Appreciation class?).
Problem 6: These requirements will trickle down to and strangle industry. The federal government has the ability to get its fingers into just about everything. In this case, the Commerce Department can pull levers like interstate trade to impose its will on business. Also, as the largest single customer in the nation, the federal government can, has, and will continue to impose these requirements on a large percentage of commercial enterprises through contract flow-down provisions. Having served the federal government for over 12 years, I continue to see such onerous requirements creep into solicitations and contract vehicles, making the cost of serving our customers untenable. We are so handcuffed by ‘checklist’ requirements that there is little funding left over to return real value to our customer, squeezing our margins and degrading our service delivery.
Every day I see clients make these kinds of mistakes and pay the consequences. Clients who don’t understand their own needs and copy-and-paste someone else’s requirements into their solicitation. Clients who think compliance equals security. Clients who release requests-for-proposal (RFPs) where the “successful bidder must assign a to this project”.
I’d be interested in others’ thoughts on this one.
When you index the entire internet, you can do some really sexy things.
•June 20, 2009
Google relaunched its malware finding search engine, AntiMalvertising.com. In classic google manner, you can pass it a target website or domain via the url (à la http://www.google.com/safebrowsing/diagnostic?site=google.com) and get some interesting results. In this example, you’ll see that google has indeed been a vector, and it’s nice to see that they’re not filtering out their own results. Honesty’s the best policy.
There’s also a nice Google API interface. If you have a little spare time and want to see the size, scope and intensity of malware infected sites, you can use the SafeBrowsing site and search for patterns like
“Malicious software is hosted on”
or
“Yes, this site has hosted malicious software”
Because it’s all built on the google search engine, you can do nifty search modifiers too, like this query:
“Yes, this site has hosted malicious software” inurl:site=*.com
Of course, I find it suspicious that
“Yes, this site has hosted malicious software” inurl:site=*.gov
doesn’t return any .gov sites in the USA, especially considering that I know there are dozens of them. Maybe this is a safety filter that google built in to protect our national critical infrastructure?
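The diagnostic URL form above (`/safebrowsing/diagnostic?site=...`) is the only structure the post gives, so the following is an added example, not code from the post or from Google: it builds diagnostic URLs for a list of domains you own (validating the hostname so nothing but the `site` parameter reaches the query string), and it extracts the `site` value back out of diagnostic URLs collected from the `inurl:site=` searches, bucketing them by top-level domain so you can see the distribution the post talks about. The hostname regex, the helper names and the sample URL list are assumptions and constructed data.

```python
import re
from typing import Dict, Iterable, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Diagnostic endpoint as shown in the post.
DIAGNOSTIC_BASE = "http://www.google.com/safebrowsing/diagnostic"

# Conservative hostname check (assumption): labels of letters, digits and
# hyphens, a dotted structure, and an alphabetic TLD. Rejecting anything else
# keeps a stray "?", "&" or path from smuggling extra parameters into the URL.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def diagnostic_url(site: str) -> str:
    """Return the Safe Browsing diagnostic URL for a bare hostname."""
    host = site.strip().lower().rstrip(".")
    if not _HOST_RE.match(host):
        raise ValueError(f"not a bare hostname: {site!r}")
    # urlencode handles escaping; '.' and '-' are left as-is.
    return f"{DIAGNOSTIC_BASE}?{urlencode({'site': host})}"


def site_from_diagnostic_url(url: str) -> Optional[str]:
    """Extract the 'site' parameter from a diagnostic URL, or None if the URL
    is not a diagnostic page (e.g. an unrelated search result)."""
    parsed = urlparse(url)
    if parsed.netloc.lower() != "www.google.com":
        return None
    if parsed.path != "/safebrowsing/diagnostic":
        return None
    values = parse_qs(parsed.query).get("site")
    return values[0].lower() if values else None


def tld_histogram(urls: Iterable[str]) -> Dict[str, int]:
    """Count flagged sites by top-level domain across a list of result URLs."""
    counts: Dict[str, int] = {}
    for url in urls:
        host = site_from_diagnostic_url(url)
        if not host:
            continue
        tld = host.rsplit(".", 1)[-1]
        counts[tld] = counts.get(tld, 0) + 1
    return counts


# Constructed sample: what a handful of search hits might look like. The last
# entry is deliberately not a diagnostic page and must be skipped.
SAMPLE_RESULT_URLS = [
    "http://www.google.com/safebrowsing/diagnostic?site=example.com",
    "http://www.google.com/safebrowsing/diagnostic?site=shop.example.net",
    "http://www.google.com/safebrowsing/diagnostic?site=Example.ORG&hl=en",
    "http://www.google.com/search?q=safebrowsing",
]

if __name__ == "__main__":
    for domain in ["example.com", "Mail.Example.Net"]:
        print(diagnostic_url(domain))
    print(tld_histogram(SAMPLE_RESULT_URLS))
```

Run it with a list of your own domains to get the URLs to check, or paste in the diagnostic links you pulled from the `inurl:site=*.gov` style searches to see how the hits break down by TLD.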
Googledocs.com trolling for user credentials to google sites?
•May 4, 2009
Today I went in to update my google docs site with some new information for my team. For some reason (call it early morning fog), I went to googledocs.com instead of docs.google.com. The site rendered nothing, but did throw up a browser authentication dialog. I tried a few nonsense userid/password combinations with no satisfaction. Just for grins, I created a gmail account and tried those credentials to see if the site was proxying the information through in a credential-trolling exercise, but continued to be presented with an authentication dialog.
McAfee says it’s not evil but I’m not convinced. I’ll continue to check this out this week.
New AVR credit card attack?
•April 30, 2009
I’ve experienced just about every email/phone/web fraud you can think of: Nigerian email scams, phishing, XSS, and phone calls from folks pretending to want to “verify” my credit card information. Today I experienced a new one that is more brute force than the others I’ve seen.
Warning sign #1 – unsolicited call
I was driving to an appointment and the OnStar line in my Tahoe rang. This is unusual because I only use that line for the occasional outbound call when I’m stuck in traffic, and only a couple of people have it, none of whom bother to call it. I answered the call, and after a couple of seconds…
Warning Sign #2 – AVR
I got an automated voice response system (AVR), one that appeared to be very, very old. It sounded, in fact, like the old Software Automatic Mouth. I didn’t have a recorder going, but the general message that came out of this was “Your credit card shows suspicious activity. Press one to verify this activity or two to leave”. Intrigued, I pressed one.
Warning Sign #3 –
After pressing 1, the AVR moved on. The AVR never told me anything to help me identify which account it might be talking about (e.g. by giving me the last 4 of an account number). What the AVR *did* do, however, was ask me to enter my credit card number. Since I was in the Tahoe, I didn’t have a keypad. Trying to use the OnStar AVR to enter a (bogus) credit card number was less than successful, so the call ultimately dropped.
I suspect that the system is driven by some public record data sources, or partially complete transaction data pilfered from a commercial database, and that the AVR is simply robo-dialing for the missing pieces. For instance, if the AVR had my name and address, it would need to acquire the CC#, expiration date and verification number. You can imagine other scenarios based on various data sources (an e-tailer transaction log with everything except the credit card number, which was encrypted?).
This is an interesting attack model. Mildly more expensive than e-mail, less obvious as an attack since it uses AVR (albeit a crappy one), and it can be automated.
If anyone out there has experienced this ‘retro-phishing’, I’d sure like to know.
Hacking for Dollars
•March 23, 2009
I love it. If he had it for a year, there’s no telling how many times he used it to make a point with a . Jump to Browsers hacked in seconds in Pwn2Own contest