Archive for April, 2008

Apr 30 2008

Microsoft giving police tools they can get for themselves

Published by under Government, Microsoft

This was looking like it could have been a great story for the conspiracy theorists in all of us: Microsoft is helping law enforcement agencies by giving them USB keys with forensics tools to help with cybercrime investigations. It can ‘decrypt passwords and analyze a computer’s internet activity’, something every good law enforcement agent needs. The Computer Online Forensic Evidence Extractor (Cofee) offers up 150 commands (what do they mean by ‘command’? Is that 150 tools or one tool with 150 commands?) and makes it easier for beleaguered cops to perform an investigation.

A number of people, most notably Mike Masnick, have jumped to the conclusion that this offers some sort of back door to law enforcement. Ed Bott fires back, calling this inflammatory, and rants a bit against the echo chamber that is the blogosphere. I can see why Mike would jump to the conclusion he did, that Microsoft was offering up some special sauce for criminal investigators, but as Ed points out, the tools included on the USB drive are all available elsewhere; MS has just made it easier by putting them on one USB key.

Ed also points out another thing: the bad guys have had USB keys that do most, if not all, of the same things for years. The USB Switchblade works wonders, is freely available and probably is more dangerous than any of the tools in the Cofee suite. I wouldn’t be surprised if some of the more savvy forensics investigators have been carrying USB Switchblades around for a couple of years.

This is twice in a week that I know of that computer crime stories have been blown out of proportion. Is it a trend or just a blip in the statistics? All I know is it feels weird to not be on the side being called paranoid.


3 responses so far

Apr 30 2008

George Ou is back in the saddle

Published by under Blogging

Welcome back to the world of blogging, George. After a brief hiatus, George Ou has rejoined us with his appropriately titled George Ou’s Blog: Technology for Mortals. He has a co-author on the site, Justin James, and already has more than a few posts up. George’s short write-up of a computer he built for just over $400 is nice, since I’m contemplating building another computer myself. Of course, I’m always contemplating building a new computer; it’s just getting buy-in from the wife that’s a problem. I also think George and I will be taking different sides of many PCI-related stories.


One response so far

Apr 29 2008

Network Security Podcast, Episode 103

Published by under Podcast

There were more than a few technical difficulties in recording tonight’s show. Thanks to Paul Asadoorian from PaulDotCom Security Weekly for hanging with us and getting a show recorded despite it all. If it hadn’t been for some quick thinking on his and Rich’s parts, I don’t think we could have had a show this week. I’m still working on my DSL line, but I’m pretty certain the wiring in my office is bad; the DSL has been fine since I moved the modem to a different wall plug in the bedroom. I just hope my wife is willing to ignore the bright yellow cable stretching across the hall until I can get a new telephone cable run.

Show Notes


Network Security Podcast, Episode 103, April 29, 2008


4 responses so far

Apr 29 2008

Security Flaw in WordPress; Upgrade

Published by under Blogging, Site Configuration

One of the things I have always hated about blogging is having to administer the web site. Moving to a hosted solution (Bluehost) earlier this year made life much easier, but there are still some issues I have to manage. One example is upgrading the WordPress version, which Bluehost helps with by providing Fantastico and SimpleScripts to do scripted updates. Fantastico is good, but they’re a little slow to provide updates. SimpleScripts also looks good, but the verbiage in the update makes it sound like they overwrite the whole directory, which is not a good thing. So I found a WordPress plugin that handles all the messy stuff for me, Automatic Upgrade.

I’m not a total wimp when it comes to this sort of upgrade, but I’d rather have it done by a script that hopefully won’t hit the wrong key at the wrong time, something I’m prone to do. I like the fact that it backs up both the WordPress directories and the database for you before proceeding with the upgrade. It was good at disabling all of the other plugins I had running on the site, but was nowhere near as good about bringing them back up. That was a minor concern and gave me a good reason to update all the plugins too.

With a vulnerability in the WordPress 2.x installation that can result in admin access to your site, you’ll want to get upgraded as quickly as possible. I like my hosting company, but I can’t expect them to make upgrades to my site their first priority. So I have to make it one of mine.


No responses yet

Apr 28 2008

[In]Secure Magazine #16 is out

Published by under Security Advisories

Pick up your latest virtual version of the magazine on the [In]Secure site. There are a few articles I plan to read in my copious amounts of spare time, starting with the Security Policy Considerations and Payment Card Data articles.


No responses yet

Apr 28 2008

We can’t explain ourselves, so we’ll distract you with puppy pictures

Published by under Government

I had high hopes for The Evolution of Security when the TSA first started letting their personnel blog. I was hoping they would be able to explain what, if any, impact the policies currently in place at airports have. I expected to see enlightening posts about how taking off our shoes not only represents a tiny inconvenience but makes us measurably more secure. I wanted something other than cute puppies.

Okay, they are cute. And the article does explain a little about what the puppies will be used for. But the main thrust of the post is about how cute the puppies are and how you can adopt one if you live in the San Antonio area (or in prison). Definitely makes me feel safer when I’m flying the annoying skies.

I flew to DC and back last week and I’ve learned how to get through the lines in the least amount of time, barring the use of a Clear card. I wear slip-on dress shoes, I leave my keys in my carry-on bag and I leave the knives home on the dresser. I never take my toiletry bag out of my luggage, I’ve never used a 1-quart bag for liquids and I’ve accidentally slipped a knife through over a dozen x-ray machines before it was ever found. So tell me how these security measures, which I bypass almost every flight, make me safer?

I know there’s a fine line between revealing enough to make cynics like me happy and telling so much that the bad guys are able to come up with countermeasures. But the reality is, someone who’s a bad guy is probably taking a lot more time to examine airport security measures than I am and could come up with a dozen other easy-to-bypass security measures. As a flight attendant told me last week, if a bad guy really wanted to attack planes, the real security weakness is the flight crew and other personnel, not the passengers. They’re the ones who have nearly unlimited access to the planes.

Don’t even get me started on ‘passenger engagement’. Everyone flying is stressed, so a process that relies on the average TSA agent observing stress factors is just ludicrous. How do you tell someone who’s stressed because they’re carrying a bomb from someone who’s stressed because the TSA wants them to try their own baby food?


No responses yet

Apr 28 2008

0day gets hundreds of thousands of web servers

Published by under Hacking

If you’ve got an IIS server, you’ll want to take a long look at your traffic and make sure you’re not one of the ‘hundreds of thousands’ of Microsoft web servers that’ve been compromised. Microsoft is staying quiet on this one; it’s F-Secure and Panda Security who are reporting the problem. And it appears to be quite a problem, since the script on the sites is redirecting web surfers to sites that aren’t nearly as wholesome as the original target site. There is a Microsoft advisory with a workaround to block this vulnerability, and Dancho Danchev has a write-up that includes information about the malware that’s being served up with this attack.

A 0day with an automatic discovery and dissemination tool shouldn’t be a surprise to anyone. The fact that it’s hit hundreds of thousands of sites in less than a couple of weeks is slightly surprising, though it mainly means that the bad guys are moving fast. Is this just the next step in Internet security, where we have new 0day vulnerabilities sweeping through web servers on a regular basis? This is another SQL injection attack against the servers, so I wonder if a web app firewall would have protected against this or if tuning would have just opened a hole for the attack vector.

Edit: Microsoft does have something to say after all. Thanks, Ben.


4 responses so far

Apr 25 2008

Bill Brenner leaving SearchSecurity.com

Published by under Uncategorized

Just got an email update from SearchSecurity.com: Bill Brenner has announced that he’s leaving the company to ‘pursue a new challenge’. That usually means he got a better offer somewhere else, which bodes well for Bill. I’ve talked to Bill a few times for different articles he was writing and he seems like a pretty nice guy, so I wish him the best of luck in his new adventure. Hopefully he tells us all what it is sooner rather than later. For some odd reason I couldn’t find the update on the SearchSecurity site yet.


No responses yet

Apr 23 2008

PCI 6.6 & 11.3 clarification

Published by under PCI

I guess Bob Russo and the PCI Security Standards Council heard the roar of the crowds at RSA and decided to do something to help clarify the situation around standards 6.6 and 11.3. In reality, they probably had this in the works for months and may have even tried stirring things up a little at RSA to get more attention to the supplements. In either case, it’s good that they’re working on making the standards clearer, and they’ll be working these updates into the next version of PCI. We’re still not sure if it’s going to be 1.2 or 2.0, but it’s coming in September.

The updates to 11.3 are relatively minor and center around clarifying what’s expected from the penetration test. The update to 6.6 explicitly spells out what the acceptable solutions are for code review:

  1. Manual review of source code
  2. Automated app source code analyzers
  3. Manual web app vulnerability assessment
  4. Automated web app vulnerability assessment

It also lays out a number of suggestions for a web application firewall, but none of these are requirements at this time. The absolute minimum on a WAF is checking for and protecting from the OWASP top 10 vulnerabilities, but if that’s all you’re getting from your WAF, you better go ask for your money back.

The updates to 11.3 are going to matter to Qualified Security Assessors (QSA) and Approved Scanning Vendors (ASV) more than they are to the average company complying with PCI. On the other hand, the clarifications on 6.6 are going to be very important to everyone who’s involved in PCI as the June 30, 2008 deadline for complying with 6.6 approaches. One thing I’d like to see clarified even further is the term “proper use of” when it refers to application and source code tools; does this mean that the person using the tools needs to be certified in some way, have proof of training, or just needs to say they’re experienced with the tools? It’s minutiae like this that give QSAs gray hair.


2 responses so far

Apr 23 2008

Fighting Botnets with botnets

Published by under Malware

Researchers at the University of Washington want to use their own botnet to fight malicious botnets on the Internet. Basically, the paper suggests using a swarm of computers running their system, named Phalanx, as proxies, with a small crypto-puzzle required of the connecting computer at the start of the conversation. It would hopefully slow down or eliminate DDoS attacks by making the attacking botnet perform a massive amount of aggregate computation, thus limiting its effectiveness.

I see a number of problems with this approach, not the least of which is the fact that it would need to have a distributed DNS architecture that trusts the Phalanx system to work. If the Phalanx system itself was compromised, the potential for damage far outweighs any benefit that it might have created. While DDoS is still a problem, it’s not a common problem and it’s one that there are already a number of solutions for. The changes this would require and the potential vulnerabilities far outweigh the potential gain. Additionally, the thought of adding home computers to this proxy botnet adds a whole additional layer of security concerns, primarily more worries about the whole system being compromised and used to promote the exact sort of DDoS it was designed to prevent.

All in all, this is an interesting intellectual exercise, but nothing that’s actually going to see the light of day. At least it’s not a rehash of the ‘let’s infect computers with a friendly virus to combat malicious viruses’ concept.
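The puzzle mechanism described above, as an added illustration that is not part of the original post or the Phalanx paper: a hash-based client puzzle in the proof-of-work style, where the proxy spends one hash to check an answer while every connecting host must spend roughly 2**difficulty_bits hashes to find one. The SHA-256 construction, the difficulty values and the botnet sizes are constructed for this example; Phalanx's own puzzle construction may differ.

```python
import hashlib
import os
import time


def issue_challenge(difficulty_bits: int) -> tuple[bytes, int]:
    """Proxy side: hand the connecting host a fresh random nonce plus the difficulty."""
    return os.urandom(16), difficulty_bits


def _digest(nonce: bytes, answer: int) -> bytes:
    # Constructed puzzle: SHA-256 over nonce || 8-byte big-endian answer.
    return hashlib.sha256(nonce + answer.to_bytes(8, "big")).digest()


def _leading_zero_bits(digest: bytes) -> int:
    return 256 - int.from_bytes(digest, "big").bit_length()


def verify(nonce: bytes, difficulty_bits: int, answer: int) -> bool:
    """Proxy side: exactly one hash per connection attempt, whatever the difficulty."""
    return _leading_zero_bits(_digest(nonce, answer)) >= difficulty_bits


def solve(nonce: bytes, difficulty_bits: int) -> tuple[int, int]:
    """Client side: brute-force search from 0; expected cost ~2**difficulty_bits hashes.
    Returns (answer, hashes_spent)."""
    answer = 0
    while not verify(nonce, difficulty_bits, answer):
        answer += 1
    return answer, answer + 1


def expected_attacker_work(bot_count: int, connections_per_bot: int,
                           difficulty_bits: int) -> int:
    """Aggregate hashes a botnet must burn to open its connections through the proxies.
    This is the cost the post says should limit the botnet's effectiveness."""
    return bot_count * connections_per_bot * 2 ** difficulty_bits


if __name__ == "__main__":
    nonce, bits = issue_challenge(16)
    start = time.perf_counter()
    answer, hashes = solve(nonce, bits)
    print(f"client spent {hashes} hashes in {time.perf_counter() - start:.3f}s")
    print("proxy accepts answer:", verify(nonce, bits, answer))
    print("10k bots x 100 conns at 16 bits:", expected_attacker_work(10_000, 100, 16))
```

The asymmetry is the whole point, but so is the caveat: the proxy pays one hash per attempt, while every legitimate client pays the same 2**difficulty_bits as each bot, so raising the difficulty taxes real users too.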


2 responses so far
