[SecurityRatty] Lattest Articles

Its Mothers Day, be thankful you have a mom to call - so do it.

Sun, 11 May 2008 10:47:04 +0000

Mothers Day is always a tough one for me. My mom passed away 25 years ago and though time has passed to cover up a never healed wound, every Mothers Day the scab is torn off a bit and the regret and pain ooze through. Having our kids celebrate Mothers Day with my wife has made it better, but nothing takes the place of your own Mom. Fred Wilson reminded me of that today with this post about a Tom Friedman piece in the NY Times today.

Tom just lost his mom last year after a long bout with dementia it seems. She was 89. Tom reflects on her remarkable life and how she influenced him to be what he is. Can any of us say any differently? Weren't all of our Moms special to each of us. Isn't so much of the people we are today directly related to that woman who raised and nourished us? Of course. So on this day honoring Mothers everywhere, if you are lucky enough to have your Mom available to thank, do so and don't miss the chance because you never know when you might not be able to.

Happy Mothers Day Bonnie and to all of you mothers everywhere!

DARPA Wants Matrix-style Virtual World for Cybergeddon

Sun, 11 May 2008 08:15:00 +0000

The US military's famed scientific wingnut farm, DARPA*, has released full details of its planned "National Cyber Range" - a mighty network which could be configured to simulate the cyberspace battlefields of the future. This would allow America's fighting nerds to train for the net conflicts of tomorrow, mounting attacks on simulated enemies..

Security Flaw Turns Gmail into Open-Relay Server

Sun, 11 May 2008 00:02:32 +0000

A newfound flaw in Google's Gmail allows would-be spammers to treat the service as an open-relay server. Compounding the issue is the fact that services such as Hotmail and Yahoo "trust" Gmail. This may facilitate e-mail delivery, but it also makes it easier for spammers to reach their intended targets.

Swingtown - This ain't your mother's CBS

Sat, 10 May 2008 18:52:08 +0000

I was reading a review in the NY Times today about a new summer time show coming to CBS. It is called Swingtown and I was originally attracted to it because it is a look back at the mid 70's. That was the age of my adolescence, so it naturally attracted me. Well this show is about the mid-70's OK, but the wilder side. It is set in a suburb of Chicago and is about wife swapping, partying and other hedonistic activity that is supposed to sum up the era. And on CBS yet! That's right, the folks who give us 60 Minutes, Murder She Wrote and Touched by an Angel, now bring us the swingers of the 70's.

I grew up in a suburb in the 70's and while I do remember our parents hanging out drinking Harvey Wallbangers and some of them getting divorced, I don't think they were the type to pass around Quaaludes and engage in orgies, like depicted in this show. But hey, maybe I am just naive. This certainly sounds more like an HBO series to me, but I have to admit I will watch and see it what it is about. Just the 70's clothes and hairstyles should be entertaining for me. I am You Tubing the official trailer:

<\/param><\/param><\/embed><\/object><\/div>";" alt="">

If you like this trailer, here is a link to a longer video showing more highlights. Let me warn you that this one is a bit racy!

A Brief Intro To Cryptographic Hashes/MD5

Sat, 10 May 2008 16:33:02 +0000

New Video: A Brief Intro To Cryptographic Hashes/MD5
A cryptographic hash function takes an input and returns a fixed size string that corresponds to it, called a hash. Cryptographic hashes have a lot of uses, some of which are: detecting data changes, storing or generating passwords, making unique keys in databases and ensuring message integrity. This video will mostly cover detecting file changes, but I hope it gets your mind going in the right direction for how hashes can be used. Specifically covered will be tools for creating MD5 hashes in Windows and Linux.

Get the feeling youre being had?

Sat, 10 May 2008 11:02:33 +0000

Used to be the business strove to please the customer.
Not so any more except in rare cases.

clipped from www.crime-research.org

Microsoft didn’t crush Storm, counter researchers

By the company’s count, the MSRT cleaned more than 526,000 Storm-infected PCs in the final four months of last year. After some back and forth between the Storm bot herders and Microsoft, the former gave up, said Jimmy Kuo, a senior security architect at the company.

Not so fast, said Trend Micro.

More important, though, is the big picture, said Ferguson and Yaneza. Storm is certainly diminished, they agreed, but not simply because of Microsoft and its MSRT.

“Storm is still out there,” he said. And active. “We’ve seen campaigns to renew their [botnet] body count within the last 48 hours,” Ferguson said.

Insider Threats: the biggest Information Security risk

Sat, 10 May 2008 11:00:00 +0000

It's a fact that most crimes are committed by people known to their victims. Similarly, businesses are most at risk from former and current employees. Most commonly when thinking about information security we consider how to prevent intrusion into our business from the outside. The facts and statistics tell a different story. 62% of large businesses in the UK (source: DTI/PWC Insider Threat Report 2006) have dealt with a security incident instigated by a current or former employee. I've been writing up some of my research into insider threats in the form of a paper describing the risks posed to a fictional multinational company, Acme Widgets plc. You can download the paper for free here. If you'd like to leave me feedback or would like more information about insider threats, write to the email address within the digital signature at the end of the document. If you'd like to make a donation in return for downloading the paper, please give to Children in Need.

IE8 ActiveX Improvements

Sat, 10 May 2008 04:13:07 +0000

The IE team has announced some more about ActiveX improvements in Internet Explorer 8. Some of the blog is about old features, but there are some new ones: Per-User (Non-Admin) ActiveX, available only on Vista, means that it's possible for users to install an ActiveX control only for their own user context, not for the machine. It sounds like this will be on by default, but administrators can turn it off through Group Policy. You can already see from the comments to the blog entry that some people wanted this, and I guess it's a good thing. Through Per-Site ActiveX a control may be restricted to use only in the context of specific sites. If a control is run by a site not in the list, the user gets an information bar asking whether they want to allow it to run in that context. Administrators can control all of this, including pre-polulating a list of controls and permitted sites. That's it for the really new stuff, although the blog reiterates some other powerful security features. For instance, MS already announced that IE8 will have DEP on by default, which will defeat a huge proportion of vulnerabilities.

NSA Attacks West Point! Relax, It's a Cyberwar Game

Fri, 09 May 2008 21:00:00 +0000

Five hours into their assault on West Point, the hackers got serious.

The SQL [structured query language] inserts that came earlier were just pablum intended to lull the Army cadets into a false sense of security. But then the bad guys unleashed a stealthy kernel-level rootkit that burrowed into one workstation, started scraping data and "calling home."

It was a highly sophisticated attack, but this time the bad guys were really good guys in wolves' clothing.

For four days in late April, the National Security Agency -- the nation's most secretive repository of spooks, snoops and electronic eavesdroppers -- directed coordinated assaults on custom-built networks at seven of the nation's military academies, including West Point, the Army university 50 miles north of New York City.

It was all part of the seventh annual Cyber Defense Exercise, a training event for future military IT specialists. The exercise offered a rare window into the NSA's toolkit for infiltrating, corrupting or destroying computer networks.

The 34 Army cadets comprising the West Point IT team operated in a different kind of battlefield, but their combat skills and instincts need to be every bit as sharp. Like George Washington said: "There is nothing so likely to produce peace as to be well prepared to meet the enemy."

The SQL injections, targeting their Fedora Core 8 Web server, were a piece of cake for these IT combatants. Each injection tried to smuggle malicious code inside the seemingly harmless language used by the network’s MySQL software. The cadets handily defended with open source Apache web server modules, plus some manual tweaking of the SQL database to "avoid any surprises," in the words of Lt Col. Joe Adams, a West Point instructor who helped coach the team.

But the kernel-level rootkit was much more dangerous. This stealthy operating-system hijacker can open unseen "back doors" into even highly protected networks. When they detected the rootkit's "calls home" the cadets launched Sysinternal's security software to find the hijacker, then they manually scoured the workstation to find the unwelcome executable file.

Then they terminated it. With extreme prejudice.

"This was probably the most challenging part of the exercise, since it required them to use some advanced techniques to find the rootkit," Adams says. And rooting it out helped boost the West Point team to the top of the pile when, in the aftermath of the exercise, the referees rated all the universities' network defenses.

For the second year in a row, the Army placed first over the Navy, Air Force, Coast Guard and others, winning geek bragging rights and the privilege of holding onto a gaudy, 60-pound brass trophy festooned with bald eagles and American flags. Adams credits the team’s thorough preparation and their excellent teamwork despite the round-the-clock schedule.

At the network control room on the second floor of West Point’s 200-year-old engineering building (which once was an indoor horse corral and still smells like it in some remote corners, according to one instructor), the IT team set up cots and, just for the hell of it, camouflaged netting. They worked in shifts, with one team member always monitoring incoming and outgoing traffic. He or she would alert other cadets -- "router guys" -- to block any suspicious addresses. Meanwhile, off-shift cadets would make food and coffee runs to keep everyone fueled up and alert. Together, the team was "faster than anyone else," Adams says.

But the way the cadets designed their network was a big factor in their victory, too. The NSA dictated some terms: All networks had to be capable of e-mail, chat and other services and had to be up and running at all times despite any attacks or defensive measures. Beyond that, the teams were free to come up with their own designs.

West Point's took three weeks to build. The cadets settled on a fairly standard Linux and FreeBSD-based network with advanced routing techniques for steering incoming traffic in directions of the IT team's choosing.

The choices in software tools for responding to any attack really boiled down to "automatic" versus "custom," says Eric Dean, a civilian programmer and instructor. He adds that while automatic tools that do most of their own work are certainly easier, custom tools that allow more manual tweaking are more effective. "I expect one of the 'lessons learned' will be the use of custom tools instead of automatics."

Even with a solid network design and passable software choices, there was an element of intuitiveness required to defend against the NSA, especially once it became clear the agency was using minor, and perhaps somewhat obvious, attacks to screen for sneakier, more serious ones.

"One of the challenges was when they see a scan, deciding if this is it, or if it’s a cover," says Dean. Spotting "cover" attacks meant thinking like the NSA -- something Dean says the cadets did quite well. "I was surprised at their creativity."

Legal limitations were a surprising obstacle to a realistic exercise. Ideally, the teams would be allowed to attack other schools' networks while also defending their own. But only the NSA, with its arsenal of waivers, loopholes, special authorizations (and heaven knows what else) is allowed to take down a U.S. network.

And despite the relative sophistication of the NSA's assaults, the agency told Wired.com that it had tailored its attacks to be just "a little too hard for the strongest undergraduate team to deal with, so that we could distinguish the strongest teams from the weaker ones."

In other words, grasshopper, nice work -- but the NSA is capable of much craftier network take-downs.

Facebook, states agree to boost efforts to protect children

Fri, 09 May 2008 20:00:00 +0000

Social networking site Facebook Thursday announced that it is boosting its privacy protections as part of an ongoing effort to work with 49 state attorneys general to protect children online.