[SecurityRatty] tag: coms

I Dreamed a Dream of Clouds Gone Social

Wed, 05 Nov 2008 13:30:01 +0000

Can Marc Benioff live up to his own hype plus the hype around cloud computing? Maybe. (image from chris_lyb)

Salesforce.com’s Dreamforce conference takes place this week in SF. Billed as “The Cloud Computing Event of the Year”, the conference kicked off with a keynote by Benioff while people wearing puffy-white jackets and holding giant helium-filled cloud balloons stood outside.

Benioff announced partnerships with Facebook and Amazon.

Part 1: Force.com apps will be able to run on Facebook and leverage the Facebook users’ social network. An example shown was integrating “My Starbucks Idea” into Facebook. If a user submits an idea through Facebook, their friends can see it, comment or be prompted to submit their own.

Part 2: Force.com applications can now use Amazon’s cloud hosting services in addition to the public Force.com sites.

This is smart and a surprisingly non-megalomaniac way of doing things. Instead of trying to own the entire cloud stack (hmmm – someone just made a very different announcement), Salesforce looks like it’s focusing on what it does best – enabling application development in a hosted model. And letting Amazon take at least some of the future blame for any outages/interruptions in service (anyone who has Salesforce can say amen to that). That is smart.

Blue Skies for Microsofts Cloud Computing

Wed, 29 Oct 2008 13:10:45 +0000

Microsoft announced their Azure cloud platform this week – a rival to Amazon.com’s EC2 and Google’s App Engine. Combined with Microsoft Visual Studio, SQL Services, .NET Services, Live Services, Sharepoint Services and Microsoft Dynamics CRM Services, the new platform will help web developers to build apps for the cloud.

The Azure announcement is the culmination of years of planning for Microsoft’s “software-plus-services approach to computing.” According to Debra Chrapaty, the woman who runs Microsoft’s data center infrastructure, plans started about four to five years ago to build out data center capacity for the new initiatives. The best place to build a new data center: Quincy, Washington – whose hydroelectric power and commitment to fiber made it a winner. (Click here for Mayor Hernberry’s update on the impact of the new data centers and apparently new wineries popping up in Quincy.)

Thank goodness for Microsoft. In this economy, we should all be grateful to companies that can still spend between $300 million to $700 million to build just one data center.

What Dans DNS Checker Doesnt Do

Thu, 10 Jul 2008 19:03:03 +0000

Despite what various commenters around the blogosphere think (I’ve read a few but can’t find the links now), Dan Kaminsky’s online “Check My Dns” utility doesn’t:

Poison anybody’s DNS cache
Expose how the actual exploit works

What it does is check whether your ISP’s DNS server is patched. Plain and simple. It looks for one thing — source port randomization. This does not give away the exploit, it checks for the existence of the sledgehammer fix that prevents the exploit from working.

More specifically, there’s some Javascript code that generates a random hex string which is used to create a URL, e.g. http://6313d97e498e.toorrr.com. Your OS then does a DNS lookup for that unique hostname. Your ISP’s DNS server asks toorrr.com’s DNS server (a server Dan controls) to resolve that funky DNS name to an IP address. It sends a few packets in the process. Dan’s server makes a note of the source port of each request and sends back the webserver’s IP address to your DNS server, which sends it back to you.

Now that you have the IP address, your browser can fetch the results page. The web page is generated dynamically by parsing the hex string out of the URL you requested, using Ajax to fetch the relevant port and TXID data stored on Dan’s server, and printing out a “safe” or “vulnerable” message such as:

Your name server, at 71.243.0.38, appears to be safe.
Requests seen for 6313d97e498e.toorrr.com:

71.243.0.38:45298 TXID=13926
71.243.0.38:45310 TXID=25412
71.243.0.38:45338 TXID=30829
71.243.0.38:45332 TXID=13934
71.243.0.38:45321 TXID=2701

That’s all. Nothing tricky. This particular DNS server is deemed safe because the source port varies from one request to the next.

Come to think of it, those source ports don’t really look that random, do they. For anybody “in the know”, is that amount of randomness sufficient to protect against the attack?

Ethical Phishing to Evaluate Phishing Awareness

Tue, 06 May 2008 13:26:25 +0000

What is the most efficient and cost-effective way of both, measuring your employees awareness of phishing threats, and building awareness of the threat simultaneously? By sending them ethical phishing emails to see which department based on which social engineering campaign is more susceptible to phishing attacks, at least that's what PhishMe.com is all about :

"Effective, memorable, and secure user awareness testing and training is now available with just a few clicks. Using PhishMe.com’s built-in templates and WYSIWYG functionality, you can emulate real phishing attacks against your employees within minutes. Focus your training efforts on the most susceptible employees by providing immediate feedback to anyone that falls victim to these exercises. Phish your employees before hackers do!"

Once watching the demo online, you'll get the feeling that it's actually a real phisher's web interface to spamming out phishing emails, so I guess the bad guys can in fact learn from the good guys standardizing approach and metrics mentality applied.

For the time being, Rock Phish represents the most efficiency centered phishing approach, with a single IP hosting numerous domains, each of those hosting over ten different phishing campaigns on average each of these with a dedicated cybersquatted subdomain. However, with the ongoing commoditization of phishing pages, the localization and segmentation of phishing campaigns, the next logical development would be the public release of a point'n' click web interface for managing real phishing campaigns.

Or perhaps a public leak, given that someone out there might have already came up with such an interface, without the sexy layout? And by the time there hasn't been a release or a leak, spamming tools would continue getting adapted for phishing purposes, and log parsers would be a phisher's best friend in respect to evaluating the success rate of a phishing campaign.

How do UK online businesses fell about this?

Sat, 22 Mar 2008 12:17:48 +0000

If youre in the UK and have a online business, how do you feel about this?

clipped from www.crime-research.org

Businesses may be forced to pay for e-crime police

Businesses would be forced to contribute to the funding of a national police e-crime unit under the current proposal being considered by the Home Office.

But the private sector has hit back saying the core funding for a dedicated police unit to combat e-crime must come from the government.

This follows the launch of silicon.com’s e-Crime Crackdown campaign calling for a dedicated UK cyber crime police unit to co-ordinate investigation and recording of e-crime nationwide.

Babies and bath water

Fri, 21 Mar 2008 13:13:09 +0000

So the security blogging world welcomes a new contributor in Chris B over at Napera Networks. The Napera blog joined the security bloggers network a short time ago and with the public unveiling of the company. Chris's first article is called NAC is dead, long live NAC. Evidently Chris was at one time working over at Lockdown Networks and brings his own unique views on what went wrong at Lockdown.

Chris makes some good points about the Lockdown shutdown. One in particular that I think we should all realize is that Lockdown's failure is not a failure of NAC technology, but rather a failure of Lockdown's execution. NAC still solves problems that customers have. Done right, NAC is valuable and will find its place in the security world. Over the past few days there have been more people people jumping on the "NAC sucks" bandwagon than their were vendors coming out with NAC solutions just a few short years ago. I read with disbelief Eric Ogrens piece in ComputerWorld the other day about him never being a believer in NAC. I don't remember him saying that when we were briefing him a few years ago. But maybe he was getting paid to cover NAC than, I don't know. But it is certainly fashionable to throw dirt on NAC now and there are plenty of people only too happy to do so. Frankly, part of me wants to say sure go ahead, throw dirt. It will be that much sweeter to show the naysayers wrong. Actually selling the solution we see the real market for NAC and remain jazzed. For us it is about executing

What I fear is that we are throwing out babies with the bath water here with all of the NAC bashing. Yes there are companies in this space that frankly don't have the technology or the team to make it. Lockdown is a perfect example. But there are others who have actually built a better mousetrap and the market (the ultimate decision maker) is rewarding them. But if the media and analysts just keep bashing NAC it becomes almost a self-fulfilling prophesy. No matter how good the technology or the team it is like spitting into the wind. I saw this happen with the dot com bubble first hand. Many companies that were doing great things were killed off in the great extinction of the dot coms. It took years for the market to come back. In the case of NAC not only would the better NAC companies and technologies be the ones to suffer, but the networks they can protect would suffer. NAC is attractive because it solves a real problem that people have and in spite of what Paul Roberts at 451 or Amrit says, there are not existing tools that solve that problem for them well.

My only issue with Chris is he confuses the problem that Lockdown was solving with the way they were solving it. Yes using the network including switches is a great way to control access. However Lockdowns technology to test these devices was circumspect. But more than that SNMP is never going to scale for NAC. It is not secure and more importantly you just can't wire and script every model and version of switch out there. Inherently Lockdown had the wrong solution to the right problem, on top of some of the other focus issues that Chris talks about.

All in all though, Lockdown's failure should stop being used as a blunt instrument by the naysayers to bludgeon the NAC vendors who are executing and solving customers problems!