[SecurityRatty] tag: dancho

Fun AV Cartoon

Fri, 11 Jul 2008 05:57:00 +0000

Thanks to Dancho for the link. The cartoon is here.

ICANN And IANA Defaced

Mon, 30 Jun 2008 10:49:35 +0000

Well, I have to admit I only just saw this one this morning. Since it’s a long weekend(ish) here in Canada I wasn’t planning on updating the site until Wednesday. This one is something worth sharing. I figured I’d pass it along.

A group calling itself “NetDevilz” defaced the homepages for ICANN & IANA.

Ouch.

From Websense:

Websense® Security Labs™ has received reports that the official website of ICANN and IANA Domains have been hijacked by a Turkish group called “NetDevilz”. ICANN and IANA are responsible for the Internet Protocol (IP) address space allocation, protocol identifier assignment, generic (gTLD) and country code Top Level Domain Name System management, and root server system management functions.

For the full advisory please read on.

Article Link

For more on this check out Dancho Danchev’s posting on his site.

FISMA Report Card News, Formulas, and 3 Myths

Tue, 27 May 2008 12:36:28 +0000

Ever watch a marathon on TV? There’s the usual formula for how we lay out the day:

History of the marathon and Pheidippides
Discussion of the race length and how it was changes so that the Queen could watch the finish
World records and what our chances are for making one today
Graphics of the race course showing the key hills and the “sprint to the finish”
Talk about the womens’ marathon including Joan Benoit and Kathrine Switzer
Description of energy depletion and “The Wall”
Stats as the leaders hit the finsh line
Shots of “back-of-the-pack” runners and the race against yourself

Well, I now present to you the formula for FISMA Report Cards:

Paragraph about how agencies are failing to secure their data, the report card says so
History and trending of the report card
Discussion on changing FISMA
Quote from Karen Evans
Quote from Alan Paller about how FISMA is a failure and checklist-driven security
Wondering when the government will get their act together

Have a read of Dancho’s response to the FISMA Report Card. Pretty typical writing formula that you’ll see from journalists. I won’t even comment on the “FISMA compliance” title. Oh wait, I just did. =)

Some myths about FISMA in particular that I need to dispell right now:

FISMA is a report card: It’s a law, the grades are just an awareness campaign. In fact, the whole series of NIST Special Publications are just implementation techniques–they are guidance after all. Usually the media and bloggers talk about what FISMA measures and um, well, it doesn’t measure anything, it just requires that agencies have security programs based on a short list of criteria such as security planning, contingency planning, and security testing. It just goes back to the adage that nobody really knows what FISMA is.
FISMA needs to be changed: As a law, FISMA is exactly where it needs to be. Yes, Congress does have talks about modifying FISMA, but not much has come of it because what they eventually discover after much debate and sword-waving is that FISMA is the way to write the law about security, the problem is with the execution at all levels–OMB, GAO, and the agencies–and typically across organizational boundaries and competing master agendas.
There is a viable alternative framework: Dancho points out this framework in his post which is really an auditors’ plugin to the existing NIST Framework for FISMA. Thing is, nobody has a viable alternative framework because it’s still going to be the same people with the same training executing in the same environment.

Urban Cell-Phone Fire Myth photo by richardmasoner. This myth is dispelled at snopes.com.

Way back last year I wrote a blog post about indicator species and how we’re expecting the metrics to go up based on our continual measuring of them. Every couple of months I go back and review it to see if it’s still relevant. And the answer this week is “yes”.

Now I’ve been thinking and talking probably too much about FISMA and the grades over the past couple of years, so occassionally I come to conclusions . According to Mr Vlad the Impaler, the report card is a bad idea, but I’m slowly beginning to see the wisdom of it: it’s an opportunity to have a debate and to raise some awareness of Government security outside of those of us who do it. The only other time that we have a public debate about security is after a serious data breach, and that’s not a happy time.

I just wish the media would stop with the story line that FISMA is failing because the grades provide recursive evidence of it.

Bookmark to:

Redmondmag...I told you so!

Sun, 18 May 2008 08:36:00 +0000

There is no more egregious an act of negligence committed by online vendors and businesses than ignoring notifications of vulnerabilities found in their applications.
So when Dancho Danchev pointed out that Redmond Magazine had been SQL injected by Chinese Hacktivists, I was both appalled, yet not surprised.
On January 29th, 2008 I informed 1105 Media, the parent company of the Redmond Media Group, of multiple XSS vulnerabilities in various properties they maintain, including EntMag.com and AdtMag.com, as well as Redmondmag.com.

From my email:
"I’d like to advise you of XSS vulnerabilities in the search code used by all Redmond Media Group websites.
This is most easily validated by pasting a simple script alert generator in the search form.
These vulnerabilities were disclosed by XSSed.com in February and July of 2007.
http://www.xssed.com/mirror/20073/
http://www.xssed.com/mirror/13305/
These vulnerability be exploited by malicious people to conduct XSS attacks and it could further lead to reputation and PR issues for the Redmond Media Group."

Not only did they flatly ignore me, and they guys from XSSed.com who'd notified then in FEBRUARY and JULY 2007!, but all these vulnerabilities still exist, including Redmondmag.com. You could definitely say that these issues have led to "reputation and PR issues for the Redmond Media Group."
Doh! I told you so!
It goes without saying that if you are vulnerable to XSS, you have a significantly higher likelihood of being vulnerable to SQLi.
Redmondmag.com was also victimized by the 2nd wave of mass SQL injection attacks that dropped in nihaorr1.com/1.js.

Regarding current vulnerabilities, observe the following:
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://search.redmondmag.com/search.asp&cmd=search&SearchForm=%%SearchForm%%&index=C:\dtSearch\rmg\red_all&sort=Date&srcrequest=%22%3E%3CSCRIPT%3Ealert('XSS_Alert')%3C/SCRIPT%3E&submit1=Search">http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=
http://search.redmondmag.com/search.asp&cmd=search&SearchForm=%%SearchForm%%&
index=C:\dtSearch\rmg\red_all&sort=Date&
srcrequest=(Insert JavaScript here)&submit1=Search

Props, as always, to Whiteacid's XSS Assistant and POST forwarder.
But behold, what do we see, but index=C:\dtSearch\rmg\red_all.
Well, now we know you use dtSearch on the C: of your Windows server (no surprise there ;-)).

Common people, fix your sites!
You have been found guilty of the following charges:
1) Vulnerable to SQLi
2) Vulnerable to XSS
3) Internal file disclosure
4) Flagrant negligence with regard to secure coding best practices
50 Flagrant disregard fo information submitted to you by the information security community.
1105 Media and the Redmond Media Group, you have failed your readers, your visitors, your customers, and yourselves, and you should be ashamed.

del.icio.us | digg

Dancho on Security Industry and Media

Wed, 23 Apr 2008 14:59:00 +0000

Dancho Danchev makes this astute observation about the coverage of security by the media:
"You know it's a slow news week when you come across :
1. Articles starting that malware increased 450% during the last quarter - of course it's supposed to increase given the automated polymorphism they've achieved thereby having anti virus vendors spend more money on infrastructure to analyze it" + 9 more items.

It would be funny .. if it weren't sad :-)

What? You Are Releasing Untested Malware?

Mon, 07 Apr 2008 12:24:00 +0000

... What are you, some kind of amateur? :-)

Dancho Danchev reminds people how modern malware is tested here. A quote: "And when a popular piece of malware known as Shark introduced a built-in VirusTotal submission to verify the low detecting rate of the newly generated server, something really had to change - like it did."

So, imagine a malicious "clone" of VirusTotal that is launched by an enterprising criminal to provide "a valuable service" of malware testing to a cybercrime community? :-) : "A small fee for testing please. What, you are releasing an untested malware? Phooo... What are you, some kind of amateur? :-)"

Dancho then predicts: "One thing's for sure - malware will start getting benchmarked against each and every antivirus solution and firewall before the campaign gets launched, in a much more efficient and Q&A structured approach than it is for the time being."

Please tell me if this happens, it won't be the final nail in the "legacy"/"blacklist-only" AV coffin?

Major Web sites hit with growing Web attack

Thu, 27 Mar 2008 21:00:00 +0000

A blossoming Web attack, first reported by security researcher Dancho Danchev earlier this month, has expanded to hit over a million Web pages, including many well-known sites.

Links for 2008-01-21 [del.icio.us]

Mon, 21 Jan 2008 21:00:00 +0000

Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: E-crime and Socioeconomic Factors
High Tower Software Announces Cinxi SOA @ SOA WORLD MAGAZINE
http://geer.tinho.net/geer.housetestimony.070423.txt
re: Hearing, Wednesday 25 April 07, entitled Addressing the Nation's Cybersecurity Challenges: Reducing Vulnerabilities Requires Strategic Investment and Immediate Action
People Over Process » What One MSP Needs - barcampESM session
FFIEC InfoSec Handbook on Security Monitoring and Logging