[SecurityRatty] tag: four-part

Updated Microsoft Security Assessment Tool

Tue, 02 Dec 2008 01:13:03 +0000

Greetings. In case you haven’t already read about it, we recently updated the Microsoft Security Assessment Tool (MSAT). Version 4.0 hit the web on 31 October. It’s been four years since the initial release, and two years since the prior version. Between then and now your security world has evolved a lot, and the tool now reflects that.

Download now: http://www.microsoft.com/downloads/details.aspx?FamilyId=CD057D9D-86B9-4E35-9733-7ACB0B2A3CA1&displaylang=en

Take a few moments and give yourself a security checkup. If you have any comments or feedback on the tool, feel free to leave them here on my blog—I’ll make sure the right people see it.

From the download page:

The MSAT employs a holistic approach to measuring your security posture by covering topics across people, process, and technology. Findings are coupled with prescriptive guidance and recommended mitigation efforts, including links to more information for additional industry guidance. These resources may assist you in keeping you aware of specific tools and methods that can help change the security posture of your IT environment.

There are two assessments that define the Microsoft Security Assessment Tool:

Business Risk Profile Assessment
Defense in Depth Assessment (UPDATED)

The questions identified in the survey portion of the tool and the associated answers are derived from commonly accepted best practices around security, both general and specific. The questions and the recommendations that the tool offers are based on standards such as ISO 17799 and NIST-800.x, as well as recommendations and prescriptive guidance from Microsoft’s Trustworthy Computing Group and additional security resources valued in the industry.

After completing an Assessment, you will gain access to a detailed report of your results. You may also compare your results with those of your peers (by industry and company size), provided that you upload your results anonymously to the secure MSAT Web server. When you upload your data the application will simultaneously retrieve the most recent data available. To be able to provide this comparative data, we need customers such as you to upload their information. All information is kept strictly confidential and no personally identifiable information whatsoever will be sent.

Sun Gives Advance Notice of Java Update

Mon, 01 Dec 2008 14:52:01 +0000

Tomorrow, Dec. 2, 2008, Sun will release updates for various versions of Java. This is the first example, to my knowledge, of an advance notification of an update by Sun Microsystems. In fact, it's the first advance notification I know of except for those from Microsoft, which started the practice to accommodate planning by IT departments. Microsoft's advance notifications come four days in advance of the actual update release. Sun's is one day in advance, and contains only minimal information. It says the following updates will be released:

JDK and JRE 6 Update 11
JDK and JRE 5.0 Update 17
SDK and JRE 1.4.2_19
SDK and JRE 1.3.1_24

It also lists Sun alert numbers for the updates, but there are no links or indications of what the alerts mean. I tried to search for the numbers but had no luck. Still, advance notification is a good thing and this is a step in the right direction. I hope it's a trend.

How spyware nearly sent a teacher to prison

Sun, 30 Nov 2008 02:00:00 +0000

If there's a poster child for the dangers of spyware, it's Julie Amero, who was convicted of four felony charges after a classroom computer began showing inappropriate content in pop-ups when she was working as a substitute teacher.

Links List 11.24.08

Mon, 24 Nov 2008 11:15:36 +0000

The hunt for the nation’s first CTO continues. Although names have been suggested, such as standout nominees include Bruce Schneier, founder of Counterpane and now chief security technology officer at BT; Mark Cuban for his obvious business sense – and in spite of the insider trading indictment – and Carly Fiorina, former controversial CEO of HP, the next question is what policies should this CTO pursue? Visit ObamaCTO.org to view and vote for policies.

SaaS is taking a bite out of the $18 billion IT management market. A new Forrester Research report forecasts SaaS-based IT management accounts will be 10% of the market by 2013. The reason: high level of interest from medium-sized and large enterprises. Forrester also predicts that enterprises with 1,000 or more employees will account for 50% of SaaS installations in 2009. We’ve seen this on the service desk side with the rapid growth of upstart Service-now.com. Companies are looking for easier and rapid deployment, lower upfront and capital costs and rapid time to value – all benefits of SaaS as well as our own appliance model.

IBM snapped up Transitive this week. Their QuickTransit software dynamically translates native code between architectures, enabling apps compiled for one processor to be run on another without any modification. Apple was the first licensee and used it to build Rosetta, a translation system that allowed users of Intel Macs to seamlessly run legacy PowerPC apps. IBM plans to use the technology to move workloads onto IBM systems without recompiling, allowing customers to “save on energy costs due to hardware consolidation and reduced TCO.”

At CA World, CA announced a partnership with Amazon to provide “management capabilities around Amazon’s EC2 utility computing platform, potentially including discovery of software running on EC2 instances, performance monitoring, configuration management, software deployment capabilities and provisioning”. John Willis, in spite of some pretty funny potshots and stories about CA (don’t we all have them), writes that “CA is the first of the Big Four to take the cloud serious”.

Skein and SHA-3 News

Wed, 19 Nov 2008 03:14:48 +0000

There are two bugs in the Skein code. They are subtle and esoteric, but they're there. We have revised both the reference and optimized code -- and provided new test vectors -- on the Skein website. A revision of the paper -- Version 1.1 -- has new IVs, new test vectors, and also fixes a few typos in the paper.

Errata: Version 1.1 of the paper, reference, and optimized code corrects an error in which the length of the configuration string was passed in as the size of the internal block (256 bits for Skein-256, 512 for Skein-512, and 1024 for Skein-1024), instead of a constant 256 bits for all three sizes. This error has no cryptographic significance, but affected the test vectors and the initialization values. The revised code also fixes a bug in the MAC mode key processing. This bug does not affect the NIST submission in any way.

NIST has received 64 submissions. (This article interviews one of the submitters, who is fifteen.) Of those, 28 are public and six have been broken. NIST is going through the submissions right now, making sure they are complete and proper. Their goal is to publish the accepted submissions by the end of the month, in advance of the Third Cryptographic Hash Workshop to be held in Belgium right after FSE in February. They expect to quickly make a first cut of algorithms -- hopefully to about a dozen -- and then give the community about a year of cryptanalysis before making a second cut in 2010.

Lastly, this is a really nice article on Skein.

These submissions make some accommodation to the Core 2 processor. They operate in "little-endian" mode (a quirk of the Intel-like processors that reads some bytes in reverse order). They also allow a large file to be broken into chunks to split the work across multiple processors.
However, virtually all of the contest submissions share the performance problem mentioned above. The logic they use won't optimally fit within the constraints of a Intel Core 2 processor. Most will perform as bad or worse than the existing SHA-1 algorithm.

One exception to this is Skein, created by several well-known cryptographers and noted pundit Bruce Schneier. It was designed specifically to exploit all three of the Core 2 execution units and to run at a full 64-bits. This gives it roughly four to 10 times the logic density of competing submissions.

This is what I meant by the Matrix quote above. They didn't bend the spoon; they bent the crypto algorithm. They moved the logic operations around in a way that wouldn't weaken the crypto, but would strengthen its speed on the Intel Core 2.

In their paper (PDF), the authors of Skein express surprise that a custom silicon ASIC implementation is not any faster than the software implementation. They shouldn't be surprised. Every time you can redefine a problem to run optimally in software, you will reach the same speeds you get with optimized ASIC hardware. The reason software has a reputation of being slow is because people don't redefine the original problem.

That's exactly what we were trying to do.

Mobile Malware: What Happens Next?

Tue, 11 Nov 2008 21:00:00 +0000

Four years ago, F-Secure Chief Research Officer Mikko Hypponen was talking about malware infections on mobile phones while few others were paying attention. With the growing use of Internet-enabled phones, particularly Apple's iPhone and RIM's Blackberry, he sees more opportunities than ever for malicious activity. But, surprisingly, he sees a quiet mobile malware landscape at the moment.

Vulnerabilities quickly mitigated by security-conscious vendors

Tue, 11 Nov 2008 17:10:00 +0000

As you are likely aware, I spend a fair bit of time heckling those I believe deserving due to their shortcomings with regard to protecting online consumers.
I do, however, continue to seek opportunities to shed positive light as well, and recent responses from a number of vendor/developers warrant an opportunity to do just that.
In the last 30 days, I've discovered vulnerabilities in products from four different vendors, and advised them all immediately upon discovery. Usually, that's where the story ends, as sadly, my repeated requests for action are often ignored. The last 30 days have proven to be entirely different, with swift responses and action from ALL vendors to whom I reported vulnerabilities. In all cases I received replies within 24 hours or less, and patches/fixes/updates were typically released within 24-72 additional hours. These are exemplary responses, and reflect why I choose to conduct vulnerability research. I believe we, as web application professionals (both developers and security practitioners), are beholden to the greater public and must endeavor to protect the online safety of the Internet consumer.
To each of these vendors/developers I'd like to issue a hearty "well done" and issue public kudos for their diligence and security consciousness, on behalf of consumers and website operators.
To Lukas of PlanetLuc, Jasper and Eric of Infrae/Silva, Alexander of CompactCMS, and Peter from ActiveCampaign may I say that your efforts are greatly appreciated. Where too few choose to do the right thing, your responses leave us with the perception of caring and integrity.
Thank you.

del.icio.us | digg | Submit to Slashdot

Microsoft patches long-known Windows bugs

Tue, 11 Nov 2008 02:00:00 +0000

Microsoft patched four vulnerabilities in two security updates for Windows and Office, including a critical bug that had been publicly disclosed nearly two years ago.

One in four DNS servers still vulnerable to Kaminsky flaw, survey says

Sun, 09 Nov 2008 21:00:00 +0000

he Measurement Factory's 4th annual study of 80 million addresses in the IPv4 space proves several in the Internet community didn't heed the industry's warning to upgrade their DNS servers with patches for the Kaminsky flaw and other known vulnerabilities.

10 More Dead as Drone War Over Pakistan Continues

Fri, 07 Nov 2008 12:34:00 +0000

At least 10 people are dead after the latest U.S. killer drone strike on the border region of Pakistan. Four missiles slammed into a suspected al-Qaida training camp in Kumsham village, in North Waziristan province. Casualty counts vary.