[SecurityRatty] tag: root

Experts to Feds: Sign the DNS root ASAP

Mon, 24 Nov 2008 21:00:00 +0000

Internet security gurus and leading vendors are urging the U.S. federal government to rapidly deploy security and authentication mechanisms at the top level of the DNS hierarchy, which is known as the root zone.

DNSSEC and Root Zone Signing

Mon, 24 Nov 2008 08:15:00 +0000

I posted a "Position on DNSSEC and Root Zone Signing" commentary over on the Security Practice Blog.

Hackers Jailbreak T-Mobiles And Googles Android Phone

Wed, 05 Nov 2008 21:35:13 +0000

Hackers have managed to jailbreak T-Mobile’s new G1 phone by exploiting a gaping loophole in Android, the open source operating system supplied by Google. The hack, which was posted to XDA-Developers forum, is a straight-forward process that allows root access in about one minute. It involves using the widely available PTerminal application to telnet to the [...]

Blue Box #83: SIP and Asterisk vulnerabilities, voice biometrics, P2PSIP, Aircell blocking Skype, VoIP security news and more

Thu, 16 Oct 2008 06:48:11 +0000

Synopsis: Blue Box #83: SIP and Asterisk vulnerabilities, voice biometrics, P2PSIP, Aircell blocking Skype, VoIP security news and more…

Welcome to Blue Box: The VoIP Security Podcast #83, a 39-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 18MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was recorded on September 4, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Three-year anniversary of Blue Box coming up on October 24th - any thoughts you'd like to share with us? (Please send them to us by October 23rd.)
Remote DoS in reSIProcate
Remote root shell in Trixbox
Second route of VoIPShield Cisco/Avaya/Nortel vulnerabilities
AST-2008-010 – IAX2 ‘POKE’ Resource Exhaustion
AST-2008-011 – IAX2 Firmware Provisioning System
Saunderslog: Squawk Box – July 10, 2008: Voice biometrics and VoiceVerified.com
Saunderslog: Squawk Box – July 9, 2008: P2PSIP
IETF: P2PSIP Security Requirements
Voice of VOIPSA: “Aircell blocking VoIP on a plane” – part 1 , part 2 and an update
Voice of VOIPSA: Shawn Merdinger’s series on “Asking The Cisco IPICS Expert” – Questions 1-5 – 6-10 – 11-15 – 16-20 – 21-25
Voice of VOIPSA: Asterisk ‘hack’ to show blocked Caller-ID points to larger trust issues with SIP (and SpeechTEK speech)
NetworkWorld: Georgia student arrested for hacking grades, VoIP
CRN: Analysis: Hacking VoIP as easy as 1-2-3
Ari Takanen starts blogging at InfoWorld
InfoWorld: Motivation for VoIP Fuzzing
TMCnet: How to keep your tech career afloat
New analyst report: Security Threats Loom Over Unified Communications pointing to Light Reading report and article
VoIP Companies to Fight For Market Share
IEEE approves 802.11r standard
Google Chrome – upgrading the web to be application-centric
Items on my DisruptiveTelephony blog… Skype 5th birthday, Asterisk future, Digium/Nortel
No comments this week.
Review of the last week's traffic on the VOIPSEC public mailing list
Wrap-up of the show
39:08 - End of show

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Top data-breach causes

Wed, 15 Oct 2008 20:00:00 +0000

A recent research project has led me to look at information security and in particular, the root cause of data breaches.

A horse's ass approach to virtualization security

Mon, 13 Oct 2008 21:52:00 +0000

The interest and excitement around virtualization is palpable. However, it seems like the security approaches in this area are similar to the constrains that a horse's ass put on the space shuttle design.

Virtualization security solutions today primarily focus on protecting the virtual OS, the virtual networks, or the hypervisor software itself. More specifically, most current virtualization security technologies are focused on preventing hypervisor root kits, providing intrusion detection, anti-malware, anti-virus, network security, etc. In the physical world, this is similar to individually protecting hardware, operating systems, and the networks that connect them. That is, the focus is mainly on protecting infrastructure and perimeter, not data. Protecting that data, however, should be the single most important aspect of virtualization security.

Here is why: Any execution environment requires four elements: devices/hardware/OS, networks, applications, and data. With the advent of virtualization, physical devices/OS are being replaced by flexible, on-demand virtual “devices,” networks are being virtualized and applications are being streamed down from virtual environments. Therefore, the only remaining “constant” element is the data itself - which also has a longer lifetime than the ephemeral virtual environment. While protecting the virtual infrastructure is important, I believe the primary focus for protection should be the data – the true IT asset.

Virtualization is a game-changer for computing and has forced the IT world to rethink its infrastructure; now virtualization security has to be rethought as well. An information-centric approach to persistently protecting the data itself is the only way to really benefit from virtualization and keep the data truly secure.

Or thinking about it another way - why was Google's approach to navigate the web using search better than the initial Yahoo approach of hierarchical mapping? Coz Yahoo was mapping an old yellow-book approach to managing data, while Google took advantage of the new medium.

I shall try and elaborate on my thoughts in upcoming posts...

VeriSign, ICANN Square Off Over DNS Root

Fri, 10 Oct 2008 17:59:00 +0000

As the U.S. government starts the process of closing a major net vulnerability, two longtime net infrastructure rivals -- the non-profit ICANN and for-profit VeriSign -- are battling over who will compile and verify the net's most important document. Internet experts give the nod to ICANN and bring up VeriSign's greedy past.

U.S. proposes digital signing of DNS root zone file

Fri, 10 Oct 2008 00:00:00 +0000

The U.S. government is seeking comments on a way to make the Internet's addressing system less susceptible to tampering by hackers.

U.S. gov't proposes digital signing of DNS root zone file

Thu, 09 Oct 2008 20:00:00 +0000

The U.S. government is soliciting input on a way to make the Internet's addressing system less susceptible to tampering by hackers.

CEP, Event Noise and Asymmetric Event Processing

Thu, 02 Oct 2008 01:22:59 +0000

In The Genesis of Complex Event Processing: Asymmetric Capabilities I introduced the abstract concept of “asymmetric processing capabilities” to describe the foundations of complex event processing. If you take a few moments to review the first CEP projects from Stanford University, you will see that the application of CEP was toward solving myriad asymmetric event processing problems in distributed networks. These applications included challenging problems such as:

Network Level Monitoring and Management,
Cyber Security: Network Intrusion Detection,
Enterprise Monitoring and Management,
Modeling and Simulation of Collaborative Business Processes,
Business Policy Monitoring, and
Analysis and Debugging of Distributed Systems.

In each of the CEP application examples above, the amount of event information available to software developers can be staggering; however, despite all the available information, the capability to sense-and-respond to threats and opportunities is crude, at best.

Folks who work in network and security management, for example, are bombarded with event information. However, this deluge of event information is, for the most part, “noise” that is difficult to understand. In network management one of the most difficult things to accomplish is to find the root cause of an outage or performance problem. This is why researchers at Stanford were funded to focused on research topics such as (above), the Analysis and Debugging of Distributed Systems.

These are the classes of asymmetric event processing problems that define complex event processing, or CEP. Processing events by mediating events, routing events, or running a rule-set against events and making a processing decision are all perfectly valid event processing applications. However, the core reason to have “complex event processing” is to solve event processing problems where there exists a significant asymmetry between the deluge of “event noise” (Professor Luckham called this phenomena the “event cloud”) and detecting business-relevant, actionable complex events in an climate of uncertainty and noise.

In my next post on this topic I will briefly the review motivation behind my 1999 ACM paper, Intrusion Detection Systems and Multisensor Data Fusion, where we were working on solving complex distributed security challenges based on real-world experiences with the problems of asymmetric processing capabiilities. I will discuss why we evolved from an early rule-based expert system model to a more advanced inference model that was not dependent solely on rule-based thinking. I will also explain why other researchers and developers experienced in complex event detection applications have come to the same conclusion.