[SecurityRatty] tag: security

Flying Without ID? Know What's in Your Files

Sat, 19 Jul 2008 18:00:00 +0000

Under new rules from the Transportation Security Administration, travelers who try to fly without ID will need to provide personal information from public records to convince federal employees to let them past the x-ray machines and onto the plane.

Things that happen in China when nodoby is watching

Sat, 19 Jul 2008 14:33:00 +0000

Here is another reason to pay attention for your own safety when you visit China - especially during the Olympics.

The BBC World News ran a story yesterday of a local Beijing woman whose house was about to be torn down, leaving her homeless. Why was her home being demolished? The Government had decided that her house would not look nice enough to the foreign visitors coming to Beijing for the summer Olympics. They planned to plant flowers in the spot where her home stood.

Apparently, the authorities knew that the woman was not going to willingly accept this obvious abuse of power. A couple of Police vans watched the house from about a block away. Then the cameras left after interviewing the woman. When the television cameras came back the next day, the house was gone and so was the woman. The house had been torn down in the middle of the night when there were no witnesses. Nobody could say what happened to her as the flower planters went about the task of digging flower beds.

The BBC had obtained similar footage that had been covertly recorded earlier at another house. In this instance, a couple of the homeowners tried to resist the authorities tearing down their house. The camera graphically recorded two men who attempted to protest on the roof of their humble abode. A couple of "heavies" pulverised the seated men with vicious blows and kicks. One poor man was kicked full-force in the face and head several times. The camera shot him being taken away by ambulance and his whole face was swollen and lacerated. It seems that the Chinese Government are very serious when it comes to planting flowers. They certainly appear to have a higher regard for flowers than they do for human rights.

Our advice to you if you are visiting Beijing this summer - don't pick the flowers. I have seen how they treat people when they think nobody is watching. It isn't pretty.

The Ghost in Your Machine: IPv6 Gateway to Hackers

Sat, 19 Jul 2008 14:30:00 +0000

It may be years before the new internet protocol IPv6 takes over from the current IPv4, but a security researcher is warning that many systems -- corporate and personal -- are already open to attack through channels that have been enabled on their machines to support IPv6 traffic.

Remote Code Execution Vulnerability In The ActiveX Control For The Microsoft Access Snapshot Viewer Added Into Neosploit

Sat, 19 Jul 2008 13:12:33 +0000

More than two weeks ago Microsoft released a Security Bulletin outlining a vulnerability in the Access Snapshot Viewer ActiveX control. Microsoft began investigating active, targeted attacks leveraging this potential vulnerability. Recently, Symantec honeypots began detecting the vulnerability in the Access Snapshot Viewer ActiveX control exploited in a Neosploit wrapper. The Neosploit toolkit is an advanced [...]

Online safety education is working!

Sat, 19 Jul 2008 12:06:00 +0000

Yeah, this made my morning. Take the time to read the 10 questions you need to be asking yourself when shopping online.

clipped from www.crime-research.org

Online shoppers getting security savvy

With rising levels of online fraud, internet shoppers are becoming increasingly savvy about checking for some kind of security before paying for their goods.

Firefox update fixes Mac security issue

Fri, 18 Jul 2008 20:00:00 +0000

Mozilla has released an update to Firefox, its popular Web browser. The update is available for download either from the Firefox Web site or through Firefox itself, if you select "Check for Updates" from the Help menu.

DNS flaw discoverer says more permanent fixes will be needed

Fri, 18 Jul 2008 20:00:00 +0000

The security researcher who recently discovered a heretofore unknown flaw in the Internet's core Domain Name System (DNS) protocol warned IT managers on Thursday to expect more security fixes aimed at mitigating the issue over the coming months.

Links List 7.18.08

Fri, 18 Jul 2008 18:14:31 +0000

Rodrigues & Urlocker had a nice spin on an announcement about security vulnerabilities in the Spring Framework. How could these vulnerabilities have gone unnoticed for so long? “After all, isn’t one of the hallmarks of open source the strong community vetting?”

Stacey Higginbotham adds a “dose of reality” to the cloud computing craze in her post on “10 Reasons Enterprises Aren’t Ready to Trust the Cloud”. Check the link for the full list which include security, portability and reliability. Cloud Computing – the next big thing, emphasis on “next”.

This just tickled my funny bone. And made me feel sorry for a certain technical marketing manager… But really, if it’s that hard to explain where the name came from, you’re not paying your marketing people enough. ;-p

As IT spending growth slows, virtualization (and the ROI it promises) rises to the top. According to a Goldman Sachs report, “server virtualization” and “consolidation” are the top priorities for technology executives. Goldman predicts the overall growth in spending to slip from “7 percent to 5 percent this year.”

Butler Group analyst Roy Illsley shares his advice for implementing holistic systems management or “simplification, so that the IT department can manage the technology stack at a higher level, and therefore enable it to manage a wider range of technologies more efficiently. Hmm… simplifying IT, breaking down silos, automation, visibility across heterogeneous infrastructure…sounds very very familiar.

ShareThis

"Walking" with the SDL - Part 1

Fri, 18 Jul 2008 12:55:00 +0000

Jeremy Dallman here. Back in March I wrote a post about “Crawling” Toward SDL. I used the imagery of learning to “crawl, walk and run” as a way to provide some basic starting points that would move your organization toward implementing a version of Microsoft’s Security Development Lifecycle (SDL).

In this series I am going to talk about “Walking” with the SDL. Walking is the point where your security development practices become a lifecycle – a repeatable, mostly reusable process that makes security a part of your development culture. To relate the analogy to SDL a bit more closely, think of crawling as the “SD” in SDL. For this post, we’ll talk about walking – or adding the “L” in SDL.

I will be covering quite a bit on this topic, so I intend to split it up in to a multi-part series over a few days. I’ll condense it all into one big doc at the end. In Part One, I will review “crawling” and the foundation you need to have in place as well as discuss getting management approval. In Part Two we’ll cover the topic of expanding your security training. In the additional posts, we’ll discuss formalizing requirements, reusing threat modeling and attack surface review data, the importance of final security reviews, and managing post-release documentation. All of these are components to “walking” with the SDL.

Before I jump into detailing what you can do to “walk” with the SDL, let’s look back at a snapshot of what you should already have in place from learning to “crawl.” At a high level, crawling involved three components. Each of these components requires specific activities or tools that your team must implement to begin developing secure code:

1. Detailed awareness of your architecture and its attack surface.

a. Threat Modeling

2. Tools that will perform security analysis on your application.

a. Strengthen compiler defenses

b. Use code analysis or static analysis tools such as PREfast, FxCop, AppVerif

c. Build a strong fuzz testing capability

3. Results that show how the analysis resulted in improved security

a. Response planning and response process in place

b. Use bugs to gather evidence and show that your work improved security

Think of these pieces as the “gross motor skills” you need to start walking. You should already be using these components and have reached a conscious decision to start building a lifecycle around your secure development practices. As you start figuring out how to “walk”, I want to point out that each of the concepts I discuss in this post is a critical component of the Microsoft Security Development Lifecycle. Adopting the SDL in your company involves a combination of integrating the existing SDL principles and the creating of unique requirements and components specific to your environment to build your own Security Development Lifecycle.

With that in place, let’s start talking about what it means to “Walk with SDL.”

Obtain Management Approval/Endorsement

Creating a Security Development Lifecycle will cost time and money. In addition, it will likely require some process changes. In most organizations, this change will not happen unless you obtain the management approval and endorsement necessary to compel the organization to act.

The key to successfully pitching SDL to your management can be found in the data you have been accumulating during the “crawl” phase. As you may recall from my crawling post, the simplest way to create evidence that clearly illustrates improved application security is to “mine” the data from your bug database. Connecting those bugs to known security vulnerabilities or to what would have been bad security issues that were avoided by fixing them in development is a powerful story. Of course your pitch should include other necessary components like anticipated costs, new software acquisition, possible vendor and consulting contracts and anticipated return on investment.

However, the heart of your argument will be the story you tell. The story is quite simply “If we hadn’t done this basic work in security, here is what we would have missed and how much it would have hurt…” followed by “if we continue to expand our security practices and make them a part of our process, we can better predict measurable security improvements that reduce the likelihood of future risks.”

The new SDL website [http://www.microsoft.com/sdl] provides some valuable reference material on the Business Case for SDL. I would recommend that looking through that information for some good supporting material. In Part Two, I will discuss expanding your security training as another component of “walking” with SDL.

I’d like to hear if anyone is using the concept of “crawling” and “walking” to implement SDL in your company.

? What unique challenges are you facing as you try to push for SDL adoption?

? What have you used to successfully communicate the importance of security to your management?

Homer's Odyssey

Fri, 18 Jul 2008 12:52:08 +0000

Well, it's been a pretty busy week here as Homer Simpson + Malware = quite the commotion.

It started off with USA Today, VNUNet and CNET, then appeared on Slashdot over the weekend. After that, the sheer joy at being able to use Homer Simpson pictures in tech-related writeups was evident. Who would have thought it would finish off with Matt Selman himself (the Simpsons scriptwriter responsible for the whole "Chunkylover53" phenomenon) writing about the situation.

Pretty nuts. Heck, I even got to do a four minute Podcast that (from what I've been told) goes out to around 100 radio stations in the States. I think the closest I got to crossing security with popular culture previously was ye olde net-war (that revolved around a "stolen" picture of Lindsay Lohan - long story), but this one has Homer Simpson in it so clearly it wins by default.

However, what a lot of people might have missed - in fact, I nearly missed it myself - was something that appeared shortly before the plug appeared to be pulled on poor old Homer. Here's a screenshot of his previous message history - you can see how many times it was constantly changing:

Click to Enlarge

Here's the final message I saw before the lights seemingly went out on Homer:

Click to Enlarge

That message is particularly interesting, because it refers to a group of individuals who were involved in this Comcast hack not so long ago. Were they involved here? Or are the real culprits simply blaming someone else?