[SecurityRatty] tag: september

Monthly Blog Round-Up November 2008

Tue, 02 Dec 2008 13:24:00 +0000

As we all know, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today. These monthly round-ups is an attempt to remind people of useful content from the past month! If you are “too busy to read the blogs” (!), at least read these.

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics.

Amazingly, this month by far the #1 post is my “'Blogging from DeepSec 2008 in Vienna.” DeepSec was indeed an awesome conference.
Last month, I said that “SIEM bashing reached a new high.” OMFG. What should I say now? I dunno. In any case, “11 Signs That Your SIEM Is A Dog or "Raffy, You Killed SIM!" is on the top list. BTW, “On Open Source in SIEM and Log Management” is also again on the top list, to much of my amazement.
Again and again, PCI compliance is obviously still all the rage: MUST-DO Logging for PCI? post was again propelled to a place in my monthly Top5 list.
Get a firewall AND a fire extinguisher, now, will ya? Is it too much to ask? :-) The post “On Small Companies and PCI Compliance” is on the Top list.
Shockingly, AGAINx2 :-) this month, the "Top 11 Reasons to Secure and Protect Your Logs" came up as on the Top list. BTW, see my other logging polls and my other “top 11” lists.

See you in December. Also see my annual “Top Posts” (2007)

Possibly related posts / past monthly popular blog round-ups:

Technorati Tags: blog,security,loggings,monthly

FBI Stoking Fear

Thu, 27 Nov 2008 09:27:35 +0000

Another unsubstantiated terrorist plot:

An internal memo obtained by The Associated Press says the FBI has received a "plausible but unsubstantiated" report that al-Qaida terrorists in late September may have discussed attacking the subway system.
[...]

The internal bulletin says al-Qaida terrorists "in late September may have discussed targeting transit systems in and around New York City. These discussions reportedly involved the use of suicide bombers or explosives placed on subway/passenger rail systems," according to the document.

"We have no specific details to confirm that this plot has developed beyond aspirational planning, but we are issuing this warning out of concern that such an attack could possibly be conducted during the forthcoming holiday season," according to the warning dated Tuesday.

[...]

Rep. Peter King, the top Republican on the House Homeland Security Committee, said authorities "have very real specifics as to who it is and where the conversation took place and who conducted it."

"It certainly involves suicide bombing attacks on the mass transit system in and around New York and it's plausible, but there's no evidence yet that it's in the process of being carried out," King said.

Knocke, the DHS spokesman, said the warning was issued "out of an abundance of caution going into this holiday season."

Got that: "plausible but unsubstantiated," "may have discussed attacking the subway system," "specific details to confirm that this plot has developed beyond aspirational planning," "attack could possibly be conducted," "it's plausible, but there's no evidence yet that it's in the process of being carried out."

I have no specific details, but I want to warn everybody today that fiery rain might fall from the sky. Terrorists may have discussed this sort of tactic, and while there is no evidence yet that it's in the process of being carried out, I want to be extra-cautious this holiday season. Ho ho ho.

Blurring the Lines Between Managed Service Provider and Cloud Computing

Tue, 25 Nov 2008 11:20:47 +0000

VMware made big announcements at their VMworld conference back in September, talking about adding on a slew of virtualization management functionality to a revamped vCenter and extending into the “cloud” with vCloud services. Like most people, I had a lot of skepticism about what vCloud really meant; was this just more hype trying to take advantage of the cloud computing buzz? Certainly CEO Paul Maritz came from this world and virtualization itself (and especially vMotion) is an enabling technology for cloud computing. But how ready were VMware and its ecosystem of partner vendors to actually fulfill on the promise?

So I was very interested when I heard that Opus Interactive, a customer of ours, had “joined the VMware vCloud initiative as a VMware Service Provider”. I talked to Eric Hulbert, CTO of Opus Interactive, to get some details directly from the source.

Eric shared our own caution about making “cloud-ready” announcements. There have simply been too many companies talking about cloud solutions that lack any substance – usually based on definitions of cloud computing that are hazy or just too broad. The backlash against the cloud hype is often quite justified. But in Opus’ case, there are real components that if they don’t add up to a “full” cloud computing solution just yet, are well on their way – and enabled by VMware’s program for service providers (VSPP).

Opus Interactive is serious about virtualization, which is an indispensable tool in their stated goal of creating a high-density micro-data center with the smallest footprint possible. They are 100% wind-powered and have already virtualized much of their data center, reducing the amount of hardware necessary to run the business and driving down costs to produce even more competitive advantage in a crowded marketplace.

VSPP for vCloud provides a rental model of VMware licenses – e.g., for Enterprise ESX or VDI. VMware Service Providers report on their customers’ virtual machines (vm) and pay only for what is actually used. This model lets Opus Interactive quickly spin up a vm to get a new customer up and running in about an hour and stay very cost competitive at the same time; Opus offers their vClustr entry-level virtual server for only $99.

Cost-effective, rapidly scalable computing “on-demand” based on shared resources, managed by “expert” third-parties, enabled by virtualization technology and pay-per-use vm licenses. Cloud computing? Instead of thinking about a single definition of cloud computing, perhaps it’s more relevant as the market matures to think about a continuum of cloud computing. And by that definition, Opus Interactive is providing cloud services, enabled by VMware’s VSP program. Next on the schedule, automated provisioning and perhaps in the future, API’s that make it even easier for application developers to test and deploy apps on Opus Interactive’s cloud platform – which, by the way, uses EM7 for its core management solution.

Gmail security and recent phishing activity

Tue, 25 Nov 2008 10:22:00 +0000

Posted by Chris Evans

We've seen some speculation recently about a purported security vulnerability in Gmail and the theft of several website owners' domains by unauthorized third parties. At Google we're committed to providing secure products, and we mounted an immediate investigation. Our results indicate no evidence of a Gmail vulnerability.

With help from affected users, we determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information. Attackers sent customized e-mails encouraging web domain owners to visit fraudulent websites such as "google-hosts.com" that they set up purely to harvest usernames and passwords. These fake sites had no affiliation with Google, and the ones we've seen are now offline. Once attackers gained the user credentials, they were free to modify the affected accounts as they desired. In this case, the attacker set up mail filters specifically designed to forward messages from web domain providers.

Several news stories referenced a domain theft from December 2007 that was incorrectly linked to a Gmail CSRF vulnerability. We did have a Gmail CSRF bug reported to us in September 2007 that we fixed and deployed worldwide within 24 hours of private disclosure of the bug details. We know of no affected users. Neither this bug nor any other Gmail bug was involved in the December 2007 domain theft.

We recognize how many people depend on Gmail, and we strive to make it as secure as possible. At this time, we'd like to thank the wider security community for working with us to achieve this goal. We're always looking at new ways to enhance Gmail security. For example, we recently gave users the option to always run their entire session using https.

To keep your Google account secure online, we recommend you only ever enter your Gmail sign-in credentials to web addresses starting with https://www.google.com/accounts, and never click-through any warnings your browser may raise about certificates. For more information on how to stay safe from phishing attacks, see our blog post here.

Security Predictions: Two Views on the Department of Homeland Security

Tue, 18 Nov 2008 02:00:00 +0000

Amit Yoran left DHS in September 2004, convinced the department had no clue on how to handle cybersecurity. Now he is feeling more hopeful.

Security Predictions: Two Views of DHS

Sun, 16 Nov 2008 21:00:00 +0000

Amit Yoran left DHS in September 2004, convinced the department had no clue on how to handle cybersecurity. Now he is feeling more hopeful.

MSDN Security Issue Articles

Thu, 13 Nov 2008 20:58:00 +0000

Bryan here. The SDL team is well represented in the annual security issue of MSDN magazine – we have three articles that might be interesting to you, given that you read the SDL Blog!

First up is a code review quiz, “Test Your Security IQ”. Put your C/C++/C# security skills to the challenge by reviewing ten tricky code snippets that Michael and I devised. As an added incentive, I’ll post public congratulations here in the SDL blog to the first person who reverses the insecure hash found somewhere in the exam (not to give too much of a hint).

Next up, we have “Agile SDL: Streamline Security Practices for Agile Development”. I’ve been talking about web application security issues in the SDL blog (and in the September issue of MSDN magazine, if you missed it). However, while it’s essential to make sure that web-specific issues are covered in the SDL, it’s equally important to make sure that web development teams – and other Agile development teams – can use the SDL effectively, and the classic, phased SDL approach is not always a good fit for these teams. This MSDN article is the first public look at the new SDL/Agile methodology that we’ve been working on for the last year. This process is currently in beta with some internal Microsoft product teams and online services. We’d love to get some external feedback on it before we release it to the entire company, so please send us your thoughts.

Finally, be sure to check out Michael’s Security Briefs column “Threat Models Improve Your Security Process”. Regular readers of this blog know how important threat modeling is to secure development. This article describes methods of using threat modeling not just to identify security vulnerabilities outright, but how to use it to make other SDL activities such as fuzzing and reducing attack surface more effective.

Three articles are more than enough for one team for one month! But be on the lookout for more articles from the usual SDL suspects in the near future. As always, keep watching this space for details.

Monthly Blog Round-Up October 2008

Mon, 10 Nov 2008 13:35:00 +0000

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts and topics.

OF COURSE, the news of my “transition” is the item #1, by far. “Change!!!” and “Qualys” posts rule the list.
Last month I posted a bunch of my presentations on logs, security, etc on the blog. “Presentation from GOVCERT.NL 2008: Log Forensics” takes one of the tops spots; and so do “Presentation on Application Logging, Done Wrong or Very Wrong” and “Presentation on Optimizing Your Logging for Insider Attack Tracking.” BTW, all the presentations are here.
Shockingly, AGAIN this month, the "Top 11 Reasons to Secure and Protect Your Logs" came up as #1 most popular post (maybe driven by my poll). BTW, see my other logging polls and my other “top 11” lists.
SIEM bashing reached a new high (eh…“low”? :-)), now that Richard is helping too; my “11 Signs That Your SIEM Is A Dog or "Raffy, You Killed SIM!" is on the top list. It is both humorous and sadly true (and backed up by other sources and here.)
Somewhat predictably, PCI compliance is obviously still all the rage: MUST-DO Logging for PCI? post was again propelled to a place in my monthly Top5 list.

See you in November.

Possibly related posts / past monthly popular blog round-ups:

Technorati Tags: blog,security,loggings,monthly

Going Green

Fri, 07 Nov 2008 15:25:16 +0000

Last year, IBM pledged to spend $1 Billion per year to figure out ways to make computing more energy efficient and environmentally friendly and named the plan “Product Big Green.” Of course, that pledge was in far better financial circumstances for everyone involved, but you have to think that pointing out ways for companies to save is something you should actually be spending time and money (for IBM, a whole lot of it) on right about now.

Of course, virtualization can do its bit to help companies save on hardware, power and cooling costs. We have this straight from a customer’s mouth – see the video here. And having your data center be 100% wind-powered certainly does its bit as well.

But the winner – according to eWeek and and an EMA study in September – is to turn equipment off when they’re not in use. I would say this is a no-brainer, but apparently we all need to be reminded…

Who remembers that line from the Schoolhouse Rock video on Energy? “So don’t get cross, when momma says turn that extra light off.” The full video for your viewing pleasure here.

(image from freedomroadproject)

Baylor Health warns of possible data compromise

Tue, 04 Nov 2008 21:00:00 +0000

HealthTexas Provider Network, a subsidiary of the Dallas-based Baylor Health Care System, is notifying about 7,400 patients of the potential compromise of their Social Security Numbers (SSNs) and other personal information after a laptop containing the data was stolen in September.