[SecurityRatty] tag: top-down

Tips for staying safe online this Holiday season

Fri, 28 Nov 2008 13:37:01 +0000

Great article by Mr Walling.
Take the time read the tips and maybe you wont become a statistic this season

Walling Data’s Top Ten Safety Tips for Online Shopping

“The Internet is safe if you follow basic, fundamental rules of
using a computer safely,” says Luke Walling, Founder and President of Walling
Data, one of the largest distributors of online security products in
the country. “Many people think of their computer much like
they would an appliance, such as a microwave or stereo that behaves in a
predictable pre-programmed way. But, in reality computers
are dynamic devices that evolve dramatically with the installation of
each new program. It’s important to remember that viruses
and spyware are programs as well.”

FBI Stoking Fear

Thu, 27 Nov 2008 09:27:35 +0000

Another unsubstantiated terrorist plot:

An internal memo obtained by The Associated Press says the FBI has received a "plausible but unsubstantiated" report that al-Qaida terrorists in late September may have discussed attacking the subway system.
[...]

The internal bulletin says al-Qaida terrorists "in late September may have discussed targeting transit systems in and around New York City. These discussions reportedly involved the use of suicide bombers or explosives placed on subway/passenger rail systems," according to the document.

"We have no specific details to confirm that this plot has developed beyond aspirational planning, but we are issuing this warning out of concern that such an attack could possibly be conducted during the forthcoming holiday season," according to the warning dated Tuesday.

[...]

Rep. Peter King, the top Republican on the House Homeland Security Committee, said authorities "have very real specifics as to who it is and where the conversation took place and who conducted it."

"It certainly involves suicide bombing attacks on the mass transit system in and around New York and it's plausible, but there's no evidence yet that it's in the process of being carried out," King said.

Knocke, the DHS spokesman, said the warning was issued "out of an abundance of caution going into this holiday season."

Got that: "plausible but unsubstantiated," "may have discussed attacking the subway system," "specific details to confirm that this plot has developed beyond aspirational planning," "attack could possibly be conducted," "it's plausible, but there's no evidence yet that it's in the process of being carried out."

I have no specific details, but I want to warn everybody today that fiery rain might fall from the sky. Terrorists may have discussed this sort of tactic, and while there is no evidence yet that it's in the process of being carried out, I want to be extra-cautious this holiday season. Ho ho ho.

In Mumbai, bloggers and Twitter offer help to relatives

Wed, 26 Nov 2008 21:00:00 +0000

Bloggers pitched in offering information and other help to people worldwide as Indian police and commandos battled it out Thursday with armed terrorists in two top hotels and a residential complex in south Mumbai.

Zermatt is now Geneva Framework

Wed, 26 Nov 2008 11:41:00 +0000

For those who didn't attend PDC, the Zermatt identity framework has been re-code-named Geneva Framework so that it fits in with the Geneva family of products:

Geneva Framework: a .NET class library called Microsoft.IdentityModel (basically it's an updated Zermatt)

Geneva Server: This is essentially ADFS v2, built on top of the Geneva Framework

Geneva CardSpace: This is CardSpace v2.

This link takes you to the "Geneva" landing page at Microsoft, where you'll find links to all of the bits, as well as the whitepaper v2. The new version of the whitepaper was co-authored by myself and a PM on the Geneva Framework team, Sesha Mani, who added a bunch of new details based on the PDC version of the framework.

Localizing Cybercrime - Cultural Diversity on Demand Part Two

Tue, 25 Nov 2008 05:55:21 +0000

It's where you advertise your services, and how you position yourself that speak for your intentions, of course, "between the lines". There's a common misunderstanding that in order for a malware campaigner or scammer to launch a localized attack speaking the native language of their potential victims, they need to speak the local language. This misconception is largely based on the fact that a huge number of people remain unaware on how core strategic business practices have been in operation across the cybercrime underground for the last couple of years.

Outsourcing the localization process (translation services for spam/phishing/malware campaigns) has been happening for a while, courtsy of DIY servics ensuring complete anonymity of their customers. Interestingly, the translators may in fact be unaware that the advertising channels the service is using is directly attracting everyone from the bottom to the top of the cybercriminal food chain as a customer. Sometimes, it's services like this that open a new market segment covering an untapped opportunity, with this particular service already pointing out that it's charging cheaper than their competitors.

"We offer our services in translation. We are only competent translators profile higher education. Service is working with all types of texts. Languages available at this time of Russian, English, German. Average translation of the text takes up to 10 hours (usually much faster) through the full automation of the order and payment. Just want to note that we do not keep any logs on IP and does not require registration. In addition you can remove your order from the database after his execution. In addition to running more than 1000 translations already, we can use all the lessons learned to be more effective in our services. Prices vary depending on the complexity of the topic covered.

Prices and deadlines:
* Standard - the deadline is not more than 24 hours. Prices depend on the direction and guidance from the 'Order'.
* Term - work on your translation begins precedence. The price of the 50% more than the standard translation. Prices also depend on the direction and guidance from the 'Order'.

The cost of the transfer depends on the amount of work. The workload is measured in symbols. In calculating the characters are shown letters and numbers. Punctuation do not count. Minimum order 100 characters."

I'm particularly curious how is a contractor(translator) going to react to a situation when a large scale malware campaign speaking several different languages tell a fake story that the contractor might have recently translated for them. With the employer positioning itself as a fully legitimate company, whereas its customers requesting localized version of texts for the spam/phishing/malware campaigns are the "usual suspects", the contractors would continue allowing cybercriminals the opportunity to build more authenticity within their campaigns.

Related posts:
E-crime and Socioeconomic Factors
MPack and IcePack Localized to Chinese
The Icepack Exploitation Kit Localized to French
The FirePack Exploitation Kit Localized to Chinese
Localizing Open Source Malware
Localized Fake Security Software
A Localized Bankers Malware Campaign
Lonely Polina's Secret (Localized malware campaign)

Experts to Feds: Sign the DNS root ASAP

Mon, 24 Nov 2008 21:00:00 +0000

Internet security gurus and leading vendors are urging the U.S. federal government to rapidly deploy security and authentication mechanisms at the top level of the DNS hierarchy, which is known as the root zone.

Celebrity's Bodyguard Caught on Camera

Sun, 23 Nov 2008 18:14:00 +0000

Paparazzi seem to draw bodyguards to their cameras like moths to a light bulb.

This recent grapple caught on video was aired on the Fox News show in the "Kelly's Court" segment. Megyn Kelly acted as the judge while two other lawyers debated whether the photographer had a chance of winning a civil suit

The celebrity, John Meyer, appeared to be exiting a restaurant with a friend when a photographer tried to take a picture. Although the clip was relatively short, it appeared as if Mr. Meyer's E.P. agent went over the top in trying to block the photogapher from taking the picture.

From a professional E.P. point of view, the matter could have been handled with much decorum and expertise. Mr. Meyer should have been closely escorted to his vehicle and placed inside out of harm's way. Since there only appeared to be one E.P. agent (who also doubled up as driver), when he went charging at the photographer, he left his Principal unprotected.

For some reason, many of the people employed to protect celebrities seem more preoccupied with making sure that pictures are not taken rather than ensuring the safety of their Principal. What makes it all the more ironic, is the fact that these celebrities are usually out in the public eye and therefore can not realistically expect total privacy.

If you are a Personal Protection Specialist and you find yourself in this position, remember two things. Firstly, always remember your duty to protect your Principal. If you are doing it alone, who will be looking after them when you are rolling around the floor with a photographer?

Secondly, remember that you can be sued civilly - and do not take that literally, there is nothing civil about it. You may or may not be prosecuted criminally, but if you lose a civil suit, it could mean that you'll be spending the rest of your working life paying that photographer who is claiming neck injuires and all kinds of trauma.

A picture may be worth a thousand words, but it is hardly worth ruining your career and life.

Team Foundation Server (TFS) and the Open Web Application Security Project (OWASP) Top Ten

Fri, 21 Nov 2008 09:25:08 +0000

Nice article over on MSDN here.

America's Next Top Hash Function Begins

Wed, 19 Nov 2008 23:00:00 +0000

You might not have realized it, but the next great battle of cryptography began this month. It's not a political battle over export laws or key escrow or NSA eavesdropping, but an academic battle over who gets to be the creator of the next hash standard.

Hash functions are the most commonly used cryptographic primitive, and the most poorly understood. You can think of them as fingerprint functions: They take an arbitrary long data stream and return a fixed length, and effectively unique, string. The security comes from the fact that while it's easy to generate the fingerprint from a file, it's infeasible to go the other way and generate a file given a fingerprint.

Originally created to make digital signatures more efficient, hashes are now used to secure the very fundamentals of our information infrastructure: in password logins, secure web connections, encryption key management, virus and malware scanning, and almost every cryptographic protocol in current use. Without cryptographic hash functions, the internet would simply not work. At the same time, there isn't a good theory of hash functions. Unlike encryption algorithms, there are no secret keys involved; this makes it harder to mathematically define exactly what hash functions are.

The National Institute of Standards and Technology, NIST, is holding a competition to replace the SHA family of hash functions. "SHA" stands for "Secure Hash Algorithm." It was developed by the NSA in 1993 to replace the commercial MD4 and MD5 algorithms, and has been updated several times since then. All the SHA algorithms are very similar, and have been increasingly under attack, so NIST wants to replace them.

The competition is important because, unlike other technological standards, committee design — balancing the interests of diverse constituents — isn't conducive to good security. Security is best when it's designed by expert teams and then subjected to public review. And cryptography is best when it's chosen by competition.

In 1997, NIST held a competition for a block cipher to replace DES. Fifteen candidates and three-and-a-half years later, Rijndael became the new Advanced Encryption Standard — AES. NIST is doing the same thing for what it's calling SHA-3 (not, for some unexplained reason, the Advanced Hash Standard or AHS).

The deadline was October 31, and NIST received 64 submissions. This isn't surprising — I predicted 80 — as most of the 15 AES submitters were professors, whose students at the time have become professors themselves, with their own students. (If NIST does a stream cipher competition in another ten years, they should expect about 256 submissions.) These submissions came from academia, from industry, and from hobbyists. CIO magazine recently interviewed one of the submitters, who is 15. Twenty-eight submissions have been made public by the submitters, and six of those have been broken.

NIST is going through all the submissions right now, making sure they are complete and proper. Their goal is to publish all accepted submissions by the end of November, in advance of the First Hash Function Candidate Conference, to be held in Belgium right after the Fast Software Encryption workshop in February.

The group expects to quickly make a first cut of algorithms — hopefully to about a dozen — and give the community a year of cryptanalysis before making a second cut in 2010. After another year of cryptanalysis, NIST will choose a winner in 2011. Expect a final standard by 2012.

My advice for software developers is to let the process run its course. While it's tempting to use the new cool algorithms in your designs, it's far too soon to trust any of them. This process is likely to result in all sorts of new research results in hash function security, and some real cryptanalytic surprises. Give the community a few years to figure out which ones are good and which aren't.

I've previously called this sort of thing a cryptographic demolition derby: The last one left standing wins. But that's only partially true. Certainly all the groups will spend the next few years trying to cryptanalyze each other, but in the end there will be a bunch of unbroken algorithms. NIST will select one based on performance and features.

NIST has stated that the goal of this process is not to choose the best standard but to choose a good standard. I think that's smart; in this process, the best is the enemy of the good. While there's no rush to choose a new standard — the SHA-2 algorithms will remain secure for the foreseeable future — we don't want to analyze the candidates forever.

Personally, I was part of a group of eight cryptographers that submitted Skein to the competition. A decade ago, writing Twofish and participating in the AES process was the most fun I had ever had in cryptography. These next few years promise to be even more fun.

---

Bruce Schneier is chief security technology officer of BT. His new book is Schneier on Security.

Links for 2008-11-19 [del.icio.us]

Wed, 19 Nov 2008 21:00:00 +0000

QualysGuard PCI Pass/Fail Status Criteria - Qualys
Press Releases - November 11, 2008 - Q1 Labs
free, downloadable, log management and compliance product that provides organizations with visibility across their networks, data centers, and infrastructures
Healthy Paranoia: Top 50 Internet Security Blogs by The Daily Netizen
GOVCERT.NL Symposium 2008
Looking for Trouble - WSJ.com
ClearNet Security : It’s hard to build a smart SIEM
If you find yourself evaluating SIEM products, dig in and investigate how each works - you don’t want yesterday’s product.
PCI Perspectives by Dave Taylor
Lehman Bros 'killed by complexity' (physicsworld.com Blog) - physicsworld.com