Thomas Ptacek posted this on Twitter. I was not sure of the context: "First they came for the small round rare-earth magnet sets, and I said nothing." Then I read this news story about Mother Russia's new Internet surveillance system:
http://www.wired.com/dangerroom/2012/11/russia-surveillance/all/
"Most importantly, however, the new Roskomnadzor system introduces DPI (deep packet inspection) on a nationwide scale. Although DPI is not mentioned in the law, the Ministry of Communications — along with the biggest internet corporations active in Russia — concluded in August that the only way to implement the law was through deep packet inspection."
Sunday, November 4, 2012
Stolen cell phone pictures, a cautionary tale
The Register carried an article about a woman whose revealing pictures of herself were stolen by two Verizon employees who were working on her phone. They then distributed the pictures.
Anything on the Internet is going to be around forever. Use caution. Note that these pictures never had to be on the Internet to leak: whoever performs a phone-to-phone data migration has unrestricted access to everything on the handset, so do the transfer yourself, or back up and remove sensitive content before handing the device over. "the two men worked at a Verizon store in Bartow, Florida, where one, Joshua Stuart, 24, helped a nubile local waitress transfer her data from her old handset to a new smartphone. Unbeknownst to her, he also took a copy of some of the pictures from the phone's memory for his personal perusal, it's alleged, as well as for a colleague."
NBC gets it on Guy Fawkes Day
According to ZDNET, "NBC had its Web sites hacked on November 4th. The sites are now coming back up, but hours after the initial Sunday morning attacks, there are still dead pages and others that aren't working properly."
"The hacker, who called himself, "pyknic," replaced the Websites with a simple page displaying scrolling text saying, “Remember, remember the fifth of November. The gunpowder treason and plot. I know of no reason why the gunpowder treason should ever be forgot.”"
According to Time, "In recent years, Fawkes' legacy has broadened. He provided the inspiration for the title character in the Wachowski brothers' V for Vendetta, in which a masked crusader embarks on a terrorist campaign against a totalitarian British dystopia."
Thursday, November 1, 2012
Apple IOS 6.0.1
I first heard about this release from the Internet Storm Center, a great source of news. So I did a few Google searches, and nobody seemed to be screaming that it bricked their iPhone or iPad. I just finished updating my iPad. Then I saw this article from Sophos saying you really should update, for security reasons.
From the article: "But you ought to have grabbed it with both hands for security reasons: iOS 6 patched a whopping 197 CVE-numbered vulnerabilities in 41 system components"
Give em heck, Mr. Gary McGraw
Oh yeah! If you have not read Gary's article on "active defense" you really should.
One quote from the article, "When the Washington Post publishes a story hyping an ill-considered notion of cyber-retaliation misleadingly called "active defense" as a rational idea, we should all worry."
Another take on this, from the HP blog: "As a strategy for an enterprise, "going on the offensive" is, I believe, small-minded. Here's why. With so many difficult factors to consider which I'll discuss in a minute, it's really hard to allocate resources to offensive strategy. Let's take even one more step backwards, first. When thinking about offensive security measures as a means of digital defense, we have to ask ourselves what the return on effort is. What is there to gain?"
This may all be about guerrilla marketing; an article in Reuters quotes former FBI agent Shawn Henry, who has joined CrowdStrike: ""Not only do we put out the fire, but we also look for the arsonist," said Shawn Henry, the former head of cybercrime investigations at the FBI who in April joined new cyber security company CrowdStrike, which aims to provide clients with a menu of active responses."
Let's give HBGary, the last word. I think their approach to Active Defense is a bit more sane. "Armed with advanced enterprise threat intelligence provided by Active Defense, organizations can quickly gather critical evidence to contain the threat, locate compromised machines, and assess damage. For example, one can use its IDS to detect additional infected machines, data exfiltration can be blocked at the egress firewall, and malware can be cut off from Command and Control servers."
Physical security, Amy Weber laptop stolen
WWE's Amy Weber had her laptop stolen, so she is preemptively posting naked pictures of herself, according to this article.
No, I am not going to go get the NSFW links for you, and we have to give her some credit: she must have had backups.
Judge OKs warrantless cameras on private property
Bit by bit the United States seems to be headed towards being a police state. So sad. Read the story here.
According to the CNET article, "That recommendation said that the DEA's warrantless surveillance did not violate the Fourth Amendment, which prohibits unreasonable searches and requires that warrants describe the place that's being searched."
COOP, NYC Data Centers
Slashdot has a nice, concise article on the fight to keep data centers running. Apparently after ConEd pulled the plug, they went to generators, which were located in the basements. Enter the record storm surge, and the generators drowned. They brought in alternate generators (that has to be a story all by itself, delivering industrial generators in a hurricane), and so now they are pumping their basements and trying to keep their generators fueled.
The Wall Street Journal blog, has a great photo of the Verizon basement and an in-depth story as well.
Verizon is continuing updates on their blog. This has a really cool picture of their 18 wheeler mobile communications center serving Nassau county.
My brain is screaming one thing over any other. SLAs. Gawker and the other web sites that went down, almost certainly had Service Level Agreements with the ISPs and data centers. Time for someone to write a check I suspect.
Wednesday, October 31, 2012
A binder full of security women executives
I just read a post on TechNet and it really reminded me of the "binder full of women" gaffe (by the way, I am non-political).
A quick excerpt from the blog post, the history of the founding of the Executive Women's Forum, now ten years old: "The prospect of finding a number of candidates to round out executive teams was a challenge too. In particular, Joyce was adamant that talented women existed for a spectrum of positions, while she also acknowledged that tracking down the talent and following the network wasn’t as easy as just going to security events."
Tuesday, October 30, 2012
Hurricane Sandy, physical security and rats
I just read that one of the side effects of Hurricane Sandy was that the rats and mice that were in the subway tunnels, basements and parking garages had to come to the surface to escape the flooding.
Now they will be looking for two things, food and shelter. The unlucky buildings that give them both will have new residents. There is a great introduction here about why they are such a problem and what to do about it. Here is a more comprehensive discussion. Most of this I knew, but this article claims they can consistently survive a fall of 50'. Since they are now above ground, and they are good climbers, hmmmmm, I have an idea for an Indie horror film.
WA National Guard
20 Critical Controls Reading List
Executive Summary:
The seminar papers required in your course of study are an opportunity for you to reflect on what you have learned so far in The SANS Technology Institute's ISE 5100 and ISM 5100. You should view this first paper as a chance to establish a general theme for your studies, consistent with the overall goals you enumerated in the outcomes statement you submitted as part of your admission application. Review your outcomes statement and, if necessary, update it to reflect any changes in your goals. (Updates should be submitted to info@sans.edu so that we always have your most recent version.)
Review the technical material in the SANS class, and especially the aspects regarding practical implementation of the technology. Review the 20 Critical Controls; your paper must include at least one aspect of the appropriate controls. We have provided a list of readings below, a mix of threats and solutions illustrating various aspects of the critical controls that mention recent security-related events. Choose to read the ones you feel might be relevant to your environment; you are welcome to use other sources as appropriate.
Your paper should discuss practical application of security technology in a context that is consistent with your stated outcomes. Your paper should also serve to increase the knowledge of security and implementation and should have at least five sources not listed below. Your paper should be five to ten pages in length and should be the beginning of your research for your monograph, part 4 of this course.
Learning Outcome:
The student will demonstrate mastery of the 20 Critical Controls as a framework to implement enterprise security.
Grading rubric:
Relation of paper subject matter to student outcome statement 10 possible
Relation of paper subject matter to at least one control 10 possible
Paper contributes to the body of knowledge 10 possible
Length of paper is between five and ten pages, 1 point per page
Writing quality ( grammar, spelling, flow) 10 possible
Critical Security Controls - Version 3.1
http://defense.aol.com/2012/10/08/dla-demands-chip-makers-tag-products-with-plant-dna-a-war-on-co/
Michael Baxter stole hardware from Verizon and Cisco http://www.theregister.co.uk/2012/10/05/sysadmin_jail_kit_theft/
Illegal imports of hardware to Russia http://news.cnet.com/8301-1009_3-57528353-83/worm-spreading-on-skype-im-installs-ransomware/
Downloading trojan (phone) http://www.h-online.com/security/news/item/French-hacker-captures-EUR500-000-with-smartphone-trojan-1734182.html
Mobile malware http://news.cnet.com/8301-1009_3-57532937-83/fbi-warns-users-of-mobile-malware/
Malware spreading through Skype - Ransomware http://news.cnet.com/8301-1009_3-57528353-83/worm-spreading-on-skype-im-installs-ransomware/
Microsoft report on root kits http://blogs.technet.com/b/security/archive/2012/10/19/new-mmpc-threat-report-on-rootkits-now-available.aspx
State-sponsored miniFlame http://www.wired.com/threatlevel/2012/10/miniflame-espionage-tool/all/
Sandboxing http://www.computerworld.com/s/article/9232562/Adobe_bolsters_Reader_Acrobat_XI_security?taxonomyId=17
Attributes of Malicious Files http://www.sans.org/reading_room/whitepapers/malicious/attributes-malicious-files_33979
Microsoft Report on Malware in Romania, Poland, Bulgaria http://blogs.technet.com/b/security/archive/2012/10/22/cyber-threats-in-the-european-union-first-half-2012.aspx
NIST Checklist http://www.itl.nist.gov/lab/bulletns/bltnmar03.htm
NIST Wireless Special Publication http://csrc.nist.gov/publications/nistpubs/800-153/sp800-153.pdf
One of the many Scott Moulton Youtube videos http://www.youtube.com/watch?v=Kx-D1nJcv0k
Netwars http://www.sans.org/cyber-ranges/netwars
Why certify? http://www.giac.org/certifications/why-certify
Admin privileges in Windows 8 http://www.forumswindows8.com/general-discussion/how-promote-administrative-privilege-windows-8-a-2214.htm
BYOD exposure http://news.cnet.com/8301-1009_3-57537298-83/some-android-apps-could-leak-personal-data-researchers-find/
Google in Europe http://www.bbc.co.uk/news/technology-19953241
New Zealand job seekers http://www.theregister.co.uk/2012/10/14/nz_mnd_leaks_data/
Ireland Domain Registry http://arstechnica.com/security/2012/10/irelands-domain-registry-suspends-some-operations-following-security-breach/
http://www.darkreading.com/database-security/167901020/security/attacks-breaches/240008928/florida-university-breach-exposes-data-on-279-000.html
Facebook response to data breach http://arstechnica.com/security/2012/10/facebook-tries-cloaking-probe-into-data-leak-involving-1-million-accounts/
Zappos unenforceable EULA http://boingboing.net/2012/10/31/zapposs-crappy-eula-found-un.html
Pacemaker attack http://www.computerworld.com/s/article/9232477/Pacemaker_hack_can_deliver_deadly_830_volt_jolt?taxonomyId=85
Letter to energy producers (Sen. Rockefeller) http://assets.nationaljournal.com/pdf/1209_ElectricLetterRockefeller.pdf
Secure OS for control systems http://www.eweek.com/security/kaspersky-lab-developing-secure-os-for-industrial-control-systems/
IPhone backup files. A penetration tester’s treasure trove? http://www.sans.org/reading_room/whitepapers/apple/iphone-backup-files-penetration-testers-treasure_33859
Systems Engineering: Required for Cost-Effective Development of Secure Products http://www.sans.org/reading_room/whitepapers/physcial/systems-engineering-required-cost-effective-development-secure-products_34000
Technology forces at work; not sure how cloud fits the 20 Critical Controls
Fault Modeling for Cloud Services http://blogs.technet.com/b/trustworthycomputing/archive/2012/10/11/fault-modeling-for-cloud-services.aspx
Cloud Security Alliance https://cloudsecurityalliance.org/csa-news/csa-releases-siem-guidance/
Google email under state sponsored attack http://www.nbcnews.com/technology/technolog/google-users-your-account-may-be-under-attack-6259428
Monday, October 29, 2012
My defibrillator has a virus and will not start
I met Tim Hoffman at the annual ISSA meeting and we were talking about the problem of malware on medical devices. There is a great article about that here.
I pointed out that the devices mostly worked anyway, and Tim wisely pointed out that if he is having a heart attack he doesn't want the defibrillator to mostly work. So true.
The article jumps straight to the heart of the problem, with an example from Beth Israel Deaconess Medical Center in Boston: "664 pieces of medical equipment are running on older Windows operating systems that manufacturers will not modify or allow the hospital to change—even to add antivirus software—because of disagreements over whether modifications could run afoul of U.S. Food and Drug Administration regulatory reviews."
Wednesday, October 3, 2012
SHA-3 is announced
NIST has chosen SHA-3 and announced it. As they put it in their announcement, one reason this is important is that if SHA-2 falls hard, we have an insurance policy. The algorithm is Keccak "(pronounced “catch-ack”)".
I commend the winners and look forward to playing with the new technology after the reference algorithm is published.
One of the things I am most excited about is to see how deterministic it is. We know that two different messages produce, with overwhelming probability, different digests, but if they are very similar, will the digests be similar? There are some interesting security implications, including finding modified copies of copyrighted documents, if the digest allowed similar documents to produce similar digests. That said, a cryptographic hash is built to do the opposite: the avalanche property means that flipping a single input bit changes, on average, about half of the output bits, so near-identical documents yield unrelated digests. Finding modified copies is the job of similarity hashes such as ssdeep, which hash a document in pieces, not of SHA-3.
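The following Python script is an added example, not code from the original post or from NIST's announcement. It uses the standard library's hashlib.sha3_256 (available since Python 3.6) on two constructed documents that differ by one character, counts how many digest bits differ, measures the average avalanche effect across every single-bit flip of the input, and contrasts that with a toy piecewise-chunk similarity score of the kind similarity hashes are built on. The sample documents, the 8-byte chunk size and the Jaccard scoring are assumptions made for the demonstration.

```python
import hashlib

# Constructed sample inputs (not from the original post): two documents
# that differ in exactly one character, at byte offset 40.
DOC_A = b"The quick brown fox jumps over the lazy dog."
DOC_B = b"The quick brown fox jumps over the lazy cog."


def sha3_256_hex(data: bytes) -> str:
    """SHA3-256 (Keccak with the NIST parameters) from the standard library."""
    return hashlib.sha3_256(data).hexdigest()


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def digest_bit_distance(m1: bytes, m2: bytes) -> int:
    """How many of the 256 digest bits differ between the hashes of m1 and m2."""
    return hamming_distance(hashlib.sha3_256(m1).digest(),
                            hashlib.sha3_256(m2).digest())


def avalanche_for_bit(message: bytes, bit_index: int) -> int:
    """Flip one input bit and return how many digest bits change as a result."""
    flipped = bytearray(message)
    flipped[bit_index // 8] ^= 1 << (bit_index % 8)
    return digest_bit_distance(message, bytes(flipped))


def mean_avalanche(message: bytes) -> float:
    """Average digest-bit change over every possible single-bit flip of message.
    For a well-behaved hash this sits close to 128 (half of 256)."""
    nbits = len(message) * 8
    return sum(avalanche_for_bit(message, i) for i in range(nbits)) / nbits


def chunk_digest_set(data: bytes, size: int = 8) -> set:
    """Toy piecewise hashing (assumption: fixed 8-byte chunks): hash each
    chunk independently so a local edit only disturbs one chunk.  Real
    similarity hashes such as ssdeep choose content-triggered boundaries;
    this is not a cryptographic hash of the document."""
    return {hashlib.sha3_256(data[i:i + size]).digest()
            for i in range(0, len(data), size)}


def chunk_similarity(a: bytes, b: bytes, size: int = 8) -> float:
    """Jaccard similarity of the two chunk-digest sets, 0.0 .. 1.0."""
    sa, sb = chunk_digest_set(a, size), chunk_digest_set(b, size)
    return len(sa & sb) / len(sa | sb)


if __name__ == "__main__":
    print("SHA3-256(A):", sha3_256_hex(DOC_A))
    print("SHA3-256(B):", sha3_256_hex(DOC_B))
    print("digest bits differing for a one-character edit:",
          digest_bit_distance(DOC_A, DOC_B))
    print("mean digest bits changed per single input-bit flip:",
          round(mean_avalanche(DOC_A), 1))
    print("piecewise-chunk similarity of A and B:",
          round(chunk_similarity(DOC_A, DOC_B), 3))
```

Run it and the two full digests share nothing recognisable, with roughly half of their bits differing, while the chunked score still reports the documents as mostly the same because only the final chunk changed.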
VOIP in the cloud
I was updating my course, MGT 512 day 1, and there is a section on VOIP. I did some Google searches to see what is new for VOIP and just was not finding anything; then I found a page that pointed to YouTube videos.
What an incredible resource. There was a great explanation of SIP trunking that any CIO of a mid-size business should see. The potential cost savings are impressive.
But the big eye opener is how many VOIP cloud providers have sprung up. This could really save a startup company a lot of money: just buy the IP phones, or even use software phones that run on PCs, Macs, iPads and the like. In just a decade, the sunk cost of hardware for voice communications has dropped by an overwhelming amount. Most of these solutions do want a monthly subscription per user, but I bet with some research it gets pretty cheap.