Planet Security

Digg.com Security - 10 IT security companies to watch

If there's a common theme among most of these vendors, as with 2007’s top 10, it's that trusted personal relationships forged in universities, business and the military played an essential role in inspiring their founders and convincing employees to join them.

Fergie's Tech Blog - UK: BNP Wants Police Probe After Membership List Published

Gavin Cordon writes on The Independent UK:

The far-right British National Party has demanded a police investigation after a full list of party members was posted on the internet.

The party said in a statement posted on its website that the list with the names, addresses and contact details of more than 12,000 individuals was "essentially genuine".

The list, which includes details of the jobs and in some cases the hobbies and qualifications of the members, claims to include former police officers as well as members of the armed forces.

BNP leader Nick Griffin said: "We'll be asking the police to investigate. It's a list which is now just over a year old.

"Having spent a lot of money to secure our members' privacy we are disappointed that it's been breached."

More here.

The Guardian - Security RSS - BNP membership list posted online by former 'hardliner'

The entire membership list of the British National party has been posted on the internet, identifying thousands of people as secret supporters of the far right and exposing many to the risk of dismissal from work, disciplinary action or vilification.

The BNP leader, Nick Griffin, claimed today that he knew the identity of the person who published the list, describing him as a "hardliner" senior employee who left the party last year.

"He didn't like the direction the party was going and broke away, taking the list with him," Griffin told BBC Radio 4's Today programme.

Around 13,500 names and home addresses were posted on a website on Monday evening.

As well as names and addresses, the list includes the home and mobile phone numbers and personal email addresses of BNP members. It is thought the list may include lapsed members of the party and the names and addresses of people who have expressed an interest in joining the party, but have not signed up. Many of the members' occupations are listed, revealing a small number of police, two solicitors, four ministers of religion, at least one doctor and a number of primary and secondary school teachers.

The list was removed from an internet blog today after complaints by the far right group.

A BNP spokesman, Simon Darby, said: "If we find out the name of the person who published this list it will turn out to be one of the most foolish things they have done in their life." Griffin insisted this did not represent a threat of violence but the reality that the person faced prison for breaching a high court injunction. The BNP leader admitted the party was relying on the Human Rights Act, based on EU legislation, which it opposes, to try to protect the privacy of its members.

He said he had no problem with publication of members' occupations but listing their names and addresses represented "a nasty piece of intimidation on behalf of the Labour regime".

However, Griffin welcomed the publicity the story had garnered for the party, saying the list showed the perception of the average BNP member as a "skinhead oik" was "simply not true".

Last night, Darby said the police had been called in to investigate the data security breach. Describing the posting as "malevolent and spiteful", he said: "This isn't a question of us mislaying the information, this is theft."

The BNP list includes the names and ages of children who have become members of the party after a parent has taken out a family membership, and several people who have joined the party at the age of 16.

Against the name of a woman said to be a serving police officer and living on the Wirral, Merseyside, is the note: "Discretion required re employment concerns - police officer", along with the names and ages of a number of her children.

Other notes against the names of individuals include: "Discretion requested (employment concerns), government employee, IT consultant" and "activist (discretion requested), teacher (secondary school)".

The BNP is known to go to considerable lengths to conceal the identities of members. Membership lists are held on computer spreadsheets, usually by an official based in York. He sends limited lists to local organisers as encrypted attachments to emails that can be accessed only by officials who have been given a password.

The BNP conceded that very few people would have had access to its full membership list. The party said the list was not up to date, featuring no members who had signed up since late 2007, and included the names of people who had never been members of the party. The party said it had obtained an injunction this year at the high court in Manchester to prevent the misuse of its membership list.

Griffin confirmed on the party's website that much of the list was genuine, and that it contained data stored at some point between November 30 and December 2 2007. "This latest attack is not really directed against our own people, who are already tough-minded and know that nothing ever comes of this sort of bluster, so much as against the thousands of [members of the UK Independence party] who are thinking of joining us.

"It probably will frighten some of them, but it's water off a duck's back to the stout hearts of the British National party."

Last night, internet chat rooms frequented by British supporters of the far right were buzzing with anger, indignation and considerable alarm. One typical posting said: "The most shocking thing is some of the comments by the names! God help anyone who is in the army, the prison service, health care, a police officer or a teacher."

It is thought the information commissioner, who enforces the Data Protection Act, may investigate the matter, looking not only at the posting of the list but at the amount of information the BNP has been storing about its members.

A spokesperson for the Information Commissioner's Office said: "Following media reports that the personal details of BNP members have been incorrectly disclosed, we will be contacting the party to establish the full facts. We will then decide what action, if any, is appropriate.

"We encourage all organisations to alert the Information Commissioner's Office if they discover a security breach has occurred."

The membership list reveals that the BNP has a handful of members in Australia, one in Oman and around 17 living in the United States. Some of the members' hobbies are listed. One gives her occupation as "holistic therapist" and her pastimes as "metaphysics, cartoon drawing". Another lists his hobbies as "fantail doves, koi carp, gardening".

There are one or two insights into reasons that people have left the party. Against the name of one lapsed member from Gillingham, Kent, is the note: "Objects to being told he shouldn't wear a bomber jacket."

• Additional reporting Duncan Campbell and Paul Lewis


Darknet Hackers - Dshocker AKA Aush0k Hacker Pleads Guilty to Computer Felonies

Another teen hacker in the news, this guy looks like he has some formidable skills though with the list of crimes he’s perpetrated. He’s pleaded guilty though, so he should get a reduced sentence and he’s still classified as a juvenile offender being only 17 - so that works in his favour too. A juvenile hacker with [...]

Read the full post at darknet.org.uk

Fergie's Tech Blog - Wiretapping in Russia (Too)

Robert Amsterdam:

It is not just an American problem... the following exclusive translation from News.ru reports that the Ministry of Information has announced that all telephone and internet service providers must allow unrestricted wiretapping and monitoring access for the FSB, despite the constitutional requirement of a court order.

We know from experience that this system has been in place for several years, but it is just now that the Ministry is making it publicly known.

Much more here.

Hat-tip: Global Voices

Note: Yes, I realize that this blog post is from March 2008, but since I just came across it, it's news to me (well not really, but you get my meaning...) -ferg

Fergie's Tech Blog - Jailed Russian Ex-Diplomat Leaves U.S. for Moscow

Vladimir Kuznetsov

Via RIA Novosti.

A former Russian UN official, sentenced by a U.S. court to four years and three months in prison on money laundering charges, has left for Moscow after being handed over to Russian officials.

Kuznetsov, 50, who worked for the United Nations Advisory Committee on Administrative and Budgetary Questions, was arrested in September 2005 after borrowing $300,000 from a Russian colleague. U.S. investigators said that he was aware the funds had been acquired by criminal means.

The Russian held diplomatic immunity as a UN employee, but the status was revoked by Kofi Annan, the then-secretary general, paving the way for the FBI to arrest him.

The ex-diplomat was sentenced in October of 2007 by a U.S. district court, and was also ordered to pay a total of $73,000 in fines.

More here.

Fergie's Tech Blog - Economic Bust, Cybercrime Boom

Andy Greenberg writes on Forbes.com:

The first ripples of a growing wave of cybercrime may be appearing.

In the physical world, the connection between declining business and crime is simple enough: As the above-ground economy suffers, the underground economy swells. The connection between economic trouble and cybercrime is trickier to prove. But as the economy slows, some crime watchers see signs that a portion of newly unemployed skilled tech workers are turning to the theft and exploitation of sensitive data even as the existing cybercriminal economy is finding new ways to exploit consumer confusion around the banking meltdown.

Meanwhile data on industry spending for security suggests that companies are preparing for the worst. Fear about the downturn's consequences for data protection has kept the cybersecurity industry practically recession-proof, even as other IT spending slumps.

More here.

Digital SoapBox - CSI Conference 2008 - Notes

Hey folks, in my other blog I published an entry of notes from the App Sec Summit, CSI Annual Conference here in Washington, DC.

Please give it a read, as it's a lot simpler to cross-post a link rather than re-writing the blog entry all over again.

Check it out!
http://www.communities.hp.com/securitysoftware/blogs/rafal/archive/2008/11/19/csi-annual-conference-take-aways-on-web-app-security.aspx

WifiNetNews - Wee-Fi: News from Meraki, Violet, Qualcomm

Meraki offers wall plug, solar unit, apartment package: Meraki has added two products to its line up. A wall plug ($179) can be screwed into an outlet's center screw hole for theft prevention and stability, perfect for hotels and public venues. The long-awaited solar product is nearly ready, with a 4-December ship date ($749 with no solar panel up to $1,499 with highest-end panel).

Meraki switched battery technology to lithium iron-phosphate during the year-long delay, partly due to an increase in cost and shortage in solar panels. Meraki's also got a new bundle: $5,000 for a set of nodes designed to cover an apartment building.

Over at Ars Technica, I wrote a long recap of the state of municipal Wi-Fi, noting that Meraki seems to be on the winning side of the equation with its start-small approach. A number of municipal wireless projects (not all Wi-Fi) are getting rave reviews. We may be over the hump: applications (purposes as it were) are now driving network building rather than networks seeking reasons to be.

Violet prepares to ship an RFID tag reader, Mir:ror: The new device plugs in via USB to a computer and can read standard RFID tags, as well as new ones offered by the company. Some of Violet's tags look like postage stamps and are adhesive; others, like tiny versions of their Nabaztag/tag bunny. It's weird, but interesting, like all their stuff.

Qualcomm brings in Skyhook's Wi-Fi positioning: Qualcomm becomes the latest GPS giant to add Skyhook Wireless's technology to their platform. The gpsOne system, found in 400 million cell phones, will be enhanced in future versions with an option for Skyhook data to assist and integrate with GPS lookups. Qualcomm's sold so many chipsets due to E911 requirements for location finding.


ImperViews - Welcome to the Application Data Security Neighborhood

I've been intending to get back on the regular blogging train for a while, but some events from today kick-started my immediate return to the blog.  I will apologize up front for the product / marketing orientation of this entry, but I...
In the intervening years, we've learned a lot about end-to-end security and added multiple features and capabilities to our full-stack architecture.  Unlike what seems to be a key limitation of the F5/Secerno solution - the ability to only track suspicious events - SecureSphere can provide full visibility into data usage via an application for every transaction.  We call this Web to Database User Tracking and it's a part of our broader Universal User Tracking technology.

I do think F5 and Secerno are on the right track (and having been on that track for 4+ years with Imperva, I think I know a little about where they are headed).  And it is gratifying to see the industry really starting to adopt the vision that we at Imperva laid out 4 years ago (for another example, check out the SANS Top 20 report from the end of 2007: http://www.sans.org/top20/#s7).

So I guess I'll use today's announcement as an opportunity to welcome the new guys to the neighborhood...

CIO News Alerts - Asustek to Launch iMac Rival in Taipei on Thursday

Asustek Computer plans to launch an all-in-one PC built into a monitor designed to rival Apple's iMac on Thursday at a news conference in Taipei, according to a company e-mail.

CIO News Alerts - Sun Adds Query Analysis Tool to MySQL Enterprise

Sun has upgraded MySQL Enterprise, its subscription-based service for the open-source MySQL database, adding access to a query analysis tool for tracking and fixing problematic code and performance issues.

CIO News Alerts - Baidu Blasted Over Medical Paid-Search Results

Chinese Internet search leader Baidu.com has removed paid search listings for medical and pharmaceutical customers that do not hold proper licenses for their products or services after a state-owned TV news program condemned the practice.

CIO News Alerts - Microsoft Subscription Computing Targets 20 Million

A Microsoft program aimed at making PCs and Internet computing more affordable through monthly payments will deliver 20 million new desktops and laptops over the next few years to people who may not otherwise have been able to afford them, an executive said.

ItoolBox Whitepaper Network and Infrastructure - 2008 IT Salary and Skills Report

Gain insight from over 7,000 IT professionals on topics such as compensation, job satisfaction, certifications, and why they seek training. Learn the top paying industries, job functions, and certifications as they relate to IT.

Will Cox: Security - Pirate Gold

The Somali pirates who have been very active in recent months have been asking for dollars, not gold.

Moneychangers offer wads of new US dollar notes, the only currency that matters in a country that has been in chaos for almost two decades.

The world’s reserve currency indeed.

1raindrop - The Economics of Finding and Fixing Vulnerabilities in Distributed Systems

The Economics of Finding and Fixing Vulnerabilities in Distributed Systems 
Quality of Protection Keynote
Alexandria, VA
October 27, 2008

Gunnar Peterson
Managing Principal, Arctec Group
Blog: http://1raindrop.typepad.com

When Andy Ozment asked me over the summer to do this talk at QoP, I knew back in August that the topic I wanted to address was security and economics. So to that end I would like to start by thanking all of our friends on Wall Street and here in Washington DC for providing such a rich tapestry of recent events that I can speak to.

Like many people in this industry, my focus on security was fundamentally altered by Dan Geer's speech "Risk Management is Where the Money Is" [1]. There are not many people who can call a ten-year shot in the technology business, but Dan Geer did. The talk revolutionized the security industry. Since that speech, the security market, the vendors, the consultants, and everyone else have realized that security is really about risk management.

Of course, saying that you are managing risk and actually managing risk are two different things. Warren Buffett started off his 2007 shareholder letter [2] talking about financial institutions' ability to deal with the subprime mess in the housing market saying, "You don't know who is swimming naked until the tide goes out." In our world, we don't know whose systems are running naked, with no controls, until they are attacked. Of course, by then it is too late.

So the security industry understands enough about risk management that the language of risk has permeated almost every product, presentation, and security project for the last ten years. However, a friend of mine who works at a bank recently attended a workshop on security metrics, and came away with the following observation - "All these people are talking about risk, but they don't have any assets." You can't do risk management if you don't know your assets.

Risk management requires that you know your assets, that on some level you understand the vulnerabilities surrounding your assets, the threats against those, and efficacy of the countermeasures you would like to use to separate the threat from the asset. But it starts with assets. Unfortunately, in the digital world these turn out to be devilishly hard to identify and value.

Recent events have taught us again that in the financial world, Warren Buffett has few peers as a risk manager. I would like to take the first two parts of this talk to look at his career as a way to understand risk management and what we can infer for our digital assets.

Warren Buffett's evolution as an investor can be broken up into two parts. He began his career very much influenced by Ben Graham, who sought to buy "cheap stocks", comparing the price of the stock to value of the company's assets, and placing many, diversified bets on companies whose share price was below the total assets. Note that the businesses may have been of unremarkable quality, but when the price was right Graham would buy in, wait for it to rise and then sell. This was the dawn of value investing.

Buffett's later career departed from Graham's strict statistical measures: he sought to buy into companies that were selling at a fair price but were also high-quality businesses. We will examine high quality in Part 2 of this talk, but first we go to Part 1, which is asset value.

Why does a talk on finding and fixing vulnerabilities start with valuing assets? The reason is that vulnerabilities are everywhere, we are literally marinating in them. Interesting vulnerabilities are attached to high value assets. In a world that quite literally presents us with too much information, we need screens to sift out what is worth paying attention to.  You can run your vulnerability assessment tool of choice on your system, and come back with hundreds or thousands of vulnerabilities, but which ones should you pay attention to and act on? The first part of answering this question is asset value.

When Warren Buffett was 19 years old studying at the University of Nebraska, he read Ben Graham's book "The Intelligent Investor", Buffett said he thought it was the best book on investing he has ever read and still feels that way today. In the Intelligent Investor Graham lays out the framework of value investing. Specifically, Graham talks about three concepts - Mr. Market, a stock is a piece of a business, and Margin of Safety.

Mr. Market is a fictional teaching device invented by Graham. You imagine that you have a somewhat manic-depressive business partner called Mr. Market. Every day, Mr. Market comes into the office and offers you quotes on companies; some days he is in a good mood and the prices are high, other days he is gloomy and prices are low. The market is a quote machine, for quoting prices, not a value assessment machine. Your job is to wait for the right price, and you are free to take as many passes and be as patient as you would like; Mr. Market will just show up the next day and throw out a new price.

Graham used Mr. Market to teach us the separation between a price of a stock, and the value of a company. The second big concept from Intelligent Investor is that buying a stock is buying a small piece of the underlying business. You are not buying a roulette chip, or a number that fluctuates in the newspaper every day, rather you are buying a piece of the company's existing and future cash flow. What the stock market says General Electric is worth yesterday, today or tomorrow is separate from GE's actual ability to generate cash flow.

The last big concept in "The Intelligent Investor", and the one seemingly most applicable to information security, is the Margin of Safety. Graham's margin of safety involved calculating the intrinsic value of a business and then buying stock where the market cap of a company is less than its intrinsic value. So if a company has $100 million in assets and a market capitalization of $75 million, then an investor would get a 25% margin of safety. Ideally, Graham wanted to buy stocks that were selling for one half of their book value, i.e. with a 50% margin of safety. Graham said that buying stocks without a margin of safety, above their book value, was speculation, not investing.

So price is readily available, but how do we calculate intrinsic value so that we can ascertain the margin of safety? Graham used quantitative statistical measures, relying heavily on the company's book value, like its hard assets. What would it take for a competitor to reproduce the company's assets - its factories, distribution system, and so on. The difference between the book value of the assets and market cap is the margin of safety.

What can we learn in information security from this quantitative approach? Where price and value are readily ascertainable, we should build countermeasures and eliminate vulnerabilities so that our assets have a wide margin of safety. Since budgets are not unlimited, we should prefer vulnerabilities that are cheap to find and cheap to fix.

First, to the asset question. Information security budgets, like all IT budgets, are crufty: they are not a reflection of today's top issues and priorities so much as an accumulating snowball of decisions, legacy contracts, and solution attempts to yesteryear's problems. Today the normal information security budget is just a legacy artifact from bygone years when the network was the purported greatest vulnerability. If you were around in 1995, you remember the great gnashing of gears as enterprises opened up their networks, connected their back ends to the Web and began to transact business in the giant virtual space.

The security people huffed and puffed that it was dangerous, but there was simply too much money to be made, so businesses went ahead. The security people would not go down without a fight and insisted on countermeasures. They got two: the network firewall and SSL. The firewall was used to separate the average Fortune 500's network of hundreds of thousands of machines, employees, consultants, and partners from the web at large. SSL was used to protect the network channel between the web server and the client browser. So the network firewall separated the network segments, and SSL in effect encrypted the last mile of many millions of complex transactions and computations.

In 1995, this seemed like a good security architecture. When we built out these security architectures, the eCommerce market was derided as a toy. Amazon famously lost money for years, losing a little on every transaction but making it up in volume. When the market is nascent, a quaint security architecture offers cost-effective protection. But what about 2008? Those cute little eCommerce buggers have grown; they even make profits now, with market caps measured in the tens of billions, large accumulated cash hoards and no debt, and the largest ones are in better financial shape than the financial services players that kicked sand in their faces in the dotcom era.

And it's not just eCommerce; the "real" economy Fortune 500 types are all connected as well. Directly and indirectly the Web is seeping into all businesses. These are major changes from when the security architecture of the web was built out. But has the security architecture changed to reflect these new business realities? Not a bit of it!

We can use the book value of the IT budget investments and the book value of the Information Security investments to see what kind of Margins of Safety Information Security groups are engineering.

Let's look at some market data. Gary McGraw reviewed the numbers [2] in software security for 2007, breaking down software security sectors like tools and services. Here is a summary of his findings on software security tools:

"One of the most important developments in the software security market can be seen in the tools space which, combined, almost doubled to $150-180 million. Top of list are two major acquisitions that closed in 2007: Watchfire's purchase by IBM (somewhere in the range of $120-150 million on 2006 revenue of $26 million) and SPI Dynamics's purchase by HP (for around $100 million on 2006 revenue of $21.2 million).

...

The black box space was flat in 2007, with IBM/Watchfire checking in at $24.1 million and HP/SPI Dynamics earning $22.3 million. Smaller companies in the space, including Cenzic, Codenomicon, WhiteHat and the like had combined revenues around $12.5 million (a growth of 25%, though Cenzic grew 16% and WhiteHat 52%). Most of the growth "hiccup" in the black box market can be attributed to the serious challenges posed by any acquisition. So far 2008 looks to be back on track from a growth perspective in the black box testing space. The global reach that IBM and HP offer are already making a big difference.


On a more positive note, static analysis tools for code review grew at a healthy clip in 2007 into a $91.9 million dollar market. Fortify was up 83% to $29.2 million. Klocwork grew over 60% to $26 million. Coverity grew over 50% to $27.2 million. Ounce Labs tripled their revenue to $9.5 million."

These are very nice growth numbers; what company doesn't want 83% growth? However, let's look at the total picture and compare the software security countermeasures against other security mechanisms. Gary McGraw's estimate shows the software security space coming in at $150 million total, yet we see a company like Checkpoint, which won the network security war in 1995, with earnings of around $900 million! One single network security vendor is six times bigger than the entire software security space; in what alternate universe does this make sense?

This is where we begin to see that decisions in the People's Republic of Information Security have no real risk management thinking, they truly are swimming naked and hoping the tide doesn't go out.

Let's look at network assets. Obviously Cisco is the biggest; they earned $39.5 billion last year. Pretty stellar. So spending $900 million (Checkpoint) to defend $39.5 billion seems like a pretty good deal.

Except, let's compare software security spending - last year Microsoft earned $60 Billion, SAP $16 billion, and Oracle $22 Billion. So that is about $98 Billion in just three vendors and you are going to "defend" that with allocating $150 Million worth of software security tools?

On the network side we are buying $900 million of security countermeasures (Checkpoint firewalls) to protect $39.5 billion worth of Cisco gear, about 2.3% of the network investment goes to security.

On the software side, we are buying $150 million of security countermeasures (like static analysis and black box scanners) to protect $98 billion of software (you know the stuff that runs the whole business), roughly coming to about 0.2% of the software budget goes to security.

This is very disturbing. From a prioritization standpoint The People's Republic of Information Security is misaligned by an order of magnitude at least. Next time you read about a data breach, or see an auditor's report with thousands of findings you won't have to wonder how it happened. It happened because Information Security doesn't have its eye on the ball, it invests in network security not because those controls have greater efficacy (the whole point of networks is they are dumb), no, they invest in network firewalls because they bought a bunch in 1995, some more in 1998, and heck they just kept buying them, the Checkpoint rep kept showing up and taking CISOs out to play golf, contracts got renewed, and poof - there goes the security budget.

Consider that software security tools could grow 50% a year for four years and still not reach where Checkpoint is today.

The optimistic way of looking at all this data is that there is major room for growth for software security. If you take network security as a target for a mature industry and assume that 2.3% is a reasonable margin of safety, then the software security space should evolve to around 2% of the software space, meaning that it should grow into a roughly $2 billion space, some thirteen times larger than it is today. Unprotected assets will either be protected or will cease to be assets. VCs, get your check books ready.

My friend Brian Chess has a nice way of looking at this he says 2007 was the turning point - "the first year there was a bigger market for products that help you get code right than there was for products that help you demonstrate a problem exists."

Now I am not suggesting that Information Security budgets have to be aligned with IT budget one for one, but I do think that looking at the overall IT budget is the starting point. If Information Security has a more cost effective security mechanism they should deploy it, but the starting point should be aligned to the business. Businesses spend most of their money on software, and there are very good reasons - competitive advantage, increased revenues and lower costs. Information Security spends most of its money on network security, and there is no good reason why, except that it was a seemingly good idea in 1995. You really don't have to go beyond the book value of IT investment as a whole versus Information Security to see a stunning disparity. Information Security's job is to deliver a Margin of Safety to the business, but they are not. 

To deliver a real Margin of Safety to the business, I propose the following based on a defense in depth mindset. Break the IT budget into the following categories:

- Network: all the resources invested in Cisco, network admins, etc.
- Host: all the resources invested in Unix, Windows, sys admins, etc.
- Applications: all the resources invested in developers, CRM, ERP, etc.
- Data: all the resources invested in databases, DBAs, etc.

Tally up each layer. If you are like most businesses, you will probably find that you spend most on Applications, then Data, then Host, then Network.

Then do the same exercise for the Information Security budget:

- Network: all the resources invested in network firewalls, firewall admins, etc.
- Host: all the resources invested in Vulnerability management, patching, etc.
- Applications: all the resources invested in static analysis, black box scanning etc.
- Data: all the resources invested in database encryption, database monitoring, etc.

Again, tally up each layer. If you are like most businesses you will find that you spend most on Network, then Host, then Applications, then Data. Congratulations, Information Security, you are diametrically opposed to the business!

It's not just alignment for alignment's sake; it's about placing controls so that the Margin of Safety sits where the value is, so that when, not if, there is a failure on a higher value asset you are relatively better positioned to deal with it.

The pure statistical approach can only take us so far. Buffett said he would be a lot poorer if all he did was listen to Ben Graham. Book value is great to see the diametric opposition mentioned above, but it doesn't really tell us much about the efficacy of the security mechanisms.

What we do get out of this statistical approach is a screen. The asset value screen filters out subjective opinion and narrows the field for where we need to dig in to do the high value, time consuming analytical work.

The second part of Warren Buffett's career and the second part of this talk leave behind pure statistical measures. In Warren Buffett's case he was joined by a guy named Charlie Munger who talked him out of the pure Ben Graham approach. Charlie Munger has a saying: "a great business at a fair price beats a fair business at a great price." Where Graham was focused on price and margin of safety, Munger wants a fair price but also a high quality business. This led to Warren Buffett's company Berkshire Hathaway investing in companies like Coca Cola, Wells Fargo, and American Express, where the prices were far from dirt cheap (as Graham would have wanted), but the long term returns were outstanding.

In our world of Information Security, we start by aligning our priorities with the business using the thumbnail defense in depth approach, but then we would like to invest in high quality, effective controls.

To get at the notion of control quality and effectiveness, I am going to start part 2 of this talk with a brief history of software. The first web software was just static HTML, but web software really got interesting when developers started creating dynamic websites using CGI and PERL.

Once websites were hooked up to company databases and were not just serving static content, the security people realized they needed a security architecture, and they sprang into action. What they came up with was a model that divided the world into "good stuff", which comprised all their networks, systems, and data, and everything else, the "bad stuff" on the Internet. So job one of the early Internet security architecture was to separate all your good stuff (i.e. your network) from the bad stuff (the Internet). To do this the security people used a sophisticated tool called Visio to draw a flaming brick wall on the network diagram, and this flaming brick wall was supposed to keep the good stuff and the bad stuff separate.

The security people also realized that the data and session tokens that they served up from their Web server would have to traverse the "bad" neighborhood called the Internet, so they added one more security mechanism to secure the last mile of the transaction - SSL between the browser and the Web server.

And this was the state of the art security architecture used circa 1995 to protect the earliest dynamic web applications.

What happened next was that the dotcom boom started to happen and businesses realized they could make some real money on the Web, so the web apps started to get more sophisticated: more personalization, richer session experiences and so on. This led the Java people to create JSP and the Microsoft people to create ASP, and of course the PERL people to create even greasier PERL scripts, all in an effort to pool resources and sessions on the Web server. The security people defended this new application programming model with a network firewall and SSL.

Around 1998, developers began building out more distributed N tier or 3 tier applications that separated the business logic layer, the presentation layer and the data access layer. Among other things, your web application could seamlessly integrate data from multiple back-end systems. Let's say you have pricing data in Oracle, order data in SAP, and customer data in a Mainframe. You write separate data access objects, apply business logic in the middle tier and then you tie it all together in a friendly user interface. At this point the web applications are beginning to integrate across departments and geographic boundaries; huge critical chunks of the business are now connected to the web. How did the security people defend this part of the business? They applied the same 1995 security architecture: network firewall and SSL.

In the 1999-2000 timeframe businesses relied on web applications for major parts of their revenue, and the apps were built in different technologies like Java and Microsoft technologies, but the customer didn't care (and still doesn't); the customer wanted (and still wants) data access and functionality. So to integrate the disparate technologies, SOAP and XML were deployed so that Microsoft could talk to Java, WebSphere could talk to WebLogic, and so on. And, oh yes, SOAP and XML were used to connect B2B networks so partners in a supply chain and business process could exchange data and interoperate. SOAP and XML present a fundamentally new programming model based on message/document style integration, where XML is used to mesh together data and functionality across platforms. SOAP and XML have no security model by default for authentication, authorization, or confidentiality. How did the security people deal with this? They kept the security architecture the same as they had in 1995: network firewalls and SSL.

The software world did not stop innovating in 2000 of course, in the last few years we have seen Web services and XML form the basis of baroque and powerful SOAs and simple REST applications. We have seen Web 2.0 come on the scene, and entirely new networked applications built on top of that.

What we have not seen is a single meaningful change in security architecture in 13 years. Developers have evolved, businesses have increasingly bet their entire business models on the web and they have increased security budgets. But what has the security architecture as it's deployed in the field got to show for all of this? More firewalls and more SSL connections.

Since Information Security has proven incapable of evolving, it is time to learn from a discipline that has mastered innovation: software development. And yes, I will step back in case the lightning bolt hits.

What does software development focus on these days? Well, let's look at Service Oriented Architecture (SOA). All hype aside, I look at SOA as a set of technologies that delivers three things:

Virtualization: we want Beijing, Bangalore and Boston to communicate.

Interoperability: we want our .Net stuff to talk to our java stuff.

Reusability: how many order/claim/pricing/customer systems does one company need?

To build out their SOA, developers separated the application interface from its implementation. So you can host the interface in a variety of locations, but it's separate from the application logic and data.

This is also a useful trick for putting services like SOAP through the firewall; SOAP was designed as a firewall friendly protocol. When SOAP first came out, Bruce Schneier said calling SOAP a firewall friendly protocol is like having a skull friendly bullet. That is a great line, and it explains why his books fly off the shelves; it does not explain why security people think an architecture designed in 1995 is the one we should be using today. Maybe the problem is not that the developers figured out how to go through the firewall to get the data their customers want; maybe the problem is that the firewall is the sum total of the security architecture, and it never adapted.

A big part of this problem is that we have left Newton's world behind and entered Einstein's universe. Mainframes are Newton's world: we have THE computer, THE price, THE record and so on.

As Pat Helland explained [4,5], mainframes are Newton's world, but distributed computing is Einstein's world. More specifically, in the Einstein world of distributed computing, "Computers don't make decisions, computers try to make decisions." Our computers don't really make a decision; they say you can buy this book from Amazon at this price, we have it in stock and will deliver on such and such a date. But the warehouse runs out, the pallet gets dropped in the warehouse, your book is crushed, and the package is stolen off your front step. The computer confirmed your transaction, but the real world intervened.

So we don't have iron clad decisions; instead it's all about Memories (last time I checked your book was in stock), Guesses (we should be able to ship on this date) and Apologies (sorry, the forklift ran over your book).

Translating this into security: security mechanisms don't make policy-based decisions, security mechanisms try to make policy-based decisions.

Some examples of memories, guesses and apologies in security

Memories
Security Policies - for example Triple A policy
Triple A policies can memorize a map of subjects, objects, and roles. They can even replicate these memories and play them back at runtime to try to make policy enforcement decisions.

Guesses
Security Policy Enforcement Decision
Unfortunately, while the policy enforcement decision can be based on memorized logic, the decision itself is still a guess, even in the case of Triple A. Any guesses why? Because the authentication process itself is a guess. It happens to be a guess that you then bind to a principal, so it looks very official once you bind your guess to a Kerberos ticket or SAML assertion, but it is still a guess.

Apologies
Giant Global Bank is sorry your account was compromised!
And this leads to lots and lots of apologies by companies with poor access control models.

Some additional examples of information security memories, guesses and apologies.

Example Memories - Triple A Security Policies, Audit logs, User account information, Authorization Logic (concrete mapping of Subject, Resource, Condition, Action)

Example Guesses - Security Policy Enforcement Decision Points, Authentication Logic, Monitoring, detection, fraud response

Example Apologies - Identity Management tools - provisioning, deprovisioning, Reimburse customer for fraud losses, Compensating Transaction - Giant Global Bank is still sorry your account was compromised!

The point of this is that security memories, guesses and apologies utilize different processes, different people, and different capabilities to be effective.

What trends can we identify to lead us toward better qualitative analysis, based on the best practices of virtualization, interoperability and reusability?

Virtualization
Finding Vulnerabilities in a Virtualized World is a problem because applications are more configured than coded. Runtime behavior and structure are not apparent due to weak typing and inversion of control.

Result - finding bugs becomes harder. Action - use screens to target finding time and resources

Fixing Vulnerabilities in a Virtualized World is a problem because how do I locate the controls when interfaces run in Beijing, Bangalore and Boston?

Result - synchronization and/or replication of security policy is problematic. Action - decentralized policy enforcement points and policy decision points.  

Interoperability
Finding interoperable vulnerabilities
XSS - Javascript is an equal opportunity offender - interoperability for developers and attackers alike.

Fixing interoperable vulnerabilities
App servers, ESBs, and services are the attacker’s red carpet to your enterprise, right into your book of business. Interoperable access control can be leveraged across the enterprise.

Use XML Signature for integrity and origin authentication. The ds:Reference must point at the wsu:Id of the element the service actually consumes (here the Body); a signature that covers some other element gives no protection to the data you act on.

<SOAP:Envelope>
  <SOAP:Header>
    <WSSE:Security>
      <ds:Signature>
        <ds:SignedInfo>
          <!-- covers the Body through its wsu:Id -->
          <ds:Reference URI="#body"/>
        </ds:SignedInfo>
      </ds:Signature>
    </WSSE:Security>
  </SOAP:Header>
  <SOAP:Body wsu:Id="body">
  </SOAP:Body>
</SOAP:Envelope>

Use XML Encryption to protect sensitive data; don't pass it in the clear. The message below carries a card number as plaintext:

<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns1:echo xmlns:ns1="http://sample01.samples.rampart.apache.org">
      <param0>My Credit Card Number</param0>
    </ns1:echo>
  </soapenv:Body>
</soapenv:Envelope>

Encrypt the data. The security header carries the content key, itself encrypted to the recipient's public key; the card number in the Body is replaced by xenc:EncryptedData (elided here) that only the holder of the matching private key can recover.

<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
  <!-- … -->
  <xenc:EncryptedKey Id="EncKeyId-3020592">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
    <xenc:CipherData>
      <xenc:CipherValue>
XNQ0a4legiie5mWFxO6CQkk2hhldYNnKroObue/LXS/VYtvaTgMbCujhGExDi+vlkU//Qc2/T6mx0WVTmBMT3z8rogha8jD+nS9Zr2Bc3CwoTh2lh8wL3D0DEu91iwJT9JByLGXvt7v9lyuxK0ooDOYEClsH974CPmTs3tBC+GQ=
      </xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedKey>
</wsse:Security>

Note the key transport algorithm in this sample: rsa-1_5 is RSA PKCS#1 v1.5 key transport. XML Encryption 1.1 later made RSA-OAEP the required key transport and discourages v1.5, so prefer OAEP wherever the stack supports it.

To ensure that these controls are applied use automated tools like static analysis to scan for security mechanism use and coverage.

In terms of reusability, consider two bug findings and their fixes:

Session management bug: session state is passed around to every component, service and user. This makes for many high priority findings in the audit report, and the fix is required in virtually every program.

Data validation bug: a data access object (DAO) has a SQL injection hole. One major high priority finding in the report. The DAO is used by many business logic classes, so one fix location serves many classes.
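The data validation case above, as an added Python example that is not from the talk: two business logic classes share one data access object, the vulnerable DAO formats the value into the SQL text, the fixed DAO binds it as a parameter, and because both callers go through the DAO the single fix covers them both. The sqlite3 table, its rows, the class names and the attacker input are all constructed for the example.

```python
"""Added example (not from the talk): one SQL injection finding, fixed once in the DAO.

Two "business logic" callers share one data access object. The vulnerable DAO
splices user input into the SQL text; the fixed DAO binds it as a parameter.
Every caller goes through the DAO, so the one fix covers all of them.
The in-memory SQLite data is constructed, not a real customer table.
"""
import sqlite3


def make_db():
    """Constructed sample data: three customers in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, balance REAL)")
    conn.executemany("INSERT INTO customers (name, balance) VALUES (?, ?)",
                     [("alice", 10.0), ("bob", 20.0), ("carol", 30.0)])
    return conn


class VulnerableCustomerDAO:
    """The finding: user input becomes part of the SQL statement itself."""

    def __init__(self, conn):
        self.conn = conn

    def find_by_name(self, name):
        sql = "SELECT id, name, balance FROM customers WHERE name = '%s'" % name
        return self.conn.execute(sql).fetchall()


class CustomerDAO:
    """The fix: the value is bound as a parameter and can never alter the query's structure."""

    def __init__(self, conn):
        self.conn = conn

    def find_by_name(self, name):
        sql = "SELECT id, name, balance FROM customers WHERE name = ?"
        return self.conn.execute(sql, (name,)).fetchall()


class OrderService:
    """One of many business logic classes that depend on the DAO."""

    def __init__(self, dao):
        self.dao = dao

    def customer_balance(self, name):
        rows = self.dao.find_by_name(name)
        return rows[0][2] if rows else None


class SupportService:
    """Another caller; it gets the fix for free once the DAO is fixed."""

    def __init__(self, dao):
        self.dao = dao

    def customer_count(self, name):
        return len(self.dao.find_by_name(name))


INJECTION = "x' OR '1'='1"  # constructed attacker input: turns the WHERE clause into a tautology

if __name__ == "__main__":
    db = make_db()
    print("vulnerable DAO, injected name matches", SupportService(VulnerableCustomerDAO(db)).customer_count(INJECTION), "rows")
    print("fixed DAO, injected name matches", SupportService(CustomerDAO(db)).customer_count(INJECTION), "rows")
    print("fixed DAO, bob's balance:", OrderService(CustomerDAO(db)).customer_balance("bob"))
```

Neither OrderService nor SupportService changes between the two runs; that is the reusability point, and it is also why a scanner should report the DAO once rather than every caller.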

To bring these factors together, I generally use a scorecard index [6], so you can measure such things as transport security, message security, threat protection and so on. The hard work in developing the index is developing a useful scale. A scale for XML tokens could use the following:

0: no token
1: hashed token
2: hashed and signed token
3: hashed and signed token from standard authoritative source

An example scale for XML validation could use:

0: no validation
1: schema validation
2: schema validation against hardened schema
3: schema validation against standard, hardened schema

These indexed scales are used to show maturity across the factors in the scorecard. The first part of the talk described value; the value assessment is used to focus time and effort on high value assets, and it can be determined quantitatively. Determining the scorecard, index, and scales is hard qualitative, analytical work, so the quantitative value assessment is used to screen for the high value targets that merit it. The scoring index is used to track progress and improve quality over time. In the best case, automated tools perform the checks described in the index, and once security is automated, as software development already is, we may see security innovation make progress in years rather than decades.
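An added Python example, not the talk's or any product's code, that ties the coverage scan from the interoperability section to the token scale above. It parses a SOAP envelope with the standard library, checks that the header signature really references the Body's wsu:Id, reports elements named as sensitive that travel as plaintext instead of xenc:EncryptedData, and derives a 0-3 XML token score for the scorecard. Assumptions: the trusted issuer URL, the sensitive element name param0, and that the token's signing is represented as a direct ds:Reference to the assertion's ID (a simplification of the SAML token profile). The scale mapping is also simplified: 1 means a token is present, 2 that the signature covers it, 3 that its issuer is on the trusted list. The messages are constructed and the digest and cipher values are placeholders; the code checks structure and coverage, not the cryptography.

```python
"""Added example (not from the talk): a WS-Security coverage check over a SOAP envelope.

Confirms that a ds:Reference in the wsse:Security signature points at the wsu:Id of
the Body that will actually be consumed, reports sensitive elements still carried as
readable text rather than xenc:EncryptedData, and derives a 0-3 "XML token" score.
Structure and coverage only: no signature verification, no decryption.
"""
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumptions for the example: the issuer the enterprise treats as its "standard
# authoritative source", and the element names that must never travel in the clear.
TRUSTED_ISSUERS = {"https://idp.example.com"}
SENSITIVE_FIELDS = {"param0"}

SIGNATURE_REFS = "soapenv:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference"


def body_is_signed(root):
    """True only if a Reference in the header signature points at the Body's own wsu:Id."""
    body = root.find("soapenv:Body", NS)
    body_id = body.get("{%s}Id" % NS["wsu"]) if body is not None else None
    if not body_id:
        return False
    return any(ref.get("URI") == "#" + body_id for ref in root.findall(SIGNATURE_REFS, NS))


def plaintext_sensitive_fields(root):
    """Sensitive elements whose content is readable text rather than xenc:EncryptedData."""
    body = root.find("soapenv:Body", NS)
    if body is None:
        return []
    leaks = []
    for el in body.iter():
        local = el.tag.rsplit("}", 1)[-1]
        if local not in SENSITIVE_FIELDS:
            continue
        encrypted = el.find("xenc:EncryptedData", NS) is not None
        if not encrypted and (el.text or "").strip():
            leaks.append(local)
    return leaks


def token_scale(root):
    """0: no token; 1: token present; 2: signature covers it; 3: signed and trusted issuer."""
    assertion = root.find("soapenv:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        return 0
    token_id = assertion.get("ID")
    refs = root.findall(SIGNATURE_REFS, NS)
    if not token_id or not any(r.get("URI") == "#" + token_id for r in refs):
        return 1
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    return 3 if issuer in TRUSTED_ISSUERS else 2


def scorecard(xml_text):
    """One row of the index: what a scanner would record for this message."""
    root = ET.fromstring(xml_text)
    return {
        "body_signed": body_is_signed(root),
        "plaintext_sensitive": plaintext_sensitive_fields(root),
        "xml_token": token_scale(root),
    }


# Constructed messages, not captured traffic; digest, signature and cipher values are placeholders.
TEMPLATE = """<soapenv:Envelope xmlns:soapenv="%(soapenv)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s"
  xmlns:ds="%(ds)s" xmlns:xenc="%(xenc)s" xmlns:saml="%(saml)s">
  <soapenv:Header><wsse:Security soapenv:mustUnderstand="1">{token}
    <ds:Signature><ds:SignedInfo>{refs}</ds:SignedInfo>
      <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
  </wsse:Security></soapenv:Header>
  <soapenv:Body wsu:Id="body">
    <ns1:echo xmlns:ns1="http://sample01.samples.rampart.apache.org">{param}</ns1:echo>
  </soapenv:Body>
</soapenv:Envelope>""" % NS
REF = '<ds:Reference URI="#{}"><ds:DigestValue>ZGlnZXN0</ds:DigestValue></ds:Reference>'
TOKEN = '<saml:Assertion ID="tok-1"><saml:Issuer>{}</saml:Issuer></saml:Assertion>'
ENCRYPTED_PARAM = ('<param0><xenc:EncryptedData Type="%(xenc)sContent"><xenc:CipherData>'
                   '<xenc:CipherValue>Y2lwaGVydGV4dA==</xenc:CipherValue></xenc:CipherData>'
                   '</xenc:EncryptedData></param0>') % NS

GOOD_MESSAGE = TEMPLATE.format(token=TOKEN.format("https://idp.example.com"),
                               refs=REF.format("body") + REF.format("tok-1"), param=ENCRYPTED_PARAM)
# Token signed, but issued by a partner IdP that is not on the trusted list
PARTNER_MESSAGE = TEMPLATE.format(token=TOKEN.format("https://idp.partner.example"),
                                  refs=REF.format("body") + REF.format("tok-1"), param=ENCRYPTED_PARAM)
# No token, a signature that covers some other element, and the card number in the clear
BAD_MESSAGE = TEMPLATE.format(token="", refs=REF.format("hdr-7"),
                              param="<param0>4111111111111111</param0>")

if __name__ == "__main__":
    for name, msg in (("good", GOOD_MESSAGE), ("partner", PARTNER_MESSAGE), ("bad", BAD_MESSAGE)):
        print(name, scorecard(msg))
```

The third message is the case a coverage scan exists to catch: there is a signature in the header, so a quick visual check passes, but it does not cover the Body the service acts on, and the sensitive field is readable. Run over every service's sample messages, these three fields are the raw material for the scorecard index.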

Thank you for your time.

1 "Risk Management is where the Money Is" by Dan Geer, http://catless.ncl.ac.uk/Risks/20.06.html

2 Berkshire Hathaway 2007 Shareholder Letter by Warren Buffett, http://www.berkshirehathaway.com/letters/2007ltr.pdf

3 "Software [In]security: Software Security Demand Rising" by Gary McGraw, http://www.informit.com/articles/article.aspx?p=1237978

4 "SOA and Newton's Universe" by Pat Helland, http://blogs.msdn.com/pathelland/archive/2007/05/20/soa-and-newton-s-universe.aspx

5 "Memories, Guesses and Apologies" by Pat Helland, http://blogs.msdn.com/pathelland/archive/2007/05/15/memories-guesses-and-apologies.aspx

6 "Web Services Security Checklist" by Gunnar Peterson, http://arctecgroup.net/pdf/WebServicesSecurityChecklist.pdf

Privacy DigestOnline Age Verification for Children Brings Privacy Worries

Online Age Verification for Children Brings Privacy Worries: Via StarNewsOnline.com | Star-News | Wilmington, NC

WHEN it comes to protecting children on the Internet and keeping them safe from predators, law enforcement officials have vocally advocated one approach in particular. They want popular sites, like the social network MySpace, to confirm the identities and ages of minors and then allow the young Web surfers to talk only with other children, or with adults approved by parents.

But performing so-called age verification for children is fraught with challenges. The kinds of publicly available data that Web companies use to confirm the identities of adults, like their credit card or Social Security numbers, are either not available for minors or are restricted by federal privacy laws.

Nevertheless, over the last year, at least two dozen companies have sprung up with systems they claim will solve the problem. Surprisingly, their work is proving controversial and even downright unpopular among the very people who spend their days worrying about the well-being of children on the Web.

Martin McKeay's Network Security BlogNetwork Security Podcast, Episode 128

We’re joined today by Glenn Fleishman to talk about our own recent past and the recent cracks in the WPA armor.  Rich recently got to visit Russia to participate in a talk on Data Leak Prevention, while Martin got his own sit down with DHS Secretary Michael Chertoff.  Glenn had a little excitement of his own, with a detailed article on the recently revealed vulnerabilities in WPA using TKIP.  It’s a small vulnerability, but both Rich and Glenn suspect it’s just a precursor to bigger, badder things to come. And somewhere in there, a three year anniversary for the podcast slipped by.

Network Security Podcast, Episode 128, November 18, 2008

Show Notes:

No time for any music or fancy stuff like that. 


codeblogmd5 lookups for 4 chars and common words

Here’s a fun link. This site appears to have seeded their md5 hash list with all lower case character strings of 4 characters or fewer and many english words (probably from some large dictionaries), and they seem to be adding more as they go. This makes me want to put up an interface to the 7 character alpha-numeric-plus-many-special-chars rainbow table I’ve got. But searching the 500G table for a single hash takes… a while. I’d need to batch it up. Go-go-gadget web 2.0!

HP - Application Security Center CommunityCSI Annual Conference - Highlights on Web App Security

Listening to the speakers (yes, this time around I was a spectator only... sort of) and the audience from these past 2 days, and specifically at the Web 2.0 Security Summit here at CSI Annual 2008... I've come up with a few things that I think you (the readers who may or may not have attended) should come away with.  These are important points, highlights from a very well organized conference geared towards actual solutions rather than the typical smoke, mirrors, and hand-waving [Trey Ford] you may expect from security conferences.  A nod to Robert Richardson for the guest pass, and an excellent conference.

From the experts

  • Threats continue to escalate and get more clever in their attack
  • Browsers cannot be trusted, applications can be compromised - this is not a rosy picture
  • End-user (and business) "push" is needed to help move browser developers to produce more secure browsers
  • HTML-spec and standards are actually working against security in some cases (see: ClickJacking) 
  • Web applications are, and will continue to be, the prime target for attackers
  • Few businesses are prepared to drive standardized security throughout their organization
  • Metrics - good metrics collection and delivery is one of the secrets to making a security program work for you
  • Process, services, secure coding tools, code analyzers/scanners and Web App Firewalls are not mutually exclusive
  • Your business must have a short-term tactical fix and long term strategic plan to succeed
  • Services and tools are maturing at a great rate - and businesses should understand the purpose of each
    • Tools are a support mechanism for automation, standardization, and repeatability - they do not replace people
    • Services allow for independent 3rd party verification (satisfying some regulatory and compliance requirements)
    • Neither of the above will magically "make your applications secure"
  • SaaS (Software as a Service) for web app security provides immediate ROI, implementation, and won't use up your CapEx (instead uses OpEx) spending
  • You can't use the Ostrich approach (head in the sand, ignoring what's around you)
  • Right now, someone is hacking either your applications, your users or both

The bottom line from the experts?  The web is more dangerous than the wild-west; and things are going south fast.  There is hope.

From the audience

  • Managers and practitioners alike are confused and disheartened when it comes to security ... specifically web application security
  • Despite wanting to do the right thing, managers facing insecure (or worse, unknown) web applications are finding it difficult to implement a program
  • Between integrations, acquisitions, and poor oversight security teams are struggling to keep up with the avalanche of published web apps
  • Overwhelming numbers of vulnerabilities present themselves in a feeling of "we're powerless, why not just give up" as one person put it... 
  • Managers are confused on where, when, and how to apply tools to web application security programs
  • Some managers have their hands tied by long-term contracts with outsource developers which do not properly include information security components
    • When code is finally turned over to them, they are faced with checking the security of that code on their own
    • ... that code, if found defective, will then require re-work at their cost!
    • Ineffective contractual obligations are making it impossible to have an effective security program
  • Security metrics are typically a problem...
    • Some companies don't know what metrics to collect
    • ... others collect them and manually try to make sense of them
    • ... still others have intelligent metrics but haven't been able to translate them into actionable items yet
    • ... still others haven't figured out how to take raw metrics and model them for upper-management consumption
  • Security outsourced services are still too confusing
  • Compliance is causing more headaches than it is solving
  • Companies are striving to be compliant... but are still terribly insecure - and managers are getting that but feel powerless to change

The bottom line from the audience?  Make security simple, actionable, and consumable for my organization... and do more than just sell me tools or services - help me build a program.

There is good news, and bad news.
  The good news is that I feel very strongly that we (HP Application Security Center) can help you accomplish your goals.
    The bad news is ... it's still going to be your job to sell it to your upper management and execute...

Hack in the boxJudge tosses Psystar’s countersuit

A federal judge has tossed out a countersuit filed by Mac clone maker Psystar, which alleged that Apple was engaging in anticompetitive business practices by controlling both the hardware and software that makes up the Macintosh computer line. Psystar was given 20 days - until Dec. 8 - to amend its complaint to convince the judge that it has a more solid argument for its countersuit. The judge rejected the countersuit, in part, over the allegation that Apple’s operating system is so unique that it has no “actual or potential competitors,” noting that Psystar did not present facts to support that claim.

Hack in the boxNASA tests "deep space Internet"

The US space agency NASA said it successfully conducted a first test of a deep space communications network modeled on the Internet. "This is the first step in creating a totally new space communications capability, an interplanetary Internet," Adrian Hooke, NASA's manager of space-networking architecture, technology and standards, said in a statement. The US space agency said Jet Propulsion Laboratory engineers used software called Disruption-Tolerant Networking, or DTN, to transmit dozens of space images to and from a NASA spacecraft some 20 million miles (32.4 million kilometers) from Earth. NASA said the software protocol, which must be able to withstand delays, disruptions and disconnections in space, was designed in partnership with Vint Cerf, a vice president at Internet search giant Google.

Hack in the boxYahoo to make BrowserPlus open-source

It was probably inevitable given what Google did with Gears, but Yahoo said Tuesday it's releasing BrowserPlus software as open-source software. BrowserPlus and Gears are aimed at improving browsers' native abilities so Web applications can better match those running natively on a computer's operating system, and Gears already is open-source software. Yahoo announced its intent to make BrowserPlus open-source software on its Yahoo Developers Blog on Tuesday. "Openness is a key initiative and a major theme for Yahoo this year and beyond, and open-sourcing BrowserPlus is part of that commitment," said team member Lloyd Hilaiel. "This will allow developers to rapidly extend the platform in a distributed fashion. Our hope is that community contributions and review will ensure BrowserPlus stays a secure, robust platform running on all popular operating systems and browsers. I'd like to see BrowserPlus become a valuable piece of Internet infrastructure."

Hack in the boxFacebook application verification plan rankles some developers

Facebook plans to start charging for verifying applications built for the social network - an optional process that has upset some developers despite the company's assurances it will bring plenty of positive benefits. Platform program manager Sandra Liu Huang said Tuesday that Facebook opened the verification process to developers on Monday. The process is meant to increase users' trust of applications that are posted on the site and to help developers wanting to build a serious business get more visibility with users, she said. Initially, developers file a form to register their application, and after it is reviewed by Facebook, the developers fill out paperwork and submit a $375 annual fee for each application. Students and registered non-profits pay $175 for each application they want verified.

Hack in the boxYahoo Shares Soar as Jerry Yang Agrees to Quit CEO Post

Shares of Yahoo Inc soared 10 percent on Tuesday on hopes that the departure of Jerry Yang, its embattled chief executive, would clear the way for a deal with Microsoft Corp. Yahoo announced late on Monday that Yang, whose leadership had come under growing criticism from shareholders after he failed to agree to a deal with Microsoft, would step down from his role as soon as the board finds a replacement. Yahoo is evaluating both internal and external candidates for the top post, and has hired executive search firm Heidrick & Struggles to run the search process. Analysts said Yang's decision to step down is a sign that the board was frustrated with his efforts to turn around the company, which he co-founded. Yang took on the CEO role in June 2007.

Hack in the boxMicrosoft to Phase Out Windows Live OneCare

Microsoft is giving up on its Windows Live OneCare subscription service next June. But it is not giving up on the security business entirely - it has plans for a free, anti-malware product code-named "Morro." Two years after releasing Windows Live OneCare with much fanfare, Microsoft announced today it is abandoning the subscription service next June. But it is not getting out of the consumer security business. In fact, the company plans to release a free, anti-malware product code-named "Morro" in the second half of 2009. According to Microsoft, Morro will be architected to use minimal computing resources to make it amenable to low-bandwidth scenarios and less powerful PCs. The trade-off for the smaller footprint is that it will not have some of the non-security features found in OneCare, such as the printer sharing, Microsoft officials said.

Hack in the boxRuby on Rails rolls into the enterprise

The New York Times used Ruby on Rails to pull together, analyze and display election results in near real time on one of its busiest Web traffic days ever. How did nytimes.com scale up Rails -- a framework known for quick development turnaround but less than lightning fast performance? "The secret is, we didn't," Ben Koski told a session at the Professional Ruby Conference here today. Instead, Koski and others in the Times' interactive new media group used low-level SQL commands for some key data-manipulation tasks. And while some Rails purists might frown upon choosing SQL over Rails' own higher-level interactions with data, Koski said the direct SQL commands helped slash the time needed to process thousands of records from 30 seconds to about 1 second -- a major boost when election result files were literally being updated by the minute.

Hack in the boxApple's new MacBooks have built-in copy protection measures

Apple's new MacBook lines include a form of digital copy protection that will prevent protected media, such as DRM-infused iTunes movies, from playing back on devices that aren't compliant with the new priority protection measures. The Intel-developed technology is called High-bandwidth Digital Content Protection (HDCP) and aims to prevent copying of digital audio and video content as it travels across a variety of display connectors, even if such copying is not in violation of fair use laws. Among the connectors supported by the technology are the Mini DisplayPort found on Apple's latest MacBook, MacBook Pro, and MacBook Air, in addition to others such as Digital Visual Interface (DVI), High-Definition Multimedia Interface (HDMI), Gigabit Video Interface (GVIF), and Unified Display Interface (UDI).

Hack in the boxMS explains 7-year patch delay

Microsoft has explained why it took seven years to patch a known vulnerability. Fixing the bug earlier would have taken out network applications and potential exploits alike, it explained. Security bulletin MS08-068 fixed a flaw in the SMB (Server Message Block) component of Windows, first demonstrated by Sir Dystic of Cult of the Dead Cow fame at a hacking conference in 2001, if not before. The flaw opened the door to SMB replay or reflection attacks that would have allowed the operator of a malicious SMB server to run exploits on vulnerable PCs. The flaw was rated as important by Microsoft but critical by some independent security watchers, such as the SANS Institute's Internet Storm Centre. Microsoft explained the delay on issuing a patch on the effect a fix would have had on network-based applications. In a post on Microsoft's Security Response Blog, Christopher Budd explains that the SMBRelay attack worked in much the same way as its legacy NTLM protocol.

BumpInTheWireNow That’s Different

How long has Windows Server 2008 been out?  Since late February or early March if memory serves me correctly.  Until today I haven’t had much reason to look at it much.  Today that changed though.  When somebody starts throwing around the need for Itanium servers in a SMB my ears perk up.  Thinking this was just a tad excessive I figured I’d see what the different versions of Server 2008 would support hardware wise.  I have to admit I was a bit shocked at what I found.  Mainly the change from SMP to sockets for processors.

Server 2008 x64 Standard Edition supports four sockets with a max of 64 cores along with 32 GB of RAM.  That’s quite a change from Server 2003 x64 Standard.

Server 2008 x64 Enterprise Edition supports eight sockets with a max of 64 cores along with 2 TB of RAM.  Yikes…that’s something even Tim “The Toolman” Taylor would grunt about.

Anything above Enterprise Edition and you’re now in a stratosphere I can’t even relate to computing wise.  Or as David Wooderson would put it…

“Let me tell you what Melba Toast is packin’ right here, all right. We got 4:11 Positrac outback, 750 double pumper, Edelbrock intake, bored over 30, 11 to 1 pop-up pistons, turbo-jet 390 horsepower. We’re talkin’ some fuckin’ muscle.”


Hack in the box - SSH sniffer attack poses minor risk

UK security researchers have discovered hard-to-exploit cryptographic weaknesses in the Secure Shell (SSH) remote administration protocol. The shortcoming creates a potential means to recover the plain text of encrypted sessions, depending on remote access configurations. Potential attacks - which would take ninja-like hacking skills to pull off - would involve inducing and observing error conditions. It's much more likely that a potential attack would crash a conversation than yield useful results. Switching the mode of SSH links from block-cipher (CBC) to stream cipher modes would thwart any potential attack, which is confirmed to affect OpenSSH. Commercial versions of SSH are also affected, to an even more modest extent. SSH Communications Security has released an advisory urging users to update its SSH Tectia clients and server software. In the case of SSH Communications, four bits of plain text might be recovered by eavesdropping on conversations on vulnerable systems compared to 32 bits or, more realistically, 14 bits from an arbitrary block of ciphertext on OpenSSH systems.
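The mitigation the item above mentions, moving SSH links off CBC-mode ciphers, is a one-line configuration change in OpenSSH. The fragment below is an added example, not part of the original post or of any vendor advisory; it shows a CBC-permitting cipher list (a constructed example of an older-style list) beside a CTR-only list. The directive name is `Ciphers`, which is real and is accepted in both `sshd_config` (server) and `ssh_config` (client).

```conf
# Added example (not from the article above). OpenSSH sshd_config excerpt.
# The same Ciphers directive works in ssh_config for the client side.

# Weak: CBC-mode ciphers can still be negotiated (constructed example list)
# Ciphers aes128-cbc,3des-cbc,aes256-cbc

# Hardened: restrict negotiation to CTR-mode ciphers only
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
```

After restarting sshd, a reasonably modern OpenSSH will print the effective cipher list with `sshd -T` (the extended test mode), so the check is that no `-cbc` suite appears in its `ciphers` line. Because the change is negotiated per connection, an old client that only offers CBC suites will fail to connect rather than silently fall back, which is the intended behaviour but worth announcing before rollout.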

Hack in the box - OS earns highest-ever gov’t security rating. Does that make it “most secure?”

I have to admit that I had never before heard of a certification called EAL6+ High Robustness until the folks at Green Hills Software reached out to tell me that they were about to get it for their operating system, formally called INTEGRITY 178B. EAL6+ High Robustness, I’ve since learned, means that the government has put Integrity through the most rigorous hacking and security tests to determine if it’s strong enough to meet the needs of the most sophisticated and critical computer systems, such as those that support electrical grids, power plants and banking systems. EAL is an acronym for Evaluation Assurance Level - basically a national and international standard for IT security - and Green Hills execs say that INTEGRITY is the first OS to earn the EAL 6+ rating.

Hack in the box - Boxee Gets $4 Million

Open-source social media center Boxee has raised $4 million in its first round of funding from Union Square Ventures and Spark Capital, which split the round 50-50. Union Square’s Fred Wilson and Spark’s Bijan Sabet are lead investors. According to a Boxee spokesperson, the funding will be used not only to keep the doors open but to hopefully instill confidence in potential partners, such as device manufacturers, that Boxee will be around for awhile. Boxee is a free, open-source media platform initially based on the XBMC project that allows users to watch and share media like movies, music and more from Internet-connected devices hooked up to their TVs. The company went into alpha in June of this year.

Hack in the box - Hacking Bluetooth 2.1 Passwords

If you think Bluetooth is getting safer, think again: A researcher has revealed glaring security flaws in the newest version of the wireless protocol that let an attacker stage simple man-in-the-middle hacks. Bluetooth Version 2.1, which is gradually becoming available in Bluetooth-enabled devices, in some cases is less secure than the previous version, 2.0, said Andrew Lindell, chief cryptographer for Aladdin Knowledge Systems and assistant professor at Bar-Ilan University in Israel, here today at the CSI 2008 Security Reconsidered conference. Lindell says the password protocol is not secure and can be easily manipulated by an attacker. Key Bluetooth headsets and keyboards are also left unprotected under this new protocol version, which was built to use less power and to lock down Bluetooth devices from man-in-the-middle and other attacks. "I found that the password protocol is not secure in the way we would expect. It's secure as long as a one-time password only is used, but that's not mandatory in the specification," Lindell says. "The biggest problem is that it's very easy to get Version 2.1 wrong and hard to [ensure] the implementation is very secure."

Hack in the box - Virus sweeps through university e-mail

When Corey Tincher discovered his SIU e-mail inbox filled with messages that appeared to be sent from himself, he said he knew they were spam. Tincher, a graduate student from Marion in applied psychology, said he sometimes sends himself e-mails, but he knew he did not forward himself ones titled "Now everyone knows your secrets" and "Shaming videos of Obamas." These e-mails were a hoax that gave users' computers a virus if they clicked "unsubscribe," said Frank Scobby, director of information technology. "We probably reject like 60,000 e-mails a day," Scobby said. "Because it's an siu.edu e-mail source, there's not a heck of a lot we can do. These hackers are very good." Tincher said he planned to use his other e-mail accounts instead of the university's if he continued to get spam under the cover of his university address.

Hack in the box - Linux on the iPhone?

Of course, after Apple develops an elegant and perfectly understandable mobile UI, Linux hackers want to tear it down. Bring on the OpenMoko, Android or Ubuntu Mobile for the iPhone. I enjoyed a recent post by PlanetBeing on the Linux on the iPhone blog. It was an attempt to justify why someone would want to spend a tremendous amount of time to bring Linux to the iPhone, when he or she could “just develop on an open platform instead with no such wasted effort?” Good question, dude. PlanetBeing says he doesn’t want to buy other less-polished platforms just for a hack; he likes the iPhone. And the “knowledge that we are gaining/will have gained about the iPhone hardware will be of incredible practical value to the homebrew iPhone community.”

Privacy Digest - Chertoff: We're Closing that Boarding-Pass Loophole

Chertoff: We're Closing that Boarding-Pass Loophole: Via Threat Level

There’s a hole in airline security big enough to get Osama bin Laden himself onto a domestic flight, Homeland Security chief Michael Chertoff acknowledges, but that’s no reason to ditch watch lists or ID checks at the airport, he says.

Chertoff told Threat Level in an interview last week that the government was aware of, and patching, the so-called boarding-pass loophole, which just came back into the public eye after a recent Atlantic magazine story where a reporter got through security using a fake boarding pass.

That loophole lets a known terrorist who is on a government watch list board a plane without needing a fake ID.  All that’s needed is a home computer, a printer and a little skill at HTML.

“On the issue of switching boarding passes, that is a loophole we are aware of,” Chertoff said.

Hack in the box - Latest Nintendo Wii update blitzes Homebrew modifications

Nintendo has released a new software update for its Wii console, although not, in this case, to dramatically increase its features and capabilities. It looks like the latest 3.4 update is designed with one single task in mind: locking out those pesky modders running dastardly third party homebrew software. Nintendo may have nothing against third party software, per se, but it'll be darned if it'll let that stuff run willy nilly on its whiter than white Wii. Instead, all software that wants to run must be given the official nod by Nintendo and there are software checks in place to make sure everything has been properly sanctioned. However, the cunning hackers - looking to make things like DVD playback possible - have found a chink or two in Nintendo's software armour. The current exploit involves using a specially modified game save file for The Legend of Zelda: Twilight Princess. Once this has been loaded up, a bug in the game allows the hackers access to run their own software and then patch the system to remove the necessary checks.

Privacy Digest - Secure OS Gets Highest NSA Rating, Goes Commercial

Secure OS Gets Highest NSA Rating, Goes Commercial: Via Slashdot

ancientribe writes "A hardened operating system used in the B1B bomber and other military aircraft has now been released commercially, after receiving the highest security rating by a National Security Agency-run certification program. Green Hills Software's Integrity-178B operating system was certified as EAL6+, which means that it can defend against well-funded and sophisticated attackers." The company is not saying how much the OS would cost a potential customer: "The system and its associated integration and consulting services are custom solutions." Both Windows and Linux are EAL 4+ certified, which means they can defend against "inadvertent and casual" security breach attempts.


Hack in the box - Facebook spamming 'not surprising'

It is 'not surprising' that cybercriminals have begun using Facebook to send out spam, according to security firm Sophos. Carole Theriault, senior security consultant at the company, said that Facebook 'has sky rocketed in importance and everyone loves it', which means cybercriminals will enjoy it too. 'Spammers and hackers basically follow the trend, so it is not surprising at all that they are attacking Facebook and using Facebook to send out spam,' she said. However, Ms Theriault revealed that users of the social networking site can protect themselves from attack. 'One of the main ways that you can try and combat this and work at this is by setting your [configuration] options,' she said.

Hack in the box - Woman loses $400,000 in Nigerian e-mail scam

An Oregon woman who is out $400,000 after falling for a well-known Internet scam says she wasn't a sucker or an easy mark. Janella Spears of Sweet Home says she simply became curious when she received an e-mail promising her $20.5 million if she would only help out a long-lost relative identified as J.B. Spears with a little money up front. Spears told KATU-TV that the scammers' ability to identify her relative by name was persuasive. "That's what got me to believe it," she said. "So, why wouldn't you send over $100?" Spears, who is a nursing administrator and CPR teacher, said she mortgaged the house and took a lien out on the family car, and ran through her husband's retirement account.

Hack in the box - KZN govt pioneers fingerprint security

The KwaZulu-Natal provincial government is the first in the country to introduce fingerprint access to its staff and accounting computer systems in a bid to curb fraud and corruption. The new system will mean that civil servants entering ghost employees or authorising a fraudulent transaction can be traced through their unique fingerprints. It will also make charging culprits easier as they cannot say that their password was stolen. It will hamper hacking into the system as hackers will be able to advance only to a certain level before they will be asked for an identifying fingerprint. Demonstrating how the system works at a gathering of senior provincial staff, Vuma Madlala of Datacentrix assured them that only live fingerprints are identified. The demonstration and introduction to the Biometric Access Control System was held at the premier’s office yesterday.

Hack in the box - Worm Infects London Hospital Systems

A computer worm has forced the shutdown of computer systems at three London hospitals for more than 24 hours, reports BBC News. A hospital spokesman said “well rehearsed” emergency procedures were in place. The hospitals — St. Bartholomew’s, the Royal London Hospital in Whitechapel and The London Chest Hospital in Bethnal Green — are part of a single system, Barts and The London NHS Trust. The system went down about noon Monday, affecting Internet access, e-mail and other applications, according to E-Health Insider. By Tuesday morning the system was back up but the worm, described on the BBC site as “not malicious,” was more prevalent than ever and a major incident declared. All but essential systems were shut down to contain it and manual backup systems were used, which in some cases meant writing with pen and paper, according to The Register. Most services were operating normally, including walk-in emergency services. But ambulances were being diverted to other facilities.

Hack in the box - New 'Stealth' Technology Secures Data On Shared Networks

The problem seems simple: How can data be transmitted over a large, shared network, yet restricted so that only a small group of individuals on the network can read it? The possible answers, as most security professionals will tell you, are anything but simple. Unisys today took a crack at this complex problem with the introduction of Stealth Solution for Network, a patented method of encrypting and "bit-splitting" data into smaller pieces while encrypting them again. The idea behind Stealth is to allow organizations to restrict the exchange of sensitive data to a fixed group of individuals who have the keys to encrypt and decrypt it - without forcing them to use a discrete network. Stealth can be used on an enterprise network to prevent other groups in the organization from viewing data, or it can be used over virtual networks or the Internet to help protect sensitive data from being accessed by outsiders, Unisys says.

Hack in the box - US teen hacker 'DShocker' confesses three-year crime spree

A juvenile hacker with a reputation for stirring up trouble in online gaming groups has admitted to multiple computer felonies, including cyber attacks that overwhelmed his victims with massive amounts of data and the placing of hoax emergency phone calls that elicited visits by heavily armed police teams. Known by the online handle of Dshocker, the 17-year-old Massachusetts hacker also admitted he breached multiple corporate computer systems, called in bomb threats and engaged in credit card fraud. The defendant, who was identified only by the initials N.H., pleaded guilty to charges in court documents that included one count each of computer fraud and interstate threats and four counts of wire fraud. Dshocker is best known in hacker and gaming circles as the miscreant said to have perpetrated a series of attacks on members of myg0t, an online confederation dedicated to cheating and disrupting play in online games such as Counter Strike. He also unleashed attacks on other well-known hackers, according to online accounts.

SANS Internet Storm Center - Security Awareness Training is Boring, (Wed, Nov 19th)

I love the directness of Marcus Ranum's perspective on security awareness training. If it was going to work, it would have worked by now, he wrote. Indeed, whenever I perform social engineering testing, too many people willingly give up sensitive data, click on a link or launch that fateful attachment.
Maybe the problem with many security awareness programs is that they are boring. Come up with something unusual and personally-relevant to the attendees, and I bet the audience will remember your message. Below are some tips and a video clip.
Select a Different Format
Call your annual security awareness session a Security Awareness Session, and you're guaranteed to hear sighs and excuses for not being able to attend. How about something in a less standard format? Thinking out loud here:

Add a security commercial interruption to an unrelated meeting or a conference call.
Create a challenge for people to report unsafe IT practices they observe. Without identifying the offenders, but with prizes.
Sponsor a bagels and donuts breakfast with a 10-minute data security discussion.
Create a drawing for a prize. The cost of entry is a tip on improving IT security.

Of course, the format will depend on your corporate culture, but the idea is to take a less ordinary approach to spreading your message.
Make the Message Personally-Relevant
People tend to care about their well-being more than the well-being of their company. To make your message heard, make it useful for your colleagues as individuals, be it in the context of phishing for email credentials, on-line financial fraud, or spyware. By helping them protect their personal data on-line, you will show them how to act when corporate IT assets are threatened.
Example: A Video Clip
How about piquing the employees' interest in your program with a short video clip? I found a service called Animoto that will let you upload a bunch of photos, and automatically generate a nice-looking video from them. (30-second videos are free.)
Here's an example I created using generic photos I found via EveryStockPhoto. For best results, use the photos specific to your company or industry