Birchtree Blog

Leaves from the Tree 2008-06-27

noreply@blogger.com (Peter Berlich) — Fri, 27 Jun 2008 12:07:00 +0000

My, oh my. What did we have this week...

xkcd (the world's best web comic) had a story on why Wi Fi holes may be useful: "Road Rage".

Security - who needs it? - Yes, we've all been there.

And last not least, it's Bill Gates' last working day at Microsoft today. Definitely a man who has done a lot for our industry. How time passes! 1978 - 2008. Somehow reminds me of these folks. (By the way, wonder how Steve Jobs is doing?)

Things you don't want to see on the same day

noreply@blogger.com (Peter Berlich) — Thu, 26 Jun 2008 07:10:00 +0000

You have a problem.

But your software is up to date.

(Via Heise)

An IT-secure holiday

noreply@blogger.com (Oliver Gassner) — Thu, 26 Jun 2008 06:27:00 +0000

Hey, it's the holiday season and I don't want to think about IT security.

If you use your web mail account from your holiday location and send mail to both family and your colleagues you might want to follow some basic hints.

* PCs in Internet cafes might be heavily infested with malware that might attach worms to your e-mail and spy on your banking and mail passwords

* avoid Internet cafes (maybe bring your own EEE?)

* if you use one: make sure you delete your cookies, temp files and surfing history once you leave

* set up a holiday mail account with a free mailer, so if you get hacked the hackers don't have all your regular correspondence

* if your bring your own laptop make sure that it's firewall and its virus file are up to date - and take care only to use encrypted wifi and https-connections

* and you might use a U3-Stick for extra security

IT-Sicherheitstipps für den Urlaub - Knowledge Center - Security - computerwoche.de

Security Risk: Your Admin

noreply@blogger.com (Oliver Gassner) — Tue, 24 Jun 2008 08:51:00 +0000

Did you know every third IT-Admin with a master password has looked at data that he is not supposed to see? Like your paycheck or the mail about the coming merger?

Besides treating your admin nicely there are not many thinngs you can do
* change the passwords more often then 'never' or 'every quater'
* encrypt stuff
* pray

By the way: When IT admins were asked what they would take with them when they leave the company they said:
* the customer database
* the list with the passwords

Surprise!

IT-Admins schnüffeln Mitarbeitern hinterher - Knowledge Center - Security - computerwoche.de

Proving a negative

noreply@blogger.com (Peter Berlich) — Tue, 24 Jun 2008 08:30:00 +0000

Question of the day:

When handing someone (a teacher of information security, no less) a USB stick, he was asking me whether I could "guarantee there were no viruses on it".

Let that sink in for a minute.

Still Alive: Cake

noreply@blogger.com (Peter Berlich) — Sun, 22 Jun 2008 08:15:00 +0000

Al Billings from the Firefox team writes about the large cake that the ~~Black Mesa~~ Microsoft Internet Explorer team sent for the release of Firefox 3.

Most funny are the comments.

"By the time the cake arrived, it already had several vulnerabilities in the wild." (x)
"The cake is a lie" (Al)

And of course there's more fall-out on Userfriendly.

Now these points of data
Make a beautiful line.
And we're out of beta,
We're releasing on time.
...

Interview with the authors of BackTrack 3

noreply@blogger.com (Peter Berlich) — Sat, 21 Jun 2008 20:25:00 +0000

Paul Asadoorian published an MP3 with an interview with the authors (Max Moser, Mati Aharoni and Martin Münch) of the recently published BackTrack 3 set of penetration testing tools.

Interesting stuff, you may want to listen in on it. What I find most impressive is their consistent motivation of "curiosity". Certainly a common trait in security professionals. Interestingly, you can even earn a certification here, the "Offensive Security Certified Professional" (OSCP).

Consolidating accounts

noreply@blogger.com (Peter Berlich) — Sat, 21 Jun 2008 20:01:00 +0000

It seems we're leaking identities.

Take this verbatim. It seems every day we're being asked to sign up to some new service. Of course, sign-up is free, signing off may not always be quite as easy though.

I recently took the step to consolidate some of my old identities. Some surprises down that road, so I suggest you take it with me.

* When I logged into an old account I had with my telecoms provider I found out they had changed their system entirely. (Oh, glory day.) Much to my surprise, the old account still worked, but immediately after log-in I was asked to create a new account. Interesting logic. It's not bad, they actually allow me now to monitor my phone cost in real time. But they still haven't figured out how to allow me to use the same PIN for online access to my voice mail or via the telephone system.

* Even stranger, I used the opportunity to sign off some newsletters. (It's incredible how much you get used to deleting the same newsletters every day... the routine sets in so quickly that you forget that you can change the system. Only... )

E-Mail from one provider of newsletters:
We are in receipt of your e-mail requesting assistance with removing your subscription from the (company) newsletters.
Please note that to unsubscribe from the (company) newsletter, you need to click on the on the "Unsubscribe from all newsletters" from the Summary Page of Subscription Services.
Please note that when you cancel your all of your subscriptions, you completely disengage from Subscription Services. So, if you merely want to remove a specific interest area or newsletter, please use the appropriate page within Subscription Services.

Only, they didn't delete my account, it's still possible to log in. Interesting, I will follow up on this. (Actually, I believe they are obliged to delete the account.)

* I was able to remove some 10 or so accounts. The number of accounts I still need to keep (with a good reason for every single one) is in the low 70s.

Oh, and don't get me started on newsletters.

I suggest you go and do likewise. You might be surprised.

Ethical Hacking Careers

noreply@blogger.com (Peter Berlich) — Fri, 20 Jun 2008 19:02:00 +0000

There was a presentation by Donald Donzal, CISSP, at the SANS "WhatWorks in Pen Testing Summit" on the subject of "Remodeling your career for little to no money down.".

Read the complete article at (ISC)² Blog.

Leaves from the Tree 2008-06-20

noreply@blogger.com (Peter Berlich) — Fri, 20 Jun 2008 18:00:00 +0000

Viral Anti-Virus. Cool.

Via NP-Incomplete.

Update 2008-06-22: News.com had this in October 2007 already. Oh, well. Of course this made me go to YouTube and find more Kaspersky videos (even though I must say this one isn't quite as nice as the other one.)

Choosing the right security personnel

noreply@blogger.com (Peter Berlich) — Fri, 20 Jun 2008 15:48:00 +0000

Simon Heron just published an interesting podcast on Help Net Security, covering the art of finding the right security personnel. I invite you to listen to it yourself, some key points include the requirement for experience ("there is no substitute"), training and the natural curiosity that security bring to work and the intellectual stimulation they crave.

Read the complete article at (ISC)² Blog.

iPhone 3G: ready for business?

noreply@blogger.com (Oliver Gassner) — Wed, 18 Jun 2008 13:19:00 +0000

No, not yet, says a Gartner analyst:

"Of some concern is how secure the iPhone will be. According to Ken Delaney from Gartner, the iPhone has neither firewall nor native encryption - functions many businesses have come to expect and trust from the likes of BlackBerry and Windows Mobile devices - so IT departments could be concerned about its daily use, and what happens if the iPhone is stolen."

We talked about business-ready iPhones before and had some hopes for the better. But it seems that iPhones are still more a design issue than a serious business tool.

via: iPhonic: iPhone 3G: still too many unknowns to recommend for business use, analyst says

Berufsbild IT-Sicherheits-Manager: Kommunikator statt Eigenbrötler

noreply@blogger.com (Peter Berlich) — Mon, 16 Jun 2008 16:00:00 +0000

Der IT-Sicherheits-Manager ist schon lange kein technikfixierter Eigenbrötler mehr. Er wirkt vielmehr als moderierender Risikomanager, der andere von den Vorzügen seiner Lösungen überzeugen muss.

Read the complete article at securitymanager.de.

Sicherheit hat ihren Preis

noreply@blogger.com (Peter Berlich) — Mon, 02 Jun 2008 15:58:00 +0000

Zwei Buchklassiker von Bruce Schneier haben nichts von Ihrer Aktualität verloren. Sie versuchen antworten zu geben auf die Fragen: Wie viel Sicherheit ist genug? und Welcher Schutz ist wirksam? Antworten auf diese Fragen sind für jeden Sicherheitsverantwortlichen heute aktueller denn je. Zumal die technikorientierte IT-Sicherheit sich mehr an den Geschäftszielen soll.

Read the complete article at Computerzeitung.

Punk not dead

noreply@blogger.com (Peter Berlich) — Sun, 25 May 2008 23:03:00 +0000

(It just smells different!)

Anyone remember the Cypherpunk movement?

Those were the people who invented anonymous remailers, were the first to deploy PGP on a wider scale and were generally a crypto-political movement to establish cryptography (and privacy) in the then nascent public Internet.

The Cypherpunk Manifesto by Eric Hughes starts:

Privacy is necessary for an open society in the electronic age. Privacy is not secrecy. A private matter is something one doesn't want the whole world to know, but a secret matter is something one doesn't want anybody to know. Privacy is the power to selectively reveal oneself to the world.

Read the complete article at IT Security Link.

Response to "Response to Is Vulnerability Research Ethical?"

noreply@blogger.com (Peter Berlich) — Sun, 25 May 2008 22:20:00 +0000

I'm a great fan of Richard Bejtlich's TaoSecurity. He recently wrote a response to a discussion on SearchSecurity, Face-Off: Is vulnerability research ethical?.

The argument is an old one: Does disclosure help make software more secure, or does it help the bad guys. RB now leans to the latter side, saying (quote) "The 5% I would change is that identifying vulnerabilities addresses problems in already shipped code. I think history has demonstrated that products ship with vulnerabilities and always will, and that the vast majority of developers lack the will, skill, resources, business environment, and/or incentives to learn from the past."

That's nicely put, but it overlooks one important fact - it's not how it's being done.

The reason we are faced with vulnerability disclosures is not necessarily that the people who look for them want to make software better. I admit many of them will, but if they didn't it wouldn't make any difference. And if we found out that disclosing vulnerabilities does not improve software security, vulnerabilities would still be disclosed.

The reason vulnerabilities get disclosed is because they exist and some people find them. It matters little who - what's important is that a vulnerability has been found. That is the key news.

And that's why vulnerability disclosure will hardly stop. Let's remember: Security is a game we can't win, we can't break even and we can't quit. The best we can hope for is establish a level playing field. "Responsible disclosure" is just that.

PS. I recommend everybody read the two linked articles from RB's posting, "Analog Security is Threat-Centric" and "Vulnerability-Centric Security".

Hackers can blow your family to smithereens! End of the world @11!

noreply@blogger.com (Peter Berlich) — Sun, 25 May 2008 22:13:00 +0000

Someone posted this article, purportedly from Weekly World News.

Anyone seen Elvis lately?

Security Corner: Gute Aussichten für IT-Sicherheitsmanager

noreply@blogger.com (Peter Berlich) — Sun, 25 May 2008 22:11:00 +0000

Beste berufliche Perspektiven für IT-Sicherheits-Experten belegt die Global Information Security Workforce Study. Doch nicht nur der Bedarf an qualifiziertem Fachpersonal und die Gehälter steigen: Der Aufgabenbereich bekommt zunehmend einen vom strategischen Management geprägten Charakter. Dieser sorgt dafür, dass der Druck und die Arbeitsbelastung zunehmen.

Read the complete article at Computerzeitung!

Lords: "Government should step up to its responsibility in IT Security"

noreply@blogger.com (Peter Berlich) — Sun, 25 May 2008 22:06:00 +0000

(This one would almost be worth a separate category on IT Security Link, called "Politics".)

The marvellous Merlin Hay, 24th Earl of Erroll, spokesman for the House of Lords Science and Technology Select Committee's report on personal internet security, gave a speech at a recent event, demanding that "the government should implement a programme of technical legislation and information to tackle the problem of online security breaches".

As short as five years ago I would have strongly disagreed with his viewpoint, and responded (as far as the House of Lords would listen to me, anyway) that the market will take care of the issue.

Read the complete article at IT Security Link.

Where is my spam?

noreply@blogger.com (Oliver Gassner) — Fri, 23 May 2008 16:11:00 +0000

As I use a mail adress that has been around since 1999 I get huge amounts of spam.

Make that: got.

I used to get about 140-170 spam messages per HOUR.

I am down to 3 per hour now.

What happened?

Google Anti-Malware Diagnostic Pages

noreply@blogger.com (Oliver Gassner) — Fri, 23 May 2008 16:10:00 +0000

Google does not only give you hints what pages to visit. It will also warn you if you visit a site that potentially contains malware. If you visit it after clicking on one of Googles search results, that is.

This way Google web search provides a similar spam and malware filtering capablity as its Gmail service.

More info: Google Anti-Malware Diagnostic Pages

The best random generator since Schrödinger's cat

noreply@blogger.com (Peter Berlich) — Sun, 18 May 2008 00:02:00 +0000

The Whirlygig RNG. If Felix von Leitner considers building a batch (in German language) then there must be value in it.

Read the complete article at IT Security Link.

Researchers: Obfuscate patches.

noreply@blogger.com (Peter Berlich) — Sat, 17 May 2008 23:39:00 +0000

Researchers from Carnegie Mellon have developed a way to semi-automatically develop exploits from patches (cf. story on SecurityFocus).

Read the complete article at IT Security Link.

Hacking back: Storm Botnet

noreply@blogger.com (Oliver Gassner) — Tue, 29 Apr 2008 16:08:00 +0000

Well there are some ways to counter hackers, Researchers from Mannheim, germany, used one of them: hacking back.

They are running an attack on the botnet 'Storm'.

"The researchers, from the University of Mannheim and the Institut Eurecom, recently infiltrated Storm to test out a method they came up with of analyzing and disrupting P2P botnets. Their technique is a spinoff of traditional botnet tracking, but with a twist: it not only entails capturing bot binaries and infiltrating the P2P network, but it also exploits weaknesses in the botnet’s P2P protocol to inject “polluted” content into the botnet to disrupt communication among the bots, as well as to study them more closely."

Botnets in general are used to generate a net of connected "hacked" computers that will execute tasks for their 'masters'. In general they are used to send e-mail spam. The users of these computers are usually unaware of this abuse of their machines.

via Researchers Infiltrate and 'Pollute' Storm Botnet - Desktop Security News Analysis - Dark Reading

IT Security people are networking-crazy

noreply@blogger.com (Peter Berlich) — Sun, 13 Apr 2008 20:38:00 +0000

I recently got bitten by the networking virus. By now, the infection is in full swing.

I am a member of four real-world associations, including, amongst others, (ISC)² and ISACA. Of course these offer excellent networking opportunities, and so I am regularly invited to networking meetings. As a part of the community, how could I resist?

Read the complete article at Network World.