
    Tattoos for Information Security

    So, I was listening to Security Now Podcast #110 while blogging the last hour or so.

    At the end of the podcast I heard something weird in the context of remembering a TrueCrypt password:

    Here is the transcript (the bolding is my own):

    Leo: Well, we’re going to get them now. This is from an anonymous listener in Arkansas because we don’t want to name names: I’ve been thinking about this since your TrueCrypt episode. After I heard that episode I downloaded and installed TrueCrypt. We recommended it. It’s a free encryption program for Windows. While going through the process of setting up an encrypted volume, TrueCrypt complained that my standard password wasn’t long enough. Okay. I complied. I created a longer password I thought I could remember. And there’s a big word, “thought.”

    Weeks later I went back and tried to mount the volume I’d created, and I wasn’t able to remember the password. Now, fortunately there wasn’t anything of value in that volume. But it got me thinking, how do I go about securing my digital documents with some kind of securely complex password that I wouldn’t be able to forget? Also, what if I have head trauma and can’t remember? Or worse yet, what if I die and my family needs access to my documents? Which is a really important question. Here’s what I came up with. Oh, boy. A tattoo.

    Steve: He really wrote this, Leo. I’m not making this up.

    Leo: Not just any tattoo, my friends, a blacklight tattoo. My idea is to take one of your generated passwords and have it tattooed on a rarely exposed part of my body with ultraviolet ink. This would – talk about a private key. This would allow me to always have my password with me, but it wouldn’t be visible in normal light. I also thought it would be good to split the password up into eight eight-character chunks. All over his body. And then he could create passwords out of different chunks. And all he’d have to remember is, like, wrist, toe, ankle. And he’d have a good password.

    Steve, what are you talking about? This is a brilliant idea. He says: I know it’s not good for a spy or someone hiding from the government. But I’d like to hear what you think for your average Joe that wants to keep his tax return private. Love the show. Now, I’m sure it’s a little tongue-in-cheek. But that’s an interesting idea.

    Steve: Okay.

    Leo: Well, the problem is you can’t change it…

    Steve: Can you imagine, you go to the GRC Perfect Passwords page and get one of those 64-character nightmares, and then chop it up into eight eight-character chunks…

    Leo: See, that’s what’s inspired to me.

    Steve: And then maybe like an eight-by-eight block. And then you go to your local tattoo parlor…

    Leo: Yeah.

    Steve: …and say, okay, do you have any UV ink?

    Leo: Here’s what I want. Now, you have to trust your tattoo guy.

    Steve: Oh, you sure do.

    [Talking simultaneously]

    Leo: …you go to eight different tattoo guys.

    Steve: What kind of a lun- oh, yeah, good point, because you – no, but the problem is the eighth tattoo guy, in order to tattoo you with UV ink, you need to do it under black light. So he’d be seeing…

    Leo: Well, you keep your pants on.

    Steve: Ah, that’s – no. Now this is a reason – you’re right, Leo – for putting them in different locations. So you say, okay, now, I want you to tattoo these eight characters on the bottom of my left foot. And the other guy does it on the bottom of my right foot. And in my left armpit – I guess you’d have to shave for this…

    Leo: I’m not thinking it’s such a bad idea, Steve Gibson, I might just do this.

    Steve: Quite strange, Leo.

    Leo: Better than getting a Nike swoosh tattooed on your hip.

    Steve: Oh, god. And then when it comes to actually, you know, mount your TrueCrypt volume…

    Leo: Oh, wait, excuse me, I have to take off my pants here.

    Steve: Depending upon how secure your password is, you might have to completely disrobe in order to get access.

    Leo: And find an ultraviolet light.

    Steve: Yeah, that’s a very good point.

    Leo: Might be easier just to write this down.

    Steve: Yes. Anyway, it’s an interesting thought.

    In case you were wondering, Information Security Engineering remains my profession of choice.

    Sick Fucks Are Using Flickr Photos to Pretend to Be Children On Social Networking Sites

    You can read about it here and here.

    Attention all you parents, grandparents, aunts and uncles out there:

    Do not store photos of your kids in a publicly accessible way.

    Just don’t do it.

    The Alternative to Endpoint Security Software Sprawl

    RationalSecurity comments on Endpoint Security:

    However, we’ve also come to realize that the locus of the threats and vulnerabilities demands that we get as close to the assets and data we seek to protect, so now in an ironic twist, the industry has turned to instead sprinkle software-based agents directly on the machines instead.

    After all, the endpoint is the closest thing to the data, so the more endpoint control the better, right?

    What we’ve done now is transferred the management of a few gateways to that of potentially thousands of endpoints.

    Based on an informal survey of security practitioners, the diagram I whipped up above demonstrates various end-point agents that reside on a typical enterprise client and/or server. It’s absurdly obscene:

    • Software Management/Helpdesk Remote Control
    • Patch Management (OS)
    • Asset Management (Inventory)
    • Firewall
    • VPN
    • Anti-Virus
    • Anti-Spyware
    • Anti-Spam
    • Browser Security Plug-ins
    • Encryption (Disk/eMail)
    • 802.1x Supplicants
    • NAC Agents
    • DLP
    • Single Sign-On
    • Forensic Agents
    • Device Control (USB, CD, etc…)

    You generally have to manage each of those pieces of software independently.

    I have spent a non-trivial part of this year working on an Endpoint Security project for my employer demanded by our auditors. While the project has come along nicely (meeting its goals), I really don’t believe in that kind of an approach anymore.

    There are too many holes, too many ways for data to leak out, too many sysadmin issues.

    I think corporations should replace their desktop workstation architecture with locked-down hardware running minimal thin-client-style software that connects to desktop-providing terminal servers (like what Citrix offers), with strong authentication of the user. The servers can be locked down and controlled centrally. The users must have no rights (enforced by technology, not words) to install software or add hardware.

    Hey Bloggers: If you were wondering why you get all of that comment spam…

    …the recent SANS Incident Handler’s Diary entry explains it:

    So, the spammers do the following. They first “poison” Google so that a particular search returns their wanted web site as the first match. This isn’t too difficult to do because they don’t need to “poison” proper searching keywords – they can use whatever they want because all they need is their web site to come back first. If we go back to the example above, the keywords to search for are “myvisameds global cart”. If you search for this (normally) you will see that the spammer’s web site comes as the first search. Also take a look at all the other web sites that are returned. See something interesting? (I still have to check those web sites to see if they are even serving some malicious content).

    They want to manipulate the Google Search results.

    Luckily, wordpress.com uses Akismet. So, while I get 500+ comment spams during the week, only 1 or 2 usually make it through.

    Defining “Firewalls” [Updated]

    In my day job I work as an Information Security Engineer.

    I have been having a bit of a friendly mini-debate with a few co-workers as to what exactly constitutes a firewall (e.g. “is a firewall a single device or a set of devices?”, “is the firewall just the thing doing stateful inspection, or is it the outbound user proxy server for web access?”). Before starting to update policies and procedures to reflect a consensus definition, I decided to look up other sources and not just rely on my own judgment – though I am sure I am right :-).

    I was surprised by the diversity.

    FFIEC IT Examination Handbook

    A firewall is a collection of components (computers, routers, and software) that mediate access between different security domains. All traffic between the security domains must pass through the firewall, regardless of the direction of the flow. Since the firewall serves as an access control point for traffic between security domains, they are ideally situated to inspect and block traffic and coordinate activities with network intrusion detection systems (IDSs).

    Financial institutions have four primary firewall types from which to choose: packet filtering, stateful inspection, proxy servers, and application-level firewalls. Any product may have characteristics of one or more firewall types.

    NIST Publication – Guidelines on Firewalls and Firewall Policy

    Network firewalls are devices or systems that control the flow of network traffic between networks employing differing security postures.

    Firewalls can also act as Virtual Private Network (VPN) gateways. Thus, an organization or agency can send unencrypted network traffic from systems behind the firewall to other remote systems behind a cooperating VPN gateway; the firewall encrypts the traffic and forwards it to the remote VPN gateway, which decrypts it and passes it on to the destination systems.

    A firewall environment is a collection of systems at a point on a network that together constitute a firewall implementation. A firewall environment could consist of one device or many devices such as several firewalls, intrusion detection systems, and proxy servers.

    PCI Data Security Standard v1.1

    Firewalls are computer devices that control computer traffic allowed into and out of a company’s network, as well as traffic into more sensitive areas within a company’s internal network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.

    Wikipedia Entry on Firewalls

    A firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network which has different levels of trust.

    Firewalls Mailing List – Firewall FAQ v10.4

    A firewall is a system or group of systems that enforces an access control policy between two or more networks. The actual means by which this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic. Probably the most important thing to recognize about a firewall is that it implements an access control policy. If you don’t have a good idea of what kind of access you want to allow or to deny, a firewall really won’t help you. It’s also important to recognize that the firewall’s configuration, because it is a mechanism for enforcing policy, imposes its policy on everything behind it. Administrators for firewalls managing the connectivity for a large number of hosts therefore have a heavy responsibility.

    Inside Network Perimeter Security 2nd Ed by Northcutt et al

    A firewall is a chokepoint device that has a set of rules specifying what traffic it will allow or deny to pass through it. A firewall typically picks up where the border router leaves off and makes a much more thorough pass at filtering traffic.

    Security Engineering by Ross J. Anderson

    This is a machine that stands between a local network and the Internet, and filters out traffic that might be harmful.

    Building Internet Firewalls (2nd Edition) by Zwicky et al

    A component or set of components that restricts access between a protected network and the Internet, or between other sets of networks.

    Windows Server System Reference Architecture – Firewall Services Blueprint

    A firewall is a mechanism for controlling the flow of IP traffic between two networks. Firewall devices typically operate at L3 of the OSI model, although some models can operate at higher levels as well.

    Firewalls generally provide the following benefits: Defending internal servers from network attacks, Enforcing network usage and access policies, Monitoring traffic and generating alerts when suspicious patterns are detected.

    It is important to note that firewalls mitigate only certain types of security risks. This is important to note, as many organizations feel protected with a firewall alone. A firewall typically does not prevent the damage that can be inflicted against a server with a software vulnerability. Firewalls should be implemented as part of an organization’s comprehensive security architecture.

    I decided upon this definition: A Firewall is what I say a #$*&#@& firewall is.

    I will edit it a bit before I update the official written policy.

    Anybody Out There Using PhoneFactor for Two-Factor Authentication? [updated]

    PhoneFactor is an interesting Two-Factor Authentication scheme.


    1. Uses a phone number (cell, land line, whatever) instead of a token like RSA’s SecurID tokens, so it has to be cheaper (RSA tokens are expensive and only last so long).
    2. This second factor is out-of-band, so the man-in-the-middle vulnerability is neutralized. [Update: wrong!]

    Is anybody out there using it?

    Unexpected IT Issue With Hugoland

    RSA sent out this alert by email earlier today:

    On August 23, 2007, it was reported that Venezuelan clocks were set to a different time zone, Greenwich Mean Time (GMT) minus 4-1/2 hours, compared to the previous GMT minus four hours.

    RSA recommends that no server clock adjustments be made until vendor-specific operating system patches are available and tested by RSA to confirm that the time zone changes do not impact RSA Authentication Manager and other RSA products. At this time, no operating system patches are available to support the proposed Venezuelan GMT settings. Adjusting the server clock may result in all RSA SecurID authentications failing and other products ceasing to function properly. In addition, Software Token users should not adjust the clock on their PCs or mobile devices until vendor-specific operating system patches are made available and tested by RSA.
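    To see why RSA warns against touching the server clock, here is an added illustration (not RSA’s code; SecurID’s own algorithm is proprietary and is not reproduced here) built on the standard RFC 6238 TOTP construction with a one-minute step: a token keeps its own clock, so an administrator who shifts the server’s wall clock by the new half-hour offset moves the server 30 steps away from every token, far outside a one-step skew window, and every code is rejected. The seed, timestamp and window size are constructed for the example.

```python
"""Clock-skew demo for a time-based one-time-password verifier.

Uses the RFC 6238 / RFC 4226 construction (HMAC-SHA1 over a time counter,
dynamic truncation) as a stand-in for a hardware token; this is NOT RSA
SecurID's proprietary algorithm, only an illustration of the same dependency
on synchronized clocks.
"""
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-seed-not-a-real-token-seed"  # constructed sample seed
STEP_SECONDS = 60   # one code per minute, the cadence of a typical time-based token
SKEW_STEPS = 1      # server tolerates one step of drift either side of its own clock
DIGITS = 6


def otp_for_counter(secret: bytes, counter: int) -> str:
    """HOTP code for a given counter value (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def token_code(secret: bytes, unix_time: int) -> str:
    """What the token displays at a given (its own) Unix time."""
    return otp_for_counter(secret, unix_time // STEP_SECONDS)


def server_accepts(secret: bytes, presented: str, server_time: int) -> bool:
    """Accept the code if it matches any step within +/- SKEW_STEPS of the server's clock."""
    base = server_time // STEP_SECONDS
    for delta in range(-SKEW_STEPS, SKEW_STEPS + 1):
        if hmac.compare_digest(otp_for_counter(secret, base + delta), presented):
            return True
    return False


def simulate_clock_shift(shift_seconds: int, now: int = 1187900000) -> dict:
    """Token clock stays correct; the server's wall clock is moved by shift_seconds.

    `now` is a constructed timestamp (late August 2007). Returns whether the
    token's current code is accepted before and after the server clock shift.
    """
    code = token_code(SECRET, now)
    return {
        "before": server_accepts(SECRET, code, now),
        "after": server_accepts(SECRET, code, now + shift_seconds),
    }


def main() -> None:
    for label, shift in (("no adjustment", 0),
                         ("30 s of ordinary drift", 30),
                         ("half-hour time zone adjustment", 30 * 60)):
        print(f"{label:32s} {simulate_clock_shift(shift)}")


if __name__ == "__main__":
    main()
```

The same failure hits a Software Token user who adjusts the PC clock: the token side moves instead of the server side, and the distance between the two counters is identical.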

    Force HTTPS for GMAIL…

    …with the CustomizeGoogle add-on. It does lots of other things. Although I got it for the HTTPS, I am trying the other features a bit. So far, so good.

    Information Security Awareness by Cartoon

    Welcome to SecurityCartoon.com.

    Cyber NORAD?

    Tao Security suggests the need for a Cyber NORAD.

    Here are some quick thoughts that I had:

    1. Does it need to be in DOD?
    2. Does it need to be in DHS (please, no)?
    3. Does it need to be transnational?
    4. How much can be outsourced (don’t try to turn the counter-hackers into government employees)?
    5. What authority will it have?
    6. What will be its role toward private companies?
    7. How will it measure success?
    8. Where can I send my resume?

    Home Information Security Tip: Use the (Free) Secunia Software Inspector

    The link to it is here. Note that it runs in IE, not Firefox. It will:

    The Secunia Software Inspector will inspect your operating system and software for insecure versions and missing security updates. A default inspection normally lasts 5-40 seconds, while a thorough inspection may take several minutes. Note: If you have anti-virus software or similar enabled, an inspection may increase significantly in duration.

    To keep your Windows PC healthy, run an anti-virus program (like the free AVG), a firewall (I used to use the free Zone Alarm; I am currently testing the built-in Windows Firewall), don’t open attachments from people you don’t know (test the attachment here if you must), use an email service like Gmail’s or Yahoo’s that has server-side anti-malware/anti-spam filtering, scan your machine occasionally for adware, apply Windows security and application security patches on a regular basis, and make frequent backups of your data.

    If you get infected/compromised, you need to wipe and re-install the OS, re-load your apps and restore your data.

    “Chinese premier Wen Jiabao is ‘gravely concerned’ by allegations that hackers…”

    From Dark Reading:

    Chinese premier Wen Jiabao is ‘gravely concerned’ by allegations that hackers in his country have attacked German government systems, according to a report from the two countries’ diplomatic meeting earlier today.

    I don’t think Germany should worry. The Chinese/PLA hackers were just practicing for cyberwar against somebody else.

    I Just Listened to the New Rear Guard Security Podcasts (Episodes One and Two)

    I liked them.

    They were very informative (more so than most of what I read) and easy on the ears.

    Also, the disclaimer at the end was laugh out loud funny!

    Insider Threat References

    Here is the Link.

    Creating a National Information Security Board

    TaoSecurity calls for a National Digital Security Board (though I prefer calling it a National Information Security Board) modeled along the lines of the National Transportation Safety Board:

    Since its inception in 1967, the NTSB has investigated more than 124,000 aviation accidents and over 10,000 surface transportation accidents. In so doing, it has become one of the world’s premier accident investigation agencies. On call 24 hours a day, 365 days a year, NTSB investigators travel throughout the country and to every corner of the world to investigate significant accidents and develop factual records and safety recommendations.

    This is exactly what we need in digital security. Not the NTSB, but the NDSB — the National Digital Security Board. The NDSB should investigate intrusions disclosed by companies as a result of existing legislation. Like the NTSB, the NDSB would probably need legislation to authorize these investigations.

    Sounds like a good idea to me.

    This would put more sunshine on actual information security incidents. It would create an additional incentive for organizations to maintain a better security profile, in order to avoid an investigation that would no doubt bring negative publicity and loss of confidence from customers, employees, and investors. It would have the secondary effect of building up knowledge of security incidents that should be shared with all.

    Security Community Smackdown

    Financial Cryptography spread the word:

    The meme is starting to spread. It seems that the realisation that the security community is built on self-serving myths leading to systemic fraud has now entered the consciousness of the mainstream world.

    Link/Reference: SQL Injection Cheat Sheet

    Via Reddit –> Here

    Wired Magazine Online Used one of My Photos


    Here they are on Flickr.

    Do Shredders Matter: A Personal Information Security Experiment

    From Reddit, The Cockeyed Citizen presents “The Torn-Up Credit Card Application“:

    Is that good enough? Could a determined and dexterous criminal gather all the bits, tape them together and apply for a card in my name? Would a credit card company balk when confronted with an obviously resurrected application?

    Read the whole thing!

    My thought: would a shredder matter? The experiment should be repeated using a shredded application.

    Weekend Information Security Links, Part 1

    So many links, so little time.


    Porn and Filtering and PurpleMemories

    Jeff Hayes’ Blog has an article on Porn and Content Filtering.

    It made me think of four stories I have from running web proxy servers a few years ago for a large company:

    1) First time turning on the filters just to log (not to Block)

    The first porn surfer spotted was a nice guy known to me…and a hardcore evangelical Christian. Yikes. I stopped looking real quick. I didn’t want to know who else was porn surfing.

    2) Ballsy request(s) to unblock porn sites

    I was always surprised by the people asking to have web sites unblocked that, when we checked them, turned out to be hardcore or softcore porn. I certainly would not have had the guts to ask a Security Director unknown to me to open up a porn site. Lots of people did though.

    3) Weirdest incident involving a proxy server

    I was tracking down threats of physical and sexual harm done in a chat room to a Vikings fan by a Packers fan. Very weird.

    The incident came from the Corporate Counsel to me. I am sad to report the GB fan (and fellow employee) was the threatener.

    I don’t know what was done to the guy in the end. A very frustrating part of investigations at that company – HR always hushed things up.

    The best thing that came out of it was an answering machine message that had been on the victim’s machine, which I used for several years afterwards in the pre-do-not-call days: “Hello. If you are selling something or soliciting a contribution, please hang up now. Otherwise, leave your message after the beep”.

    4) Porn Story

    One morning when I came in, a PC break/fix technician and his supervisor were stalking my cube.

    While fixing the guy’s PC, they found what appeared to be large amounts of porn on it. Further investigation showed that this programmer was actually writing/supporting porn sites on company time. HR allowed him to quit and walk out, and hushed it up.

    Update 1/6/2008: Some grammar cleaned up.

    Information Security Lawfare Example on Identity Theft

    Flyingpenguin writes on ID Theft:

    The argument seems to be that the state finds ID theft investigations expensive, so they want to find the failed control points and hold them liable.

    Good Information Security Lawfare is all about governmental units creating economic incentives for good behavior – in this case, reducing identity theft (less money for bad guys) by creating incentives for the enablers to stop being enablers.

    Sunday Information Security Links

    Jeff Hayes has a Lock Picking Analogy:

    In the world of locks, the same premise holds true. Some locks are designed and tested much better than others. The lock picking hobbyist — the lock hackers — do us all, including the manufacturers, a service in assessing the security of these products. If the manufacturer demonstrates a weak design and QA process, then society at large is fully in its rights to bring those flaws to light.

    He also has a post on the principle of Least Privilege:

    The principle of least privilege requires that a user be given no more privilege than necessary to perform a job. This is done to enhance protection of data and functionality from faults and malicious behavior.

    Some things make me want to change fields: Security Focus on Quantum Computer Security:

    In the weird world of quantum computing, the state of computer systems networked together is so fragile that a read access to a single quantum bit, or qubit, on one machine would require a network-wide reset. It’s no wonder, then, that two researchers who are working on ways of defending against the future possibility of malicious attack assume that any unauthorized access to a quantum computer constitutes a catastrophic failure.

    Quantum computers make use of quantum physics, the rules of subatomic particles and light, to create a computing system. Where a classical computer uses binary values of 0 and 1, a quantum system can be in a state that represents either 0 or 1, or a probabilistic blend of both states, known as a “superposition,” so that it has the potential to be either 0 or 1 with its value only being determined at time of measurement. These quantum bits of information, or qubits, essentially take on all possibilities until measured, when the state of the qubits collapses to an actual value.

    The science behind quantum computing gets even weirder…

    There is no telling what such an attack might look like. Destroying data or circumventing a calculation on a quantum computer is the easiest course. Attackers could operate a rogue computer on the quantum network or coopt the communications line, he said.

    “We deliberately stay away from specifics of malware, such as Trojan horses, et cetera,” Lidar said. “So, quantum malware to us just looks like any malicious instruction set sent to an attacker.”


    Multiple Sources for Boarding Passes And Bad Security: Here, here, here, and here:

    Last week Christopher Soghoian created a Fake Boarding Pass Generator website, allowing anyone to create a fake Northwest Airlines boarding pass: any name, airport, date, flight. This action got him visited by the FBI, who later came back, smashed open his front door, and seized his computers and other belongings. It resulted in calls for his arrest.

    WatchYourEnd has USB Flash Drives Contain Evidence of a North Korean Spy Ring:

    A pro-North Korean group is under increased suspicion in South Korea, of providing a significant amount of information, including state secrets, to Pyongyang recently after large amounts of evidence were found on USB flash drives in their offices.

    Dark Reading on Strategic Security:

    Most C-level executives still view security as an operational issue, not a strategic issue, according to “Navigating Risk: The Business Case for Security.” The study, which researched the attitudes of some 213 top-level corporate, non-security executives, found that most security organizations are still operating in silos that are far removed from their highest-ranking decision makers.

    Despite frequent news about security breaches, most C-level executives report that they still have little direct responsibility for most aspects of security. And the few executives who do understand the issues often do not have the influence needed to do something about it.

    Dark Reading: Increasing Spam With New Malware Techniques:

    Unlike traditional methods of spamming, where each botnet sends out spam emails one at a time, SpamThru uses templates that lets them send millions of emails from a single bot-infected computer, MessageLabs’ Wood says. “The template approach is the equivalent to a mail merge.”

    What can be done:

    • Corporate firewalls should only allow mail servers to send email out, along with desktop firewalls controlling applications and traffic.
    • ISPs should require residential accounts to only relay email through them (with authentication).
    • Shared distributed blackholes of IP space that can be dropped at perimeters.
    • InfoSec Lawfare against enablers of bots.

    Security Focus on Employee Privacy, Employer Policy:

    Mark Rasch looks at two recent court cases where an employee’s reasonable expectation of privacy was more important than the employer’s ability to read any employee’s e-mail – despite a privacy policy that clearly stated any company e-mail can, and will, be monitored.

    A book review of Identity Crisis (something that has been on my to-do list).

    A reminder about the importance of power from SANS.

    More on Botnets from SecurIT.

    Weekend Information Security Links

    (ht Dark Reading) Anti-Phishing.org has an excellent PDF –> The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond:

    “Crimeware” is software that performs illegal actions unanticipated by a user running the software, which are intended to yield financial benefits to the distributor of the software.

    SecuriTeam: Money Mule Recruitment Over IM:

    Today was the first time we observed a money mule recruitment happening on instant messaging.

    Dark Reading: New Email Malware:

    There is less hard data about Haxdoor, which uses a rootkit to hide from the user and from most antivirus applications that might be running on the PC. Once installed, it hunts for passwords for popular Internet services — such as eBay, PayPal, or Web Money — and for popular email clients such as Outlook Express. The attacker can then use the passwords to carry out online fraud or identity theft, Panda says.

    Dark Reading: People Aspects of Information Security:

    Interestingly, however, organizations are finding it difficult to locate skilled security staff to work on the problem. While the number of security professionals increased 8.1 percent worldwide in the past year, “you can look at any jobs site and see that there are a lot of open positions out there,” Carey noted. As a result, many organizations are giving more responsibility to junior-level staffers and security outsourcing organizations, the report says.

    Well, duh. Supply and demand. Pay more for people who have the skills and more people will get the skills.

    Financial Cryptography: E-Tradecraft:

    Someone’s paying attention to the tracking ability of mobile phones. Darrent points to Spyblog who suggests some tips to whistleblowers (those who sacrifice their careers and sometimes their liberty to reveal crimes in government and other places)…

    Bruce Schneier.com: Chemical Residue Detectors

    Schneier on Security and Botnets:

    The trick here is to not let the computer’s legitimate owner know that someone else is controlling it. It’s an arms race between attacker and defender.

    Botnets are hard to shut down once established. The best thing is to have proper controls in place to begin with to prevent takeover, and to start forcing InfoSec Lawfare (economic incentives) against those who allow their networks to be used.

    Security Focus: An Information Security Lawfare Example:

    Federal prosecutors charged on Tuesday a 32-year-old Florida man with computer trespass in connection with the creation of a bot network and the targeting of Internet service provider Akamai with a denial-of-service attack more than two years ago.

    WatchYourEnd: Los Alamos Nuclear Weapons Data Found on Three USB Flash Drives During Drug Raid

    …police found classified nuclear data on three USB flash drives during a search of the trailer she shares with another man who was being investigated for drug charges. The information is believed to be classified as Secret Restricted Data which indicates it involves nuclear weapons data and…

    WatchYourEnd on Homeland Security and EndPoint Security: here and here:

    …Federal Homeland Security officials in Portland, Oregon are trying to find a lost USB thumb drive that may have held personal information on more than 900 current and former employees. This information included your standard “destroy a person’s life” data…


    …the Port of Seattle is reporting that six computer disks containing personal information for almost 7,000 people who work at the Seattle-Tacoma Airport are now missing. At this time they do not know if the disks were “misplace” or if they have been removed from Port property. No mention of encryption or other endpoint security measures and/or policies.

    Security Focus: Fraud Costs

    Two American brokerage houses have written off $22 million in fraud losses on their third quarter financials, citing spyware, stolen identities and hacker fraud as the cause.

    Security Focus: Spammers continue Lawfare against spam-fighter Spamhaus

    e360 is going after Spamhaus again, this time trying to use the US Marshals Service to seize http://www.spamhaus.org from Tucows, Inc.

    Schneier on Security: Links to Paleo-Security Article:

    Prehistoric evidence indicates that people have always been concerned with detecting whether others have tampered with their belongings. Early human beings may have swept the ground in front of their dwellings to detect trespassers’ footprints. At least 7,000 years ago, intricate stone carvings were…

    Security Humour Spotted by Securiteam:

    FLUNKY: Well, he says it’s bad security to create a privileged low-security channel for a lucky few.
    CEO: He isn’t a socialist, is he?

    CEO: Not interested. Let’s cut to the chase. What does he want my password changed to?
    FLUNKY: dF3#(~!pk40%L/sD:@
    CEO: This is a prank, right?

    Securiteam: A Wormboy’s Story

    When I came to work the next morning, all you could hear around the office was the sound of mutley, you would hear that laugh at least 3 times once every half hour. There were about 50 computers in the office. The Jig was up. The IT dept. had no clue what was going on, because norton didn’t detect it. Honestly they never had a clue.

    Jeff Hayes: Network Access Control:

    NAC is a very powerful tool. It allows a network to follow a predefined set of policies. It is policy-based networking at its finest. However, deploying it properly requires some detailed networking and security skills and knowledge.

    Javascript Malware

    From Dark Reading:

    Network security, in large part, had a huge role to play in creating the newest attacks. Network administrators rightly told their architects to build applications that could be tunneled over hypertext transfer protocol, while at the same time they would close down all access to any other unnecessary inbound services. Can you see the obvious flaw in their logic here?

    I was one of those people. We did what we could with the tools of the time.

    How it works:

    When a user inside a corporate LAN visits the malicious Web page, that Web page starts making requests to internal devices behind your firewall.

    The first thing the malware does is attempt to locate any machine that responds. Once it does that it attempts to fingerprint things on the machine that might tell the attacker more (like what Web server itself it is running, which might have default issues with it or a particular outdated version of an open sourced package with remote file includes built into it). Using that as a steppingstone, the malware attempts to execute the command on the user on your corporate intranet’s behalf. If the attack is successful the machine behind the firewall is compromised.

    It is all about layers:

    • Inbound and outbound web traffic should be scanned for viruses/malware.
    • A filtering service should be used that relies on a network of sensors and keeps current.
    • Desktops should have anti-malware and even centrally controlled desktop firewalls to control activity.
    • Internal intrusion detection through the use of standard IDS and honeypots.
    • Network/security zone segmentation and internal firewalls (at L2 or L3) to break the network down further.
    • Log everything centrally, with IP/user ID when possible.
    • Use traffic analysis by segment, triggering on unusual patterns.
    • Treat your internal network server pool just like a DMZ, with closed access.
    • Do watch outbound failures on your firewalls – they are a great source of intel on bad things going on.
    • You need to watch for and respond quickly to this stuff.
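    As an added example (not from the original post and not any vendor’s tooling), here is the kind of detection the “watch outbound failures on your firewalls” and “log everything centrally with IP/user ID” points above lead to, applied to the two patterns this page describes: a browser driven by a malicious page fanning out to many internal hosts behind an internal firewall, and a workstation trying to send SMTP directly instead of through the sanctioned relay (the spam point earlier, “only allow mail servers to send email out”). The log line format, addresses, user names, relay list and thresholds are all constructed for the example.

```python
"""Flag suspicious sources in firewall DENY logs.

Two detections over a constructed, vendor-neutral deny-log format:
  * fan-out: an internal source denied to many distinct destinations within a
    short window (what a browser running hostile JavaScript, or a bot, looks like)
  * direct SMTP: an internal host that is not a sanctioned mail relay trying to
    reach port 25 outside the network (what a spam bot looks like)
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines (not a real vendor syslog format):
#   <ISO timestamp> DENY <src>:<sport> -> <dst>:<dport>/<proto> user=<id>
SAMPLE_LOG = """\
2007-08-27T09:00:01 DENY 10.1.5.23:51000 -> 10.1.9.1:80/tcp user=jdoe
2007-08-27T09:00:01 DENY 10.1.5.23:51001 -> 10.1.9.2:80/tcp user=jdoe
2007-08-27T09:00:02 DENY 10.1.5.23:51002 -> 10.1.9.3:80/tcp user=jdoe
2007-08-27T09:00:02 DENY 10.1.5.23:51003 -> 10.1.9.4:8080/tcp user=jdoe
2007-08-27T09:00:03 DENY 10.1.5.23:51004 -> 10.1.9.5:80/tcp user=jdoe
2007-08-27T09:00:03 DENY 10.1.5.23:51005 -> 10.1.9.6:443/tcp user=jdoe
2007-08-27T09:00:04 DENY 10.1.5.23:51006 -> 10.1.9.7:80/tcp user=jdoe
2007-08-27T09:00:04 DENY 10.1.5.23:51007 -> 10.1.9.8:80/tcp user=jdoe
2007-08-27T09:05:00 DENY 10.1.5.40:40022 -> 198.51.100.7:25/tcp user=asmith
2007-08-27T09:05:09 DENY 10.1.5.40:40023 -> 198.51.100.8:25/tcp user=asmith
2007-08-27T09:30:00 DENY 10.1.5.77:52000 -> 203.0.113.5:443/tcp user=bkim
2007-08-27T11:30:00 DENY 10.1.5.77:52010 -> 203.0.113.9:443/tcp user=bkim
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"/(?P<proto>\w+) user=(?P<user>\S+)$"
)
INTERNAL = ip_network("10.0.0.0/8")              # constructed: the corporate address space
MAIL_RELAYS = {ip_address("10.1.2.25")}          # constructed: hosts allowed to speak SMTP out
FANOUT_THRESHOLD = 5                             # distinct denied destinations ...
FANOUT_WINDOW = timedelta(seconds=10)            # ... within this many seconds


def parse_log(text: str) -> list:
    """Parse deny lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": ip_address(m["src"]),
            "dst": ip_address(m["dst"]),
            "dport": int(m["dport"]),
            "user": m["user"],
        })
    return events


def fanout_alerts(events: list) -> dict:
    """Map source IP -> peak number of distinct denied destinations seen inside one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["src"] in INTERNAL:
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):                 # sliding window over sorted events
            while evs[end]["ts"] - evs[start]["ts"] > FANOUT_WINDOW:
                start += 1
            distinct = {e["dst"] for e in evs[start:end + 1]}
            if len(distinct) >= FANOUT_THRESHOLD:
                alerts[str(src)] = max(alerts.get(str(src), 0), len(distinct))
    return alerts


def direct_smtp_alerts(events: list) -> list:
    """(source IP, user) pairs for non-relay internal hosts denied to external port 25."""
    return sorted({
        (str(e["src"]), e["user"])
        for e in events
        if e["dport"] == 25 and e["src"] in INTERNAL
        and e["src"] not in MAIL_RELAYS and e["dst"] not in INTERNAL
    })


def analyse(text: str = SAMPLE_LOG) -> dict:
    events = parse_log(text)
    return {"fanout": fanout_alerts(events), "direct_smtp": direct_smtp_alerts(events)}


if __name__ == "__main__":
    print(analyse())
```

Host 10.1.5.77 in the sample is the baseline: two denies two hours apart never trip the window, which is the difference between ordinary noise and something worth a ticket.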