Pingree on Security - Security

DNS Cache Poisoning again? I thought it died already...

nospam@example.com (Lawrence Pingree) — Thu, 10 Jul 2008 11:27:04 -0700

Apparently a newly discovered vulnerability in DNS allows for cache poisoning yet again. The poisoning is related to essentially brute forcing the transaction ID where some DNS servers don't use the correct number of bits to make it more difficult to guess. Do the RFC's need some work now?

Check the article here

Free Julie Amero!

nospam@example.com (Lawrence Pingree) — Thu, 10 Jul 2008 11:21:53 -0700

I'm not sure why this court case is still on, since its just obvious to almost any security person that this woman didn't do anything wrong. Its not like she "intended" to subject the children to smut and porn, its adware silly! Anyhow, I think this case should be dropped. Apparently its still in limbo.... see here

Is the RIAA out of control with enforcement?

nospam@example.com (Lawrence Pingree) — Sun, 08 Jun 2008 07:24:01 -0700

An interesting article on how research and enforcement activities of companies trying to ensure their data is not shared illegally can sometimes go awry.

[...]

While denial-of-service attacks are common occurrences on the Internet,
Revision3's investigation found that it was targeted not by
hard-to-prosecute political hacktivists or criminal groups, but by a
company known for its aggressive tactics against file sharers,
anti-piracy firm MediaDefender.

The company, a subsidiary of music firm ArtistDirect that counts a
number of record labels and movie studios as its clients, apparently
discovered that digital pirates had listed illegally-copied content on
Revision3's BitTorrent directory, Louderback learned during a
conference call with the firm this week. Rather than contacting
Revision3 to divulge the security weakness, however, MediaDefender
placed fake listings, or torrents, on the online video firm's servers
in an attempt to identify people who were downloading illegal content.

When Revision3 beefed up security last week to prevent others from
listing content on its tracker server, MediaDefender's computers
responded by repeatedly trying to access the files, overwhelming
Revision3's network, Louderback told SecurityFocus in an interview.

[...]

Are you being watched at work?

nospam@example.com (Lawrence Pingree) — Tue, 27 May 2008 10:45:56 -0700

Excellent PC Mag article on Employee Monitoring. Personally I've worked to monitor employee's email, web and Instant messaging as part of my Forensic and Investigations work while working at several of my jobs, so this is a very real concern. See an Excerpt below:

[...]

It's possible that someone has been reading your e-mails, listening to your phone calls, and tracking your Internet use. No, it's not a foreign spy. It's not even your ex—it's your employer. And she doesn't even need to tell you she's doing it.

Employers can legally monitor their workers however they want. They can log and review all computer activity as long as they own the machines. The most popular method of keeping tabs on employees is to track Internet use: A whopping 66 percent of companies monitor employee Internet activity, according to a survey released in February by the American Management Association and the ePolicy Institute. What are they looking for? Frequent visits to sexually explicit sites, game sites, and social-networking sites like Facebook on company time. Almost a third of those who said they monitor their employees have fired someone for inappropriate Web surfing.

[...]

Automated Forex Trading

nospam@example.com (Lawrence Pingree) — Sun, 25 May 2008 11:16:53 -0700

Off topic, if any of you are interested in automated investments with as little as $1000 and profit potential of 7% per month you should check out http://trademaster.zulutrade.com it offers automated signal services that are free to the trader. All you do is fund your account, pick a trade signal provider from their performance page and sit back and watch the trades execute. (Of course past performance is not indicative of future performance based on market conditions). If you want to learn more about the Forex and Trading, I suggest clicking on the "School" section at http://www.babypips.com

Paypal XSS, ethics and the law

nospam@example.com (Lawrence Pingree) — Fri, 16 May 2008 15:05:28 -0700

Today a man by the name of Harry Sintonen announced that the paypal payment processing site was exploitable by an XSS attack. In the back of my mind I was thinking how fitting his last name was "Sin"tonen. Apparently he demonstrated this to a journalist and during the "online interview" executed an XSS attack that exploited the vulnerability on the paypal website and used an alert pop-up to show the issue. The article is here

Now, I understand that its important that these types of companies (such as paypal) need to be looking for this type of bug and I'm certain that Paypal has an army of security personnel that are slated to ensure this sort of thing does not happen. What I'd like to take issue with is the fact that the public has no business executing attacks against websites on the internet and the fact that they are doing so is not only unethical but criminal. Its great that people know how to execute attacks, XSS and SQL injections are not that tough, especially given that paros proxy, web scarab and tamperdata for firefox etc allow you to easily push these to websites using your desktop. But just cause you CAN do something doesn't mean that you should and I feel publicizing this sort of this is just downright irresponsible and if its not illegal in finland, it darned well should be!

Interesting Security Poll of users on the street

nospam@example.com (Lawrence Pingree) — Thu, 15 May 2008 09:54:15 -0700

One thing that all of us forget is some of the basics in security. The following article is a survey RSA had performed in 2007 which asked security related questions about user activities. I found the numbers somewhat amusing and validated my own thinking in terms of where efforts needed to be focused. I thought it was interesting that Government employee's seem to be more on top of security (at least physical) than the corporate world.

Read the article here

Intrusion Tolerance replacing intrusion detection?

nospam@example.com (Lawrence Pingree) — Tue, 13 May 2008 12:13:14 -0700

Is "Intrusion Tolerance" replacing "Intrusion Detection and Prevention"? I doubt it.

Reading an article on DarkReading today about a new project started by "Aron Sood" that he's dubbed "Intrusion Tolerance". Basically the approach is simple, his idea was to take a "clean" copy of a web, dns or other server and rotate it into 1st position on the DMZ on a regular interval roughly 1 minute. He commented that this would lower the window of opportunity for a system to become breached and limit the data loss exposure.

In my humble opinion, Intrusion Detection and Prevention is not going away any time soon and here's why:

1. Web Servers don't normally store sensitive data these days (Application Databases do).
2. This does nothing to prevent zero day application exploit via the exposed web server.
3. To infect a system only takes moments and therefore any exposure for even more than 1 second can lead to a breach. Case in point - Place an unpatched Windows XP system on the internet for about 10 minutes and whammo, you'll have several worms infecting your machine in that timeframe.

Summary:

Although this technology helps aid us security folks in our endevour, its by no means a panacea. Honestly, this is only one small component that can be added to your overall security strategy and call it a day. Don't drop your Firewall, Intrustion Detection and Prevention and other compliance technologies on account of someone saying they will "limit" your data loss. I'll be keeping an eye on this technology as it has some promise if combined with the right complementary technologies. We'll see.

Read the Article here

Read about SCIT - Self Cleansing Intrusion Tolerance here

Identity theft and Renault website

nospam@example.com (Lawrence Pingree) — Thu, 08 May 2008 11:30:28 -0700

I hate to say it but it bothers me when people send the wrong message to the public regarding identity theft. Simply having someone's name, address and phone number is not enough to perform identity theft. I believe the media has a tendancy to embelish the idea of stealing someone's information and then having free reign to charge it up on the person's credit as this article suggests. The article says it can be used to perform phishing which is accurate and can help someone perform such a technique, but the data in question that has been so called "leaked" is public data with possibly the exception of the email address. Just trying to keep us all honest.

Social Security and Personal information on Riverside Court

nospam@example.com (Lawrence Pingree) — Fri, 02 May 2008 13:29:12 -0700

I was just reading an article on the Riverside court, essentially anything disclosed in a court case is considered a matter of public record in california courts. So its important that people know that what they disclose to courts gets input into imaging software or databases and sometimes (like this case) can be viewed online. My suggestion to the public is to ensure that your documents obfiscate certain personal information that can be used incorrectly when obtained. I also would encourage local officials to pass legislation to bar courts from posting documents containing PII onto the internet. Its bad enough that we have a PII problem on system's within corporations, but having the court disclose it is a breach that should be treated the same way as a corporate breach. Of course this makes too much sense for regulators.

Trust

nospam@example.com (Lawrence Pingree) — Thu, 24 Apr 2008 22:36:20 -0700

Main Entry:

¹trust
Pronunciation:: \?tr?st\
Function:: noun
Etymology:: Middle English, probably of Scandinavian origin; akin to Old Norse traust trust; akin to Old English tr?owe faithful — more at true
Date:: 13th century

1 a: assured reliance on the character, ability, strength, or truth of someone or something b: one in which confidence is placed
2 a: dependence on something future or contingent : hope b: reliance on future payment for property (as merchandise) delivered : credit <bought furniture on trust>
3 a: a property interest held by one person for the benefit of another b: a combination of firms or corporations formed by a legal agreement; especially : one that reduces or threatens to reduce competition
4archaic : trustworthiness
5 a (1): a charge or duty imposed in faith or confidence or as a condition of some relationship (2): something committed or entrusted to one to be used or cared for in the interest of another b: responsible charge or office c: care, custody <the child committed to her trust>

— in trust

: in the care or possession of a trustee

SOURCE: Merriam-Webster, Incorporated

Using credit statistics to determine who is most trustworthy

nospam@example.com (Lawrence Pingree) — Mon, 07 Apr 2008 21:46:25 -0700

I was cruising different ways to invest and I came across some statistics for a service that I use to lend people money. The statistics show the different types of job categories, the amount lent to the categories and the % late each of them are. The thing that I found interesting is that Clergy and Lawyers were the least likely to be late on loans. The stats are taken from prosper.com, a P2P lending service. It then occurred to me... is it possible to tell how trustworthy a person is by the way that they pay their bills? I mean, isn't a loan a promise to repay a debt, so if we were to expand this somewhat to trust, is it such a stretch? I'm sure some would disagree, but interesting none the less. Check the following stats and make your own conclusions.

Consumers on the hook for security in UK banking

nospam@example.com (Lawrence Pingree) — Mon, 07 Apr 2008 06:11:02 -0700

Well, I knew it was coming but now it has come and we're entering a new phase of accountability at the consumer endpoint. Now consumer's in the UK are being held accountable to have properly updated AV, Firewalls and Anti-Spyware... What a concept! I'm assuming this will soon be coming to the USA. I'm fairly certain that any lawsuit involving an end consumer would be defensible in this way in the USA already but I'm not a lawyer. I'm also not sure if any bank wants this type of PR yet, but we'll see. Check the article here

Assembly Bill 1298 Extends California's SB1386

nospam@example.com (Lawrence Pingree) — Mon, 07 Apr 2008 05:45:05 -0700

I'm not sure if everyone is aware of this, but in January, SB1386 was extended to include medical information and medical insurance information breached requires notification. A copy of the law is located here coupled with other notification laws, doing business in California means that businesses must be more responsible than ever, requirements that should have existed for years in my opinion.

Interesting HIPAA Study on Dentists

nospam@example.com (Lawrence Pingree) — Mon, 07 Apr 2008 05:20:46 -0700

An interesting survey of 18 dentists was conducted to assess the compliance to HIPAA. The Health Insurance Portability and Accountability act of 1996 defines some of the protections necessary for patient confidentiality and privacy. The dentists were given 10 compliance questions by Darrell Pruitt D.D.S.

Quote:
"The range of compliancy was found to be from 0% for the requirement of a written workstation policy to 88% for that of password security. The average was 49%, meaning that less than half of the requirements are being respected by the dentists in this sample."

Read the article here