Welcome to the new home of the SBN

If you are reading this, welcome to the new home of the Security Bloggers Network. You can reach this site from the URL http://www.securitybloggers.net or http://www.securitybloggersnetwork.com. Thanks to Lijit for providing a new home to the SBN. Also be on the lookout for new features coming soon. You can subscribe to the feed for this site by clicking on the button on the right side.

Thanks for visiting and stay tuned for lots of great new features!

Posted in Security.

Webcast, on July 7, Maintaining PCI Compliance!

Please join me on July 7 for an informative webcast on Maintaining PCI Compliance! To register or attend, please go to: http://www.brighttalk.com/webcasts/4431/attend.

Now that Level I merchants have undergone a few annual Payment Card Industry (PCI) assessments (and Level 2 merchants are soon to be doing the same), they are addressing the realization that a mature, sustainable compliance program requires more than once-a-year rallying to prepare for, participate in, and pass an assessment. Daily operational focus and ongoing effort are vital to protect investments in compliance, manage risk, and minimize the business disruptions and costs associated with achieving and demonstrating compliance year after year. This presentation discusses best practices for building a compliance program that can be supported and maintained year-round while also alleviating the burden on IT staff. When implemented effectively, the practices can help your company mitigate risk, reduce costs, and boost confidence in compliance by developing a cohesive plan for ongoing PCI assessment, maintenance, and refinement.

Posted in Security.

Cracking a 200 Year Old Cipher

I have a half dozen books on Thomas Jefferson’s life, but this is a pretty cool story I had never heard before. The Wall Street Journal this morning has a story about a Professor Robert Patterson, who had developed what appears to be a reasonably advanced cipher, and sent an enciphered message to President Jefferson in 1801. He provided Jefferson with the message, the cipher, and hints as to how it worked, but it is assumed that Jefferson was never able to decrypt the message. The message was only recently decrypted by Dr. Lawren Smithline, a 36-year-old mathematician who works at the Center for Communications Research in Princeton, N.J., a division of the Institute for Defense Analyses.

The key to the code consisted of a series of two-digit pairs. The first digit indicated the line number within a section, while the second was the number of letters added to the beginning of that row. For instance, if the key was 58, 71, 33, that meant that Mr. Patterson moved row five to the first line of a section and added eight random letters; then moved row seven to the second line and added one letter, and then moved row three to the third line and added three random letters. Mr. Patterson estimated that the potential combinations to solve the puzzle were “upwards of ninety millions of millions.”

After about a week of working on the puzzle, the numerical key to Mr. Patterson’s cipher emerged — 13, 34, 57, 65, 22, 78, 49. Using that digital key, he was able to unfurl the cipher’s text: “In Congress, July Fourth, one thousand seven hundred and seventy six. A declaration by the Representatives of the United States of America in Congress assembled. When in the course of human events…”
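To make the key structure described above concrete, here is an added Python example (not part of the original post, and not Smithline’s method) that enciphers and deciphers text under the row-shuffling scheme as the post describes it: text written in rows, rows grouped into sections of n lines, and each key pair (row, pad) saying which original row lands on the next output line and how many random letters are prepended to it. The row length, the letters-only cleanup and the “X” filler for an incomplete last section are assumptions of this example. Because the post’s “58, 71, 33” is only a fragment of a longer key (row 7 cannot exist in a three-row section), the example uses the full seven-pair key that was recovered, 13, 34, 57, 65, 22, 78, 49, which names rows 1 through 7 exactly once.

```python
import random
import string

ALPHABET = string.ascii_uppercase


def clean(text):
    """Reduce plaintext to a bare stream of upper-case letters; dropping spaces
    and punctuation is a simplification assumed by this example."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def parse_key(pairs):
    """Turn key pairs such as ["13", "34", ...] into [(row, pad), ...] and check
    that the key names every row of a section exactly once."""
    key = [(int(p[0]), int(p[1])) for p in pairs]
    if sorted(row for row, _ in key) != list(range(1, len(key) + 1)):
        raise ValueError("key must list each row number 1..n exactly once")
    return key


def encipher(plaintext, key, row_len=10, seed=None):
    """Write the letters in rows of row_len, cut the rows into sections of n rows
    (n = number of key pairs), then emit each section's rows in key order with
    `pad` random letters prepended to each. Returns the ciphertext lines."""
    rng = random.Random(seed)  # seed only so the demo is reproducible
    n = len(key)
    letters = clean(plaintext)
    section_len = n * row_len
    letters += "X" * (-len(letters) % section_len)  # filler completes the last section (assumption)
    lines = []
    for start in range(0, len(letters), section_len):
        rows = [letters[start + i * row_len: start + (i + 1) * row_len] for i in range(n)]
        for row_no, pad in key:
            filler = "".join(rng.choice(ALPHABET) for _ in range(pad))
            lines.append(filler + rows[row_no - 1])
    return lines


def decipher(lines, key):
    """Undo encipher: for each section, strip each line's padding and put the
    row back at the position the key says it came from."""
    n = len(key)
    if len(lines) % n:
        raise ValueError("ciphertext must consist of whole sections")
    out = []
    for start in range(0, len(lines), n):
        rows = [None] * n
        for i, (row_no, pad) in enumerate(key):
            rows[row_no - 1] = lines[start + i][pad:]
        out.append("".join(rows))
    return "".join(out)


if __name__ == "__main__":
    key = parse_key(["13", "34", "57", "65", "22", "78", "49"])  # the recovered key
    lines = encipher("In Congress, July Fourth, one thousand seven hundred and seventy six",
                     key, row_len=10, seed=7)
    for line in lines:
        print(line)
    print(decipher(lines, key))
```

Note that anyone holding the key deciphers with a single pass; without it, the solver must recover both the row order and the per-line padding counts, which is what the post’s week of work and the “ninety millions of millions” estimate refer to.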

I am not sure why I am fascinated by this discovery. Perhaps it’s a bit like discovering hidden treasure.

- Adrian

Posted in Security.

Security Job Posting - PKI - DC Metro Area

I have a client looking for candidates for the positions below. Let me know your interest. If you are not interested, forward this position to anyone you think may be interested.

Clearance: TS or Secret (one TS for each category personnel would be preferable)
Place of Performance: Crystal City. BRAC will move them to Ft. Belvoir in 2010-2011

Below are two Job Descriptions

Salary Range (Policy Analyst): $61K-$95K (negotiable)
Job Description (Policy): Expertise in developing Army policy and conducting studies in support of Army CAC/PKI. Analysis and studies regarding the Army’s needs as they relate to HSPD-12, DoD policy, certificate management, wireless policy, CAC issuance, smart cards, PKE of applications, and SIPRNET/classified PKI policies and issues. Expertise in Army CAC/PKI objectives related to legislation, policy, procedures and programs. Writing, staffing and coordinating program-specific issues including plans, policies, papers, studies and standards. Build a strategic agenda for the Army to meet its CAC/PKI requirements and objectives. Provide liaison support with Human Resources Command (HRC) and DEERS/RAPIDS. Evaluate and advise the GTL in regard to emerging developments as they relate to Defense, National and International Electronic Data Interchange standards, concepts, technologies and applications. Subject matter expertise in the following standards: X.509, Certificate Practice Statements, Federal Information Processing Standards (FIPS) 201 and 140, National Institute of Standards and Technology (NIST) Special Publications (SP) 800-73, 800-78-1, and 800-79-1, and National Security Telecommunications and Information Systems Security Policy (NSTISSP) No. 11.

Salary Range (RA): $50K-$85K (negotiable)
Job Description (RA/LRA): Expertise in Army PKI software-based certificate registration process. Training for RA/LRA through DISA RA Training. Verify the identity and information for each software certificate subscriber; issue software certificates; revoke software certificates; and add, modify or delete directory entries. Provide RA subject matter expertise for the RA Certificate Practice Statement (RACPS) and LRA CPS. Provide operational support to users in downloading and installing certificates. Manage the alternate smart card process for both SIPRNET and NIPRNET. Provide management and oversight for Army CAC PIN Reset (CPR) workstations.

Regards

Jere Keener
Keenerstaffing LLC

Jere.Keener@KeenerStaffing.com
703.732.6879

Posted in Security.

Profile: Tufin Technologies

If you work in IT, then you have devices to manage. There is no escaping this fact. Often device management comes down to numbers and resources: how many devices are there to manage, where are they located, who has access to them, and when someone in Chicago changes a policy, will that affect the office in Manhattan?

Posted in Security.

More Michael Jackson related attacks online

Several security vendors are issuing reports about Michael Jackson-related malware, either in the form of a mass-mailing worm or search-related domains that offer images. The aim is to use the shock of the pop star’s death to lure victims into downloading images, video, music, and news articles with the latest information.

F-Secure, on Monday, discovered several domains that are spreading malware related to the singer’s death.

Posted in Security.

Rebellion over an ID plan


What they were emphatically not doing, said Jay Platt, the third-generation proprietor of the ranch, was abiding by a federally recommended livestock identification plan, intended to speed the tracing of animal diseases, that has caused an uproar among ranchers. They were not attaching the recommended tags with microchips that would allow the computerized recording of livestock movements from birth to the slaughterhouse.

“This plan is expensive, it’s intrusive, and there’s no need for it,” Mr. Platt said.

The New York Times reports that not even cattle need Real ID in “Rebellion on the Range Over a Cattle ID Plan.” There’s a web site, NoNAIS.org, which is tracking things like:

Oklahoma is now mandating Premises ID for anyone wanting to participate in the Swine Shows. One more tricky little way that they make “voluntary” into mandatory.

Image: IstockPhoto

Posted in Security.

Firefox 3.5 to get first patch mid-late July

Mozilla is said to be planning a round of patches and bug fixes for their newly released browser version due later this month. As was the case during the 3.0 release, Mozilla released Firefox 3.0.1 just four weeks later, addressing several bugs and security issues.

The patches, coming only a few weeks after Firefox 3.5 was released to the public, will address what Mozilla calls topcrashes, or bugs that lead to consistent crashes in the browser.

Posted in Security.

Handling the Politics of NAC Policies

Network access control technologies are complicated enough to plan and implement on a technological level, but dealing with the politics of policies can be an entirely new headache your IT department never saw coming.

Conversations about NAC frequently start with basic information gathering: What features are you looking for? What operating systems and switches are in the environment? How do you want to handle non-compliant devices? And, of course, the sales guy will slip in the ol’ “What’s your budget?” line.

Take this set of Q&A with a grain of salt. When making decisions about NAC, there’s another set of primary questions that should be addressed first: What are the primary drivers for implementing NAC? What organizational policies need to be enforced? Where is your organization’s trade-off between security and productivity?

The Technology of Policy

For the network administrators, IT directors and technologists these questions are the equivalent of that mandatory legal jargon in size 6 font on a page footer; superfluous at best and an impediment at worst. And so here comes the catch-22 we face in every NAC implementation — the struggle of finding the equilibrium between the policies of management and the technology of security.

When we talk about network access control systems, we start talking about segmenting, VLAN-ing, quarantining and isolating devices and/or users from the various network resources. We’re stopping users from accessing the Internet, we’re stopping laptops from accessing the primary database servers and maybe we’re even preventing a critical billing or HR system from accessing the resource it needs to cut the weekly paychecks. We are, as technologists, implementing a control that will, in effect, be playing God on the network.

And yes, I know the prospect of total supreme network domination is exceptionally appealing to you all. Aside from sounding cool, it does give us complete purview over the network and control over any objects that may become security risks for the organization. For those of you who have spent your entire career protecting the network from dumb users and protecting those same dumb users from themselves, NAC can be a key tool for you; however, implemented without controls and proper planning, it can also be the bane of your (and everyone else’s) existence. Why? It’s pretty simple, the first time a critical system or critical employee gets zapped from the network, either you or your NAC solution will disappear — and quickly.

I get dirty looks every time I say this, but it’s true - network access control is a BUSINESS DECISION, not a technology decision. We put the technology in place ONLY for the purpose of supporting and enforcing an organizational policy that is already in place. When organizations do it the other way around and start making policies around the technology, they’ve doomed the project before it began.

There are a host of reasons not to set access policies willy-nilly on the network. Aside from the obvious ones, there’s an assortment of legal and business reasons to hold off on total network domination. In this age, the IT department is forced to take into account such off-the-wall issues as human resources policies, compliance and regulation mandates, corporate initiatives and even partner contracts. What if one of your newly imposed NAC policies conflicted with a primary policy or standard for operation and violated your organization’s HIPAA or SOX compliance? What if you cut off a partner resource that was contractually provisioned with an uptime guarantee? Or what if the policy you set is simply not enforceable by the HR department?

Five Steps for a Successful Start

If NAC is something your organization’s management recognizes as a necessity and has signed off on, then you’re heading down the right path and there are some key things to consider in a successful NAC rollout.

1. REVIEW your organization’s current policies on network resource usage, access and enforcement. If they need to be updated or rewritten, do that first and then continue with your project.
2. IDENTIFY, ORGANIZE AND CATEGORIZE key resources, devices and users. You don’t want to cut off your arm if your finger is bleeding, and for some users, you don’t want to ever cut off anything. Understanding the key pieces in the network is the first step to matching your NAC policies to the real policies.
3. MAP the NAC policies to your organization’s usage policies. That’s why we do step 1 first. If users in Group A aren’t allowed to reach Resource X in Circumstances C, D or E, then make it happen that way. If a device is critical, exempt it from enforcement policies and only monitor and audit it.
4. START slowly and monitor first. Most NAC solutions offer a monitor-only function that allows you to create policies and then determine which systems would pass or fail based on the current posture of the devices — without actually enforcing any restrictions. Monitoring lets you ease in to the solution, identify non-compliant devices and fix them before your help desk (or your cell phone) is inundated with calls from end users.
5. RINSE AND REPEAT. NAC policies need adjusting as endpoints, programs and the Internet change and evolve. New threats and new organizational goals are always on the horizon, and the only way to prevent stale and useless policies is to stay on top of them.
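As an added illustration of steps 2 through 4 (example code, not from the article or any NAC product), the Python below models a NAC policy as three parts: the written usage rules of step 1 translated one for one (step 3), a list of critical devices that are never enforced against and only audited (step 2), and an enforce flag that starts off, so the same rules run in monitor-only mode and report what they would have done (step 4). The rule shapes, the posture flag, and the sample events are constructed for this example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class UsageRule:
    """One line of the written usage policy (step 1): members of `group` may not
    reach `resource` in any of `circumstances`; "*" means under all circumstances."""
    group: str
    resource: str
    circumstances: frozenset


@dataclass
class NacPolicy:
    rules: list                 # step 3: the usage policy, translated rule for rule
    critical_devices: set       # step 2: never enforced against, only monitored and audited
    enforce: bool = False       # step 4: start in monitor-only mode


@dataclass(frozen=True)
class AccessEvent:
    device: str
    group: str
    resource: str
    circumstance: str
    posture_ok: bool            # endpoint passed the health check (assumed posture field)


def evaluate(policy, ev):
    """Return (decision, reason) for one access attempt."""
    reasons = []
    for rule in policy.rules:
        if (rule.group == ev.group and rule.resource == ev.resource
                and ("*" in rule.circumstances or ev.circumstance in rule.circumstances)):
            reasons.append(f"{ev.group} may not reach {ev.resource} when {ev.circumstance}")
    if not ev.posture_ok:
        reasons.append("endpoint failed posture check")
    if not reasons:
        return "allow", "compliant"
    reason = "; ".join(reasons)
    if ev.device in policy.critical_devices:
        return "audit", "critical device, monitored only: " + reason
    if policy.enforce:
        return "quarantine", reason
    return "would-quarantine", reason


def rollout_report(policy, events):
    """Count decisions over a batch of observed events. In monitor-only mode the
    'would-quarantine' figure is how many users you would have cut off (and how
    many help-desk calls you would have taken) had enforcement been on."""
    return Counter(evaluate(policy, ev)[0] for ev in events)


# Constructed sample policy and events (not from the article).
SAMPLE_RULES = [
    UsageRule("contractors", "finance-db", frozenset({"offsite", "after_hours"})),
    UsageRule("guests", "intranet", frozenset({"*"})),
]
SAMPLE_EVENTS = [
    AccessEvent("lt-042", "contractors", "finance-db", "offsite", True),
    AccessEvent("payroll-srv", "service", "payroll-db", "onsite", False),  # critical, failed posture
    AccessEvent("lt-007", "staff", "intranet", "onsite", True),
    AccessEvent("lt-019", "staff", "intranet", "onsite", False),
    AccessEvent("kiosk-1", "guests", "intranet", "onsite", True),
]


def sample_policy(enforce=False):
    return NacPolicy(rules=SAMPLE_RULES, critical_devices={"payroll-srv"}, enforce=enforce)


if __name__ == "__main__":
    for mode in (False, True):
        policy = sample_policy(enforce=mode)
        print("enforce =", mode)
        for ev in SAMPLE_EVENTS:
            print("  ", ev.device, *evaluate(policy, ev))
        print("  ", dict(rollout_report(policy, SAMPLE_EVENTS)))
```

Run in monitor mode first: the payroll server that failed its posture check is reported for audit but never touched, and the three would-quarantine results tell you how many users (and calls) flipping enforce to True would produce before you actually flip it.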


This content and similar articles appear in Search Midmarket Security by TechTarget.



Posted in Security.

Pornography, government and the Internet

It’s probably superstition, but it seems that news stories come in bunches. Today’s theme is: “governments across the planet try to deal with Internet pornography”:

– The Green-Dam saga continues. China delayed indefinitely the requirement that new computers have an installation of Green Dam-Youth Escort filtering software to protect young people from pornographic and violent Internet content. The big question seems to be: “will the delay be temporary or permanent.” They really should just make the filtering voluntary AFTER they get rid of the political censorship issue and AFTER they resolve the copyright-infringement issues and AFTER they fix the vulnerabilities in it. But I digress.

– The Ukraine has made illegal the possession of pornography except for medicinal purposes. I just don’t know what to say about “medicinal purposes” except that it’s going to generate another category of spam that will probably give a whole new meaning to “Canadian pharmacy.”

– In the U.S., several adult-content web sites appear to be collateral casualties of the take down of the Pricewert ISP by the Federal Trade Commission. Some are reporting the loss of $5,000 per day. Some are scrambling to find their web site content, since the Federal court and FTC confiscated Pricewert’s servers. I guess the lesson here is: don’t do business with businesses that do illegal stuff.

– The Georgia (USA) Bureau of Investigation is warning that an email containing a six-minute child porn video is circulating in the Stone Mountain area. The video might be a 2005 clip from the Dominican Republic that has been known to investigators. There are conflicting news reports, but at least one says it’s being spammed by malware. Possession of the video on one’s computer is a felony in the U.S. Investigators are telling Internet users to delete the email on sight (Subject line: “VERY Disturbing! TAKE CARE OF YOUR KIDS/ they should kill this man, do not open if your [sic] sensitive… click video link.”)

Pornography has been a complicated issue since, well, forever. There are paintings in the ruins of Pompeii of an “adult” nature that were buried in the year 79. In the quaint 1950s in the very Puritan U.S., there were “nudist” and “art photo” magazines that pushed the legal envelope, and “men’s” magazines explored how much of a woman’s anatomy they could show and still stay at least one millimeter away from the legal limit.

In the U.S., porn enthusiasts probably won the battle when courts as high as the U.S. Supreme Court found themselves completely unable to define the difference between pornography and free speech. In 1964, U.S. Supreme Court Justice Potter Stewart wrote the legendary articles of surrender, saying that he couldn’t define pornography, but “I know it when I see it.” Shortly after that, the VCR went on sale and it was REALLY “game over” for the anti-porn side.

The result has been a legal shadow world and very lucrative gray economy that turned into a terrific environment for scams, fraud, rogue anti-malware products and thieving computer malcode. Yes, there is a load of pornography out there on the Internet that is perfectly legal, sold by perfectly legal businesses with secure servers. Governments in conservative places will always try to fight it. They will only ever have very limited success. Sex will always be a very shiny lure.

The bottom line: if you see any advertisement on the web or in your email for “adult” anything, it simply will never be truly safe to go there.

Links to stories:

China’s Web ‘Dam’

Yushchenko signs porn law despite widespread opposition

Web-Hosting Firm’s Shutdown Costing Adult Affiliate Operator $5K a Day

GBI: Open This E-Mail, Go Directly to Jail (Possibly)

Tom Kelchner

Posted in Security.

Internet Storm Center Podcast

Hey everyone, sorry it has taken so long to get around to recording another podcast episode!  The audio should be a bit better on this podcast, and we are going to try and get these out more often now.  Enjoy!

All the podcasts
Podcast through iTunes



Posted in Security.

Michael Jackson X-Files Answer

Yesterday, amid the heavy Michael Jackson news coverage and tabloid autopsy speculations, another round of email was spammed out with the following text:

Michael Jackson Was Killed…
But Who Killed Michael Jackson?
Visit X-Files to see the answer:
(hxxp://xfiles link here)

The link redirected to a site hosted at 87.97.116.131 in an X-Files-esque directory “x-files/x-file-mjacksonkiller.exe”, which is currently down. The site hosted a malformed PDF and a Zbot banking-password-stealing variant. ThreatFire blocked the file across its community at very low prevalence, so very few users are falling for this sort of shameless scam. But we remind you to always think twice before running an unknown executable or visiting an untrusted site (the URL for this one is most likely not a domain one would recognize: jillih. com), regardless of the news. And update third-party plugins on your system like PDF readers.

Posted in Security.

SecurityOrb.com Security News Update with Kellep Charles - July 1, 2009

This is a SecurityOrb.com News Update discussing how malware is being pushed off the back of Michael Jackson’s death and how secure you are on your social networking websites. For more information go to: www.securityorb.com

Posted in Security.

Reminder: DojoSec Meetup for Today, 07-02 Has Been Cancelled

I know that most of you already saw the announcement I posted yesterday, but I want to make sure that nobody ends up at Capital College tonight and wonders where DojoSec is.

Marcus said that the August DojoSec will be happening as planned, so be sure to mark your calendars accordingly!

Posted in Security.

Is AES secure enough?

There’s been a lot of discussion in the past day or so about the security of the AES encryption algorithm. There’s a paper by Alex Biryukov and Dmitry Khovratovich that describes an attack against AES-256 that can be done in much less time than brute-force exhaustion: 2^119 trial encryptions instead of 2^256. That’s a huge difference. Is AES now so weak that we need to worry about it?

Absolutely not.

The attack that Biryukov and Khovratovich found also takes lots of data for it to work. Their attack that can be done in 2^119 time also takes the same amount of data: 2^119 ciphertexts. That’s a lot of ciphertexts.

The best estimates that I’ve seen say that the entire world produces a few exabytes of data per year. This estimate is actually from a few years ago, so it isn’t that current. Let’s suppose that the amount of data being created doubles each year. If that’s the case, we probably have a few zettabytes of data being created per year right now.

A zettabyte is 10^21 bytes, or about 2^70 bytes. That’s a lot of data, but it’s still a long way from 2^119 ciphertexts. This means that an attack that takes that much data is totally impractical. Even if we assume that all of the data in the world is being used in an attack that’s trying to recover a single AES key, it’s still not enough. It would take roughly the amount of data that the entire world will produce in the next 50 years or so to get the amount of data that we’d need. And even then, the amount of time required is still prohibitive.
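To check the arithmetic behind the “50 years” figure, here is an added Python example (not part of the original post) that computes the same quantities: the log2 size of a zettabyte, the number of years of doubling world output needed to accumulate 2^119 units, and the wall-clock time for 2^119 trial encryptions at an assumed rate. It goes one step further than the post by accounting for the fact that each ciphertext is a 16-byte AES block, so 2^119 ciphertexts is 2^123 bytes, which only lengthens the wait. The starting volume of one zettabyte per year, the doubling rate, and the trial-encryption rate passed to `years_of_compute` are assumptions carried over from or added to the post’s argument.

```python
import math

AES_BLOCK_BYTES = 16                     # one AES ciphertext block is 128 bits
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def log2_bytes(zettabytes):
    """log2 of a data volume given in zettabytes (1 ZB = 10^21 bytes)."""
    return math.log2(zettabytes * 1e21)


def years_to_accumulate(target_log2_bytes, first_year_log2_bytes, growth=2.0):
    """Smallest number of years k such that cumulative output, starting at
    2^first_year_log2_bytes in year one and multiplying by `growth` each year,
    reaches 2^target_log2_bytes. With growth=2 the cumulative total after k
    years is 2^first * (2^k - 1), i.e. only about twice the final year's output."""
    target = 2.0 ** target_log2_bytes
    yearly = 2.0 ** first_year_log2_bytes
    total, years = 0.0, 0
    while total < target:
        total += yearly
        yearly *= growth
        years += 1
    return years


def log2_ciphertext_bytes(log2_ciphertexts):
    """Convert a count of AES ciphertext blocks (as a power of two) into bytes."""
    return log2_ciphertexts + math.log2(AES_BLOCK_BYTES)


def years_of_compute(log2_trials, trials_per_second):
    """Wall-clock years for 2^log2_trials trial encryptions at a given rate;
    the rate is whatever you assume for the attacker's hardware."""
    return 2.0 ** log2_trials / trials_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print("1 ZB is 2^%.1f bytes" % log2_bytes(1))
    print("years until 2^119 bytes exist (1 ZB/yr, doubling):", years_to_accumulate(119, 70))
    print("years until 2^119 AES blocks exist:",
          years_to_accumulate(log2_ciphertext_bytes(119), 70))
    # Assumed rate: 2^50 (about 10^15) trial encryptions per second, an arbitrary placeholder.
    print("years of compute for 2^119 trials at 2^50/s: %.2e" % years_of_compute(119, 2 ** 50))
```

The data side is the binding constraint: even granting the attacker every byte the world produces, the doubling assumption that is generous to the attacker, and ignoring that the ciphertexts must all be under the one target key, the required volume is decades away, and the 2^119 encryptions still have to be performed after that.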

It’s interesting that Biryukov and Khovratovich found a significant weakness in AES, and their work may give useful insights into how to design better symmetric encryption algorithms, but it’s not the sort of weakness that anyone can actually use to recover data that’s encrypted with AES.

Posted in Security.