The Lazy Genius

Security News and Brain Dumps from an IBM Tivoli Security Consultant

Autism Scholarship Program

Posted by Xavier Ashe on January 15, 2009

My two stepsons, Jorge and Leo, are part of an Autism Scholarship Program that is being hosted by Myles-A-Part. Myles-A-Part is partnering with two other Atlanta organizations to offer its first family therapy grants for families living with Autism. Please take a few minutes and watch the video below. If you or your company would like to help our boys get the services they need, go to http://www.mylesapart.org/scholarship.html to get more information.

Autism: Hope & Help for the Journey (HD Version) from Matt Gibson on Vimeo.

Posted in Main Page, Personal Note | Leave a Comment »

WPA’s TKIP cracked in 12 to 15 minutes

Posted by Xavier Ashe on November 8, 2008

According to several sources, security researchers Erik Tews and Martin Beck have found a way to break the Temporal Key Integrity Protocol (TKIP) key used by WPA. Cracking the TKIP key was never thought to be an impossible feat and it was previously thought that the angle of attack would be via a massive dictionary attack over an extended period of time.

Tews and Beck, however, did not use a dictionary attack to crack TKIP. According to Dragos Ruiu (via this Network World article), the organizer of the PacSec conference where Tews plans on discussing the crack, the researchers first discovered a way to trick a WPA router into sending them large amounts of data. This makes cracking the key easier, but this technique is also combined with a “mathematical breakthrough,” that lets them crack WPA much more quickly than any previous attempt.

And how long did it take Tews and Beck? 12 to 15 minutes.

Beck, creator of the Aircrack security tool, has also added the ability to exploit this weakness over the past two weeks. Note, this attack only impacts WPA and not WPA2, which is still deemed “safe”. Over the past few years people who were using WEP, which was determined to be an unsafe and easy to crack protocol, were advised to switch over to WPA to prevent an attack of this magnitude. Now many enterprise customers will be left scratching their heads and wondering how long it will be until they have to switch to something other than WPA2…and at what cost.

From Andrew Hay’s Blog.
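The practical takeaway from the post is that an access point still offering WPA (version 1) or the TKIP cipher is exposed, while WPA2 with CCMP is not. The check below is an added example, not code from the post or from Andrew Hay's blog: it audits a hostapd-style access point configuration for exactly that. It assumes the hostapd.conf directives `wpa`, `wpa_pairwise` and `rsn_pairwise`; the weak and hardened sample configs are constructed for illustration.

```python
"""Flag TKIP / WPA (version 1) in a hostapd-style access point config.

Added example; not code from the post or from hostapd. It assumes the
hostapd.conf directives wpa, wpa_pairwise and rsn_pairwise, and the two
sample configs below are constructed for illustration.
"""

# Constructed example: a WPA-only AP that still offers TKIP.
WEAK_CONF = """\
interface=wlan0
ssid=example-wlan
wpa=1
wpa_key_mgmt=WPA-PSK
# TKIP is the cipher the post describes as broken
wpa_pairwise=TKIP
"""

# Constructed example: WPA2 (RSN) only, CCMP (AES) only.
HARDENED_CONF = """\
interface=wlan0
ssid=example-wlan
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""


def parse_hostapd(text):
    """Parse key=value lines; comments and blank lines are skipped.

    A later duplicate key overwrites an earlier one, matching a top-to-bottom read.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_tkip(text):
    """Return a list of findings; an empty list means no WPA1/TKIP exposure was found."""
    conf = parse_hostapd(text)
    findings = []
    wpa = conf.get("wpa", "0")
    if wpa in ("1", "3"):
        # wpa=1 is WPA only, wpa=3 is mixed WPA/WPA2; both accept TKIP clients.
        findings.append(f"wpa={wpa}: WPA (version 1) enabled; use wpa=2 so only WPA2/RSN is offered")
    for key in ("wpa_pairwise", "rsn_pairwise"):
        ciphers = conf.get(key, "").split()
        if "TKIP" in ciphers:
            findings.append(f"{key}={conf[key]}: TKIP offered as a pairwise cipher; use CCMP only")
    if wpa == "2" and "rsn_pairwise" not in conf:
        # With wpa=2 the pairwise cipher should be pinned explicitly; an unset value
        # leaves it to hostapd's defaults, which this example does not model.
        findings.append("rsn_pairwise not set: pin the WPA2 cipher with rsn_pairwise=CCMP")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_tkip(conf) or ["OK: WPA2/CCMP only"])
```

Mixed-mode (`wpa=3`) is flagged as well, since a mixed AP still accepts TKIP clients; the check deliberately treats an unpinned cipher list as a finding rather than guessing at hostapd defaults.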

Posted in Security, Tools | Leave a Comment »

New Web based Training for TSOM 4.1

Posted by Xavier Ashe on October 7, 2008

IBM Tivoli Security Operations Manager 4.1 – Fundamentals

Course description

In this 4-hour Web-based training course, you will use IBM Tivoli Security Operations Manager 4.1 to learn its fundamentals and operator tasks.

Objectives

After completing this course, you should be able to:

  • Install and configure IBM Tivoli Security Operations Manager 4.1
  • Configure and collect events from sensors

Course outline

  1. Introduction
  2. Installation
  3. Administration
  4. Investigating Events
  5. Correlating Events

Who will benefit from this course

This course is intended for implementers and administrators who need to correlate security events.

Required skills/knowledge

  • Intrusion detection: Understand the basic concepts of intrusion detection
  • TCP/IP: Understand IP addresses, networks, and ports

Recommended courses

Click here for order information.

Posted in IBM, Security, TSOM | Leave a Comment »

Cyber Peeping Tom

Posted by Xavier Ashe on October 4, 2008

Federal prosecutors are going after a Florida college student who allegedly installed spyware on a woman’s laptop to covertly snap nude photos of her through her webcam.

Craig Matthew Feigin, 23, is charged (.pdf) in U.S. District Court in Gainesville with violating the federal Computer Fraud and Abuse Act. Feigin was arrested by local police last July.

The case began when the victim noticed changes in her computer’s behavior after giving it to Feigin for overnight repairs, the Gainesville Sun reported at the time. Every time she got near her laptop,  the light on her webcam switched on.

A friend with IT experience examined the system, and found that someone had installed the remote access program Log Me In, and software called Web Cam Spy Hacker, which Feigin himself sold online as a tool for catching cheating spouses. Over three weeks, the software allegedly uploaded some 20,000 images of the woman to an Eastern European web server before it was detected.

Read the full article on Wired.

Posted in Security | Leave a Comment »

Why The TCP Attack Is Likely Bad, But Not That Bad

Posted by Xavier Ashe on October 3, 2008

There’s been a bunch of new information released over the past few days about the potential big TCP denial of service flaw. The three most informative posts I’ve read are:

  1. Fyodor’s discussion of either the same, or a similar issue.
  2. Richard Bejtlich’s overview.
  3. Rob Graham’s take on the potential attack.

Here’s what I think you need to know:

  1. It is almost certainly real.
  2. Using this technique, an attacker with very few resources can lock up the TCP stack of the target system, potentially draining other resources, and maybe even forcing a reboot (Could this trash a host OS? We don’t know yet.).
  3. Anything that accepts TCP connections is vulnerable. I believe that means passive sniffing/routing is safe.
  4. The attack is obvious and traceable. Since we are using TCP and creating open connections (not UDP) it means spoofing/anonymous attacks don’t seem possible.
  5. Thus, I’d be more worried about a botnet that floods your upstream provider than this targeted attack.
  6. This is the kind of thing we should be able to filter, once our defenses are updated.

From Securosis.com.
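Points 3 and 4 above are what make this attack detectable: the attacker has to complete real TCP handshakes, so the connections are visible in the host's connection table and traceable to a real source. The script below is an added example, not code from Securosis or from the posts it cites: it parses netstat-style connection lines and flags any remote address holding a disproportionate share of the host's connections. The sample table is constructed, and the count and share thresholds are assumptions to tune per host.

```python
"""Spot a single source holding a disproportionate share of a host's TCP connections.

Added example for the post above; not code from Securosis or the cited authors.
It parses netstat-style lines ("tcp recv-q send-q local foreign state"); the
sample table below is constructed and the thresholds are assumptions.
"""
from collections import Counter

# Constructed sample: one remote address has opened 40 connections to port 80,
# two other clients hold one each, plus a listener that must be ignored.
_HEADER = "Proto Recv-Q Send-Q Local Address Foreign Address State"
_FLOOD = "\n".join(
    f"tcp 0 0 10.0.0.5:80 198.51.100.7:{41200 + i} ESTABLISHED" for i in range(40)
)
SAMPLE_NETSTAT = "\n".join([
    _HEADER,
    _FLOOD,
    "tcp 0 0 10.0.0.5:80 203.0.113.9:51000 ESTABLISHED",
    "tcp 0 0 10.0.0.5:22 192.0.2.33:60000 ESTABLISHED",
    "tcp 0 0 10.0.0.5:80 0.0.0.0:* LISTEN",
])


def parse_connections(text):
    """Return (remote_ip, local_endpoint, state) for each non-listening TCP line."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue  # header, blank or non-TCP line (tcp6 is accepted)
        local, foreign, state = parts[3], parts[4], parts[5]
        if state == "LISTEN":
            continue  # a listener has no peer
        remote_ip = foreign.rsplit(":", 1)[0]  # strip the port; "::1:443" splits correctly too
        conns.append((remote_ip, local, state))
    return conns


def concentrated_sources(conns, min_conns=20, min_share=0.5):
    """Sources holding at least min_conns connections AND at least min_share of all
    connections seen, with a per-state breakdown. Returned sorted by count, descending."""
    total = len(conns)
    if total == 0:
        return []
    per_src = Counter(remote for remote, _, _ in conns)
    flagged = []
    for remote, n in per_src.most_common():
        share = n / total
        if n >= min_conns and share >= min_share:
            states = Counter(state for r, _, state in conns if r == remote)
            flagged.append({
                "remote": remote,
                "count": n,
                "share": round(share, 3),
                "states": dict(states),
            })
    return flagged


if __name__ == "__main__":
    for hit in concentrated_sources(parse_connections(SAMPLE_NETSTAT)):
        print(f"{hit['remote']}: {hit['count']} conns ({hit['share']:.0%}) {hit['states']}")
```

The per-state breakdown matters for triage: many half-open connections (SYN_RECV) from one source look different from many fully established ones, and the post's point is that this attack needs the latter, which is why the source address cannot be spoofed.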

Posted in Uncategorized | Leave a Comment »

PCI DSS version 1.2 differences and updates

Posted by Xavier Ashe on October 3, 2008

On October 1, 2008 the PCI SSC released version 1.2 of the PCI DSS requirements. There are a number of changes as outlined previously in the update document. The PCI SSC has established a life cycle process that will ensure the PCI DSS standard is revised and updated on a two year cycle. What follows is a detailed outline of the differences between version 1.1 and 1.2 (some that have not been discussed previously) and the implications of those changes. (Unless otherwise noted, those items in quotations are taken directly from the PCI DSS or the update document linked above.)

Good dissection of the new reg from the PCI Blog.

Posted in Uncategorized | Leave a Comment »

Security metrics: more is not better

Posted by Xavier Ashe on October 3, 2008

The shiny new version of SP800-55, renamed “Performance Measurement Guide for Information Security”, takes a rather different tack but is still quite long (80 pages in total, half of which are appendices). I suspect the primary reason for its existence is to support FISMA (the US Federal Information Security Management Act, essentially a set of information security policies mandated in law for US Government agencies) by imposing a standardized set of metrics that can be used to benchmark agencies and force the laggards to pull their socks up. It remains a highly bureaucratic and costly response to a genuine management problem.

Another draft NIST standard, SP800-80 “Guide for Developing Performance Metrics for Information Security”, emphasises the process of developing and implementing security metrics. It includes a shorter list of STTCBM (‘candidate metrics’), but again takes a database approach with forms in the appendices characterising the metrics by ‘metric type’, ‘frequency of collection’ etc., details which, by the way, are organization and implementation-specific and really not that hard for grown-up security managers to figure out for themselves.

Read the full article on the (ISC)2 Blog.

Posted in Uncategorized | Leave a Comment »

IBM software bundle targets retail theft, data breaches

Posted by Xavier Ashe on October 2, 2008

IBM is targeting retail security with a package of software and services designed to prevent physical loss of merchandise, protect against electronic threats and comply with credit card industry regulations.

SecureStore, announced Wednesday, combines surveillance and RFID systems with software that protects online and in-store transactions, as well as software that protects databases and applications from network-based threats, IBM said. While SecureStore mainly consists of pre-released products from IBM divisions such as Internet Security Systems (ISS), Tivoli and Rational, Big Blue’s Val Rahmani says it is unique in that it brings together products from various parts of IBM to address one industry segment, and re-architects the products so they fit together and are optimized for retail.

Read the full article on Network World.

Posted in IBM, ISS, Security, TSOM | Leave a Comment »

New ISC(2) Certification

Posted by Xavier Ashe on September 30, 2008

I am pleased to inform you that (ISC)2 launched a brand new certification program designed to validate secure software development practices and expertise and address the increasing number of application vulnerabilities. The need for education and certification in this area has become an overwhelming global concern in the industry and as a certifying body and proponent of continuing professional education we were presented the opportunity to provide a solution to address the issue.

The Certified Secure Software Lifecycle Professional (CSSLP) aims to stem the proliferation of security vulnerabilities resulting from insufficient development processes by establishing best practices and validating an individual’s competency in addressing security issues throughout the software lifecycle (SLC). It takes a holistic approach to software security. Code-language neutral, it will be applicable to anyone involved in the SLC, including analysts, developers, software engineers, software architects, project managers, software quality assurance testers and programmers. CSSLP is the only certification in the industry that ensures that security is considered throughout the entire software lifecycle.

Read more on CCCure.org.

Posted in Security | Leave a Comment »

Security and Society: Role of Government

Posted by Xavier Ashe on September 29, 2008

Posted in IBM, Security | Leave a Comment »

Security Management: A Chicken & Egg Problem

Posted by Xavier Ashe on September 8, 2008

Today’s security information and event management products and practices, as well as log aggregation and analysis technology, are still largely the same as they were in 2006. Oh, the players have changed — the big vendors now dominate the SIEM market — but there hasn’t been a revolution in the automation of security management technology or practices that even comes close to matching the revolutions we see in attack vectors almost every week.

It may sound like I’m dinging the SIEM technology vendors for a lack of recent innovation, but I’m not. The problem here really isn’t the vendors, but enterprise security managers. Vendors are only as good as the market demands, and so far, most security pros are still too busy fighting fires to really put much thought, time, or money into the management problem.

Interesting article on Dark Reading.

Posted in Security | Leave a Comment »

Judge: Man can’t be forced to divulge encryption passphrase

Posted by Xavier Ashe on September 8, 2008

A federal judge in Vermont has ruled that prosecutors can’t force a criminal defendant accused of having illegal images on his hard drive to divulge his PGP (Pretty Good Privacy) passphrase.

U.S. Magistrate Judge Jerome Niedermeier ruled that a man charged with transporting child pornography on his laptop across the Canadian border has a Fifth Amendment right not to turn over the passphrase to prosecutors. The Fifth Amendment protects the right to avoid self-incrimination.

Niedermeier tossed out a grand jury’s subpoena that directed Sebastien Boucher to provide “any passwords” used with his Alienware laptop. “Compelling Boucher to enter the password forces him to produce evidence that could be used to incriminate him,” the judge wrote in an order dated November 29 that went unnoticed until this week. “Producing the password, as if it were a key to a locked container, forces Boucher to produce the contents of his laptop.”

Especially if this ruling is appealed, U.S. v. Boucher could become a landmark case. The question of whether a criminal defendant can be legally compelled to cough up his encryption passphrase remains an unsettled one, with law review articles for the last decade arguing the merits of either approach. (A U.S. Justice Department attorney wrote an article in 1996, for instance, titled “Compelled Production of Plaintext and Keys.”)

Read the full article on C|Net News.

Posted in Security | 1 Comment »

TSOM Redbook

Posted by Xavier Ashe on September 5, 2008

Network and resource availability is critical to business and service assurance. But enterprises, federal agencies, and service providers can lose millions of dollars per year as a result of worms and other types of malware that bring down corporate resources and customer-facing services. That is why information security is one of the top concerns of every CIO in any organization. To maximize resource and service availability and protect customer information, today’s information security teams must be able to:

- Quickly recognize and handle security incidents.
- Enforce security policies.
- Support audit and compliance initiatives.

The problem is that each of these activities involves security data that resides throughout the organization. Enterprises and service providers need to be able to access and analyze this disparate data quickly and efficiently. In today’s complex, multi-vendor environments that means leveraging an automated, integrated solution. In response to these challenges, IBM Tivoli Security Operations Manager, a security information and event management (SIEM) platform, is designed to improve the effectiveness, efficiency and visibility of security operations and information risk management.

This IBM Redbooks publication helps you design/create a solution using Tivoli Security Operations Manager to centralize and store security data from throughout the technology infrastructure so that you can:

- Automate log aggregation, correlation and analysis.
- Recognize, investigate and respond to incidents automatically.
- Streamline incident tracking and handling.
- Enable monitoring and enforcement of policy.
- Provide comprehensive reporting for compliance efforts.

This book is a valuable resource for security officers, administrators and architects who wish to understand and implement a Security Event and Information Management system.

Download the new IBM Redbook: Deployment Guide Series: IBM Tivoli Security Operations Manager 4.1

Posted in IBM, TSOM | Leave a Comment »

TSOM + CloudShield + ISS + Blade = Awesome

Posted by Xavier Ashe on September 4, 2008

IBM (NYSE: IBM) on Tuesday introduced a blade server that supports CloudShield Technologies’ software for real-time analysis of network traffic to prevent viruses and denial of service attacks.

“The IBM BladeCenter PN41 enables service providers to manage their network, security and telecommunications technology on an integrated platform,” Jim Pertzborn, VP of telecommunications industry solutions for IBM Systems Group, said in a statement. “This integration can help service providers meet their customers’ evolving requirements for data, voice and video services.” The new blade and software support are key components of IBM’s hardware, software and services framework for service providers. The package also includes IBM’s intrusion prevention technology and Tivoli Security Operations Manager.

Read the full article on InformationWeek. I first heard about this project about 2 years ago when I was helping develop solutions for the Telecom group at IBM. It’s taken a lot of work to get this packaged together and I am glad to see it finally hit the streets. Other sites that have picked this up:

Posted in IBM, ISS, Security, TSOM | Leave a Comment »

TSOM 4.1.1 Available

Posted by Xavier Ashe on August 27, 2008

Tivoli Security Operations Manager V4.1.1 is now available. To download this updated release, support-entitled customers should access the Passport Advantage Customer download site.

Tivoli Security Operations Manager V4.1.1 has been updated to include the following:

Additional Platform Support

* Added Windows 2003 SP2 64
* Added Red Hat Linux 5.x

Integration

* Tivoli Change and Configuration Management Database integration via Tivoli Application Dependency Database Manager
* IBM Tivoli License Manager Support
* IBM Support Assistant Support

New Capabilities / Enhancements

* IPv6 Tolerance
* LDAP Authentication
* Compliance Reports for PCI

Posted in Uncategorized | Leave a Comment »

Bill Cosby likes my first Computer

Posted by Xavier Ashe on August 21, 2008

My dad got one of these for Father’s Day when I was 6. It was the TI-99/4A. I still have it and it still works.

Posted in For Fun, Personal Note | Leave a Comment »

Free Incident Management Courses

Posted by Xavier Ashe on August 21, 2008

EMI replaced its Incident Command System (ICS) curricula with courses that meet the requirements specified in the National Incident Management System (NIMS). EMI developed the new courses collaboratively with the National Wildfire Coordinating Group (NWCG), the United States Fire Administration and the United States Department of Agriculture.

The goods can be found on FEMA’s website (Yes, that FEMA). Over on Securosis.com, Rich thinks it’s pretty good:

Although I haven’t written much about it on the blog (just the occasional post), one area I talk a lot about is incident response and disaster management. Translating my experiences as a 9-1-1 and disaster responder into useful business principles. I’m frequently asked where people can get management level training on incident management. While SANS and others have some technology-oriented incident response courses, the best management level training out there is from FEMA.

Yes, that FEMA.

For no cost you can take some of their Incident Command Systems (ICS) courses online. I highly recommend ICS 100 and ICS 200 for anyone interested in the topic. No, not all of it will apply, but the fundamental principles are designed for ANY kind of incident of ANY scale. If nothing else, it will get you thinking.

Posted in Security | Leave a Comment »

DEFCON 16: List of tools and stuff released

Posted by Xavier Ashe on August 20, 2008

DEFCON, the 9000+ attendee hacker conference in Vegas, has become a sort of hydra conference. It has become more like a global fair than what most people think of conferences; even the badge is highly unique.

I say this because there are so many things to do at DEFCON, other than going to talks, that you could spend your whole weekend looking at the “World’s Largest Boar!”, so to speak. One of the CTF (Capture the Flag) contest winners this year actually exclaimed that he only made it to 2 talks in 12 years! I am also one of those individuals who barely get a chance to go to talks and now that the speaker pool is so diverse, it’s hard to find all of the “stuff” they release.

Before anyone has a chance to post “it’s all on the DEFCON CD dummy,” I want to challenge them to try. After a weekend of googling (which came back with few results) and making contact with some of the speakers, I provide you with a mostly accurate list of “stuff” that was released at DEFCON this year. If any of the information is inaccurate, or a tool is missing, please contact me and I will update this post.

Posted by Ryan Naraine at ZDnet.

Posted in Security, Tools | Leave a Comment »

Banned DefCon preso anyone?

Posted by Xavier Ashe on August 18, 2008

Posted in Security | Leave a Comment »

Comment on the Yellow Book (no, not the yellow pages)

Posted by Xavier Ashe on August 18, 2008

TO AUDIT OFFICIALS, AGENCY CIOS, AND OTHERS INTERESTED IN FEDERAL INFORMATION SYSTEM CONTROLS AUDITING AND REPORTING

This letter transmits the exposure draft of the Government Accountability Office (GAO) Federal Information System Controls Audit Manual (FISCAM) for your review and comment. The FISCAM presents a methodology for performing information system (IS) control audits of federal and other governmental entities in accordance with professional standards, and was originally issued in January 1999. We have updated the FISCAM for significant changes affecting IS audits.

The exposure draft revisions reflect changes in (1) technology used by government entities, (2) audit guidance and control criteria issued by the National Institute of Standards and Technology (NIST), and (3) generally accepted government auditing standards (GAGAS), as presented in Government Auditing Standards (also known as the “Yellow Book”). The Federal Information System Controls Audit Manual (FISCAM) provides a methodology for performing information system (IS) control audits in accordance with GAGAS. However, at the discretion of the auditor, this manual may be applied on other than GAGAS audits. As defined in GAGAS, IS controls consist of those internal controls that are dependent on information systems processing and include general controls and application controls. This manual focuses on evaluating the effectiveness of such general and application controls. This manual is intended for both auditors to assist them in understanding the work done by IS controls specialists, and IS controls specialists to plan and perform the IS controls audit.

In addition, the FISCAM is consistent with the GAO/PCIE Financial Audit Manual (FAM). Also, the FISCAM control activities are consistent with and have been mapped to the NIST Special Publication 800-53.

Instructions for Commenting on the Exposure Draft

The exposure draft of FISCAM is available only in electronic form at http://www.gao.gov/cgi-bin/getrpt?rptno=GAO-08-1029G on GAO’s Web page. We request comments from federal audit officials, CIOs, financial managers, the public accounting profession, and other interested parties. Please associate your comments with specific references to section, paragraph, and page number. Also, please provide the rationale for your comments and proposed changes, along with suggested revised language. Please send your comments electronically to FISCAM@gao.gov no later than September 5, 2008.

We anticipate that the final version of FISCAM will be issued in the fall of 2008 for use in conducting fiscal year 2009 federal financial statement audits.

Here’s the PDF for your review, and here’s a PowerPoint outlining all the changes.

Posted in Security | Leave a Comment »