Archive for the ‘Security’ Category
WPA’s TKIP cracked in 12 to 15 minutes
Posted by Xavier Ashe on November 8, 2008
According to several sources, security researchers Erik Tews and Martin Beck have found a way to break the Temporal Key Integrity Protocol (TKIP) key used by WPA. Cracking the TKIP key was never thought to be an impossible feat, but it was previously thought that the angle of attack would be a massive dictionary attack over an extended period of time.
Tews and Beck, however, did not use a dictionary attack to crack TKIP. According to Dragos Ruiu (via this Network World article), the organizer of the PacSec conference where Tews plans on discussing the crack, the researchers first discovered a way to trick a WPA router into sending them large amounts of data. This makes cracking the key easier, but the technique is also combined with a “mathematical breakthrough” that lets them crack WPA much more quickly than any previous attempt.
And how long did it take Tews and Beck? 12 to 15 minutes.
Beck, creator of the Aircrack security tool, has also added the ability to exploit this weakness over the past two weeks. Note, this attack only impacts WPA and not WPA2, which is still deemed “safe”. Over the past few years people who were using WEP, which was determined to be an unsafe and easy to crack protocol, were advised to switch over to WPA to prevent an attack of this magnitude. Now many enterprise customers will be left scratching their heads and wondering how long it will be until they have to switch to something other than WPA2…and at what cost.
Posted in Security, Tools
New Web based Training for TSOM 4.1
Posted by Xavier Ashe on October 7, 2008
IBM Tivoli Security Operations Manager 4.1 – Fundamentals
Course description
In this 4-hour Web-based training course, you will use IBM Tivoli Security Operations Manager 4.1 to learn its fundamentals and operator tasks.
Objectives
After completing this course, you should be able to:
- Install and configure IBM Tivoli Security Operations Manager 4.1
- Configure and collect events from sensors
Course outline
- Introduction
- Installation
- Administration
- Investigating Events
- Correlating Events
Who will benefit from this course
This course is intended for implementers and administrators who need to correlate security events.
Required skills/knowledge
- Intrusion detection: Understand the basic concepts of intrusion detection
- TCP/IP: Understand IP addresses, networks, and ports
Recommended courses
- Tivoli Implementation Foundation Skills: Database Administrator Essentials (Foundation Skills)
- Tivoli Implementation Foundation Skills: TCP/IP (Foundation Skills)
Posted in IBM, Security, TSOM
Cyber Peeping Tom
Posted by Xavier Ashe on October 4, 2008
Federal prosecutors are going after a Florida college student who allegedly installed spyware on a woman’s laptop to covertly snap nude photos of her through her webcam.
Craig Matthew Feigin, 23, is charged (.pdf) in U.S. District Court in Gainesville with violating the federal Computer Fraud and Abuse Act. Feigin was arrested by local police last July.
The case began when the victim noticed changes in her computer’s behavior after giving it to Feigin for overnight repairs, the Gainesville Sun reported at the time. Every time she got near her laptop, the light on her webcam switched on.
A friend with IT experience examined the system, and found that someone had installed the remote access program Log Me In, and software called Web Cam Spy Hacker, which Feigin himself sold online as a tool for catching cheating spouses. Over three weeks, the software allegedly uploaded some 20,000 images of the woman to an Eastern European web server before it was detected.
Posted in Security
IBM software bundle targets retail theft, data breaches
Posted by Xavier Ashe on October 2, 2008
IBM is targeting retail security with a package of software and services designed to prevent physical loss of merchandise, protect against electronic threats and comply with credit card industry regulations.
SecureStore, announced Wednesday, combines surveillance and RFID systems with software that protects online and in-store transactions, as well as software that protects databases and applications from network-based threats, IBM said. While SecureStore mainly consists of pre-released products from IBM divisions such as Internet Security Systems (ISS), Tivoli and Rational, Big Blue’s Val Rahmani says it is unique in that it brings together products from various parts of IBM to address one industry segment, and re-architects the products so they fit together and are optimized for retail.
Read the full article on Network World.
Posted in IBM, ISS, Security, TSOM
New ISC(2) Certification
Posted by Xavier Ashe on September 30, 2008
I am pleased to inform you that (ISC)2 launched a brand new certification program designed to validate secure software development practices and expertise and address the increasing number of application vulnerabilities. The need for education and certification in this area has become an overwhelming global concern in the industry and as a certifying body and proponent of continuing professional education we were presented the opportunity to provide a solution to address the issue.
The Certified Secure Software Lifecycle Professional (CSSLP) aims to stem the proliferation of security vulnerabilities resulting from insufficient development processes by establishing best practices and validating an individual’s competency in addressing security issues throughout the software lifecycle (SLC). It takes a holistic approach to software security. Code-language neutral, it will be applicable to anyone involved in the SLC, including analysts, developers, software engineers, software architects, project managers, software quality assurance testers and programmers. CSSLP is the only certification in the industry that ensures that security is considered throughout the entire software lifecycle.
Posted in Security
Security and Society: Role of Government
Posted by Xavier Ashe on September 29, 2008
Posted in IBM, Security
Security Management: A Chicken & Egg Problem
Posted by Xavier Ashe on September 8, 2008
Today’s security information and event management products and practices, as well as log aggregation and analysis technology, are still largely the same as they were in 2006. Oh, the players have changed — the big vendors now dominate the SIEM market — but there hasn’t been a revolution in the automation of security management technology or practices that even comes close to matching the revolutions we see in attack vectors almost every week.
It may sound like I’m dinging the SIEM technology vendors for a lack of recent innovation, but I’m not. The problem here really isn’t the vendors, but enterprise security managers. Vendors are only as good as the market demands, and so far, most security pros are still too busy fighting fires to really put much thought, time, or money into the management problem.
Posted in Security
Judge: Man can’t be forced to divulge encryption passphrase
Posted by Xavier Ashe on September 8, 2008
A federal judge in Vermont has ruled that prosecutors can’t force a criminal defendant accused of having illegal images on his hard drive to divulge his PGP (Pretty Good Privacy) passphrase.
U.S. Magistrate Judge Jerome Niedermeier ruled that a man charged with transporting child pornography on his laptop across the Canadian border has a Fifth Amendment right not to turn over the passphrase to prosecutors. The Fifth Amendment protects the right to avoid self-incrimination.
Niedermeier tossed out a grand jury’s subpoena that directed Sebastien Boucher to provide “any passwords” used with his Alienware laptop. “Compelling Boucher to enter the password forces him to produce evidence that could be used to incriminate him,” the judge wrote in an order dated November 29 that went unnoticed until this week. “Producing the password, as if it were a key to a locked container, forces Boucher to produce the contents of his laptop.”
Especially if this ruling is appealed, U.S. v. Boucher could become a landmark case. The question of whether a criminal defendant can be legally compelled to cough up his encryption passphrase remains an unsettled one, with law review articles for the last decade arguing the merits of either approach. (A U.S. Justice Department attorney wrote an article in 1996, for instance, titled “Compelled Production of Plaintext and Keys.”)
Read the full article on C|Net News.
Posted in Security | 1 Comment
TSOM + CloudShield + ISS + Blade = Awesome
Posted by Xavier Ashe on September 4, 2008
IBM (NYSE: IBM) on Tuesday introduced a blade server that supports CloudShield Technologies’ software for real-time analysis of network traffic to prevent viruses and denial of service attacks.
“The IBM BladeCenter PN41 enables service providers to manage their network, security and telecommunications technology on an integrated platform,” Jim Pertzborn, VP of telecommunications industry solutions for IBM Systems Group, said in a statement. “This integration can help service providers meet their customers’ evolving requirements for data, voice and video services.”
The new blade and software support are key components of IBM’s hardware, software and services framework for service providers. The package also includes IBM’s intrusion prevention technology and Tivoli Security Operations Manager.
Read the full article on InformationWeek. I first heard about this project about 2 years ago when I was helping develop solutions for the Telecom group at IBM. It’s taken a lot of work to get this packaged together and I am glad to see it finally hit the streets. Other sites that have picked this up:
- IBM Press Release: IBM Introduces First Blade Server to Reduce Security Threats, Optimize Network Traffic
- Telephony Online: Cloudshield, IBM put DPI on Blade Center
- TelecomWeb: New IBM Blade First To Offer DPI
- ZDNet UK: IBM tackles security with a blade
- The Register: IBM pitches ‘network security’ blade server, Slimline P2P throttler
- The Inquirer UK: IBM introduces intelligent blade server, Counters security threats
- IT Jungle: IBM Partners with CloudShield for Network Security Blade Server
- eWeek: HP, IBM Unveil Blade Servers Optimized for Virtualization
- TechNewsWorld: IBM Hones New Blade Server to Repel DoS Attacks
- E-Commerce Times(TechNewsWorld) : IBM Hones New Blade Server to Repel DoS Attacks
- SmartBrief: IBM unveils security-enhanced blade server
- Picked up on over 130 sites, including CNN Money, Yahoo! Finance and Investors Business Daily
Posted in IBM, ISS, Security, TSOM
Free Incident Management Courses
Posted by Xavier Ashe on August 21, 2008
EMI replaced its Incident Command System (ICS) curricula with courses that meet the requirements specified in the National Incident Management System (NIMS). EMI developed the new courses collaboratively with the National Wildfire Coordinating Group (NWCG), the United States Fire Administration and the United States Department of Agriculture.
The goods can be found on FEMA’s website (Yes, that FEMA). Over on Securosis.com, Rich thinks it’s pretty good:
Although I haven’t written much about it on the blog (just the occasional post), one area I talk a lot about is incident response and disaster management. Translating my experiences as a 9-1-1 and disaster responder into useful business principles. I’m frequently asked where people can get management level training on incident management. While SANS and others have some technology-oriented incident response courses, the best management level training out there is from FEMA.
Yes, that FEMA.
For no cost you can take some of their Incident Command Systems (ICS) courses online. I highly recommend ICS 100 and ICS 200 for anyone interested in the topic. No, not all of it will apply, but the fundamental principles are designed for ANY kind of incident of ANY scale. If nothing else, it will get you thinking.
Posted in Security
DEFCON 16: List of tools and stuff released
Posted by Xavier Ashe on August 20, 2008
DEFCON, the 9000+ attendee hacker conference in Vegas, has become a sort of hydra conference. It has become more like a global fair than what most people think of as a conference; even the badge is highly unique.
I say this because there are so many things to do at DEFCON, other than going to talks, that you could spend your whole weekend looking at the “World’s Largest Boar!”, so to speak. One of the CTF (Capture the Flag) contest winners this year actually exclaimed that he only made it to 2 talks in 12 years! I am also one of those individuals who barely gets a chance to go to talks, and now that the speaker pool is so diverse, it’s hard to find all of the “stuff” they release.
Before anyone has a chance to post “it’s all on the DEFCON CD dummy,” I want to challenge them to try. After a weekend of googling (which came back with few results) and making contact with some of the speakers, I provide you with a mostly accurate list of “stuff” that was released at DEFCON this year. If any of the information is inaccurate, or a tool is missing, please contact me and I will update this post.
Posted in Security, Tools
Banned DefCon preso anyone?
Posted by Xavier Ashe on August 18, 2008
Posted in Security
Comment on the Yellow Book (no, not the yellow pages)
Posted by Xavier Ashe on August 18, 2008
TO AUDIT OFFICIALS, AGENCY CIOS, AND OTHERS INTERESTED IN FEDERAL INFORMATION SYSTEM CONTROLS AUDITING AND REPORTING
This letter transmits the exposure draft of the Government Accountability Office (GAO) Federal Information System Controls Audit Manual (FISCAM) for your review and comment. The FISCAM presents a methodology for performing information system (IS) control audits of federal and other governmental entities in accordance with professional standards, and was originally issued in January 1999. We have updated the FISCAM for significant changes affecting IS audits.
The exposure draft revisions reflect changes in (1) technology used by government entities, (2) audit guidance and control criteria issued by the National Institute of Standards and Technology (NIST), and (3) generally accepted government auditing standards (GAGAS), as presented in Government Auditing Standards (also known as the “Yellow Book”). The Federal Information System Controls Audit Manual (FISCAM) provides a methodology for performing information system (IS) control audits in accordance with GAGAS. However, at the discretion of the auditor, this manual may be applied on other than GAGAS audits. As defined in GAGAS, IS controls consist of those internal controls that are dependent on information systems processing and include general controls and application controls. This manual focuses on evaluating the effectiveness of such general and application controls. This manual is intended for both auditors, to assist them in understanding the work done by IS controls specialists, and IS controls specialists, to plan and perform the IS controls audit. In addition, the FISCAM is consistent with the GAO/PCIE Financial Audit Manual (FAM). Also, the FISCAM control activities are consistent with and have been mapped to the NIST Special Publication 800-53.
Instructions for Commenting on the Exposure Draft
The exposure draft of FISCAM is available only in electronic form at http://www.gao.gov/cgi-bin/getrpt?rptno=GAO-08-1029G on GAO’s Web page. We request comments from federal audit officials, CIOs, financial managers, the public accounting profession, and other interested parties. Please associate your comments with specific references to section, paragraph, and page number. Also, please provide the rationale for your comments and proposed changes, along with suggested revised language. Please send your comments electronically to FISCAM@gao.gov no later than September 5, 2008.
We anticipate that the final version of FISCAM will be issued in the fall of 2008 for use in conducting fiscal year 2009 federal financial statement audits.
Here’s the PDF for your review, and here’s a PowerPoint outlining all the changes.
Posted in Security
Splunk Fail
Posted by Xavier Ashe on August 13, 2008
This is great. Found on the McGrew Security Blog.
Posted in For Fun, Security | 3 Comments
Draft Redbook: Certification Study Guide, TCIM 8.5
Posted by Xavier Ashe on August 12, 2008
This IBM Redbooks publication is a study guide for IBM Tivoli Compliance Insight Manager Version 8.5 and is meant for those who want to achieve IBM Certifications for this specific product.
The IBM Tivoli Compliance Insight Manager Certification, offered through the Professional Certification Program from IBM, is designed to validate the skills required of technical professionals who work in the implementation of the IBM Tivoli Compliance Insight Manager Version 8.5 product.
This book provides a combination of theory and practical experience needed for a general understanding of the subject matter. It also provides sample questions that will help in the evaluation of personal progress and provide familiarity with the types of questions that will be encountered in the exam.
This publication does not replace practical experience, nor is it designed to be a stand-alone guide for any subject. Instead, it is an effective tool which, when combined with education activities and experience, can be a very useful preparation guide for the exam.
Planned Publish Date: 30 September 2008
Posted in IBM, Security, TCIM | 1 Comment
Cisco PIX is dead
Posted by Xavier Ashe on August 12, 2008
Well, only mostly dead. Today, July 28th, 2008, is the last day you can purchase a PIX firewall appliance from Cisco, ending one of the longest and most successful lives of a gateway security product ever. The PIX (Private Internet Exchange) was the first Network Address Translation device and later evolved into a stateful firewall. See this introductory piece on the PIX by Johna Till Johnson in the January, 1995 issue of Data Communications Magazine. Cisco acquired the PIX with Network Translations, Inc. along with its inventors, John Mayes, Brantley Coile and Johnson Wu. From there the PIX grew into a multi-billion dollar franchise, outselling its nearest competitors, Checkpoint and Netscreen.
…
According to Cisco they will continue to sell add-ons to the PIX series until next year and will support the product until 2013, which has got to be one of the most responsible end-of-life programs in the history of networking and security. While the latest version of PIX is compatible with the first version of Cisco’s replacement security appliance, the ASA, from here on they diverge as ASA moves to a Linux based OS.
Read the full article at Stiennon on Security (NetworkWorld).
Posted in Security
USB Snoop: A USB Sniffer
Posted by Xavier Ashe on July 27, 2008
USBSnoop is a program (driver) that logs the USB data exchange between hardware and device driver. Best part is, it is OPEN SOURCE.
It is based on the WDM architecture (Windows Driver Model), which supports the insertion of a filter between device drivers. In this case, the filter itself is a driver.
Also, it is very easy to install. All you need to do is copy the driver to your ‘drivers’ directory (normally c:\windows\system32\drivers for Windows XP and c:\WINNT\system32\drivers for Windows 2000). Then, you need to configure the sniffer front-end sniffusb.exe and use the device that needs to be sniffed. This program saves the logs on your Windows drive with the name usbsnoop.log.
This application is compatible with Windows 98, Windows 2000, Windows XP.
Download the latest version (though not updated in a LONG time) here (version 1.8).
Posted in Security, Tools
DNS Exploit in the Wild
Posted by Xavier Ashe on July 26, 2008
We’ve been tracking Metasploit commits since Matasano’s premature publication of Dan Kaminsky’s DNS cache poisoning flaw on Monday, knowing full well that a functional exploit would be coming soon. Only two hours ago HD Moore and I)ruid added a module to the Metasploit Project that will let anyone test the vulnerability (with the comment: “ZOMG. What is this? >:-)”). HD told Threat Level that it doesn’t work yet for domains that are already cached by the DNS server, but it will automatically wait for the cached entry to expire and then complete the attack. You can read more about the bailiwicked_host.rb module in CAU’s advisory. For a more detailed description of how the attack works, see this mirror of Matasano’s post. You can check if the DNS server you are using is vulnerable by using the tool on Dan’s site.
Posted in Security
iPhone Forensics
Posted by Xavier Ashe on July 26, 2008
iPhone Forensics gives IT professionals, security personnel, and law enforcement the knowledge needed to conduct forensic analysis of an iPhone. This book shows the reader how to recover sensitive information from the device and perform disaster recovery, and walks the reader through various scenarios for recovering different types of information. With this guide, the reader will be able to effectively recover live, lost, or deleted email, photos, voicemail, Google Maps searches, typing cache, and other sensitive data retained by the iPhone. The reader will learn advanced techniques including data recovery, properly preserving and preparing evidence, and technical techniques such as bypassing basic passcode security or recovering data even after a full restore (by say, a disgruntled employee). Finally, the reader will learn how to properly wipe an iPhone clean of all data for resale or reissue – something Apple’s own restore process fails to do.
iPhone Forensics: Rough Cuts Version from O’Reilly
Posted in Security
Think if this was your company
Posted by Xavier Ashe on July 26, 2008
Posted in Security
