The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Archive for June, 2005

Supreme Court Ruling Will Chill Technology Innovation

Posted by Xavier Ashe on June 27, 2005

From the EFF:

Copyright Liability Standard in Grokster Decision Endangers P2P and Other New Technologies

Washington, DC – Today the Supreme Court issued a ruling
that could impede makers of all kinds of technologies with expensive
lawsuits. The long-awaited decision in MGM v. Grokster states that P2P
software manufacturers can be held liable for the infringing activities
of people who use their software. This decision relies on a new theory
of copyright liability that measures whether manufacturers created
their wares with the “intent” of inducing consumers to infringe. It
means that inventors and entrepreneurs will not only bear the costs of
bringing new products to market, but also the costs of lawsuits if
consumers start using their products for illegal purposes.

“Today the Supreme Court has unleashed a new era of legal
uncertainty on America's innovators,” said Fred von Lohmann, EFF's
senior intellectual property attorney. “The newly announced inducement
theory of copyright liability will fuel a new generation of
entertainment industry lawsuits against technology companies. Perhaps
more important, the threat of legal costs may lead technology companies
to modify their products to please Hollywood instead of consumers.”

The Supreme Court has also ordered the lower court to consider
whether peer-to-peer companies Grokster and StreamCast can be held
liable under the new standard. StreamCast is confident that it will
pass muster under the new, multi-pronged test.

MGM v. Grokster was
brought by 28 of the world's largest entertainment companies against
the makers of the Morpheus, Grokster, and KaZaA filesharing software
products in 2001. The entertainment companies hoped to obtain a legal
precedent that would hold all technology makers responsible for the
infringements committed by the users of their products. The Electronic
Frontier Foundation (EFF), along with StreamCast counsel Matt Neco and
Charles Baker of Porter and Hedges, defended StreamCast Networks, the
company behind the Morpheus filesharing software.

The entertainment companies lost their case in District Court, then
lost again on appeal to the Ninth Circuit Court of Appeals. The lower
court rulings were based on the Supreme Court's landmark decision in
the 1984 Sony Betamax case, which determined that Sony was not liable
for copyright violations by users of the Betamax VCR.

» PDF of the Supreme Court decision
» Press Release: Supreme Court Ruling Will Chill Technology Innovation
» Audio from today's press conference coming soon
» Statement from Public Knowledge about Grokster Decision

Posted in Other Technology | Leave a Comment »

Banks: Beware of your own staff

Posted by Xavier Ashe on June 26, 2005

Employees have overtaken hackers as the greatest threat to the world's largest financial institutions, a new survey says.

The study, conducted by Deloitte Touche Tohmatsu in its 2005 Global
Security Survey, blames the rise in attacks on human weakness.

More than a third (35 per cent) of the financial services industry
surveyed confirmed encountering attacks from inside their organization
within the past year, an increase of 14 per cent over the previous
year. Attacks from external sources came in at 26 per cent, up from 23
per cent the year before.

Read the full article at Global Security.

Posted in Security | Leave a Comment »

The Administrator Accounts Security Planning Guide

Posted by Xavier Ashe on June 26, 2005

Because of their inherent permissions and power, the
administrator accounts on computers that run the Microsoft® Windows
Server™ 2003 operating system are both the most useful and potentially
the most dangerous accounts on your computer. Any other accounts to
which you grant the equivalent of administrator privileges present the
same high risks.

This guide will be an
indispensable resource when you plan strategies to secure
administrator-level accounts in Microsoft Windows NT®–based operating
systems such as Windows Server 2003 and Windows® XP. It addresses the
problem of intruders who acquire administrator account credentials and
then use them to compromise the network. The main goal of this guide is
to provide prescriptive guidance in terms of the steps you can take to
secure your local and domain-based administrator-level accounts and
groups. This guidance is based on Microsoft Security Center of
Excellence (SCoE) experience in customer environments and represents
Microsoft best practices.

Posted in Security | Leave a Comment »

Microsoft's 10 Immutable Laws of Security

Posted by Xavier Ashe on June 26, 2005

Here at the Microsoft Security Response Center, we
investigate thousands of security reports every year. In some cases, we
find that a report describes a bona fide security vulnerability
resulting from a flaw in one of our products; when this happens, we
develop a patch as quickly as possible to correct the error. (See “A
Tour of the Microsoft Security Response Center”). In other cases, the
reported problems simply result from a mistake someone made in using
the product. But many fall in between. They discuss real security
problems, but the problems don't result from product flaws. Over the
years, we've developed a list of issues like these, that we call the 10
Immutable Laws of Security.

Don't hold your
breath waiting for a patch that will protect you from the issues we'll
discuss below. It isn't possible for Microsoft—or any software
vendor—to “fix” them, because they result from the way computers work.
But don't abandon all hope yet—sound judgment is the key to protecting
yourself against these issues, and if you keep them in mind, you can
significantly improve the security of your systems.

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
Law #5: Weak passwords trump strong security
Law #6: A computer is only as secure as the administrator is trustworthy
Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
Law #9: Absolute anonymity isn't practical, in real life or on the Web
Law #10: Technology is not a panacea

Posted in Security | Leave a Comment »

Are you PCI Compliant?

Posted by Xavier Ashe on June 23, 2005

Only a few days left until the PCI Data Security Compliance deadline! By June
30th of this year, you must have your first network scan completed. The Payment
Card Industry (PCI), including MasterCard, Visa, Discover, American Express, JBC
Credit, and Diner's Card, requires merchants and service providers to protect
cardholder information by adhering to a set of security standards. The PCI
security standard includes MasterCard's Site Data Protection (SDP) program and
Visa's Cardholder Information Security Program (CISP).

Who is required to meet PCI standards?

  • Merchants processing over $125,000 in credit card transactions per month or
    more than 20,000 credit card transactions per year.

What do I need to do to meet PCI standards?

  • If you have more than 6 million credit card transactions per year, or have
    suffered a hack or an attack that resulted in an account data compromise,
    you must complete an on-site security audit annually and complete and pass
    quarterly network scans.
  • All other merchants, with between 20,000 and 6 million transactions per
    year, must complete and pass quarterly network scans and complete a network
    security self-assessment.

What network scanner can I use?

  • Only those approved by PCI. The Qualys Security Scanner is not only on that
    list, but is MasterCard's preferred network scanner.

What do I have to do to “Pass” a network scan?

  • You must not have any vulnerabilities that are classified as Level 3, 4, or
    5. The difference between Qualys and other network scanners is that Qualys
    gives you step-by-step instructions on how to fix the problems; other
    scanners force you to do this research yourself. Qualys provides instant
    Pass/Fail results in a format ready to be sent to the various credit card
    companies.

What must be scanned?

  • All external-facing IP addresses, any website that you host at a 3rd-party
    hosting company (including shared virtual hosts), and all wireless access
    points.

What can I do to meet PCI standards?

  • If you are a Qualys subscriber, then you just need a small upgrade to enable
    your account for PCI scanning. Call Microtek today to meet the June 30th
    deadline!
  • If not, then call Microtek today to set up your first Qualys scan. You can
    buy one scan to see the power of Qualys (and meet the June 30th deadline),
    or you can buy a subscription, which allows you to scan as often as you
    would like. Free demo scans are available by clicking here.

Can I just ignore this and it will go away?

  • According to Visa, “If a merchant or service provider does not comply with
    the security requirements or fails to rectify a security issue, Visa may:

    • Fine the acquiring member
    • Impose restrictions on the merchant or its agent, or
    • Permanently prohibit the merchant or its agent from participating in Visa
      programs

    Members receive protection from fines for merchants or service providers
    that have been compromised but found to be CISP-compliant at the time of the
    security breach. Members are subject to fines, up to $500,000 per incident,
    for any merchant or service provider that is compromised and not
    CISP-compliant at the time of the incident.”

Posted in Main Page, Security | Leave a Comment »

_images_usbfinger_2.jpg

Posted by Xavier Ashe on June 22, 2005

Posted in Random Pics | Leave a Comment »

Need a Thumb Drive?

Posted by Xavier Ashe on June 22, 2005

I posted a new photo to Photos.

Posted in Main Page | Leave a Comment »

Security Expert expounds Evading Speeding Tickets

Posted by Xavier Ashe on June 21, 2005

Bruce Schneier may have gotten a speeding ticket lately, because his recent blog entry is all about evading speeding tickets:

This site is run by an ex-policeman, and feels authoritative. He places a lot
of emphasis on education; installing a fancy radar detector isn't going to do
much for you unless you know how to use it correctly.

Here's a product that seems to counter the threat of aerial license-plate scanners.

This spray claims to make your license plate invisible to cameras. I have no idea if it works.

One final note: the ex-cop is offering a $5,000 reward for the first person who can point him to a passive laser jammer that works.

Posted in For Fun, Security | Leave a Comment »

Another nice Google maps hack

Posted by Xavier Ashe on June 21, 2005

Jimmy Palmer [ed: editor of the fine DRM Blog]
combined 2000 census data with Google maps. The result, gCensus.com, is that you can
now see how many people live in any area in the United States. You can
even see how many people live on a single city block.

Found on Boing Boing.

Posted in Other Technology | Leave a Comment »

A Microsoft Crash Course in Security

Posted by Xavier Ashe on June 21, 2005

Here are free guides from Microsoft to get your IT security staff ramped up.

The Security Monitoring and Attack Detection Planning Guide describes how to
plan a security monitoring system on Windows-based networks that can detect
attacks that originate from internal and external sources.

Smart cards provide particularly effective security control in two scenarios:
to secure administrator accounts and to secure remote access. We use them here
at Microsoft. The Secure Access Using Smart Cards Planning Guide details these
two scenarios as the priority areas in which to implement smart cards.

The Administrator Accounts Security Planning Guide
provides prescriptive guidance on steps you can take to secure your
local and domain-based administrator-level accounts and groups.

Once you have the admin account locked down you will want to read the Services and Service Accounts Security Planning Guide.
This guide addresses the common problem of Windows services that are
set to run with highest possible privileges, which an attacker could
compromise to gain full and unrestricted access to the computer or
domain, or even to the entire forest.

Finally, you should read the Implementing Quarantine Services with Microsoft Virtual Private Network Planning Guide.
This guide describes the challenges in and benefits of planning and
implementing quarantine services with VPN through the new features
available in Microsoft Windows Server 2003 with Service Pack 1 (SP1).

From Tonyso's Technet Blog.

Posted in Security | Leave a Comment »

What is Pod Slurping?

Posted by Xavier Ashe on June 20, 2005

To demonstrate the ease of “pod slurping” – the ability to copy corporate
information to an iPod's hard drive – Abe Usher created an application that can
suck Word, PDF, Excel and other office documents off an office PC in minutes.
Usher, founder of Sharp Ideas, joins us to discuss his application and what
companies can do to combat the potential iPod security risk.

Note: If you want to send an audio comment in MP3 about this or any other program, send your file to nwradio@gmail.com.

Subscribe to the Network World Radio Podcast feed here.

Posted in Security | Leave a Comment »

It's like watching a car wreck….

Posted by Xavier Ashe on June 20, 2005

A car rear-ends a parked van on the highway. It's dark, and with the van's rear
lights damaged and no longer working, this accident continues to cause more
accidents, all of which are caught on the video.

I watched this video 5 times… damn. (WMV file)

Posted in For Fun | Leave a Comment »

Why it's important to establish a security culture through security awareness

Posted by Xavier Ashe on June 20, 2005

I was researching for a piece on security culture when I found an excellent
post which included a paper given by Harris Miller (president of the
Information Technology Association of America (ITAA)) on Internet Security to
a Senate committee. I like the paper as it's well researched, concise and full
of wonderful quotes, including the following:

Inadequate user awareness is the single most important thing we should tackle – Richard Hackworth, HSBC

Security is a process not a product – Bruce Schneier

Security guru Bruce Schneier said: “Computers and networks might be difficult
to secure, but the biggest security vulnerability is still that link between
keyboard and chair.”

You can view the post itself by clicking here. It's well worth a read as you can pick up some great references for use in your own security discussions.

Found on Steve Lamb's Blog.

Posted in Security | Leave a Comment »

Ignorance is a powerful force, especially when wielded by a government

Posted by Xavier Ashe on June 20, 2005

How much do you trust your government?
That's a question that all of us have to ask, perhaps the more often
the better. Thomas Jefferson, one of the founders of the United States
and its third President, wrote to Abigail Adams in 1787 sentences that may seem incredible to many people today:

“The spirit of resistance to government is so valuable on certain occasions,
that I wish it to be always kept alive. It will often be exercised when wrong,
but better so than not to be exercised at all. I like a little rebellion now
and then. It is like a storm in the atmosphere.”

The Naperville Public Library in Naperville,
Illinois (the board of which is appointed by the Mayor and approved by
the City Council) is now going to ask patrons to submit fingerprints
in order to verify the identities of patrons wishing to use the
Internet terminals. Currently, parents can ask the library to filter
the Internet access of their kids; according to the library, “filtered”
kids are swapping library cards with kids whose parents have not asked
for filters, so the little shavers are able to use the network without
restrictions.

(Other examples of governmental and non-governmental organizations asking for your fingerprints today: the Statue of Liberty, Disneyland, the US Border Patrol, plus even some tanning salons, and gyms.)

Read the full column at SecurityFocus.

Posted in Security | Leave a Comment »

Microsoft Releases a Collection of New Planning Guides

Posted by Xavier Ashe on June 19, 2005

NEW June 2005 Planning Guides

The Services and Service Accounts Security Planning Guide

This guide addresses the common problem of Windows services that are set to
run with the highest possible privileges, which an attacker could compromise to
gain full and unrestricted access to the computer or domain, or even to the
entire forest.

http://go.microsoft.com/fwlink/?LinkId=41311

The Security Monitoring and Attack Detection Planning Guide

This guide describes how to plan a security monitoring system on Windows-based
networks. This system can detect attacks that originate from internal and
external sources.

http://go.microsoft.com/fwlink/?LinkId=41309

The Secure Access Using Smart Cards Planning Guide

Smart cards provide particularly effective security control in two scenarios:
to secure administrator accounts and to secure remote access. This guide
concentrates on these two scenarios as the priority areas in which to
implement smart cards.

http://go.microsoft.com/fwlink/?LinkID=41313

The Administrator Accounts Security Planning Guide

This guide provides prescriptive guidance in terms of the steps you can take
to secure your local and domain-based administrator-level accounts and groups.

http://go.microsoft.com/fwlink/?LinkId=41315

Implementing Quarantine Services with Microsoft Virtual Private Network Planning Guide

This guide describes the challenges in planning and implementing quarantine
services with VPN through the new features available in Microsoft® Windows
Server™ 2003 with Service Pack 1 (SP1).

http://go.microsoft.com/fwlink/?LinkId=41307
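The two guides that matter most for day-to-day hardening, the Administrator Accounts guide and the Services and Service Accounts guide (also summarized in the posts above from June 26 and June 21), both start from the same question: which principals on this box already hold administrator-level power? As an added example, not code from Microsoft's guides or from this blog, the PowerShell below answers that question read-only for one host: it lists the members of the local Administrators group and classifies every Windows service by the account it runs under, so that LocalSystem services and services running under named domain accounts (the credentials an intruder would reuse across the network) stand out for review. It assumes a Windows host with WMI and the WinNT ADSI provider available, and that it is run from an elevated PowerShell session; the function names, the `Kind` labels, and the default of the local machine for `$ComputerName` are this example's own choices.

```powershell
# Added example (not from the Microsoft guides or this blog): read-only audit of the two
# privilege paths the Administrator Accounts and Services and Service Accounts guides
# describe. Assumes WMI and the WinNT ADSI provider are reachable on $ComputerName.

function Get-LocalAdministratorMember {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # The WinNT provider works from Windows Server 2003 onward; on Windows 10 / Server 2016+
    # Get-LocalGroupMember gives the same information with less ceremony.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in $group.Invoke('Members')) {
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class   = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
        $name    = ($adsPath -replace '^WinNT://', '') -replace '/', '\'
        [PSCustomObject]@{
            Member = $name                              # e.g. CONTOSO\Domain Admins, SERVER1\Administrator
            Type   = $class                             # 'User' or 'Group'; a nested group hides more admins
            Local  = ($name -like "$ComputerName\*")    # local account vs. domain principal
        }
    }
}

function Get-ServiceAccountUsage {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # LocalService / NetworkService are the low-privilege built-ins and form the baseline.
    # LocalSystem is full control of the host; a named local or domain account is a
    # credential stored on this host that is valid elsewhere too.
    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartName } |
        ForEach-Object {
            $account = $_.StartName
            $kind = switch -Regex ($account) {
                '^LocalSystem$'                                     { 'LocalSystem'; break }
                '^NT AUTHORITY\\(Local ?Service|Network ?Service)$' { 'BuiltInLowPrivilege'; break }
                '^NT SERVICE\\'                                     { 'VirtualAccount'; break }
                '^\.\\'                                             { 'LocalAccount'; break }
                '^[^\\]+\\[^\\]+$'                                  { 'DomainAccount'; break }
                default                                             { 'Other' }
            }
            [PSCustomObject]@{
                Name      = $_.Name
                Account   = $account
                Kind      = $kind
                StartMode = $_.StartMode
                State     = $_.State
                Path      = $_.PathName
            }
        }
}

# Report. Administrators first, then a count per account kind, then the services the
# guide asks you to justify or re-home: LocalSystem and named-account services that are
# not disabled. Out-Host forces each table to render before the next Write-Host line.
$admins = @(Get-LocalAdministratorMember)
Write-Host "Local Administrators on $env:COMPUTERNAME ($($admins.Count) members):"
$admins | Format-Table -AutoSize | Out-Host

$services = @(Get-ServiceAccountUsage)
Write-Host "Service accounts by kind:"
$services | Group-Object Kind | Sort-Object Count -Descending | ForEach-Object {
    Write-Host ("  {0,-20} {1,4}" -f $_.Name, $_.Count)
}

$reviewKinds = @('LocalSystem', 'DomainAccount', 'LocalAccount')
Write-Host "Services to review (privileged or reusable credential, not disabled):"
$services |
    Where-Object { $reviewKinds -contains $_.Kind -and $_.StartMode -ne 'Disabled' } |
    Sort-Object Kind, Name |
    Format-Table Name, Account, Kind, StartMode, State -AutoSize | Out-Host
```

Run it from an elevated prompt on the host being reviewed, or pass `-ComputerName` to both functions to audit a remote server over DCOM. The interesting output is the last table: each LocalSystem service should either be one the platform needs at that level or a candidate for LocalService/NetworkService, and each DomainAccount service is a place where a compromise of this one host yields a credential that works on every other host the account can reach, which is exactly the cross-machine path the Services and Service Accounts guide warns about. On PowerShell 7, where `Get-WmiObject` is no longer shipped, `Get-CimInstance -ClassName Win32_Service` returns the same `StartName`, `StartMode`, `State`, and `PathName` properties.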

Microsoft Solutions for Security (MSS) team's blog.

Posted in Other Technology, Security | Leave a Comment »

BSI Open Source Security Suite (Boss)

Posted by Xavier Ashe on June 19, 2005

Germany's Federal Office for Security in Information Technology
(BSI) has developed a free, open-source tool that allows public and
private sector organizations and companies to test the security of
their networked systems, the agency announced Friday.

The tool, BSI Open Source Security Suite (Boss), is based on a remote security
scanner system developed by the Nessus Open Source Vulnerability Scanner
Project. Nessus software includes more than 7,000 plug-ins to test the security
of all relevant networking products, according to BSI. The software's user
interface has been modified to make the application easier to use, the agency
said.

Boss also draws on other open-source software applications available via
Knoppix, a GNU/Linux distribution that boots and runs completely from CD.
Knoppix includes recent Linux software and desktop environments, with programs
such as OpenOffice.org, Abiword, The Gimp, Konqueror, Mozilla, Apache and
MySQL.

In addition, BSI has integrated a Security Local Auditing Daemon (SLAD), which
manages a range of security software, such as Tiger, John-The-Ripper, Tripwire,
LSOF, ClamAV Antivirus and Chkrootkit.

The new security tool developed by BSI can thoroughly check core systems for
internal security weaknesses or recent attacks, helping organizations and
companies track down security problems, according to the agency.

The free software can be downloaded from BSI's Web site.

The software will also be available on CD at the BSI booth during the LinuxTag
2005 conference from June 22 to June 25 in Karlsruhe, Germany.

Found on Network World.

Posted in Security, Tools | Leave a Comment »

Alert over hi-tech thieves who scan cars for laptops

Posted by Xavier Ashe on June 19, 2005

Thieves are using new ‘blue-tooth’ phones to detect whether
motorists have left mobiles or laptops in their cars. The ‘blue-tooth’
facility enables thieves to locate compatible electrical items – even
if they are hidden away in a boot or glove compartment.

Police say the new technology is allowing criminals to selectively
steal from cars with expensive laptops and mobile phones which also
have ‘blue-tooth’ facilities.

Read the full article at the South Manchester Reporter.

Posted in Security | Leave a Comment »

Snort on Windows 2003 Server Guide

Posted by Xavier Ashe on June 19, 2005

There is a lot of documentation on Snort on Linux, and a considerable amount on
Snort for Windows too. But most of the documentation deals with older versions.
So I thought I would create one for the latest version of the Snort
environment. The setup that I am talking about is running Snort 2.3.3 on
Windows Server 2003 with PHP5 and SQL 2000 SP4. All other components are also
the latest available for public use.

The PDF is posted on Infosec Writers.

Posted in Security | Leave a Comment »

MasterCard Security Breach Called Biggest Ever

Posted by Xavier Ashe on June 18, 2005

MasterCard International said its security staff identified the breach
at Tucson-based CardSystems Solutions Inc., a third-party processor of
payment card data. Third party processors process transactions on
behalf of financial institutions and merchants.

MasterCard said security vulnerabilities in CardSystems processor's
systems allowed an unauthorized individual to infiltrate CardSystems'
network and access cardholder data.

MasterCard cautioned that social security numbers, dates of birth and the like were not stored on MasterCard cards.

Although CardSystems has already taken steps to improve the security of its
system, MasterCard said it was giving the company “a limited amount of time”
to demonstrate compliance with MasterCard security requirements.

It just keeps getting worse.  Check it out on eWeek.

Posted in Security | Leave a Comment »

GPS Jamming for Fun and Profit

Posted by Xavier Ashe on June 16, 2005

Most modern weapon systems and aircraft
depend, in part, on the Global Positioning System (GPS) for navigation.
This reliance on GPS navigation dictates that laboratory test
facilities be equipped to create realistic GPS jamming environments
able to verify compliance with jamming specifications. Engineers at the
Naval Air Warfare Center Weapons Division (NAWCWPNS) have designed and
built a GPS jamming system for laboratory use to test GPS system
jamming performance.

This paper identifies and discusses issues related to implementing a
GPS jamming system in a laboratory test environment. These issues
pertain to jamming accuracy requirements, as well as important jamming
system design parameters and how they may affect jamming system
performance. An example of the Navigation Laboratory jamming system is
presented. It addresses fabrication issues, data requirements, error
handling, local and remote operations, and how to attain high accuracy
and repeatability during the generation and measurement of jamming.

Start the fun at GlobalSecurity.org.  It's an old report (1997), but a little birdie told me it still works.

Posted in Security | Leave a Comment »
