The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Archive for October, 2008

New Web based Training for TSOM 4.1

Posted by Xavier Ashe on October 7, 2008

IBM Tivoli Security Operations Manager 4.1 – Fundamentals

Course description

In this 4-hour Web-based training course, you will use IBM Tivoli Security Operations Manager 4.1 to learn its fundamentals and operator tasks.

Objectives

After completing this course, you should be able to:

  • Install and configure IBM Tivoli Security Operations Manager 4.1
  • Configure and collect events from sensors

Course outline

  1. Introduction
  2. Installation
  3. Administration
  4. Investigating Events
  5. Correlating Events

Who will benefit from this course

This course is intended for implementers and administrators who need to correlate security events.

Required skills/knowledge

  • Intrusion detection: Understand the basic concepts of intrusion detection
  • TCP/IP: Understand IP addresses, networks, and ports

Recommended courses


Posted in IBM, Security, TSOM

Cyber Peeping Tom

Posted by Xavier Ashe on October 4, 2008

Federal prosecutors are going after a Florida college student who allegedly installed spyware on a woman’s laptop to covertly snap nude photos of her through her webcam.

Craig Matthew Feigin, 23, is charged (.pdf) in U.S. District Court in Gainesville with violating the federal Computer Fraud and Abuse Act. Feigin was arrested by local police last July.

The case began when the victim noticed changes in her computer’s behavior after giving it to Feigin for overnight repairs, the Gainesville Sun reported at the time. Every time she got near her laptop, the light on her webcam switched on.

A friend with IT experience examined the system, and found that someone had installed the remote access program Log Me In, and software called Web Cam Spy Hacker, which Feigin himself sold online as a tool for catching cheating spouses. Over three weeks, the software allegedly uploaded some 20,000 images of the woman to an Eastern European web server before it was detected.

Read the full article on Wired.

Posted in Security

Why The TCP Attack Is Likely Bad, But Not That Bad

Posted by Xavier Ashe on October 3, 2008

There’s been a bunch of new information released over the past few days about the potential big TCP denial of service flaw. The three most informative posts I’ve read are:

  1. Fyodor’s discussion of either the same, or a similar issue.
  2. Richard Bejtlich’s overview.
  3. Rob Graham’s take on the potential attack.

Here’s what I think you need to know:

  1. It is almost certainly real.
  2. Using this technique, an attacker with very few resources can lock up the TCP stack of the target system, potentially draining other resources, and maybe even forcing a reboot (Could this trash a host OS? We don’t know yet.).
  3. Anything that accepts TCP connections is vulnerable. I believe that means passive sniffing/routing is safe.
  4. The attack is obvious and traceable. Since we are using TCP and creating open connections (not UDP) it means spoofing/anonymous attacks don’t seem possible.
  5. Thus, I’d be more worried about a botnet that floods your upstream provider than this targeted attack.
  6. This is the kind of thing we should be able to filter, once our defenses are updated.

From Securosis.com.
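Points 4 and 6 above rest on one observation: the attack has to hold real, completed TCP connections open, so the offending sources sit in the server's own connection table and can be counted. The script below is an added illustration (not code from the Securosis post or from this blog) of that defensive check: it parses netstat-style output and flags remote addresses holding an unusual number of open connections. The sample table and the threshold are constructed for the example; the parser only assumes the `netstat -tn` column layout on Linux.

```python
"""Per-source open-connection accounting over a netstat-style table.

Added example (not from the Securosis post): counts open TCP connections
per remote address so that a single source holding many connections to
the server stands out and can be filtered upstream.
"""
from collections import Counter
import re

# Constructed sample in the column layout of `netstat -tn` on Linux:
# Proto Recv-Q Send-Q Local Address Foreign Address State
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             192.0.2.10:40001        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:40002        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:40003        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:40004        ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:443            198.51.100.7:51235      TIME_WAIT
tcp        0      0 10.0.0.5:80             203.0.113.9:60000       SYN_RECV
"""

# One data row: proto, recv-q, send-q, local addr:port, remote addr:port, state.
LINE_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)$"
)


def parse_netstat(text):
    """Yield (local_endpoint, remote_ip, state) for each data row; the
    header and any non-TCP rows are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # rpartition keeps IPv6 addresses (which contain ':') intact.
        remote_ip, _, _port = m.group("remote").rpartition(":")
        yield m.group("local"), remote_ip, m.group("state")


def count_open_by_source(text, states=("ESTABLISHED",)):
    """Count connections per remote IP that are in one of `states`.

    Only fully open connections count by default; half-open ones
    (SYN_RECV) can be included by passing a wider tuple of states.
    """
    counts = Counter()
    for _local, remote_ip, state in parse_netstat(text):
        if state in states:
            counts[remote_ip] += 1
    return counts


def flag_sources(text, threshold, states=("ESTABLISHED",)):
    """Return remote IPs holding at least `threshold` open connections,
    sorted, so the result can feed a block list or an alert."""
    counts = count_open_by_source(text, states)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # Threshold of 3 is chosen for the constructed sample only.
    for ip, n in count_open_by_source(SAMPLE_NETSTAT).most_common():
        print(f"{ip:16} {n} open")
    print("flagged:", flag_sources(SAMPLE_NETSTAT, threshold=3))
```

The threshold is the part that needs local tuning: a NAT gateway or a proxy legitimately multiplexes many clients through one address, so set it from a baseline of the server's normal per-source connection counts rather than from a fixed number, and review flagged addresses before filtering them.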

Posted in Uncategorized

PCI DSS version 1.2 differences and updates

Posted by Xavier Ashe on October 3, 2008

On October 1, 2008 the PCI SSC released version 1.2 of the PCI DSS requirements. There are a number of changes as outlined previously in the update document. The PCI SSC has established a life cycle process that will ensure the PCI DSS standard is revised and updated on a two year cycle. What follows is a detailed outline of the differences between version 1.1 and 1.2 (some that have not been discussed previously) and the implications of those changes. (Unless otherwise noted, those items in quotations are taken directly from the PCI DSS or the update document linked above.)

Good dissection of the new reg from the PCI Blog.

Posted in Uncategorized

Security metrics: more is not better

Posted by Xavier Ashe on October 3, 2008

The shiny new version of SP800-55, renamed “Performance Measurement Guide for Information Security”, takes a rather different tack but is still quite long (80 pages in total, half of which are appendices). I suspect the primary reason for its existence is to support FISMA (the US Federal Information Security Management Act, essentially a set of information security policies mandated in law for US Government agencies) by imposing a standardized set of metrics that can be used to benchmark agencies and force the laggards to pull their socks up. It remains a highly bureaucratic and costly response to a genuine management problem.

Another draft NIST standard, SP800-80 “Guide for Developing Performance Metrics for Information Security”, emphasises the process of developing and implementing security metrics. It includes a shorter list of STTCBM (‘candidate metrics’), but again takes a database approach with forms in the appendices characterising the metrics by ‘metric type’, ‘frequency of collection’ etc., details which, by the way, are organization and implementation-specific and really not that hard for grown-up security managers to figure out for themselves.

Read the full article on the (ISC)2 Blog.

Posted in Uncategorized

IBM software bundle targets retail theft, data breaches

Posted by Xavier Ashe on October 2, 2008

IBM is targeting retail security with a package of software and services designed to prevent physical loss of merchandise, protect against electronic threats and comply with credit card industry regulations.

SecureStore, announced Wednesday, combines surveillance and RFID systems with software that protects online and in-store transactions, as well as software that protects databases and applications from network-based threats, IBM said. While SecureStore mainly consists of pre-released products from IBM divisions such as Internet Security Systems (ISS), Tivoli and Rational, Big Blue’s Val Rahmani says it is unique in that it brings together products from various parts of IBM to address one industry segment, and re-architects the products so they fit together and are optimized for retail.

Read the full article on Network World.

Posted in IBM, ISS, Security, TSOM
