<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2enclosuresfull.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:media="http://search.yahoo.com/mrss/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><title>Zen One</title><link>http://blog.zenone.org/</link><description>Blog of Steve Zenone; Information Security Professional, Ubuntu Supporter, Mac User, MythTV Convert, Music Aficionado, Volunteer Firefighter, Trail Runner, Mountain Biker, ...</description><language>en</language><managingEditor>noreply@blogger.com (Steve Zenone)</managingEditor><lastBuildDate>Thu, 05 Nov 2009 16:48:03 PST</lastBuildDate><generator>Blogger http://www.blogger.com</generator><openSearch:totalResults xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/">95</openSearch:totalResults><openSearch:startIndex xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/">1</openSearch:startIndex><openSearch:itemsPerPage xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/">25</openSearch:itemsPerPage><itunes:owner><itunes:email>noreply@blogger.com</itunes:email></itunes:owner><itunes:explicit>no</itunes:explicit><itunes:subtitle>Blog of Steve Zenone; Information Security Professional, Ubuntu Supporter, Mac User, MythTV Convert, Music Aficionado, Volunteer Firefighter, Trail Runner, Mountain Biker, ...</itunes:subtitle><geo:lat>36.980556</geo:lat><geo:long>-122.046031</geo:long><creativeCommons:license>http://creativecommons.org/licenses/by/2.0/</creativeCommons:license><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/morphic" type="application/rss+xml" 
/><feedburner:emailServiceId>morphic</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item><title>Cyberspace Security Review</title><link>http://feedproxy.google.com/~r/morphic/~3/W6-oG6fYfuo/cyberspace-secuity-review.html</link><category>Strategy</category><category>Penetration Testing</category><category>attack</category><category>InfoSec</category><category>Government</category><category>Research and Development</category><category>hacker</category><category>Information Security</category><category>Risk</category><category>Process</category><category>White House</category><category>Investigation</category><category>Policy</category><category>Security</category><category>compliance</category><category>Cyberspace</category><category>Obama</category><category>Vulnerability</category><category>Incident Response</category><category>Network Security</category><category>Pentest</category><category>Intrusion Detection</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Sun, 31 May 2009 15:01:45 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-7377562367280876067</guid><description>&lt;p&gt;On Friday (May 29, 2009) President Obama announced the nation’s plan to defend against attacks on the nation's computer networks; a “strategic national asset.” This plan includes appointing a Cyber-Security Chief, whom he has not yet chosen, in the White House. Obama will sign a classified order within the coming weeks that will create the military cybercommand.&lt;/p&gt;
&lt;p&gt;He stated that cyber-criminals have cost US citizens over $8 billion worth of stolen data and that the figure worldwide was up to $1 trillion.&lt;/p&gt;
&lt;p&gt;The announcement came with the release of the &lt;a href="http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf" target="_blank"&gt;Cyberspace Security Review&lt;/a&gt;, a 76-page document that had 60 days to be completed from the date of the initial request. The Cyberspace Security Review explains how the US intends to secure its critical network infrastructure. It was stated that the review was necessary because, “&lt;em&gt;America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration&lt;/em&gt;”, and that, “&lt;em&gt;our digital infrastructure has already suffered intrusions that have allowed criminals to steal hundreds of millions of dollars and nation-states and other entities to steal intellectual property and sensitive military information&lt;/em&gt;.”&lt;/p&gt;
&lt;p&gt;The Cyberspace Security Review made the following 10 recommendations for near-term action:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities; establish a strong NSC directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the NEC, to coordinate interagency development of cybersecurity-related strategy and policy.&lt;/li&gt;

  &lt;li&gt;Prepare for the President’s approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes.&lt;/li&gt;

  &lt;li&gt;Designate cybersecurity as one of the President’s key management priorities and establish performance metrics.&lt;/li&gt;

  &lt;li&gt;Designate a privacy and civil liberties official to the NSC cybersecurity directorate.&lt;/li&gt;

  &lt;li&gt;Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government.&lt;/li&gt;

  &lt;li&gt;Initiate a national public awareness and education campaign to promote cybersecurity.&lt;/li&gt;

  &lt;li&gt;Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity.&lt;/li&gt;

  &lt;li&gt;Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement.&lt;/li&gt;

  &lt;li&gt;In collaboration with other EOP entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions.&lt;/li&gt;

  &lt;li&gt;Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;What is promising about the Review is that there's repeated focus on &lt;em&gt;outcomes&lt;/em&gt; as opposed to the &lt;em&gt;inputs&lt;/em&gt;. Too often forward progress is hindered by the inefficient efforts of trying to define &lt;em&gt;process&lt;/em&gt; before goals and objectives are clearly defined and understood. Rather, the Review consistently attempts to make it clear what the strategic outcomes are, and from those objectives, the development of process will be guided.&lt;/p&gt;
&lt;p&gt;The Review also states, “&lt;em&gt;Other structures will be needed to help ensure that civil liberties and privacy rights are protected.”&lt;/em&gt; The inclusion to help protect our privacy and civil liberties is an indication of the balanced intention of the plan.&lt;/p&gt;
&lt;p&gt;Money will also be set aside for research and development of security technologies, from which there will be significant opportunity.&lt;/p&gt;
&lt;p&gt;What I'm not certain about is the overall effectiveness the Cyber-Security Chief will have. Specifically, the position will not have direct access to the president. As a result, this position may not be high-level enough to prevent the almost certain bureaucratic nonsense, internal bickering and games that could waste millions/billions of dollars.&lt;/p&gt;
&lt;p&gt;Though the Review solely focusses on defensive measures, I'm also curious what efforts are underway, if any, towards the development and potential use of cyberweapons.&lt;br /&gt;&lt;/p&gt;
&lt;p&gt;Overall, the document doesn't suggest that there will be any major changes that will affect the private sector within the near term. The Review recommends specific changes to the direction of future US policies. Within the mid-term I imagine that lawmakers will develop regulations that will require the sharing of security incident data from the private sector with the government, presumably tempered with the commitment to ensure civil liberties. I anticipate that we will also see more emphasis put towards penetration testing and incident response.&lt;/p&gt;
&lt;p&gt;Steve&lt;/p&gt;
&lt;p&gt;###&lt;/p&gt;

&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7267320703085764135-7377562367280876067?l=blog.zenone.org'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/morphic?a=W6-oG6fYfuo:VthIh8ua25M:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=W6-oG6fYfuo:VthIh8ua25M:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=W6-oG6fYfuo:VthIh8ua25M:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?i=W6-oG6fYfuo:VthIh8ua25M:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=W6-oG6fYfuo:VthIh8ua25M:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=W6-oG6fYfuo:VthIh8ua25M:I9og5sOYxJI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=I9og5sOYxJI" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/morphic/~4/W6-oG6fYfuo" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-05-31T15:01:45.239-07:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><media:content url="http://feedproxy.google.com/~r/morphic/~5/sncgHjX2wz4/Cyberspace_Policy_Review_final.pdf" fileSize="727551" type="application/pdf" /><itunes:explicit>no</itunes:explicit><itunes:subtitle> On Friday (May 29, 2009) President Obama announced the nation’s plan to defend against attacks on the nation's computer networks; a “strategic national asset.” This plan includes appointing a Cyber-Security Chief, whom he has not yet chosen, in the White</itunes:subtitle><itunes:author>noreply@blogger.com (Steve Zenone)</itunes:author><itunes:summary> On Friday (May 29, 2009) President Obama announced the nation’s plan to defend against attacks on the nation's computer networks; a “strategic national asset.” This plan includes appointing a Cyber-Security Chief, whom he has not yet chosen, in the White House. Obama will sign a classified order within the coming weeks that will create the military cybercommand. He stated that cyber-criminals have cost US citizens over $8 billion worth of stolen data and that the figure worldwide was up to $1 trillion. The announcement came with the release of the Cyberspace Security Review, a 76 page document that had 60-days to be completed from the date of the initial request. The Cyberspace Security Review explains how the US intends to secure its critical network infrastructure. 
It was stated that the review was necessary because, “America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration”, and that, “our digital infrastructure has already suffered intrusions that have allowed criminals to steal hundreds of millions of dollars and nation-states and other entities to steal intellectual property and sensitive military information.” The Cyberspace Security Review made the following 10 recommendations for near-term action: Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities; establish a strong NSC directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the NEC, to coordinate interagency development of cybersecurity-related strategy and policy. Prepare for the President’s approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes. Designate cybersecurity as one of the President’s key management priorities and establish performance metrics. Designate a privacy and civil liberties official to the NSC cybersecurity directorate. Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government. Initiate a national public awareness and education campaign to promote cybersecurity. Develop U.S. 
Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity. Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement. In collaboration with other EOP entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions. Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation. What is promising about the Review is that there's repeated focus on outcomes as opposed to the inputs. Too often forward progress is hindered by the inefficient efforts of trying to define process before goals and objectives are clearly defined and understood. 
Rather, the Review consistently attempts to make it clear what the strategic outcomes are, and from those objectives, the development of process will </itunes:summary><itunes:keywords>Strategy, Penetration Testing, attack, InfoSec, Government, Research and Development, hacker, Information Security, Risk, Process, White House, Investigation, Policy, Security, compliance, Cyberspace, Obama, Vulnerability, Incident Response, Network Security, Pentest, Intrusion Detection</itunes:keywords><feedburner:origLink>http://blog.zenone.org/2009/05/cyberspace-secuity-review.html</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/morphic/~5/sncgHjX2wz4/Cyberspace_Policy_Review_final.pdf" length="727551" type="application/pdf" /><feedburner:origEnclosureLink>http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf</feedburner:origEnclosureLink></item><item><title>How ITIL Can Improve Information Security</title><link>http://feedproxy.google.com/~r/morphic/~3/n2c2MY3yjjE/how-itil-can-improve-information.html</link><category>Financial Management</category><category>ITIL</category><category>Risk Analysis</category><category>Strategic</category><category>OLA</category><category>Tactical</category><category>Information Security</category><category>SLA</category><category>IT Services</category><category>Security</category><category>Policies</category><category>Problem Management</category><category>Procedures</category><category>IT Organization</category><category>Incident Management</category><category>Release Management</category><category>Service Level Management</category><category>Instructions</category><category>Processes</category><category>Availability Management</category><category>Configuration Management</category><category>Operational</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Wed, 27 May 2009 08:59:07 PDT</pubDate><guid 
isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-7030134522800038580</guid><description>&lt;p&gt;By: Steven Weil&lt;/p&gt;
&lt;h2&gt;Introduction&lt;/h2&gt;
&lt;p class="text"&gt;ITIL - the Information Technology Infrastructure Library - is a set of best practices and guidelines that define an integrated, process-based approach for managing information technology services. ITIL can be applied across almost every type of IT environment.&lt;/p&gt;
&lt;p class="text"&gt;Interest in and adoption of ITIL has been steadily increasing throughout the world; the numerous public and private organizations that have adopted it include Proctor &amp;amp; Gamble, Washington Mutual, Southwest Airlines, Hershey Foods, and the Internal Revenue Service. In addition to the often touted benefits of ITIL - aligning IT with the needs of the business, improving service quality, decreasing the costs of IT service delivery and support - the framework can aid the information security professional both directly (there is a specific Security Management process) and indirectly.&lt;/p&gt;
&lt;p class="text"&gt;This article will provide a general overview of ITIL and discuss how ITIL can improve how organizations implement and manage information security.&lt;/p&gt;
&lt;h2&gt;ITIL overview&lt;/h2&gt;
&lt;p class="text"&gt;ITIL began in the 1980s as an attempt by the British government to develop an approach for efficient and cost-effective use of its many IT resources. Using the experiences and expertise of successful IT professionals, a British government agency developed and released a series of best-practice books, each focusing on a different IT process. Since then, ITIL has become an entire industry of organizations, tools, consulting services, related frameworks, and publications. Currently in the public domain and still evolving, the 44-volume set of ITIL guidelines has been consolidated into 8 core books.&lt;/p&gt;
&lt;p class="text"&gt;When most people discuss ITIL, they refer to the ITIL Service Support and Service Delivery books. These contain a set of structured best practices and standard methodologies for core IT operational processes such as Change, Release, and Configuration Management, as well as Incident, Problem, Capacity, and Availability Management.&lt;/p&gt;
&lt;p class="text"&gt;ITIL stresses service quality and focuses on how IT services can be efficiently and cost-effectively provided and supported. In the ITIL framework, the business units within an organization who commission and pay for IT services (e.g. Human Resources, Accounting), are considered to be "customers" of IT services. The IT organization is considered to be a service provider for the customers.&lt;/p&gt;
&lt;p class="text"&gt;ITIL defines the objectives, activities, inputs, and outputs of many of the processes found in an IT organization. It primarily focuses on what processes are needed to ensure high quality IT services; however, ITIL &lt;strong&gt;&lt;em&gt;does not&lt;/em&gt;&lt;/strong&gt; provide specific, detailed descriptions about how the processes should be implemented, as they will be different in each organization. In other words, ITIL tells an organization what to do, not how to do it.&lt;/p&gt;
&lt;p class="text"&gt;The ITIL framework is typically implemented in stages, with additional processes added in a continuous service improvement program.&lt;/p&gt;
&lt;p class="text"&gt;Organizations can benefit in several important ways from ITIL:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;IT services become more customer-focused&lt;/li&gt;

  &lt;li&gt;The quality and cost of IT services are better managed&lt;/li&gt;

  &lt;li&gt;The IT organization develops a clearer structure and becomes more efficient&lt;/li&gt;

  &lt;li&gt;IT changes are easier to manage&lt;/li&gt;

  &lt;li&gt;There is a uniform frame of reference for internal communication about IT&lt;/li&gt;

  &lt;li&gt;IT procedures are standardized and integrated&lt;/li&gt;

  &lt;li&gt;Demonstrable and auditable performance measurements are defined&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;ITIL details&lt;/h2&gt;
&lt;p class="text"&gt;ITIL takes a process-based approach to managing and providing IT services; IT activities are divided into processes, each of which has three levels:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;em&gt;Strategic&lt;/em&gt;: An organization's objectives are determined, along with an outline of methods to achieve the objectives.&lt;/li&gt;

  &lt;li&gt;&lt;em&gt;Tactical&lt;/em&gt;: The strategy is translated into an appropriate organizational structure and specific plans that describe which processes have to be executed, what assets have to be deployed, and what the outcome(s) of the processes should be.&lt;/li&gt;

  &lt;li&gt;&lt;em&gt;Operational&lt;/em&gt;: The tactical plans are executed. Strategic objectives are achieved within a specified time.&lt;/li&gt;
&lt;/ul&gt;
&lt;p class="text"&gt;A description of each of the numerous IT processes covered by ITIL is beyond the scope of this article. What follows are brief, general descriptions of the ITIL processes that, along with the Security Management process, have a significant relationship with information security. Each of these areas is a set of best practices:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;em&gt;Configuration Management&lt;/em&gt;: Best practices for controlling production configurations (for example, standardization, status monitoring, asset identification). By identifying, controlling, maintaining and verifying the items that make up an organization's IT infrastructure, these practices ensure that there is a logical model of the infrastructure.&lt;/li&gt;

  &lt;li&gt;&lt;em&gt;Incident Management&lt;/em&gt;: Best practices for resolving incidents (any event that causes an interruption to, or a reduction in, the quality of an IT service) and quickly restoring IT services. These practices ensure that normal service is restored as quickly as possible after an incident occurs.&lt;/li&gt;

  &lt;li&gt;&lt;em&gt;Problem Management&lt;/em&gt;: Best practices for identifying the underlying cause(s) of IT incidents in order to prevent future recurrences. These practices seek to proactively prevent incidents and problems.&lt;/li&gt;

  &lt;li&gt;&lt;em&gt;Change Management&lt;/em&gt;: Best practices for standardizing and authorizing the controlled implementation of IT changes. These practices ensure that changes are implemented with minimum adverse impact on IT services, and that they are traceable.&lt;/li&gt;

  &lt;li&gt;&lt;em&gt;Release Management&lt;/em&gt;: Best practices for the release of hardware and software. These practices ensure that only tested and correct versions of authorized software and hardware are provided to IT customers.&lt;/li&gt;

  &lt;li&gt;&lt;em&gt;Availability Management&lt;/em&gt;: Best practices for maintaining the availability of IT services guaranteed to a customer (for example, optimizing maintenance and design measures to minimize the number of incidents). These practices ensure that an IT infrastructure is reliable, resilient, and recoverable.&lt;/li&gt;

  &lt;li&gt;&lt;em&gt;Financial Management&lt;/em&gt;: Best practices for understanding and managing the cost of providing IT services (for example, budgeting, IT accounting, charging). These practices ensure that IT services are provided efficiently, economically, and cost-effectively.&lt;/li&gt;

  &lt;li&gt;&lt;em&gt;Service Level Management&lt;/em&gt;: Best practices for ensuring that agreements between IT and IT customers are specified and fulfilled. These practices ensure that IT services are maintained and improved through a cycle of agreeing, monitoring, reporting, and reviewing IT services.&lt;/li&gt;
&lt;/ul&gt;
&lt;p class="text"&gt;There is also a Service Desk function that describes best practices for establishing and managing a central point of contact for users of IT services. Two of the Service Desk's most important responsibilities are monitoring incidents and communicating with users.&lt;/p&gt;
&lt;p class="text"&gt;Figure 1 depicts the above processes, showing how the Service Desk function serves as the single point of contact for the various service management processes.&lt;/p&gt;
&lt;p class="text"&gt;&lt;/p&gt;
&lt;div align="center"&gt;
  &lt;br /&gt;
  &lt;img src="http://farm3.static.flickr.com/2421/3569845519_a35c732459.jpg" width="400" alt="Figure 1" /&gt;
&lt;/div&gt;
&lt;div align="center"&gt;
  &lt;span style="font-size: 9px; font-weight: bold;"&gt;Figure 1. ITIL Service Management Processes&lt;/span&gt;&lt;br /&gt;
&lt;/div&gt;
&lt;p class="text"&gt;More detailed information about the above processes and Service Desk function can be found in the references listed at the end of this article.&lt;/p&gt;
&lt;h2&gt;ITIL and information security&lt;/h2&gt;
&lt;p class="text"&gt;ITIL seeks to ensure that effective information security measures are taken at strategic, tactical, and operational levels. Information security is considered an iterative process that must be controlled, planned, implemented, evaluated, and maintained.&lt;/p&gt;
&lt;p class="text"&gt;ITIL breaks information security down into:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Policies - overall objectives an organization is attempting to achieve&lt;/li&gt;

  &lt;li&gt;Processes - what has to happen to achieve the objectives&lt;/li&gt;

  &lt;li&gt;Procedures - who does what and when to achieve the objectives&lt;/li&gt;

  &lt;li&gt;Work instructions - instructions for taking specific actions&lt;/li&gt;
&lt;/ul&gt;
&lt;p class="text"&gt;It defines information security as a complete cyclical process with continuous review and improvement, as illustrated in Figure 2:&lt;/p&gt;
&lt;p class="text"&gt;&lt;/p&gt;
&lt;div align="center"&gt;
  &lt;br /&gt;
  &lt;img src="http://farm4.static.flickr.com/3395/3569865405_4f18ede607.jpg" width="400" alt="Figure 2" /&gt;
&lt;/div&gt;
&lt;div align="center"&gt;
  &lt;span style="font-size: 9px; font-weight: bold;"&gt;Figure 2. Information Security Process&lt;/span&gt;&lt;br /&gt;
&lt;/div&gt;
&lt;p class="text"&gt;As some organizations look at Implementation and Monitoring as a single step, ITIL's Information Security Process can be described as a seven step process:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;Using risk analysis, IT customers identify their security requirements.&lt;/li&gt;

  &lt;li&gt;The IT department determines the feasibility of the requirements and compares them to the organization's minimum information security baseline.&lt;/li&gt;

  &lt;li&gt;The customer and IT organization negotiate and define a service level agreement (SLA) that includes definition of the information security requirements in measurable terms and specifies how they will be verifiably achieved.&lt;/li&gt;

  &lt;li&gt;Operational level agreements (OLAs), which provide detailed descriptions of how information security services will be provided, are negotiated and defined within the IT organization.&lt;/li&gt;

  &lt;li&gt;The SLA and OLAs are implemented and monitored.&lt;/li&gt;

  &lt;li&gt;Customers receive regular reports about the effectiveness and status of provided information security services.&lt;/li&gt;

  &lt;li&gt;The SLA and OLAs are modified as necessary.&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;Service level agreements&lt;/h2&gt;
&lt;p class="text"&gt;The SLA is a key part of the ITIL information security process. It is a formal, written agreement that documents the levels of service, including information security, that IT is responsible for providing. The SLA should include key performance indicators and performance criteria. Typical SLA information security statements should include:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Permitted methods of access&lt;/li&gt;

  &lt;li&gt;Agreements about auditing and logging&lt;/li&gt;

  &lt;li&gt;Physical security measures&lt;/li&gt;

  &lt;li&gt;Information security training and awareness for users&lt;/li&gt;

  &lt;li&gt;Authorization procedure for user access rights&lt;/li&gt;

  &lt;li&gt;Agreements on reporting and investigating security incidents&lt;/li&gt;

  &lt;li&gt;Expected reports and audits&lt;/li&gt;
&lt;/ul&gt;
&lt;p class="text"&gt;In addition to SLAs and OLAs, ITIL defines three other types of information security documentation:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;em&gt;Information security policies&lt;/em&gt;: ITIL states that security policies should come from senior management and contain:
    &lt;ol&gt;
      &lt;li&gt;Objectives and scope of information security for an organization&lt;/li&gt;

      &lt;li&gt;Goals and management principles for how information security is to be managed&lt;/li&gt;

      &lt;li&gt;Definition of roles and responsibilities for information security&lt;/li&gt;
    &lt;/ol&gt;
  &lt;/li&gt;

  &lt;li&gt;&lt;em&gt;Information security plans&lt;/em&gt;: describes how a policy is implemented for a specific information system and/or business unit.&lt;/li&gt;

  &lt;li&gt;&lt;em&gt;Information security handbooks&lt;/em&gt;: operational documents for day-to-day usage; they provide specific, detailed working instructions.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Ten ways ITIL can improve information security&lt;/h2&gt;
&lt;p class="text"&gt;There are a number of important ways that ITIL can improve how organizations implement and manage information security.&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;ITIL keeps information security business and service focused. Too often, information security is perceived as a "cost center" or "hindrance" to business functions. With ITIL, business process owners and IT negotiate information security services; this ensures that the services are aligned with the business' needs.&lt;/li&gt;

  &lt;li&gt;ITIL can enable organizations to develop and implement information security in a structured, clear way based on best practices. Information security staff can move from "fire fighting" mode to a more structured and planned approach.&lt;/li&gt;

  &lt;li&gt;With its requirement for continuous review, ITIL can help ensure that information security measures maintain their effectiveness as requirements, environments, and threats change.&lt;/li&gt;

  &lt;li&gt;ITIL establishes documented processes and standards (such as SLAs and OLAs) that can be audited and monitored. This can help an organization understand the effectiveness of its information security program and comply with regulatory requirements (for example, HIPAA or Sarbanes-Oxley).&lt;/li&gt;

  &lt;li&gt;ITIL provides a foundation upon which information security can build. It requires a number of best practices - such as Change Management, Configuration Management, and Incident Management - that can significantly improve information security. For example, a considerable number of information security issues are caused by inadequate change management, such as misconfigured servers.&lt;/li&gt;

  &lt;li&gt;ITIL enables information security staff to discuss information security in terms other groups can understand and appreciate. Many managers can't "relate" to low-level details about encryption or firewall rules, but they are likely to understand and appreciate ITIL concepts such as incorporating information security into defined processes for handling problems, improving service, and maintaining SLAs. ITIL can help managers understand that information security is a key part of having a successful, well-run organization.&lt;/li&gt;

  &lt;li&gt;The organized ITIL framework prevents the rushed, disorganized implementation of information security measures. ITIL requires designing and building consistent, measurable information security measures into IT services rather than after-the-fact or after an incident. This ultimately saves time, money, and effort.&lt;/li&gt;

  &lt;li&gt;The reporting required by ITIL keeps an organization's management well informed about the effectiveness of their organization's information security measures. The reporting also allows management to make informed decisions about the risks their organization has.&lt;/li&gt;

  &lt;li&gt;ITIL defines roles and responsibilities for information security. During an incident, it's clear who will respond and how they will do so.&lt;/li&gt;

  &lt;li&gt;ITIL establishes a common language for discussing information security. This can allow information security staff to communicate more effectively with internal and external business partners, such as an organization's outsourced security services.&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;Implementing ITIL&lt;/h2&gt;
&lt;p class="text"&gt;ITIL does not typically start with IT - it is usually initiated by senior management such as the CEO or CIO. As an information security professional, however, you can add value by bringing ITIL to the attention of senior management. With the framework's rapidly increasing adoption, your organization might already be talking about ITIL; letting your management know specifically about ITIL's information security benefits can help spur its adoption.&lt;/p&gt;
&lt;p class="text"&gt;Implementing ITIL does take time and effort. Depending on the size and complexity of an organization, implementing it can take &lt;em&gt;significant&lt;/em&gt; up front time and effort. For many organizations, successful implementation of ITIL will require changes in their organizational culture and the involvement and commitment of employees throughout the organization.&lt;/p&gt;
&lt;p class="text"&gt;Critical factors for successful ITIL implementation include:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Full management commitment and involvement with the ITIL implementation&lt;/li&gt;

  &lt;li&gt;A phased approach&lt;/li&gt;

  &lt;li&gt;Consistent and thorough training of staff and management&lt;/li&gt;

  &lt;li&gt;Making ITIL improvements in service provision and cost reduction sufficiently visible&lt;/li&gt;

  &lt;li&gt;Sufficient investment in ITIL support tools&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p class="text"&gt;Information security measures are steadily increasing in scope, complexity, and importance. It is risky, expensive, and inefficient for organizations to have their information security depend on cobbled-together, homegrown processes. ITIL can enable these processes to be replaced with standardized, integrated processes based on best practices. Though some time and effort are required, ITIL can improve how organizations implement and manage information security.&lt;/p&gt;
&lt;p class="text"&gt;&lt;br /&gt;&lt;/p&gt;&lt;strong&gt;Author Resource:&lt;/strong&gt; Steven Weil, CISSP, CISA, CBCP is senior security consultant with Seitel Leeds &amp;amp; Associates, a full service consulting firm based in Seattle, WA. Mr. Weil specializes in the areas of security policy development, HIPAA compliance, disaster recovery planning, security assessments, and information security management. He can be reached at sweil@sla.com.&lt;br /&gt;
&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;&lt;strong&gt;Article From:&lt;/strong&gt; &lt;a href="http://www.securityfocus.com/infocus/1815" target="_blank"&gt;SecurityFocus&lt;/a&gt;&lt;br /&gt;

</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-05-27T08:59:07.431-07:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.zenone.org/2009/05/how-itil-can-improve-information.html</feedburner:origLink></item><item><title>Some of the Best Ways to Lose Your System Data</title><link>http://feedproxy.google.com/~r/morphic/~3/aofxJmI8_Wg/some-of-best-ways-to-lose-your-system.html</link><category>Proactive</category><category>SANS</category><category>Viruses</category><category>Attacks</category><category>Outsource</category><category>hacker</category><category>Hackers</category><category>Passwords</category><category>Policy</category><category>Encryption</category><category>Firewall</category><category>email attachments</category><category>Hardening</category><category>Backups</category><category>Business Continuity</category><category>Credit Card</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Mon, 18 May 2009 07:44:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-731532815012453140</guid><description>By: Nick Pegley&lt;br /&gt;
&lt;p&gt;Have you ever thought about the best ways to be negatively affected by a disaster, get hacked, or otherwise part with data stored on your computers? Here are some of the best ways to lose system security, in no particular order:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;&lt;img src="http://farm3.static.flickr.com/2105/3541037303_09dcda6f2d.jpg" width="200" height="281" alt="Security Guard" style="float:right; padding-top:1px; padding-right:1px; padding-bottom:1px; padding-left:1px;" /&gt;When an employee quits or is let go, leave his network logins and e-mail accounts enabled. You never know when he might want to check in on things.&lt;/li&gt;

  &lt;li&gt;Rely solely on technology. Firewalls, encryption and antivirus software are all you need to protect your information.&lt;/li&gt;

  &lt;li&gt;Completely outsource your information security initiatives. There's no need for anyone inside your organization to worry about such matters.&lt;/li&gt;

  &lt;li&gt;Leave your operating systems and software applications with the default settings. System hardening is for the birds.&lt;/li&gt;

  &lt;li&gt;Don't train your users on your security policies and what to look out for, such as unsolicited e-mail attachments and common hacker activities. Your users can't be burdened with more training.&lt;/li&gt;

  &lt;li&gt;If you do happen to have a security policy, never refer to it, enforce it, update it or do what it says.&lt;/li&gt;

  &lt;li&gt;By all means, don't take an inventory of your information systems or document your network.&lt;/li&gt;

  &lt;li&gt;Don't pay attention to or even bother to understand what you're trying to protect.&lt;/li&gt;

  &lt;li&gt;Don't patch your software or update your virus signatures, and never, ever, run vulnerability assessments to detect newly discovered software flaws and system misconfigurations. It's just too time consuming.&lt;/li&gt;

  &lt;li&gt;Respond to hacker attacks, viruses and other intrusions as they happen; don't be proactive in dealing with them.&lt;/li&gt;

  &lt;li&gt;Ignore all known best practices and international information security standards from the International Standards Organization, Internet Engineering Task Force, SANS Institute, and your local information security consultant, to name a few.&lt;/li&gt;

  &lt;li&gt;Leave your databases, especially those containing credit card or other confidential information, unencrypted. And be sure to store them on publicly accessible servers.&lt;/li&gt;

  &lt;li&gt;Run your business without disaster recovery and business continuity plans. After all, you can think clearly and make critical decisions under pressure, right?&lt;/li&gt;

  &lt;li&gt;Don't monitor your systems. They'll be fine running by themselves, and if anything major happens with the integrity or availability of your information, you'll be notified automatically, won't you?&lt;/li&gt;

  &lt;li&gt;Don't back up your data, but if you must, don't test your backups. Also, leave your backup media on site, preferably sitting on top of an uninterruptible power supply.&lt;/li&gt;

  &lt;li&gt;Don't create any security policies that document how you're safeguarding your information to protect your organization and clients from information disasters and legal liabilities.&lt;/li&gt;

  &lt;li&gt;Apply the principle of greatest privilege. Give all users the greatest amount of access to your information systems. Everyone should have access to everything ... it's only fair, right?&lt;/li&gt;

  &lt;li&gt;Don't subscribe to security bulletins and mailing lists, and don't ever read information security trade magazines.&lt;/li&gt;

  &lt;li&gt;Don't, under any circumstances, get upper management involved in information security initiatives. They're business focused and shouldn't be bothered or even care about technology or the liabilities associated with their information, right?&lt;/li&gt;

  &lt;li&gt;Use passwords that consist of your pet's name, your name, your mom's maiden name, or your birthday. That way, you won't forget them. Better yet, just use "&lt;em&gt;password&lt;/em&gt;" for your passwords. Also, don't forget to write them down and post them on your monitor or keyboard.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;And, last but not least:&lt;/p&gt;
&lt;ol start="21"&gt;
  &lt;li&gt;Leave your servers and network equipment in a room to which everyone, including outsiders off the street, has access.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;By following these practices you can be sure that your computers will be an easy target for viruses, disgruntled employees, hackers, and others. You can show up to work each day with the pride of knowing that there's an excellent chance that your business data will be missing when you arrive. It's just a matter of time, and it's all easily achieved.&lt;/p&gt;&lt;br /&gt;
&lt;b&gt;Author Resource:&lt;/b&gt; Nick Pegley is VP Marketing for All Covered: Technology Services Partner for Small Business, providing &lt;a href="http://www.allcovered.com/locations/denver/" target="_blank"&gt;http://www.allcovered.com/locations/denver/&lt;/a&gt; disaster recovery solutions and technology services in 20 major U.S. metro areas.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Article From&lt;/b&gt; &lt;a href="http://www.zingarticles.com/" target="_blank"&gt;Zing Articles - Best Free Articles on all topics&lt;/a&gt;&lt;br /&gt;

</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-05-18T07:44:00.099-07:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.zenone.org/2009/05/some-of-best-ways-to-lose-your-system.html</feedburner:origLink></item><item><title>Where The 'Bleep' Did My Identity Go?</title><link>http://feedproxy.google.com/~r/morphic/~3/XfRkjqLXvnw/where-did-my-identity-go.html</link><category>Security</category><category>SSN</category><category>Mac</category><category>PC</category><category>Privacy</category><category>Password</category><category>Confidential</category><category>Restricted Data</category><category>Identity Theft</category><category>Social Security Number</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Fri, 08 May 2009 17:15:32 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-4240140170118507437</guid><description>&lt;p&gt;By &lt;a href="http://www.articlesengine.com/Author/Judi-Lynn-Lake/4486/1"&gt;Judi Lynn Lake&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
I am a die-hard Mac user. Have been for over twenty years and it only gets better. The PC certainly has its place but for creative projects well... the Mac is superior and the good news is that Macs do not get viruses.&lt;br /&gt;
&lt;br /&gt;
My partner is a die-hard PC user. If you ever viewed the recent Mac commercials then you can imagine our relationship. I have recently added creative video production to my advertising agency's services and my partner began to feel a bit competitive. I have always thrived on competition and believe it to be good... even if it is with your partner.&lt;br /&gt;
&lt;br /&gt;
My first video was a Creative Director's dream -- my client gave me complete creative carte blanche. My partner, who is a copywriter, had recently bought PC video software and... well, he was just dying to use it and prove that it would triumph over the Mac.&lt;br /&gt;
&lt;br /&gt;
Once I completed all the storyboards, I sent a crew out to shoot on location. As I passed my partner's office, I peeked in and I could see sweat dripping from his forehead. He was struggling and I silently laughed, wishing we had made a bet. Two weeks later the video was completed; fully edited and designed on my Mac. The client approved the video and it was a 'go'. My partner, on the other hand, was still trying to learn the software and his final product was 'the homegrown version' clip. It is comical, but seriously, our differences actually are our strengths.&lt;br /&gt;
&lt;br /&gt;
An experienced Mac user tends to be 'cocky' at times because there really are no limits to what our little machines can do, and I am no exception -- I rarely see any limits. There was, however, a disadvantage I experienced recently that unfortunately does not discriminate between a Mac and a PC: Identity Theft. This week I became a victim of Identity Theft and therefore a statistic in the wonderland of technology.&lt;br /&gt;
&lt;br /&gt;
I no longer hold the 'it could never happen to me' mentality, because it did, and it happens to millions of people a day without some consumers ever realizing it. Technology is incredible and we can do things today that were never imagined twenty years ago. But as technology juices up the creative sector, it also feeds the larcenists and opens up a world of crime unheard of years ago.&lt;br /&gt;
&lt;br /&gt;
Once considered a protection, our social security number has actually transformed into the very bait that perpetrators look for to steal identities. Who is walking around with my name? Who is walking around with my numbers and personal information? Is it someone reading this article? Is it someone I do business with? Is it my neighbor? This is a form of terrorism, which stalks our daily lives in the twenty-first century and ruins lives.&lt;br /&gt;
&lt;br /&gt;
I have been 'Judi Lynn' all of my life and 'Lake' for the past eleven years and am very happy to be me. How dare a stranger invade my life and steal it from me. I have heard nightmare stories of people haunted for years through Identity Theft and to quote the 1970s movie Network, "I am mad as hell and I am not going to take it anymore!"&lt;br /&gt;
&lt;br /&gt;
Unfortunately, in this day and age, high security precautions must be taken both personally and professionally. The best defense against this heinous crime is education and guidance, but 'the damned if you do' fact is that skilled identity thieves will use a variety of methods to gain access to your data. There are many websites available on the Internet that educate people on steps to protect themselves before and after Identity Theft occurs. One such site I recommend is The Federal Trade Commission For The Consumer.&lt;br /&gt;
&lt;br /&gt;
Some Steps To Take Today Before You Fall Victim&lt;br /&gt;&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;Place passwords on all of your credit card, bank, and phone accounts. Avoid using easily available information like your mother's maiden name, your birth date, the last four digits of your SSN or your phone number, or a series of consecutive numbers. When opening new accounts, you may find that many businesses still have a line on their applications for your mother's maiden name. Ask if you can use a password instead.&lt;/li&gt;

  &lt;li&gt;Secure personal information in your home, especially if you have roommates, employ outside help, or are having work done in your home.&lt;/li&gt;

  &lt;li&gt;Ask about information security procedures in your workplace or at businesses, doctor's offices or other institutions that collect your personally identifying information. Find out who has access to your personal information and verify that it is handled securely. Ask about the disposal procedures for those records as well. Find out if your information will be shared with anyone else. If so, ask how your information can be kept confidential.&lt;/li&gt;
&lt;/ol&gt;Don't think that identity theft cannot happen to you; expect that it will so that it won't -- stay informed and stay educated so you do not become a statistic.&lt;br /&gt;
&lt;br /&gt;
Article Source: &lt;a href="http://www.articlesengine.com/Article/Where-The--Bleep--Did-My-Identity-Go-/54730/1"&gt;Articles Engine&lt;/a&gt;

</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-05-08T17:15:32.264-07:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.zenone.org/2009/05/where-did-my-identity-go.html</feedburner:origLink></item><item><title>PCI Compliance - Disable SSLv2 and Weak Ciphers</title><link>http://feedproxy.google.com/~r/morphic/~3/3CYgzMOP-vQ/pci-compliance-disable-sslv2-and-weak.html</link><category>Cryptography</category><category>Risk Management</category><category>Payment Card Industry</category><category>Crypto</category><category>PCI DSS</category><category>Windows</category><category>Risk</category><category>OpenSSL</category><category>Secure Sockets Layer</category><category>PCI</category><category>SSL</category><category>Security</category><category>Data Security Standard</category><category>IIS</category><category>AVS</category><category>SSLv2</category><category>Apache</category><category>Registry</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Thu, 19 Mar 2009 07:57:06 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-9136266752224235795</guid><description>&lt;p&gt;According to section &lt;a href="http://www.pci-portal.com/lang-en/pci-knowledge/pcidss-detail/requirement-4/41-use-strong-cryptography-and-security-protocols" target="_blank"&gt;4.1&lt;/a&gt; of the Payment Card Industry Data Security Standard (&lt;a href="https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml" target="_blank"&gt;PCI-DSS&lt;/a&gt;) v1.2, merchants handling credit card data are required to “use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.”&lt;br /&gt;&lt;/p&gt;
&lt;p&gt;What does this mean? In order to validate your PCI DSS compliance in this area you will need to ensure that your relevant server(s) within your PCI environment are configured to disallow Secure Sockets Layer (&lt;a href="http://en.wikipedia.org/wiki/Transport_Layer_Security" target="_blank"&gt;SSL&lt;/a&gt;) version 2 as well as "weak" cryptography. You are also required to have quarterly PCI security vulnerability scans conducted against your externally facing PCI systems. Without disabling SSLv2 and weak ciphers you are almost guaranteed to fail the scans. In turn this will lead to falling out of compliance along with the associated risks and consequences.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;The SSLv2 Conundrum&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Does your server support SSLv2?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;How to test:&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;You will need to have OpenSSL installed on the system that you will perform the tests from. Once installed, use the following command to test your web server, assuming port 443 is where you're providing http&lt;strong&gt;s&lt;/strong&gt; connections:&lt;/p&gt;
&lt;blockquote&gt;
  &lt;p&gt;# openssl s_client -ssl2 -connect SERVERNAME:443&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;If the server does not support SSLv2 you should receive an error similar to the following:&lt;/p&gt;
&lt;blockquote&gt;
  &lt;p&gt;# openssl s_client -ssl2 -connect SERVERNAME:443&lt;/p&gt;

  &lt;p&gt;CONNECTED(00000003)&lt;/p&gt;

  &lt;p&gt;458:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;strong&gt;How to configure Apache v2 to not accept SSLv2 connections:&lt;/strong&gt;&lt;br /&gt;&lt;/p&gt;
&lt;p&gt;You will need to modify the SSLProtocol directive in the httpd.conf or ssl.conf file.&lt;/p&gt;
&lt;p&gt;An example would be editing the following lines to look similar to:&lt;/p&gt;
&lt;blockquote&gt;
  &lt;p&gt;SSLProtocol -ALL +SSLv3 +TLSv1&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Restart the Apache process and ensure that the server is functional. Also retest using OpenSSL to confirm that SSLv2 is no longer accepted.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;How to configure Microsoft IIS to not accept SSLv2 connections:&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;You will need to modify the system’s registry.&lt;/p&gt;
&lt;p&gt;Merge the following keys to the Windows registry:&lt;/p&gt;
&lt;blockquote&gt;
  &lt;p&gt;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]&lt;/p&gt;

  &lt;p&gt;"Enabled"=dword:00000000&lt;/p&gt;

  &lt;p&gt;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]&lt;/p&gt;

  &lt;p&gt;"Enabled"=dword:00000000&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Restart the system and ensure that the server is functional. Also retest using OpenSSL to confirm that SSLv2 is no longer accepted.&lt;br /&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;Those Pesky Weak SSL Ciphers&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Does your server support weak SSL ciphers?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;How to test:&lt;/strong&gt;&lt;br /&gt;&lt;/p&gt;
&lt;p&gt;You will need to have OpenSSL installed on the system that you will perform the tests from. Once installed, use the following command to test your web server, assuming port 443 is where you're providing http&lt;strong&gt;s&lt;/strong&gt; connections:&lt;/p&gt;
&lt;blockquote&gt;
  &lt;p&gt;# openssl s_client -connect SERVERNAME:443 -cipher LOW:EXP&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;If the server does not support weak ciphers you should receive an error similar to the following:&lt;/p&gt;
&lt;blockquote&gt;
  &lt;p&gt;# openssl s_client -connect SERVERNAME:443 -cipher LOW:EXP&lt;/p&gt;

  &lt;p&gt;CONNECTED(00000003)&lt;/p&gt;

  &lt;p&gt;461:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;strong&gt;How to configure Apache v2 to not accept weak SSL ciphers:&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;You will need to modify the SSLCipherSuite directive in the httpd.conf or ssl.conf file.&lt;/p&gt;
&lt;p&gt;An example would be editing the following lines to look similar to:&lt;/p&gt;
&lt;blockquote&gt;
  &lt;p&gt;SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Restart the Apache process and ensure that the server is functional. Also retest using OpenSSL to confirm that weak SSL ciphers are no longer accepted.&lt;br /&gt;&lt;/p&gt;
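&lt;p&gt;A way to audit the two Apache directives above (the SSLProtocol change in the SSLv2 section and the SSLCipherSuite change here) before restarting, as an added example that is neither this post's nor Apache's own code: it applies mod_ssl's SSLProtocol token rules to see what stays enabled and checks that SSLCipherSuite carries the exclusions behind the ASV findings the post lists. The directive names are real; the sample config texts, the finding strings and the mapping of LOW/EXP, eNULL and aNULL to those findings are the example's own, and the cipher check is a string heuristic to be confirmed with the openssl s_client tests shown above.&lt;/p&gt;

```python
"""Audit Apache mod_ssl directives for the SSLv2 and weak-cipher exposure in this post.

Added example, not code from the post or from Apache: given httpd.conf/ssl.conf
text, compute which protocols SSLProtocol leaves enabled and check whether
SSLCipherSuite explicitly excludes the cipher classes behind the ASV findings
the post lists. The cipher check is a string-level heuristic; the openssl
s_client commands in the post remain the authoritative test.
"""
import re

# What "ALL" expanded to in the mod_ssl of the post's era (Apache 2.2 / OpenSSL 0.9.8).
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")
_CANON = {p.lower(): p for p in ALL_PROTOCOLS}

# Exclusions the post's hardened SSLCipherSuite relies on: (accepted aliases, exposure).
# The ASV labels are the example's own reading of the post's finding list.
REQUIRED_EXCLUSIONS = (
    (("LOW",), "LOW-grade ciphers allowed (ASV: weak encryption)"),
    (("EXP", "EXPORT"), "export-grade ciphers allowed (ASV: weak encryption)"),
    (("eNULL", "NULL"), "NULL ciphers allowed (ASV: cleartext encryption)"),
    (("aNULL", "ADH"), "anonymous key exchange allowed (ASV: anonymous authentication)"),
)

DIRECTIVE_RE = re.compile(r"^\s*(SSLProtocol|SSLCipherSuite)\s+(.+?)\s*$", re.IGNORECASE)


def enabled_protocols(tokens):
    """Apply mod_ssl's SSLProtocol token rules to a token list.

    A bare name replaces the whole set, '+name' adds, '-name' removes, and
    ALL (any case) expands to every protocol; so '-ALL +SSLv3 +TLSv1' and
    'all -SSLv2' both yield {SSLv3, TLSv1}.
    """
    enabled = set()
    for token in tokens:
        action, name = "=", token
        if token and token[0] in "+-":
            action, name = token[0], token[1:]
        if name.lower() == "all":
            protos = set(ALL_PROTOCOLS)
        else:
            protos = {_CANON.get(name.lower(), name)}
        if action == "=":
            enabled = protos
        elif action == "+":
            enabled |= protos
        else:
            enabled -= protos
    return enabled


def cipher_findings(cipher_string):
    """Return the exclusions missing from an OpenSSL cipher string (heuristic)."""
    negated = {t[1:] for t in cipher_string.split(":") if t.startswith("!")}
    return [why for aliases, why in REQUIRED_EXCLUSIONS
            if not any(alias in negated for alias in aliases)]


def audit_apache_ssl(config_text):
    """Return findings for the SSL directives in config_text.

    The last occurrence of each directive wins and VirtualHost scoping is not
    modelled, so feed it one vhost's configuration at a time.
    """
    directives = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        m = DIRECTIVE_RE.match(line)
        if m:
            directives[m.group(1).lower()] = m.group(2)
    findings = []
    # mod_ssl's default for SSLProtocol is "all".
    if "SSLv2" in enabled_protocols(directives.get("sslprotocol", "all").split()):
        findings.append("SSLv2 enabled by SSLProtocol")
    ciphers = directives.get("sslciphersuite")
    if ciphers is None:
        findings.append("SSLCipherSuite not set; compiled-in default applies")
    else:
        findings.extend(cipher_findings(ciphers))
    return findings


# Constructed sample configs, not real files: an unhardened vhost and the post's settings.
WEAK_CONF = """
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
"""

HARDENED_CONF = """
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_apache_ssl(conf) or ["no findings"])
```

&lt;p&gt;ALL_PROTOCOLS reflects the SSLv2, SSLv3 and TLSv1 that the 2009-era mod_ssl knew; on a current Apache and OpenSSL the same check should treat SSLv3 as a finding as well.&lt;/p&gt;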
&lt;p&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;How to configure Microsoft IIS to not accept weak SSL ciphers:&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;You will need to modify the system’s registry.&lt;/p&gt;
&lt;p&gt;Merge the following keys to the Windows registry:&lt;/p&gt;
&lt;blockquote&gt;
  &lt;p&gt;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]&lt;/p&gt;

  &lt;p&gt;"Enabled"=dword:00000000&lt;/p&gt;

  &lt;p&gt;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]&lt;/p&gt;

  &lt;p&gt;"Enabled"=dword:00000000&lt;/p&gt;

  &lt;p&gt;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]&lt;/p&gt;

  &lt;p&gt;"Enabled"=dword:00000000&lt;/p&gt;

  &lt;p&gt;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]&lt;/p&gt;

  &lt;p&gt;"Enabled"=dword:00000000&lt;/p&gt;

  &lt;p&gt;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]&lt;/p&gt;

  &lt;p&gt;"Enabled"=dword:00000000&lt;/p&gt;

  &lt;p&gt;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]&lt;/p&gt;

  &lt;p&gt;"Enabled"=dword:00000000&lt;/p&gt;

  &lt;p&gt;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]&lt;/p&gt;

  &lt;p&gt;"Enabled"=dword:0000000&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Restart the system and ensure that the server is functional. Also retest using OpenSSL to confirm that weak SSL ciphers are no longer accepted.&lt;/p&gt;
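&lt;p&gt;To vet the registry fragments above (the PCT 1.0 and SSL 2.0 protocol keys and the cipher keys) before merging them, an added example that is neither this post's nor Microsoft's code: it parses regedit-style text, rejects any dword that is not exactly eight hex digits, and confirms that each key the post disables carries Enabled=0. The key paths are the ones in the post; the sample .reg texts and the helper names are constructed for the example.&lt;/p&gt;

```python
"""Check a SCHANNEL .reg fragment before merging it into the registry.

Added example, not code from the post or from Microsoft: parse regedit-style
text, require every dword to be exactly eight hex digits, and confirm that
each protocol and cipher key the post disables carries Enabled=0. It catches
a hand-editing slip such as a seven-digit dword before the file reaches the
server. Key paths are the post's; samples and helper names are constructed.
"""
import re

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

# Every key the post sets Enabled=0 on (protocol and cipher sections combined).
EXPECTED_DISABLED = [
    SCHANNEL + "\\Protocols\\PCT 1.0\\Server",
    SCHANNEL + "\\Protocols\\SSL 2.0\\Server",
] + [SCHANNEL + "\\Ciphers\\" + c for c in (
    "DES 56/56", "NULL", "RC2 40/128", "RC2 56/128",
    "RC4 40/128", "RC4 56/128", "RC4 64/128")]

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]+)$')


def parse_reg(text):
    """Return {key path (lower-cased): {value name: (hex text, int or None)}}.

    Only dword values are parsed, since that is all these SCHANNEL keys use;
    a dword that is not exactly 8 hex digits is recorded with None. Registry
    paths are case-insensitive, so keys are normalised to lower case.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            name, hexval = m.groups()
            keys[current][name] = (hexval, int(hexval, 16) if len(hexval) == 8 else None)
    return keys


def audit_schannel(text):
    """List each expected key that is missing, malformed, or not set to 0."""
    keys = parse_reg(text)
    problems = []
    for path in EXPECTED_DISABLED:
        values = keys.get(path.lower(), {})
        if "Enabled" not in values:
            problems.append(f"{path}: no Enabled value, OS default still applies")
            continue
        hexval, num = values["Enabled"]
        if num is None:
            problems.append(f"{path}: malformed dword '{hexval}' (need 8 hex digits)")
        elif num != 0:
            problems.append(f"{path}: Enabled=0x{num:08x}, expected 0")
    return problems


def _reg(entries):
    """Build regedit-style text from (key, hex dword) pairs; a constructed-sample helper."""
    body = "".join(f'\n[{k}]\n"Enabled"=dword:{v}\n' for k, v in entries)
    return "Windows Registry Editor Version 5.00\n" + body


# Constructed samples: a complete, correct fragment and one with two slips
# (a seven-digit dword on RC4 64/128 and the NULL cipher key left out).
GOOD_REG = _reg([(k, "00000000") for k in EXPECTED_DISABLED])
BAD_REG = _reg([(k, "0000000" if k.endswith("RC4 64/128") else "00000000")
                for k in EXPECTED_DISABLED if not k.endswith("\\NULL")])

if __name__ == "__main__":
    print("good:", audit_schannel(GOOD_REG) or "no problems")
    print("bad:", audit_schannel(BAD_REG))
```

&lt;p&gt;A file exported by regedit is UTF-16 with a byte-order mark, so open it with encoding='utf-16' before passing its text to audit_schannel.&lt;/p&gt;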
&lt;p&gt;At this point have your Approved Scanning Vendor (ASV) scan your externally facing PCI environment to validate. Making the above changes should cause the ASV scans to &lt;em&gt;not&lt;/em&gt; tag and fail you on the following vulnerabilities:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;SSL Server Supports Weak Encryption&lt;/li&gt;

  &lt;li&gt;SSL Server Allows Cleartext Encryption&lt;/li&gt;

  &lt;li&gt;SSL Server May Be Forced to Use Weak Encryption&lt;/li&gt;

  &lt;li&gt;SSL Server Allows Anonymous Authentication&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Steve&lt;/p&gt;
&lt;p&gt;###&lt;/p&gt;

&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7267320703085764135-9136266752224235795?l=blog.zenone.org'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/morphic?a=3CYgzMOP-vQ:ks2vqEB3jrk:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=3CYgzMOP-vQ:ks2vqEB3jrk:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=3CYgzMOP-vQ:ks2vqEB3jrk:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?i=3CYgzMOP-vQ:ks2vqEB3jrk:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=3CYgzMOP-vQ:ks2vqEB3jrk:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=3CYgzMOP-vQ:ks2vqEB3jrk:I9og5sOYxJI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=I9og5sOYxJI" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/morphic/~4/3CYgzMOP-vQ" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-03-19T07:57:06.894-07:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">16</thr:total><feedburner:origLink>http://blog.zenone.org/2009/03/pci-compliance-disable-sslv2-and-weak.html</feedburner:origLink></item><item><title>Sync Oracle Calendar to Google Calendar + iCal + iPhone</title><link>http://feedproxy.google.com/~r/morphic/~3/GoG9OAAGGH8/sync-oracle-calendar-to-google-calendar.html</link><category>Mac</category><category>Calendar</category><category>Calaboration</category><category>day events</category><category>SyncML2iCal</category><category>Apple</category><category>WiFi</category><category>WPA</category><category>Oracle Calendar</category><category>Synthesis AG</category><category>Policy</category><category>iPhone Calendar</category><category>syncml</category><category>Sync</category><category>day notes</category><category>CalDAV</category><category>CorporateTime</category><category>WEP</category><category>HTTPS</category><category>Google Calendar</category><category>itunes</category><category>read-only</category><category>Blackberry</category><category>Get Things Done</category><category>iTouch</category><category>Phone</category><category>Oracle</category><category>Password</category><category>iphone</category><category>Productivity</category><category>Security</category><category>iCal</category><category>Todo+Cal+Sync</category><category>Google</category><category>Privacy</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Mon, 02 Mar 2009 19:21:21 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-8015609008297655100</guid><description>&lt;p style="font: 12.0px Helvetica"&gt;&lt;span style="font-family: 'Trebuchet MS'; font-size: 13px;"&gt;I've been searching for a reliable method to automate the 
synchronization of events from&lt;/span&gt; &lt;a href="http://www.oracle.com/technology/products/ocal/index.html" target="_blank"&gt;Oracle Calendar&lt;/a&gt; &lt;span style="font-family: 'Trebuchet MS'; font-size: 13px;"&gt;&lt;span style="line-height: 18px;"&gt;(formerly CorporateTime) &lt;span style="font-family: Helvetica; font-size: 12px; line-height: normal;"&gt;&lt;span style="font-family: 'Trebuchet MS'; font-size: 13px;"&gt;to my&lt;/span&gt; &lt;a href="http://www.google.com/calendar" target="_blank"&gt;Google Calendar&lt;/a&gt;&lt;span style="font-family: 'Trebuchet MS'; font-size: 13px;"&gt;,&lt;/span&gt; &lt;a href="http://www.apple.com/support/ical/" target="_blank"&gt;iCal&lt;/a&gt; &lt;span style="font-family: 'Trebuchet MS'; font-size: 13px;"&gt;on my Mac, and&lt;/span&gt; &lt;a href="http://www.apple.com/iphone/features/calendar.html" target="_blank"&gt;internal iPhone calendar&lt;/a&gt; &lt;span style="font-family: 'Trebuchet MS'; font-size: 13px;"&gt;on my iPhone.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;center&gt;
  &lt;img src="http://farm4.static.flickr.com/3393/3316279569_898b0c742c_o.png" width="400" alt="Slide1.png" style="border:1px #ffffff solid;" /&gt;
&lt;/center&gt;
&lt;p style="font: 12.0px Helvetica"&gt;&lt;span style="font-family: 'Trebuchet MS'; font-size: 13px;"&gt;Recently I learned of a promising iPhone app available at iTunes called&lt;/span&gt; &lt;a href="http://www.synthesis.ch/todosync.php" target="_blank" style="background-color: rgba(0, 0, 0, 0); color: #BB3300; line-height: 18px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-align: left; text-decoration: underline; text-indent: 0px; clip-rule: nonzero; flood-color: #000000; flood-opacity: 1; lighting-color: #FFFFFF; stop-color: #000000; stop-opacity: 1; pointer-events: visiblepainted; color-interpolation: srgb; color-interpolation-filters: linearrgb; color-rendering: auto; fill: #000000; fill-opacity: 1; fill-rule: nonzero; image-rendering: auto; shape-rendering: auto; stroke-linecap: butt; stroke-linejoin: miter; stroke-miterlimit: 4; stroke-opacity: 1; text-rendering: auto; alignment-baseline: auto; baseline-shift: baseline; dominant-baseline: auto; text-anchor: start; writing-mode: lr-tb; glyph-orientation-horizontal: 0deg; glyph-orientation-vertical: auto;"&gt;Todo+Cal+Sync&lt;/a&gt; &lt;span style="font-family: 'Trebuchet MS'; font-size: 13px;"&gt;that could do most of what I was looking for with synchronizing calendars. However, I didn't want to fork over $14.99 for an application that, instead of importing Oracle Calendar events into the native iPhone calendar, added an additional calendar application on my iPhone. Synthesis AG, the developer of the Todo+Cal+Sync application, is required to do this because of limitations imposed by&lt;/span&gt; &lt;span style="line-height: 18px;"&gt;&lt;span style="font-family: 'Trebuchet MS'; font-size: 13px;"&gt;Apple's iPhone software development kit (SDK). In other words, Apple does not allow 3rd part applications, such as Todo+Cal+Sync, to access the internal iPhone calendar, nor sync with iCal. 
This is a risk/benefit that Apple needs to manage; is the benefit of restricting access to the internal iPhone calendar worth the impact it has on the development of 3rd party applications and subsequent ripple effect? Until Apple's iPhone SDK allow such access,&lt;/span&gt; &lt;span style="line-height: normal;"&gt;&lt;span style="font-family: 'Trebuchet MS'; font-size: 13px;"&gt;I did not want two calendar applications and continued looking for &lt;em&gt;something&lt;/em&gt; that would better match my needs.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="font: 12.0px Helvetica"&gt;&lt;span style="font-family: 'Trebuchet MS'; font-size: 13px;"&gt;After digging around and tinkering with different solutions, I worked out a method that did exactly what I wanted. To make this solution even better, it cost $0 - in other words, FREE!&lt;/span&gt;&lt;/p&gt;
&lt;p style="font: 12.0px Helvetica; min-height: 14.0px"&gt;&lt;span style="font-family: 'Trebuchet MS'; font-size: 13px;"&gt;Below are the steps that I came up with to make the calendar sync work for me. Steps 1-3 are also useful for those who do not necessarily have an iPhone or iTouch but want to sync their Oracle Calendar with other devices and/or calendar apps that support Google Calendar's&lt;/span&gt; &lt;a href="http://en.wikipedia.org/wiki/Caldav" target="_blank"&gt;CalDAV&lt;/a&gt; &lt;span style="font-family: 'Trebuchet MS'; font-size: 13px;"&gt;sync.&lt;/span&gt;&lt;/p&gt;
&lt;p style="font: 12.0px Helvetica"&gt;&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;Begin by changing your password for your Oracle Calendar user account. Make it a unique password that you are &lt;span style="text-decoration: underline;"&gt;not&lt;/span&gt; using anywhere else. In other words, your new Oracle Calendar password should not be the same password that you use for other email accounts, online banking, eBay, PayPal, etc. This new password should also comply with any password policies that may exist for users of the Oracle Calendar system.&lt;/li&gt;

  &lt;li&gt;Create a "&lt;em&gt;magic&lt;/em&gt;" URL using &lt;a href="http://www.syncml2iphone.com/pmwiki.php?n=TryItNow.TryItNow" target="_blank"&gt;SyncML2iCal.com&lt;/a&gt;. This URL will be used in step #3. You will want your &lt;em&gt;&lt;span style="font-style: normal;"&gt;magic&lt;/span&gt;&lt;/em&gt; URL to look something like the following:&lt;/li&gt;
&lt;/ol&gt;
&lt;blockquote&gt;
  &lt;p&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="line-height: 18px;"&gt;&lt;span style="text-decoration: underline;"&gt;&lt;span style="color: black;"&gt;Example - Oracle Calendar supporting https on port 443&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;

  &lt;p&gt;&lt;span style="line-height: normal;"&gt;http://sync.syncml2ical.com/?serverurl=https://&lt;span style="color: #0000FF;"&gt;YOUR.ORACLE.CALENDAR.COM&lt;/span&gt;:443/ocas-bin/ocas.fcgi?sub=syncml&amp;amp;user=&lt;span style="color: #0000FF;"&gt;USERNAME&lt;/span&gt;&amp;amp;pass=&lt;span style="color: #0000FF;"&gt;PASSWORD&lt;/span&gt;&amp;amp;eventsdb=./Calendar/Events&lt;span style="font-family: Arial;"&gt;?/dr(-7,30)&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p style="font: 12.0px Helvetica"&gt;&lt;/p&gt;
&lt;blockquote&gt;
  &lt;p&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="color: #FF0000;"&gt;SECURITY WARNING&lt;/span&gt; &lt;span style="color: black;"&gt;- There is an increased security risk with this method. It's up to you to determine if this is a risk you are willing to accept and that it doesn't violate any policies or restrictions imposed by the organization running the Oracle Calendar service that you are using. The risks include:&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;

  &lt;ul&gt;
    &lt;li&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="color: black;"&gt;Unauthorized interception of your password from the URL as it's being transmitted to SyncML2iCal.com or from SyncML2iCal.com.&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;

    &lt;li&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="color: black;"&gt;SyncML2iCal.com itself becoming compromised and allowing an attacker to intercept your password.&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
  &lt;/ul&gt;

  &lt;p style="font: 12.0px Helvetica"&gt;&lt;/p&gt;

  &lt;p&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="color: black;"&gt;In my opinion, the likelihood of the above risks happening are medium to low. You can keep this risk on the lower end by never connecting to untrusted networks or using insecure wireless, which includes wireless networks that use WEP encryption.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;

  &lt;p&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="color: black;"&gt;Additionally, you will need to determine if the impact of an unauthorized user obtaining your Oracle Calendar password would have a significant impact or not. In most instances, I would imagine the impact would be low.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;

  &lt;p&gt;&lt;span style="line-height: normal;"&gt;&lt;em&gt;&lt;span style="color: black;"&gt;This is why doing step #1 above is critical in helping minimize the impact&lt;/span&gt;&lt;/em&gt; &lt;em&gt;&lt;span style="color: black;"&gt;if&lt;/span&gt;&lt;/em&gt; &lt;em&gt;&lt;span style="color: black;"&gt;your password was comprom&lt;/span&gt;&lt;/em&gt;&lt;span style="color: black;"&gt;ised.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;

  &lt;p&gt;&lt;span style="line-height: normal;"&gt;&lt;span style="color: black;"&gt;Anyone using an application that syncs using the SyncML functionality of Oracle Calendar should take the same precautions irregardless if he or she are using SyncML2iCal.com as a proxy to convert SynchML to iCal format.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;ol&gt;
  &lt;li value="3"&gt;Go to Google Calendar and add a new calendar by selecting &lt;em&gt;&lt;a href="https://www.google.com/support/calendar/bin/answer.py?hl=en&amp;amp;answer=37100" target="_blank"&gt;Add by URL&lt;/a&gt;&lt;/em&gt; . You will use the URL you created from step #2. You may also want to change the display &lt;a href="https://www.google.com/support/calendar/bin/answer.py?hl=en&amp;amp;answer=45702" target="_blank"&gt;name&lt;/a&gt; and &lt;a href="https://www.google.com/support/calendar/bin/answer.py?hl=en&amp;amp;answer=37227" target="_blank"&gt;color&lt;/a&gt; of this new calendar on Google Calendar.&lt;br /&gt;
    &lt;br /&gt;

    &lt;center&gt;
      &lt;img src="http://farm4.static.flickr.com/3427/3318169582_ea25eabe47_o.png" width="194" height="113" alt="AddCal.png" style="border:1px #000000 solid;" /&gt;
    &lt;/center&gt;Do note that &lt;a href="http://www.google.com/support/calendar/bin/static.py?page=troubleshooter.cs&amp;amp;problem=techissue&amp;amp;selected=techissue_update_feed&amp;amp;sl=imp03&amp;amp;ctx=techissue_techissue_update_feed_38847" target="_blank"&gt;Google has stated&lt;/a&gt; that external feeds added via the "Add by URL" method should be refreshed every 24 hours.&lt;br /&gt;
  &lt;/li&gt;
&lt;/ol&gt;
&lt;p style="font: 12.0px Helvetica"&gt;&lt;/p&gt;
&lt;ol&gt;
  &lt;li value="4"&gt;Download and run &lt;a href="http://code.google.com/p/calaboration/" target="_blank"&gt;Calaboration&lt;/a&gt; from Google Code. This will allow you to add your Oracle calendar to your Mac's iCal application. Before you can add the new calendar, click on &lt;em&gt;preferences&lt;/em&gt; within Calaboration and enable allowing read only calendars to be added. Make sure your new calendar is selected and let Calaboration do the setup work for you. Your Oracle calendar will then sync with iCal.&lt;/li&gt;
&lt;/ol&gt;
&lt;center&gt;
  &lt;img src="http://farm4.static.flickr.com/3566/3318164536_59550ff137_o.png" width="400" alt="Calaboration.png" name="3318164536_59550ff137_o.png" style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-color: rgb(255, 255, 255); border-right-color: rgb(255, 255, 255); border-bottom-color: rgb(255, 255, 255); border-left-color: rgb(255, 255, 255); border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid;" /&gt;
&lt;/center&gt;
&lt;p style="font: 12.0px Helvetica"&gt;&lt;/p&gt;
&lt;ol&gt;
  &lt;li value="5"&gt;&lt;span style="line-height: normal;"&gt;Use iTunes to sync Oracle calendar from iCal to your iPhone.&lt;/span&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;center&gt;
  &lt;img src="http://farm4.static.flickr.com/3539/3318054546_4ec5e2881d_o.png" width="277" height="141" alt="iTunes-Calendar.png" style="border:1px #000000 solid;" /&gt;
&lt;/center&gt;
&lt;p style="font: 12.0px Helvetica"&gt;&lt;span style="font-family: 'Trebuchet MS'; font-size: 13px;"&gt;One minor annoying issue I came across was with how &lt;em&gt;day events&lt;/em&gt; and &lt;em&gt;day notes&lt;/em&gt; from Oracle Calendar were handled by the time they showed up in iCal. Day events and notes from Oracle Calendar showed up in iCal as being a blocked all-day event from 0000-2359. As a quick temporary solution I simply denied day events and notes within Oracle Calendar and re-synced. This temporary approach was acceptable for me since I use Google Calendar to manage my daily notes and I can look at a user's Oracle calendar if I need to know if he or she is on vacation, on-call, etc.&lt;/span&gt;&lt;/p&gt;
&lt;p style="font: 12.0px Helvetica"&gt;&lt;span style="font-family: 'Trebuchet MS'; font-size: 13px;"&gt;As for effectively managing tasks using your iPhone, see my previous article titled, &lt;a href="http://blog.zenone.org/2009/01/tools-to-get-things-done.html"&gt;Tools To Get Things Done&lt;/a&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;p style="font: 12.0px Helvetica"&gt;&lt;span style="font-family: 'Trebuchet MS'; font-size: 13px;"&gt;Steve&lt;/span&gt;&lt;/p&gt;
&lt;p style="font: 12.0px Helvetica"&gt;&lt;span style="font-family: 'Trebuchet MS'; font-size: 13px;"&gt;###&lt;/span&gt;&lt;/p&gt;

&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7267320703085764135-8015609008297655100?l=blog.zenone.org'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/morphic?a=GoG9OAAGGH8:MWMlSFSDoXo:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=GoG9OAAGGH8:MWMlSFSDoXo:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=GoG9OAAGGH8:MWMlSFSDoXo:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?i=GoG9OAAGGH8:MWMlSFSDoXo:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=GoG9OAAGGH8:MWMlSFSDoXo:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=GoG9OAAGGH8:MWMlSFSDoXo:I9og5sOYxJI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=I9og5sOYxJI" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/morphic/~4/GoG9OAAGGH8" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-03-02T19:21:21.188-08:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">34</thr:total><feedburner:origLink>http://blog.zenone.org/2009/02/sync-oracle-calendar-to-google-calendar.html</feedburner:origLink></item><item><title>Thoughts on IT Security Organizational Structure</title><link>http://feedproxy.google.com/~r/morphic/~3/XhtctQKQ3OY/thoughts-on-it-security-organizational.html</link><category>Risk Management</category><category>Strategy</category><category>Organisational Structure</category><category>Leadership</category><category>InfoSec</category><category>IT</category><category>Information Security</category><category>Host Security</category><category>Organisation</category><category>Policy</category><category>Legal</category><category>Security</category><category>compliance</category><category>Business</category><category>Audit</category><category>Architecture</category><category>Incident Management</category><category>IT Security</category><category>Conflict of Interest</category><category>Network Security</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Mon, 04 May 2009 15:45:12 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-4013497941114349352</guid><description>&lt;p&gt;I've recently been asking myself how to most effectively structure Information Security (InfoSec) within an organization. Here are some thoughts I've had while trying to answer this.&lt;/p&gt;
&lt;p&gt;As with any "structure" there needs to be some form of integral support, whether it's a frame for a house or honeycomb for a beehive. This is also true with organizational structures - there needs to be &lt;em&gt;support&lt;/em&gt;. In order for InfoSec to be successful it &lt;em&gt;must&lt;/em&gt; have the full support of senior or executive management. This support would be actualized as a sincere commitment by senior management to achieve the following:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Develop high standards of corporate governance&lt;/li&gt;

  &lt;li&gt;Treat InfoSec as a critical function that enables an organization to &lt;em&gt;do&lt;/em&gt; business&lt;/li&gt;

  &lt;li&gt;Create an environment that understands the importance of, and embraces, InfoSec&lt;/li&gt;

  &lt;li&gt;Consistently show 3rd parties that InfoSec is vital and will always be handled in a professional manner&lt;/li&gt;

  &lt;li&gt;Ensure that controls being implemented by InfoSec are appropriate and proportionate to the risk being addressed&lt;/li&gt;

  &lt;li&gt;Stay informed and accept ultimate responsibility and accountability&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The first bulleted point in the above list, "&lt;em&gt;Develop high standards of corporate governance&lt;/em&gt;", is where the necessary framework is built from which InfoSec can flourish. At a minimum, an effective governance framework includes:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;An all-inclusive security strategy that links to clearly defined and documented business objectives&lt;/li&gt;

  &lt;li&gt;Security policies that address the multiple facets of security strategy, regulatory compliance and controls&lt;/li&gt;

  &lt;li&gt;Standards for each of the policies to make sure that procedures and guidelines comply with policy&lt;/li&gt;

  &lt;li&gt;An organizational structure &lt;em&gt;&lt;strong&gt;void of conflicts of interest&lt;/strong&gt;&lt;/em&gt; with sufficient resources and authority&lt;/li&gt;

  &lt;li&gt;Metrics and monitoring processes to ensure compliance and provide feedback&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="background-color: rgba(0, 0, 0, 0); color: #000000; font-family: 'Trebuchet MS'; font-size: 13px; line-height: 18px; margin-bottom: 12px; margin-left: 0px; margin-right: 0px; margin-top: 12px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-indent: 0px; clip-rule: nonzero; flood-color: #000000; flood-opacity: 1; lighting-color: #FFFFFF; stop-color: #000000; stop-opacity: 1; pointer-events: visiblepainted; color-interpolation: srgb; color-interpolation-filters: linearrgb; color-rendering: auto; fill: #000000; fill-opacity: 1; fill-rule: nonzero; image-rendering: auto; shape-rendering: auto; stroke-linecap: butt; stroke-linejoin: miter; stroke-miterlimit: 4; stroke-opacity: 1; text-rendering: auto; alignment-baseline: auto; baseline-shift: baseline; dominant-baseline: auto; text-anchor: start; writing-mode: lr-tb; glyph-orientation-horizontal: 0deg; glyph-orientation-vertical: auto; text-align: left;"&gt;Again, I want to emphasize that It is imperative that an organization's top management sees InfoSec as a critical business function and is fully committed to stand behind InfoSec. Without the complete assurance from top management we will continue to see security functions getting moved around the organization while adequate resources are never obtained and conflicts of interest are progressively created.&lt;br /&gt;&lt;/p&gt;
&lt;p style="background-color: rgba(0, 0, 0, 0); color: #000000; font-family: 'Trebuchet MS'; font-size: 13px; line-height: 18px; margin-bottom: 12px; margin-left: 0px; margin-right: 0px; margin-top: 12px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-indent: 0px; clip-rule: nonzero; flood-color: #000000; flood-opacity: 1; lighting-color: #FFFFFF; stop-color: #000000; stop-opacity: 1; pointer-events: visiblepainted; color-interpolation: srgb; color-interpolation-filters: linearrgb; color-rendering: auto; fill: #000000; fill-opacity: 1; fill-rule: nonzero; image-rendering: auto; shape-rendering: auto; stroke-linecap: butt; stroke-linejoin: miter; stroke-miterlimit: 4; stroke-opacity: 1; text-rendering: auto; alignment-baseline: auto; baseline-shift: baseline; dominant-baseline: auto; text-anchor: start; writing-mode: lr-tb; glyph-orientation-horizontal: 0deg; glyph-orientation-vertical: auto; text-align: left;"&gt;To limit conflicts of interest and actualize the benefits from investing within InfoSec, the Chief Information Security Officer (CISO/ISO) or Information Security Manager (ISM) must report directly to the top of the organizational structure, or an independent branch such as Audit. The trend in the past was to embed central InfoSec within Information Technology (IT), that is, until organizations began realizing that this structure kept InfoSec's hands tied behind their back, significantly reducing InfoSec's overall effectiveness. In other words, organizations were self-limiting their return on investment (ROI) from InfoSec. To resolve this issue and improve the ROI from InfoSec, CISO's/ISO's/ISM's began reporting to the CEO's, CFO's, CTO's and CIO's.&lt;/p&gt;
&lt;p style="background-color: rgba(0, 0, 0, 0); color: #000000; font-family: 'Trebuchet MS'; font-size: 13px; line-height: 18px; margin-bottom: 12px; margin-left: 0px; margin-right: 0px; margin-top: 12px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-indent: 0px; clip-rule: nonzero; flood-color: #000000; flood-opacity: 1; lighting-color: #FFFFFF; stop-color: #000000; stop-opacity: 1; pointer-events: visiblepainted; color-interpolation: srgb; color-interpolation-filters: linearrgb; color-rendering: auto; fill: #000000; fill-opacity: 1; fill-rule: nonzero; image-rendering: auto; shape-rendering: auto; stroke-linecap: butt; stroke-linejoin: miter; stroke-miterlimit: 4; stroke-opacity: 1; text-rendering: auto; alignment-baseline: auto; baseline-shift: baseline; dominant-baseline: auto; text-anchor: start; writing-mode: lr-tb; glyph-orientation-horizontal: 0deg; glyph-orientation-vertical: auto; text-align: justify;"&gt;&lt;/p&gt;
&lt;center&gt;
  &lt;a href="http://farm4.static.flickr.com/3362/3259881198_fd01a06ed7.jpg"&gt;&lt;img src="http://farm4.static.flickr.com/3362/3259881198_fd01a06ed7.jpg" width="400" alt="Slide11.png" name="3259881198_fd01a06ed7.jpg" style="border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-color: rgb(0, 0, 0); border-right-color: rgb(0, 0, 0); border-bottom-color: rgb(0, 0, 0); border-left-color: rgb(0, 0, 0); border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid;" height="356" /&gt;&lt;/a&gt;
&lt;/center&gt;
&lt;p style="background-color: rgba(0, 0, 0, 0); color: #000000; font-family: 'Trebuchet MS'; font-size: 13px; line-height: 18px; margin-bottom: 12px; margin-left: 0px; margin-right: 0px; margin-top: 12px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-indent: 0px; clip-rule: nonzero; flood-color: #000000; flood-opacity: 1; lighting-color: #FFFFFF; stop-color: #000000; stop-opacity: 1; pointer-events: visiblepainted; color-interpolation: srgb; color-interpolation-filters: linearrgb; color-rendering: auto; fill: #000000; fill-opacity: 1; fill-rule: nonzero; image-rendering: auto; shape-rendering: auto; stroke-linecap: butt; stroke-linejoin: miter; stroke-miterlimit: 4; stroke-opacity: 1; text-rendering: auto; alignment-baseline: auto; baseline-shift: baseline; dominant-baseline: auto; text-anchor: start; writing-mode: lr-tb; glyph-orientation-horizontal: 0deg; glyph-orientation-vertical: auto; text-align: left;"&gt;Ok, great, so the ISO should report to the CFO ... then what?&lt;/p&gt;
&lt;p style="background-color: rgba(0, 0, 0, 0); color: #000000; font-family: 'Trebuchet MS'; font-size: 13px; line-height: 18px; margin-bottom: 12px; margin-left: 0px; margin-right: 0px; margin-top: 12px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-indent: 0px; clip-rule: nonzero; flood-color: #000000; flood-opacity: 1; lighting-color: #FFFFFF; stop-color: #000000; stop-opacity: 1; pointer-events: visiblepainted; color-interpolation: srgb; color-interpolation-filters: linearrgb; color-rendering: auto; fill: #000000; fill-opacity: 1; fill-rule: nonzero; image-rendering: auto; shape-rendering: auto; stroke-linecap: butt; stroke-linejoin: miter; stroke-miterlimit: 4; stroke-opacity: 1; text-rendering: auto; alignment-baseline: auto; baseline-shift: baseline; dominant-baseline: auto; text-anchor: start; writing-mode: lr-tb; glyph-orientation-horizontal: 0deg; glyph-orientation-vertical: auto; text-align: left;"&gt;What we want to avoid is a structure with the fragmentation that is commonly seen today. Rather, create a tighter integration of the duties and activities performed by IT Security, Operations, Policy &amp;amp; Compliance, Risk Management and Audit. To anticipate the trends of the future, it’s very likely that individuals and departments taking on central InfoSec duties will also have various risk management responsibilities that extend beyond IT. This can include anything from physical security, business continuity and disaster recovery.&lt;/p&gt;&lt;img src="http://farm4.static.flickr.com/3350/3259943929_544c1ceedc.jpg" border="0" width="169" height="480" alt="Slide1.png" style="padding-left: 5px; float: right;" name="3259943929_544c1ceedc.jpg" /&gt;
&lt;p style="background-color: rgba(0, 0, 0, 0); color: #000000; font-family: 'Trebuchet MS'; font-size: 13px; line-height: 18px; margin-bottom: 12px; margin-left: 0px; margin-right: 0px; margin-top: 12px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-indent: 0px; clip-rule: nonzero; flood-color: #000000; flood-opacity: 1; lighting-color: #FFFFFF; stop-color: #000000; stop-opacity: 1; pointer-events: visiblepainted; color-interpolation: srgb; color-interpolation-filters: linearrgb; color-rendering: auto; fill: #000000; fill-opacity: 1; fill-rule: nonzero; image-rendering: auto; shape-rendering: auto; stroke-linecap: butt; stroke-linejoin: miter; stroke-miterlimit: 4; stroke-opacity: 1; text-rendering: auto; alignment-baseline: auto; baseline-shift: baseline; dominant-baseline: auto; text-anchor: start; writing-mode: lr-tb; glyph-orientation-horizontal: 0deg; glyph-orientation-vertical: auto; text-align: left;"&gt;Fact is, too often in industry the security discipline is (mis)directed by technology instead of using a risk analysis and proactive ‘intelligence’ approach. To add to the vicious cycle, when majority of the investment is being put into technology then most of the return comes from there too. This reinforcement perpetuates the destructive spiral.&lt;/p&gt;
&lt;p style="background-color: rgba(0, 0, 0, 0); color: #000000; font-family: 'Trebuchet MS'; font-size: 13px; line-height: 18px; margin-bottom: 12px; margin-left: 0px; margin-right: 0px; margin-top: 12px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-indent: 0px; clip-rule: nonzero; flood-color: #000000; flood-opacity: 1; lighting-color: #FFFFFF; stop-color: #000000; stop-opacity: 1; pointer-events: visiblepainted; color-interpolation: srgb; color-interpolation-filters: linearrgb; color-rendering: auto; fill: #000000; fill-opacity: 1; fill-rule: nonzero; image-rendering: auto; shape-rendering: auto; stroke-linecap: butt; stroke-linejoin: miter; stroke-miterlimit: 4; stroke-opacity: 1; text-rendering: auto; alignment-baseline: auto; baseline-shift: baseline; dominant-baseline: auto; text-anchor: start; writing-mode: lr-tb; glyph-orientation-horizontal: 0deg; glyph-orientation-vertical: auto; text-align: left;"&gt;So, how does a business avoid this technodazed shortsightedness? It comes down to strategy, making the conscious shift to &lt;em&gt;be more strategic&lt;/em&gt;. This means moving away from the predictable technology-centric and tactical security operation seen in the industry since the golden days of the dot-gone era. At a high level, for InfoSec to more closely align with and help business achieve its objectives, InfoSec will need to become more focussed on '&lt;strong&gt;intelligence&lt;/strong&gt;'; gathering information, ability to comprehend, ability to develop policy and plans at a &lt;em&gt;high&lt;/em&gt; level, using a methodology of risk analysis and risk mitigation, having the knowledge about an organization's business environment that has implications for its long-term viability and success, thinking long-term, and being both pragmatic and visionary.&lt;br /&gt;&lt;/p&gt;
&lt;p style="background-color: rgba(0, 0, 0, 0); color: #000000; font-family: 'Trebuchet MS'; font-size: 13px; line-height: 18px; margin-bottom: 12px; margin-left: 0px; margin-right: 0px; margin-top: 12px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-indent: 0px; clip-rule: nonzero; flood-color: #000000; flood-opacity: 1; lighting-color: #FFFFFF; stop-color: #000000; stop-opacity: 1; pointer-events: visiblepainted; color-interpolation: srgb; color-interpolation-filters: linearrgb; color-rendering: auto; fill: #000000; fill-opacity: 1; fill-rule: nonzero; image-rendering: auto; shape-rendering: auto; stroke-linecap: butt; stroke-linejoin: miter; stroke-miterlimit: 4; stroke-opacity: 1; text-rendering: auto; alignment-baseline: auto; baseline-shift: baseline; dominant-baseline: auto; text-anchor: start; writing-mode: lr-tb; glyph-orientation-horizontal: 0deg; glyph-orientation-vertical: auto; text-align: left;"&gt;Thinking strategically while taking into account anticipation of future trends and using proactive 'intelligence', I believe the wise CISO, or equivalent, who's in a healthy organizational environment needs to start planning for incorporating some of the non-IT specific risk management responsibilities before it's thrust upon them within the next three to five years. There &lt;em&gt;will&lt;/em&gt; need to be coordination between IT Security, Operations, Policy &amp;amp; Compliance, Risk Management, Audit and Physical Security.&lt;/p&gt;
&lt;p style="background-color: rgba(0, 0, 0, 0); color: #000000; font-family: 'Trebuchet MS'; font-size: 13px; line-height: 18px; margin-bottom: 12px; margin-left: 0px; margin-right: 0px; margin-top: 12px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-indent: 0px; clip-rule: nonzero; flood-color: #000000; flood-opacity: 1; lighting-color: #FFFFFF; stop-color: #000000; stop-opacity: 1; pointer-events: visiblepainted; color-interpolation: srgb; color-interpolation-filters: linearrgb; color-rendering: auto; fill: #000000; fill-opacity: 1; fill-rule: nonzero; image-rendering: auto; shape-rendering: auto; stroke-linecap: butt; stroke-linejoin: miter; stroke-miterlimit: 4; stroke-opacity: 1; text-rendering: auto; alignment-baseline: auto; baseline-shift: baseline; dominant-baseline: auto; text-anchor: start; writing-mode: lr-tb; glyph-orientation-horizontal: 0deg; glyph-orientation-vertical: auto; text-align: left;"&gt;What this boils down to is that a very effective way to structure InfoSec within an organization involves having the CISO, or equivalent, reporting directly to the senior/executive level of the organization while having their full support, commitment and involvement. This top level commitment includes the development of high standards of corporate governance and actively limiting conflicts of interest so that InfoSec will be effective and provide a high ROI by enabling the organization to do business.&lt;br /&gt;&lt;/p&gt;
&lt;center&gt;
  &lt;a href="http://farm4.static.flickr.com/3365/3259877105_9a12b8f85b.jpg"&gt;&lt;img src="http://farm4.static.flickr.com/3365/3259877105_9a12b8f85b.jpg" width="400" alt="Slide2.png" border="0" /&gt;&lt;/a&gt;
&lt;/center&gt;
&lt;center style="text-align: left;"&gt;
  Steve
&lt;/center&gt;
&lt;center style="text-align: left;"&gt;
  ###
&lt;/center&gt;

&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7267320703085764135-4013497941114349352?l=blog.zenone.org'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/morphic?a=XhtctQKQ3OY:GIcYP7Oif9E:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=XhtctQKQ3OY:GIcYP7Oif9E:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=XhtctQKQ3OY:GIcYP7Oif9E:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?i=XhtctQKQ3OY:GIcYP7Oif9E:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=XhtctQKQ3OY:GIcYP7Oif9E:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=XhtctQKQ3OY:GIcYP7Oif9E:I9og5sOYxJI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=I9og5sOYxJI" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/morphic/~4/XhtctQKQ3OY" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-05-04T15:45:12.550-07:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://blog.zenone.org/2009/02/thoughts-on-it-security-organizational.html</feedburner:origLink></item><item><title>Forensics: Blackberry Curve 8310 and Incorrect EXIF Time Stamp</title><link>http://feedproxy.google.com/~r/morphic/~3/nwr-2QnQugQ/forensics-blackberry-curve-8310-and.html</link><category>Preview</category><category>Blackberry</category><category>RIM</category><category>Forensics</category><category>8310</category><category>Mac</category><category>Photo</category><category>Windows</category><category>EXIF</category><category>Investigation</category><category>Untitled</category><category>Security</category><category>EXIF Viewer</category><category>Privacy</category><category>InfranView</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Fri, 23 Jan 2009 11:43:18 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-6317295845855370027</guid><description>&lt;p&gt;While working on a forensic investigation that involved a Blackberry 8310 I ran into an issue that just didn't settle right with me. I wanted to ensure that, beyond a reasonable doubt, the EXIF time stamp embedded within a photo taken by the Blackberry device was written accurately by the device. Before signing off on the validity of the EXIF time stamp, something just didn't seem right. After digging around and doing countless tests, I was surprised that I was able to consistently recreate a failure whereby the incorrect time stamp was written to the original date/time EXIF field. Here are additional details:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;DEVICE&lt;/strong&gt;: Blackberry Curve 8310 smartphone (EDGE)&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;VERSIONS&lt;/strong&gt;: v4.5.0.55 (Platform 2.7.0.68) &amp;amp; v4.5.0.110 (Platform 2.7.0.90)&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;PROVIDER&lt;/strong&gt;: AT&amp;amp;T&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;DATE/TIME SOURCES&lt;/strong&gt;: Blackberry &amp;amp; Network&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;ADDITIONAL ENABLED SETTINGS WORTH NOTING&lt;/strong&gt;:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;PASSWORD (&lt;em&gt;options | security options | general settings | password&lt;/em&gt;)&lt;/li&gt;

  &lt;li&gt;BACKLIGHT TIMEOUT value of 30 seconds (&lt;em&gt;options | screen/keyboard | backlight timeout&lt;/em&gt;)&lt;/li&gt;

  &lt;li&gt;SECURITY TIMEOUT value of 1 minute (&lt;em&gt;options | security options | general settings | security timeout&lt;/em&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;OBSERVED BEHAVIOR&lt;/span&gt;&lt;/strong&gt;:&lt;/p&gt;
&lt;p&gt;The EXIF original date/time embedded within a photo taken by the Blackberry 8310 had the incorrect time stamp. Consistently and repeatedly I was able to have the Blackberry device write the incorrect time stamp to the EXIF field. The EXIF original date/time was inconsistent both with the actual date/time the photo was taken and with the “Last Modified” time displayed by the Blackberry device.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;SCENARIO REPRODUCING THE PROBLEM&lt;/span&gt;&lt;/strong&gt;:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;I take a photo with the Blackberry at 0600 on 1/22/2009. The image name is IMG00001. Using the Blackberry and looking at the properties of photo IMG00001 I see the correct “Last Modified” date and time of “Jan 22, 2009 6:00AM”. Emailing the photo to my email address I then view the EXIF data of the photo on a separate forensics system and see the correct original date/time of “2009:01:22 06:00:00”.&lt;/li&gt;

  &lt;li&gt;An hour passes. I delete IMG00001 from the Blackberry and then take a photo at 0700 on 1/22/2009. The image name is IMG00002. Using the Blackberry and looking at the properties of photo IMG00002 I see the correct “Last Modified” date and time of “Jan 22, 2009 7:00AM”. Again, I email myself the photo and view the EXIF data of the photo on a separate forensics system. However, this time I see the incorrect original date/time. The EXIF field shows “2009:01:22 07:02:00”.&lt;/li&gt;

  &lt;li&gt;[update: 1/23/2009] - I can also reproduce this EXIF incorrect time stamp issue &lt;em&gt;without&lt;/em&gt; deleting photos. This issue presents itself &lt;em&gt;only&lt;/em&gt; with the first photo taken after the phone has automatically locked, requiring a password to unlock before the said photo with the incorrect EXIF time stamp can be taken by the device. Subsequent photos taken before the security timeout locks the device have the correct EXIF time stamps.&lt;/li&gt;
&lt;/ol&gt;
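&lt;p&gt;As an added worked example (not code from the original post, and not anything from RIM), the following pure-Python script performs the cross-check described in the scenario above programmatically: it walks the JPEG segment chain, locates the APP1/Exif segment, parses the TIFF structure down to the Exif sub-IFD, reads &lt;em&gt;DateTimeOriginal&lt;/em&gt; (tag 0x9003), and compares it against an independently recorded time such as the device's “Last Modified” value. The tag numbers and TIFF layout come from the EXIF specification; the sample JPEG the script builds is constructed purely for the demonstration and is not a real device image, and the function names and the zero-second default tolerance are the example's own choices.&lt;/p&gt;

```python
import struct
from datetime import datetime
from typing import Optional, Tuple

EXIF_IFD_POINTER = 0x8769    # IFD0 tag: offset of the Exif sub-IFD
DATETIME_ORIGINAL = 0x9003   # Exif sub-IFD tag: ASCII "YYYY:MM:DD HH:MM:SS"
EXIF_TIME_FORMAT = "%Y:%m:%d %H:%M:%S"


def _parse_ifd(tiff: bytes, offset: int, endian: str) -> dict:
    """Return {tag: (type, count, raw 4-byte value/offset field)} for one IFD."""
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    entries, pos = {}, offset + 2
    for _ in range(count):
        tag, typ, n, field = struct.unpack_from(endian + "HHI4s", tiff, pos)
        entries[tag] = (typ, n, field)
        pos += 12
    return entries


def _datetime_original_from_tiff(tiff: bytes) -> Optional[datetime]:
    """Follow TIFF header -> IFD0 -> Exif IFD -> DateTimeOriginal."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF byte-order mark in Exif segment")
    magic, ifd0_offset = struct.unpack_from(endian + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic in Exif segment")
    ifd0 = _parse_ifd(tiff, ifd0_offset, endian)
    if EXIF_IFD_POINTER not in ifd0:
        return None
    (exif_offset,) = struct.unpack(endian + "I", ifd0[EXIF_IFD_POINTER][2])
    exif_ifd = _parse_ifd(tiff, exif_offset, endian)
    if DATETIME_ORIGINAL not in exif_ifd:
        return None
    typ, n, field = exif_ifd[DATETIME_ORIGINAL]
    if typ != 2:                                   # 2 = ASCII per the EXIF spec
        raise ValueError("DateTimeOriginal has unexpected type %d" % typ)
    if n <= 4:                                     # values of <= 4 bytes sit inline
        raw = field[:n]
    else:
        (value_offset,) = struct.unpack(endian + "I", field)
        raw = tiff[value_offset:value_offset + n]
    return datetime.strptime(raw.rstrip(b"\x00").decode("ascii"), EXIF_TIME_FORMAT)


def read_datetime_original(jpeg: bytes) -> Optional[datetime]:
    """Walk the JPEG segment chain up to SOS and read DateTimeOriginal from APP1/Exif."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                 # EOI or SOS: metadata is over
            return None
        (seglen,) = struct.unpack_from(">H", jpeg, pos + 2)
        segment = jpeg[pos + 4:pos + 2 + seglen]   # the length field counts itself
        if marker == 0xE1 and segment.startswith(b"Exif\x00\x00"):
            return _datetime_original_from_tiff(segment[6:])
        pos += 2 + seglen
    return None


def check_timestamp(jpeg: bytes, reference: str,
                    tolerance_seconds: int = 0) -> Tuple[str, Optional[float]]:
    """Compare DateTimeOriginal with a reference time in EXIF format (e.g. the
    device's "Last Modified" value or the examiner's log). Returns (verdict, drift)
    with drift = EXIF time minus reference, in seconds."""
    dto = read_datetime_original(jpeg)
    if dto is None:
        return "missing", None
    drift = (dto - datetime.strptime(reference, EXIF_TIME_FORMAT)).total_seconds()
    return ("ok" if abs(drift) <= tolerance_seconds else "mismatch"), drift


def build_sample_jpeg(datetime_original: str) -> bytes:
    """Constructed sample input (not a real device image): a minimal JPEG whose
    only segment is APP1/Exif with a one-entry IFD0 and a one-entry Exif IFD."""
    ifd0_offset = 8                                # directly after the TIFF header
    exif_ifd_offset = ifd0_offset + 2 + 12 + 4     # count + 1 entry + next-IFD link
    value_offset = exif_ifd_offset + 2 + 12 + 4
    value = datetime_original.encode("ascii") + b"\x00"   # 20 bytes incl. NUL
    tiff = b"II" + struct.pack("<HI", 42, ifd0_offset)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", EXIF_IFD_POINTER, 4, 1, exif_ifd_offset) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", DATETIME_ORIGINAL, 2, len(value), value_offset) + struct.pack("<I", 0)
    tiff += value
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


if __name__ == "__main__":
    # Step 2 of the scenario: the device shows "Last Modified" 07:00, EXIF says 07:02.
    photo = build_sample_jpeg("2009:01:22 07:02:00")
    print(check_timestamp(photo, "2009:01:22 07:00:00"))   # ('mismatch', 120.0)
```

&lt;p&gt;On a real image, pass the file bytes to &lt;code&gt;check_timestamp&lt;/code&gt; with the time the device displayed as the reference; the two-minute skew from step 2 of the scenario comes back as ('mismatch', 120.0). Reading &lt;em&gt;DateTime&lt;/em&gt; (0x0132) and &lt;em&gt;DateTimeDigitized&lt;/em&gt; (0x9004) the same way and checking whether all three tags drift from the reference by the same amount helps separate a device clock problem from a write-path fault that affects only one field.&lt;/p&gt;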
&lt;p&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;IMPLICATIONS&lt;/span&gt;&lt;/strong&gt;:&lt;/p&gt;
&lt;p&gt;An assumption is made that the Blackberry device writes the correct date/time into the EXIF data when a photo is taken. EXIF data within photos could potentially be used as evidence to support an individual’s recorded statement (e.g., whereabouts at a given time). From my tests there’s reasonable doubt whether the EXIF time stamp of a photo taken by a Blackberry 8310 device (and perhaps others) is correct. Therefore, EXIF time stamps from photos used as evidence become highly questionable and could ultimately, and likely, be rendered irrelevant.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;ADDITIONAL NOTES &amp;amp; QUESTIONS&lt;/span&gt;&lt;/strong&gt;:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Blackberry and RIM have been contacted to investigate and confirm the issue.&lt;/li&gt;

  &lt;li&gt;I was able to reproduce this issue on a single Blackberry Curve 8310 which was initially running v4.5.0.55 (Platform 2.7.0.68). I was also able to reproduce the failure after upgrading the same Blackberry Curve 8310 to v4.5.0.110 (Platform 2.7.0.90).&lt;/li&gt;

  &lt;li&gt;I viewed the EXIF data on a Mac using both “EXIF Viewer” and “Preview”. I viewed the EXIF data on a Windows XP system using “IrfanView” with the EXIF plugin installed.&lt;/li&gt;

  &lt;li&gt;Can others reproduce the same issue on 8310’s running similar and/or different firmwares?&lt;/li&gt;

  &lt;li&gt;Can others reproduce the same issue on non-8310 Blackberry devices?&lt;/li&gt;

  &lt;li&gt;[update: 1/23/2009] - Could this be a residual artifact of the security lockout feature? (will need to test after disabling the security timeout)&lt;/li&gt;
&lt;/ul&gt;
&lt;div style="text-align: justify;"&gt;
  &lt;center&gt;
    &lt;img src="http://farm4.static.flickr.com/3411/3218066475_bc2f4f8277_o.jpg" width="300" height="343" alt="Blackberry8310_300x343.shkl.jpg" /&gt;
  &lt;/center&gt;
&lt;/div&gt;
&lt;p&gt;Steve&lt;/p&gt;
&lt;p&gt;###&lt;/p&gt;

&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7267320703085764135-6317295845855370027?l=blog.zenone.org'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/morphic?a=nwr-2QnQugQ:Bo4k68UEQik:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=nwr-2QnQugQ:Bo4k68UEQik:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=nwr-2QnQugQ:Bo4k68UEQik:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?i=nwr-2QnQugQ:Bo4k68UEQik:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=nwr-2QnQugQ:Bo4k68UEQik:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=nwr-2QnQugQ:Bo4k68UEQik:I9og5sOYxJI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=I9og5sOYxJI" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/morphic/~4/nwr-2QnQugQ" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-01-23T11:43:18.737-08:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://blog.zenone.org/2009/01/forensics-blackberry-curve-8310-and.html</feedburner:origLink></item><item><title>Tools To Get Things Done</title><link>http://feedproxy.google.com/~r/morphic/~3/jgd1o-Dx7NE/tools-to-get-things-done.html</link><category>Productivity</category><category>Get Things Done</category><category>Jott</category><category>Remember The Milk</category><category>Journler</category><category>GTD</category><category>ReQall</category><category>RTM</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Sun, 11 Jan 2009 00:08:15 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-7481940655366561401</guid><description>&lt;blockquote&gt;
  &lt;p style="text-align: left;"&gt;&lt;em&gt;“Give us the tools and we will finish the job.”&lt;/em&gt; &lt;em&gt;~&amp;nbsp;&amp;nbsp;Winston Churchill&lt;/em&gt;&lt;br /&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Managing tasks and keeping notes readily accessible and easily searchable has been an ongoing challenge for me. In 1997 I took a Franklin Time Management class and clearly understood the necessity of effectively managing my tasks and time. However, carrying an awkward organizer with me wherever I went wasn't convenient; I often found it annoying to pull my organizer out when I needed to review my schedule, and often difficult to quickly locate notes I had taken previously.&lt;/p&gt;
&lt;p&gt;Fortunately, through need, advances in technology and the synergy of creative minds, many electronic productivity tools have surfaced over the years to help with staying organized and getting things done.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;Task Management&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Over the past several years I've used tools such as &lt;a href="http://jott.com/" target="_blank"&gt;Jott&lt;/a&gt; and Remember The Milk (&lt;a href="http://www.rememberthemilk.com/" target="_blank"&gt;RTM&lt;/a&gt;) to help me manage my tasks. Over time I found myself growing more and more frustrated with the two. Jott started charging money for a service that did a mediocre job of converting speech to text, and I had tethered RTM to Jott to add tasks by voice; in other words, I was using two productivity tools to do what one should have been able to do on its own.&lt;/p&gt;
&lt;p&gt;I can't expect to meet the challenges of today with yesterday's tools and expect to be in business tomorrow. Fortunately, I found a very powerful yet easy to use productivity tool that has been working extremely well for me. Several months ago I started using &lt;a href="http://www.reqall.com/" target="_blank"&gt;ReQall&lt;/a&gt; as a replacement for both Jott and RTM. What exactly is ReQall? According to the marketing blurb on the ReQall website:&lt;/p&gt;
&lt;blockquote&gt;
  &lt;p&gt;"ReQall is the best memory tool you may ever have, connecting all the ways you communicate in one easy-to-use reminder system. Use it on the web (no software to install!) or download it into your iPhone or BlackBerry smartphone. ... By integrating voice input, speech-to-text transcription, automatic organization and multi-platform reminders, ReQall goes beyond typical to-do and reminder applications."&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;I've been using ReQall to manage my tasks and shopping lists. From my experience ReQall does a much better job with speech-to-text conversion than Jott did, and ReQall's web interface for managing tasks is simpler to use. I'm able to add tasks via the following: web (text), iPhone app (text and voice), Firefox plugin (text), phone (voice), and &lt;a href="http://blog.zenone.org/2008/07/security-instant-messaging-and-enabling.html" target="_blank"&gt;instant messaging&lt;/a&gt; (text). Plus, I appreciate now having a single solution (ReQall) to do what I had been doing with two (Jott and RTM).&lt;/p&gt;
&lt;p&gt;ReQall also allows me to add meetings and schedule tasks for specific dates and times. For example, on my iPhone I can launch the ReQall app and say the following note:&lt;/p&gt;
&lt;p&gt;&lt;em&gt;"Meet with Mike on Friday at 3pm"&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;The above voice note gets converted to text by ReQall. After adding my ReQall meeting feed to my Google Calendar, I see a meeting on Friday at 3pm with Mike! I also sync iCal with Google Calendar so that my schedule stays current and easily accessible no matter where I'm accessing it from.&lt;/p&gt;
&lt;p&gt;If I want to add an item to my shopping list, all I have to do is say "&lt;em&gt;buy&lt;/em&gt;" followed by whatever it is I need to pick up at the market. Voilà, the item gets converted to text and shows up in my shopping list. The shopping list can be accessed, and individual items checked off, from my iPhone while at the store.&lt;/p&gt;
&lt;p&gt;Though ReQall is already a very useful productivity tool, there's room for improvement that would increase its value. Features I would like to see include:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;A ReQall desktop widget for Mac (RTM already has a &lt;a href="http://spedr.com/4yd1u" target="_blank"&gt;desktop widget&lt;/a&gt; for Mac OS X)&lt;/li&gt;

  &lt;li&gt;Ability to view all To-Do's and shopping list items via the Firefox extension&lt;/li&gt;

  &lt;li&gt;Ability to check items off as completed via Firefox extension&lt;/li&gt;

  &lt;li&gt;Ability to check items off as completed via the IM interface&lt;br /&gt;&lt;/li&gt;

  &lt;li&gt;iPhone app: Have shared shopping list entries show up in my shopping list AS WELL as my recipient's shopping list&lt;/li&gt;

  &lt;li&gt;iPhone app: Auto refresh when starting app, making changes to items, and at specified time intervals (e.g., every 15 mins)&lt;/li&gt;

  &lt;li&gt;iPhone app: Ability to change user/pass from the ReQall app instead of having to go through the standard iPhone settings app&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;I look forward to seeing what ReQall will roll out throughout 2009!&lt;/p&gt;
&lt;blockquote&gt;
  &lt;p&gt;&lt;em&gt;“Computers are magnificent tools for the realization of our dreams, but no machine can replace the human spark of spirit, compassion, love, and understanding.” ~ Louis Gerstner&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;Note Taking, Journaling and Retrieval&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p style="text-align: left;"&gt;Over the past six months I've been using &lt;a href="http://journler.com/" target="_blank" style="background-color: rgba(0, 0, 0, 0); color: #BB3300; font-family: 'Trebuchet MS'; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-align: left; text-decoration: underline; text-indent: 0px; clip-rule: nonzero; flood-color: #000000; flood-opacity: 1; lighting-color: #FFFFFF; stop-color: #000000; stop-opacity: 1; pointer-events: visiblepainted; color-interpolation: srgb; color-interpolation-filters: linearrgb; color-rendering: auto; fill: #000000; fill-opacity: 1; fill-rule: nonzero; image-rendering: auto; shape-rendering: auto; stroke-linecap: butt; stroke-linejoin: miter; stroke-miterlimit: 4; stroke-opacity: 1; text-rendering: auto; alignment-baseline: auto; baseline-shift: baseline; dominant-baseline: auto; text-anchor: start; writing-mode: lr-tb; glyph-orientation-horizontal: 0deg; glyph-orientation-vertical: auto;"&gt;Journler&lt;/a&gt; to record and search through my notes. Journler was great so long as I had my laptop next to me when I needed to retrieve notes. Ultimately, what I needed was a solution that would allow me to securely access my notes from my iPhone as well as from the web. I also wanted a productivity tool that would let me take photos with my iPhone, or other camera, of whiteboards at the conclusion of a work meeting and would place the photo into my notes and preferably convert the words on the whiteboard from the photo into searchable text (&lt;a href="http://en.wikipedia.org/wiki/Optical_character_recognition" target="_blank"&gt;OCR&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;Last month a co-worker of mine asked about &lt;a href="http://evernote.com/" target="_blank"&gt;Evernote&lt;/a&gt;. Simply put, Evernote is incredibly useful! According to the Evernote website:&lt;/p&gt;
&lt;blockquote&gt;
  &lt;p&gt;"Evernote allows you to easily capture information in any environment using whatever device or platform you find most convenient, and makes this information accessible and searchable at any time, from anywhere."&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;I've now migrated all of my Journler entries into Evernote. It goes without saying that I don't store anything sensitive in Evernote unless it's PGP-encrypted. I can access my notes from the web browser on my laptop, the Evernote application, and my iPhone. Imagine I was in a meeting this morning and took a picture of the whiteboard where the word "Monkey" was written. Evernote will convert the writing into text and make it searchable, so I can search my Evernote notes for the word "Monkey" and the picture of the whiteboard will be a returned result. That's awesome!&lt;/p&gt;
&lt;p style="text-align: center;"&gt;&lt;img src="http://farm4.static.flickr.com/3398/3181368980_e73f216459_o.png" width="200" height="300" alt="IMG_0001_200x300.shkl.PNG" style="padding-top: 2px; padding-bottom: 2px; padding-right: 2px; padding-left: 2px;" name="3181368980_e73f216459_o.png" /&gt;&lt;br /&gt;
&lt;em&gt;Screenshot: Evernote iPhone App&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Additional features I would like to see in Evernote include:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Strong crypto that can be applied to specific notes, requiring a separate password to encrypt/decrypt, for enhanced security and privacy (see the next bullet regarding two-factor authentication)&lt;/li&gt;

  &lt;li&gt;Two-factor authentication with support for one-time-passwords (see &lt;a href="http://spedr.com/4r4w6" target="_blank"&gt;PayPal Security Key&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Overall, I see productivity tools finally getting to the point where using them gives a noticeable boost to my productivity. ReQall and Evernote are two such tools.&lt;/p&gt;
&lt;blockquote&gt;
  &lt;p&gt;&lt;em&gt;“When you write down your ideas you automatically focus your full attention on them. Few if any of us can write one thought and think another at the same time. Thus a pencil and paper make excellent concentration tools.”&lt;/em&gt; ~ Michael Leboeuf&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Steve&lt;/p&gt;
&lt;p&gt;###&lt;/p&gt;

&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7267320703085764135-7481940655366561401?l=blog.zenone.org'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/morphic?a=jgd1o-Dx7NE:bx__Mm3663o:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=jgd1o-Dx7NE:bx__Mm3663o:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=jgd1o-Dx7NE:bx__Mm3663o:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?i=jgd1o-Dx7NE:bx__Mm3663o:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=jgd1o-Dx7NE:bx__Mm3663o:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=jgd1o-Dx7NE:bx__Mm3663o:I9og5sOYxJI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=I9og5sOYxJI" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/morphic/~4/jgd1o-Dx7NE" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-01-11T00:08:15.070-08:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.zenone.org/2009/01/tools-to-get-things-done.html</feedburner:origLink></item><item><title>Microsoft out-of-band security bulletin for October 2008</title><link>http://feedproxy.google.com/~r/morphic/~3/2MAgeUWt_c4/microsoft-out-of-band-security-bulletin.html</link><category>Security</category><category>attack</category><category>Windows</category><category>Vulnerability</category><category>hacker</category><category>Exploit</category><category>Microsoft</category><category>Windows XP</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Thu, 23 Oct 2008 14:25:45 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-2670643939890547752</guid><description>&lt;p&gt;Microsoft recently issued an out-of-band security advisory for a vulnerability in the server service that could allow remote code execution (MS08-067). Due to the criticality of the vulnerability, Microsoft has released a fix out-of-band (i.e., not on the regular Patch Tuesday).&lt;/p&gt;
&lt;p&gt;It is strongly recommended that the patch be tested and applied to all vulnerable systems you administer as soon as possible. According to one source, targeted attacks using this vulnerability to compromise otherwise fully patched Windows XP and Windows Server 2003 systems have been seen.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Advisories&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx" title="MS08-067" target="_blank"&gt;MS08-67&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.securityfocus.com/bid/31874" title="Security Focus" target="_blank"&gt;SecurityFocus&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Additional Information&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx" title="Technet Blog" target="_blank"&gt;Technet Blog&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Steve&lt;br /&gt;
###&lt;/p&gt;

&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7267320703085764135-2670643939890547752?l=blog.zenone.org'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/morphic?a=2MAgeUWt_c4:61A9u22-6XI:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=2MAgeUWt_c4:61A9u22-6XI:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=2MAgeUWt_c4:61A9u22-6XI:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?i=2MAgeUWt_c4:61A9u22-6XI:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=2MAgeUWt_c4:61A9u22-6XI:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=2MAgeUWt_c4:61A9u22-6XI:I9og5sOYxJI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=I9og5sOYxJI" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/morphic/~4/2MAgeUWt_c4" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2008-10-23T14:25:45.950-07:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.zenone.org/2008/10/microsoft-out-of-band-security-bulletin.html</feedburner:origLink></item><item><title>Made the Switch to Mac</title><link>http://feedproxy.google.com/~r/morphic/~3/aJC9X7VfY-I/made-switch-to-mac.html</link><category>Productivity</category><category>OS X</category><category>Desktop</category><category>Mac</category><category>Operating System</category><category>Windows</category><category>Unix</category><category>RedHat</category><category>ecto</category><category>Ubuntu</category><category>Leopard</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Fri, 12 Sep 2008 14:17:23 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-6847799506577181270</guid><description>&lt;p&gt;Years back I made the switch from Windows to RedHat as my desktop OS of choice. I wasn't too impressed with it as a Desktop OS and eventually migrated over to Ubuntu, which I immediately fell in love with. Last week I finally made the move to using a Mac as my preferred "desktop" operating system. After traveling from Singapore, to Alaska, and then to St. Louis, I finally have my PowerBook Pro. I didn't do the traveling - rather, my Mac was shipped from Singapore and made the journey halfway around the world.&lt;/p&gt;
&lt;p&gt;Every time I'm on my MacBook I find myself very impressed with how smooth and fully integrated the system is. Simply put, the system is awesome! I've also installed VMware Fusion so that I can run Windows as a virtual machine from my Boot Camp partition, allowing me to still run the Windows-dependent programs I need to get my work done as efficiently as possible.&lt;/p&gt;
&lt;p&gt;This morning I installed a blogging client called "ecto", which I'm trying out for the first time with this posting.&lt;/p&gt;
&lt;p&gt;Steve&lt;/p&gt;
&lt;p&gt;###&lt;/p&gt;

&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7267320703085764135-6847799506577181270?l=blog.zenone.org'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/morphic?a=aJC9X7VfY-I:P6N8u8a_OdE:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=aJC9X7VfY-I:P6N8u8a_OdE:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=aJC9X7VfY-I:P6N8u8a_OdE:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?i=aJC9X7VfY-I:P6N8u8a_OdE:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=aJC9X7VfY-I:P6N8u8a_OdE:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=aJC9X7VfY-I:P6N8u8a_OdE:I9og5sOYxJI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=I9og5sOYxJI" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/morphic/~4/aJC9X7VfY-I" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2008-09-12T14:17:23.096-07:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://blog.zenone.org/2008/09/made-switch-to-mac.html</feedburner:origLink></item><item><title>Blackhat Briefings: The Talks I Plan on Attending</title><link>http://feedproxy.google.com/~r/morphic/~3/vuWEWZKDZSY/blackhat-briefings-talks-i-plan-on.html</link><category>BlackHat</category><category>Security</category><category>Fyodor</category><category>Las Vegas</category><category>Hacking</category><category>Kaminsky</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Fri, 12 Sep 2008 13:47:25 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-6753123708235146647</guid><description>&lt;p&gt;&lt;a style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_f5zPJR8dXDg/SJkCKDb2wLI/AAAAAAAADBo/PM5hNkb1JEo/s1600-h/blackhat.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer;" src="http://2.bp.blogspot.com/_f5zPJR8dXDg/SJkCKDb2wLI/AAAAAAAADBo/PM5hNkb1JEo/s200/blackhat.jpg" alt="" border="0" name="BLOGGER_PHOTO_ID_5231214813911630002" /&gt;&lt;/a&gt;The &lt;em&gt;Blackhat Trainings&lt;/em&gt; just wrapped up and now everybody here is getting ready for the &lt;em&gt;Blackhat Briefings&lt;/em&gt;.&lt;br /&gt;
&lt;br /&gt;
After today's training I picked up my &lt;em&gt;official annual Blackhat swag bag&lt;/em&gt;. While picking up my bag there were slews of people wandering around the Caesar's Palace Convention Center for the briefings. The number of people seems to have doubled since the trainings, which is typical.&lt;br /&gt;
&lt;br /&gt;
Last week I had looked online at the list of presentations and had written down what I wanted to attend. This afternoon I reviewed my list against what was shown within the printed brochure. Assuming there's room, my plan is to attend the following presentations at the &lt;em&gt;Blackhat Briefings&lt;/em&gt; for the next two days:&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Day 1 - August 6&lt;/strong&gt;&lt;br /&gt;&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;0900-0950 - &lt;em&gt;Keynote: Complexity in Computer Security&lt;/em&gt; - Ian Angell&lt;br /&gt;&lt;/li&gt;

  &lt;li&gt;1000-1100 - &lt;em&gt;Nmap: Scanning the Internet&lt;/em&gt; - Fyodor Vaskovich&lt;/li&gt;

  &lt;li&gt;1115-1230 - &lt;em&gt;DNS Goodness&lt;/em&gt; - Dan Kaminsky&lt;/li&gt;

  &lt;li&gt;1345-1500 - &lt;em&gt;Client-Side Security&lt;/em&gt; - Petko D. Petkov&lt;/li&gt;

  &lt;li&gt;1515-1630 - &lt;em&gt;Xploiting Google Gadgets: Gmalware and Beyond&lt;/em&gt; - Tom Stracener&lt;/li&gt;

  &lt;li&gt;1645-1800 - &lt;em&gt;MetaPost Exploitation&lt;/em&gt; - Val Smith&lt;/li&gt;
&lt;/ul&gt;&lt;strong&gt;Day 2 - August 7&lt;/strong&gt;&lt;br /&gt;
&lt;ul&gt;
  &lt;li&gt;0900-0950 - &lt;em&gt;Keynote: Natural Security&lt;/em&gt; - Rod Beckstrom&lt;br /&gt;&lt;/li&gt;

  &lt;li&gt;1000-1100 - &lt;em&gt;Satan is on My Friends List&lt;/em&gt; - Shawn Moyer &amp;amp; Nathan Hamiel&lt;br /&gt;&lt;/li&gt;

  &lt;li&gt;1115-1230 - &lt;em&gt;Visual Forensic Analysis and Reverse Engineering&lt;/em&gt; - Greg Conti &amp;amp; Erik Dean&lt;/li&gt;

  &lt;li&gt;1345-1500 - &lt;em&gt;Hacking and Injecting Federal Trojans&lt;/em&gt; - Lukas Grunwald&lt;/li&gt;

  &lt;li&gt;1515-1630 - &lt;em&gt;The Internet is Broken&lt;/em&gt; - Nathan McFeters, Rob Carter &amp;amp; John Heasman&lt;/li&gt;

  &lt;li&gt;1645-1800 - &lt;em&gt;Pushing the Camel Through the Eye of a Needle&lt;/em&gt; - Haroon Meer &amp;amp; Marco Slaviero&lt;/li&gt;
&lt;/ul&gt;For those of you in Twitterland - tweet me if you're going to any of the same presentations and want to say &lt;em&gt;"hi"&lt;/em&gt; [&lt;a href="http://twitter.com/morphic" target="_blank"&gt;twitter&lt;/a&gt;]&lt;br /&gt;
&lt;br /&gt;
Steve Zenone&lt;br /&gt;
###

&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7267320703085764135-6753123708235146647?l=blog.zenone.org'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/morphic?a=vuWEWZKDZSY:iJ4tX3-b9Xc:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=vuWEWZKDZSY:iJ4tX3-b9Xc:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=vuWEWZKDZSY:iJ4tX3-b9Xc:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?i=vuWEWZKDZSY:iJ4tX3-b9Xc:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=vuWEWZKDZSY:iJ4tX3-b9Xc:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=vuWEWZKDZSY:iJ4tX3-b9Xc:I9og5sOYxJI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=I9og5sOYxJI" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/morphic/~4/vuWEWZKDZSY" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2008-09-12T13:47:25.924-07:00</app:edited><media:thumbnail url="http://2.bp.blogspot.com/_f5zPJR8dXDg/SJkCKDb2wLI/AAAAAAAADBo/PM5hNkb1JEo/s72-c/blackhat.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://blog.zenone.org/2008/08/blackhat-briefings-talks-i-plan-on.html</feedburner:origLink></item><item><title>Productivity: Useful Meetings</title><link>http://feedproxy.google.com/~r/morphic/~3/n1qdYWUyVzM/productivity-useful-meetings.html</link><category>Meetings</category><category>Productivity</category><category>Dilbert</category><category>Agenda</category><category>Dumb Little Man</category><category>Objectives</category><category>Personal Development</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Fri, 12 Sep 2008 13:47:57 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-8655580058917019893</guid><description>&lt;p&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_f5zPJR8dXDg/SHUJ_381DJI/AAAAAAAAC88/bpgch8fmOwE/s1600-h/conferenceroom.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer;" src="http://4.bp.blogspot.com/_f5zPJR8dXDg/SHUJ_381DJI/AAAAAAAAC88/bpgch8fmOwE/s200/conferenceroom.jpg" alt="" border="0" name="BLOGGER_PHOTO_ID_5221090335961451666" /&gt;&lt;/a&gt;Aaron, of the &lt;a href="http://www.dumblittleman.com/2008/07/8-ways-to-avoid-unproductive-meetings.html" target="_blank"&gt;Dumb Little Man blog&lt;/a&gt;, just posted a helpful reminder that includes eight tips we all [should] intuitively know in order to keep meetings focussed and useful. 
I think we've all experienced "those" types of work meetings, where hours pass and very little progress, if any, is made. The result is wasted time, wasted money, and often frustration and confusion.&lt;br /&gt;
&lt;br /&gt;
Aaron writes:&lt;br /&gt;&lt;/p&gt;
&lt;blockquote&gt;
  The phenomenon of chronic, pointless meetings is also known as the Dilbert Meeting in some circles. Dilbert Meetings happen every day, wasting people's time and patience.&lt;br /&gt;
  &lt;br /&gt;
  Meetings can be quite productive, but most organizers simply don’t take the steps to guarantee that a meeting will be useful.
&lt;/blockquote&gt;Aaron then lists and expands upon the following eight points:&lt;br /&gt;
&lt;ul&gt;
  &lt;li&gt;Have a clear agenda&lt;/li&gt;

  &lt;li&gt;Make sure the only attendees are people who need to be present&lt;/li&gt;

  &lt;li&gt;Establish objectives for the meeting&lt;/li&gt;

  &lt;li&gt;Have the attendees prepare in advance (if necessary)&lt;/li&gt;

  &lt;li&gt;Keep it short&lt;/li&gt;

  &lt;li&gt;Record key points and decisions&lt;/li&gt;

  &lt;li&gt;Create action items and assign them&lt;/li&gt;

  &lt;li&gt;Report progress and follow-up&lt;/li&gt;
&lt;/ul&gt;I believe it's important for all of us who propose meetings to incorporate the above points into how we organize and run our meetings. The result will be better for the business, and better for the development and morale of those attending.&lt;br /&gt;
&lt;br /&gt;
Steve Zenone&lt;br /&gt;
###

&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7267320703085764135-8655580058917019893?l=blog.zenone.org'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/morphic?a=n1qdYWUyVzM:2uhI3UdvOi0:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=n1qdYWUyVzM:2uhI3UdvOi0:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=n1qdYWUyVzM:2uhI3UdvOi0:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?i=n1qdYWUyVzM:2uhI3UdvOi0:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=n1qdYWUyVzM:2uhI3UdvOi0:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=n1qdYWUyVzM:2uhI3UdvOi0:I9og5sOYxJI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=I9og5sOYxJI" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/morphic/~4/n1qdYWUyVzM" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2008-09-12T13:47:57.649-07:00</app:edited><media:thumbnail url="http://4.bp.blogspot.com/_f5zPJR8dXDg/SHUJ_381DJI/AAAAAAAAC88/bpgch8fmOwE/s72-c/conferenceroom.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://blog.zenone.org/2008/07/productivity-useful-meetings.html</feedburner:origLink></item><item><title>Security: Thoughts on Latest DNS Vulnerability</title><link>http://feedproxy.google.com/~r/morphic/~3/BhD16sEFmyQ/security-thoughts-on-latest-dns.html</link><category>Risk Rating</category><category>BlackHat</category><category>DNS</category><category>BIND</category><category>Security</category><category>VU#800113</category><category>Karminsky</category><category>Vulnerability</category><category>Twitter</category><category>Exploit</category><category>Doxpara.com</category><category>CERT</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Fri, 12 Sep 2008 13:48:18 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-4850765824943857515</guid><description>&lt;p&gt;While on a quick trail run before work this morning, I was thinking about yesterday's announcement of a serious vulnerability in the DNS protocol. For those that don't know, yesterday &lt;a href="http://doxpara.com/" target="_blank"&gt;Dan Kaminsky&lt;/a&gt; announced that there's a fundamental flaw in the DNS protocol. Shortly thereafter the United States Computer Emergency Readiness Team (&lt;a href="http://www.kb.cert.org/vuls/id/800113" target="_blank"&gt;US-CERT&lt;/a&gt;) issued a security advisory titled, "Multiple DNS implementations vulnerable to cache poisoning".&lt;br /&gt;
&lt;br /&gt;
Since we're talking about a fundamental flaw within the DNS protocol itself, &lt;em&gt;many&lt;/em&gt; implementations of DNS are considered to be vulnerable. DNS, in a nutshell, is what translates human-readable, memorable names, such as www.blackhat.com, to the IP addresses that packets are actually routed to, such as 66.240.206.90.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="https://media.blackhat.com/webinars/blackhat-kaminsky-dns-press-conference.mp3" target="_blank"&gt;BlackHat&lt;/a&gt; has made available a recording of the press conference at which Karminsky made the public announcement. Karminsky has also made available an &lt;a href="http://doxpara.com/" target="_blank"&gt;online tool&lt;/a&gt; to check whether or not the primary DNS server you're using is vulnerable. A recent &lt;a href="http://mailman.nanog.org/pipermail/nanog/2008-July/001966.html" target="_BLANK"&gt;post&lt;/a&gt; on NANOG has a link to a perl script that allows one to run Karminsky's DNS checker against &lt;em&gt;any&lt;/em&gt; nameserver.&lt;br /&gt;
&lt;br /&gt;
I've heard a few individuals state that this latest &lt;a href="http://twitter.com/tqbf/statuses/853104857" target="_blank"&gt;vulnerability isn't critical&lt;/a&gt; in nature. We do know that Kaminsky will be releasing full details of the vulnerability at next month's BlackHat in Las Vegas. It &lt;em&gt;is&lt;/em&gt; also possible that exploit code could emerge before then, since Kaminsky did narrow down the area in which the DNS design flaw exists. Though Kaminsky has stated, "This is not enough information to reverse engineer the flaw," I believe it's an extremely risky assumption for businesses to base a delay in patching their vulnerable name servers upon.&lt;br /&gt;
&lt;br /&gt;
Looking at a risk matrix, I see this DNS vulnerability as a &lt;em&gt;high&lt;/em&gt; risk:&lt;br /&gt;
&lt;br /&gt;
&lt;em&gt;Likelihood of exploitation: LOW/MEDIUM [within 30 days]&lt;/em&gt;&lt;br /&gt;
&lt;em&gt;Impact of exploitation: HIGH&lt;/em&gt;&lt;br /&gt;
&lt;em&gt;-----------------&lt;/em&gt;&lt;br /&gt;
&lt;em&gt;Risk Rating: HIGH&lt;/em&gt;&lt;br /&gt;
&lt;br /&gt;
One individual I know stated, "In terms of DNS, the world isn't any more dangerous today than it was yesterday." However, we're not just dealing with the lack of source port randomization, which had been known publicly for several years (back in &lt;a href="http://isc.sans.org/diary.html?storyid=4693&amp;amp;rss" target="_BLANK"&gt;2005&lt;/a&gt;). We're also dealing with the weak entropy of the 16-bit DNS transaction ID (TXID), which on its own gives a spoofer only 65,536 values to guess. I believe that the risk, or danger, &lt;em&gt;has&lt;/em&gt; increased.&lt;br /&gt;
&lt;br /&gt;
&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_f5zPJR8dXDg/SHTm-4ENo-I/AAAAAAAAC80/c3itp5RkzD4/s1600-h/leveefail.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer;" src="http://3.bp.blogspot.com/_f5zPJR8dXDg/SHTm-4ENo-I/AAAAAAAAC80/c3itp5RkzD4/s200/leveefail.jpg" alt="" border="0" /&gt;&lt;/a&gt;In some uncomfortable way, this latest issue with DNS reminds me of the levees in New Orleans that were known to have severe vulnerabilities. Eventually the threat (heavy rain) exploited (broke) the vulnerability (failing levees) resulting in negative impact (flooding, financial loss and loss of life). Ignoring the vulnerability with the levees didn't remove the risk or make things any "safer".&lt;br /&gt;
&lt;br /&gt;
I'm interested to see what Kaminsky produces at the upcoming BlackHat.&lt;br /&gt;
&lt;br /&gt;
Steve Zenone&lt;br /&gt;
###&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;[UPDATE - 7/10/2008]&lt;/strong&gt;: Yet another option to test your nameserver is to use the &lt;em&gt;dig&lt;/em&gt; hack from &lt;a href="http://lists.oarci.net/pipermail/dns-operations/2008-July/002932.html" target="_blank"&gt;Duane Wessels&lt;/a&gt;; from a unix shell type 'dig +short @&lt;em&gt;nameserver-to-be-tested&lt;/em&gt; porttest.dns-oarc.net TXT'. The test makes the resolver under test send a series of queries to DNS-OARC, which reports how many distinct source ports those queries arrived from and their standard deviation. A resolver that always uses the same port is the one against which an attacker only has to guess the 16-bit transaction ID.&lt;br /&gt;
&lt;br /&gt;
A vulnerable nameserver, one that sends all of its queries from a single source port, will display output like the following:&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-size:85%;"&gt;&lt;span style="font-family: courier new;"&gt;z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: courier new;"&gt;"&lt;/span&gt;&lt;span style="font-style: italic; font-family: courier new;"&gt;nameserver-you-tested&lt;/span&gt; &lt;span style="font-family: courier new;"&gt;is&lt;/span&gt; &lt;span style="font-weight: bold; font-family: courier new;"&gt;POOR&lt;/span&gt;&lt;span style="font-family: courier new;"&gt;: 22 queries in 0.6 seconds from 1 ports with std dev 0.00"&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
In turn, a nameserver that randomizes its source ports returns a line in the same format rated GOOD (or GREAT), with a port count close to the number of queries and a standard deviation on the order of ten thousand or more; the exact figures vary from run to run:&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: courier new;font-size:85%;"&gt;z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.&lt;br /&gt;
"&lt;em&gt;nameserver-you-tested&lt;/em&gt; is &lt;strong&gt;GOOD&lt;/strong&gt;: 22 queries in 0.6 seconds from &lt;em&gt;N&lt;/em&gt; ports with std dev &lt;em&gt;S&lt;/em&gt;"&lt;/span&gt;&lt;/p&gt;

&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7267320703085764135-4850765824943857515?l=blog.zenone.org'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/morphic?a=BhD16sEFmyQ:lkZlQwisaCU:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=BhD16sEFmyQ:lkZlQwisaCU:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=BhD16sEFmyQ:lkZlQwisaCU:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?i=BhD16sEFmyQ:lkZlQwisaCU:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=BhD16sEFmyQ:lkZlQwisaCU:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=BhD16sEFmyQ:lkZlQwisaCU:I9og5sOYxJI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=I9og5sOYxJI" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/morphic/~4/BhD16sEFmyQ" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2008-09-12T13:48:18.562-07:00</app:edited><media:thumbnail url="http://3.bp.blogspot.com/_f5zPJR8dXDg/SHTm-4ENo-I/AAAAAAAAC80/c3itp5RkzD4/s72-c/leveefail.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><media:content url="http://feedproxy.google.com/~r/morphic/~5/tLhi7Cr79fY/blackhat-kaminsky-dns-press-conference.mp3" type="audio/mpeg" /><itunes:explicit>no</itunes:explicit><itunes:subtitle> While on a quick trail run before work this morning, I was thinking about yesterday's announcement of a serious vulnerability in the DNS protocol. For those that don't know, yesterday Dan Kaminsky announced that there's a fundamental flaw in the DNS prot</itunes:subtitle><itunes:author>noreply@blogger.com (Steve Zenone)</itunes:author><itunes:summary> While on a quick trail run before work this morning, I was thinking about yesterday's announcement of a serious vulnerability in the DNS protocol. For those that don't know, yesterday Dan Kaminsky announced that there's a fundamental flaw in the DNS protocol. Shortly thereafter the United States Computer Emergency Readiness Team (US-CERT) issued a security advisory titled, "Multiple DNS implementations vulnerable to cache poisoning". Since we're talking about a fundamental flaw within the DNS protocol itself, many implementations of DNS are considered to be vulnerable. DNS, in a nutshell, is what translates human readable and memorizable names, such as www.blackhat.com, to IP addresses that can get routed through the Net, such as 66.240.206.90. BlackHat has made available a recording of the press conference at which Karminsky made the public announcement. Karminsky has also made available an online tool to check whether or not the primary DNS server you're using is vulnerable. 
A recent post on NANOG has a link to a perl script that allows one to run Karminsky's DNS checker against any nameserver. I've heard a few individuals state that this latest vulnerability isn't critical in nature. We do know that Karminsky will be releasing full details of the vulnerability at next month's BlackHat in Las Vegas. It is also possible that exploit code could emerge prior since Karminsky did narrow down the area in which the DNS design flaw exists. Though Karminsky has stated, "This is not enough information to reverse engineer the flaw," I believe it's an extremely risky assumption for businesses to base delaying the patching of their vulnerable name servers upon. Looking at a risk matrix, I see the this DNS vulnerability as a high risk: Likelihood of exploitation: LOW/MEDIUM [ within 30 days] Impact of exploitation: HIGH ----------------- Risk Rating: HIGH One individual I know had stated, "In terms of DNS, the world isn't any more dangerous today than it was yesterday." However, we're not just dealing with randomization of source ports which had been known publicly for several years (back in 2005). We're also dealing with the weak entropy in the DNS transfer id (DNS XID). I believe that the risk, or danger, has increased. In some uncomfortable way, this latest issue with DNS reminds me of the levees in New Orleans that were known to have severe vulnerabilities. Eventually the threat (heavy rain) exploited (broke) the vulnerability (failing levees) resulting in negative impact (flooding, financial loss and loss of life). Ignoring the vulnerability with the levees didn't remove the risk or make things any "safer". I'm interested to see what Karminsky produces at the upcoming BlackHat. Steve Zenone ### [UPDATE - 7/10/2008]: Yet another option to test your nameserver is to use the dig hack from Duane Wessels; from a unix shell type 'dig +short @nameserver-to-be-tested porttest.dns-oarc.net TXT'. 
A vulnerable nameserver will display the following output: z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net. "nameserver-you-tested is POOR: 22 queries in 0.6 seconds from 1 ports with std dev 0.00" In turn, a better maintained nameserver will return the following: z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net. "nameserver-you-tested is GOOD: 22 queries in 0.6 seconds from 1 ports with std dev 0.00" </itunes:summary><itunes:keywords>Risk Rating, BlackHat, DNS, BIND, Security, VU#800113, Karminsky, Vulnerability, Twitter, Exploit, Doxpara.com, CERT</itunes:keywords><feedburner:origLink>http://blog.zenone.org/2008/07/security-thoughts-on-latest-dns.html</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/morphic/~5/tLhi7Cr79fY/blackhat-kaminsky-dns-press-conference.mp3" length="-1" type="audio/mpeg" /><feedburner:origEnclosureLink>https://media.blackhat.com/webinars/blackhat-kaminsky-dns-press-conference.mp3</feedburner:origEnclosureLink></item><item><title>Security: Instant Messaging and Enabling Business</title><link>http://feedproxy.google.com/~r/morphic/~3/nNYQeWKAdTs/security-instant-messaging-and-enabling.html</link><category>Instant Messaging</category><category>Google Talk</category><category>Security</category><category>AIM</category><category>Yahoo IM</category><category>ICQ</category><category>Risk</category><category>IM</category><category>XMPP</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Fri, 12 Sep 2008 13:49:24 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-210804325638730067</guid><description>&lt;p&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_f5zPJR8dXDg/SG0fkEoZu7I/AAAAAAAACvQ/vNzt60POi60/s1600-h/im-clients.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer;" 
src="http://1.bp.blogspot.com/_f5zPJR8dXDg/SG0fkEoZu7I/AAAAAAAACvQ/vNzt60POi60/s200/im-clients.jpg" alt="" border="0" name="BLOGGER_PHOTO_ID_5218862247771225010" /&gt;&lt;/a&gt;I recently had a colleague ask me about the inherent risks in using Instant Messaging (IM) for business. Certainly, IM is an extremely effective way to communicate with team members and customers who may not be in close physical proximity. However, if used incorrectly, the negative impact to the business can be massive.&lt;br /&gt;
&lt;br /&gt;
There are consumer-grade and business-grade IM solutions. Services such as Yahoo IM are considered consumer grade. Text-based IMs are either routed through a core set of central servers and then on to the recipient, or sent over peer-to-peer connections. When you combine consumer grade IM services with traffic flowing in the clear (i.e., unencrypted) through central servers outside of the organization's control, you end up with a significantly elevated set of risks. Are these risks worth accepting?&lt;br /&gt;
&lt;br /&gt;
Here are &lt;em&gt;some&lt;/em&gt; of the more obvious risks that I see with using consumer grade IM for business:&lt;br /&gt;&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Vulnerable Clients -- advisories for vulnerabilities in chat clients are announced fairly often, and many of them allow remote code execution on the vulnerable client system&lt;/li&gt;

  &lt;li&gt;Traffic can be viewed ("sniffed") -- by default, consumer grade IM clients send all of their traffic in the clear. There are plugins that provide encryption for some clients; however, all parties involved in the chat will need the crypto plugin enabled and configured correctly&lt;br /&gt;&lt;/li&gt;

  &lt;li&gt;Data theft -- a &lt;em&gt;nefarious&lt;/em&gt; employee could potentially move critical/restricted data to a location offsite&lt;br /&gt;&lt;/li&gt;

  &lt;li&gt;Identity Theft -- the mechanism for consumer grade IM user authentication is weak. Grab the weak authentication traffic and an attacker now has valid login credentials. The stolen credentials can then be used to impersonate the victim and as a launch pad for further identity theft&lt;/li&gt;

  &lt;li&gt;Provides IP info to attackers -- if an employee joins an external chatroom with their IM client, their IP address can become known to anyone else in the chatroom who may be interested (directly on IRC-style services, or through direct-connect and file-transfer features on others)...including a potential attacker. With the IP the attacker can focus their attack on a specific system&lt;/li&gt;

  &lt;li&gt;Privacy...or lack thereof -- see all points above&lt;/li&gt;

  &lt;li&gt;Social Engineering -- more likely to happen if an employee engages in conversations in non-business specific chatrooms&lt;/li&gt;
&lt;/ul&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_f5zPJR8dXDg/SG0mysTlO4I/AAAAAAAACvY/DJXmlnioYkA/s1600-h/identity-theft.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://3.bp.blogspot.com/_f5zPJR8dXDg/SG0mysTlO4I/AAAAAAAACvY/DJXmlnioYkA/s200/identity-theft.jpg" alt="" border="0" name="BLOGGER_PHOTO_ID_5218870195520879490" /&gt;&lt;/a&gt;Another risk is employees using IM for business on their home computers. Imagine, for just a moment, that an employee commits a crime against the business from home and uses IM to do it. Your business won't have the authority or right to confiscate their home computer for investigation; your hands are tied behind your back. I'm sure you can start to see where the dangers and risks go up.&lt;br /&gt;
&lt;br /&gt;
Additionally, many chat clients log all conversations to disk. What if confidential or restricted data is logged and stored on an individual's home computer? Other family members, or friends, may have access to that system, or perhaps the home computer is already compromised and under someone else's control (think botnet). Now the attacker can pull the chat logs and gain unauthorized access to confidential or restricted data. The impact could be titanic to the business! Of course, confidential or restricted data should &lt;em&gt;never&lt;/em&gt; be sent over IM in the first place.&lt;br /&gt;
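&lt;br /&gt;
As an added example, not code from the original post, the Python script below is a detection check for the risks listed above: it walks firewall or NetFlow-style records and flags outbound connections from internal hosts to the well-known client ports of consumer IM networks, noting which of those channels are cleartext by default. The port-to-service table, the encryption flags, the internal address ranges and the sample records are assumptions constructed for illustration and should be checked against your own environment.&lt;br /&gt;

```python
"""
Added example, not from the original post: flag outbound flows from the internal
network to consumer-grade IM services and note which ones are cleartext.
"""
import ipaddress
from collections import defaultdict

# Assumed internal ranges; adjust to the organisation's own allocations.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Well-known client-to-server ports of consumer IM networks circa 2008 and
# whether the channel is encrypted by default. Both columns are assumptions
# for illustration; verify them against the clients actually in use.
IM_PORTS = {
    5190: ("AIM/ICQ (OSCAR)", False),
    5050: ("Yahoo Messenger", False),
    1863: ("MSN Messenger", False),
    5222: ("XMPP / Google Talk", False),   # STARTTLS is per-server, so assume clear
    5223: ("XMPP legacy SSL", True),
    6667: ("IRC", False),
}


def is_internal(ip_text):
    """True when the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line):
    """One whitespace-separated record: ts src sport dst dport proto bytes."""
    ts, src, sport, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def find_im_flows(lines):
    """Outbound TCP flows whose destination port belongs to a consumer IM network."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if flow["proto"] != "tcp":
            continue
        if not is_internal(flow["src"]) or is_internal(flow["dst"]):
            continue            # only traffic leaving the organisation matters here
        service = IM_PORTS.get(flow["dport"])
        if service is None:
            continue
        flow["service"], flow["encrypted"] = service
        hits.append(flow)
    return hits


def summarize(hits):
    """Per internal host: which IM services it reached and whether any were cleartext."""
    summary = defaultdict(lambda: {"services": set(), "cleartext": False})
    for h in hits:
        entry = summary[h["src"]]
        entry["services"].add(h["service"])
        if not h["encrypted"]:
            entry["cleartext"] = True
    return dict(summary)


# Constructed records, not a real capture. 203.0.113.0/24 is documentation space.
SAMPLE_FLOWS = """
# ts src sport dst dport proto bytes
2008-07-02T09:01:11 10.1.4.22 51234 203.0.113.10 5190 tcp 18400
2008-07-02T09:02:40 10.1.4.22 51240 203.0.113.10 443 tcp 900
2008-07-02T09:05:02 10.1.7.9 49152 203.0.113.20 5050 tcp 2200
2008-07-02T09:06:30 10.1.7.9 49160 203.0.113.30 5223 tcp 5100
2008-07-02T09:07:15 10.1.2.2 40000 10.1.2.5 5222 tcp 3000
2008-07-02T09:08:00 10.1.5.5 44444 203.0.113.40 5222 udp 120
""".splitlines()

if __name__ == "__main__":
    for host, info in summarize(find_im_flows(SAMPLE_FLOWS)).items():
        print(host, sorted(info["services"]),
              "cleartext" if info["cleartext"] else "encrypted")
```

In a real deployment the records would come from the perimeter firewall or a flow collector. A host that appears in the summary with cleartext set is exactly the case the list above warns about; the internal-to-internal XMPP record is deliberately ignored, since an in-house IM server is the alternative worth steering people toward.&lt;br /&gt;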
&lt;br /&gt;
In addition to having policies, procedures, and perhaps even guidelines on the proper use of IM for business, I believe the return on investment from providing an internal, redundant IM service to enable the business is compelling and certainly worth considering strategically.&lt;br /&gt;
&lt;br /&gt;
Steve Zenone&lt;br /&gt;
###

&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7267320703085764135-210804325638730067?l=blog.zenone.org'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/morphic?a=nNYQeWKAdTs:xVXglDmq_Eo:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=nNYQeWKAdTs:xVXglDmq_Eo:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=nNYQeWKAdTs:xVXglDmq_Eo:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?i=nNYQeWKAdTs:xVXglDmq_Eo:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=nNYQeWKAdTs:xVXglDmq_Eo:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=nNYQeWKAdTs:xVXglDmq_Eo:I9og5sOYxJI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=I9og5sOYxJI" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/morphic/~4/nNYQeWKAdTs" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2008-09-12T13:49:24.985-07:00</app:edited><media:thumbnail url="http://1.bp.blogspot.com/_f5zPJR8dXDg/SG0fkEoZu7I/AAAAAAAACvQ/vNzt60POi60/s72-c/im-clients.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.zenone.org/2008/07/security-instant-messaging-and-enabling.html</feedburner:origLink></item><item><title>Security Toolbox: RatProxy</title><link>http://feedproxy.google.com/~r/morphic/~3/ouRTO_lnKJg/toolbox-ratproxy.html</link><category>Security</category><category>OWASP</category><category>Toolbox</category><category>Open Source</category><category>Google</category><category>RatProxy</category><category>Ubuntu</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Fri, 12 Sep 2008 13:49:29 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-8082038838599397327</guid><description>&lt;p&gt;The good folks from Google have released a freely available open-source web application security assessment tool called &lt;em&gt;RatProxy&lt;/em&gt;. The tool, which is still in beta, is designed to identify security vulnerabilities within web based applications.&lt;br /&gt;
&lt;br /&gt;
Quoting from the RatProxy project documentation page:&lt;br /&gt;&lt;/p&gt;
&lt;blockquote&gt;
  "Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments."
&lt;/blockquote&gt;Earlier this afternoon I downloaded the source code and compiled it to run on Ubuntu 8.04. After posting this blog entry I'll begin experimenting with RatProxy.&lt;br /&gt;
&lt;br /&gt;
RatProxy Documentation Page [&lt;a href="http://code.google.com/p/ratproxy/wiki/RatproxyDoc" target="_blank"&gt;link&lt;/a&gt;]&lt;br /&gt;
&lt;br /&gt;
Steve Zenone&lt;br /&gt;
###

&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7267320703085764135-8082038838599397327?l=blog.zenone.org'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/morphic?a=ouRTO_lnKJg:0AKih12DyCk:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=ouRTO_lnKJg:0AKih12DyCk:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=ouRTO_lnKJg:0AKih12DyCk:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?i=ouRTO_lnKJg:0AKih12DyCk:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=ouRTO_lnKJg:0AKih12DyCk:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=ouRTO_lnKJg:0AKih12DyCk:I9og5sOYxJI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=I9og5sOYxJI" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/morphic/~4/ouRTO_lnKJg" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2008-09-12T13:49:29.283-07:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.zenone.org/2008/07/toolbox-ratproxy.html</feedburner:origLink></item><item><title>The Coolness of Geek</title><link>http://feedproxy.google.com/~r/morphic/~3/i2t6C9baDFg/coolness-of-geek.html</link><category>TRS-80</category><category>BASIC</category><category>Apple II</category><category>Sexy</category><category>William Gibson</category><category>Geeks</category><category>Neuromancer</category><category>Cyber</category><category>Burning Chrome</category><category>BBS</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Fri, 12 Sep 2008 13:49:35 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-7750684526758690414</guid><description>&lt;p&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_f5zPJR8dXDg/SFhGbsgnb1I/AAAAAAAACuw/YuHK75K_iWs/s1600-h/00046.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer;" src="http://4.bp.blogspot.com/_f5zPJR8dXDg/SFhGbsgnb1I/AAAAAAAACuw/YuHK75K_iWs/s200/00046.jpg" alt="Steve Zenone looking at Tondelayo - girls were always cool!" border="0" /&gt;&lt;/a&gt;Apparently, &lt;em&gt;geek&lt;/em&gt; is becoming sexy. We've all known that geek was chic [pronounced &lt;em&gt;sheek&lt;/em&gt; for those who think I'm saying &lt;em&gt;chick&lt;/em&gt;]....but sexy, that's just hot! I think I've been waiting for this since the late seventies:&lt;br /&gt;&lt;/p&gt;
&lt;blockquote&gt;
  "&lt;em&gt;The Nerd Girls may not look like your stereotypical pocket-protector-loving misfits—their adviser, Karen Panetta, has a thing for pink heels-but they're part of a growing breed of young women who are claiming the nerd label for themselves. In doing so, they're challenging the notion of what a geek should look like, either by intentionally sexing up their tech personas, or by simply finding no disconnect between their geeky pursuits and more traditionally girly interests such as fashion, makeup and high heels."&lt;/em&gt;&lt;br /&gt;
  Newsweek, "Revenge of the Nerdette", 6/9/2008
&lt;/blockquote&gt;As I sit here I get mini flashbacks of typing away on my TRS-80 in elementary school, writing my first snippets of code in BASIC, knowing that in the eyes of the masses I wasn't being &lt;em&gt;cool&lt;/em&gt;. Then, in junior high, I graduated to the Apple II, on which platform I launched my first BBS. Soon after I added multiple phone lines and had sister systems throughout the US. Ahh, the good ol' days of the lawless wild west, shortly before William Gibson coined the term &lt;em&gt;cyber&lt;/em&gt; in his 1982 book, &lt;em&gt;Burning Chrome&lt;/em&gt;.&lt;br /&gt;
&lt;br /&gt;
Newsweek Article [&lt;a href="http://www.newsweek.com/id/140457" target="_blank"&gt;link&lt;/a&gt;]&lt;br /&gt;
&lt;br /&gt;
-Steve Zenone&lt;br /&gt;
###

</description><app:edited xmlns:app="http://www.w3.org/2007/app">2008-09-12T13:49:35.003-07:00</app:edited><media:thumbnail url="http://4.bp.blogspot.com/_f5zPJR8dXDg/SFhGbsgnb1I/AAAAAAAACuw/YuHK75K_iWs/s72-c/00046.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.zenone.org/2008/06/coolness-of-geek.html</feedburner:origLink></item><item><title>Equipped to Get the Job Done</title><link>http://feedproxy.google.com/~r/morphic/~3/3CJ3-B1Dx7k/equiped-to-get-job-done.html</link><category>Budget</category><category>Employee Retention</category><category>Buckingham and Coffman</category><category>USA Today</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Fri, 12 Sep 2008 13:49:39 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-4623597008471845898</guid><description>&lt;p&gt;I came across an article in USA Today titled, &lt;em&gt;Some employees buy own laptops, phones for work&lt;/em&gt;. The article reports that more and more professionals are buying their own electronic equipment to get their work done. This includes equipment like cell phones and even laptops!&lt;br /&gt;&lt;/p&gt;
&lt;blockquote&gt;
  Nearly 40% of professionals recently surveyed by researcher In-Stat paid for a laptop that they regularly carried. Cellphone users often picked up their bill. And company-provided personal digital assistants (PDAs), cameras and Global Positioning Systems (GPS) are relatively rare, says the survey, released Monday.
&lt;/blockquote&gt;As many organizations start to withdraw spending on materials and equipment, professionals are having to take matters into their own hands and purchase their own equipment. This reminds me of research done by Buckingham and Coffman. Their research paper summarized the twelve key factors in retaining star employees (there's a connection here - question #2 relates to employees having to purchase their own equipment).&lt;br /&gt;
&lt;br /&gt;
In a nutshell, if employees can answer the below questions in the affirmative, then the work environment is probably very strong and productive:&lt;br /&gt;
&lt;ol&gt;
  &lt;li&gt;Do I know what is expected of me at work?&lt;/li&gt;

  &lt;li&gt;Do I have the materials and equipment I need to do my work right?&lt;/li&gt;

  &lt;li&gt;At work, do I have the opportunity to do what I do best every day?&lt;/li&gt;

  &lt;li&gt;In the last seven days, have I received recognition or praise for good work?&lt;/li&gt;

  &lt;li&gt;Does my supervisor, or someone at work, seem to care about me as a person?&lt;/li&gt;

  &lt;li&gt;Is there someone at work who encourages my development?&lt;/li&gt;

  &lt;li&gt;At work, do my opinions seem to count?&lt;/li&gt;

  &lt;li&gt;Does the mission/purpose of my company make me feel like my work is important?&lt;/li&gt;

  &lt;li&gt;Are my co-workers committed to doing quality work?&lt;/li&gt;

  &lt;li&gt;Do I have a best friend at work?&lt;/li&gt;

  &lt;li&gt;In the last six months, have I talked with someone about my progress?&lt;/li&gt;

  &lt;li&gt;At work, have I had the opportunities to learn and grow?&lt;br /&gt;&lt;/li&gt;
&lt;/ol&gt;As a manager, the above points are worth reflecting upon.&lt;br /&gt;
&lt;br /&gt;
USA Today Article [&lt;a href="http://www.usatoday.com/tech/techinvestor/corporatenews/2008-06-15-electronic-devices-workplace_N.htm" target="_blank"&gt;link&lt;/a&gt;]&lt;br /&gt;
###

</description><app:edited xmlns:app="http://www.w3.org/2007/app">2008-09-12T13:49:39.406-07:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.zenone.org/2008/06/equiped-to-get-job-done.html</feedburner:origLink></item><item><title>On The Air: Manualism</title><link>http://feedproxy.google.com/~r/morphic/~3/ak7arcY5lm4/on-air-manualism.html</link><category>Podcast</category><category>Radio</category><category>KUSP</category><category>Manualism</category><category>Manualist</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Fri, 12 Sep 2008 13:49:42 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-7639706663807765335</guid><description>&lt;p&gt;Several weeks back, on May 12, I posted a blog entry about &lt;a href="http://blog.zenone.org/2008/05/off-topic-manualism.html" target="_blank"&gt;Manualism&lt;/a&gt;; the &lt;em&gt;art&lt;/em&gt; of making music with one's hands as the instrument. I've edited the piece down to half its original size and then edited it some more. This past Sunday I went down to the radio station to record the piece and had the producers do their magic. It will air on &lt;a href="http://kusp.org/" target="_blank"&gt;KUSP&lt;/a&gt; this Friday (6/13) at 7:33am and 5:33pm in the &lt;em&gt;First Person Singular&lt;/em&gt; segment.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;UPDATE #1 [6/13/2008]&lt;/strong&gt;: I believe my piece on KUSP is being delayed a week. I listened to the station this morning and someone else's &lt;em&gt;First Person Singular&lt;/em&gt; was aired...and I would imagine the same piece will be aired this afternoon. I will update this post once I learn of the new air date.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;UPDATE #2 [6/13/2008]:&lt;/strong&gt; I received confirmation from the radio station that the piece &lt;em&gt;will&lt;/em&gt; air this afternoon at 5:33pm.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;UPDATE #3 [6/13/2008]:&lt;/strong&gt; My piece aired this afternoon. If you missed it, you can download the two minute segment here [&lt;a href="http://www.zenone.org-a.googlepages.com/20080613-steve-kusp.mp3"&gt;link to mp3&lt;/a&gt;]&lt;/p&gt;

</description><app:edited xmlns:app="http://www.w3.org/2007/app">2008-09-12T13:49:42.637-07:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><media:content url="http://feedproxy.google.com/~r/morphic/~5/ZayOSaBXJ4g/20080613-steve-kusp.mp3" fileSize="2001187" type="application/octet-stream" /><itunes:explicit>no</itunes:explicit><itunes:subtitle> Several weeks back, on May 12, I posted a blog entry about Manualism; the art of making music with one's hands as the instrument. I've edited the piece down to half its original size and then edited it some more. This past Sunday I went down to the radio</itunes:subtitle><itunes:author>noreply@blogger.com (Steve Zenone)</itunes:author><itunes:summary> Several weeks back, on May 12, I posted a blog entry about Manualism; the art of making music with one's hands as the instrument. I've edited the piece down to half its original size and then edited it some more. This past Sunday I went down to the radio station to record the piece and had the producers do their magic. It will air on KUSP this Friday (6/13) at 7:33am and 5:33pm in the First Person Singular segment. UPDATE #1 [6/13/2008]: I believe my piece on KUSP is being delayed a week. I listened to the station this morning and someone else's First Person Singular was aired...and I would imagine the same piece will be aired this afternoon. I will update this post once I learn of the new air date. UPDATE #2 [6/13/2008]: I received confirmation from the radio station that the piece will air this afternoon at 5:33pm. UPDATE #3 [6/13/2008]: My piece aired this afternoon. 
If you missed it, you can download the two minute segment here [link to mp3] </itunes:summary><itunes:keywords>Podcast, Radio, KUSP, Manualism, Manualist</itunes:keywords><feedburner:origLink>http://blog.zenone.org/2008/06/on-air-manualism.html</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/morphic/~5/ZayOSaBXJ4g/20080613-steve-kusp.mp3" length="2001187" type="application/octet-stream" /><feedburner:origEnclosureLink>http://www.zenone.org-a.googlepages.com/20080613-steve-kusp.mp3</feedburner:origEnclosureLink></item><item><title>PCI Security Standards Council Mandates New Vulnerability Scoring</title><link>http://feedproxy.google.com/~r/morphic/~3/lmWOlwPMrbY/pci-security-standards-council-mandates.html</link><category>penetration test</category><category>ASV</category><category>compliance</category><category>PCI DSS</category><category>vlnerability scan</category><category>CVSS</category><category>PCI</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Fri, 12 Sep 2008 13:49:47 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-5461745109556485330</guid><description>&lt;p&gt;I recently learned that all Approved Scanning Vendors (ASVs) are required to use version 2 of the Common Vulnerability Scoring System (CVSS). Starting July 1, 2008, version 2 will be the new industry standard and all scans will be scored using this system.&lt;br /&gt;
&lt;br /&gt;
Many of the ASVs that I have experience with continue to fail scans based upon false positives. Although PCI DSS requirement 11.3.1 necessitates a network-layer penetration test to be performed at least once a year and after any significant infrastructure upgrade or modification, the automated quarterly vulnerability scans will still show a compliance failure even if the flagged vulnerability is a false positive.&lt;br /&gt;
&lt;br /&gt;
It'll be interesting to see how many merchants will move from compliance status of &lt;em&gt;compliant&lt;/em&gt; to &lt;em&gt;non-compliant&lt;/em&gt; after July 1.&lt;/p&gt;

</description><app:edited xmlns:app="http://www.w3.org/2007/app">2008-09-12T13:49:47.560-07:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.zenone.org/2008/06/pci-security-standards-council-mandates.html</feedburner:origLink></item><item><title>Sunday Post #11 - Memorial Day</title><link>http://feedproxy.google.com/~r/morphic/~3/Ub9PQ0V0Sus/sunday-post-11-memorial-day.html</link><category>Sunday Post</category><category>Memorial Day</category><category>Abraham Lincoln</category><category>Gettysburg</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Fri, 12 Sep 2008 13:49:56 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-435921499434240483</guid><description>&lt;p&gt;Where does one begin saying "Thank You" to all those who have given everything so that we may have our freedom?&lt;br /&gt;
&lt;br /&gt;&lt;/p&gt;
&lt;div style="text-align: center;"&gt;
  &lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_f5zPJR8dXDg/SDuB2cziRvI/AAAAAAAACtE/qZ1_rb-tjY8/s1600-h/goldengate.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_f5zPJR8dXDg/SDuB2cziRvI/AAAAAAAACtE/qZ1_rb-tjY8/s320/goldengate.jpg" alt="" border="0" name="BLOGGER_PHOTO_ID_5204896566802007794" /&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;Photo: Steve Zenone (Golden Gate National Cemetery)&lt;/span&gt;&lt;br /&gt;
&lt;/div&gt;
&lt;blockquote&gt;
  &lt;em&gt;"That from these honored dead we take increased devotion to that cause for which they gave the last full measure of devotion ... that we here highly resolve that these dead shall not have died in vain."&lt;br /&gt;
  -- Abraham Lincoln, spoken at Gettysburg in 1863&lt;/em&gt;
&lt;/blockquote&gt;Walking through the cemetery, contemplating, I was in awe. Each tombstone not only represents a single serviceman/servicewoman. Rather, every tombstone also represents the family and friends whose lives were interwoven so intimately...in addition to the lives the family and friends touched. Clearly, we're all affected and connected.

</description><app:edited xmlns:app="http://www.w3.org/2007/app">2008-09-12T13:49:56.076-07:00</app:edited><media:thumbnail url="http://1.bp.blogspot.com/_f5zPJR8dXDg/SDuB2cziRvI/AAAAAAAACtE/qZ1_rb-tjY8/s72-c/goldengate.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.zenone.org/2008/05/sunday-post-11-memorial-day.html</feedburner:origLink></item><item><title>Opinion: Responses to OpenSSL Vulnerability</title><link>http://feedproxy.google.com/~r/morphic/~3/3rPhD0-bhVw/opinion-why-attack-debian-and-ubuntu.html</link><category>Security</category><category>Opinion OpenSSL</category><category>linux</category><category>Fedora</category><category>Unix</category><category>RedHat</category><category>Debian</category><category>Ubuntu</category><category>FreedBSD</category><category>SUSE</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Fri, 12 Sep 2008 13:50:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-8361479410349653832</guid><description>&lt;p&gt;As those of you in the IT Security world know, last week there was a serious vulnerability in Debian's/Ubuntu's OpenSSL random number generator [&lt;a href="http://blog.zenone.org/2008/05/security-debian-and-ubuntu-openssl.html" target="_blank"&gt;link&lt;/a&gt;].&lt;br /&gt;
&lt;br /&gt;
The vulnerability in OpenSSL was announced by the Debian Project on Thursday, May 13th, 2008 [&lt;a href="http://www.debian.org/security/2008/dsa-1571" target="_blank"&gt;link&lt;/a&gt;]. That same day updated OpenSSL packages were released for Debian, Ubuntu and Debian-based distributions [e.g., &lt;a href="http://www.ubuntu.com/usn/usn-612-1"&gt;link&lt;/a&gt;]. Shortly thereafter code was being posted to Full Disclosure and other lists to exploit this vulnerability on unpatched systems.&lt;br /&gt;
&lt;br /&gt;
I was very surprised by people's reaction regarding this vulnerability. In particular, there was a noticeable amount of OS bashing; discrediting the affected operating systems. The irony is that the majority of this negative publicity came from other *NIX-centric individuals who simply stood back while proudly saying, "look, &lt;em&gt;my&lt;/em&gt; superior OS wasn't affected." It's funny that the elitist OS wars of the past still continue today. It's also entertaining - but that's beside the point. Unfortunately, &lt;em&gt;this&lt;/em&gt; type of negative publicity doesn't contribute to building and strengthening the communities that are working so hard to build incredible flavors of their OS of choice. In one way or another, some requiring more creativity than others, the family of *NIX operating systems share a common ancestry [see UNIX family tree image below].&lt;br /&gt;
&lt;br /&gt;&lt;/p&gt;
&lt;div style="text-align: center;"&gt;
  &lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_f5zPJR8dXDg/SDHyiadPFUI/AAAAAAAACsQ/-ivBqnd4d2Y/s1600-h/unixhistory.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_f5zPJR8dXDg/SDHyiadPFUI/AAAAAAAACsQ/-ivBqnd4d2Y/s320/unixhistory.jpg" alt="" border="0" name="BLOGGER_PHOTO_ID_5202205717621052738" /&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;Click on the above image to enlarge [image: &lt;a href="http://www.zwahlendesign.ch/en/node/13" target="_blank"&gt;ZwahlenDesign&lt;/a&gt;]&lt;/span&gt;&lt;br /&gt;
  &lt;span style="font-size:85%;"&gt;For a more complete timeline, see Eric Levenez's UNIX History [&lt;a href="http://www.levenez.com/unix/history.html" target="_blank"&gt;link&lt;/a&gt;].&lt;br /&gt;&lt;/span&gt;
&lt;/div&gt;&lt;br /&gt;
I can imagine Rodney King, while waving a black flag with the Linux penguin mascot, now saying, "People, I just want to say, you know, can we all get along? Can we get along?"&lt;br /&gt;
&lt;br /&gt;
I agree, it's too bad that the code that made the latest OpenSSL vulnerability a reality existed. It also highlights the blind trust people &lt;em&gt;generally&lt;/em&gt; place into the operating systems that they use. However, what I also &lt;em&gt;clearly see&lt;/em&gt; is how &lt;strong&gt;the community quickly worked together and released fixes&lt;/strong&gt; &lt;span style="font-style: italic; font-weight: bold;"&gt;prior&lt;/span&gt; &lt;strong&gt;to exploit code being widely disseminated&lt;/strong&gt;. Now, &lt;em&gt;that's&lt;/em&gt; awesome! There was no Patch Tuesday to wait for. Rather, the fixes were created, tested, and distributed as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Without a doubt I'm very glad to have moved my desktop OS of choice to Ubuntu two years ago. Sure, I'd be happy with SUSE, Fedora, RedHat, FreeBSD, OpenBSD. I've used them all. However, for reasons that work for me I've settled on Ubuntu ... for now.

</description><app:edited xmlns:app="http://www.w3.org/2007/app">2008-09-12T13:50:00.988-07:00</app:edited><media:thumbnail url="http://4.bp.blogspot.com/_f5zPJR8dXDg/SDHyiadPFUI/AAAAAAAACsQ/-ivBqnd4d2Y/s72-c/unixhistory.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.zenone.org/2008/05/opinion-why-attack-debian-and-ubuntu.html</feedburner:origLink></item><item><title>Security: Debian and Ubuntu OpenSSL Vulnerability</title><link>http://feedproxy.google.com/~r/morphic/~3/0y-XYgIXxI8/security-debian-and-ubuntu-openssl.html</link><category>OpenVPN</category><category>Enterprise Security</category><category>Vulnerability</category><category>ssh</category><category>Metasploit</category><category>Debian</category><category>CERT</category><category>OpenSSL</category><category>Ubuntu</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Fri, 12 Sep 2008 13:50:08 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-7827420599414369716</guid><description>&lt;p&gt;I won't go into all the details since the majority of the security mailing lists and blogs are covering the issue -- however, I'm blogging this as a reminder. The recent Debian/Ubuntu OpenSSL random number generator vulnerability is very serious, especially if you had generated any keys on Debian or Ubuntu systems running vulnerable versions of OpenSSL (e.g., ssh keys, OpenVPN keys, etc).&lt;br /&gt;
&lt;br /&gt;
There's an excellent detailed summary regarding this issue on HD Moore's web site hosted on Metasploit (link below). To quote from the website:&lt;br /&gt;&lt;/p&gt;
&lt;blockquote&gt;
  "All SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc) between September 2006 and May 13th, 2008 may be affected. In the case of SSL keys, all generated certificates will need to be recreated and sent off to the Certificate Authority to sign. Any Certificate Authority keys generated on a Debian-based system will need to be regenerated and revoked. All system administrators that allow users to access their servers with SSH and public key authentication need to audit those keys to see if any of them were created on a vulnerable system. Any tools that relied on OpenSSL's PRNG to secure the data they transferred may be vulnerable to an offline attack. Any SSH server that uses a host key generated by a flawed system is subject to traffic decryption and a man-in-the-middle attack would be invisible to the users. This flaw is ugly because even systems that do not use the Debian software need to be audited in case any key is being used that was created on a Debian system."
&lt;/blockquote&gt;Per the standard recommendation, &lt;strong&gt;patch all vulnerable systems as soon as possible&lt;/strong&gt;. In addition, you will need to regenerate any keys that were created previously using vulnerable versions of OpenSSL.&lt;br /&gt;
&lt;br /&gt;
HD Moore's Website [&lt;a href="http://metasploit.com/users/hdm/tools/debian-openssl/" target="_blank"&gt;link&lt;/a&gt;]&lt;br /&gt;
Official CERT Advisory [&lt;a href="http://www.us-cert.gov/cas/techalerts/TA08-137A.html" target="_blank"&gt;link&lt;/a&gt;]

</description><app:edited xmlns:app="http://www.w3.org/2007/app">2008-09-12T13:50:08.026-07:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.zenone.org/2008/05/security-debian-and-ubuntu-openssl.html</feedburner:origLink></item><item><title>HowTo: Uncomplicated Firewall (ufw) in Ubuntu 8.04</title><link>http://feedproxy.google.com/~r/morphic/~3/2We-l8_jzvw/howto-uncomplicated-firewall-ifw-in.html</link><category>HowTo</category><category>Security</category><category>Firewall</category><category>Uncomplicated Firewall</category><category>Hardy Heron</category><category>ifw</category><category>Ubuntu</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Fri, 12 Sep 2008 13:50:12 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-663305902462932518</guid><description>&lt;p&gt;I've recently upgraded several of my systems to Ubuntu 8.04 (Hardy Heron). While poking around, figuring out what has changed since 7.10 (Gutsy Gibbon), I came across the 'ufw' command, which is an acronym for &lt;strong&gt;U&lt;/strong&gt;ncomplicated &lt;strong&gt;F&lt;/strong&gt;ire&lt;strong&gt;w&lt;/strong&gt;all.&lt;br /&gt;
&lt;br /&gt;
Personally, on my Linux systems I've preferred working with iptables directly. Several years ago I started using 'fwbuilder' to manage my iptables rules. Nonetheless, I'm still interested in playing around with ufw to see what value it has.&lt;br /&gt;
&lt;br /&gt;
Here's a ufw example; the rule syntax is modelled on OpenBSD's PF:&lt;br /&gt;&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Let's assume I want to allow all ssh traffic (22/tcp) from the 10.10.1.0/24 subnet to my host at IP 10.10.2.10:&lt;/li&gt;
&lt;/ul&gt;
&lt;blockquote&gt;
  sudo ufw allow proto tcp from 10.10.1.0/24 to 10.10.2.10 port 22
&lt;/blockquote&gt;
&lt;ul&gt;
  &lt;li&gt;Is there a single host that's bothering you and you want to block it?&lt;/li&gt;
&lt;/ul&gt;
&lt;blockquote&gt;
  sudo ufw deny from {IP address}
&lt;/blockquote&gt;If you're interested in testing ufw, the Ubuntu Unleashed Blog [&lt;a href="http://www.ubuntu-unleashed.com/2008/05/howto-take-use-setup-and-advantage-of.html" target="_blank"&gt;link&lt;/a&gt;] has a useful guide on using the tool. Of course, you can always use the man pages as well [`man ufw`].

&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7267320703085764135-663305902462932518?l=blog.zenone.org'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/morphic?a=2We-l8_jzvw:xH8Q4_mb6pE:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=2We-l8_jzvw:xH8Q4_mb6pE:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=2We-l8_jzvw:xH8Q4_mb6pE:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?i=2We-l8_jzvw:xH8Q4_mb6pE:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=2We-l8_jzvw:xH8Q4_mb6pE:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=2We-l8_jzvw:xH8Q4_mb6pE:I9og5sOYxJI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=I9og5sOYxJI" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/morphic/~4/2We-l8_jzvw" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2008-09-12T13:50:12.830-07:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.zenone.org/2008/05/howto-uncomplicated-firewall-ifw-in.html</feedburner:origLink></item><item><title>Off Topic: Manualism</title><link>http://feedproxy.google.com/~r/morphic/~3/cD8PQy2kzSw/off-topic-manualism.html</link><category>Music</category><category>High School</category><category>Hand Music</category><category>Yankee Doodle</category><category>Cantina Band</category><category>Cecil Dill</category><category>Star Wars</category><category>Manualism</category><category>Off Topic</category><category>Manualist</category><author>noreply@blogger.com (Steve Zenone)</author><pubDate>Fri, 12 Sep 2008 13:50:15 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-7267320703085764135.post-3544634850198937186</guid><description>&lt;p&gt;Recently I learned about the entertaining subculture of manualism. It happened by complete chance, I swear! You believe me, don't you?&lt;br /&gt;
&lt;br /&gt;
&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_f5zPJR8dXDg/SCiyDqdPFLI/AAAAAAAACqA/vPVI5fibLf8/s1600-h/Manualism.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer;" src="http://4.bp.blogspot.com/_f5zPJR8dXDg/SCiyDqdPFLI/AAAAAAAACqA/vPVI5fibLf8/s200/Manualism.jpg" alt="" border="0" /&gt;&lt;/a&gt;While searching YouTube for "Cantina Band", there was a video that I couldn't resist watching. Without skipping a beat I moved my mouse over the video and clicked play. As I began watching the video of a manualist playing the Star Wars “Cantina Band” song with his hands, distant memories from my past started to emerge. It had nothing to do with rice and beans. Please!&lt;br /&gt;
&lt;br /&gt;
As I was saying, we were just about to take a stroll down memory lane...&lt;br /&gt;
&lt;br /&gt;
&lt;span style="color: #666666;"&gt;[dream sequence]&lt;/span&gt;&lt;br /&gt;
I remembered my sophomore year in high school; I was sitting at my desk during Spanish class. I should have been conjugating verbs, but instead I was attempting to squeeze air through my hands while pressing them together, firmly. Minutes passed and I kept trying to make sound with my hands. Suddenly, and quite unexpectedly, there was a hush in class, and it was during that silence that my hands made “the sound”. If I recall correctly, the moment my hands made the sound of bodily relief, my face grew bright red. I had no idea if my classmates thought I had uncontrolled flatulence or if my hands made the sound.&lt;br /&gt;
&lt;span style="color: #666666;"&gt;[/dream sequence]&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
Fast forward twenty years, and there I was watching a guy play “The Cantina Band” using his hands! I wondered how much the musician must have practiced to be able to play the song as well as he did. Interestingly, according to Wikipedia, “&lt;em&gt;Some manualists practice for as much as 30 years before finally reaching a presentable level of proficiency&lt;/em&gt;.” Apparently the first individual documented to have made musical parody with his hands was Cecil Dill. He claims to have learned how to play “Yankee Doodle” using his hands back in 1914.&lt;br /&gt;
&lt;br /&gt;
Now, isn't that a gas!&lt;br /&gt;
&lt;br /&gt;
Video of manualist playing "The Cantina Band" [&lt;a href="http://youtube.com/watch?v=pBiLAy7mDbw" target="_blank"&gt;link&lt;/a&gt;]&lt;br /&gt;
Video of Cecil Dill and his Musical Hands [&lt;a href="http://youtube.com/watch?v=gcZynEsdGnQ" target="_blank"&gt;link&lt;/a&gt;]&lt;br /&gt;
Wikipedia article on Manualism [&lt;a href="http://en.wikipedia.org/wiki/Manualism_%28hand_music%29" target="_blank"&gt;link&lt;/a&gt;]&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;UPDATE [6/13/2008]:&lt;/strong&gt; My piece aired this afternoon. If you missed it, you can download the two minute segment here [&lt;a href="http://www.zenone.org-a.googlepages.com/20080613-steve-kusp.mp3"&gt;link to mp3&lt;/a&gt;]&lt;/p&gt;

&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7267320703085764135-3544634850198937186?l=blog.zenone.org'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/morphic?a=cD8PQy2kzSw:Fd7xuzD9Nz8:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=cD8PQy2kzSw:Fd7xuzD9Nz8:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=cD8PQy2kzSw:Fd7xuzD9Nz8:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?i=cD8PQy2kzSw:Fd7xuzD9Nz8:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=cD8PQy2kzSw:Fd7xuzD9Nz8:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/morphic?a=cD8PQy2kzSw:Fd7xuzD9Nz8:I9og5sOYxJI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/morphic?d=I9og5sOYxJI" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/morphic/~4/cD8PQy2kzSw" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2008-09-12T13:50:15.751-07:00</app:edited><media:thumbnail url="http://4.bp.blogspot.com/_f5zPJR8dXDg/SCiyDqdPFLI/AAAAAAAACqA/vPVI5fibLf8/s72-c/Manualism.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><media:content url="http://feedproxy.google.com/~r/morphic/~5/ZayOSaBXJ4g/20080613-steve-kusp.mp3" fileSize="2001187" type="application/octet-stream" /><itunes:explicit>no</itunes:explicit><itunes:subtitle> Recently I learned about the entertaining subculture of manualism. It happened by complete chance, I swear! You believe me, don't you? While searching YouTube for "Cantina Band", there was a video that I couldn't resist watching. Without skipping a beat </itunes:subtitle><itunes:author>noreply@blogger.com (Steve Zenone)</itunes:author><itunes:summary> Recently I learned about the entertaining subculture of manualism. It happened by complete chance, I swear! You believe me, don't you? While searching YouTube for "Cantina Band", there was a video that I couldn't resist watching. Without skipping a beat I moved my mouse over the video and clicked play. As I began watching the video of a manualist playing the Star Wars “Cantina Band” song with his hands, distant memories from my past started to emerge. It had nothing to do with rice and beans. Please! As I was saying, we were just about to take a stroll down memory lane... [dream sequence] I remembered my sophomore year in high school; I was sitting in my desk during Spanish class. I should have been conjugating verbs, but instead I was attempting to squeeze air through my hands while pressing them together, firmly. Minutes passed and I kept trying to make sound with my hands. 
Suddenly, and quite unexpectedly, there was a hush in class, and it was during that silence that my hands made “the sound”. If I recall correctly, the moment my hands made the sound of bodily relief, my face grew bright red. I had no idea if my classmates thought I had uncontrolled flatulence or if my hands made the sound. [/dream sequence] Fast forward twenty years, and there I was watching a guy play “The Cantina Band” using his hands! I wondered how much the musician must have practiced to be able to play the song as well as he did? Interestingly, according to Wikipedia, “Some manualists practice for as much as 30 years before finally reaching a presentable level of proficiency.” Apparently the first individual that was documented to have made musical parody with his hands was Cecil Dill. He claims to have learned how to play “Yankee Doodle” using his hands back in 1914. Now, isn't that a gas! Video of manualist playing "The Cantina Band" [link] Video of Cecil Dill and his Musical Hands [link] Wikipedia article on Manualism [link] UPDATE [6/13/2008]: My piece aired this afternoon. If you missed it, you can download the two minute segment here [link to mp3] </itunes:summary><itunes:keywords>Music, High School, Hand Music, Yankee Doodle, Cantina Band, Cecil Dill, Star Wars, Manualism, Off Topic, Manualist</itunes:keywords><feedburner:origLink>http://blog.zenone.org/2008/05/off-topic-manualism.html</feedburner:origLink><enclosure url="http://feedproxy.google.com/~r/morphic/~5/ZayOSaBXJ4g/20080613-steve-kusp.mp3" length="2001187" type="application/octet-stream" /><feedburner:origEnclosureLink>http://www.zenone.org-a.googlepages.com/20080613-steve-kusp.mp3</feedburner:origEnclosureLink></item><media:rating>nonadult</media:rating></channel></rss>
