It's about time! NIST has published its intention to withdraw its approval for using the DES encryption algorithm to protect federal gov't information. The short announcement encourages DES users to switch to AES, but also notes that DES used as part of triple DES implementations is still OK.
Friday, July 30, 2004
The Web Application Security Consortium has published a new taxonomy of web security threats. It's 87 pages long and contains detailed descriptions, examples and references for over 20 types of attacks. Is it rocket science? No. Is it useful? Maybe, but only if enough people actually read it and start referencing it.
A taxonomy is a good thing, in my opinion. I need to read in more detail before I can say whether I'll be using it on a daily basis, though.
joatBlog mentions that there might be a trust issue with using a copyrighted taxonomy, but I've read the OpenContent license this document uses, and it seems quite reasonable and very Open Source-like.
Posted by David Bianco at 1:58 PM
Reading this article about a Blackhat presentation on Metasploit gave me the idea for this entry.
If you haven't tried Metasploit, you should. Right now. Their motto, "Hacking like it is in the movies", is pretty accurate. They've got a good database of reliable cross-platform exploits and payloads all wrapped up in a convenient point-n-click GUI. It's extremely useful as a tool for security testers and admins who want to verify the security of their systems, but unfortunately, it can also easily be used for Evil.
You really do owe it to yourself to check this out. Trust me.
Posted by David Bianco at 10:28 AM
IBM's developerWorks has published Kenneth Ballard's fine article on basic OpenSSL programming. This is the clearest, most straightforward explanation of how to program the OpenSSL library in C. Although the documentation does a good job of hiding it, it's really trivial to work OpenSSL into your own applications.
Posted by David Bianco at 8:48 AM
Wednesday, July 28, 2004
Slate has an article entitled Fight Virus With Virus - That's the only way to stop MyDoom. The author's idea is that if we can't stem the tide of malware with our current technology, then we should fight fire with fire, or "virus with virus", by creating worms that exploit widespread security holes in order to spread around and automatically fix security holes.
This idea is not just bad, it is disastrous. It's hard enough sometimes for legitimate administrators to patch their systems and have them still run reliably (pre-production testing, anyone?) and the idea of trusting my systems to an anonymous piece of code that has no local knowledge about my configuration, requirements or schedule is simply ludicrous.
Let me be clear: No way in hell.
Posted by David Bianco at 9:11 PM
Sunday, July 25, 2004
The SANS Internet Storm Center's diary entry for today talks about something I find, frankly, amazing. Scott Weil, the head of SANS' Local Mentor training programs, spoke with a group of school children about Internet safety issues. He asked some of the students to design an attack against their school's network, and the rest to design defensive measures to protect their network against attackers. I'm amazed by the sophistication their responses displayed.
Posted by David Bianco at 2:51 PM
Saturday, July 24, 2004
Slashdot has a pointer to a couple of articles showcasing Dartmouth Assistant Professor Hany Farid's work on detecting altered digital images. Apparently, he and his graduate student, Alin Popescu, have developed a mathematical model that can determine whether or not various common image editing techniques (cloning, averaging, resizing, etc.) have been applied.
How is this related to Information Security, you may ask? For one thing, it may have potential ramifications for the admissibility of digital photos as evidence in a court of law. Also, and neither article mentions this, it sounds like it may also have the potential to help identify images which contain steganographic content.
Posted by David Bianco at 5:26 PM
Thursday, July 22, 2004
The Boston Globe has an article showcasing possible vulnerabilities in the network setup planned for the Democratic National Convention. Apparently, some of the hackers over at Newbury Networks have keyed in on the fact that although the DNC is deploying an exclusively-wired network, the influx of thousands of laptops pretty much guarantees some of them will be misconfigured to act as bridges to their built-in wireless networks. The article describes an attack whereby a Bad Guy could set up a high-power access point near the convention site and trick unwary laptop users into associating with his malicious network, and then use the attendees' laptops as jumping-off points into the wired network.
This attack has a reasonable chance of succeeding but it's nothing new. You see this type of thing any place lots of people bring laptops (conventions, conferences, heck even hotel networks). The real question in my mind is about the potential risk. I'm not familiar enough with what goes on at these conventions to know what's on the network or evaluate what the potential loss could be. Anyone care to comment?
Posted by David Bianco at 3:22 PM
Wednesday, July 21, 2004
InfosecWriters.com has a good paper exploring the issues (pro and con) of teaching "ethical hacking." As you probably know, any yahoo with $$ can sign up for a number of "Super Ultimate Megaleet Hacking" courses and learn most of the same techniques the Bad Guys use against us. The concern is, of course, are we the ones teaching the Bad Guys? My take is that truly dangerous blackhats don't need our help to learn anything, so the benefit to the security community far outweighs the possible downside. But check out this paper and see if you agree.
Posted by David Bianco at 11:48 AM
Check out Eliot Lim's excellent paper, Design and Deployment of a Rapid Response Security Vulnerability Scanning Infrastructure. It's a fascinating case study of implementing a vulnerability scanning program in an environment which is usually downright hostile towards security, the university and academic research facility.
Posted by David Bianco at 10:15 AM
Tuesday, July 20, 2004
El Reg has an amusing article surveying the musical tastes of various types of IT pros. Apparently, security pros are supposed to be fond of 60's rock classics like The Dead, Jimi Hendrix and The Doors. While I do have Hendrix and The Doors on my iPod, I'm more of a blues man myself. Guess I'll have to get another job...
Immunity's Dave Aitel has posted slides from his recent talk, entitled Advanced Ordnance. The presentation explores the idea of creating a description language and compiler for implementing the next generation of platform-independent worms. Lest you think this is just pie-in-the-sky, I should mention that it's based on his freeware MOSDEF tool, so parts of what he describes already exist, or are within cat-hurling distance of existing. It's interesting stuff, though the implications are a little on the scary side.
(Note: The presentation is in an OpenOffice format)
Posted by David Bianco at 8:36 AM
Monday, July 19, 2004
Saturday, July 17, 2004
The Associated Press has an interesting story about cybersecurity measures for the upcoming Olympic games. It's a little light on technical details, but there are some interesting nuggets nonetheless. I'd like to know how large of a staff they have working on this part, but unfortunately the article doesn't say.
Posted by David Bianco at 1:44 PM
Friday, July 16, 2004
I've just read that Los Alamos National Lab has temporarily suspended all classified research due to a continuing pattern of Information Security problems. Specifically, in this last incident they lost two ZIP disks containing classified weapons-related information.
Classified research counts for a lot of their business, so I hate to think how much this is affecting a) their scientific mission, and b) their bottom line. It's nice to hear that they are finally taking decisive actions to clear up the problem, though.
On that note, here's my favorite quote from the article:
Nanos said people at the lab sometimes have an attitude of impunity, expressed in the phrase, "They can't fire us all."
Speaking to those who had behaved with a cavalier attitude, Nanos said, "We're going high and right on this one. And the fact of the matter is, if we have to, we will fire you all."
Posted by David Bianco at 4:24 PM
In a brash display of... well, I'm not sure what, but it certainly wasn't brains, two Oxford students apparently hax0r3d the school's network and then published the results in the school's newspaper.
The law is the law, folks, and the difference between an administrator and a hacker is permission. If you don't have it (in writing!), you're just asking for trouble pulling this kind of stunt.
Here's a writeup from El Reg, and here's the students' original article.
Posted by David Bianco at 12:17 PM