15. September 2010 · Comments Off on Burglars used social network status updates to select victims • The Register · Categories: Privacy, Social Engineering · Tags:

Burglars used social network status updates to select victims • The Register.

Posting your location can have unintended consequences. A band of burglars in Nashua, NH were arrested for an estimated 50 burglaries in the area whose locations were chosen based on information they collected from social networks including Facebook.

“Be careful of what you post on these social networking sites,” said Capt. Ron Dickerson of Nashua police. “We know for a fact that some of these players, some of these criminals, were looking on these sites and identifying their targets through these social networking sites.”

15. September 2010 · Comments Off on New commercial DDoS botnet discovered · Categories: blog · Tags: , , , , , ,

Via SC Magazine article, a new commercial DDoS botnet  has been discovered. IMDDOS is growing at a rate of 10,000 devices per day. Note that this is a commercial effort:

Literally anyone who can read or work with a Mandarin Chinese website can go onto their self-service portal, create an account and pick their victim of choice for a DDoS attack.

The botnet’s C&C domains, located in China, are used to push out instructions to infected bots to launch DDoS attacks against a list of targeted domains. Researchers are unsure of the price of IMDDOS attack services and do not know the actual domain names targeted by IMDDOS customers.

Full disclosure: While this article was “stimulated” by Damballa’s VP of Marketing, I still thought it was newsworthy. We partner with FireEye, a Damballa competitor.

15. September 2010 · Comments Off on Microsoft addresses one of the Stuxnet related zero-day vulnerabilities · Categories: Malware, Vulnerabilities, Zero-day · Tags: ,

Today’s round of Microsoft patches addresses a variety of issues including one of the Stuxnet-related zero-day vulnerabilities. Stuxnet actually leverages four different zero-day vulnerabilities! For more details go here, here and here. Computerworld has a more detailed article about Stuxnet: Siemans: Stuxnet worm hit industrial systems.

14. September 2010 · Comments Off on New attacks leverage a zero-day vulnerability in Adobe PDF reader · Categories: Malware, Zero-day · Tags: , ,

Via ThreatPost yesterday:

Security researchers [at Symantec] say that a new wave of attacks suggests that the malicious hackers behind a security compromise [Aurora] at Google and a number of other prestigious U.S. firms are back in business, this time using an unpatched security flaw in Adobe’s PDF (Portable Document Format) Reader application.

The post is well linked for background information on Aurora.

14. September 2010 · Comments Off on Twitter’s flawed OAuth implementation · Categories: Authentication · Tags: , ,

I meant to post this last week. Ryan Paul at ars technica wrote an important article detailing the flaws in Twitter’s implementation of OAuth. This is serious because it is the only method for “users to grant a third-party application access to their account without having to provide that application with their credentials.” He also details the flaws of OAuth 1.0a, but holds out hope for OAuth 2.0, which the IETF is currently working on. Let’s hope they get it right this time.

Twitter officially disabled Basic authentication this week, the final step in the company’s transition to mandatory OAuth authentication. Sadly, Twitter’s extremely poor implementation of the OAuth standard offers a textbook example of how to do it wrong. This article will explore some of the problems with Twitter’s OAuth implementation and some potential pitfalls inherent to the standard. I will also show you how I managed to compromise the secret OAuth key in Twitter’s very own official client application for Android.

The article goes on to trash OAuth 1.0a as well:

…OAuth 1.0a is a horrible solution to a very difficult problem. It works acceptably well for server-to-server authentication, but there are far too many unresolved issues in the current specification for it to be used as-is on a widespread basis for desktop applications. It’s simply not mature enough yet.

There is hope though:

I think that OAuth 2.0—the next version of the standard—will address many of the problems and will make it safer and more suitable for adoption. The current IETF version of the 2.0 draft still requires a lot of work, however. It still doesn’t really provide guidance on how to handle consumer secret keys for desktop applications, for example. In light of the heavy involvement in the draft process by Facebook’s David Recordon, I’m really hopeful that the official standard will adopt Facebook’s sane and reasonable approach to that problem.


Although I think that OAuth is salvageable and may eventually live up to the hype, my opinion of Twitter is less positive. The service seriously botched its OAuth implementation and demonstrated, yet again, that it lacks the engineering competence that is needed to reliably operate its service. Twitter should review the OAuth standard and take a close look at how Google and Facebook are using OAuth for guidance about the proper approach.

13. September 2010 · Comments Off on Consumerization and Corporate IT Security · Categories: FireEye, Malware, Next Generation Firewall, Palo Alto Networks · Tags: ,

Bruce Schneier’s article last week entitled, Consumerization and Corporate IT Security, postulates that IT security has no choice but to loosen control in response to the consumerization of IT. In other words corporate use of consumer IT products cannot be controlled by IT Security.

Here at Cymbel, we became aware of this issue back in 2007 and began searching for solutions to this issue. There is no doubt that corporate employees must be allowed to take advantage of Web 2.0 applications and social networking. However, the enterprise can surely do this in a controlled manner and provide protection against the risks of using these applications.

Here are four solutions we offer to corporate IT Security to protect the organization while enabling the use of consumer IT products:

Palo Alto Networks provides a next generation firewall designed and built from the ground up to enable controlled use of Web 2.0 applications and social networking and protection against web-based malware. In the last 18 months, they’ve grown from 200 customers to 2,000 and they are now cash-flow positive. I would expect an IPO in the next 12-18 months.

FireEye provides protection against web-based zero-day and unknown threats using heuristics rather than signatures. It minimizes false positives by using VMWare based sandboxes on its appliances to run suspicious executables prior to alerting.

NexTier Networks is the first Data Loss Prevention system that uses semantics to classify documents rather than traditional fingerprinting. Therefore it can protect against malicious attempts at intellectual property exfiltration as well as structured data without massive pre-scanning or pre-tagging.

Zscaler provides cloud-based proxy services for protecting against web and email-based malware without having to deploy any premises equipment. This is especially suitable for organizations with many small locations. Zscaler also provides a lightweight agent for traveling users so their web and email traffic is also routed through their cloud-based service.

In addition, we recommend Sentrigo, a database protection solution, as another layer of our next generation defense-in-depth architecture focused on applications, users, and information.

Enhanced by Zemanta
05. September 2010 · Comments Off on Ping drowning in scams and spam · Categories: Fraud · Tags: , , , , ,

Via NetworkWorld, Sophos is reporting that Ping, Apple’s new social network add-on to iTunes, is “drowning in scams and spam.”  Sophos says, “Apple has not implemented any form of automated spam or URL filtering in Ping,” although they do appear to be filtering profile photos for obscenity and copyright infringement.

This comes on top of other generally negative reviews of Ping:

Can Ping be saved?

Apple’s Ping is a big pile of steaming dung

Ping is neither social, nor is it a network. Discuss.

The biggest issue seems to be lack of integration with Facebook.

05. September 2010 · Comments Off on Mitre releases log standards architecture – Common Event Expression (CEE) · Categories: Log Management, Security-Compliance · Tags: ,

Finally, on August 27, 2010, Mitre’s log standard, Common Event Expression Architecture Overview was released. The goal of CEE is to standardize event logs to simplify collection, correlation, and reporting which will drive down the costs of implementing and operating Log Management controls and improve audit and event analysis.

At present there are no accepted log standards. Each commercial application and security product implements logs in a proprietary way. In addition, the most commonly used log transport protocol, syslog, is unreliable since it’s usually implemented on UDP. The custom application environment is even worse as there are no accepted standards to guide application developers’ implementation of logs for audit and event management.

Why after ten years of log management efforts are there still no standards? In my opinion, it’s because government agencies and enterprises have not recognized that they are indirectly bearing the costs of the lack of standardization. Now that log management has become mandatory for compliance and strongly recommended for effective cyber defense, organizations will realize the need for log standardization. Initially, it’s going to be up to the Federal Government and large enterprises to force CEE compatibility as a requirement of purchase in order to get product manufacturers to adhere to CEE. The log management vendors will embrace CEE once they see product manufacturers using it.

Here is the Common Event Expression Architecture Overview (CEE AO) Abstract:

This Common Event Expression (CEE) Architecture defines the structure and components that comprise the CEE event log standard. This architecture was developed by MITRE, in collaboration with industry and government, and builds upon the Common Event Expression Whitepaper [1]. This document defines the CEE Architecture for an open, practical, and industry-accepted event log standard. This document provides a high-level overview of CEE along with details on the overall architecture and introduces each of the CEE components including the data dictionary, syntax encodings, event taxonomies, and profiles. The CEE Architecture is the first in a collection of documents and specifications, whose combination provides the necessary pieces to create the complete CEE event log standard.
KEYWORDS: CEE, Logs, Event Logs, Audit Logs, Log Analysis, Log Management, SIEM

There are four components of the CEE Architecture – CEE Dictionary and Taxonomy (CDET), Common Log Syntax (CLS), Common Log Transport (CLT), and Common Event Log Recommendations (CELR).
  • Common Log Syntax (CLS) – how the event and event data is represented. The event syntax is what an event producer writes and what an event consumer processes.
  • CEE Dictionary – defines a collection of event fields and value types that can be used within event records to specify the values of an event property associated with a specific event instance.
  • CEE Taxonomy – defines a collection of “tags” that can be used to categorize events. Its goal is to provide a common vocabulary, through sets of tags, to help classify and relate records that pertain to similar types of events.
  • Common Event Log Recommendations (CELR) – provides recommendations to developers and implementers of applications or systems as to which events and fields should be recorded in certain situations and what log messages should be recorded for various circumstances. CELR provides this guidance in the form of a machine-readable profile. The CELR also defines a function – a group of event structures that comprise a certain capability. For example, a “firewall” function can be defined consisting of “connection allow” and “connection block” event structures. Similarly, an “authentication management” function can be composed of “account logon,” “account logoff,” “session started,” and “session stopped.”
  • Common Log Transport (CLT) – provides the technical support necessary for an improved log transport framework. A good framework requires more than just standardized event records, support is needed for international string encodings, standardized event record interfaces, and reliable, verifiable log trails. In addition to the application support, the CLT event streams supplement the CLS event record encodings to allow systems to share event records securely and reliably.
The CEE Architecture Overview document also defines the CEE “product” approval management process and four levels of CEE conformance.

CEE holds the promise of driving down the costs of implementing Log Management systems and improving the quality of audit and event analysis. However, there is still much work to be done for example in defining Taxonomies and defining and testing interoperability at the Transport and Syntax levels.

Mitre has had mixed results over the years in it’s efforts to standardize security processes. CVE (Common Vulnerabilities and Exposures) has been it’s biggest success as virtually all vulnerability publishers use CVE numbers. CEE is much more ambitious though and will require more money and resources than Mitre is accustomed to having at its disposal.

Enhanced by Zemanta