TaoSecurity: What Do You Investigate First?.
Richard Bejtlich offers the obvious, but usually difficult-to-implement, answer to the following question:
Let’s say for example, there is a cesspool of internal suspicious activity from netflow, log and host data. You have a limited number of resources who must have some criteria they use to grab the worst stuff first. What criteria would you use to prioritize your investigation activities?
Bejtlich offers two answers which generally converge into one: focus on assets, i.e. the most critical assets in your organization.
Ideally, the log, flow and event collection and analysis system you are using can discover all network-attached assets and let you group them into IT/Business Services. Then you can prioritize your focus based on the criticality of each IT/Business Service.
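One way to turn that advice into a triage rule, as an added illustration and not code from the TaoSecurity post: join each finding to an asset inventory, weight it by the criticality of the owning IT/Business Service, and sort. The inventory, the 1-5 criticality scale, the internal address ranges and the sample findings are all constructed for the example.

```python
"""Rank suspicious-activity findings by the criticality of the IT/Business
Service that owns the affected asset.

Added illustration, not code from the TaoSecurity post. The service
inventory, the 1-5 criticality scale, the internal address ranges and the
sample findings are all constructed for the example.
"""
import ipaddress

# Constructed inventory: service -> criticality and the networks it owns.
# In practice this comes from the collection system's asset discovery.
SERVICES = {
    "Online Banking":  {"criticality": 5, "networks": ["10.1.0.0/24"]},
    "Corporate Email": {"criticality": 4, "networks": ["10.2.0.0/24"]},
    "Build Servers":   {"criticality": 3, "networks": ["10.3.0.0/24"]},
    "Guest Wi-Fi":     {"criticality": 1, "networks": ["172.16.0.0/16"]},
}

# Address space we consider "ours" (assumption); anything else is external.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_index(services):
    """Flatten the inventory into (network, service, criticality) tuples."""
    return [(ipaddress.ip_network(net), name, svc["criticality"])
            for name, svc in services.items() for net in svc["networks"]]


INDEX = build_index(SERVICES)


def asset_criticality(ip, index=INDEX, unknown_internal=3):
    """Return (owner, criticality) for an address.

    Longest-prefix match, so a host-specific entry beats a wider one.
    Internal hosts missing from the inventory are not silently dropped:
    they get a mid-scale weight and a label saying they need inventorying.
    External addresses are not our assets and carry no weight of their own.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for net, name, crit in index:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name, crit)
    if best:
        return best[1], best[2]
    if any(addr in net for net in INTERNAL):
        return "UNINVENTORIED", unknown_internal
    return "EXTERNAL", 0


def score(finding):
    """Detector severity (1-5) times the criticality of the most critical asset
    involved, so a low-severity hint touching Online Banking outranks a
    high-severity alert on the guest network."""
    crit = max(asset_criticality(finding["src"])[1],
               asset_criticality(finding["dst"])[1])
    return finding["severity"] * crit


def prioritise(findings):
    """Highest score first; ties keep input order (sorted is stable)."""
    return sorted(findings, key=score, reverse=True)


# Constructed findings from netflow, log and host sources.
FINDINGS = [
    {"id": "F1", "source": "netflow", "severity": 5, "src": "172.16.4.20",
     "dst": "203.0.113.9", "desc": "guest laptop beaconing to a known-bad address"},
    {"id": "F2", "source": "log", "severity": 3, "src": "10.3.0.7",
     "dst": "10.1.0.12", "desc": "build server logged in to banking DB host as admin"},
    {"id": "F3", "source": "host", "severity": 2, "src": "10.2.0.40",
     "dst": "10.2.0.41", "desc": "new scheduled task created"},
    {"id": "F4", "source": "netflow", "severity": 2, "src": "10.9.0.5",
     "dst": "10.1.0.12", "desc": "port scan from host not in inventory"},
    {"id": "F5", "source": "netflow", "severity": 4, "src": "10.1.0.12",
     "dst": "198.51.100.7", "desc": "large outbound transfer from banking DB host"},
]

if __name__ == "__main__":
    for f in prioritise(FINDINGS):
        owner = max((asset_criticality(f["src"]), asset_criticality(f["dst"])),
                    key=lambda o: o[1])[0]
        print(f"{score(f):3d}  {f['id']}  {owner:15s}  {f['desc']}")
```

Run as a script it lists the five findings with the banking DB host's outbound transfer first and the guest-network beacon last, even though the beacon carries the highest raw severity. The one design choice worth copying is that an internal host the inventory does not know about is scored, not discarded: an uninventoried asset touching a critical service is itself something the analyst should look at.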
Robert Graham from Errata Security tested Force-TLS and found that it does not protect against Firesheep.
First of all, the plug-in “Force-TLS” does not protect you, as some have suggested. I proved this with Twitter, where I was able to sidejack the connection with both FireSheep and Hamster. I’m not sure what Force-TLS does, but it doesn’t force a connection to be TLS/SSL. I configured *.twitter.com (the domain and all subdomains), and the URL “http://twitter.com” still appeared in the address bar.
In addition, Firesheep’s ability to successfully sniff traffic depends on your network adapter.
FireSheep works only as well as the underlying packet-capture. On a Macintosh, the adapter can be fully promiscuous, capturing everybody’s traffic on the local access-point. On Windows, some adapters (like Broadcom) will see all the traffic, others (like Intel) will only see your own traffic (useful for watching which of your own websites can be sidejacked, but not useful for sidejacking others).
Rob provides extensive details and screenshots on his test methods.
hackademix.net » Forcing HTTPS with NoScript.
It looks like those of you already using the NoScript Firefox add-on do not need another add-on to force SSL where a site supports it.
Fortunately NoScript, for more than two years now, has also allowed us to manually select the web sites which we want to browse via HTTPS only, by adding them in the NoScript Options|Advanced|HTTPS panel. Of course not all the web sites like to have HTTPS pushed down their throats, so you should pick only those already supporting HTTPS, and still may expect a tiny few of them to misbehave. However your online banking, your webmail and the aforementioned addons.mozilla.org are probably great candidates to be added in NoScript’s “force HTTPS” list right now.
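To make concrete what a "force HTTPS" site list does, and what Rob Graham's Twitter test above was checking, here is an added example that is not NoScript's or Force-TLS's code. It applies a list of patterns to the URLs a page load would request and reports which requests would still leave the browser in the clear. The pattern syntax ("*.twitter.com" for a domain and all its subdomains, a bare hostname for that host only) and the sample URLs are assumptions constructed here.

```python
"""Apply a "force HTTPS" site list, in the style of NoScript's HTTPS panel or
Force-TLS, to the URLs a page load would request, and report which requests
still go out over plain HTTP.

Added example; not NoScript's or Force-TLS's code. The pattern syntax and
the sample URLs are assumptions constructed here.
"""
from urllib.parse import urlsplit, urlunsplit


def host_matches(host, pattern):
    """Match a hostname against a list entry. "*.twitter.com" covers
    twitter.com and every subdomain, but not twitter.com.evil.example."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def force_https(url, patterns):
    """Return (rewritten_url, was_upgraded). Only plain http URLs whose host is
    on the list are rewritten; everything else is returned untouched."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url, False
    host = parts.hostname or ""
    if not any(host_matches(host, p) for p in patterns):
        return url, False
    netloc = parts.netloc
    if parts.port == 80:
        # An explicit :80 makes no sense on https; drop it so 443 is used.
        netloc = netloc.rsplit(":", 1)[0]
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment)), True


def cleartext_requests(urls, patterns):
    """The check Rob Graham's test amounts to: after applying the list, which
    requests would still leave the browser over plain HTTP?"""
    return [u for u in urls
            if urlsplit(force_https(u, patterns)[0]).scheme == "http"]


RULES = ["*.twitter.com", "mail.example.com"]

# Constructed page load: the top-level document plus subresources.
SAMPLE_REQUESTS = [
    "http://twitter.com/",
    "http://api.twitter.com/1/statuses/home_timeline.json",
    "http://twitter.com.evil.example/login",
    "http://mail.example.com:80/inbox",
    "http://cdn.example.com/widget.js",
    "https://twitter.com/settings",
]

if __name__ == "__main__":
    for u in SAMPLE_REQUESTS:
        new, upgraded = force_https(u, RULES)
        print(("UPGRADED " if upgraded else "as-is    ") + new)
    print("still cleartext:", cleartext_requests(SAMPLE_REQUESTS, RULES))
```

Two things the example makes visible. First, the list is only as good as its entries: the look-alike host and the third-party script host are not covered, so those requests still go out in the clear, which is exactly the kind of gap Rob saw when http://twitter.com remained in the address bar. Second, a client-side rewrite does nothing for a session cookie that the site itself did not mark Secure; one cleartext request to a matching host is enough to expose it to a tool like Firesheep, so the site must set the flag, not just the user's browser.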
Facebook Insecurity as a Microcosm of All The World’s Security Problems.
Gartner’s John Pescatore weighs in on the latest chapter in the ongoing Facebook privacy controversy.
Basically, what you see is Facebook taking several steps to protect its customers – advertisers. If they were trying to protect Facebook users, they would have taken very different steps. Because what you don’t see is any real attention to actually addressing the real vulnerabilities.
So, the key takeaway: make sure that you are the actual customer when you trust your data or your customers’ data to a social network or cloud service provider, or any other 3rd party for that matter. A cloud provider can claim they are better at running a data center than you are, but if they are focusing on protecting their advertising revenue, not your data, that claim is meaningless.
SpyEye v. ZeuS Rivalry Ends in Quiet Merger — Krebs on Security.
Brian Krebs today provides an update on banking Trojan activity. While ZeuS has been in the public eye, another banking Trojan, SpyEye, seems to be ascending.
In the last several years, the ZeuS Trojan is estimated to have enabled the theft of more than $70 million from nearly 400 organizations.
Facebook Advertisers Can Glean Private Data – NYTimes.com.
Privacy vulnerabilities continue to be revealed on social networking sites like Facebook and MySpace, the NYTimes reports. The Times describes two research papers on how unethical advertisers can game social networks to infer private profile information, such as sexual orientation.
Facebook counters that it has tools in place to prevent unethical advertiser behavior. However, Facebook realizes it needs to do more. In fact, Facebook announced that it is proposing to encrypt user IDs as a way to prevent the sharing of IDs with data brokers. But Facebook admits this will only “address the inadvertent sharing of this information on Facebook.”
Mashable weighs in with the obvious question, “Frankly, we think that encrypting the UID parameters within an iFrame is a good idea and a good first step towards accountability. Our big question is: Why is this only happening now?”
If you are looking for a clearer technical explanation of what the fuss is all about, and of the limited step Facebook is proposing, read Ars Technica’s Facebook touts encryption as solution to security flaw.
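To see why an encrypted or opaque user ID is a limited step, here is an added example that is not Facebook's scheme: each application receives a per-app identifier derived from the global ID, so a data broker who buys ID lists from two apps can no longer join them, but an app that already knows the person can still hand over whatever it holds. The HMAC construction, the platform secret, the app names and the user lists are assumptions constructed here.

```python
"""Per-application opaque user identifiers, as an illustration of what
handing apps an encrypted user ID instead of the global one can and
cannot achieve.

Added example, not Facebook's scheme: the HMAC construction, the platform
secret, the app names and the user lists are assumptions constructed here.
"""
import hashlib
import hmac

PLATFORM_SECRET = b"constructed-platform-secret-not-for-real-use"  # assumption


def app_scoped_id(uid, app_id, secret=PLATFORM_SECRET):
    """Deterministic, opaque id for (user, app). The per-app key is derived
    from the platform secret, so an app never holds the secret and cannot
    compute another app's ids or recover the global uid."""
    app_key = hmac.new(secret, app_id.encode(), hashlib.sha256).digest()
    return hmac.new(app_key, str(uid).encode(), hashlib.sha256).hexdigest()


def ids_seen_by(app_id, users, scoped):
    """The identifiers an app ends up holding for its users: the global uid
    when scoped=False, the per-app id when scoped=True."""
    return {app_scoped_id(u, app_id) if scoped else str(u) for u in users}


def broker_join(ids_a, ids_b):
    """What a data broker who buys both apps' id lists can correlate."""
    return ids_a & ids_b


# Constructed user bases of two apps, overlapping on two people.
USERS_APP_A = [12345, 67890, 11111]
USERS_APP_B = [12345, 67890, 22222]


def correlated_users(scoped):
    """Users the broker can match across the two apps."""
    return broker_join(ids_seen_by("app-A", USERS_APP_A, scoped),
                       ids_seen_by("app-B", USERS_APP_B, scoped))


def deliberate_leak(app_id, uid, profile):
    """The part scoped ids do not address: an app that already knows the
    person can still hand the broker whatever it holds, keyed by its own id."""
    return {"id": app_scoped_id(uid, app_id), **profile}


if __name__ == "__main__":
    print("global uids, broker can join:", correlated_users(scoped=False))
    print("scoped ids, broker can join: ", correlated_users(scoped=True))
    print(deliberate_leak("app-A", 12345,
                          {"name": "constructed user", "email": "u@example.com"}))
```

With global IDs the broker matches the two overlapping users; with scoped IDs the intersection is empty, which is the inadvertent-sharing case the proposal addresses. The last call shows the case it does not: nothing about the identifier stops an app from exporting the profile data it legitimately received, which is why the page's commentators call it a first step rather than a fix.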
Microsoft: ‘Unprecedented Wave of Java Exploitation’ — Krebs on Security.
Microsoft is confirming a huge increase in attacks against Java vulnerabilities. Why does this matter? Java is installed on the majority of the world’s desktop computers. In fact, the attack volume against Java dwarfs that against Adobe products, which is saying something. Java may not be quite as ubiquitous as Adobe’s software, but it is close; for example, Java is required for Webex and GoToMeeting, the two most popular web meeting applications. To get an idea of the Java to Adobe proportion, see the graph below, courtesy of Microsoft via Krebs on Security.
According to Microsoft, the spike in the third quarter of 2010 is primarily driven by attacks on three Java vulnerabilities that have already been patched for some time. Even so, attacks against these flaws have “gone from hundreds of thousands per quarter to millions.”
Krebs claims the reason for this spike is the inclusion of Java exploits in the commercial crimeware kits sold in the hacker underground.
Java surely falls into that set of PC applications which must be kept up to date.