Apache HTTP DoS tool mitigation, (Sun, Jun 21st)
If you've been following our diaries or any other IT Security related news, you probably know about ...(more)...
Situational Awareness: Spam Crisis and China, (Sat, Jun 20th)
Gary Warner, Director of Research at the UAB Computer Forensics, posted a very interesting analysis ...(more)...
G'day from Sansfire2009, (Sat, Jun 20th)
Well SANSFIRE 2009 is drawing to a close. As you may know SANSFIRE is the SANS conference host ...(more)...
Webmedia Explorer Cross Site Scripting Vulnerability
…
phpMyAdmin Code Injection
…
Pantha transLucid Cross Site Scripting and HTML Injection Vulnerabilities
…
Kaspersky PDF Evasion All Products
…
libpurple MSN Protocol SLP Message Heap Overflow Vulnerability
User interaction is not required to exploit this vulnerability.
Ikarus Multiple Generic Evasions Using CAB ZIP or RAR Files
…
The Centrality of Red Teaming
By Richard Bejtlich
In my last post I described how a Red Team can improve defense. I wanted to expand on the idea briefly.
First, I believe the modern enterprise is too complex for any individual or group to thoroughly understand how it can be compromised. There are so many links in the chain that even knowing they exist, let alone how they connect, can be impossible.
To flip that on its end, in a complementary way, the modern enterprise is too complex for any individual or group to thoroughly understand how its defenses can fail. The fact that vendors exist to reduce firewall rule sets down to something intelligible by mere mortals is a testament to the apocalyptic fail exhibited by digital defenses.
Furthermore, it is highly likely that hardly anyone cares about attack models until they have been demonstrated. We've seen this repeatedly with respect to software vulnerabilities. It can be difficult for someone to take a flaw seriously until a proof of concept is shown to exploit a victim. L0pht's motto "Making the theoretical practical since 1992" is a perfect summarization of this phenomenon.
So why mention Red Teams? They are central to digital defense because Red Teams transform theoretical intrusion scenarios into reality in a controlled and responsible manner. It is much more realistic to use your incident detection and response teams to know what adversaries are actually doing. However, if you want to be more proactive, you should deploy your Red Team to find and connect those links in the chain that result in a digital disaster.
Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.
Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
Offense and Defense Inform Each Other
By Richard Bejtlich
If you've listened to anyone talking about the Top 20 list called the Consensus Audit Guidelines recently, you've probably heard the phrase "offense informing defense." In other words, talk to your Red Team / penetration testers to learn how they can compromise your enterprise in order to better defend yourself from real adversaries.
I think this is a great idea, but there isn't anything revolutionary about it. It's really just one step above the previous pervasive mindset for digital security, namely identifying vulnerabilities. In fact, this neatly maps into my Digital Situational Awareness ranking. However, if you spend most of your time writing policy and legal documents, and not really having to deal with intrusions, this idea probably looks like a bolt of lightning!
And speaking of the Consensus Audit Guidelines: hey CAG! It's the year 2000 and the SANS Top 20 List wants to talk to you!
The SANS/FBI Top Twenty list is valuable because the majority of successful attacks on computer systems via the Internet can be traced to exploitation of security flaws on this list...
In the past, system administrators reported that they had not corrected many of these flaws because they simply did not know which vulnerabilities were most dangerous, and they were too busy to correct them all...
The Top Twenty list is designed to help alleviate that problem by combining the knowledge of dozens of leading security experts from the most security-conscious federal agencies, the leading security software vendors and consulting firms, the top university-based security programs, and CERT/CC and the SANS Institute.
Expect at some point to hear Beltway Bandits talking about how we need to move beyond talking to the Red Team and how we need to see who is actively exploiting us. Guess what -- that's where the detection and response team lives. Perhaps at some point these "thought leaders" will figure out the best way to defend the enterprise is through counterintelligence operations, like the police use against organized crime?
For now, I wanted to depict that while it is indeed important for offense to inform defense, the opposite is just as critical. After all, how is the Red Team supposed to simulate the adversary if it doesn't know how the adversary operates? A good Red Team can exploit a target using methods known to the Red Team. A great Red Team can exploit a target using methods known to the adversary. Therefore, I created an image describing how offense and defense inform each other. This assumes a sufficiently mature, resourced, and capable set of security teams.
This post may sound sarcastic but I'm not really bitter about the situation. If we keep making progress like this, in 3-5 years the mindset of the information security community will have evolved to where it needed to be ten years ago. I'll keep my eye on the Beltway Bandits to let you know how things proceed.
Response to the Möbius Defense
By Richard Bejtlich
One of you asked me to comment on Pete Herzog's "Möbius Defense". I like Lego blocks, but I don't find the presentation to be especially compelling.
- Pete seems to believe that NSA developed "defense in depth" (DiD) as a strategy to defend DoD networks after some sort of catastrophic compromise in the 1970s. DiD as a strategy has existed for thousands of years. DiD was applied to military information well before computers existed, and to the computers of the time before the 1970s as well.
- Pete says DiD is
"all about delaying rather than preventing the advance of an attacker... buying time and causing additional casualties by yielding space... DiD relies on an attacker to lose momentum over time or spread out and thin its massive numbers as it needs to traverse a large area... All the while, various units are positioned to harm the attacker and either cause enough losses in resources to force a retreat or capture individual soldiers as a means of thinning their numbers."
That's certainly one way to look at DiD, but it certainly isn't the only way. Unfortunately, Pete stands up this straw man only to knock it down later.
- Pete next says
"Multiple lines of defense are situated to prevent various threats from penetrating by defeating one line of defense. 'Successive layers of defense will cause an adversary who penetrates or breaks down one barrier to promptly encounter another Defense-In-Depth barrier, and then another, until the attack ends.'"
It would be nice to know who he is quoting, but I determined it is some NSA document because I found other people quoting it. I don't necessarily agree with this statement, because plenty of attacks succeed. This means I agree with Pete's criticism here.
- So what's the deal with Möbius? Pete says:
"The modern network looks like a Moebius strip. Interactions with the outside happen at the desktop, the server, the laptop, the disks, the applications, and somewhere out there in the CLOUD. So where is the depth? There is none. A modern network throws all its fight out at once."
I believe the first section is partly correct. The modern enterprise does have many interactions that occur outside of the attack model (if any) imagined by the defenders. The second section is wrong. Although there may be little to no depth in some sections (say my Blackberry) there is plenty of depth elsewhere (at the desktop, if properly defended). The third section is partly correct in the sense that any defense that happens generally occurs at Internet speed, at least as far as exploitation goes. Later phases (detection and response) do not happen all at once. That means time is a huge component of enterprise defense; comprehensive defense doesn't happen all at once.
- Pete then cites "Guerrilla Warfare and Special Forces Operations" as a new defensive alternative to DiD, but then really doesn't say anything you haven't heard before. He mentions counterintelligence but that isn't new either.
I've talked about DiD in posts like Mesh vs Chain, Lessons from the Military, and Data Leakage Protection Thoughts.
I think it is good for people to consider different approaches to digital security, but I don't find this approach to be all that clever.
Could Opera Unite Be a Botmaster's Best Friend? (PC World)
PC World - Opera has added a lot of cool new features to its upcoming Opera 10 browser, and one of them is almost sure to catch the eye of cyber criminals.
Fraudsters Try to Scam Security Expert on EBay
Security expert Bruce Schneier tried to twice sell a used laptop on eBay and each sale was aborted over fraud concerns.
Tech Managers Often Underestimate Impact of Data Loss
Only 7percent of respondents to a survey on data management believed data loss has a "high" impact on a business.
Microsoft's Free Anti-Malware Debuts Next Week
Microsoft Security Essentials, formerly "Morro," is scheduled for release next Tuesday for Windows systems.
Women More Security Savvy, Vendor Finds
PC Tools finds men are more often aware of security risks, but few of either gender take the precautions advised.
Twitter Spam Spreads Worm
The malicious zip file contains malware that infects Windows systems but is easily thwarted by antivirus programs.
Could Opera Unite Be a Botmaster's Best Friend?
Security researchers worry that Opera's new Unite server feature will be misused by criminals.
Identity Thieves Target Medical Records
Whether stolen data is held for ransom or traded on online black markets, medical identity theft is a growing threat.
Google News Alert for: "cyber security" | cybersecurity | information security | computer security
Smart Grid Security Frenzy: Cyber War Games, Worms and Spies, Oh My!
Designated immigration agents authorized to participate in drug ...
Somali security minister killed in explosion
Cybersecurity To Push For Standard For Info Security Products
EU Progressing on Information Infrastructure Policy
China Disables Some Google Functions
Will PCI Ever Make the Grade?
Apple: iphone OS 3.0 plugs 46 security bugs
Google Blogs Alert for: "cyber security" | cybersecurity | information security | computer security
Smart Grid Security Frenzy: Cyber War Games, Worms and Spies, Oh My!
Sonos 130 Music System: Review
Social Security Reform - Government Improvement Series
Norway's government caught spying on itself | IceNews - Daily News
Microsoft Security Essentials Premiering June 23rd ~ Revelations ...
Google News Alert for: "cyber security" | cybersecurity | information security | computer security
Public, Private Experts Create Security Guidelines (Opinion)
The next big thing is cybersecurity but what does it mean for us?
A Plan to Secure the Federal Cyberspace
US-Indian security ties boosted after Mumbai: official
Typing In an E-Mail Address, and Giving Up Your Friends' as Well
Google Blogs Alert for: "cyber security" | cybersecurity | information security | computer security
All Our Might » Blog Archive » PPI panel on cyber security
Computing Research Policy Blog: HOUSE S&T COMMITTEE DISCUSSES ...
Free Download Trend Micro Internet Security 3 Months Licence ...
Microsoft Security Essentials (MSE or Morro) Rapidshare and Direct ...
Spyware: Protect Your Privacy | Nathan's Plain Tech Talk