closed

 
 25 Jan 2010 @ 11:13 PM 

Hi,

I’ve been unable to blog for a while now and for various reasons I am closing this place until further notice.

Yes, I’ll be back but don’t ask me when ;-)   I got my hands full with some speaking engagements, the Eurotrash podcast, prepping some other exciting stuff, my day job and family … I’ll be busy enough.

I hope to catch you all at a later point this year !

Take care & stay secure !

Wim

Posted By: admin
Last Edit: 25 Jan 2010 @ 11:13 PM

Categories: Uncategorized

 16 Jan 2010 @ 1:27 PM 

Every blog should touch on the recent announcement by Google that it has been under attack by Chinese entities, right ?

Here I am with my personal observations :-) enjoy !

This is actually a good thing !

When Apache got hacked a few months ago, most comments were not about who, why and what, but about the way Apache handled the attack.  In contrast to what we had seen up until then in the corporate world, Apache reacted with openness, detailing what happened, why it happened and how they reacted to the situation.  Secretly, I was hoping that companies would look at this and learn from it.

Today we see a similar reaction by Google, Adobe, etc.  I can only cheer this on and hope that this type of reaction becomes the standard ! All stakeholders (shareholders, employees, partners, customers, …) benefit from openness as it does not leave room for speculation.

It’s just China, get over it.

It’s pretty funny to see that all of a sudden everybody seems to be an expert on China, Chinese culture and the Chinese hacker culture/economy in particular.  All of my in-laws are Chinese and I have spent a generous amount of time travelling through China.  The Chinese are, in general, pretty ordinary people, like you and me.  Generalizing and saying that “The Chinese” are up-to-no-good, PI-stealing spies won’t help.  There are plenty of cases where US corporations have spied on European corporations, and I don’t doubt most of them involved at least some computer manipulation. Let’s add to that the less than favorable reputation the US has built up by interpreting international law rather flexibly, and this discussion is moot.

‘0h my god’-day rather than 0-day

Several people have commented on the technicalities of “the hack”.  Andrew Jaquith wrote down his observations over at CSOOnline. Now I have to admit that Andrew is one of my favorite infosec people ever since he wrote his Security Metrics book, but I digress …

Here’s what bothers me the most about that post :

Our most recent annual IT security survey, which we are busy analyzing, shows that “compliance” (big-C compliance like PCI and HIPAA, and little-C compliance with security policies) is the motor that drives security budgets in large corporations. Enterprises have gotten used to the idea that they need full-disk encryption and DLP to keep toxic customer and payment data from spilling.

Now, if you, as a company, fail to identify your business-critical information as important enough to implement sufficient controls to protect it from getting spilled at the first browser 0-day, you suck. It means that you have failed completely. If any security effort is dictated by compliance, aka a checklist that defines the minimum you should do, IT IS NOT ENOUGH ! Surveys, statistics, magic quadrants and waves won’t save your ass even on a sunny day. Don’t do what “everybody is doing”, do what is necessary to protect YOUR assets.

Relying on one browser is a liability. As we have seen, this attack succeeded because of flaws in Internet Explorer.

In this day and age, it is shameful that I still see many corporations (including Forrester) whose business processes rely on web page formats and ActiveX controls that chain them to a specific browser. It should not be that way. Enterprises should strive to deploy web-based applications that are browser-independent; when one browser is targeted, enterprises can mitigate their risk by switching.

The search engine for security vulnerabilities at securityfocus.com reports 6 pages of vulnerabilities for Firefox, in general, and 6 pages for IE starting at IE5 SP4. I could do extensive research, but call me lazy and it’s Saturday, I got a life. There isn’t a lot of difference between both browsers in terms of being more or less vulnerable. (I’ll do a survey though and maybe create a magic rectangle of sorts !)

What do you mean exactly by “when one browser is targeted, enterprises can mitigate their risk by switching.” ? Choosing a (new) browser for your corporate workstations isn’t something you do overnight, as a reaction to an 0-day being reported.  If I want to attack your infrastructure, I will find out what software you’re using and I’ll hit it until I find an exploit that I can use to bring you down.

When I have to protect an infrastructure, one of the first rules (in my very humble opinion) is standardization.  If you rule your infra like a sheriff in the wild west, allowing everybody to use whatever they want, you’re bound for disaster.  When standardizing you look for manageability.  In terms of manageability in a corporate environment, IE is your browser of choice. Why? Two reasons :

  1. You can control settings through Group Policy Objects extensively.  You can basically decide what someone can or can’t do with the application from a central point.  This assumes you’re using Active Directory, but if you’re running IE … why aren’t you?
  2. Updates come in through Windows Update, which you can centrally control as well.  You can approve and distribute updates to IE in one sweep with the updates for your workstation at no or minimal extra cost.

What I do see regularly is poorly and/or ad-hoc developed and often unsigned ActiveX controls.  This has nothing to do with IE in itself.  If you’re a crappy developer or your company has shitty development processes and you let this type of BS through QA, it could just as well be your next Firefox plugin.  If you develop for a certain platform, you should take into account the risks related to that platform. I do agree with that.  “Switching” isn’t easy and it’s not a solution …
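The two manageability points above (IE settings through Group Policy, updates through a centrally approved Windows Update channel) and the unsigned-ActiveX complaint are all things you can verify on a workstation rather than take on faith. The following read-only audit script is an added example, not code from the original post; it assumes it runs with administrator rights on a domain-joined Windows client, reads only the standard policy registry keys that Group Policy writes, and changes nothing. The CATID value is the documented component category for controls; the hypothetical function names are mine.

```powershell
# Added example: audit whether IE and Windows Update are actually under central
# control on this machine, and which registered ActiveX controls are unsigned.
# Read-only; assumes administrator rights and the standard GPO registry locations.

function Get-WsusPolicy {
    # A WSUS-managed client has WUServer set and AU\UseWUServer = 1, both delivered by GPO.
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = "$wu\AU"
    $server    = (Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue).WUServer
    $useServer = (Get-ItemProperty -Path $au -ErrorAction SilentlyContinue).UseWUServer
    $managed   = ($useServer -eq 1 -and -not [string]::IsNullOrEmpty($server))
    New-Object PSObject -Property @{ WsusServer = $server; CentrallyManaged = $managed }
}

function Get-IeZonePolicy {
    # Security_HKLM_only = 1 is "Security Zones: Use only machine settings".
    # Zone 3 is the Internet zone; action 1200 is "Run ActiveX controls and plug-ins"
    # (0 = enable, 1 = prompt, 3 = disable).
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $machineOnly = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).Security_HKLM_only
    $internet    = Get-ItemProperty -Path "$base\Zones\3" -ErrorAction SilentlyContinue
    $run = $null
    if ($internet -ne $null) { $run = $internet.'1200' }
    $state = 'not set by policy'
    if ($run -eq 0) { $state = 'enabled' }
    elseif ($run -eq 1) { $state = 'prompt' }
    elseif ($run -eq 3) { $state = 'disabled' }
    New-Object PSObject -Property @{
        MachineSettingsOnly = ($machineOnly -eq 1)
        InternetZoneActiveX = $state
    }
}

function Get-ActiveXControlSignatures {
    # ActiveX controls are COM classes tagged with the "Controls" component category.
    # Resolve each in-process server (DLL/OCX) and check its Authenticode signature.
    $catid = '{40FC6ED4-2438-11CF-A3DB-080036F12502}'   # CATID_Control
    Get-ChildItem 'HKLM:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue |
      Where-Object { Test-Path "$($_.PSPath)\Implemented Categories\$catid" } |
      ForEach-Object {
        $clsid  = $_.PSChildName
        $server = (Get-ItemProperty "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($server) {
            $path = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
            if (Test-Path $path) {
                $sig    = Get-AuthenticodeSignature -FilePath $path
                $signer = ''
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                New-Object PSObject -Property @{
                    Clsid  = $clsid
                    Path   = $path
                    Status = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
                    Signer = $signer
                }
            }
        }
      }
}

# Report: update channel, IE zone lockdown, then every control that is not validly signed.
Get-WsusPolicy   | Format-List
Get-IeZonePolicy | Format-List
Get-ActiveXControlSignatures |
  Where-Object { $_.Status -ne 'Valid' } |
  Sort-Object Path |
  Format-Table Status, Path, Signer -AutoSize
```

On 64-bit Windows the 32-bit controls that 32-bit IE actually loads are registered under the Wow6432Node branch of HKLM\SOFTWARE\Classes, so run the last function against that hive as well if you want the complete picture. A control that shows up as NotSigned or HashMismatch is exactly the "ad-hoc developed" artifact described above, and it is a better conversation starter with the development team than any browser-switching debate.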

Humans remain the weak link. I spoke with a contact at an aerospace company who knew something about the Adobe PDF attacks. He was surprised that good old fashioned phishing attacks still work. “This kind of stuff is driving the defense contractors nuts. They should know better, and yet, they are still affected.” It bears repeating, one more time: attachments from strangers are bad. CISOs should dust off their social engineering playbooks and do some internal phishing testing on their employees to make sure their staffs get the message.

Andrew gives Adobe the get out of jail free card here because now suddenly it’s the user who’s at fault !! If you’re using IE you should switch to Firefox because, you know, Microsoft don’t know how to develop but if you’re using Adobe Reader, well, it’s your own fucking fault ! Fact of the matter is that unless you’ve been living under a rock, Adobe has shown neither responsible behaviour nor secure development skills in the past 12 months while Microsoft has consistently improved security in their development process and their behaviour in relation to serious vulnerabilities.

Let me spell this out : people click links just as people open attachments. If there is one resource we are not utilizing enough in our security efforts, it is the people who are using our infrastructure on a daily basis.  If your users are randomly opening attachments and clicking on links they shouldn’t be clicking on, the CISO should not dust off his social engineering playbook … He should be looking for new employment !


 02 Jan 2010 @ 11:02 PM 

I think everybody remembers that about 6 months ago some big names in the infosec community were put to shame when their sites got haxored by the “antisec” group, claiming they were on a mission to prove the whitehat community wrong.

Now, it seems like they got their ass handed to them by a group called “prosec” which made it their goal to take “antisec” down and boy did they succeed … the results of their work can be found and enjoyed here : http://pastebin.com/f12f6f9c0

If you thought zf05 was hilarious, wait until you read this epic stuff !

From what I read, it is what we all assumed : a group of lame-ass skiddies with nothing better to do than try and be something they are not on the intertubes. It could only last that long …



 02 Jan 2010 @ 10:03 PM 

As I completely trashed my old iPod (sitting my fat ass on it during 10hrs of flight was more effective than I’d hoped…) I was on the lookout for a new one.  As I leaned towards a Touch and I didn’t want to spend a load of cash on it, my mind was set on the 8GB edition, but in the past years I had subscribed to more podcasts than I would ever be able to listen to. Additionally, they would use too much space (my old iPod was a 30GB classic).

As of now, this is my list of podcasts that I will regularly listen to (or watch) :

I’m aware that there are other podcasts out there and since I ended up with a 64GB Touch as the 32GB or 8GB weren’t available, I’ll add to the list soon.

If you have any suggestions, don’t hesitate to leave a comment.


 23 Dec 2009 @ 10:29 PM 

This time the audit cold rocked ya
A box checked instead of a certificate
Nothin’ proper about ya firewall rule set
Fools follow rules when the set commands ya
Said it was blue
When the alert was red
That’s how ya got a request crossed through ya head

Crossed through ya head
Crossed through ya head

Happy 2010, be good !


 15 Dec 2009 @ 12:44 AM 

So, here we go again … why do some people – obviously under pressure to get their brand ‘out there’ – have to stand up and proclaim themselves experts on whatever is hot at a certain point in time only to make utter fools out of themselves ?

Yes, I care about people, even if they turn themselves, knowingly, into a fucking parody of what they really are.

What ticked me off ? Two dudes, one Belgian, one Dutch, working for anti-malware (I can’t say virus anymore, right?) vendors. They probably spent numerous hours together to devise this list of 9 risks they see “in the cloud”. Oh yes, we’re back to the big, mushroomy, scary, cloud. Ugh.

You can find their list here. The article is in Dutch, but I’m sure you’ll find some (cloud?) translating service to find out what they’re trying to say.

What I find interesting is that these two … persons look at “the cloud” from a very naive point of view.  First off, they devise a list of 9 risks. A strange number in my humble opinion. If you look at the list, they put Identity and Access Management (IAM) on spot 9, but on spot 7 they talk about account hijacking, spot 2 is insider abuse and the golden medal is taken by what they call “Centralized abuse of and trust in Authentication, Authorization and Accounting”.  In my extremely humble opinion and with my (maybe limited) knowledge of IAM, THIS IS ALL IDENTITY AND ACCESS MANAGEMENT related. So, we remain with a list of 5 risks … of which the other four are too silly to reiterate here as they mostly relate to what the writers know best, Anti-malware as a Service.

If you really want to inform your customers about what they should be concerned about when evaluating cloud services, maybe it would be good to point them to knowledgeable people on the subject instead of blowing your own horn and pushing their cart in the canyon.  Some starters could be this, this, this and this.

It doesn’t hurt you to admit you don’t know jack shit about a subject.  It hurts your customers if you try to convince them that your backroom amateur BS is the only truth out there. Let’s hope they are a little bit wary about your “advice” and don’t run into the wall face first.

I’ll say my prayers this Christmas …


 01 Dec 2009 @ 12:27 AM 

In the name of all that is sacred, what have you done you moronic ministers of finance and justice of the European Union of we’ll kiss America’s ass until there’s no tomorrow ?

Every country in Europe has pretty strict privacy laws.  I’ve personally had my encounters with their inner workings here in Belgium a few years ago and up until now, I really thought they were there to protect me and my personal information.

Not any longer.

Today those assholes that we pay way too much for what they actually do have decided it is OK to share the information of ALL EUROPEAN CITIZENS with the United States and of course the war on terror is cited left, right and center as the reason to do this.  There goes the neighborhood.

Why this decision ?

SWIFT was contemplating moving their servers (that handle ALL international payments) out of the US and onto European soil. This would have cut off access for the US as the privacy laws in each individual country would prevent the release of any personal information whatsoever.

Why now ?

After way too much time, Europe is ratifying the Lisbon agreement, which would have given the European Parliament a voice in the decision. The lowlifes that quickly pushed this decision through knew that and probably wanted to make sure they can still travel to the US and be royally pampered while recovering from their demanding, energy-sucking, important job.

What can I do ?

Probably nothing much … or can I ? Article 8 of the European Treaty …

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Either that or we throw the whole treaty away ? At least it would allow us to waterboard suspected criminals again … fun should be had by all !


 01 Dec 2009 @ 12:00 AM 

http://forskningsavd.se/2009/11/29/i-can-haz-moar-bout-teh-reid/

On Saturday November 28th the Swedish Hackerspace Forskningsavdelningen was brutally raided by a few dozen police officers donning full riot gear and they confiscated a lot of hardware.  The stated reason (illegal sale of alcohol) seems like a strange reason to go S.W.A.T. on a hackerspace in my humble opinion but hey, it’s the coppers, they must know hackers are the real dangers of society … AS IF !

Although I’m not personally involved in the local or global hackerspaces, I do have a place in my heart for them because they make the dream of sharing information and knowledge true on a daily basis.  Please click on the link above and see what you can do to help them out.
Thanks !


 30 Nov 2009 @ 10:25 PM 

(and shameless self promotion)

Most of y’all know I was a speaker at Excaliburcon in Wuxi, China a few weeks ago.  I have loads of pictures, but not many that feature me :-)   Today our awesome host (Dr. Xu Rong Sheng) forwarded me some pictures.  Here they are.

Yours truly in action


I learn most from interacting with people


The awesome people that ARE Excaliburcon 1


Visiting the research center they’re building in Wuxi



 24 Nov 2009 @ 10:50 PM 

So, my brother bought this new fancy HP laptop with Windows 7 and he asked me to prep it for him. You know the drill, basic settings, install software, configure network adapters, install anti-crapware (preferably free), …

While uninstalling some of the packaged software (Norton, MS Works, some trial versions of other craptastic software), my eye fell on the (nowadays) ubiquitous Adobe software packages that were installed: Adobe AIR 1.5.0 (the latest version available from Adobe is 1.5.2) and Adobe Acrobat Reader 9.1.0 (latest = 9.2.0). A quick look at http://www.securityfocus.com showed that several exploits exist.

And to think that the first 15 minutes after starting a new HP laptop are spent looking at an update screen where HP happily tells you that it’s installing the *latest* updates.

Things will never change …
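The check the post describes by hand (what did the OEM image actually install, and is it current?) is worth scripting, because the uninstall registry is the only inventory a fresh machine gives you. The script below is an added example and not part of the original post; it assumes a Windows machine with PowerShell, reads the standard uninstall keys, and compares against a baseline you maintain yourself. The two Adobe numbers in the baseline are the ones the post names; the constructed sample inventory at the end mirrors what the post found, and the function names are mine.

```powershell
# Added example: flag installed software that is older than a known-current baseline.
# Assumes Windows + PowerShell; reads only the uninstall registry keys. The baseline
# is something you keep up to date yourself (here: the two versions named in the post).

$Baseline = @{
    'Adobe AIR'      = '1.5.2'
    'Adobe Reader 9' = '9.2.0'
}

function Get-InstalledSoftware {
    # Native and 32-bit-on-64-bit uninstall hives; OEM bundles land in either.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (Test-Path $root) {
            Get-ChildItem $root | ForEach-Object {
                $p = Get-ItemProperty $_.PSPath
                if ($p.DisplayName -and $p.DisplayVersion) {
                    New-Object PSObject -Property @{ Name = $p.DisplayName; Version = $p.DisplayVersion }
                }
            }
        }
    }
}

function ConvertTo-Version([string]$s) {
    # DisplayVersion is free text ("9.1.0", "1.5.0.7220", "2.3 beta"); keep the
    # leading dotted-numeric part only, and pad to major.minor for [version].
    if ($s -match '^\d+(\.\d+){0,3}') {
        $v = $Matches[0]
        if ($v -notmatch '\.') { $v = "$v.0" }
        return [version]$v
    }
    return $null
}

function Get-OutdatedSoftware($Installed, $Baseline) {
    # Match baseline entries by name prefix (vendors append the version to DisplayName),
    # then report anything strictly older than the baseline version.
    foreach ($entry in $Installed) {
        foreach ($name in $Baseline.Keys) {
            if ($entry.Name -like "$name*") {
                $have = ConvertTo-Version $entry.Version
                $want = ConvertTo-Version $Baseline[$name]
                if ($have -ne $null -and $want -ne $null -and $have -lt $want) {
                    New-Object PSObject -Property @{ Name = $entry.Name; Installed = $have; Current = $want }
                }
            }
        }
    }
}

# Constructed sample inventory mirroring the post (not a real registry read):
$Sample = @(
    (New-Object PSObject -Property @{ Name = 'Adobe AIR';        Version = '1.5.0' }),
    (New-Object PSObject -Property @{ Name = 'Adobe Reader 9.1'; Version = '9.1.0' }),
    (New-Object PSObject -Property @{ Name = 'Microsoft Works';  Version = '9.7.0613' })
)
"--- sample inventory ---"
Get-OutdatedSoftware $Sample $Baseline | Format-Table Name, Installed, Current -AutoSize

# Live run against this machine:
"--- this machine ---"
Get-OutdatedSoftware (Get-InstalledSoftware) $Baseline | Format-Table Name, Installed, Current -AutoSize
```

Run it before the OEM "latest updates" screen has a chance to lull you, and again afterwards: if the same entries are still listed, the vendor updater only refreshed its own components. The baseline is deliberately a plain hashtable so it can live in version control next to the build checklist for new machines.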

