Tuesday, May 20, 2008

Not really a defense of the CISSP, but...

It is pretty funny hearing the detractors of CISSP and other "management" certifications (you know, the folks who consider themselves the "real" and "technical" security pros) as they discover amazing concepts such as:

  • Business Continuity and Disaster Recovery Planning
  • Risk Analysis
  • Security Metrics
  • Aligning security with business practices and principles
  • Physical Security (beyond lockpicking at cons)
  • The importance and value of Policies and Procedures
  • The minefield of Corporate Ethics
  • and the rest of the CBK

Imagine that, maybe a wide-ranging course of security topics can expose you to things outside of your area of expertise and make you a more well-rounded professional.



Wednesday, May 14, 2008

Debian predictable PRNG fiasco

I am a big fan of Debian and Ubuntu- but not a big fan of gaping, ginormous security holes. The "predictable Pseudo Random Number Generator" OpenSSL vulnerability in Debian (and Ubuntu, and other Debian variants) leaves a gaping hole not only in those systems, but systems which are using keys from vulnerable systems. Patches need to be applied and keys regenerated, and we probably only have a couple of days before exploit code is loose. From the Debian Security Advisory:

"It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation."

Rather than mangle a technical discussion of the issue, here are some actually useful references:

  • Debian Security Advisory DSA-1571-1
  • Ubuntu Security Notice USN-612-1
  • NVD summary of CVE-2008-0166
  • Article at ZDNet Australia
  • SANS ISC Diary entry
    • Note, misidentifies the problem as being with OpenSSH- the root problem is with OpenSSL, which extends to OpenSSH.
  • Not directly related, but worrisome coincidence, SANS ISC post on SSH brute-force attacks.
    • This one's very real. I may have seen a pile of systems' doorknobs rattled on port 22 in something I get paid to do.

In review, we have stuff to do. And, if the word "predictable" can be used to describe your "random" process, you have a problem.
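Why the advisory treats DSA keys that were merely used on an affected system as compromised, as an added derivation that is not part of the original post or the advisory (standard DSA signing equations; $x$ is the private key, $k$ the per-signature random value, $(p, q, g)$ the public domain parameters, $H(m)$ the message hash):

$$
\begin{aligned}
r &= (g^{k} \bmod p) \bmod q,\\
s &= k^{-1}\bigl(H(m) + x r\bigr) \bmod q,\\
x &= r^{-1}\bigl(s k - H(m)\bigr) \bmod q .
\end{aligned}
$$

Everything on the right-hand side of the last line is public ($r$, $s$, $H(m)$) except $k$, so when $k$ comes from a PRNG with only a handful of possible outputs, one signature produced on an affected host exposes $x$ no matter where the key pair itself was generated. That is why "only regenerate keys created on Debian" is not enough for DSA, and why any SSH or SSL key that signed anything from an affected box has to go.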


Botnets as Art?

Tired of botnet stories yet? CSO Online has a different take, a visual representation of bot networks with some interesting geometric results.

There is actually quite a bit of good data visualization information over at secviz.org. With the volume of data coming at us, we need to find new ways to make sense out of it without just grepping through piles of syslogs, and data visualization is really starting to mature enough to be useful.

Raffael Marty from Splunk gave a great data visualization talk at SOURCE Boston and then gave another outstanding presentation with Alain Mayer from Red Seal at RSA this year.


Tuesday, May 13, 2008

An OLPC post (but not-quite-dead-yet) mortem

Ivan Krstic has shared his feelings and a look behind the scenes at the state of the XO/OLPC project in his blog post Sic Transit Gloria Laptopi.  It is worth a read, even if you don't agree with all of his opinions.

A tip of the hat to Ryan Naraine for bringing this to my attention.



Monday, May 12, 2008

Podcast updates

It has been a while since I reviewed my list of security podcasts and a few new ones have made it into rotation since I last visited the topic. My regular listens and a link to the Getmon Security Podcast list are in my Podcast.com widget (over there on the right, scroll down a bit and you'll see it). Click away at any of the titles for episode details, links to Podcast.com pages, or to play episodes.

My previous recommendations still stand:

  • Pauldotcom Security Weekly
    • Pauldotcom has grown into an empire, with video and webcasts and an entire community involved.
  • The Network Security Podcast
    • Rich Mogull is now Martin McKeay's cohost and his addition has expanded the perspective of this great show.
  • CyberSpeak
    • Brett and Ovie continue to deliver informative and entertaining forensics and cyber-crime content on a quasi-weekly basis (They are busy guys).
  • Security Now*
    • Steve Gibson and Leo LaPorte talk security, and stuff.
    • *figure out the asterisk for yourself.

And newer in the rotation:

  • Risky Business
    • This one is a must-listen, an outstanding weekly podcast featuring news and interviews hosted by Patrick Gray (Patrick Gray is great, and he also has a weekly networking and systems podcast, "A Series of Tubes").
  • The Silver Bullet Podcast:
    • In-depth conversations with leading security gurus, hosted by Gary McGraw, sponsored by IEEE Security & Privacy Magazine.
  • Radio Free Security
    • A good podcast aimed at the small business IT administrator produced by WatchGuard LiveSecurity Service reporters.
    • NOTE- this shares a feed with their "Firebox Special", a podcast dedicated to the WatchGuard Firebox. Unless you are a customer, you may want to skip those.

And a few seem to have faded away, but I haven't completely given up on them:

  • The Security Roundtable [UPDATE: The Round Table is back, see comments below]
  • The Rear Guard
  • Sploitcast*
    • *Not quite dead.

Happy Listening!


Friday, May 2, 2008

Car license plate with SQL injection
-or- Language is no barrier.

My Spanish is pretty rusty, but you don't need to understand "Matrícula de coche con inyección SQL" (car license plate with SQL injection)- in this post you only need to look at the photo of the car.

(The Google translated page is here).


Thursday, May 1, 2008

Defense in Depth?

Thomas Ptacek recently opined on Twitter:

"Defense in depth is one of the great bills of goods the security industry has sold IT."

As you can imagine, this led to a lively discussion among the Security Twits- a respected member of the security community (and really smart guy) attacks a fundamental tenet of security.  At first I thought he had simply been working too long and hard and had lost it, but then I saw the key word in his pronouncement:


Ah, this angle works for me.  As an under-funded small-business IT guy (a redundant statement, I know) I have always relied on defense in depth, and built it into any system I could.  Don't get me wrong, I paid for some of the depth, but I did not buy defense in depth.  The layers have to make sense and work together.

Another angle which works is more theoretical. If we had fundamentally secure systems to begin with we wouldn't need (or have) an entire enormous industry dedicated to selling bandages for mortally wounded systems.




Wouldn't that be nice?  We could have yet another discussion about that, but that would be beating a horse which is not only dead but already processed into gelatin, dog food and glue.





Architecture astronauts take over

Not much to say about this article, except it is a refreshing alternative take on Microsoft's "new" Mesh Thingie©