General: March 2005 Archives

Apparently these thieves have been watching Alias one too many times. On a side note, this week on Alias they scooped out a dead guy's eye for use on the biometric scanner. I had to look away.

Cars can be replaced. Fingers can't. Really makes you wonder about the wisdom of these biometric scanners.

http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm
Police in Malaysia are hunting for members of a violent gang who chopped off a car owner's finger to get round the vehicle's hi-tech security system.
The car, a Mercedes S-class, was protected by a fingerprint recognition system.

I saw this on a couple of other blogs. I hate doing posts that are just links to other people's content, but here goes.

In case it's not obvious, this is a joke.
http://www.l33t.com/articles/000009-spyware-ceo.php
REDWOOD CITY, CALIFORNIA -- Imagine coming home from work to find dozens of partygoers helping themselves to your food, enjoying your furniture, and some of them even rifling through your desk looking for your private financial information!

That's exactly what happened to Claria President & CEO Jeff McFadden on January 13th, 2005. Claria is an internet marketing firm formerly known as Gator.com, and one of the largest creators of internet spyware and adware.

http://www.cisco.com/warp/public/707/cisco-sa-20050330-vpn3k.shtml

Summary
The Cisco VPN 3000 series concentrators are a family of purpose-built, remote access Virtual Private Network (VPN) platforms for data encryption and authentication.

A malicious user may be able to send a crafted attack via SSL (Secure Sockets Layer) to the concentrators which may cause the device to reload, and/or drop user connections.

Repeated exploitation will create a sustained DoS (denial of service).

Workarounds are available to mitigate this vulnerability.

Cisco has made free software available to address this vulnerability for all affected customers.

This vulnerability is documented in the Cisco Bug Toolkit as Bug ID CSCeg11424 (registered customers only).

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20050330-vpn3k.shtml

Affected Products
Vulnerable Products
Cisco VPN 3000 series concentrators running software 4.1.7.A and earlier are affected by this vulnerability.

This series includes models 3005, 3015, 3020, 3030, 3060, 3080 and the Cisco VPN 3002 Hardware Client.

Products Confirmed Not Vulnerable
The following products are confirmed not vulnerable:

Cisco IPSec VPN Services Module (VPNSM)

Cisco VPN 5000 Concentrators

Cisco PIX Firewalls

Any Cisco device that runs Cisco's Internetwork Operating System (IOS)

Any Cisco device that runs Cisco's Catalyst Operating System (CatOS)

No other Cisco products are currently known to contain this vulnerability.

Today Rob Rosenberger wrote about Vonage and 911. VoIP companies allow you to use the phone from anywhere in the world, so 911 operators would be unable to ascertain your true location in case of emergency. Further, the VoIP phone must be configured to dial the correct local office. Often this does not happen: the call goes somewhere else, or to the local sheriff instead of the 911 center. Capitalism has managed to do what terrorists have not yet done: weaken the 911 system. There are fears that VoIP could also be used to launch untraceable telemarketing calls that would oversaturate the phone system.

In his article, Rosenberger links to an old article in which he quotes Michael Caloyannides as saying that capitalism is the Internet's worst enemy. Since Michael is a Senior Fellow where I work and is the head of the Infosec Board for the company (I am also a member of this board) I thought it interesting to look at further.

The quote is:
"While the Internet was originally designed and configured to be survivable, its transformation to a commercial entity has caused it to become economically efficient at the expense of no longer being anywhere near as survivable." Rosenberger oversimplifies this quote in his summary, saying that Caloyannides blames capitalism for the pending demise of the Internet.

Rosenberger is quoting from a Computerworld article, but I think he missed some other interesting quotes.

His quote: 1. "The skills required to launch a strategic cyberattack with devastating economic consequences are far different from what terrorists have focused on in the past. However the Internet remains very vulnerable to serious disruptions including those focusing on dns root servers, bgp routers and various single points of failure."

My reply: I have seen it postulated that there are three or so places in the United States where the majority of traffic passes. These routers could be taken out with a truck bomb or other physical means of attack. That would be within their current skill set. It is also possible that al-Qaeda has enough money to hire mercenary hackers from Germany, the Eastern Bloc, Russia, China or North Korea. Boy, I'm starting to sound like Richard Clarke. Doh!

2. "While the Internet was originally designed and configured to be survivable, its transformation to a commercial entity has caused it to become economically efficient at the expense of no longer being anywhere near as survivable," said Caloyannides.

My reply: I agree with this. You once heard about how the Internet was designed to survive a nuclear blast, what with multiple paths, etc. Nowadays the economic interest has trumped the security interest.

3. He said any such attack launched by al-Qaeda or in direct support of al-Qaeda could have a significant impact on the Bush administration's war on terrorism. In particular, Caloyannides warned of potentially dire consequences for any nation that knowingly allows such an attack to be launched from systems and networks within its borders. "Any country that allows its territory to be used for a massive Internet attack on the U.S. may want to think twice of the likely consequences," he said.

My reply: Rosenberger recently ran a poll asking if we as U.S. citizens would support invading a country which was tied to a debilitating cyberattack. I really doubt that would happen, even if it crippled the economy. When a "massive Internet attack" comes, it will not come from the axis of evil. It will come from unsecured, unlicensed Windows computers in Korea.

SANS is considering changing the alert status threshold for InfoCon alerts, according to today's SANS Diary. Information about InfoCon is available at http://isc.sans.org/infocon.php

They report that many users have commented that the alert status has stayed green for a very long time. This jibes with something I've been thinking about. There haven't been a lot of big-name worm attacks. Internet connectivity hasn't been disrupted by a virus threat. This is because the virus writers' goals are different. In the past the goal was to write something clever and get noticed. That caused many news articles, and either the publicity or the actual damage would cause management to focus on fixing the security problem.

Nowadays, the malicious code writers want to stay hidden. They want to collect information with keystroke monitors and screen grabbers, or they want to have a bot army for use in attacking others. They don't want to draw attention to themselves. This lack of news coverage means management often doesn't get involved. Each machine that is found with a trojan is treated as a separate incident.

Should the SANS alert status go up merely on the basis of increased DNS hijacking or a known vulnerability? Clearly that is turning away from the original stated goal of monitoring threats to the Internet infrastructure itself. However, the SANS ISC handlers deal with so much more than just the Internet infrastructure, so this change is warranted.

Did you see the latest prediction for an electronic Pearl Harbor? This one is by David Lacey, director of information security for the Royal Mail Group.

http://news.com.com/VoIP+could+provoke+electronic+Pearl+Harbor/2100-7355_3-5623365.html?tag=cd.top
"An electronic Pearl Harbor-type event will happen in 2006 or 2007. I do stand by that," he said. "New technologies such as VoIP risk driving a horse and cart through the security in our networks."

So get that on your DOOM WATCH calendar, and for gosh sakes study up on semaphore; it may be the only means of communication when VoIP goes down.

eEye has a new free utility for scanning for the Computer Associates License service vulnerability. I use these utilities to supplement the scans that I get from my regular vulnerability scanner.

eEye has always been a bit more stingy with the free utilities than ISS or Microsoft. It has been limited to a 254-address range at a time. Not as useful as scanning everything at once, but still OK. Now with this new product, they have restricted the user to scanning 16 IP addresses at one time. They certainly don't want you scanning more than a few computers.

As if this wasn't bad enough, the product has numerous other annoyances and bugs. The scanner must be installed; previous versions could be run as a standalone exe. Lastly, the address selection seems a bit buggy. I guess sometimes you get what you pay for.

AOL quietly updated their AIM terms of service on February 5th, according to eWeek.

Users who download AIM software after 2/5/2005 are under this policy.

According to the article, the new policy states:
"You waive any right to privacy. You waive any right to inspect or approve uses of the content or to be compensated for any such uses," according to the AIM terms-of-service.

Although the user will retain ownership of the content passed through the AIM network, the terms give AOL ownership of "all right, title and interest in any compilation, collective work or other derivative work created by AOL using or incorporating this [user] content."

"In addition, by posting content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents and licensees the irrevocable, perpetual, worldwide right to reproduce, display, perform, distribute, adapt and promote this content in any medium,"

Looks like the bottom line is:
1. Use the encryption to prevent them from reading your message.
2. Refrain from posting anything to IM you wouldn't want to see published in an IM compilation, presented in a court of law, or given to your competitor.

Sounds like good advice in general.

SearchSecurity.com has free CISSP training webcasts available for a limited time. It does require registration.

I watched the first class/domain over the weekend and thought it was interesting. I came away with a few things to think about. The presentation is very rapid-fire. There is way too much material in domain 1 to fit into an hour. The presenter advised that this is an introduction to the material and is in no way adequate to prepare you for the exam.

SANS is modifying the requirements for the GIAC certification so that seekers will no longer be required to complete a written practical. In the past there has been a requirement of a practical as well as multiple tests.

The written practical was a great thing for the GIAC. Some certifications are seen as a paper certification, or a sign of an individual's ability to quickly cram information into short-term memory. That was never the case with the GIAC, because there is a written paper designed to contribute to the general security knowledge base. Anyone could go read that paper online and get an idea of the writing skills and the security skills of the certificate holder. By changing this to a test-only certification, the great differentiator of the GIAC is gone.

The problem with the certification is that not enough people are getting it. Hiring managers are placing emphasis on the CISSP cert or even the Security+ cert from CompTIA. By making the bar lower, more people will have the certificate, and a "critical mass" of certificate holders will ensure the future value of the certificate. That's the theory, anyway. I like it now where, even though it's not as well known, the ones who do know have respect for it. With it being a test-only cert now, not requiring people to actually view the course material, I fear it will be like the MCSE. If I see a bunch of high schoolers with a GIAC, I'm taking the certificate off my wall.