Category Archives: Security

Vulnerability Wednesday?

Here is an interesting article on changing the social contract of vulnerability disclosures from the current, though recent, seven day cycle, to one that follows patch Tuesday, or whatever equivalent date the particular software vendor has for patches.

It’s a good idea, but I think the author missed an important nuance: the short 7 day notice is for situations where the discovering researcher has found evidence that the vulnerability is being actively exploited. In other cases where the vulnerability is not being actively exploited, the time frame is 6o days, which is compatible with the author’s idea. Note that the 7 day recommendation comes from Google and is available to read here.

I do not think that it makes sense to wait until after the next patch Tuesday in cases of active exploitation. The point is that users of the vulnerable technology need to know that there is a vulnerability being actively exploited, whether or not a patch is available, so that the user can take steps to mitigate the problem.

Risk Perception Versus Reality

One of the side effects of podcasting is that I read a lot of infosec news on a daily basis and a lot of industry reports.  Sometimes, I see an odd overlap.  For instance, I was reading this article about a survey from McAfee on how long IT professionals believe it would take for them to detect a breach.  The numbers were all over the map, but is described like this:

“… 22 percent thought they’d need a day to recognise a breach, with one in twenty offering a week as a likely timescale.

Just over a third said they would notice data breaches in a matter of minutes, which counts as real-time by today’s standards.

In terms of general security, three quarters  confidently reckoned they could assess their security in real-time, with about the same number talking up their ability to spot insider threats, perimeter threats and even zero-day malware.”

 

The article raises the point that the polled population seems overly optimistic, however I think it needs to be explored a little deeper.

  • Mandiant’s 2013 annual report claims that data breaches take an average of 243 days to find.
  • Trustwave’s report finds that the average to be 210 days.
  • Verizon’s DBIR finds that 66% of breaches in the scope of their report took “months” to “years” to discover.

This is not a minor miss.  This is not “being overly optimistic”.  This is a fundamental lack of understanding of the world we live in.

What concerns me most about this disconnect is how these beliefs are used as an input into risk management processes.  If organizations are prioritizing their security efforts based on the input from internal authoritative sources, such as the 500 people McAfee polled, that breaches will be detected quickly, when in reality they take months, there will be little appetite to make improvements in detection capabilities.

 

Defensive Security Podcast Episode 20

US power grid is highly vulnerable and under constant attack, Iran attacking energy companies, increase in sophisticated attacks against keys and certificates, Indian government site redirects to black hole exploit kit, FSB report find that only 36% of small businesses regularly patch, 5 quick wins from the DBIR, Google to give software vendors 7 days prior to releasing information on active exploits, and planning for the failure of malware prevention.

Subscribe in iTunes | Podcast RSS Feed | Twitter Email Continue reading Defensive Security Podcast Episode 20

https://defensivesecurity.org Is Classified As Porn Site (if you are at Disney World)

I am here on vacation in Disney World, using wifi in the hotel and I’m being blocked.

20130525-223241.jpg

Disney appears to be using an old (I mean old) web filter called the 8e6 R3000 from 8e6 Technologies, now Trustwave. Interestingly, when I check this site’s category using Trustwave’s site here and it is not registered. The site is correctly categorized as “IT” in the other filtering engines.

So, it would seem that Disney World is keying off some element of content on the site, rather than on the Skye’s categorization.

Defensive Security Podcast Episode 17

This week: Twitter warns news agencies of attacks and to use dedicated PCs for using twitter, the US department of Labor website was compromised and serving up an 0day for IE8, 18 12-13 year olds in Alaska socially engineered passwords for 300 computers out of their teachers, iOS did NOT have a malicious app discovered, AV vendors are starting to shun Windows XP, 7 elements of a successful security awareness program, and the unforeseen impacts of cyberwar.

Subscribe in iTunes | Podcast RSS Feed | Twitter | Email

Episode 17

http://security.onestopclick.com/technology_news/media-warned-to-tighten-twitter-security_474.htm

http://arstechnica.com/security/2013/05/internet-explorer-zero-day-exploit-targets-nuclear-weapons-researchers/

http://www.bbc.co.uk/news/technology-22398484

http://www.networkworld.com/news/2013/050213-ios-app-contains-potential-269393.html

http://podcasts.infoworld.com/t/anti-virus/windows-xp-risk-antivirus-vendors-jump-ship-217806

http://www.wired.co.uk/news/archive/2013-05/2/comment-crew-plunder-qinetiq

http://www.networkworld.com/news/2013/050113-the-7-elements-of-a-269301.html

http://www.networkworld.com/news/2013/050113-livingsocial-breach-scope-widens-on-269295.html

http://qz.com/81268/the-worst-possible-cybersecurity-breaches-could-be-far-worse-than-you-imagined/

Defensive Security Podcast Episode 16

In this episode, another Java 0day, Symantec’s Q1 2013 0day roundup, the Akamai State of the Internet report, the Verizon 2013 DBIR, AP’s twitter feed hack, and cyber terrorists.

Subscribe in iTunes | Podcast RSS Feed | Twitter Email

http://www.scmagazine.com/livingsocial-updates-encryption-practices-after-password-breach-affects-50m/article/291042/

Q1 0day vulnerabilities: http://www.symantec.com/connect/blogs/2013-first-quarter-zero-day-vulnerabilities

http://www.akamai.com/stateoftheinternet/

http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf

http://akamai.infoworld.com/d/security/5-hot-security-defenses-dont-deliver-217045

http://www.pcworld.com/article/2036261/ap-twitter-hack-prompts-fresh-look-at-cybersecurity-needs.html

http://www.hotforsecurity.com/blog/associated-press-twitter-account-hack-hits-us-stock-prices-6015.html

http://www.theinquirer.net/inquirer/news/2263460/cyber-terrorists-are-only-a-matter-of-time-warns-eugene-kaspersky

Defensive Security Podcast Episode 15

This week: Twitter account hacks highlight opportunity for exploitation by attackers, Microsoft and Malwarebytes both release bad patches, Oracle releases a Java patch which fixes 42 security bugs, Oracle announces that Java 8 is delayed due to the focus on Java 7, a new botnet is being created by compromising WordPress installations for some unknown purpose, Linode was compromised in an attack targeted at some Linode customers, Microsoft finds a trojan that cleans up after itself in the next wave of anti-forensics, the Boston marathon bombing and West, Texas explosions see many phishing scams leading to malware installations, spam is down, targeted attacks via email are up, Microsoft released it’s second half 2012 Security Intelligence Report with some odd mixes of data, Microsoft releases EMET 4.0 beta, and a former employee has been charged with planting back doors on 2723 Hostgator servers.

Subscribe in iTunes | Podcast RSS Feed | Twitter Email

60 minutes, 48 hours, NPR, BBC twitter accounts recently hacked.

MS and Malwarebytes released bad updates

http://krebsonsecurity.com/2013/04/java-update-plugs-42-security-holes/

http://mreinhold.org/blog/secure-the-train

http://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/

http://www.theregister.co.uk/2013/04/16/linode_breach/

http://m.darkreading.com/133696/show/b7639d290f6c32534f633e85cfe6ac04/

Boston bombing used to spread malware in multiple ways
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Z6nE3UFETb0/

http://news.cnet.com/8301-1009_3-57579847-83/targeted-cyberattacks-jump-42-percent-in-2012-symantec-says/

SIR: http://download.microsoft.com/download/E/0/F/E0F59BE7-E553-4888-9220-1C79CBD14B4F/Microsoft_Security_Intelligence_Report_Volume_14_Key_Findings_Summary_English.pdf

http://blogs.technet.com/b/srd/archive/2013/04/18/introducing-emet-v4-beta.aspx

http://arstechnica.com/security/2013/04/former-employee-arrested-charged-with-rooting-2700-hostgator-servers/

 

 

Defensive Security Podcast Episode 14

Subscribe in iTunes | Podcast RSS Feed | Twitter | Email

I’ll be picking someone to give an e-copy of @Taosecurity’s new book “The Practice of Network Security” who sends me an email with feedback on the show.
Encrypt your drives, eve. If you don’t think the computer will leave the office: http://feedly.com/k/ZM172z

Spate of MS and Adobe patches fix numerous remote code execution and priv escalation bugs

SEC filings seem to disagree with the growing furor over cyber attacks: http://feedly.com/k/ZM1IRB

51 weeks of windows XP left

FireEye threat report: http://feedly.com/k/11mWyAn

2 ideas for better security: http://feedly.com/k/14VTn5V

A review of APT1 http://www.malware.lu/Pro/RAP002_APT1_Technical_backstage.1.0.pdf

http://packetstormsecurity.com/news/view/22398/Author-Of-The-SSH-Protocol-Wants-A-New-One.html

http://www.networkworld.com/news/2013/041013-shylock-bank-trojan-upgraded-with-268583.html?source=nww_rss

http://packetstormsecurity.com/news/view/22399/Porn-Sites-Pose-Growing-Malware-Risk.html

http://www.bankinfosecurity.com/global-closes-breach-investigation-a-5684?rf=2013-04-15-eb&elq=593a933acd7a48d4b7e39bcc55f49e62&elqCampaignId=6440

Defensive Security Podcast Episode 13

The Internet destroying ddos attack that wasn’t

http://krebsonsecurity.com/2013/03/missouri-court-rules-against-440000-cyberheist-victim/

http://hothardware.com/News/Huge-Spike-In-Mobile-Data-Traffic-Drives-IEEE-400-Gigabit-Ethernet-Standard/

http://adamcaudill.com/2013/04/04/security-done-wrong-leaky-ftp-server/

http://nakedsecurity.sophos.com/2013/04/05/ransomware-child-buse/

http://blog.trendmicro.com/trendlabs-security-intelligence/three-lessons-from-the-south-korea-mbr-wiper-attacks/