22/06/2009,
Quality at the tail end of ICT processes
20/06/2009,
Best seller
I'm surely not the only one who wonders how a best seller gets made, but I'm certainly going to be the only author of a best seller who doesn't make a penny from it. After a pile of years working on the ISO 27004 "measurement" standard, we received the news that ISO has identified it as a potential best seller. On such a happy occasion, I've been asked to take part in the marketing campaign. Will I end up in a stall at the Feria del Libro signing ISO standards? If so, I hope ISO pays for the beers.
19/06/2009,
Incomplete Thought - Cloudanatomy: Infrastructure, Metastructure & Infostructure
I wanted to be able to take the work I did in developing a visual model to expose the component Cloud SPI layers into their requisite parts from an IT perspective and make it even easier to understand. Specifically, my goal was to produce another visual and some terminology that would allow me to take it up a level so I might describe Cloud to someone who has a grasp on familiar IT terminology, but do so in a visual way.
You can see how I define “metastructure” and “infostructure” in the diagram definitions to the left. Essentially Infrastructure is comprised of all the compute, network and storage moving parts that we identify as infrastructure today. Metastructure* is the protocols and mechanisms that provide the interface between the infrastructure layer and the applications and information above it. Infostructure is the applications and information/content as well as the service definitions that depend upon the other substrates.
Specifically, these three layers line up remarkably well with the S, P, I layer demarcation points that I outlined in my Cloud Model (see the extensive discussion here) built before that I use in my Frogs presentation that has met with good reception thus far. I can drill down as needed, but if I want to summarize from a security perspective where/what I am talking about, I now have three handy and easily understood sets of macro-definitions to help me. What do you think? I know we’re all pretty buzzworded out these days, but this really seems to resonate with folks up and down the stack I have presented it to. Update 6/21: Reuven Cohen posted a nice follow-up to this blog on his in regards to his “metaverse” concept. /Hoff * I first mentioned the concept of “metastructure” in a post back in February in another Incomplete Thought titled “Incomplete Thought: What Should Come First? Cloud Portability or Interoperability”
18/06/2009,
A Picture, And A Thousand Words (or less)
This has nothing to do with security, or my case files. This is an open post to you, my readers, on a topic which is very dear to me due to a recent unfortunate event in my life.
Those of you that follow me on twitter know that I recently lost one of...
18/06/2009,
See You At Structure09 and Cisco Live!
I managed to squeak out some additional time at the end of my first docking with the Mothership in San Jose next week such that I can attend Cisco Live!/Networkers the week after. I’ll be at Live! up to closing on 7/1. It will be a great opportunity to meet a bunch of Cisco folks, partners and customers…not to mention reunite with my best friend from high school whom I have not seen/heard from in twenty years. If you’re going to be there, let’s either organize a tweet-up (@beaker) or a blog-down… Contact information is in the right-hand galley, down toward the bottom. /Hoff
18/06/2009,
The folly of annual "awareness training"
Hord Tipton is quoted in a rather curt piece on GovInfoSecurity referring to the "Need to provide federal employees awareness training more often than once a year because of the ever-changing challenges IT security presents". Right-on Hord! I realise I'm quoting a small extract from a short piece about a press interview, but still there's much more to it than Hord's statement implies. I hope you'll forgive me a short but passionate rant ...

1. It's not just federal employees who need more than once-a-year training. The same applies to everyone, including employees (staff, managers, IT professionals, temps, contractors, consultants, auditors ...), students, retired people and other ordinary members of the general public. And yes, even CISSPs. A once-a-year training session falls way short of what any rational professional would call Continuous Professional Education.

2. What is "awareness training" anyway? In my experience, it's management doublespeak for a lecture at the troops - a broadcast, a sermon maybe, but almost invariably tedious, dull and worse than that, annoying to all concerned. Management get to spout off at the workforce about what they should and should not do. They lay down the corporate law, usually with implied or explicit threats to thrash the message home. Such sessions take time out of busy worklives, and are attended under sufferance (not because the audience actually want to go along and learn new stuff, but because they are told in no uncertain terms that they "just have to go"). Conceited or naive managers tick the compliance box that says "Security awareness - done" and move on to 'more important things'. In reality, what I'm talking about is neither awareness nor training. It's an amateur attempt at brainwashing. It shows an amazing lack of creativity and understanding of human psychology. The only motivation it achieves is to encourage staff (and, I bet, some managers) to find ways to evade future sessions.

3. IT does indeed present ever-changing challenges, but so too does the organization, its business, the commercial & regulatory environment, the people, the compliance obligations, the consequences of failure, the hackers, the malware, the criminals, the competitors, the peers, the partners ... Oh and, by the way, it's not just a matter of IT security. Information security takes in the obvious things such as indiscreet conversations and leaving sensitive papers on public transport, but more subtly it concerns protecting information assets, meaning the information content, the meaning, the knowledge, the expertise and experience - which goes way beyond the data or IT.

Surely by now we all know annual awareness sessions simply don't work. It's really not hard to poke giant holes in the concept, but why does this ridiculous "annual awareness" thing refuse to lie down and die? I doubt any CISSP would seriously contend that subjecting employees to an "awareness training session" (whatever that might be) is going to achieve anything beneficial past the first few weeks, days, hours or minutes, let alone persist until the next year's session. Would you allow someone to drive a car on the basis of a "driving awareness training session" once a year? Would you be happy to don the face mask and place your most valuable personal assets in the hands of a surgeon who did a "surgery awareness training session" nearly a year ago? It's totally nuts, yet it keeps coming up like a dreaded zombie back from the grave to haunt us. What concerns me most is that merely repeating the phrase (which I appreciate, ironically, is exactly what I am now doing) "annual security awareness training sessions" furthers the myth that that's what is meant by security awareness and/or security training, which are in fact quite distinct ideas.

Worse still, since we all know that these annual sessions are a worthless and insufferable waste of time, it implies that both security awareness and security training are also worthless and insufferable. Doh! That's a classic example of throwing the baby out with the bath water. Consider for a second the modern aircraft and its pilot. The cockpit is stuffed full of the most amazing technical wizardry, designed to make flying as safe, cost-efficient and generally pleasant as possible for all involved, a large part of them designed to make the pilot's job simpler and easier than ever ... yet we don't let just anyone sit in the hot seat and fly us to Barbados. Pilots undertake intense training courses on the ground before even taking to the skies, and then are required to clock so many hours' flying experience before being granted the privilege of becoming a qualified pilot - and yes it is a privilege that carries a heavy responsibility. They have further on-the-job training and flight simulator exercises to complete, and regular assessments to keep them up to date with the latest technologies, flight rules and so forth, throughout their careers. They meet and converse with other pilots, taking an interest in new risks and opportunities in flying. They develop a very personal passion or love for what they do. They get it.

OK, now switch scenes to the average corporate "end user" (surely a pejorative term, but quite apt in this context) - largely untrained, almost always unqualified and yet sat there in the hot seat playing with corporate and personal information assets with hardly a thought as to their protection or security. The PC is merely a tool to him, one that belongs to the evil corporation that makes him work for a living. Are we surprised they don't get it at all, even right after one of those dreadful "annual awareness training sessions"?

Right, switch scenes again to the classic geek hacker, all tattoos and piercings and black hoody - self trained, knowledgeable, committed and yes intensely passionate about what he does, with a deep fascination and respect for the technology. His PC is an art form, a thing of joy, an altar even. He inhabits a parallel universe to the end user. When end-user-man knocks off work at 5pm and traipses dejectedly home, the last thing he wants to do is "sit in front of the bloody PC all night", whereas that's exactly what geek-hacker enjoys most. Once the bytes start flying, the endorphins are released and before he knows it, it's dawn and time to get ready for work. In computer security terms, it's a seriously unfair fight. In the blue corner, end-user man just wants to do his job and have an easy life. In the red corner, geek hacker wants to pwn his b0x, and has the tools, expertise and motivation to get it (and these days, someone wants to pay him serious money to do it for him). Meanwhile, the poor old security manager does his best to gee up end-user-man from the sidelines but knows there's not going to be a pretty ending. Well maybe I've seriously over-stretched that analogy and taken the parody too far, but what I'm really getting at is that end-user-man desperately needs effective information security awareness and training to:

That's it, relax, rant over. Now it's your turn. What do you think?

P.S. Even mighty SANS refers to "awareness training" and "at least an annual basis". At the bottom of the latest SANS list of 20 Consensus audit guidelines is one recommending Security skills assessment and training to fill the gaps. The SANS advice includes: "Organizations should develop security awareness training for various personnel job descriptions. The training should include specific, incident-based scenarios showing the threats an organization faces. The training should reflect proven defenses for the latest attack techniques. Organizations should devise periodic security awareness assessment quizzes, to be given to employees and contractors on at least an annual basis, determining whether they understand the information security policies and procedures for the organization, as well as their role in those procedures."
16/06/2009,
Reflections on the Comprehensive National Cybersecurity Initiative
As an (ISC)2 member and a practitioner of Computer Network Defense, I was a bit surprised that no one has done an (ISC)2 blog on the Comprehensive National Cybersecurity Initiative (CNCI) which was released back on 6/1/2009. So I thought I'd dip my toe into the pool and see what happens. Like many others, I am cautiously optimistic about President Obama's new cybersecurity policy and the appointment of a new "cybersecurity coordinator," though much depends on the details. From what I read of the report, there was a lot of discussion of the history of cybersecurity and the general concepts behind it, but not a lot of detail of what has to be done. The concepts discussed -- securing government networks, coordinating responses, working to secure the infrastructure in the private sector (the power grid, the communications networks, and so on) -- although I think he's overly optimistic that legislation won't be required. I was happy to hear his commitment to funding research. Much of the current technology used to secure cyberspace was developed from university research, and the more of it we finance now, the more secure we'll be in the future. Education is also vital, because there are still too many users practicing bad security practices and not enough professionals to protect the networks. I respect the president's commitment to transparency and privacy, both of which are vital for security. But the details matter immensely. Too often, cyber attacks cross national and organizational lines. There needs to be clear direction on who has the responsibilities for protecting the networks, who has responsibility and authority to direct network defenses. For example, someone may have to make the call to shut down a network to prevent further damage, keep it running to keep vital operations going, or perform certain actions to preserve evidence to build a criminal case. I have never liked the concept of creating more "czars" to resolve problems.

However, we do need a leadership position with the appropriate authority to help allocate resources, resolve organizational conflicts, and provide a framework to coordinate cybersecurity at the national level, not just within a single department, agency or sector.
16/06/2009,
Incomplete Thought: The Opportunity For Desktop As a Service - The Client Cloud?
Please excuse me if I’m late to the party bringing this up… We talk a lot about the utility of Public Clouds to enable the cost-effective and scalable implementation of “server” functionality, whether that’s the SaaS, PaaS, or IaaS model; the concept is pretty well understood: use someone else’s infrastructure to host your applications and information. As it relates to the desktop/client side of Cloud, we normally think about hosting the desktop/client capabilities as a function of Private Cloud capabilities; behind the firewall. Whether we’re talking about terminal service-like capabilities and VDI, it seems to me people continue to think of this as a predominantly “internal” opportunity. I don’t think people are talking enough about the client side of Cloud and desktop as a service (DaaS) and what this means:
There are companies such as Desktone looking to do this very thing in a way to offset the costs of VDI and further the efforts of consolidation. It makes a lot of sense for lots of reasons and despite my lack of hands-on exposure to the technology, it sure looks like we have the technical capability to do this today. Dana Gardner wrote about this back in 2007 and it’s as valid a set of points then as it is now — albeit with a much bigger uptake in Cloud:
I could totally see how Amazon could offer the same sorts of workstation utility as they do for server instances. Will DaaS be the next frontier of consolidation in the enterprise? If you’re considering hosting your service instances elsewhere, why not your desktops? Citrix and VMware (as examples) seem to think you might… /Hoff
14/06/2009,
Cloud Computing Security: (Orchestral) Maneuvers In the Dark?
Kevin’s essay is an interesting — if not hope-filled — glimpse into what IT Security could be as enabled by Cloud Computing and virtualization, were one to be able to suspend disbelief due to the realities of hefty dependencies on archaic protocols, broken trust models and huge gaps in technology and operational culture. Readers of my blog will certainly recognize this from “The Four Horsemen of the Virtualization Security Apocalypse” and “The Frogs Who Desired a King: A Virtualization and Cloud Computing Security Fable” To the converse, I’ve certainly also done my fair share of trying to change the world both by thought and action in the stance of “cheerleader”; I’ve been involved in everything from massive sensornet deployments to developing AI/Neural Networking based security technologies, so I think I’ve got a fair idea of what the balance looks like. The salty pragmatist often triumphs, however… Kevin’s article represents a futurist’s view, which is in no way a bad thing, but I fear it is too far disconnected from the realities of security and operational maturity outside of the navel:
Certainly Cloud is a game changer, but just because the rules change does not mean the players do. We haven’t solved those issues as they pertain to non-virtualized or Cloud infrastructure, so while sad, it’s a crushing truth we have to address. Further, to get from “here” to “there,” we do need to focus on these issues because that is how we are measured today; most of us don’t get to start from scratch. To that point, check out “Incomplete Thought: Cloud Security IS Host-Based... At The Moment” for why this gap exists in the first place. I should make it clear that this does not mean I necessarily disagree with the exploration of Kevin’s future state, in fact I’ve written about it in various forms several times, but it’s important to separate what Cloud will deliver from a security perspective in the short term from the potential of what it can possibly deliver in the long term; this applies to both the cultural and technical perspectives. I think the most significant challenges I had in reading Kevin’s article revolved around three things:
In the short term, there are certainly incremental improvements that will occur with respect to security thanks to the “lubricant-like” functionality provided by virtualization and Cloud. These “improvements” however represent gains mostly in automation of manual processes and a resultant increase in efficiency rather than a dramatic improvement in survivability or security given what we have to work with today. The lack of heterogeneous closed-loop autonomics, governance and orchestration in conjunction with the fact that a huge amount of infrastructure and applications are not virtualization- or Cloud-ready means this picture is a vision, not a mission. Kevin juxtaposes the last few decades of static, Maginot Line IT/Information Security “defense-in-depth” strategy with the unpredictable and “agile, hostile and mobile” notions of military warfighter maneuvers to compare and contrast what he suggests Cloud will deliver with an enlightened state of security capabilities:
The reality is that outside of the military, “shock and awe” doesn’t really work when you’re mostly limited to “compliance and three analysts with a firewall.” Check out “Security & the Cloud — What Does That Even Mean?” Here’s where the reality distortion fields trumps the rainbows and unicorns:
Allow me to suggest that “fight[ing] through an attack” by simply redirecting/re-positioning the $victim isn’t really an effective definition of an “active countermeasure” any more than waiting the attack out because there’s no offense, only defense. There is no elimination of threat. I’ve written about that a bit: Incomplete Thought: Offensive Computing - The Empire Strikes Back, Thinning the Herd & Chlorinating the Malware Gene Pool? and Everybody Wing Chun Tonight & “ISPs Providing Defense By Engaging In Offensive Computing” For $100, Alex. Mobility does not imply security. To wit:
To pick on this specific example, even given the relatively mature anti-DDoS capabilities we have today without virtualization or Cloud, simply moving resources around in response to an attack does nothing if the assets are bound to the same IP addresses and hostnames. Fundamentally, the static underpinnings holding the infrastructure together hinder this lofty goal. You can Cloudburst till the cows come home, but the attacks will simply follow. You transfer all those assets to a new virtual datacenter and for the most part, the bad traffic goes with it. Distributed intelligence can certainly reduce the pain, but with distributed botnets whose node counts can number in the millions, you’re not going to provide for the “…elimination of the attack source.” With these large scale botnets as an example, the excess capacity and mobility of the $victim could even have unintended worse ramifications such as what I wrote about here: Economic Denial Of Sustainability (EDoS) In closing, we’ve got two parallel paths of advancing technology: the autonomics of the datacenter and the evolution of security. I’ll wager we’ll certainly see improvements in the former that are well out-of-phase and timing with the latter, not the least of which is due to what Kevin closed with:
It’s absolutely a cultural issue, but we must strive to be realistic about where we are with Cloud and security technology and capabilities as aligned. As someone who’s spent the last 15 years in IT/Security, I can say that this is NOT the “…dawning of a new day in IT security,” rather it’s still dark out and will be for quite some time. There is indeed opportunity to utilize Cloud and virtualization to react better, faster and more efficiently, but let’s not pretend we’re treating the problem when what we’re doing is making the symptoms less noticeable. I am absolutely bullish on Cloud, but not Cloud Security as it stands, at least not until we make headway toward fundamentally fixing the foundational problems we have that allow the problems to occur in the first place. /Hoff * I thought that out of all of OMD’s tracks, the most apropos titles to match to this blog post would be “Pandora’s Box,” “Dreaming,” or “The New Stone Age”
13/06/2009,
Bandwidth Caps Mean Bad Security
Bandwidth caps: they're coming, and the ISPs really want them. Why? They can charge you a flat rate for, say, 5GB a month, such as is already done by Sprint and AT&T for their wireless broadband offerings. With 5G a month you can do a lot of email, some web browsing, perhaps a Hulu video or two. But what happens when you go over that 5GB in a month? You get charged by the megabyte, say 5 cents/MB. So customers using bandwidth caps need to be parsimonious with their Internet usage. Gone are the days of being able to download anything that caught their fancy. No more movies from iTunes, not so many songs from Napster, and no more huge OS updates. Wait, what? That's right. These customers will definitely think twice before downloading any costly OS or security updates. And we will all pay as a result. Some examples are Apple's recent Mac OS X 10.5.7 combo update (729MB), a massive Microsoft update that patches 31 vulnerabilities (some critical), and even the 36MB Ubuntu update that I am downloading as I type. If the user thinks his/her computer is working fine, why would that user waste valuable bandwidth downloading what seems like a totally necessary update? Who cares if the recent Microsoft update includes a patch to protect against Conficker (that has its million-plus botnet aimed at...well, we're still waiting)? Instead, the user saves his/her bandwidth for a couple of episodes of The Office. Meanwhile, the user's unprotected PC becomes another zombie. And now becomes everyone else's problem. Internet access cannot be treated as just another utility. If the electric company decides it needs to upgrade its infrastructure to protect against SCADA attacks, it charges its customers a couple more pennies per kilowatt hour. It doesn't demand the customer buy some copper wire and pipe and get to work. Just as most users won't spend their time and money upgrading a utility, most users aren't going to spend an extra couple hundred MB improving their own PC's security.

If the trend is to treat the Internet as just another utility, update downloads should be exempt. Otherwise, don't cap bandwidth. Also, OS vendors like Microsoft, Apple, even Ubuntu need to stop taking unlimited broadband for granted! Why are all updates available only as a download? Some of it is understandably because of zero-day exploits, but these security patches are relatively small. Otherwise, give customers the option of getting their updates via a non-download method, such as CD or a recycled USB key (you send it in, they send it back with the update.) Be creative. PC security is no longer about a virus that trashes your hard drive. It's about botnets made up of millions of unpatched computers that attack banks, infrastructures, governments. Bandwidth caps will contribute to this unless the thinking of Internet providers and OS vendors changes. Because we are all inter-connected now.
11/06/2009,
Hey, Uh, Someone Just Powered Off Our Firewall Virtual Appliance?
So here’s an interesting scenario in virtualized and/or Cloud environments that make use of virtual appliances to provide security capabilities*:
Without getting into the vagaries of vendor-specific mobility-enabled/enabling technologies, one of the issues with VMs/VAs is that there’s not really a good way of designating one as being “more important” or functionally differentiated such as “security” or “critical application” that would otherwise ensure a higher priority for service availability (read: don’t spin this down unless…) or provide a topological dependency hierarchy in virtualized network constructs. Unlike physical environments where system administrators (servers) are segregated from access to network and security appliances, this isn’t the case in virtual environments. In Cloud environments (especially public, multi-tenant) where we are often reliant only upon virtual security capabilities since we have no option for physical alternatives, this is an interesting corner case. We’ve talked a lot about visibility, audit and policy management in virtual environments and this is a poignant example. /Hoff *Despite the silly notion that the Google dudes tried to suggest I equated virtualization with Cloud as one-in-the-same, I don’t.
09/06/2009,
Open Source Computer Forensics Manual
The Open Source Computer Forensics Manual doesn't have a lot in it, and it only covers the basic approach, but it is reasonable at that. Maybe someone can get the project restarted.
09/06/2009,
US Cybercrime site
US Department of Justice Computer Crime and Intellectual Property site with news stories, related (US) laws, and some documents related to digital evidence, investigation, and prosecution.
01/06/2009,
Control a finalist for ASBPE Magazine of the Year Award!
01/06/2009,
ISO/IEC 38500:2008. One year spreading the concept of “Good Corporate Governance of ICT”
01/06/2009,
Being on top of things (by Mark Toomey)
01/06/2009,
Being on top (by Mark Toomey)
01/06/2009,
First Val IT mapping: a new fruit of the rapprochement between ISACA and the OGC
01/06/2009,
Staying alive
A few days ago on this blog we discussed the new legislative initiative that will allow the Obama Administration not only to “switch off” the internet, but also to scan the information and databases of many private entities. Staying Safe Online: The Need for Cybersecurity from White House on Vimeo. I only wonder whether they are too late: not only because the Chinese are already in a position to switch off the internet and win a cyber war with three clicks of a mouse, but because it is too late to rewrite their constitution. A problem which, incidentally, the Chinese don't have either. Via :: RosaJC
26/05/2009,
ABB urges Smart Grid Standards...but where is ISA?
In the gold rush to Smart Grid, it's easy to get left out. In the last several major press releases about Smart Grid I've seen, one standards body has been conspicuous by its absence. That, of course, would be ISA. Even though ISA has launched a full-court press to transform itself from a member style educational foundation into a workforce development and standards body (which I believe is the future of the Society--- and I've been saying so since 1998)-- it seems to have been left at the altar for Smart Grid.
25/05/2009,
Legado digital
Facebook and other social networks, with their policy of having us make little friends even when we're dead, are going to make us live forever. Will we have to include digital executors in our wills to manage our accounts and, ultimately, our “posterity”? Will they spend our inheritance litigating with Facebook? I suggest spending it on beers first. Via :: Reputation Defender Blog
23/05/2009,
At last!
I'd dance the conga if I weren't so tired and so swamped at home. The measurement standard, the much-bandied-about ISO 27004, goes to FDIS! Or, put another way, unless a pandemic or economic cataclysm prevents it, it will be published at the end of the year. I'm working on the comments, so I can't tell you how it has turned out until I see it with my own eyes. Confidentiality stops me from publishing it, but not from giving you a summary (better me, who has suffered it in the flesh, than others who claim in their bids that they wrote it when they don't even belong to the Spanish SC27; it's infuriating!). And if I get a moment, something I haven't had in a long while, I'll tell you how the other standards are going and what decisions were taken at the ISO SC27 meeting we held in Beijing in the middle of the “pandemic”. Two things in advance: the new 27001 and 27002 are going like a shot (so if you don't know the current ones, wait for the new ones), and it will be Microsoft who buys us the coffee at its Redmond headquarters, where the next meeting will take place. I'll bring the Mac to annoy them.
21/05/2009,
Better late than never
Since I came back from China I have owed a debt of gratitude to the guys at Cámara Abierta 2.0 for giving me a slot in their programme… even if it was thanks to Minister González-Sinde, who incidentally has been so forgotten thanks to swine flu (might she have something to do with it?). Above all I owe this debt because Dani and his team gave me, with this interview, the chance to park my republican backside on the benches where their honours prop up their elbows during hearings, and let me strut about like a glossy-magazine star, paparazzi included, before the rather astonished gaze of the entire bodyguard corps of the Supreme Court justices. Thanks for making me feel just like Belén Esteban, but without Andreíta and without the chicken.
13/05/2009,
A very great man passes - Vernon Trevathan died Sunday in St. Louis
It is with deep sadness that I report the passing of my friend Vernon Trevathan. Vernon (who hated to be called Vern) died Sunday in St. Louis, Mo. Here is the message that was sent to the ISA Executive Board, where Vernon was Vice President of the Professional Development Department. ISA director T. S. "Chip" Lee forwarded it to me.
13/05/2009,
IT Governance in Brief
Once again I refer here to my good friend Miguel García, author of the blog Gobernanza de TI, who once more treats us to an excellent article in which he clearly describes the main concepts of IT Governance and the approach to it that can be taken through COBIT. As I told him a few minutes ago in a comment on the article, I believe that one of the great challenges ahead of us, which is at the same time a common issue with certain clients, is trying to bring the concept of IT Governance to organisations in which there really is no Governance as such (cue popular outcry! ;)), or at least not one with a sufficient level of maturity (not personal, but organisational and “methodological”) to take on such an interesting concept (and such an important one for them… even if they don't know it). For that, building an approach that is understandable, measurable and effective is very important. Probably the top 10 companies in each country have the level to understand and adopt these organisational frameworks, but for the rest that approach needs to be worked out properly. To this must be added the human factor (as always):
Put like that it sounds a bit… ugly? But it really is possible that if we don't convey things properly, what our counterparts end up hearing/understanding is exactly that. We have work ahead of us (interesting work, mind you!).
08/05/2009,
Participate in the ISA-95/MESA Best Practices Work Group
»»
Hello All, I am finally moving forward with ISA-95 Best Practices Book 2.0 after a 2 year break. Book 1.0 was a great success. Many companies and industry analysts have made it required educational reading. To build on this in Book 2.0, we, as the ISA-95/MESA Best Practices Working Group, will choose 10 methodology or detailed vertical examples to publish. Read more... |
07/05/2009,
Discount for WBF members
»»
All WBF members are entitled to the discount for Automation Federation membership:
The Automation Federation is supporting the Progressive Manufacturing Summit 2009: Redefining the Business of Manufacturing in Turbulent Economic Times.
When: 9-11 June Read more... |
04/05/2009,
When Authentication Matters
»»
You will have noticed that I haven't shown up here for a couple of weeks. The reason could not be better: I have become a father again, and priorities are what they are, so this space has been somewhat neglected. Taking advantage of my wife's pregnancy, for a few months I had been observing a situation that I found quite worrying, and which I was waiting to publish here until my daughter was born: the lack of "authentication" in medical services. Let me explain. From the first visit to the doctor up to the moment of delivery, the only authentication mechanism the medical services applied to the mother was the health card, which, as you can imagine, is no authentication at all, since it contains no data that can easily be "checked" (such as a photograph or similar). This surprised me somewhat at first, and left me deeply worried when, on going to the emergency room on the day of the birth, at no point was she asked for her national identity document or any other adequate means of authentication. This means that someone could impersonate the mother (a surrogate mother, for example) throughout the whole pregnancy and even at the delivery itself very easily (just by carrying her health card!!)… with the whole range of possibilities that opens up. I was somewhat reassured when, shortly after my daughter was born, they took the fingerprints of the mother and the baby (well, at least one biometric point of authentication, in reality more of a registration, and a poor one, since the prints were smudged) and gave me a copy of the form that I was supposed to hand in at the Civil Registry when registering the newborn. At the Registry, I have to tell you that at no point did they ask me for the form, so I was able to register my daughter without any authentication whatsoever, once again. My question then is: is any kind of check performed against the fingerprints recorded on the hospital form, or is it a mere record?
My impression is that it is only the latter, although if anyone has more information on this subject, I would be delighted to hear it. This only confirms my distrust of the usual authentication mechanisms in the health sector, where they are so extremely important (going from being who you say you are to being someone else can mean the removal of a vital organ… or welcoming a new child… without having conceived one). In fact, there have been significant frauds exploiting this weakness, swapping the records of sicker patients for those of healthy ones (for example, to obtain pensions "maliciously") and similar events. … Two close relatives, at different times and places, both with serious bone problems in knees, back, etc.: curiously, all the X-rays they had disappeared from their records… coincidence?… It is important to protect the data handled in these areas, but it is also important to ensure their authenticity and integrity (availability, like courage, is taken for granted ;)). Is there any mandatory measure in this regard? Read more... |
16/04/2009,
Is the Cloud to Managed Infrastructure what Guitar Hero is to Karaoke?
»»
This phrase, which I loved and fully agree with, is not mine (unfortunately ;)) but Christofer Hoff's, and it appears in the March issue of the ISSA Journal, referring to the famous and so-fashionable term Cloud Computing, which he discusses so often on his blog. The phrase refers to the fact that we would probably see very few of our friends belting out some 80s song in a karaoke bar while dancing to it and gesturing like a madman, and yet it is quite possible that many of them are doing exactly that at home, with the difference that the "karaoke" isn't called that but "Guitar Hero", and it runs on an Xbox in the living room. In the same way, companies or people who would never have outsourced various services to a "managed infrastructure" environment or hosted their data outside their organization are now starting to do so because suddenly it is called "Cloud Computing", even though in its basic principles it remains practically the same (if we ignore the significant differences and current commercial approaches…). The truth is that as of today I don't believe in this fashionable topic at all (maybe I'll have to take that back later, who knows :-P), which, as Hoff points out, is more of a novelty in its commercial approach than in its technological principles. If you want to dig deeper into the subject, I recommend his blog Rational Survivability, which includes very interesting reflections, content and opinions on this topic (and others). His latest post, commenting on the Jericho Forum's "Cloud Cube" model and his impressions of it, is a must-read. Take a look. Read more... |
08/04/2009,
Confirmation of Attacks on Critical Infrastructure in the United States
»»
Today the Wall Street Journal published, and various blogs and online media are echoing, a news item that confirms our suspicions and recommendations on the protection of critical infrastructure, which we have been discussing here for some time. In my presentations and talks I always say that information security in the industrial environment is at least 5 years behind the situation in the rest of corporate systems, and I say that if we imagined a world in which a simple cold could kill us, we would be talking about the security of industrial systems, industrial computing and SCADA systems, among others. Well, today's Wall Street Journal article confirms that the United States has suffered attacks on its electricity supply networks from China, Russia and other countries, and that malicious software and programs have been found installed internally, ready to be activated, which could cause major disruptions to the service if triggered (they say these were probably prepared to be activated in the event of war or some other kind of attack… although that may be somewhat theatrical, judging by the article). The point is that official sources confirm these attacks and these facts. They also indicate that the findings were not discovered by the companies that maintained the systems but by "government intelligence agencies", which is even more worrying, and they leave figures such as more than 100 million dollars spent over the last 6 months repairing "cyber-damage" (that is, problems caused from "cyberspace"). Perhaps this is one of the reasons for the major cyberspace defence programme that the "Obama administration" is rolling out, dedicating very significant financial, human and organizational resources to the matter.
As we have already discussed here, there are several mandatory regulations and standards in that country for energy, water and similar utility companies. They seem to be on the way to taking the reins of the problem and starting to tackle it. I asked here before what the situation in our country is in this respect… and I have received no comment or reply… which only confirms my concern (one that grows every time I get to know a critical installation). We should be doing something… if we aren't already, don't you think? You can read the full article here. I recommend reading it. Read more... |
06/04/2009,
Secure Quotes
»»
No, I'm not referring to the kind of dates where we get to know the person we're going to have dinner with. Below I reproduce only the first 10… anyone who wants to read the rest can do so on the authors' blog, since they did the work :) 1.- The more insecure you feel, the more secure you become. Congratulations to both of them again! Read more... |
03/04/2009,
Case Of The Robotic Reflex - Conclusion
»»
"What's he doing?"
Cedric was whispering questions into Scrap's ear as I busily typed away into a shell window.
"He's doing what he does. He's looking for a contact lens in shag carpet." Scrap joked as he watched me searching through files on Cookie'...
Read more... |
07/02/2009,
Dear Journalists/Security Bloggers - Don't Believe The Hype
»»
I am seriously getting sick of security companies spewing fear and terror to sell products. My inbox, voicemail and even my social network connections are full of this crap.
Case in point:
iWork 09 Virus
This is a perfect example of how an anti-virus...
Read more... |
19/01/2009,
Recommended: How To Suck At Information Security
»»
Reader RS pointed me at this article at sans.org by Lenny Zeltser. It's a good read and lists many of my pet peeves about INFOSEC 'professionals'. I've listed a few here - but you need to click and read the article for the whole enchilada.
From the a...
Read more... |
12/01/2009,
The Economy Stinks - Get That IT Security Job Today
»»
A while back I wrote an incredibly popular post on getting a job in IT Security. With today's economy in a recession and unemployment approaching double-digits here in the United States, I thought it was time to revisit this post.
I received quite a ...
Read more... |
22/06/2009,
HTTPS security for web applications
»»
A group of privacy and security experts sent a letter today urging Google to strengthen its leadership role in web application security, and we wanted to offer some of our thoughts on the subject. We've long advocated for, and demonstrated, a focus on strong security in web applications. We run our own business on Google Apps, and we strive to provide a high level of security to our users. We currently let people access a number of our applications (including Gmail, Google Docs, and Google Calendar, among others) via HTTPS, a protocol that establishes a secure connection between your browser and our servers. Let's take a closer look at how this works in the case of Gmail. We know that tens of millions of Gmail users rely on it to manage their lives every day, and we have offered HTTPS access as an option in Gmail from the day we launched. If you choose to use HTTPS in Gmail, our systems are designed to maintain it throughout the email session, not just at login, so everything you do can be passed through a more secure connection. Last summer we made it even easier by letting Gmail users opt in to always use HTTPS every time they log in (no need to type or bookmark the "https"). Free, always-on HTTPS is pretty unusual in the email business, particularly for a free email service, but we see it as another way to make the web safer and more useful. It's something we'd like to see all major webmail services provide. In fact, we're currently looking into whether it would make sense to turn on HTTPS as the default for all Gmail users. We know HTTPS is a good experience for many power users who've already turned it on as their default setting. And in this case, the additional cost of offering HTTPS isn't holding us back. But we want to more completely understand the impact on people's experience, analyze the data, and make sure there are no negative effects.
Ideally we'd like this to be on by default for all connections, and we're investigating the trade-offs, since there are some downsides to HTTPS: in some cases it makes certain actions slower. We're planning a trial in which we'll move small samples of different types of Gmail users to HTTPS to see what their experience is, and whether it affects the performance of their email. Does it load fast enough? Is it responsive enough? Are there particular regions, or networks, or computer setups that do particularly poorly on HTTPS? Unless there are negative effects on the user experience or it's otherwise impractical, we intend to turn on HTTPS by default more broadly, hopefully for all Gmail users. We're also considering how to make this work best for other apps including Google Docs and Google Calendar (we offer free HTTPS for those apps as well). Stay tuned, but we wanted to share our thinking on this, and to let you know we're always looking at ways to make the web more secure and more useful. Update @ 1:00pm: We've had some more time to go through the report. There's a factual inaccuracy we wanted to point out: a cookie from Docs or Calendar doesn't give access to a Gmail session. The master authentication cookie is always sent over HTTPS, whether or not the user specified HTTPS-only for their Gmail account. But we can all agree on the benefits of HTTPS, and we're glad that the report recognizes our leadership role in this area. As the report itself points out, "Users of Microsoft Hotmail, Yahoo Mail, Facebook and MySpace are also vulnerable to [data theft and account hijacking]. Worst of all, these firms do not offer their customers any form of protection. Google at least offers its tech savvy customers a strong degree of protection from snooping attacks." We take security very seriously, and we're proud of our record of providing security for free web apps. Read more... |
22/06/2009,
Top 10 Malware Sites
»»
A recent surge in compromised web servers has generated many interesting discussions in online forums and blogs. We thought we would join the conversation by sharing what we found to be the most popular malware sites in the last two months. The graph shows the top-10 malware sites as counted by the number of compromised web sites that referenced them. All domains on the top-10 list are suspected to have compromised more than 10,000 web sites on the Internet. The graph also contains arrows indicating when these domains were first listed via the Safe Browsing API and flagged in our search results as potentially dangerous. Other malware researchers reported widespread compromises pointing to the domains gumblar.cn and martuz.cn, both of which made it onto our top-10 list. For gumblar, we saw about 60,000 compromised sites; Martuz peaked at slightly over 35,000 sites. Beladen.net was also reported to be part of a mass compromise, but made it only to position 124 on the list with about 3,500 compromised sites. To help make the Internet a safer place, our Safe Browsing API is freely available and is being used by browsers such as Firefox and Chrome to protect users on the web. Read more... |
22/06/2009,
Reducing XSS by way of Automatic Context-Aware Escaping in Template Systems
»»
Building on our earlier posts on defenses against web application flaws ["Automating Web Application Security Testing", "Meet ratproxy, our passive web security assessment tool"], we introduce Automatic Context-Aware Escaping (Auto-Escape for short), a functionality we added to two Google-developed general purpose template systems to better protect against Cross-Site Scripting (XSS). We developed Auto-Escape specifically for general purpose template systems; that is, template systems that are for the most part unaware of the structure and programming language of the content on which they operate. These template systems typically provide minimal support for web applications, possibly limited to basic escaping functions that a developer can invoke to help escape unsafe content being returned in web responses. Our observation has been that web applications of substantial size and complexity using these template systems have an increased risk of introducing XSS flaws. To see why this is the case, consider the simplified template below in which double curly brackets
In this template, four variables are used (not in this order):
Each of these variable insertions requires a different escaping method or risks introducing XSS. To keep the example small, we excluded several contexts of interest, particularly style tags, HTML attributes that expect Javascript (such as
Auto-Escape
The example above demonstrates the importance of understanding the precise context in which variables are being inserted and the need for escaping functions that are both safe and correct for each. For larger and more complex web applications, we notice two related vectors for XSS:
Considering the sheer number of templates in large web applications and the amount of untrusted content they may operate on, the process of proper escaping becomes complicated and error prone. It is also difficult to audit efficiently from a security testing perspective. We developed Auto-Escape to take that complexity away from the developer and into the template system, and therefore reduce the XSS risks that would otherwise have ensued.
A Look at Implementation
Auto-Escape is a functionality designed to make the template system aware of the web application context and therefore able to apply the required escaping automatically and properly. This is achieved in three parts:
A simple mechanism is provided for the developer to indicate that some variables are safe and should not be escaped. This is used for variables that are either escaped through other means in source code or contain trusted markup that should be emitted intact.
Current Status
Auto-Escape has been released with the C++ Google Ctemplate for a while now and it continues to develop there. You can read more about it in the Guide to using Auto-Escape. We also implemented Auto-Escape for the ClearSilver template system and expect it to be released in the near future. Lastly, we are in the process of integrating it into other template systems developed at Google for Java and Python and are interested in working with a few other open source template systems that may benefit from this logic. Our HTML/Javascript parser is already available with the Google Ctemplate distribution and is expected to be released as a stand-alone open source project very soon. Co-developers: Filipe Almeida and Mugdha Bendre Read more... |
22/06/2009,
Why Googlers attend the Internet Identity Workshop
»»
Posted by Eric Sachs, Senior Product Manager, Google Security. Google's participation in the Internet Identity Workshop (IIW) has grown from a few lone individuals at its founding in 2005 to fifteen Googlers at the last IIW. The reason for this growth is that as Google has started to provide more APIs and developer tools for our application hosting business, we have found that standards and interoperability for identity and security on the Internet are critical. Our engineers attend to discuss standards such as OAuth, OpenSocial, SAML, Portable Contacts, as well as longer term trends around discovery, malware, phishing, and stronger authentication. Another major topic is the usability of these technologies, which we summarized in a blog post after the last IIW. We hope that other companies and individuals working in these areas will register to attend IIW 2009a and start building momentum for another great event. If you attended either the Facebook hosted UX summit in Feb 2009 or the Yahoo hosted UX summit in Oct 2008, you can join in further discussions on those topics at the upcoming IIW. Google attendees: Dirk Balfanz, Nathan Beach, Breno de Medeiros, Cassie Doll, Brian Eaton, Ben Laurie, Kevin Marks, John Panzer, Eric Sachs, and more to come Read more... |
22/06/2009,
Announcing "Browser Security Handbook"
»»
Many people view the task of writing secure web applications as a very complex challenge - in part because of the inherent shortcomings of technologies such as HTTP, HTML, or Javascript, and in part because of the subtle differences and unexpected interactions between various browser security mechanisms. Through the years, we found that having a full understanding of browser-specific quirks is critical to making sound security design decisions in modern Web 2.0 applications. For example, the same user-supplied link may appear to one browser as a harmless relative address, while another could interpret it as a potentially malicious Javascript payload. In another case, an application may rely on a particular HTTP request that is impossible to spoof from within the browser in order to defend the security of its users. However, an attacker might easily subvert the safeguard by crafting the same request from within commonly installed browser extensions. If not accounted for, these differences can lead to trouble. In hopes of helping to make the Web a safer place, we decided to release our Browser Security Handbook to the general public. This 60-page document provides a comprehensive comparison of a broad set of security features and characteristics in commonly used browsers, along with (hopefully) useful commentary and implementation tips for application developers who need to rely on these mechanisms, as well as engineering teams working on future browser-side security enhancements. Please note that given the sheer number of characteristics covered, we expect some kinks in the initial version of the handbook; feedback from browser vendors and security researchers is greatly appreciated. Read more... |
22/06/2009,
Writing workable infosec policies
»»
Writing in Computerworld, author Jennifer Bayuk offers some innovative suggestions on how best to write information security policies that are effective and workable in practice. I particularly like...
Read more... |
22/06/2009,
Appeals Court Protects White House Office E-mails
»»
From today's GigaLaw news:
"A federal appeals court ruled that the office that has records about millions of possibly missing e-mails from the Bush White House does not have to make them public. The...
Read more... |
22/06/2009,
Pop Mechanics does infrastructure security
»»
Popular Mechanics gives the US national infrastructure a once-over from the perspective of its resilience to cyberwarfare, asking "How Vulnerable is U.S. Infrastructure to a Major Cyber Attack? Could...
Read more... |
22/06/2009,
Revised NIST security awareness/training standard
»»
I've been reading and thinking today about a revised NIST Special Publication, SP 800-16, currently released for public comment. If you are genuinely interested in making security awareness more...
Read more... |
22/06/2009,
How to fix SCADA security [not]
»»
In "A cautionary tale about nuclear change management" ComputerWorld blogger Scott McPherson discusses a few security incidents that have been linked to SCADA systems, picking out two causes: poor...
Read more... |
22/06/2009,
Penetration Testing Challenge: Santa Claus is Hacking to Town
»»
This past holiday season Ed Skoudis published one of his always interesting, amusing, and educational thematic security challenges at the Ethical Hacker Network: "Santa Claus is Hacking to Town". The last one I participated in was in mid-to-late 2006, although I had been a huge fan of them since 2003. This time the challenge was penetration testing focused, rather than incident handling based, so I decided to play and enjoy it. Honestly, of all the security services I offer, penetration testing has taken an increasingly significant percentage of my time over the last few years. There is a clear need in the industry for more pen-testers.
I suggest you read the challenge text and try to solve it before reading the official solution and answers. You can get some hints by reading the first paper referenced at the end of this post (Ed told me he published them there on purpose to help people out with the challenge), although it is more fun to solve it from scratch :) You can find my submission here. I also generated (outside the contest) a second version of the paper that includes the challenge text, my official solution, and an appendix with a simpler and more direct solution to the challenge, plus the reasons why it was not included in my final submission. Definitely, I could have been stealthier by providing the "-n" option to all the netcat relay instances in order to disable DNS resolution. Complementarily, my InGuardians friends recently released two penetration testing papers you might be interested in: "Secrets of America's Top Pentesters" (Ed) and "Vista Wireless Power Tools for the Penetration Tester" (Joshua). I strongly recommend both! -- Raul Siles www.raulsiles.com Read more... |
22/06/2009,
NMAP Trivia ANSWERS: Mastering Network Mapping and Scanning
»»
Three weeks ago I published the NMAP Trivia challenge. Thanks to all ISC readers that submitted their responses! A special mention goes to the winning entry from Jason DePriest, an extensive and elaborate submission, available here. Congratulations! The prize (a technical book) is on its way! ;) Jon Kibler provided an in-progress idea for a new nmap feature, a scan proxy engine equivalent to the FTP bounce scan, to scan through HTTP or SOCKS. Now... it is time for the answers: 1. What are the default target ports used by the current nmap version (4.76)? How can you change the target ports list? What (nmap) options can be used to speed up scans by reducing the number of target ports and still check (potentially) the most relevant ones? How can you force nmap to check all target ports? 2. How can you force nmap to scan a specific list of 200 target ports, only relevant to you?
Try it on your own! ;)
6. Why is port number 49152 relevant to nmap? 7. What is the only nmap TCP scan type that classifies the target ports as "unfiltered"? Why? What additional nmap scan type can be used to discern if those ports (previously identified as "unfiltered") are in an open or closed state? 8. When (and in what nmap version) was the default state for a non-responsive UDP port changed in nmap (from "open" to "open|filtered")? Why? 9. What is the default scan type used by nmap when none is specified, as in "nmap -T4 scanme.nmap.org"? Is this always the default scan method? If not, what other scan method does nmap default to, under what conditions, and why? 10. What nmap features (can make or) make use of nmap's raw packet capabilities? What nmap features rely on the OS TCP/IP stack instead? 11. Nmap's performance has sometimes been criticized versus other network scanners. What (nmap) options can you use to convert nmap into a faster, stateless scanner for high performance but less accurate results? 12. What relevant nmap feature does not allow an attacker to use the decoy functionality (-D) and might reveal his real IP address? 13. What are the (nmap) options you can use to identify all the steps followed by nmap to fingerprint and identify the Web server version running on scanme.nmap.org? 14. As an attacker, what port number would you select to hide a listening service backdoor trying to avoid accurate detection by nmap's default aggressive fingerprinting tests? Would it be TCP or UDP? Why? What additional (nmap) options do you need to specify as a defender to fingerprint the hidden service backdoor? 15. What is the language used to write NSE scripts, and what two other famous open-source security tools/projects currently use the same language? 16. What Linux/Windows command can you use to identify the list of NSE scripts that belong to the "discovery" category and will execute when this set of scripts is selected with the "--script discovery" nmap option? 17. How can you know the specific arguments accepted by a specific NSE script, such as those accepted by the whois.nse script? Finally, a couple of extra questions for the real nmap-lovers:
That's all folks! Happy nmap discovery and scanning! NOTE: This challenge has been published on the Internet Storm Center (ISC) diary too. -- Read more... |
22/06/2009,
Security Book Review: "Nmap Network Scanning"
»»
"Nmap Network Scanning"
Author: Gordon "Fyodor" Lion Editorial: Nmap Project Publication date: January 1, 2009 ISBN-10: 0979958717 ISBN-13: 978-0979958717 Summary: The Art of Network Mapping and Scanning Masterpiece. Score: 5+/5 Review: I could summarize this book review by saying this is THE nmap reference book, what in itself would be an obvious conclusion I already expected before reading a single page, just by looking at the author name. Fyodor is the creator of nmap, a tool he has carefully fed and taken care of during all these years, and slightly knowing him from the Honeynet project, I couldn't expect less. "Nmap Network Scanning" is a masterpiece that teaches the reader the Art of Network Mapping and Scanning, and definitely, one of the best books I've read in years. Honestly, there are only a few minor things regarding network scanning you cannot accomplish with a single tool, the current nmap version. The book takes advantage of it. The official nmap reference guide is simply included on chapter 15, while the rest of the book steers the reader through the nifty art of network mapping and scanning. It disects the network scanning phases and techniques, describing the different options and tool arguments available throughout practical examples and real-world usage tips, here and there, that will improve all your scanning techniques. This is a never-ending book that took Fyodor 5 years to write, and it clearly spreads his experience testing and analyzing networks. This is specially true in the "Solution" section at the end of some chapters, where real-world scenarios are efficiently solved. Additionally, the book clearly pinpoints the limitations for the multiple platforms (eg. Windows vs Linux) and scenarios (eg. privileged vs non-privileged user) nmap can run on. Besides that, it summarizes most nmap internals without requiring you to dive deep into the source code, what is a challenge in itself. 
All this information is complemented with some real challenges you find as a penetration tester today, such as the limitations to spoof Internet traffic from legal ISP, a topic I've been researching about recently. The most advanced and technical chapters are chapter 7 and 8, detailing the inner workings of the nmap service, application, and OS fingerprinting modules, and chapter 9, providing the NSE knowledge required to read and develop your own nmap scripts. This is the type of book I recommend you to read in front of your computer, practicing simultaneously. Open a terminal, enable your network connection, and run the latest nmap version as you read throughout the book while testing the different options and examples. You can use multiple target virtual machines to experiment with, or if not available, the scanme.nmap.org site (use with caution). One thing is sure: you will have a lot of fun! I have been using nmap since 1999, and found the book fits a broader audience, from the novice reader (please, do not get overwhelmed initially by all the available nmap options and scan types), that can learn the principles of the scanning techniques used (the packet flow diagrams on the port scanning chapter are specially helpful), up to the advanced professional, explaining what's behind the scenes of every technique and nmap argument, at the OS and network traffic level. The book applies to most security professionals, from security administrators that need to manage and secure their environments, to penetration testers interested on driving their skills to a new level. This is the kind of book that feeds your creativity and research motivation. Fyodor, once again, promotes along the book the open-source philosophy, the need to share and contribute to the community, in this case in the form of OS and service fingerprints, NSE scripts, or just reporting nmap bugs. 
Some minor things I would have liked to see mentioned for an extra finishing touch, offering my tiny contribution for a future version, are:
Fyodor was generous enough to release an extensive portion of the book for free on the official nmap book website. Take a look at it and you won't have any doubts about getting your own full copy. UPDATE: Amazon review. Read more... |
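The review points at chapter 9 as the place to learn to read and write NSE scripts. As a concrete illustration of what such a script looks like, here is an added example that is not code from the book or from the Nmap project: a small banner-grabbing script that flags a few well-known greeting formats. The script name (banner-flag), the port list and the pattern table are assumptions constructed for the example; it uses the `local x = require "x"` library form of current Nmap releases rather than the global-library style of the 4.76-era scripts the trivia below refers to. The matching logic is kept in a pure function so it can be read and exercised without a live socket.

```lua
-- Added example (not from the book or the Nmap project): a minimal NSE script.
-- Assumed name: banner-flag.nse. Port list and patterns are constructed for
-- illustration; adjust them to the services you actually want to inspect.
local comm      = require "comm"
local shortport = require "shortport"
local stdnse    = require "stdnse"
local string    = require "string"

description = [[
Reads the first line a TCP service sends on connect and flags it when it
matches a small, hand-picked list of greeting patterns.
]]

---
-- @usage
-- nmap --script ./banner-flag.nse -p 21,22,25,110,143 scanme.nmap.org
--
-- @output
-- PORT   STATE SERVICE
-- 22/tcp open  ssh
-- | banner-flag:
-- |   banner: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13
-- |_  flag: SSH server identifies its software version

author = "example author (not the Nmap project)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- Constructed pattern table: a Lua pattern and the note emitted when it hits.
-- Order matters: the first match wins.
local FLAGS = {
  {"^SSH%-2%.0%-",                  "SSH server identifies its software version"},
  {"^220[%s%-].*FTP",               "FTP service greets with a banner"},
  {"^220[%s%-].*[Ss][Mm][Tt][Pp]",  "SMTP service greets with a banner"},
  {"^%+OK",                         "POP3 greeting"},
  {"^%* OK",                        "IMAP greeting"},
}

-- Run against open TCP ports that are either in the numeric list or that
-- version detection (-sV) identified as one of the named services.
portrule = shortport.port_or_service(
  {21, 22, 25, 110, 143},
  {"ftp", "ssh", "smtp", "pop3", "imap"},
  "tcp")

-- Pure matching step: returns the note for the first matching pattern, or nil.
-- Kept separate from the socket code so it can be tested with string input.
local function classify(banner)
  for _, entry in ipairs(FLAGS) do
    if string.find(banner, entry[1]) then
      return entry[2]
    end
  end
  return nil
end

action = function(host, port)
  -- Connect, send nothing, and read one line; every listed service talks first.
  -- comm.exchange returns (true, data) on success or (false, error string).
  local status, data = comm.exchange(host, port, "", {lines = 1, timeout = 5000})
  if not status then
    stdnse.debug1("no banner from %s:%d (%s)", host.ip, port.number, tostring(data))
    return nil   -- nil output keeps the script silent for this port
  end

  local banner = string.gsub(data, "[\r\n]+$", "")   -- strip the line ending
  if banner == "" then
    return nil
  end

  -- output_table keeps key order, so normal and XML (-oX) output stay readable.
  local out = stdnse.output_table()
  out.banner = banner
  out.flag = classify(banner) or "no pattern matched"
  return out
end
```

Run it with `nmap --script ./banner-flag.nse -p 21,22,25,110,143 <target>`; because the rule is a port-or-service rule, adding `-sV` lets it also trigger on non-standard ports once version detection names the service. The "safe" category is only honest while the script sends nothing but reads a single line, which is why the exchange uses an empty payload.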
22/06/2009,
NMAP Trivia: Mastering Network Mapping and Scanning
»»
Recently the official (and highly recommended) NMAP book, "NMAP Network Scanning" by Fyodor, was published. I will post its review here in the next few days. Meanwhile, I thought it would be very productive to challenge you with an NMAP Trivia. The main goal is providing some entertainment during the holiday season and the early days of 2009, and at the same time, forcing you to practice and play with the latest stable nmap version, v4.76, trying to increase your technical knowledge, skills, and mastery of the traditional and current features of such an important security tool.
Send your answers to radajo@gmail.com using "NMAP Trivia" as the subject by January 15. The winner will get a copy of one of the latest technical security books I get access to. NOTE: This challenge has been published on the Internet Storm Center (ISC) diary too. Read more... |
22/06/2009,
Security Book Review: "Voice over IP Security"
»»
"Voice over IP Security"
Author: Patrick Park Publisher: Cisco Press Publication date: September, 2008 ISBN-10: 1587054698 ISBN-13: 978-1587054693 Summary: General VoIP security overview. Best chapters: SBCs and LI. Score: 4/5 Review: The book provides a good general overview of VoIP security, covering multiple topics involved in securing a VoIP infrastructure, from network devices to VoIP servers, plus secure VoIP protocols. In my opinion, the best chapters are chapters 8, 10 and 11, Session Border Controllers (SBCs) and Lawful Interception (LI), respectively; it is difficult to find books covering these topics still today, although these are two of the major areas regarding VoIP security nowadays. SBCs are the VoIP security element by design and therefore a key device in any VoIP infrastructure. The book covers SBC types, access and peering, expected SBC functionality and capabilities (such as DoS protection, translation and NAT features, LI, high availability and load balancing, etc.) and offers a brief introduction to its architecture design concepts. Lawful Interception (LI) by law enforcement (LE), or LI by LE :), is one of the main VoIP research topics today, especially when strong security features are added, such as signaling and media encryption, that make interception more difficult. The last two chapters cover the fundamentals of LI on VoIP networks (following the Cisco model, as there are three other standards), describing the different elements, functions, and interfaces involved. It is a theoretical chapter followed by some practical advice on implementing LI, very detailed and Cisco-based. The book starts with an introductory overview of VoIP, its benefits and drawbacks, and some security concerns. Then it provides another VoIP threat taxonomy, a good generic overview that lacks some VoIP threats and complements (or simply provides another perspective on) the IETF draft and VOIPSA VoIP threat taxonomies. 
Unfortunately, I have not yet found a classification that consolidates all the different VoIP threats from (IMHO) the right perspective. Chapter 3 offers an interesting summarized analysis of the main VoIP protocols, how they work, and their main security requirements and features. It covers H.323, SIP, and MGCP; I especially liked the SIP section, with descriptive message captures and flow diagrams. Chapter 5 complements the VoIP protocols with the main network devices in a VoIP environment, their role, and key security requirements. Although chapter 7 extends the security analysis of VoIP protocols, covering authentication and signaling and media encryption, it does not cover the latest key exchange solutions, such as DTLS, ZRTP or MIKEY v2, as it is focused mainly on S/MIME. All these chapters provide a lightweight analysis of VoIP security, not going very much in depth into any of the topics covered. The book is a good overview reference for the VoIP security novice reader, I guess intended for network and system administrators, law enforcement, or security pros new to VoIP. VoIP threats, including some attack types and tools, are analyzed in chapter 6. This chapter covers in detail a few VoIP attacks, providing simulations, examples and command line options for widely available attack tools. It allows the reader to see some real attacks in action, although it only shows the tip of the iceberg regarding all the tools and attacks that are possible; please, do not get the feeling that this is all you can do. Chapter 4 covers cryptography, and in my opinion, it doesn't fit in the book; although crypto is a key aspect of protecting VoIP infrastructures, the novice reader can get this info from other sources. As the book is from Cisco Press, chapter 9 focuses on specific Cisco features and syntax, especially in the practical sections that provide configuration details for firewalls, access devices, and the Unified Communications Manager (& Express), formerly CallManager. 
The info is useful to get an overview of the implementation steps, but does not apply to you if you are using equipment from other vendors. Overall, it is a generic reference book to start getting involved in the VoIP security world and acquire a general understanding of the main VoIP security threats, target network elements, VoIP protocols, and security solutions. Once again, the SBC and LI sections are my favorites. UPDATE: Amazon review. NOTE: I will not publish my reviews on Bookpool anymore due to their hard-to-use interface and review rules. Read more... |
22/06/2009,
SANS 2009
»»
More than 35 courses, SANS top instructors, all in one great place! SANS 2009 is being held in Orlando, FL on March 2-9. Register today!
Read more... |
22/06/2009,
Incident Handlers Guide to SQL Injection Worms
»»
|
22/06/2009,
Building an Automated Behavioral Malware Analysis Environment using Open Source Software
»»
|
22/06/2009,
PCI DSS and Incident Handling: What is required before, during and after an incident
»»
|
22/06/2009,
Virtual Rapid Response Systems
»»
|
22/06/2009,
Engineers More Likely to Become Muslim Terrorists
»»
|
22/06/2009,
Friday Squid Blogging: Squid Embryos
»»
|
22/06/2009,
This Week's Movie-Plot Threat: Fungus
»»
I had been wondering whether to post this, since it's not really a security threat -- there's no intelligence by the attacker: Crop scientists fear the Ug99 fungus could wipe out more than 80% of worldwide wheat crops as it spreads from eastern Africa. It has already jumped the Red Sea and traveled as far as Iran. Experts say it is poised to enter the breadbasket of northern India and Pakistan, and the wind will inevitably carry it to Russia, China and even North America -- if it doesn't hitch a ride with people first. Read more... |
22/06/2009,
Fraud on eBay
»»
I expected selling my computer on eBay to be easy. Attempt 1: I listed it. Within hours, someone bought it -- from a hacked account, as eBay notified me, cancelling the sale. Attempt 2: I listed it again. Within hours, someone bought it, and asked me to send it to her via FedEx overnight. The buyer sent payment via PayPal immediately, and then -- near as I could tell -- immediately opened a dispute with PayPal so that the funds were put on hold. And then she sent me an e-mail saying "I paid you, now send me the computer." But PayPal was faster than she expected, I think. At the same time, I received an e-mail from PayPal saying that I might have received a payment that the account holder did not authorize, and that I shouldn't ship the item until the investigation is complete. I'm willing to make Attempt 3, if just to see what kind of scam happens this time. But I still want to sell the computer, and I am pissed off at what is essentially a denial-of-service attack. The facts from this listing are accurate; does anyone want it? List price is over $3K. Send me e-mail. EDITED TO ADD (6/19): It's not just me. Read more... |
22/06/2009,
Imagining Threats
»»
A couple of years ago, the Department of Homeland Security hired a bunch of science fiction writers to come in for a day and think of ways terrorists could attack America. If our inability to prevent 9/11 marked a failure of imagination, as some said at the time, then who better than science fiction writers to inject a little imagination into counterterrorism planning? I discounted the exercise at the time, calling it "embarrassing." I never thought that 9/11 was a failure of imagination. I thought, and still think, that 9/11 was primarily a confluence of three things: the dual failure of centralized coordination and local control within the FBI, and some lucky breaks on the part of the attackers. More imagination leads to more movie-plot threats -- which contributes to overall fear and overestimation of the risks. And that doesn't help keep us safe at all. Recently, I read a paper by Magne Jørgensen that provides some insight into why this is so. Titled More Risk Analysis Can Lead to Increased Over-Optimism and Over-Confidence, the paper isn't about terrorism at all. It's about software projects. Most software development project plans are overly optimistic, and most planners are overconfident about their overoptimistic plans. Jørgensen studied how risk analysis affected this. He conducted four separate experiments on software engineers, and concluded (though there are lots of caveats in the paper, and more research needs to be done) that performing more risk analysis can make engineers more overoptimistic instead of more realistic. Potential explanations all come from behavioral economics: cognitive biases that affect how we think and make decisions. (I've written about some of these biases and how they affect security decisions, and there's a great book on the topic as well.) First, there's a control bias. We tend to underestimate risks in situations where we are in control, and overestimate risks in situations when we are not in control. 
Driving versus flying is a common example. This bias becomes stronger with familiarity, involvement and a desire to experience control, all of which increase with increased risk analysis. So the more risk analysis, the greater the control bias, and the greater the underestimation of risk. The second explanation is the availability heuristic. Basically, we judge the importance or likelihood of something happening by the ease of bringing instances of that thing to mind. So we tend to overestimate the probability of a rare risk that is seen in a news headline, because it is so easy to imagine. Likewise, we underestimate the probability of things occurring that don't happen to be in the news. A corollary of this phenomenon is that, if we're asked to think about a series of things, we overestimate the probability of the last thing thought about because it's more easily remembered. According to Jørgensen's reasoning, people tend to do software risk analysis by thinking of the severe risks first, and then the more manageable risks. So the more risk analysis that's done, the less severe the last risk imagined, and thus the greater the underestimation of the total risk. The third explanation is similar: the peak end rule. When thinking about a total experience, people tend to place too much weight on the last part of the experience. In one experiment, people had to hold their hands under cold water for one minute. Then, they had to hold their hands under cold water for one minute again, then keep their hands in the water for an additional 30 seconds while the temperature was gradually raised. When asked about it afterwards, most people preferred the second option to the first, even though the second had more total discomfort. (An intrusive medical device was redesigned along these lines, resulting in a longer period of discomfort but a relatively comfortable final few seconds. People liked it a lot better.) 
This means, like the second explanation, that the least severe last risk imagined gets greater weight than it deserves. Fascinating stuff. But the biases produce the reverse effect when it comes to movie-plot threats. The more you think about far-fetched terrorism possibilities, the more outlandish and scary they become, and the less control you think you have. This causes us to overestimate the risks. Think about this in the context of terrorism. If you're asked to come up with threats, you'll think of the significant ones first. If you're pushed to find more, if you hire science-fiction writers to dream them up, you'll quickly get into the low-probability movie plot threats. But since they're the last ones generated, they're more available. (They're also more vivid -- science fiction writers are good at that -- which also leads us to overestimate their probability.) They also suggest we're even less in control of the situation than we believed. Spending too much time imagining disaster scenarios leads people to overestimate the risks of disaster. I'm sure there's also an anchoring effect in operation. This is another cognitive bias, where people's numerical estimates of things are affected by numbers they've most recently thought about, even random ones. People who are given a list of three risks will think the total number of risks are lower than people who are given a list of 12 risks. So if the science fiction writers come up with 137 risks, people will believe that the number of risks is higher than they otherwise would -- even if they recognize the 137 number is absurd. Jørgensen does not believe risk analysis is useless in software projects, and I don't believe scenario brainstorming is useless in counterterrorism. Both can lead to new insights and, as a result, a more intelligent analysis of both specific risks and general risk. But an over-reliance on either can be detrimental. 
Last month, at the 2009 Homeland Security Science & Technology Stakeholders Conference in Washington D.C., science fiction writers helped the attendees think differently about security. This seems like a far better use of their talents than imagining some of the zillions of ways terrorists can attack America. This essay originally appeared on Wired.com. Read more... |