(ISC)² Links

CATEGORIES

Archives

More...

(ISC)² Twitter Updates

  • (ISC)² Twitter Updates

    About the
    (ISC)² Blog

    • (ISC)² believes in the importance of open dialogue and collaboration, between both (ISC)², its certified members and members of business and society.

      (ISC)² established this blog to provide a voice to its certified members, who have significant knowledge and valuable insights to share that can benefit the information security industry, the people in it and the public at large.

      The postings on this site are the author's own and don't necessarily represent
      (ISC)²'s positions, strategies or opinions. (ISC)² does not control, monitor, or endorse any links provided in this blog and makes no warranty or statement regarding the content on any linked website.

      Those who post comments to blogs should ensure their comments are focused on the topic at hand. (ISC)² reserves the right to remove any post or comment from this site.

      Should you find objectionable content in this blog, please notify us as soon as possible at blog@isc2.org.

      Please click here for FAQs.

      Please click here for the Blog guidelines.

    Enter your email address:

    Delivered by FeedBurner

    « June 2009 | Main | August 2009 »

    Posts from July 2009

    31 July 2009

    Defending Information Assets by Reducing the Attack Surface

    The best way to protect an Information Asset is to reduce its attack surface. And that should always be the first line of defense. We should also implement appropriate security controls to avoid any attacks on the residual risk and to mitigate the amount of damages.

     

    The first and most important step in reducing the attack surface is to identify the Weakness / Vulnerabilities on an Information Asset.

     

    Steps in Identifying the Vulnerabilities include:

     

    1. Identifying vulnerabilities in the Application

    2. Identifying vulnerabilities in the Host

    3. Identifying vulnerabilities in the Network

     

    Once the vulnerabilities are identified, the next step would be reducing the attack surface.

     

    There are many ways to reduce the attack surface of an information asset including but not limited to:

     

    1. Limit access to the Information Assets.

    2. Limit Privileges (Enforce Least Privilege policies)

    3. Reduce number of services installed on the device (Remove or shutdown unwanted services)

    4. Limit the number of communication Protocols

     

    A Narrowed Attack Surface will reduce the likelihood of an attack and mitigates the extent of damage even if an attack occurs.

    Access to an Information Asset can be limited by enforcing strong access control methods. Access to an Information Asset can also be limited by reducing the entry points (console access, ports etc.,). Unwanted ports and protocols should be disabled on all information systems. Critical Applications should only be installed on a dedicated systems and all unwanted ports, services should  also be disabled.

    I will be discussing  various methods we can follow to identify vulnerabilities and to reduce the Attack Surface in Applications, Hosts and Networks in the next 3 posts.

     

    Part 1: Identify and Reduce Attack Surface in Applications

    Part 2: Identify and Reduce Attack Surface in Host

    Part 3: Identify and Reduce Attack Surface in  Network

     

    Disclaimer: "What ever I discussed here are my personal opinions and they do not represent the opinions or positions of my employer".

    Posted by Praveen Karunakaran on 31 July 2009 in Authentication, Hacking, IT Security, Karunakaran, Network Security, Operations Security, Risk | | Comments (0) | TrackBack (0)

    Weekly Summary of the "DHS Daily Open Source Infrastructure Report"

    <p>Department of Homeland Security Daily Open Source Infrastructure Report</p>

    The DHS Daily Open Source Infrastructure Report covers the publicly reported material for the preceding day(s) not previously covered.  This weekly summary provides a selection of those items of greatest significance to the InfoSec professional.

    Week Ending:  Friday, July 31, 2009

    Note:  Be sure to read through to Friday, July 31, 2009.  There are two serious issues there that you must be aware of.  However, do not ignore Monday through Thursday.

    Infrastructure Report for 27 July 2009

    So you believe Microsoft Office is the best tool!  Perhaps you should re-evaluate.

    40. July 23, Computerworld – (International) Microsoft admits it can’t stop Office file format hacks. Microsoft’s plan to “sandbox” Office documents in the next version of its application suite is an admission that the company cannot keep hackers from exploiting file format bugs, a security analyst said on July 23. “What’s been happening is that Office has lots of vulnerabilities,” said Gartner’s primary security analyst. “For the past 18 months, hackers have been fuzzing Office file formats,” he said, referring to the practice of “fuzzing,” a tactic that relies on automated tools that drop random data into applications to see if, and where, breakdowns occur. Fuzzing has been a hacker’s best friend: Microsoft has repeatedly had to patch file format vulnerabilities in Office applications, most recently in July when it fixed a flaw in Publisher 2007 and in June, when it patched seven vulnerabilities in Excel and two more in Word. “What’s happening is that the bad guys are using fuzzing tools to find vulnerabilities in Office, and now Microsoft is saying, ‘Okay, we can’t find, let alone fix, every vulnerability. So here’s a way to put a sandbox around the vulnerability.” The sandbox technique mentioned is a new addition to Office 2010, the upcoming upgrade to Microsoft’s bestselling Windows application suite. According to a senior security program manager with the Office team, Office 2010 will sport something called “Protected View” that isolates Word, Excel and PowerPoint files in a read-only environment. The sandbox, said the program manager in a post to a company blog this week, will have “minimal access to the system, and no access to your other files and information. Even if the file is malicious, it can’t get out of the sandbox and do harm to your computer or data.” Source: http://www.computerworld.com/s/article/9135852/Microsoft_admits_it_can_t_stop_Office_file_format_hacks

    Infrastructure Report for 28 July 2009

    Running Internet Explorer 8?  Have you applied the latest patch?  You should! 

    45. July 27, Softpedia – (International) Critical out-of-band patch for Internet Explorer 8. Microsoft is cooking a security refresh for Internet Explorer 8, and earlier supported versions of the browser, that will be released on July 28. According to the Redmond company, the IE update will be accompanied by a security bulletin for Visual Studio. The software giant underlined that, although two separate security bulletins were scheduled for release come July 28, both updates were designed to resolve a single, overall security problem. The move comes as a necessity to ensure that customers benefit from the broadest protections possible explained the director of MSRC. “While we can’t go into specifics about the issue prior to release, we can say that the Visual Studio bulletin will address an issue that can affect certain types of applications. The Internet Explorer bulletin will provide defense-in-depth changes to Internet Explorer to help provide additional protections for the issues addressed by the Visual Studio bulletin. The Internet Explorer update will also address vulnerabilities rated as Critical that are unrelated to the Visual Studio bulletin that were privately and responsibly reported,” the director noted. The patches coming July 28 are what Microsoft refers to as out-of-band security updates. Source: http://news.softpedia.com/news/Critical-Out-of-Band-Patch-for-Internet-Explorer-8-117601.shtml

    Infrastructure Report for 29 July 2009

    How do you apply patches?  Is it formalized?  Perhaps it should be!

    37. July 27, DarkReading – (International) Nearly half of companies lack a formal patch management process. An open initiative for building a metrics model to measure the cost of patch management found that one-fourth of organizations do not test patches when they deploy them, and nearly 70 percent do not measure how well or efficiently they roll out patches, according to survey results released on July 27. Project Quant, a project for building a framework for evaluating the costs of patch management and optimizing the process, also rolled out Version 1 of its metrics model. Project Quant is an open, community-driven, vendor-neutral model that initially began with financial backing from Microsoft. “Based on the survey and the additional research we performed during the project, we realized that despite being one of the most fundamental functions of IT, patch management is still a relatively immature, inconsistent, and expensive practice. The results really reinforced the need for practical models like Quant,” said the founder of Securosis and one of the project leaders of the initiative. The survey of around 100 respondents was voluntary; participation was solicited mainly via metrics and patch management organizations, so the organizers say the respondents were most likely organizations that take patch management seriously: “The corollary to this interpretation is that we believe the broader industry is probably LESS mature in their patch management process than reflected here,” the report says. Even so, more than 40 percent of them have either no patch management process or an informal one in place. And 68 percent said they do not have a metric for measuring how well they deploy patches, such as the time it takes them to deploy a patch, etc. One-fourth said they do not do any testing before they roll out a patch, and 40 percent rely on user complaints to validate the success of a patch, according to the survey. And more than 50 percent do not measure adherence to policy, including compliance when it comes to patching. Source: http://www.darkreading.com/database_security/security/vulnerabilities/showArticle.jhtml?articleID=218600827

    Infrastructure Report for 30 July 2009

    Are you considering an underground data center?  A few things to consider!

    42. July 28, Computerworld – (International) Data centers go underground. With a renewed focus on data center outsourcing and space in high availability facilities in short supply, investors have snapped up and renovated abandoned mines and military bunkers in the hopes of cashing in. An increase in extreme weather events, heightened concerns about security since the September 11th attacks and the need to provide higher levels of security to comply with regulatory requirements have made these spaces more attractive to some organizations. Before deciding to go underground, IT executives need to identify potential limitations, experts say. Ceiling height can be a challenge to providing sufficient airflow. Another concern is that while computer systems may be protected in a bunker, critical infrastructure needed during a disaster, such as generators, fuel tanks, and air conditioning cooling towers, may be above ground. That could be a problem if the catastrophe is a tornado, warns the chief technology officer at Westec Intelligent Surveillance. Another consideration is that these underground facilities tend to be in rural, out-of-the-way locations. The facilities may be too far away from a company’s primary data center, and finding local lodging for staff in a disaster situation may be difficult. The vice president and general manager at HP Critical Facilities says that security is the primary benefit of using an underground facility to host a primary or secondary data center. But for most of his clients, the ability to get people to the backup data center in a hurry, connectivity options, and finding a facility that meets budget are priorities. Underground facilities usually do not beat out above-ground sites in his clients’ evaluations, he says. The primary benefit of such sites, says an analyst with Gartner Inc., is that they are designed to be highly resilient — often to military specifications. That is important for some government data centers. “But for most commercial enterprises, it probably will not be such a major requirement,” he says. Source: http://www.thestandard.com/news/2009/07/28/data-centers-go-underground?page=0%2C0

    Infrastructure Report for 31 July 2009

    Today’s news contains two serious issues…thus, sitback and read carefully!

    Another virus which warrants your immediate attention!

    33. July 29, Spamfighter News – (International) Computer virus Hidrag.a rapidly spreading across networks. Security researchers have found Hidrag.a, a computer virus, which spreads through browser exploits, network shares and IRC (Internet Relay Chat), as reported by Pc1news on July 10, 2009. Researchers state that once the virus is executed, it stays inside the system’s memory and attempts to infect .scr and .exe files running on the infected PC. In addition, Hidrag.a might establish a backdoor that allows an intruder to make an unhindered entry to the infected computer, putting possible banking and financial data at risk. After execution, Hidrag.a makes its own duplicate copy of approximately 36K in size and plants it on the Windows directory by naming it svchost.exe, according to the researchers. Following this, the virus registers the ‘.exe’ file within the auto-run key of the PC’s registry. The researchers also state that Hidrag.a has a connection with various other files like setup.exe, malware.exe and NoDNS.exe. In fact, other security companies also analyzed this virus. While Symantec and McAfee refer Hidrag.a as W32.Jeefo, Microsoft refers it as Jeefo.A. Other names given to Hidrag.a are Jeefo-3, Virus.Parite.B, TROJ_FLOOD.AF, and so on. Meanwhile, the security researchers said, the malicious Hidrag.a virus has caused the maximum number of infections in the United States where an aggregate of 43,601 strains of malevolent web traffic has been reported. China, which follows the United States, has as many as 42,597 strains of malevolent traffic owing to Hidrag.a. Along with these nations, Brazil, Japan and India are other countries that are infected with the malicious Hidrag, while the United Kingdom, Germany, France, Italy and Russia have also been infected. Source: http://www.spamfighter.com/News-12803-Computer-Virus-Hidraga-Rapidly-Spreading-Across-Networks.htm


    Your corporate antivirus is one you can trust.  What about the ones used by clients connecting into your network?

    34. July 29, CNET News – (International) Report finds fake antivirus on the rise. Malware posing as antivirus software is spreading fast with tens of millions of computers infected each month, according to a report to be released on July 29 from PandaLabs. PandaLabs found 1,000 samples of fake antivirus software in the first quarter of 2008. In a year, that number had grown to 111,000. And in the second quarter of 2009, it reached 374,000, the technical director of PandaLabs said in a recent interview. “We’ve created a specific team to deal with this,” he said, of the rogue antivirus software that issues false warnings of infections in order to get people to pay for software they don’t need. The programs also typically download a Trojan or other malware. PandaLabs found that 3 percent to 5 percent of all the people who scanned their PCs with Panda antivirus software were infected. Using that and worldwide computer stats from Forrester, PandaLabs estimates there could be as many as 35 million computers infected per month with rogue antivirus programs. About 3 percent of the people who see the fake warnings fall for it, forking over $50 for an annual license or $80 for a lifetime license, according to the technical director. Last September, a hacker was able to infiltrate rogue antivirus maker Baka Software and discovered that in one period an affiliate made more than $80,000 in about a week, said a PandaLabs threat researcher. A Finjan report from March estimated that fake antivirus distributors can make more than $10,000 a day. Source: http://news.cnet.com/8301-27080_3-10298253-245.html

    Note:  The DHS only maintains the last ten days of their reports online.  To obtain copies of earlier reports or complete summaries, go to:

     http://dhs-daily-report.blogspot.com/

     

    Posted by Bob Johnston on 31 July 2009 in Current Affairs, Johnston | | Comments (0) | TrackBack (0)

    27 July 2009

    Are federal agencies receiving mixed messages on information security?

    Since 2002, federal agencies have been following an unclear road of policies that have left them struggling to meet compliance rather than leading efforts to improve information security.  The Federal Information Security Management Act (FISMA) has been interpreted through a multitude of policies from the Office of Management and Budget (OMB) through individual agency security programs.  However, since its inception, reports continue from year to year through Department Inspector Generals (IGs) and the Government Accountability Office (GAO), suggesting that federal agencies are still persistently weak in information security.

    Has FISMA really met its purpose?

    The Federal Information Security Management Act, Section 301, Subsection 3541 (“Purpose”) identifies 6 purposes:

    1. Provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets.
    2. Recognize the highly networked nature of the current Federal computing environment and provide effective governmentwide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities.
    3. Provide for development and maintenance of minimum controls required to protect Federal information and information systems.
    4. Provide a mechanism for improved oversight of Federal agency information security programs.
    5. Acknowledge that commercially developed information security products offer advanced, dynamic, robust, and effective information security solutions, reflecting market solutions for the protection of critical information infrastructures important to the national defense and economic security of the nation that are designed, built, and operated by the private sector.
    6. Recognize that the selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products.

    Are the purposes of FISMA (as noted above) appropriately interpreted or has the meaning of FISMA been lost through the crowded distractions of government policies?

    Based on the reports from government oversight offices such as IGs and the GAO, federal agencies, although improving in their ability to meet compliance with key information security activities such as security awareness training, contingency plan testing, and testing and evaluation of security controls, are still lacking in effectively implementing security controls necessary in protecting information resources. 

    FISMA has offered the idea of a comprehensive framework.  However, agency responses to FISMA have been plagued with inconsistencies that have prevented an effective governmentwide implementation.  A consistent strategy is pertinent to ensure agencies choose to protect their information resources with a common framework.  Therefore, a national strategy should be established that is very specific, but agile enough to offer both strategic and tactical objectives for agencies to use as a basis for developing their own information security strategic plans.  The national strategy would bring together competing and relevant policies into a common, more meaningful set of goals for agencies to bring into their own strategic plans.

    The national strategy should be focused on making security objectives: measurable, specific, consistent, and achievable. 

    1.    The national strategy should be broad enough to cover the scope of information security across the federal government, but offer more granular, specific metrics for agencies to extend to meet their own underlying mission and business goal.  Without having key performance indicators, agencies will be faced with continual challenges in demonstrating both to themselves, the OMB, and Congress the true state of security within their individual agencies.  In addition, OMB will also need some way to represent the state of information security across the entire government landscape.

    2.    The national strategy should be specific.  Without clear, concise, and targeted criteria, agencies will fail to invest appropriately in securing their information systems, thereby wasting valuable resources.  By having a national strategy with specific objectives, federal agencies and offices, as well as Congress responsible for oversight of Federal agency information security programs can have a way to more effectively understand what improvements should be made to address shortcomings in agency implementations of their security programs.

    3.    The national strategy should be the vehicle for communicating objectives that are necessary for implementing information security consistently across the federal government.  A consistent set of national objectives will encourage agencies to share information and security practices, without necessarily hindering agencies from effectively implementing security practices more closely aligned with their own mission and business security requirements.  National objectives will need to support the broad vision and mission of the national strategy, however be tangible to actually be measured through specific performance indicators.

    4.    The national strategy should be achievable through accomplishable national security objectives that have realistic implementation timeframes.  Without ensuring agencies have the capability to meet objectives, agencies will be met with resource constraints that will lead to creative responses that are currently commonplace and focus on satisfying the checkbox through inherent insecure implementation, rather than adequate information security.  By establishing attainable national security objectives, agencies can better incorporate realistic steps into their agencies information security program plans that ensure actionable steps are taken and progress and can be accurately tracked and reported.

    In conclusion, FISMA has not necessarily failed in its purpose, but rather the government leadership has failed in addressing the purposes through a national strategy that seeks to incorporate measurable, attainable security with common security objectives.

    Posted by Matthew Metheny on 27 July 2009 in Current Affairs, IT Security, Metheny, Metrics | | Comments (0) | TrackBack (0)

    26 July 2009

    Treating risks

    Convention has it that there are just four ways of "treating" risks:

    1. Mitigate the risk, typically by reducing the associated threat, vulnerability and/or impact.
    2. Avoid the risk by not doing something risky.
    3. Transfer the risk, for example by forcing business partners to enter into a binding contract that places huge costs and liabilities on them for security breaches while leaving you appearing squeaky clean (don't laugh: PCI DSS does this).
    4. Accept the risk.  Shrug your shoulders and accept that the costs of mitigating, avoiding or transferring the risk outweigh the advantages (as you perceive them).

    Well I'm not so sure that's a complete list.  Here are some more possibilities:

    • Explore the risk - which means doing things like analyzing or assessing the risk, researching the risk parameters and algorithms
    • Ignore or deny the risk.  This looks a little like risk acceptance at first glance but it revolves around either genuine or feigned ignorance.  "It'll never happen to me" is one justification.  "It hasn't happened so far" is another variant, "so it probably won't".  "You don't know it will happen, since your risk analysis is full of holes and ridiculous assumptions" is only marginally better than "Trust me, it's not a problem."
    • Exploit the risk, which is of course what hackers, fraudsters, scammers, industrial spies and other Bad Guys do (in the information security context), and how arbitrageurs, forex traders, bankers, corporate treasurers, insurers and other Good Guys do (in other contexts).  Summed up by "Run with it, live dangerously and enjoy the rush' (a.k.a. the bunjee jumper's guide to risk management).
    • Hype the risk, with its corrollary, downplay the risk, which is what politicians do all the time.  "Folic acid in your bread will reduce the risk of neural tube defects" says one.  "Folic acid in your bread will increase the risk of cancer" says another.  "What's folic acid?" say most of the population, "Pass me the butter."

    I'm sure there are still others ... comments welcome ...

    Posted by Gary Hinson on 26 July 2009 in Hinson, Risk | | Comments (0) | TrackBack (0)

    25 July 2009

    Videos from Team Cymru

    Short videos (slide desks and voiceover) on various security topics, mostly relating to malware in some way.  Basic information, but quite suitable for security awareness presentations.

    Posted by Rob Slade on 25 July 2009 in Events, IT Security, Online safety, Slade, Training | | Comments (0) | TrackBack (0)

    24 July 2009

    Weekly Summary of the "DHS Daily Open Source Infrastructure Report"

    The DHS Daily Open Source Infrastructure Report covers the publicly reported material for the preceding day(s) not previously covered.  This weekly summary provides a selection of those items of greatest significance to the InfoSec professional.

     

    Week Ending:  Friday, July 24, 2009

    Infrastructure Report for 20 July 2009

    Are you paying attention to the issues associated with Twitter?  No.  Perhaps you should!

     32. July 16, BBC News – (International) Twitter calls lawyer over hacking. The microblogging service Twitter is taking legal advice after hundreds of documents were hacked into and published by a number of blogs. TechCrunch has made public some of the 310 bits of material it was sent. It posted information about Twitter’s financial projections and products. “We are in touch with our legal counsel about what this theft means for Twitter, the hacker and anyone who accepts...or publishes these stolen documents,” said a co-founder of Twitter. In a blog posting he wrote that “About a month ago, an administrative employee here at Twitter was targeted and her personal email account was hacked. “From the personal account, we believe the hacker was able to gain information which allowed access to this employee’s Google Apps account which contained Docs, Calendars and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company.” The co-founder went on to stress that “the attack had nothing to do with any vulnerability in Google Apps.” He said this was more to do with “Twitter being in enough of a spotlight that folks who work here can be a target.” It is believed a French hacker who goes by the moniker “Hacker Croll” illegally accessed the files online by guessing staff members’ passwords. Source: http://news.bbc.co.uk/2/hi/technology/8153122.stm

    Infrastructure Report for 21 July 2009

    So you trust Linux.  You might want to read the following and learn more! 

    40. July 17, The Register – (International) Clever attack exploits fully-patched Linux kernel. A recently published attack exploiting newer versions of the Linux kernel is getting plenty of notice because it works even when security enhancements are running and the bug is virtually impossible to detect in source code reviews. The exploit code was released on July 17 by an individual who works for grsecurity, a developer of applications that enhance the security of the open-source OS. While it targets Linux versions that have yet to be adopted by most vendors, the bug has captured the attention of security researchers, who say it exposes overlooked weaknesses. Linux developers “tried to protect against it and what this exploit shows is that even with all the protections turned to super max, it’s still possible for an attacker to figure out ways around this system,” said a senior security researcher at Immunity. “The interesting angle here is the actual thing that made it exploitable, the whole class of vulnerabilities, which is a very serious thing.” The vulnerability is located in several parts of Linux, including one that implements functions known as net/tun. Although the code correctly checks to make sure the tun variable does not point to NULL, the compiler removes the lines responsible for that inspection during optimization routines. The result: When the variable points to zero, the kernel tries to access forbidden pieces of memory, leading to a compromise of the box running the OS. Source: http://www.theregister.co.uk/2009/07/17/linux_kernel_exploit/

    Infrastructure Report for 22 July 2009

    You would think that Adobe applies its own fixes to its downloadable products.  Think again!


    33. July 20, IDG News Service – (International) Adobe doles out bug-filled PDF Reader to users. Adobe delivers an out-of-date version of Reader to users who download the popular application from its Web site, a security company warned on July 20. The edition Adobe currently offers includes at least 14 security vulnerabilities that have been patched by the company in the last two months. Danish vulnerability tracking vendor Secunia first noticed that Adobe was offering an outdated Reader when users of its Personal Software Inspector (PSI) utility, which scans Windows PCs for unpatched applications, started complaining when the tool said they were running a vulnerable version, even though they had just downloaded the PDF viewer. “There was some confusion about Adobe Reader,” said the manager of the PSI partner program. “Users had downloaded the latest Reader, but still PSI was telling them that it was vulnerable.” At first, Secunia suspected that PSI was throwing off a “false positive,” but that was not the case. “Adobe.com ships software with known vulnerabilities,” the manager said. The version now hosted on Adobe’s Web site is Reader 9.1, an edition that was released March 10 to plug several holes, including one that had been actively exploited by hackers since at least January 9, 2009. Adobe has issued two security updates since then. The first, released May 12, patched another “zero-day” bug in Reader, while the second, issued June 9, fixed at least 13 critical flaws reported by outside researchers and secretly patched an unspecified number of bugs found by Adobe’s own security team. Computerworld confirmed that Adobe’s Web site offers Reader 9.1 to users who download the application. Adobe did not reply to a request for comment on why it posts an out-of-date edition on its site. Source: http://news.idg.no/cw/art.cfm?id=9993F159-1A64-6A71-CE634C98EC3363A7

    Infrastructure Report for 23 July 2009

    Running Firefox 3.0.nn rather than 3.5.n?  If so, here are some patches you need!

    35. July 21, CNET News – (International) Firefox 3.0.12 patches five critical problems. Mozilla on July 21 released Firefox 3.0.12, an update to the open-source browser that fixes five critical security vulnerabilities and fixes a handful of other bugs. “We strongly recommend that all Firefox 3.0.x users upgrade to this latest release,” Mozilla said on its developer blog. “If you already have Firefox 3, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting ‘Check for Updates...’ from the Help menu.” Version 3.0.12 fixes five critical problems and one high-level security problem, according to the Mozilla security advisory site. Mozilla is trying to move people to the newer Firefox 3.5, which offers faster JavaScript program execution, new privacy features, and a handful of technologies geared for more powerful Web applications. And Mozilla is pushing the new browser hard. Security and stability fixes for the 3.0.x series will end in January 2010. Source: http://news.cnet.com/8301-1009_3-10292587-83.html?part=rss&tag=feed&subj=News-Security

    Infrastructure Report for 24 July 2009

    This is one patch that needs to be applied promptly!

    30. July 23, Computerworld – (International) Adobe promises patch for seven-month old Flash flaw. Adobe Systems Inc. on July 23 admitted its Flash and Reader software have a critical vulnerability and promised it would patch both next week. One security researcher, however, said Adobe’s own bug-tracking database shows that the company has known of the vulnerability for nearly seven months. In a security advisory posted around 10 p.m. Eastern time on July 22, Adobe acknowledged that earlier reports were on target. “A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems,” the company said. The “authplay.dll” mentioned in the advisory is the interpreter that handles Flash content embedded within PDF files, and is present on any machine equipped with Reader and Acrobat. Adobe said it would patch all versions of Flash by July 30, and Reader and Acrobat for Windows and Mac no later than July 31. Until a patch is available, Adobe said users could delete or rename authplay.dll, or disable Flash rendering to stymie attacks within malformed PDF files. Adobe did not offer any similar workaround for Flash and could only recommend that “users should exercise caution in browsing untrusted websites.” Source: http://www.computerworld.com/s/article/9135826/Adobe_promises_patch_for_seven_month_old_Flash_flaw

    Note:  The DHS only maintains the last ten days of their reports online.  To obtain copies of earlier reports or complete summaries, go to:

     http://dhs-daily-report.blogspot.com/

    Posted by Bob Johnston on 24 July 2009 in Current Affairs, Johnston | | Comments (0) | TrackBack (0)

    22 July 2009

    Security Maxims

    Roger Johnston's original list of security maxims.

    Posted by Rob Slade on 22 July 2009 in IT Security, Operations Security, Risk, Slade, Training | | Comments (0) | TrackBack (0)

    TCP covert channel

    Advertised as RSTEG (Retransmission STEGanography), the technique described in this paper actually uses the standard TCP operations to allow you to set up a kind of covert channel.  Interesting idea, although likely neither terribly dangerous nor important.

    Posted by Rob Slade on 22 July 2009 in Confidentiality, Digital Forensics, IT Security, Network Security, Privacy, Slade, Telecom, Training | | Comments (0) | TrackBack (0)

    21 July 2009

    DOCSIS introduction

    Basic physical layer transmission fundamentals don't get covered much these days, which makes the more advanced technologies that much more mysterious.  This DOCSIS (Data Over Cable Service Interface Specification) tutorial is fairly simplistic, but it does provide some starting concepts in order to understand what is going on with cable modems.  More details, and other pointers, are available at Wikipedia.

    Posted by Rob Slade on 21 July 2009 in Network Security, Slade, Telecom, Training | | Comments (0) | TrackBack (0)

    Praxiom ISO 27001

    Praxiom is primarily interested in selling you their products and services, but this section of their Website does have some helpful material in getting an overview of ISO 27001 and what people are doing about it.  (The site also has materials on other parts of the ISO 27K family.)

    Posted by Rob Slade on 21 July 2009 in Certifications, IT Security, Risk, Slade, Training | | Comments (0) | TrackBack (0)

    Next »

    The (ISC)² bloggers

    • Tipton W. Hord Tipton, CISSP-ISSEP, CAP, (ISC)² Executive Director
      Schmidt Prof. Howard A. Schmidt, CISSP, CISM (Hon.)
      Sarah E. Bohne, Director of Communications & Member Services

    Recent Contributors

    Past Contributors