SecurityFeed.info » Heorot.net

Feeds

23887 items (23887 unread) in 97 feeds

• Aviv Raff On .NET (18 unread)
• Bugtraq (bugtraq) Mailing List (605 unread)
• CGISecurity.com: Your Web Site and Application Security Resource (74 unread)
• christian's weblog (25 unread)
• Irongeek's Security Site (125 unread)
• Jeremiah Grossman (74 unread)
• Heorot.net (11 unread)
• milw0rm.com (440 unread)
• Nmap Hackers (nmap-hackers) Mailing List (7 unread)
• Packet Storm Security Advisories (373 unread)
• Packet Storm Security Exploits (461 unread)
• Packet Storm Security Headlines (376 unread)
• Packet Storm Security Last 100 (1841 unread)
• Packet Storm Security Last 20 (833 unread)
• Packet Storm Security Last 50 (1441 unread)
• Packet Storm Security Last Files (544 unread)
• Packet Storm Security Miscellaneous Files (109 unread)
• Packet Storm Security Tools (113 unread)
• Rootsecure.net (694 unread)
• SecuriTeam.com (184 unread)
• Security Vulnerability Research & Defense (36 unread)
• SecurityFocus News (139 unread)
• SecurityFocus Vulnerabilities (806 unread)
• Securityvulns news channel (336 unread)
• SecWatch - Latest Exploit Alerts (10 unread)
• Taking Network Security to the Streets (28 unread)
• The One And Only Matt Parnell.com (34 unread)
• The Register - Security (389 unread)
• The Register - Software (457 unread)
• VulnWatch (vulnwatch) Mailing List (19 unread)
• Web App Security (webappsec) Mailing List (88 unread)
• IceСμbeς (15 unread)
• Linmagazine (186 unread)
• ‫netcraft Bytes :) (38 unread)
• Digg (4061 unread)
• Blonde 2.0 (51 unread)
• The Microsoft Security Response Center (MSRC) (40 unread)
• (IN)SECURE Magazine Notifications RSS (17 unread)
• 0x000000 Security (79 unread)
• ----- Anti-Malware ----- Analysis and Defense (15 unread)
• Apple Fun (25 unread)
• Technorati Search for: aviv.raffon.net (203 unread)
• C.I.S.R.T. (10 unread)
• Determina Zero-Day Protection (6 unread)
• Didier Stevens (47 unread)
• eEye Digital Security - Research Blog (10 unread)
• Ryan Naraine's Security Watch (96 unread)
• Security - RSS Feeds (179 unread)
• Exploit Prevention Labs (28 unread)
• Software Vulnerability Exploitation Blog (22 unread)
• F-Secure Antivirus Research Weblog (75 unread)
• Full Disclosure (290 unread)
• George Ou (10 unread)
• GNUCITIZEN Media Portfolio (65 unread)
• ha.ckers.org web application security lab (35 unread)
• heise security (342 unread)
• invisiblethings' blog (35 unread)
• Jeff Jones's blog (12 unread)
• JScript Blog (16 unread)
• Matasano Chargen (38 unread)
• McAfee Avert Labs (66 unread)
• Michael Howard's Web Log (26 unread)
• PandaLabs (35 unread)
• Zero Day (273 unread)
• SANS Internet Storm Center, InfoCON: green (232 unread)
• Latest Secunia Security Watchdog Blog Entries (24 unread)
• SecuriTeam Blogs (65 unread)
• Security Fix (115 unread)
• HP ASC Portal (30 unread)
• Strike Center (12 unread)
• Sunbelt Blog (217 unread)
• Sunnet Beskerming Security Advisories (29 unread)
• Technobabylon
• The Recurity Lablog (31 unread)
• Wired: Threat Level (454 unread)
• TrendLabs | Malware Blog - by Trend Micro (159 unread)
• Uninformed Journal (44 unread)
• WabiSabiLabi's blog (22 unread)
• WatchGuard Wire (48 unread)
• Latest Blog Entires From WebSense Security Labs (42 unread)
• Hackszine.com (151 unread)
• DVLabs: Blogs (63 unread)
• Errata Security (81 unread)
• Robert Hensing's Blog (71 unread)
• PaulDotCom Community Blog (10 unread)
• David LeBlanc's Web Log (20 unread)
• Billy (BK) Rios (19 unread)
• David Litchfield's blog (21 unread)
• Farfromr00tin (23 unread)
• aut disce, aut discede (17 unread)
• pwn* (16 unread)
• hackademix.net (42 unread)
• SecurityDot Vulnerabilities (422 unread)
• Vulnerabilities & Exploits (29 unread)
• Malicious Code (26 unread)
• Security Risks (21 unread)
• Digg / Security / upcoming (4195 unread)

Heorot.net (10 unread)

• July 04, 2008
• 0:13

  Holiday Course Discount

   » ‎ Heorot.net

  To celebrate the 4th of July, we are discounting our online courses this weekend only. For those of you who have been interested in taking either the Penetration Testing Fundamentals or Intermediate course, we are discounting the courses a total of 50%. This offer is only good for those who sign up between now and 11:59pm on July 6th. This discount will be the only one all year, so if you have been interested, this is your time.

  Additionally, you can set your start date for whatever is convenient for you - just let us know when you sign up if you need to delay. We have included links with the discount already included within this post. If you have any questions about this offer, or the courses provided at Heorot.net, please don’t hesitate to contact us. Thanks!

  To sign up for the Heorot.net Penetration Testing Fundamentals class, please select below:

  

  
  
  
  

  To sign up for the Heorot.net Intermediate Penetration Testing class, please select below:

  

• April 12, 2008
• 8:17

  Hakin9 Magazine article

   » ‎ Heorot.net

  The staff at Heorot.net is excited to announce that Hakin9 magazine is printing an article about De-ICE.net and its Penetration Test LiveCDs, which is the Open Source project founded and supported by Heorot.net. This project is designed to provide legal penetration testing scenarios for anyone interested in learning how to conduct professional penetration tests. Along with the training programs at Heorot.net, this project provides engineers and managers of all skill levels a way to increase their professional knowledge in security and auditing by learning real-world techniques useful in corporate penetration tests.

  For more information about the Hakin9 magazine 3/2008 issue, you can visit:
  http://hakin9.org/prt/view/about-the-mag/issue/807.html

  For more information about Heorot.net training opportunities, you can visit:
  http://heorot.net/training/

• April 02, 2008
• 22:41

  Press Release - New Location

   » ‎ Heorot.net

  We’ve recently made exciting improvements to our business. On April 2, 2008, the founder at Heorot.net signed a tenant agreement for an office location on the north side of Colorado Springs, CO. This change will allow us to provide better service to clients interested in participating in our regional Colorado training. Previously, the training location was random, which posed difficulties for the Heorot.net staff and students. With this new agreement, we have a dedicated location to provide for all our training needs.

  Naturally, we are excited about moving away from an Internet-only group, into a “brick-and-mortar” organization that will be better able to provide extended Penetration Testing training for the future. In addition, we are in the process of obtaining a toll-free number for those of you with any questions about our courses. Please feel free to contact us for further information about any of our online classes, regional training, or on-site training opportunities. We offer discounts for various groups as well as previous students who have successfully completed our courses, so make sure you take advantage of the discounts available.

  We would also like to thank all the support we have received up to this point from our students and those individuals who have contributed their time and effort towards the De-ICE.net Pentest LiveCD project - without your support and enthusiasm, none of this would have happened. The team at Heorot.net is in your debt.

  - Thomas Wilhelm
  Founder, Heorot.net

• February 20, 2008
• 22:08

  To use or not to use a Methodology: That is the question

   » ‎ Heorot.net

  Occasionally I run across comments against the use of a Penetration test methodology.  It seems every time I do, my blood pressure rises.  The arguments against methodologies usually go along these lines:

  • Methodologies restrict the ability of a pentester from doing his/her job
  • You cannot script how an attacker might attack a system; therefore you cannot script how a pentester should attack a system
  • Methodologies prevent a pentester from getting into the “mindset” of a hacker
  • Methodologies are only for beginner pentesters
  • Methodologies are only for managers and clients; otherwise, they waste time.
  • Pentesting is an Art, not a science

  In my personal opinion, these types of arguments can be boiled down into one thought:  “Oh, the cleverness of me.”

  Most of the time, I never hear particular examples as to what within a methodology bothers people, or is flat-out wrong.  The responses (including the ones above) tend to be overtly opinionated, and not subjective at all.  Let us take a quick look at the steps within a pentest as proposed by the ISSAF:

  • Information Gathering
  • Network Mapping
  • Vulnerability Identification
  • Penetration
  • Gaining Access and Privilege Escalation
  • Enumerating Further
  • Compromise Remote Users/Sites
  • Maintaining Access
  • Cover the Tracks

  All these steps are very valid (based on personal experience as a pentester), and I would contend that most good penetration testers that do not use a methodology still perform these same steps, as needed.  In fact, I would contend that if those who do not use a methodology would actually delve into the details within each of these steps, they will find they use at least 90% of the procedures presented.

  The real difference is that those who do not follow a published methodology do not realize they actually - in fact - follow a methodology; their own.  These people may like to think they are capable of conducting penetration tests better than most, because they have an edge others don’t - an artistic edge. Well, I hate to be the bearer of bad tidings, but if you can repeat a process, it is no longer an art form, it is science.  And sciences can be quantified and improved on.  Art cannot.  Which is the real downfall for those who do not support the use of methodologies… their resistance to actually approaching pentesting as a science weakens the study, and prevents others from gaining in a shared knowledge.

  Let’s be honest.  People who are really good at penetration testing aren’t artists.  They are individuals who have studied and practiced their skills, not graced with a unique gift.  Sure, there may be some characteristics in their personality that allows quicker progress, but just like the military, you have to practice the way you fight, and penetration testing is no exception.  The “art” of war taught at colleges across the globe, and is constantly reevaluated to improve tactics and overcome obstacles.  The same type of effort should be put forth toward pentesting, which is a war in its own right.

  We have an opportunity to improve our trade.  Methodologies can allow us to “stand on the shoulders of Giants,” by sharing our knowledge to add to the common body of knowledge.  Let us not forgo this opportunity because of misplaced egoism.
  Comments?  I’d love to hear them.

• November 01, 2007
• 23:36

  Hacking at NASA

   » ‎ Heorot.net

  Before I get too far into this blog, I want everyone to understand I’m using the old definition of “hacking” (the good kind) when talking about NASA hacks.  Also, I’m talking about NASA employees hacking, not NASA being hacked.

  Turns out there’s a rip in a solar array that needs to be fixed quickly.   If not, NASA’s schedule will be impacted negatively.  To correct this problem, the astronauts are going to attempt a spacewalk and patch the tear using “a makeshift brace […] using short strips of aluminum and tape.”  Ingenuity at its finest… and it will probably work.

  What’s caught my attention about this whole incident is here is an organization that is so fixated on procedures and redundancy that you would think they would have a difficult time thinking outside the box.  This isn’t the first time NASA has had to scramble with unique ideas to get past an obstacle, but it seems that it would be a difficult mental hurdle to jump for people steeped in repetition and strict procedural guidelines.  Well, it turns out that NASA focuses heavily on learning Creative Problem Solving, which has helped keep people alive.  Yes, there have been some disasters associated with the NASA space program, but that does not mean their creative process has failed.  If anything, the failures have pushed the need for creativity further.

  So, how does strips of aluminum and tape translate to IS security management?  The creativity at NASA isn’t something inherent in the organization - it is trained into the programs, employees, and contractors.  There is a concerted effort on the part of NASA to teach creative problem solving, knowing that it will be needed in the future.  How many security organizations are teaching problem solving to their employees, or just falling back on the assumption employees are clever enough and will come up with a solution when a problem presents itself? Creative problem solving is something that can be taught, and should be encouraged within all organizations, not just ones who shoot people into space.

• October 30, 2007
• 17:38

  Cracking passwords quicker

   » ‎ Heorot.net

  This is clever.  Seems someone has thought of a way to employ the processor on an nVidia GeForce 8800 graphics card to brute force passwords.  It sounds like this is still theory, but the article mentions the cracking could be accelerated by a factor of 25.  Imagine - having a card that is dedicated to hacking passwords.  I’d definitely want something like that for Christmas.

  So, what does this mean to IS security managers?  Simply that the strength of your password policy just got weaker.  For those who use one-time passwords, including the use of tokens, this does not affect you.  But for those who rely on monthly password changes to secure their data, your passwords are jeopardized.  The article mentions:

  “Windows Vista’s password system, which would normally take months to crack using a brute force technique, could be broken in a matter of days.”

  In other words, the window of opportunity has just opened wide for password cracking to be effective.  Should password resets occur more frequently?  Unless you’re going to require users to change passwords almost daily,  it won’t matter.  You might require even more complexity within a password, but people already have enough problems remembering their password - additional complexity will simply increase the number of helpdesk calls access admins receive.

  So, how can someone prepare for this new threat?  Well, honestly, this threat is not new - it’s just speedier.  Organizations have been told repeatedly that passwords are inherently vulnerable, and that additional authentication methods need to be in place to thwart attacks against corporate data.  If two- or three-factor authentication is required to access company assets, a broken password is ineffective.  More and more organizations are beginning to migrate away from single-factor authentication (like passwords), which is a good thing, but it’s use is not universal.

  For those who have hesitated to employ advanced authentication, do not be surprised when the day arrives when your security policy requires daily password resets.  I guess this sort of thing was bound to happen.

• October 29, 2007
• 19:06

  Laptop theft in the workplace

   » ‎ Heorot.net

  A clever thief was captured recently, after stealing over 100 laptops.  His cleverness is associated not with any technical prowess, but rather his ability to “social engineer” people into believing he belongs at the victim’s workplace.  This is just another example how physical security is an important component to protecting company assets, yet one that is easily exploited.

  As the saying goes, water flowing downhill follows the path of least resistance.  This seems to be true for criminals as well.  In one organization, the thief entered by tailgating through a security door that required a badge.  Another case, when confronted by an employee, he stated he was “looking for Steve” (head of IT for this particular company), which was enough to smooth over the worries of the employee.

  Simple stuff.

  These tactics are not unique among thieves, and the Information System Security profession has been talking for years about how to prevent this type of employee manipulation.  The real question is “why does it keep happening.”  A lot has been written on human interaction, and how people can be manipulated, but that’s not the perspective of “why” I’m talking about.  The question has less to do with those who are duped, than why training programs about physical security and social engineering are ineffective.  We know these types of “attacks” will occur within pretty much every workplace, yet they still happen.  Also, the organizations who lost these laptops were not small businesses, and undoubtedly had some sort of security training program in place to deal with this type of threat.  Yet, it still didn’t prevent them from being victimized.

  Sometimes management focuses too much on one component of security.  However, all components need to be constantly monitored for effectiveness.  Just like water, management needs to be proactive and constantly identify the path of “least resistance” and improve that component until it is no longer the weak point within a security program.  The ability to identify weakness and solidify defenses is a constant struggle and has many facets and involves serious effort.  However, the work required to do shore up your security program is certainly less stressful than trying to determine if any critical information was on any missing laptops.

• October 24, 2007
• 6:53

  Who would want to hack the Rockies?

   » ‎ Heorot.net

  It was announced today that the reason so many people had a problem purchasing playoff tickets for the Rockies home games was the site selling tickets was a target of an “external, malicious attack.”  The question on many people’s mind was “why the Rockies?”  The team hasn’t been around long enough to have developed a rivalry or hatred that many other teams experience.  Maybe a fan of Arizona or Philadelphia is behind the attacks - who knows.  All I do know is that the managers of Paciolan Inc. (the company running ticket sales) were caught unprepared, and their lack of readiness was plastered all over the national news.

  One problem many security managers face when trying to convince upper management of the need for a comprehensive security program, including auditing, is the irrelevant question of “why anyone would attack this corporation.” Paciolan didn’t see a denial of service attack coming, but they should have expected it.  Up until yesterday, it seems upper management did not think a Business Continuity Plan (BCP) was necessary.  After all the negative press, I bet they will have one in place very quickly.  Who knows what type of long-term effect this will have on Paciolan’s profits, and whether or not people will look elsewhere for their ticket-sales management.  I can’t think of a better justification for a BCP for those in upper management who wonder “why would anyone target us” than this event.

  As Paciolan found out, it’s not a matter of “if,” it’s a matter of “when.”  How many times does this saying have to be repeated before it sinks in?  And for those who continue to ask “why target us”… the answer is “because.”  That’s the only reason a malicious hacker needs.  Oh, and one more thing…

  Go Rockies!

• October 18, 2007
• 23:59

  How much should security cost?

   » ‎ Heorot.net

  I’ll be the first to admit - security people are techno-junkies.  When some new tool comes out that promises to make our lives easier, we want it.  We crave it.  And we think of justifications as to why we need it.  In some cases, our reactions almost seem Pavlovian.  I’ve seen cases where an organization bought a new spam appliance because… well, because it was cool.  “This device can protect 30,000+ email accounts, and block thousands of spam messages an hour” - it didn’t matter that the whole company had less than 40 people, and the only person who had a spam problem was the CEO.  What did matter is that a case was made that hours of employee time was lost dealing with spam every day, and if the problem could be solved, the company would save money.

  That is the same type of justification I hear often - “if we buy <some shiny box> we can save the company gobs of money.”  Considering most people are paid a salary, there is no return on investment - just because you take away something that occupies an employee’s time does not mean they will spend that time improving widgets or writing cleaner code.  Any time I hear that something will “save money,” I cringe.  If salary expenditures can’t be reduced because of the new appliance, or if there is no real connection between the appliance and production or quality improvement, it’s a loss, not a gain.

  So, when should new “toys” be purchased?  There are some appliances that are so ingrained in our minds as being useful, that their purchase is almost rote.  For example, firewalls.  No company should possibly think of doing business over the Internet without a firewall.  Company’s also need a decent patch process, or else they become too mired in worms and viruses to be effective in their day-to-day business activities.  The reason they are so embedded in most companies is not because they save money (some devices and designs can be very costly), but rather that they reduce actual threats to the company: hit by a worm - nobody works; don’t have a patch program - get hit by a worm and nobody works.  But not all applications actually reduce a threat.

  Back to our spam analysis, some would argue that spam often carries malicious code that could ravage a network if an employee negligently executes the code.  This is true, but since we know nothing is fool-proof we have to assume this will happen regardless if there is a spam blocker on the network or not.  It might happen less frequently if something filters all email looking for spam.  However, an equally effective alternative could be a better training program for employees, explaining what malicious code might look like in an email.  In other words, a new appliance should not take the place of educated employees, and spam is not the real threat to the company - lack of user awareness is.

  Despite the techno-lust many security people have, it does not always make sense for managers to buy the latest and greatest gizmo suggested by security experts or vendors.  Now, I know this is not some new revelation - managers have been dealing with this type of over-hype for many, many years.  However, sometimes it is difficult to really know what is beneficial, and what is wasteful.

  I had a discussion with someone who had been in the military, who had the responsibility for a broad swath of military network security at one point in his career.  When he was placed into the role, one of the biggest problems was, that despite all the money being spent on applications to improve security, the amount of incidents within his area of responsibility increased.  As a solution, his subordinates constantly made suggestions to acquire newer versions of old appliances along with new appliances.  Instead, he put a moratorium on all new purchases for a year and instead funneled the money towards training.  This quickly reversed the trend, and the incidents decreased.

  Jan Killmeyer proposed five components within an Information Security Architecture (she has added three more, but the original five are sufficient for this discussion).  They are:

  • Security Organization / Infrastructure
  • Security Policies, Standards, and Procedures
  • Security Baselines / Risk Assessments
  • Security Awareness & Training Programs
  • Compliance

  Overall, the appliances used to reduce threats are a minor component to an overall-successful information security program.  An organization should not pour additional funds into infrastructure if training programs and compliance monitoring are lacking.  A new shiny box will not make up for a lack of strong security policies, standards and procedures.  And, unless the techno-junkies or vendors can demonstrate how their newest favorite appliance can “save money” that actually ends up in your pocket, perhaps the funds to purchase are better off untouched until all other areas of a security program are improved.

  Security costs money.  That is well known.  It also does not “save money,” either.  The sooner people within the security community accept that notion, the better.  What security does is enable the organization to succeed.  But to succeed, a security program must balance all components effectively, and not just focus on the shiny toys.

• 5:26

  Who’s listening on your VoIP?

   » ‎ Heorot.net

  Once again, another vulnerability in a VoIP appliance has been discovered.  This one is pretty unique, since it deals with Cross-Site Scripting; but as with any new technology, bugs will be discovered, exploits created, and patches written. In other words, it will be just another day of the same repetitious cycle we have been playing all these years in the Information Security field.   As with any technology, there should be an expectation of someone creating an exploit that allows them to listen in on conversations.  If that conversation happens to have a CEO as a party to the call, who knows what secrets could be revealed. While that is an interesting scenario, it is a bit of a stretch (for now); plus there are usually easier methods to obtain information from a corporation’s inner sanctum.  But that might change.

  One thing I’m sure most people have noticed is the recent increased interest stockholders (and the government) have taken in how publicly-traded companies are managed (as evidenced by SOX, HIPPA, Enron, et al).  One result has been the need for more HR to refine document-retention policies.  Many corporations have become very worried about paper trails in case of legal suits and are trying to reduce the voluminous amount of documentation generated daily.  The amount of work required to obtain all records related to a law suit is tremendous and costly.  Another motivation to reduce this volume, is that the less documentation lawyers have to provide opposing council, the less chance something damaging will turn up. One way to deal with this issue is that many companies have encouraged managers to send fewer emails and make more phone calls when dealing with sensitive issues.

  Unfortunately, corporations have been pushing upper management towards the use of phones at the same time IT departments have been getting rid of “Plain Old Telephone Systems,” in favor of cost-saving VoIP technology.  Decisions to deploy VoIP do not take into consideration this issue of increased use by upper management, but probably should.  VoIP is not simply a cost-savings decision - security should have a large voice in how VoIP is deployed within a corporation… because that day will come when somebody will hack into and record a conversation that should never have been recorded.