An Information Security Place

Commentary on the State of Information Security
Filed under Application Security, Fun, Internet, OWASP, Security, web hacking

This post has no technical value.  Just experimenting with how much traffic I can get by putting the term “clickjacking” in a post. :)

But seriously, if you want to know anything about it, go listen to Martin’s podcast interview with Jeremiah and Rsnake.  You can also go over to Computerworld and take a look at the Q&A.

So…

clickjacking…

clickjacking…

clickjacking…

Rsnake

Robert Hansen

Jeremiah Grossman

Whitehat Security

SecTheory LLC

OWASP

Vet

Posted by Michael Farnum on Monday, October 6th, 2008


Filed under Security, Security Products, Security Reselling

To everyone reading this, take it from me that Palo Alto Networks has some excellent stuff.  I have seen this put into production networks and watched it give tremendous insight into what is getting in and out.  I wish this box had been around when I was an Information Security Manager and Network / Security Engineer.  It would have made my life a lot easier because I would have been able to block traffic according to layer 7, not just the traditional port / IP combination like in typical firewalls.  Please read below for a tease of what you will see if you are in the Houston area and come see the seminar.

====================================================

The network security space is in desperate need of innovation!  It’s no secret that the Internet generates the majority of traffic on today’s corporate networks.  The question is, how can you know exactly what that traffic is, and control it in a way that’s best for your business?

Comprehensive Internet visibility and control is now essential – not just of network ports, but of the actual applications, users, and content flowing through the firewall. Unfortunately, traditional firewalls are missing three key ingredients that prevent them from delivering the Internet security and protection your organization requires.

Please join us for a 90-minute seminar that puts a spotlight on what’s really happening in today’s enterprise networks, and provides strategic guidance on how to regain the visibility and control you need.

SEMINAR HIGHLIGHTS

  • New research on the top high risk applications running on more than 50 enterprise networks today
  • Insights into a new generation of evasive applications and related threats capable of bypassing your firewall controls
  • A look at three new network security requirements – missing from traditional firewalls – that will restore IT’s ability to manage these and other Internet risks

In addition, you’ll hear from a CISO of a leading Midwest bank, who has experienced the pain that comes with the inability to control Internet traffic, but is now enjoying unprecedented network visibility and control.

LOCATION
Date: Wednesday, October 22nd, 2008

Time: 11:30 am to 1:00 pm (registration begins at 11:15 and lunch served)

Place:

Sullivan’s of Houston
4608 Westheimer
Houston, TX 77027  (MAP & DIRECTIONS)
Phone: (713) 961-0333
To reserve your place at this luncheon, please click HERE.

Vet

Posted by Michael Farnum on Wednesday, October 1st, 2008


Filed under Security

Just got this from Skype.  Anyone else ever see this?  I have never received spam from Skype.

image

Vet

Posted by Michael Farnum on Tuesday, September 30th, 2008


Filed under Podcasts

Here’s episode #6.  Jim was in a hotel room in California, so forgive any degradation in quality and the shorter-than-usual length.  Just another risk when you are a world-traveling consultant like Mr. Broome. :)

As usual, we welcome feedback of any kind (we reserve the right to delete profanity).  Please let us know how you like / dislike the show.

Also, I know the feed is broken via feedburner.  Not sure what is going on there.  I am looking into it.  For now you can download the podcast via the link below.

OK, here are the show notes:

InfoSec News Update:

  • Rsnake and Grossman’s talk on clickjacking pulled due to lack of feedback by some vendors and a request from Adobe to pull the OWASP USA talk until they issue a patch.
  • Apple and Cisco Release Patches
  • Followup - VMware Fusion 2.x not all that good!!!
  • Palin hack - We don’t give a crap anymore!

Discussion on remote access and employee termination - Open discussion on the recent articles and whitepapers:

Segment 2:

And the wonderful music picks from Jim:

  • Intro/Outro - Digital Breaks - “Therapy”
  • Segue 1 - Climax - “OnTheEdge”
  • Segue 2 - Climax - “Eternity”

Link to MP3

Posted by Michael Farnum on Monday, September 29th, 2008


Filed under Security

Come on people.  Working on an RFP response, and the vendor misspelled HIPAA.  Drives me frickin’ insane.

Vet

Posted by Michael Farnum on Thursday, September 25th, 2008


Filed under Podcasts

OK folks.  Here’s the long awaited episode 5 of the podcast.  Sorry for the delay in getting this one out.  Hurricane Ike put a big damper on our plans since I was without electricity for a few days.  Internet has been spotty as well, but it held up for Jim and me to record last night.

Link to MP3

Show notes:

  • Geek Toys - Personal Raid Devices - aka Drobo Review
  • Consultants Corner - Dealing with clients that are bound by compliance requirements.

Music:

  • Intro/Outro - Digital Breaks - “Therapy”
  • Segue 1 - Climax - “OnTheEdge”
  • Segue 2 - Climax - “Eternity”

Vet

Posted by Michael Farnum on Friday, September 19th, 2008


Filed under Security

The last few days have held many challenges.  Basic necessities like food and water have been in short supply.  Not so basic necessities like electricity, air conditioning (thank God for the cool front that came down right after the storm), phone, and TV have been gone.  But the one thing that has really bothered me is the loss of the Internet (Starbucks and other places were closed).  This has caused me to feel more disconnected than ever before.  And though it was probably good to unplug for a few days, it is also how I earn a living for the most part.    The information junkie in me is also suffering greatly.

So when the Internet came back up at the house, I was thrilled.  The junkie in me would be satiated. I started tapping a vein, and then I connected.  I started working and surfing.  I looked at what was going on with the world, with the tropics (nothing so far), and security.  I got some work done.  I reconnected.

Well, this morning, it all hit again like a brick.  Yes, the Internet was dead.  I was without my fix.  But hey, I remembered that Starbucks had opened up.  W00T!  I headed out for my fix. 

When I arrived, I ordered a beverage, and sat down to connect.  I expected the typical T-Mobile screen with the AT&T Internet link (I have AT&T broadband at the house, so Internet is free for me at Starbucks).  It surprised me when I connected straight to the Internet without any portal screen.  What was going on?  When I expressed surprise to the guy sitting next to me, he stated that they had opened up their Internet to everyone for free.  That was a pleasant surprise, even though it would have been free for me.  It really made me feel grateful, and it showed that people care.  So kudos to Starbucks on 2920 and Kuykendal in Spring, TX.  I appreciate you, and I will bring you my business from now on.

Vet

Posted by Michael Farnum on Thursday, September 18th, 2008


Filed under Security

image

I’m back!!  Water, power, phone, AND Internet.

Vet

Posted by Michael Farnum on Wednesday, September 17th, 2008


Filed under Holy Crap!

Image credit: NASA

Here’s a slightly modified pic that I posted on TwitPic.  It shows where Ike is supposed to go and where I live (Tomball, TX).

ike tomball

Image credit:wunderground.com and me.

Thanks for the prayers.  I’ll see everyone on the other side…

Vet

Posted by Michael Farnum on Friday, September 12th, 2008


Filed under Security

This is pretty cool.  A poker table that can read RFID tags in the cards.  Hmmm…  Thinking of the hacking / cheating possibilities with that.

image

Vet

Posted by Michael Farnum on Tuesday, September 9th, 2008


Filed under Spam, Twitter

I have been blocking more and more Twit spam followers lately on my Twitter account.  Some of the accounts have been suspended by Twitter, which is great, but it is still a nuisance.  Just one more by-product of Web 2.0 I guess.

But the real quandary is what to call Twitter Spam.  SPIT is already taken (Spam over Internet Telephony).  Maybe SPITT, with an extra “T”?  How about TWAM?  But most spam names are acronyms and start with “SP”.  How about SPER?  Uhhh, that would probably not be good.  SPITTER?  Hmmm, that might work.

Any ideas?

[UPDATE]: What about “Spittle”?

Vet

Posted by Michael Farnum on Wednesday, September 3rd, 2008


Filed under Podcasts

Episode 4 is here folks.  We had a couple of times of weirdness happen, so forgive some of the bumps and weird splices going along.  Here are the things Jim and I had some discussions around:

  • More privacy rights violations, this time through people doing dumb things or just being lazy - low tech hacks
  • FEMA voicemail system hack leading to $12k of long distance calls - default password left on system!
  • Hurricane Gustav led to a discussion about DR / BC
  • PCI 1.2 and what it means for you (if you have to deal with that crap)
  • Consultant’s Corner - I blab about how you have to be prepared, set expectations, be knowledgeable, and be FLEXIBLE (I wrote a post about this).
  • Geek toys was not included this time, but it will be in the future.

Also wanted to give shout outs to Ross at http://www.secureputer.com and Jean-Christophe at http://www.phocean.net, two brand new security blogs out there, which we mentioned in the show.

Music notes:

  • Intro was Digital Breaks with “Therapy”
  • The first segue was Climax with “OnTheEdge”
  • The second segue was Climax with “Eternity”

Link to MP3

Link to the podcast site

Vet

Posted by Michael Farnum on Tuesday, September 2nd, 2008


Filed under podcasting

head

Let me know what you think.  No, it is not my head.

Vet

Posted by Michael Farnum on Monday, September 1st, 2008


Filed under Security

I had a dream last night that I should move to Ubuntu on my laptop.  Some dude (don’t know who he was) was in my dream, and he acted like he knew me and we were in business together.  He said we needed to move to Ubuntu on our laptops.  I agreed.  Is this prophetic?  Probably not.  Just thought it was interesting.

Vet

Posted by Michael Farnum on Monday, September 1st, 2008


Filed under Business Continuity, Disaster Recovery, Holy Crap!

…but deadly.

Vet

Posted by Michael Farnum on Sunday, August 31st, 2008


Filed under Security

Actually, this is a legitimate email, but I just about had to laugh when I saw the subject.  Michelle, I really don’t want to know.  You and Obama keep that to yourselves…

image

Vet

Posted by Michael Farnum on Saturday, August 30th, 2008


Filed under Security

I have recently created a website that will strictly host the podcast.  The site is located at http://infosecplacepodcast.com/.  The feed for the site is located here.

I am not going to put a lot of design into the site.  I simply wanted a place for a separate site and feed for simplicity.  I will still be posting the podcast here as well.

Vet

Posted by Michael Farnum on Thursday, August 28th, 2008


Filed under Security

I sometimes get sick of my fellow Computerworld blogger Steven J. Vaughan-Nichols, A.K.A. Cyber Cynic.  He is an avowed Linux-phile, which is fine with me.  But he is constantly going on rants about how secure Linux is and how it’s great and wonderful and how Windows is so insecure and both sucks and blows.

But in this article he actually ends up surprising me.  He talks about a bunch of Linux boxes getting attacked through compromised SSH keys.  He goes on to say how the Linux admins that didn’t fix the problems are idiots and how he would have fired them if they worked for him.  And here is where he surprises me.  He says:

Linux really is more secure than most operating systems, but, as the security mantra goes, "security is a process, not a product."

That statement seemed so painful for Steven to get out.  I think I actually felt him straining to get those words out (maybe Steven has been eating too much cheese lately).  He actually had to admit that an admin actually had to work to make Linux secure.  Of course, he couldn’t let that go without first saying that Linux "really is more secure than most operating systems", but at least he said it.

Seriously folks, I am not some Windows fan boy.  I know I have said that a million times, but it is true.  I don’t care what OS you use.  You are ALWAYS going to have to secure it by patching and hardening.  It is the nature of the beast.  You can make a Windows box just as secure as a Linux box if you harden it correctly.

Steven is right that security is a process.  You have to do your due diligence.  If you love Linux and hate Windows, then use Linux for your server.  But don’t let that cloud your brain when it comes time to lock that box down.

Vet

Posted by Michael Farnum on Wednesday, August 27th, 2008


Filed under Business Continuity, Disaster Recovery

Get your DR / BC plans dusted off if you are on the Gulf Coast in the US.  Gustav is looking like a threat.  Image from wunderground.com.

image

Of course, these monsters are always unpredictable, but the models are all pointing to hitting in the Gulf somewhere.

image

Vet

Posted by Michael Farnum on Wednesday, August 27th, 2008


Filed under Security

I have learned a lot in the last week about how not setting expectations and not being prepared can have a huge negative effect on a project.  I know that sounds really logical and obvious.  I have seen how being unprepared can slow projects.  I have seen how not setting expectations can cause a project to totally derail.  But the complexity and importance of a project affects proportionately the level of preparedness and the level of expectations that need to be set.  You can’t walk into a large and very important project with confidence unless you have spent a major amount of time and effort.  And you can’t go into a project without knowing what is expected and making damn sure the customer understands those expectations.  It is essentially asking for disaster to strike if you do that.

That is exactly what I have experienced on two different projects last week and this week.  One was a wireless technology demonstration that is the first step into wireless for a very large enterprise company in Houston (I won’t discuss the other for fear of someone there reading this post).  The project is easily over $1 million in equipment and services, and is likely going to get close to $2 million.  With that kind of dinero  in play, and with the possibility of even more on the far back end, you have to come loaded for bear.  You have to be organized, and you have to test.  That didn’t happen (there were multiple issues and people in play, but I blame myself for a lot of it).  We had one day to prepare for a three day demo, and we didn’t make it happen.  Consequently, the first 1 1/2 days were disastrous. 

A major issue with the project was that expectations were not set adequately with the client.  They had a process for gauging technologies, and unfortunately that was kept mostly hidden from the team trying to setup the demo.  Another contributor to the problem (don’t want to call it a failure yet) was a lack of preparedness.  Under advisement from one of our wireless consultants, we had the technical team come into our local Houston offices the day before the demo was scheduled so we could do a dry run.  Though we spent several hours on that, we still were not comfortable with the results.  But we really had no choice but to move ahead because this was our one shot at the project.  Put all of that together, mix well, and bake for 20 minutes on 450 degrees, and you have a disaster pie waiting for you at the end.

But what about knowledge and flexibility, Michael??  Those words are in your title?  Well, here’s what I have to say about that.  The missing factors that would have allowed us to be successful from day one in that demo were knowledge and flexibility.  We had to end up calling in a big gun from the wireless company that had both of those factors after the original resource started losing it.  The original engineer on the job had a good degree of knowledge (though he was still fairly new), but was severely lacking in flexibility.  When the customer went on a tangent and asked for something even slightly outside the scope of the original demo, he locked up and started making excuses (I hope he doesn’t read this, but oh well).  That did not go over well with the customer.  But when the big gun walked in and took over, that went out the window.  He knew the product well, and he was flexible.  Thus, he was able to meet whatever the client threw at him.

The other thing that chaps me is that if the big gun had been engaged on day one, the original problems would not have appeared.  Oh well.

So, in summary, you have to prepare, and you have to set expectations.  But if those turn out to be too light, or if you just run into a customer who likes to stroll down tangent lane, then you have to have a high degree of knowledge, and you have to be flexible.  They ARE the customer, after all.

image

BTW, the second 1 1/2 days were much, much better.  Actually, it was extremely successful.  But by then a lot of damage had been done.  And to top it off, the project lead got called on emergency meetings during the successful part of the demo, so the bad taste stayed in her mouth.  Not good.  I’ll let you know what happens.  I also plan on podcasting about this when Jim and I next get together.

Vet

Posted by Michael Farnum on Monday, August 25th, 2008


Filed under Podcasts, Security

Here’s the latest installment of the podcast.  Jim Broome talks about some of the BH / DC talks he was interested in and rubs in the fact that I didn’t get to go (he also rubs in the fact that he was in Hawaii last week - thanks Jim).

We get some closure on the Dan Kaminsky / DNS issue (well, it was closure for us anyway).

We talk a little about Alan Shimel’s adventures in pwnage.  We are not giving any details about the issue, but we give the big guy a little sympathy and some major props for his renewed sense of security importance and writing about the whole thing so we can all see how the process doesn’t work.

Then Jim busts into his favorite two segments.  One is the Geek Toy segment, where he talks about the SanDisk Sansa TakeTV device.  Very cool stuff for the traveler.  And the other segment is the Consultant’s Corner, where Jim gives some advice for writing up and presenting an executive outbrief for a project.

The rest of the podcast is just general bantering and virtually poking each other in the ribs.  We had fun with this one.  Leave some comments on what you think.  We’ll discuss some of them in the next podcast.

Music for this podcast is:

  • Digital Breaks - “Therapy”
  • Digital Droo - “Minor Things”
  • Laika Cres - “Miles and Miles”

Vet

Posted by Michael Farnum on Tuesday, August 19th, 2008


Filed under Security

I have two things to say:

1. Welcome back to the blogosphere Alan.  Great to have you back.

2. You people who screwed with him are filthy bastard racist cowards.

Vet

Posted by Michael Farnum on Thursday, August 14th, 2008


Filed under Security

There has been a lot of "news" spam lately with subject lines that include "CNN" or "MSNBC".  Been kinda crazy.  Thankfully Postini, which I just signed up for, has caught all of that crap.

image

Vet

Posted by Michael Farnum on Wednesday, August 13th, 2008


Filed under Security Products, Security Reselling

So there is a particular security product manufacturer that Accuvant sells that I cannot name since I will get in trouble (love ya’ Dan!) that has a good product, but their support has been horrendous lately.  Actually, even their product has been slipping, now that I think of it.  And it is starting to hurt the relationship we have with a couple of customers because we recommended the product back when they were kicking some major butt all around.  And it really just pisses me off because this started just a few months before they got bought by a big company.  Oops, man, that probably gave it away, didn’t it?  Huh?  Wadda mean there’s only been about 20 companies that fit that description?  Oh yeah…

As I was saying, this started just a few months before the announcement of their getting snapped up.  This just seems backwards to me.  Does management just get that distracted that their quality starts sucking wind?  Shouldn’t they be trying to concentrate more on quality?  Maybe the deal was pretty much done and they figured what the heck?  The new guys will clean up the mess? 

I experienced that back when Juniper bought Netscreen as well.  I was a customer, and their support went straight to hell for about a year, then it all came back together.  But I kinda expected that to happen.  That was a big deal.  The company I am talking about is not that big, so there should not be a drop in quality like that.  And the Juniper / Netscreen issues didn’t start until AFTER the buy out.  This is happening BEFORE the buy out.

So if there are any manufacturers reading right now, please think about this.  If you are getting ready to sell, please do everything you can to maintain quality in your product and support.  Don’t screw over your employees (don’t know if that is happening here, but the drive of the sales team seems to have dropped dramatically).  Because if your quality drops, I am going to quit recommending you, and so will a lot of people.  Of course, if you already have your money and are at the beach, you are probably not reading this and couldn’t give less of a crap anyway.

Vet

Posted by Michael Farnum on Tuesday, August 12th, 2008


Filed under Firefox, NoScript, Security

There’s not really a flaw (that I know of), so sorry for the theatrics.  Just thought that would be a good draw.  :)

But really, there is a human problem from which NoScript cannot protect you.  What if you have set up a website as trusted through NoScript, then that site gets compromised?  If there is malware in the compromised site, it is possible that your trusted relationship will allow that code to run and infect you.  Yes, there are extra protections built into NoScript to protect against even trusted sites (see screenshots below), but this is still a problem if you have a site in the whitelist and it gets compromised.

This seems obvious now that I see it, but I never thought about it until Alan’s blog got compromised.  My advice would be to whitelist as little as possible and to use the temporary allow feature for everything that doesn’t cause you severe headaches.

NoScript Advanced options:

image

image

image

Vet

Posted by Michael Farnum on Monday, August 11th, 2008


Filed under Security

Here’s one of those times (link NSFW) when doing something that seems contrary to good security practices because of a legitimate business need can cause you problems.  This guy had an email account get hacked by someone, and the offender sent out a nasty email to everyone.  But the email account was for a deceased employee who used to handle customer relations, and they needed to keep the address alive so emails could be forwarded to another employee.  OK, first, that would constantly creep me out if I was getting email addressed to a dead person.  But the real point is that sometimes legitimate business needs that go counter to good security practices can cause problems.  It sucks, but that is the way it is. 

However, if there is a legitimate business need that could potentially cause security headaches, it is up to the security staff to put in a compensating control.  According to the poster, there was a real business need to have this email account alive.  So if that is the case, why didn’t they just create an alternate email address for the currently living employee instead of keeping the email account alive?  Maybe their software wouldn’t allow it, but I doubt it.  In this case, there was no compensating control.

To me, it sounds like someone just did the easiest thing (though that can be argued because they had to set up a forwarding address, which is really just as much labor as setting up an alternate email) instead of making this secure.  It’s a lesson, though thankfully they didn’t cause any terrible harm (unless you are extremely offended by dirty pictures).
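Here is what the compensating control from the post looks like as a check you can actually run over a directory export: flag any address whose owner has left but which can still be logged into, and show the fix (turn it into a login-less alias that forwards to the successor).  This is an added example, not code from the original post or from the company involved.  The directory rows are constructed sample data, and the field names (owner_status, login_enabled, forward_to) are assumptions rather than any mail system’s real schema.

```python
"""Audit a mail directory for the problem described above: a departed employee's
mailbox kept alive (password still valid) so that customer mail keeps flowing,
when an alias that forwards to a current employee would meet the same business
need without a loginable account.

Added example, not code from the original post. The rows in SAMPLE are
constructed data; owner_status / login_enabled / forward_to are assumed field
names, not any particular mail system's schema.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class MailEntry:
    address: str
    owner_status: str          # "active" or "departed"
    login_enabled: bool        # True if someone can still authenticate as this address
    forward_to: tuple = ()     # addresses this entry delivers to, if any


def classify(entry: MailEntry, directory: dict) -> str:
    """Return a finding code for one directory entry.

    LIVE_DEPARTED     owner is gone but the mailbox can still be logged into (the case in the post)
    FORWARD_DEPARTED  login disabled, but it forwards to an address whose owner is also gone
    STALE             departed owner, no login, no forwarding: nobody needs it, remove it
    ALIAS_OK          departed owner, login disabled, forwards to a current employee (the compensating control)
    OK                active owner
    """
    if entry.owner_status == "active":
        return "OK"
    if entry.login_enabled:
        return "LIVE_DEPARTED"
    if not entry.forward_to:
        return "STALE"
    for target in entry.forward_to:
        dest = directory.get(target)
        if dest is None or dest.owner_status != "active":
            return "FORWARD_DEPARTED"
    return "ALIAS_OK"


def convert_to_alias(entry: MailEntry, successor: str) -> MailEntry:
    """The compensating control: keep the address deliverable, remove the ability to log in."""
    return replace(entry, login_enabled=False, forward_to=(successor,))


def audit(entries) -> dict:
    """Map every address in the export to its finding code."""
    directory = {e.address: e for e in entries}
    return {e.address: classify(e, directory) for e in entries}


# Constructed sample directory (not real addresses or people).
SAMPLE = [
    MailEntry("jane@example.com", "active", True),
    MailEntry("relations@example.com", "departed", True, ("jane@example.com",)),  # forwarded, but still live
    MailEntry("old-sales@example.com", "departed", False, ("bob@example.com",)),  # forwards to nobody useful
    MailEntry("bob@example.com", "departed", False),
    MailEntry("support@example.com", "departed", False, ("jane@example.com",)),   # alias only: fine
]

if __name__ == "__main__":
    for address, code in audit(SAMPLE).items():
        print(f"{code:17} {address}")
    fixed = convert_to_alias(SAMPLE[1], "jane@example.com")
    print("after fix:", classify(fixed, {e.address: e for e in SAMPLE}))
```

The point of the LIVE_DEPARTED check is that forwarding alone is not the control; the relations@ mailbox in the sample forwards correctly and still gets flagged, because a password that nobody is watching is exactly what was abused in the story.  FORWARD_DEPARTED catches the follow-on failure where the successor has also left and the alias quietly goes nowhere.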

Vet

Posted by Michael Farnum on Friday, August 8th, 2008


Filed under Security

Blackhat, Defcon, security conference, hacking, DNS vulnerability, DNS exploit, virtualization security, etc.

There, I posted about BlackHat.

Vet

Posted by Michael Farnum on Thursday, August 7th, 2008


Filed under Security

I just posted over at my CW blog about the lost laptop from the company running the Clear program.  Whiskey Tango Foxtrot, over?

When you read, take a look at the quotes I found from their website.  Friggin’ classic.

Vet

Posted by Michael Farnum on Tuesday, August 5th, 2008


Filed under Podcasts, Security

Here’s the second installment of the podcast.  Joining me is my cohort and cohost, Jim Broome.  Some of you may know Jim from his blog.  Jim is definitely one of the more technical bloggers out there, serving up all kinds of geek toy and hacking fun.  I hope to keep Jim around a long time since he has a whole lot of experience in the security field, and he is in no way shy to talk about it. :)  Also, Jim is doing most (if not all) of the mixing and production work on the podcast since he has a lot of cool toys and has experience in the broadcast industry.  So thanks Jim!

Some show notes:

  • Talk about the goals for the show
  • News talk - all about BlackHat / Defcon (and how I am not going to be there - sheesh)
    • Accuvant’s party
    • Various and sundry talks that interest us
  • Geek toys - ASUS EEEPC 1000H
  • Consultant’s Corner - Rent the SUV… it’s cheaper!

Stick with us as we get all the bugs worked out.  I hope to bring some new perspectives and liveliness to security podcasting.

Vet

Posted by Michael Farnum on Tuesday, August 5th, 2008


Filed under Convergence, Security, Security Products

I just read a post by Mike Rothman where he is revisiting the "Big is the New Small" post he wrote oh so long ago (is it just me, or does 2 years in the blogging world seem more like 20?).  Basically, it was all about the consolidation of the security market, which is still happening, as Mike points out.

But the little nugget that Mike points out but really doesn’t give enough time to is the integration issue.  Mike says this:

There are many that cling to the "best of breed" myth. It’s even funnier when you think about folks positioning their offerings as "integrated best of breed," whether it happens on the perimeter or on the devices. Or even in security management. Integration/unification and best of breed are opposites. Oil and water. You get the picture. It just doesn’t happen.

I added the emphasis there because I think that is important.  I have seen some of these bigger companies that have a centralized management platform (especially the end-point security companies) that have bought these different products and are still trying to integrate them all into that platform.  Their vision is good as far as the concept goes.  "Let’s put all of these products into a central management console that can provide all the information in a single spot." It would make their offerings attractive to the client if it worked.  I think this is the reason a lot of people are going with some of these "bloated, unresponsive, lumbering vendors."  Some of it may be that they don’t want to work with 5 different companies, but I think that happens more often in infrastructure types of products (DLP products, now mostly owned by bigger companies, still often sell as best of breed much of the time because they each have their own strengths). 

What I see as something of a trend (though not long term because the consolidation will still happen) is that some of these shops will look at best of breed in some areas for a while because the integration they were sold has not been delivered.  I really see some of these shops not wanting "good enough" because it isn’t close enough to actually being good enough.  These products that should have been integrated and functioning smoothly by now are still struggling to get off the ground, and they are causing more management headaches.

I guess we’ll see.  Some people may continue to struggle through and wait for the promise.  But I see a lot of people getting aggravated, and they are being almost forced to make some changes in order to manage the problems.

Vet

Posted by Michael Farnum on Monday, August 4th, 2008