Adobe Sandboxes Flash in Firefox

I am happy to post that Adobe has released beta code for sandboxing Flash content within Firefox.  Sandboxing is an excellent way to isolate ancillary code from the operating system and other applications.  I have been using it for years to keep my browser and its myriad vulnerabilities isolated after experimenting with it in malware analysis.  It just makes sense to contain the raft of cruft that tends to come in from an uncontroled, but necessary network, like the Internet.

It is not a foolproof method for containing all malware or avoiding malicious content, but it cuts down significantly on the impact of what mal-content can do by restricting its reach, and it increases the cost, package size, and effort required on the part of the bad guys to get through an additional layer of defense.  Every defensive layer that they have to identify and circumvent presents another opportunity to discover and analyze their attack code…

Adobe used elements of Google’s Chrome sandboxing technology in its Reader code after a flurry of vulnerability announcements and high profile attacks targeting the application.  Adobe says that since its launch in November 2010, they have not seen a single successful exploit in the wild against Adobe Reader X, where they initially offered sandboxing technology.

The new code currently supports Firefox 4.0 or later running on Windows 7 or Vista.  Adobe promises wider browser protection soon.  More details will be given at the CanSecWest security conference in Vancouver, BC next month.  I sure would like to attend this conference.  Maybe I will meet some of you there?!

UPDATE:  ComputerWorld reports that IE is next on Adobe’s list to “sandbox” its popular Flash Player within browsers, Adobe’s head of security said today.

Metrics. Not Just For Breakfast Anymore

Over the past couple of years, I have found myself being drawn back to my IT roots, looking to solve the same old problems that plagued IT when I was so much younger had a full head of hair, and still had to learn that I hadn’t learned it all quite yet.  Back in the day, my boss asked me how the systems were running, and how IT was performing.

I thought a moment, and responded, “All of the systems appear to be running well, we haven’t had any downtime lately, and the server room is humming along nicely.”  He waited.  I broke the silence with “It’s all good.”  My boss, being the patient and well mannered fellow that he was, reiterated, “So the systems are all up, but how is IT doing?  Are we at capacity on any of the systems, and are our processes working like they should?”  I couldn’t respond honestly, so I admitted it.  He had never asked me before how our processes were working, so it must have been all that golf he had been playing lately that had gotten to him.  We were blind to whether we were doing the right things, and doing them well or poorly.  My engineers and I had put together some fantastic systems and processes for the company, reliable, scalable, capable, but had forgotten to consider how we would be able to measure when we needed to scale, improve, support, or replace them.  DOH!  We did have basic system health gauges, but that was just for monitoring CPU and RAM thresholds.  Time to think bigger, and smaller.

Why do we collect metrics?  Metrics are a critical component of Management, whether it be Information Security, or Projects, and Programs.  If you aren’t monitoring your exposures and measuring your results, how will you know whether you have been successful?  IT is all about strategy.  We implement systems in order to meet business objectives.  IT systems support the objectives of the business.  The business could still run without IT.  Much slower, ineffecively, inefficiently, and at a retarded pace, but the business could still run.  Without metrics, how do you prove the value that your IT or Security team is bringing to the organization?  How do you justify continued spending on improvements, new tools, new technologies? Continue reading →

Global Security Defence Agenda Report

McAfee and the Security and Defence Agenda (SDA) have revealed their findings in a report that attempts to paint a global view of the current cyber-threat, (sigh* Cyber?  Really?) defensive measures, and an assessment of the road ahead.  The report was created to identify key areas for discussion, highlight trends, and to help governments and organizations understand how their security defense posture compares to others.

This report involved a survey and interviews with roughly 250 leading authorities worldwide with over 80 security experts in government, international organizations and academia.  It is aimed at the “influential layperson”, and deliberately avoids technical jargon.

Some Key Findings:

• 57% of global experts believe an arms race is taking place in cyber space.
• 45% of respondents believe that online security is as important as border security.
• 43% identified damage or disruption to critical infrastructure as the greatest single threat with wide economic consequences.
• 36% believe information security is more important than missile defense.
• US, Australia, UK, China and Germany all ranked behind smaller countries for their state of incident readiness. Continue reading →

Late Breaking Attack Vectors WebCast

Mike Kachmar sent me an email invitation to a monthly webcast that should be interesting, and offers an opportunity to grab a few of those elusive CISSP CPE credits.  I thought I’d extend the invitation along.  Previous webcasts have been both intersting and informative.

Don’t miss the “Late Breaking Computer Attack Vectors” webcast!  They are also giving away a Apple iPad2 at the end of the webcast (already got one, but another one wouldn’t hurt…).  You do NOT need to be present to win.  Simply register with complete and accurate information and we will announce the winner at the end of the webcast.

The webcast is sponsored by Thawte and hosted by Larry Pesce, from the PaulDotCom Team, Wednesday February 1, 2012 2:00PM ET

REGISTER HERE:  https://cybersecurityworldevents.webex.com/cybersecurityworldevents/onstage/g.php?t=a&d=669294014

Join the paulDotCom Team as they take a practical look at the most recently identified threats IT Security Professionals face on a daily basis.  Rather than narrating a lifeless monologue on the most recent global data correlation, they will take an “everyman’s” approach to the Who, What, When, Where and Why of the most recent attack vectors.

Rather than asking them to do the impossible and tell us in advance what the topics will be – after all, how “Late Breaking” can that really be? They will be modifying and editing their presentation up until a few moments prior to the webcast based on the most recently identified attack vectors.

I should be back in the office from my morning interviews by then, so I’m ALL in…

13 Rules of Intelligence

I came across this post on the “Intelligence War” blog site.  The original 13 rules were written by Admiral Sir John Godfrey, Royal Navy, Director of Naval Intelligence, 1939-1943.  These rules written decades ago have stood the test of time fairly well.

1. Fighting commanders, technical experts and political leaders are liable to ignore, under-rate or even despise intelligence.  Obsession and bias often begin at the top.
2. Intelligence for the fighting services should be directed as far as possible by civilians.
3. Intelligence is the voice of conscience to a staff.  Wishful thinking is the original sin of men of power.
4. Intelligence judgments must be kept constantly under review and revision.  Nothing must be taken for granted either in premises or deduction.
5. Intelligence departments must be fully informed about operations and plans, but operations and plans must not be dominated by the facts and views of intelligence.  Intelligence is the servant and not the master.
6. Reliance on one source is dangerous; the more reliable and comprehensive the source the greater the dangers.
7. One’s communications are always in danger; the enemy is always listening in, even if he cannot understand.  Intelligence has a high responsibility for security.
8. The intelligence worker must be prepared for villainy; integrity in handling of facts has to be reconciled with the unethical way they have been collected.
9. Intelligence is ineffective without showmanship in presentation and argument.
10. The boss, whoever he is, cannot know best and should not claim that he does.
11. Intelligence is indivisible.  In its wartime practice the divisions imposed by separate services and departments broke down.
12. Excessive secrecy can make intelligence ineffective.
13. Intelligence is produced from files, but by people. They require recognition, continuity, and tradition, like a ship or a regiment.

Any Vulnerability Management or Incident Response process could benefit from knowing, understanding, and applying these 13 rules.

Job Search Responses

Interesting discussion over at TechCrunch regarding potential employer response (or lack thereof) to hiring candidate submissions.  (Please, prospective employers, don’t get your knickers in a bunch, I’m not complaining, really I’m not.  Everybody updates ME.)  Most of this diatribe is based on the article, but I recommend reading and posting your own comments at TechCrunch.

There are plenty of job search engines, recruitment vehicles and so on out there on the Web.  If you’ve ever been on the job hunt, you know how frustrating and time consuming it is to manage the job hunt process.   </Start Griping>  You spend hours filling out forms and fields, manually recreating your resume in yet another database, adding more and more “action verbs” to your resume, etc.  You fire off application after application.

Then you wait.  Your prospective employer doesn’t respond.  You send a follow-up email.  Nothing.   Another follow-up after a couple of weeks, still nothing.   Maybe you get an interview.  You send a thank you and a follow-up email.  Nothing…….

Job searchers absolutely hate this resume black hole.  This deficiency impacts the relationship that the company may have with potential employees, who may also be potential customers.  It can damage your company’s reputation.  In a recent study 72% of respondents said they would be less likely to recommend companies’ products or services or write a positive review online if companies don’t respond to their applications.  All people want is a response or an update.  </End Griping>

This is the pain point a startup called StartWire is trying to solve.  Their value proposition lies in being a sort of project management tool for the job search process.   StartWire launched in early 2011 and had attracted 50,000+ registered users by January 1st of this year. Continue reading →

Microsoft Prepares Threat Intelligence Service

ThreatPost reports that Microsoft is testing a new service to distribute information from captured botnets and other sources to partners, including foreign governments, Computer Emergency Response Teams (CERTs) and private corporations.

Microsoft expects to offer three realtime feeds, which third parties could access for free.  Organizations would provide Microsoft with information on their IT infrastructure, such as an IP address block that they own.  Microsoft would then filter its threat feed by that information, supplying subscribers with data relevant to their infrastructure.  Companies could use the data to look for malware infections, or correlate data on botnet hosts with data on click fraud and other scams.  CERTs might be interested in threats relevant to their region. Microsoft hopes this service will also help smaller organizations battle large, powerful, global botnets, lowering the cost of monitoring and responding to infections.  The company wouldn’t give a timeline for the real time threat feed.

Despite the proliferation of “Bad Microsoft, just fix your code” comments on the ThreatPost site, I see this personally as the right track to take given the current state of things, and applaud the moxy Microsoft is showing in the battle against malware.  Yes, Microsoft and EVERY other vendor needs to constantly improve their code and coding practices.  Blah blah blah.  What will NEVER happen is one day we will wake up and all code will be impervious to attack and exploitation.  We have yet to perfect human creativity, and we are light years away from producing unflawed anything.  Give it a rest.

My concerns with this I hope are addressed before Microsoft opens the feed-gates.  How will the data that is captured from botnet command and control servers, and I suspect from data repositories associated with those C&Cs be managed?  Will it be handed over intact, leaving anyone infected subject to their own personal wiki-leaks in reverse (Government gets your goodies), or will it be properly sanatized to protect individual privacy?  How will this data cleansing be made transparent?  I trust everybody at the table, as long as I can cut the cards and watch the deal…

OpenSource DLP Releases New Version

The OpenSource (as in FREE!!!) Data Leakage Protection team has released version 0.4.3 recently.  I first blogged about this product back in May 2010.  If you are running this app, or are looking for an on the cheap solution to DLP, might want to wander over and have a look.

Got Any iPad App Recommendations?

As I’ve been bragging all week long, my beautiful wife bought me an iPad2 for Christmas this year.  I’ve been poking around the app store, downloaded some new tunes (the kids have had it with my ragged old country music), and have scooped up as many free or cheap tools as I can find.  I’ve downloaded, tried and deleted so many apps already, but I’m still looking for a few choice ones.

What apps do you find useful?

My keepers list so far:

• Media/News
  • Facebook
  • LinkedIn
  • ResumeHD
  • CardMunch (for Linkedin)
  • CityNews
  • TO CityMinute
  • TheStar
  • DarkReading
  • CIO Digest
  • Security Tech Reader
  • ProSec Mag
  • WordPress Blogger
  • International Gamers News
  • National Cyber Security News
  • McAffee Threat Feed
  • CP24 News
  • Toronto Metro
  • FeedlerRSS
  • Bunch of iBooks (PDF)
• Travel
  • Toronto Path Map
  • TTC Rocket Man
  • TripIt
  • iTranslate
  • Compass
  • WeatherEye
• Utility
  • CompassFree Spreadsheet
  • QRScanner
  • Sci-Calculator
  • Project Mgmt Flash Cards
  • Liquid Planner
  • iJobs
  • Monster Job Search
  • CCTV Tools
  • Vtrace
  • NoiseSniffer
  • Fing (Network Scanner)
  • MobiControl
  • NetStat
  • Log Caliper
  • iVulnerable (CVSS Lookup)
  • Free WiFi Finder
  • Unit Converter
  • Cisco Tech Support Tools
  • Cisco Subnetting
  • NetMon
  • 5-0 Radio (Police Scanner)
  • Gadget Guide
  • SAP StreamWork
  • AnyConnect
  • SpiceWorks (LAN Management)
  • ROVE Mobile Admin
  • Dog Trainer
• Audit
  • Mobile Auditor
  • Device Inspector
  • iWorkFlow
  • Audit411
  • Internal Auditor Mag
  • iAuditor
  • CMO Audit Tools
  • Palm-T Home Inspector
  • Audit360Pro

Arachni v0.4 Web App Security Scanner

Tasos Laskos at Zapotek reports that Arachni 0.4 Open Source Web Application Security Scanner Framework is now available, and this new version makes this tool even faster and more useful than ever.

If you are not familiar with Arachni, it is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.  The application trains itself by learning from the HTTP responses it receives during the audit process, and is able to perform meta-analysis to assess the trustworthiness of results and identify false-positives.

It takes into account the dynamic nature of web applications, can detect changes caused while travelling through the paths of a web app’s complexity, and is able to make adjustments accordingly. This way attack/input vectors that would otherwise be undetectable by non-humans are seamlessly handled by Arachni.

Arachni is versatile, covering a great deal of use cases, ranging from a simple command line scan, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits.

The addition of the Grid scanning capability allows you to connect multiple nodes into a grid to perform lightning-fast scans.  Arachni distributes the workload granularly, down to individual page elements, to ensure optimal distribution, aggregating bandwidth and CPU.

It will work under any flavor of unix that supports Ruby, including Cygwin for Windows implementations.

New Goodies: Continue reading →