The Lazy Genius

Plasma TV components applied to password cracking

Xavier Ashe — Thu, 01 May 2008 08:44:03 -0400

Forget networked PCs or even PlayStation 3s, components commonly found in plasma TVs are the latest thing in password cracking tools.

High performance FPGA (Field Programmable Gate Array) chips are the Chuck Norris of number crunching, equally suited to image processing and (with a bit of modification) password cracking.

During the Black Hat conference in Washington in February researcher Dan Mueller used FPGA kit in an attack that cracks standard GSM transmissions, encrypted using the A5/1 algorithm, in as little as 30 seconds.

The same technology can be applied to crack Bluetooth transmissions in as little as eight seconds, according to security consultancy SecureTest, which ran a demo of the technology at the recent Infosec conference.

Read the full article on The Register.

HP Cuts Investment in their Security Portfolio

Xavier Ashe — Tue, 25 Mar 2008 17:30:10 -0400

Burton Group has specifically commented on HP’s struggle to succeed in this competitive market. Burton Group’s Identity and Privacy Strategies Report, “The Identity Management Market 2007: An Expanding Universe”, Our Catalyst 2007 Keynote “Identity Management Market Landscape 2007: Enabling Security and Control Objectives in the Enterprise”, and our “Vantage Point 2007: Trends in Identity Management” telebriefing, all noted that HP’s ability to compete, mindshare, and market momentum has been in sharp decline.

Burton Group has been contacted by HP customers who report that HP is no longer going to seek new customers for its Identity Center product. We have contacted HP and the company confirms that HP Software has decided to focus its investment in identity management products exclusively on existing customers and not on pursuing additional customers or market share. HP is in the process of reaching out to each customer regarding the change. Last week Burton Group spoke to HP Software Vice President of Products Eric Vishria regarding this development.

Vishria explained that the Identity Center product line was not performing in this highly competitive market at a level that’s acceptable to HP, but added that the product supports the operations of a number of HP’s critical customers. HP has therefore made the decision to focus research and development efforts on existing customers only.

This was posted on the Burton's Group Identity Blog. Interesting stuff, read more:

Customers of other IdM vendors and customers considering new IdM deployments should also be carefully scrutinizing this announcement. As the market becomes increasingly competitive it is imperative that customers evaluate the viability and long-term strategy of their existing and potential IdM vendors. Burton Group predicts that the market will see continued, or even increased, consolidation in coming months.

Cult of the Dead Cow Releases Goolag

Xavier Ashe — Sun, 09 Mar 2008 10:56:13 -0400

Cult of the Dead Cow, or cDc, an old-school hacking crew famous for its anti-censorship stance, has shipped a new tool that turns the Google search engine into an easy-to-use vulnerability scanner.

Taking its cue from Johnny Long's Google Dorks—search queries that reveal sensitive information—cDc's new Goolag Scan pushes the envelope even more, offering a stand-alone Windows GUI-based application to power the searchers.

The open-source program comes with about 1,500 custom Google search queries embedded by default to run searches for vulnerable Web applications, misconfigured Web servers with open backdoors, sensitive user names and passwords, and other documents accidentally exposed on the Internet.

"It's no big secret that the Web is the platform," said Oxblood Ruffin, a spokesperson for the hacker think tank. "This platform pretty much sucks from a security perspective. Goolag Scanner provides one more tool for Web site owners to patch up their online properties.

"We've seen some pretty scary holes through random tests with the scanner in North America, Europe and the Middle East. If I were a government, a large corporation, or anyone with a large Web site, I'd be downloading this beast and aiming it at my site yesterday. The vulnerabilities are that serious," Ruffin said.

The utility ships as a .Net program that can be manually configured to power Google queries for specific servers or for an entire set of domains.

For example, a business can ask Goolag Scan to search for vulnerable servers or "files containing juicy information" on all its Web sites, turning the scanner into a useful auditing tool.

News report from eWeek. Try Goolag now.

Bejtlich points out Gartner Wisdom

Xavier Ashe — Sun, 09 Mar 2008 10:28:25 -0400

2003: "IDSs [intrusion detection systems] have failed to provide value relative to its costs and will be obsolete by 2005." (Gartner, "Gartner Information Security Hype Cycle Declares Intrusion Detection Systems a Market Failure")

2008: "Our adversaries are very adept at hiding attacks in normal traffic. The only true way to protect our networks is to have an intrusion detection system." (Robert Jamison, Under Secretary of the National Protection and Programs Directorate at DHS)

From TaoSecurity.

Funny "Hacking" Story

Xavier Ashe — Tue, 04 Mar 2008 16:54:35 -0500

After a bit more back-and-forth about how he could "just answer any questions I had right now", the sales rep pointed me to their sample ads, a 7mb PDF with sixteen pages of seemingly real companies, all with the same phone number (555-555-5555) and the same website (00000000000.com). Somehow, that didn't convince me to "invest" several hundred dollars, so the salesman faxed over some more inforation with a single, real ad.

As I eagerly waited for the follow-up call later that day, I thought I'd take a minute or two to check out their website. Almost immediately, I came across their Federal Procurement Officers Only page. Out of curiousity, I entered a username and password, and then clicked the Login button. Instantly, a JavaScript dialog popped-up...

Since there's really only one thing that could cause such a dialog to pop-up so fast, I checked the source code...

Entertaining story posted on The Daily WTF.

It's official: Pirates crack Vista at last

Xavier Ashe — Mon, 03 Mar 2008 14:21:07 -0500

A genuine crack for Windows Vista has just been released by pirate group Pantheon, which allows a pirated, non-activated installation of Vista (Home Basic/Premium and Ultimate) to be properly activated and made fully-operational.

Unlike cracks which have been floating around since Vista RTM was released in late November, this crack doesn’t simply get around product activation with beta activation files or timestop cracks - it actually makes use of the activation process. It seems that Microsoft has allowed large OEMs like ASUS to ship their products with a pre-installed version of Vista that doesn’t require product activation – apparently because end users would find it too inconvenient.

Best practices for IT security management

Xavier Ashe — Tue, 26 Feb 2008 12:11:03 -0500

The nuts and bolts of an information risk management (IRM) framework are best put in place long before you install the technology. But it's never too late to mitigate business risk by working out the mechanics of functions, requirements and controls. Discover and report on the right priorities, and you can construct a framework for making well-informed decisions.

Read Five steps to building information risk management frameworks and Developing Controls for People, Processes and Technology by Forrester analyst Khalid Kark who details how to build a sound IRM solution in your organization, including:

			Defining domains for your IRM framework
			Three questions to ask when assessing the criticality of IRM requirements
			Overcoming two significant challenges in defining security metrics programs
			Converging physical and logical security through process collaboration

Kark is a principal analyst at Forrester Research. His research focuses on information risk management strategy, governance, best practices, measurement and reporting.

This expert advice is part of a continuing series on IBM best practices for IT security management. IBM security services and solutions such as Tivoli®, Internet Security Systems™, and Rational® enable customers to better manage their infrastructure, operations and IT processes.

PCI compliance drives identity management spending, says IBM's GRC chief

Xavier Ashe — Tue, 19 Feb 2008 15:58:18 -0500

Great interview with Kristin Lovejoy, the director of IBM Governance and Risk Management Strategy over at Information Security Magazine.

When Consul was acquired, how difficult was the technology integration?
Kristin Lovejoy: There was a good bit of integration work that had to occur. Most of it was around assuring that the product offering met the scalability requirements that had to be defined by IBM. IBM's acquisition of the technology undergoes a blue-washing process. The blue washing process assures that the technology sold to IBM customers are not packaged with any kind of code that is not documented—no open source components. Also the database infrastructure had to be reworked and released for DB2.

You've been viewed as a leader in driving the implementation of auditing as a required step in identity and access management. Talk about the importance of auditing.
Lovejoy: Of course it was Sarbanes Oxley where the concept was initiated. Section 404 required organizations to not only look at their business controls but also their IT controls. It points to a requirement that organizations adopt a control framework within the finance, accounting organization, making sure there's no conflict of interest. Sarbanes Oxley made people say trust is ok but now I have to verify. We saw a lot of companies want to be able to monitor privileged users such as database administrators and developers. They wanted to ensure that those that were working in the preproduction environment were only working in the preproduction environment.

In addition to Sarbanes Oxley, there have been over time lots of requirements like PCI DSS and HIPPA that requires you to do audit logging. These requirements, which always said you need to maintain the logs, are now beginning to indicate that it's not simply collecting logs, but you also have to be able to review the activity in logs and identify areas potentially anomalous activity.

New IBM Redbook - Deployment Guide Series: IBM Tivoli Compliance Insight Manager

Xavier Ashe — Tue, 19 Feb 2008 11:03:36 -0500

In order to comply with government and industry regulations, such as Sarbanes-Oxley, Gramm-Leach-Bliley, and COBIT, enterprises have to constantly detect, validate, and report unauthorized change and out-of-compliance actions on their IT infrastructure.

The Tivoli Compliance Insight Manager v8.0 solution allows organizations to improve the security of their information systems by capturing comprehensive log data, correlating this data through sophisticated log interpretation and normalization, and communicating results through a dashboard and a full set of audit and compliance reporting.

We discuss the business context of security audit and compliance software for organizations, and we show a typical deployment within a business scenario.

This is the second IBM Redbook covering IBM Tivoli Compliance Insight Manager - the first book being the Compliance Management Design Guide with IBM Tivoli Compliance Insight Manager, SG24-7530.

This IBM Redbooks publication is a valuable resource for security officers, administrators, and architects who wish to understand and deploy a centralized security audit and compliance solution.

Download the Deployment Guide Series: IBM Tivoli Compliance Insight Manager
Publish Date: February 15, 2008 ISBN Number: 0738485705

Security in Dilbert

Xavier Ashe — Mon, 11 Feb 2008 13:22:47 -0500

TSOM and TCIM Integration! (TSIEM)

Xavier Ashe — Tue, 05 Feb 2008 12:01:02 -0500

Chief Security Officers (CSOs) and Chief Information Security Officers (CISOs) today are focused on prioritizing security initiatives to support their business goals, and on managing technical risk and governance. Their organizations are challenged to both minimize security-based business disruptions and ensure and demonstrate compliance with privacy regulatory requirements, with a limited set of resources. Security information and event management (SIEM) technology can provide a solution to these challenges, and provide greater leverage of people and greater visibility of their existing security infrastructure.

IBM offers two SIEM complementary capabilities for the security information and events:

A real-time, network event-oriented management dashboard that facilitates attack recognition and incident management
An information analysis dashboard to assess how well an organization adheres to its security and governance policies

IBM Tivoli Security Information and Event Manager V1.0 (TSIEM) is comprised of two products: IBM Tivoli Security Operations Manager V4.1 (TSOM) and IBM Tivoli Compliance Insight Manager V8.5 (TCIM). These products, working together, help you realize the full promise of enterprise SIEM. By centralizing log collection and event correlation across your enterprise, you can leverage an advanced compliance dashboard to link security events and user behavior to your corporate policies.

Tivoli Security Information and Event Manager delivers a comprehensive foundation to help address your SIEM requirements. As a result, IT organizations can reduce their exposure to security breaches; collect, analyze, and report on compliance events; and manage the complexity of heterogeneous technologies and infrastructures. TSIEM provides support for numerous applications, operating systems, security products, and network infrastructures, as well as desktop and mainframe systems.

Using TCIM and TSOM together provides the benefits of both products, through their complementary user-centric and network-centric perspectives. Integration between TSOM and TCIM can provide additional unique capabilities:

Identify important audit and administrative events from the network/security infrastructure for privileged user monitoring and compliance reporting. This leverages the broad network and security product support of TSOM and its correlation capabilities to provide added value auditable events for use in the TCIM privileged user monitoring and audit and compliance reports.
Identify network-centric policy violations with TSOM, and forward these high level correlated events to TCIM for consolidated compliance dashboard and reporting and views.

The integration described in this document provides the foundation to accomplish these two general use cases. It describes the specific of configuring TSOM to send events to TCIM.

Dowload the Tivoli Security Information and Event Manager: Tivoli Security Operations Manager and Tivoli Compliance Insight Manager Integration Guide

Pass-The-Hash Toolkit

Xavier Ashe — Sat, 02 Feb 2008 10:03:35 -0500

Pass-The-Hash Toolkit v1.2 is available.

What is Pass-The-Hash Toolkit?

The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions maintained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its corresponding NTLM credentials (e.g.: users remotely logged in thru Remote Desktop/Terminal Services), and also change in runtime the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH on Windows!).

Direct download links:
source code:
http://oss.coresecurity.com/pshtoolkit/release/1.2/pshtoolkit_v1.2_src.tgz
binaries:
http://oss.coresecurity.com/pshtoolkit/release/1.2/pshtoolkit_v1.2.tgz

More info:
http://oss.coresecurity.com/projects/pshtoolkit.htm
http://oss.coresecurity.com/pshtoolkit/doc/index.html

what's new:
http://oss.coresecurity.com/pshtoolkit/release/1.2/WHATSNEW

From Hexale.

Tivoli Security Information and Event Manager

Xavier Ashe — Tue, 29 Jan 2008 11:22:48 -0500

This product offering is the next evolution of what I've been doing at IBM. Finally, a public announcement!!

IBM Tivoli Security Information and Event Manager V1.0 helps IT security organizations obtain valuable security insights that your organization can act on, by:

    * Facilitating compliance by using centralized dashboard and reporting capabilities.
    * Helping to protect intellectual property and privacy by auditing the behavior of all users — privileged and nonprivileged.
    * Managing security operations effectively and efficiently with centralized security event correlation, prioritization, investigation, and response.

IBM Tivoli Security Information and Event Manager V1.0 offers:

    * Integration and exchange of events between IBM Tivoli Security Operations Manager and IBM Tivoli Compliance Insight Manager correlation engines.
    * New endpoint pricing for both security incident and audit log collection.

Security information and event management (SIEM) is a primary concern of CIOs and CSOs in many enterprises and organizations. There is a need to centralize security-relevant events and analyze the consolidated data to obtain valuable security and compliance insights.

IBM offers two complementary perspectives on SIEM:

    * A real-time, network event-oriented management dashboard that facilitates attack recognition and security incident management.
    * An information analysis dashboard to monitor how well an organization adheres to its security and governance policies.

IBM Tivoli® Security Information and Event Manager V1.0 is comprised of two products that work closely together to help realize the full promise of enterprise SIEM: IBM Tivoli Security Operations Manager V4.1 and IBM Tivoli Compliance Insight Manager V8.5. Now you can centralize log collection and event correlation across the enterprise, and can leverage an advanced compliance dashboard and regulatory compliant reports to link security events and user behavior to corporate policies.

Tivoli Security Information and Event Manager V1.0 delivers a foundation from which to address your SIEM requirements — now and into the future. As a result, IT organizations can lower their exposure to security breaches; control the costs of collecting, analyzing, and reporting on compliance related events; and manage the complexity of heterogeneous technologies and infrastructures. IBM Tivoli Security Information and Event Manager offers end-to-end capabilities including:

    * Security compliance dashboard.
    * Security operations dashboard for security incident management.
    * Real-time log aggregation, correlation, and analysis of security incidents.
    * IT operations integration.
          o Recognize, investigate, and respond to security incidents automatically.
          o Streamline incident tracking, handling, and resolution.
    * Mainframe, operating system, application, and database audit analysis.
    * Privileged user monitoring and auditing (PUMA).
    * Log management reporting.

Hackers Hit Scientology With Online Attack

Xavier Ashe — Mon, 28 Jan 2008 17:01:00 -0500

A group of hackers calling itself "Anonymous" has hit the Church of Scientology’s Web site with an online attack.

The attack was launched Jan. 19 by Anonymous, which is seeking media attention to help "save people from Scientology by reversing the brainwashing," according to a Web page maintained by Anonymous.

Anonymous claims to have knocked the Church’s Web site offline with a distributed denial-of-service attack, in which many computers bombard the victim’s server with requests, overwhelming it with data in the hope of ultimately knocking the system offline. True to its name, Anonymous does not disclose the true identities of its members.

The attacks were spurred by the Church’s efforts to remove video of movie star Tom Cruise professing his admiration for the religion, according to an Anonymous video manifesto posted to Youtube.

Heh. Awesome. I mean.... HACKING IS BAD. You shouldn't do this. Even to people who had it coming. Read more.

Metasploit Project Releases version 3.1

Xavier Ashe — Mon, 28 Jan 2008 09:10:10 -0500

The Metasploit Project announced today the free, world-wide availability of version 3.1 of their exploit development and attack framework. The latest version features a graphical user interface, full support for the Windows platform, and over 450 modules, including 265 remote exploits. "Metasploit 3.1 consolidates a year of research and development, integrating ideas and code from some of the sharpest and most innovative folks in the security research community" said H D Moore, project manager. Moore is referring the numerous research projects that have lent code to the framework.

These projects include the METASM pure-ruby assembler developed by Yoann Guillot and Julien Tinnes, the "Hacking the iPhone" effort outlined in the Metasploit Blog, the Windows kernel-land payload staging system developed by Matt Miller, the heapLib browser exploitation library written by Alexander Sotirov, the Lorcon 802.11 raw transmit library created by Joshua Wright and Mike Kershaw, Scruby, the Ruby port of Philippe Biondi's Scapy project, developed by Sylvain Sarmejeanne, and a contextual encoding system for Metasploit payloads. "Contextual encoding breaks most forms of shellcode analysis by encoding a payload with a target-specific key" said I)ruid, author of the Uninformed Journal (volume 9) article and developer of the contextual encoding system included with Metasploit 3.1.

Read the full announcement here. The new GUI is pretty slick. This is my most common tool when testing my security implementations. I use Cain & Abel a lot also. Anyway, I am glad to see the project is still moving forward nicely.

IBM digs into security management

Xavier Ashe — Thu, 10 Jan 2008 09:29:53 -0500

IBM is aggressively expanding its security portfolio in hopes of becoming the de facto source of advice and technology for businesses looking to adopt high-level IT governance and risk management strategies -- a transformation among customers that officials at Big Blue cite as both ongoing and inevitable.

As the waves of security threats and data management regulations have washed ashore and left organizations struggling to balance perimeter and internal security concerns with mounting obligations to protect highly-valuable data, companies are being forced to take more of a top-down approach that addresses broad sets of IT-oriented risks, versus individual problems, IBM officials maintain.

And while a host of players ranging from security software makers to massive IT consultants have begun marketing themselves as those best suited to help customers embrace a governance and risk management approach, IBM executives claim that their firm's mix of technology, services and partnerships place it at the top of any list of providers capable of helping organizations prepare their security operations for the future.

"We feel that we're ahead of the curve and driving forward our ability to meet these needs, some of which that might not yet have emerged from a broad perspective," said Kris Lovejoy, IBM's director of corporate security strategy.

"We feel that we are creating security risk management capabilities and have an opportunity to commoditize them in a way that can be leveraged at large," she said. "From an overall strategic perspective, that doesn't mean that customers are ready to stand up en masse right now and require everything we've built, but we're actively trying to extend the portfolio in advance of that trend."

...

Great article over at InfoWorld.

FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack

Xavier Ashe — Thu, 10 Jan 2008 09:12:23 -0500

Boeing's new 787 Dreamliner passenger jet may have a serious security vulnerability in its onboard computer networks that could allow passengers to access the plane's control systems, according to the U.S. Federal Aviation Administration.

The computer network in the Dreamliner's passenger compartment, designed to give passengers in-flight internet access, is connected to the plane's control, navigation and communication systems, an FAA report reveals.

The revelation is causing concern in security circles because the physical connection of the networks makes the plane's control systems vulnerable to hackers. A more secure design would physically separate the two computer networks. Boeing said it's aware of the issue and has designed a solution it will test shortly.

"This is serious," said Mark Loveless, a network security analyst with Autonomic Networks, a company in stealth mode, who presented a conference talk last year on Hacking the Friendly Skies (PowerPoint). "This isn’t a desktop computer. It's controlling the systems that are keeping people from plunging to their deaths. So I hope they are really thinking about how to get this right."

Microsoft wireless keyboards crypto cracked

Xavier Ashe — Tue, 04 Dec 2007 15:42:19 -0500

Security researchers have cracked the rudimentary encryption used in a range of popular wireless keyboards.

Bluetooth is increasingly becoming the de-facto standard for wireless communication in peripheral devices and is reckoned to be secure. But some manufacturers such as Logitech and Microsoft rely on 27 MHz radio technology which, it transpires, is anything but secure.

Using nothing more than a simple radio receiver, a soundcard and suitable software, Swiss security firm Dreamlab Technologies managed to capture and decode the radio communications between a keyboard and a PC. The attack opens the way up to all sorts of mischief including keystroke logging to capture login credentials to online banking sites or email accounts.

Dreamlab cracked the encryption key used within Microsoft Wireless Optical Desktop 1000 and 2000 keyboards. As most products in Microsoft's wireless range are based on the same technology other products are likely to be insecure. Max Moser and Phillipp Schrödel of Dreamlab Technologies succeeded in eavesdropping traffic from a distance of up to ten meters using a simple radio receiver. More sensitive receivers may make it possible to capture keystrokes over larger distances.

Read the full article on The Register.

Guide for Mapping Types of Information and Information Systems to Security Categories

Xavier Ashe — Fri, 09 Nov 2007 13:07:06 -0500

Draft Special Publication 800-60 Revision 1, Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories and Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories, is now available for public comment at http://csrc.nist.gov/publications/PubsDrafts.html. The draft revision to Volume I contains the basic guidelines for mapping types of information and information systems to security categories. The appendices contained in draft Volume II include security categorization recommendations and rationale for mission-based and management and support information types

'Unbreakable' BD+ Blu-ray protection cracked

Xavier Ashe — Fri, 09 Nov 2007 10:46:12 -0500

A software firm reckons it has definitely cracked the forthcoming BD+ copy protection on Blu-ray discs even though Sony says it has beefed up the protocols involved.

Confident developer SlySoft says it has the ability to get round the Blu-ray camp's latest security protocol - despite its latest AnyDVD software only cracking Blu-ray's older security system, AACS (Advanced Access Content System). Currently, Blu-ray disks are digitally encrypted using that system, also used by the HD DVD camp. But BD+ is a new layer of security that is exclusive to Blu-ray.

Blu-ray: not so tough

"We already found a way to crack BD+ and we have just turned to fine-tuning," said James Wong, SlySoft's head of development in a statement. "I should really think about hiring a bodyguard now, since this product won't please everybody."

Read the full article on Tech.co.uk.

More feedback about IBM Security

Xavier Ashe — Sat, 03 Nov 2007 12:32:08 -0400

I am getting word if more and more coverage on these announcements that IBM made on Thursday. Here are a few excerpts from new stories:

Investor's Business Daily: "It's an extremely ambitious strategy but also one that plays well to some of the company's fundamental strengths," said analyst Charles King, of research firm Pund-IT, whose clients include IBM. It "does very well at developing end-to-end solutions and its view of enterprise IT is quite sweeping in comparison to some of its competitors."

eWEEK: "We've been seeing the security market itself lurch form headline to headline, and customers in particular need to stop thinking about their strategy in terms of the latest crisis," said Lovejoy. "We're trying to elevate risk management above other security conversation; starting with PCI fits that mold well, because it dovetails with this concept of starting with a risk management plan."

Investor's Business Daily: "The more we engage with our clients, the more it becomes clear that security as it has been until now is broken," said Val Rahmani, general manager of infrastructure management services for IBM Global Technology Services. "Many clients have 32 different vendors doing security for them. Who can manage 32 different vendors doing related aspects of the same thing?"

InfoWorld: "[IBM is] in a position that few others in IT can match or challenge when it comes to having a fairly complete story across multiple aspects of enterprise IT and systems integration—but security had long been an obvious gap in that story," said Scott Crawford, an analyst with Enterprise Management Associates. "What they are pushing towards with this announcement is a strategy that takes a more comprehensive approach to security across multiple fronts. With the rise of focus on a more strategic approach to GRC, I would expect more vendors to take a more strategic approach to the IT security and risk management market," he continued. "This is an example of a company that can take on such an initiative with more credibility than many."

And we also have some video and radio coverage:

Bloomberg
NBC (18 Clips)
ABC (14 Clips)
WCBS (radio):

IBM Security, a good place to be right now!

Xavier Ashe — Thu, 01 Nov 2007 15:40:56 -0400

NYTimes.com - IBM Plans Major Security Initiative
Bloomberg - IBM Plans to Spend $1.5B to Help Customers Secure Data
ZDNet - IBM touts enterprises free of fear and $1.5B security spend
SearchSecurity.com - IBM to boost security spending, push PCI DSS program
Internetnews.com - IBM: Security Is Our Brand
HardOCP - IBM Announces End-to-End Solution for PCI Compliance

Just to name a few... So, yeah, I've been busy. I am now working on both Tivoli Security Operations Manager (TSOM) and Tivoli Compliance Insight Manager (TCIM). These products work very well together in what is dubbed "The IBM SIEM Solution". The articles above speak of Tivoli and Watchfire (part of the Rational brand) in Software Group and ISS in Global Technology Services. So the $1.5B will be spread around a bit.

The comforting thing is that IBM is making a significant investment into allowing it's recent acquisitions (Consul, Micromuse, ISS, Watchfire) work together to meet the customer's needs. No longer will people doubt me when I say "I'm a security guy" and "I work for IBM" together.

Here's the official press releases:

Developer deploys graphics cards to accelerate password cracks

Xavier Ashe — Wed, 24 Oct 2007 09:07:47 -0400

Nvidia's GeForce 8 series of graphics chips can be used to crack Windows NT LAN Manager (NTLM) passwords 25 times more quickly than was previously possible, security software developer Elcomsoft has claimed.

The Russia-based company this week announced the second major release of its Distributed Password Recovery application, a tool designed to recover forgotten or lost passwords for a wide range of application and document types, including PDP-protected ZIP files, Adobe Acrobat PDFs, Lotus Notes ID files and Microsoft Office documents.

Elcomsoft admits its software uses "brute force" to crack a file's password, thus exposing the lost key to the user. The technique essentially tries all possible password combinations until it finds the one that fits. It works, but it's time time-consuming.

"Using a modern dual-core PC you could test up to 10m passwords per second," Elcomsoft said, "and perform a complete analysis in two months."

But use a GeForce 8 series card and Nvidia's Compute Unified Device Architecture (CUDA) tools to run the cracking algorithms on the GPU rather than the CPU, and you can finish up in 3-5 days, the developer claimed.

"Since high-end PC mother boards can work with four separate video cards, the future is bright for even faster password recovery applications," it added.

CUDA was launched almost a year ago to enable scientists and engineers to use graphics cards typically aimed at gamers for more serious number-crunching applications. The GeForce 8 series of GPUs went on sale in March 2007.

From The Register.

Need to print something?

Xavier Ashe — Sun, 21 Oct 2007 21:04:59 -0400

Try this Google Search. Have fun!

US military gets secure smartphone

Xavier Ashe — Sun, 21 Oct 2007 20:58:58 -0400

Finally, there's a phone plan that allows you to switch from the US government's Secret Internet Protocol Router Network to the unclassified Internet Protocol Router Network with a single keystroke.

The US National Security Agency has authorised military and government personnel to order General Dynamics' Sectera Edge secure, wireless smartphones, which will not only allow them to make secure calls but also to e-mail and Web browse in either classified or unclassified mode.

The phones will still operate using the existing GSM, CDMA and commercial Wi-Fi networks.

Sweet... I know a few folks that will happy to not have to carry two phones anymore. Real the full article on ZDNet Australia (why is the Australian ZDNet covering this?).

Why gangsters love their BlackBerrys

Xavier Ashe — Tue, 09 Oct 2007 21:01:49 -0400

Police often say that organized crime in B.C. is big business.

So perhaps it was only a matter of time before gangsters here adopted the device of choice among corporate workaholics: the BlackBerry.

The device has become so popular among B.C. gang members that an internal RCMP "threat assessment" on organized crime produced this year devotes an entire section to the device.

...

"Every message that is sent via a BlackBerry is broken up into 2Kb [kilobyte] packets of information, each of which is given a 256-bit key by the BlackBerry server," said Totzke. "That means to release the contents of a 10Kb e-mail, a person would have to crack five separate keys, and each one would take about as long as it would for the sun to burn out -- billion of years."

Read the full article.

Understanding SOA Security Design and Implementation

Xavier Ashe — Wed, 03 Oct 2007 12:47:51 -0400

Securing access to information is important to any business. Security becomes even more critical for implementations structured according to Service Oriented Architecture (SOA) principles, due to loose coupling of services and applications, and their possible operations across trust boundaries. To enable a business so that its processes and applications are flexible, you must start by expecting changes – both to process and application logic, as well as to the policies associated with them. Merely securing the perimeter is not sufficient for a flexible on demand business.

In this redbook security is factored into the SOA life cycle reflecting the fact that security is a business requirement, and not just a technology attribute. We discuss a SOA security model that captures the essence of security services and securing services. These approaches to SOA security are discussed in the context of some scenarios, and observed patterns. We also discuss a reference model to address the requirements, patterns of deployment, and usage, and an approach to an integrated security management for SOA.

This book is a valuable resource to senior security officers, architects, and security administrators.

Download the RedBook here.

UK can now demand data decryption on penalty of jail time

Xavier Ashe — Tue, 02 Oct 2007 20:26:26 -0400

New laws going into effect today in the United Kingdom make it a crime to refuse to decrypt almost any encrypted data requested by authorities as part of a criminal or terror investigation. Individuals who are believed to have the cryptographic keys necessary for such decryption will face up to 5 years in prison for failing to comply with police or military orders to hand over either the cryptographic keys, or the data in a decrypted form.

Part 3, Section 49 of the Regulation of Investigatory Powers Act (RIPA) includes provisions for the decryption requirements, which are applied differently based on the kind of investigation underway. As we reported last year, the five-year imprisonment penalty is reserved for cases involving anti-terrorism efforts. All other failures to comply can be met with a maximum two-year sentence.

The law can only be applied to data residing in the UK, hosted on UK servers, or stored on devices located within the UK. The law does not authorize the UK government to intercept encrypted materials in transit on the Internet via the UK and to attempt to have them decrypted under the auspices of the jail time penalty.

Read the full article on ArsTechnica.

Interview With A Convicted Hacker: Robert Moore Tells How He Broke Into Routers And Stole VoIP Services

Xavier Ashe — Sun, 30 Sep 2007 06:23:52 -0400

Convicted hacker Robert Moore, who is set to go to federal prison this week, says breaking into 15 telecommunications companies and hundreds of businesses worldwide was incredibly easy because simple IT mistakes left gaping technical holes.

Moore, 23, of Spokane, Wash., pleaded guilty to conspiracy to commit computer fraud and is slated to begin his two-year sentence on Thursday for his part in a scheme to steal voice over IP services and sell them through a separate company. While prosecutors call co-conspirator Edwin Pena the mastermind of the operation, Moore acted as the hacker, admittedly scanning and breaking into telecom companies and other corporations around the world.

"It's so easy. It's so easy a caveman can do it," Moore told InformationWeek, laughing. "When you've got that many computers at your fingertips, you'd be surprised how many are insecure."

Ha... these Cavemen folks are getting a bad rap these days.

Moore said what made the hacking job so easy was that 70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure. The biggest insecurity? Default passwords.

"I'd say 85% of them were misconfigured routers. They had the default passwords on them," said Moore. "You would not believe the number of routers that had 'admin' or 'Cisco0' as passwords on them. We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. ... We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips."

Yup, I agree. A caveman could do that. Read the full article at Information Week.

IBM Tivoli in Gartner's Leader Quadrant for User Provisioning

Xavier Ashe — Fri, 07 Sep 2007 09:03:39 -0400

IBM (NYSE: IBM) today announced that Gartner, Inc. has positioned IBM in the Leader Quadrant of its latest Magic Quadrant for user provisioning (1).

User provisioning is a subset of identity management that addresses an enterprise's need to create, modify, disable and delete user accounts and entitlements across a heterogeneous IT system infrastructure, including operating systems, databases, directories, business applications and security systems.

IBM is positioned in the Leaders Quadrant of Gartner's Magic Quadrant update for the second half of 2007 based in part on a measurement of product capability, market performance, customer experience and overall vision, according to Gartner.

"While IBM provides the industry's strongest identity and access management solutions, with software such as Tivoli Identity Manager and Tivoli Access Manager, customers are finding even greater value in IBM security management software as we continue to expand and integrate the industry's broadest portfolio," said Al Zollar, general manager, IBM Tivoli Software. "IBM's growth in security management is driven by customer needs for IT governance and risk management solutions and well-integrated software that spans automated identity and access management, security information and event management, and security audit and compliance."

Yay for us! I am diving more and more into the TIM and TAM products, but still focus most my energy on TSOM and TCIM. That keeps me busy enough. Read the full article at CNN, Yahoo, TMCnet, Excite, and about 50 other sites.