7 Things You Can’t Say in Infosec

Blogged by webmilhouse as Security — webmilhouse Wed 25 Jun 2008 8:05 pm

So, in honor of George Carlin, here is a list of 7 things that you can’t say if you are a security consultant:

7. Anti-virus has not and never will work.

6. Your vendor’s security product (X) will NEVER make you more secure.

5. Compromise is inevitable and there is nothing you can do to stop it.

4. Security professionals are completely unqualified for what they are doing.

3. Code will never be secure.

2. Defense in depth doesn’t work.

1. Security is an illusion and won’t ever be perfect. It hasn’t worked in the physical world, and certainly won’t work in virtual worlds. Ever.

A little tongue-in-cheek, but let me know what you think. :)

Feel free to add to this in the comments.

Firefox Web site Security Testing Plugins

Blogged by webmilhouse as Security — webmilhouse Tue 17 Jun 2008 1:35 pm

I stumbled upon these Firefox plugins the other day that allow you to test a given website against a set of predetermined XSS or SQL injection parameters. The tools include XSS-Me, SQL Inject-Me, and Access-Me, all designed to test the security of a website in an easy fashion:
http://www.securitycompass.com/exploitme.shtml

I thought these were pretty cool. I ran it against a corporate email website that is commonly used and was surprised by the amount of XSS that was successful. Be careful not to fiddle with Firefox while this is running because it will destroy the test. Also, Firefox 2 ate up a lot of memory while doing this, so I wouldn’t run it on that 486 sitting in the corner.

Break this code

Blogged by webmilhouse as Security — webmilhouse Wed 21 May 2008 8:20 am

This is freaking interesting. In case you haven’t heard about the encrypted letter that Fermilab was sent and asked for help breaking, here is some more information:

http://www.symmetrymagazine.org/breaking/2008/05/15/code-crackers-wanted/ 

http://www.jgc.org/blog/2008/05/breaking-fermilab-code.html

http://www.gmilburn.ca/2008/05/17/fermilabs-strange-letter-progress/ 

Secure your Secure Shell (SSH)

Blogged by webmilhouse as Security — webmilhouse Thu 15 May 2008 8:12 am

Also, a report of spiking scans for SSH brute force logins using common usernames and passwords:
http://www.securityfocus.com/news/11518

You can always run SSH on a port other than 22 if the firewall is configured for that. How about 2222? Make sure root login is not allowed, and that the username/password isn’t easy to brute force (30 character passwords with upper/lowercase letters, numbers, and special characters).
Of course, none of this matters if you have a rootkit keystroke logging on your computer (see previous article).
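
As an added example (not part of the original post), here is a small Python script that does two things the post talks about: it audits an sshd_config for the settings mentioned (default port, root login, password logins) and it counts failed-password attempts per source address in auth log lines, which is how the brute-force scans from the SecurityFocus report show up on a box. Both config fragments and the log lines are constructed samples, not taken from any real host; the detection threshold is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd_config fragments (not from the post): a permissive one and a tightened one.
WEAK_SSHD_CONFIG = """
# stock-looking configuration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword (lowercased): value} for the global section of an sshd_config.

    sshd honours the first occurrence of a keyword, so duplicates are ignored here too.
    Parsing stops at the first Match block, whose settings are conditional.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.lower().startswith("match "):
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Port 22" or "Port=22"
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """List the weak settings the post warns about. Missing keywords are treated as permissive."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("permitrootlogin", "yes").lower() == "yes":
        findings.append("PermitRootLogin yes: root can be brute-forced directly; set it to no")
    if s.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication yes: guessable passwords are the target; prefer keys")
    if s.get("port", "22") == "22":
        findings.append("Port 22: the default port draws the mass scans; e.g. 2222 cuts the noise")
    return findings


# Constructed auth.log lines in the syslog/OpenSSH format; addresses are documentation ranges.
AUTH_LOG = """\
May 15 08:01:02 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
May 15 08:01:03 host sshd[2203]: Failed password for root from 203.0.113.7 port 51024 ssh2
May 15 08:01:04 host sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 51026 ssh2
May 15 08:01:05 host sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 51028 ssh2
May 15 08:01:06 host sshd[2209]: Failed password for root from 203.0.113.7 port 51030 ssh2
May 15 08:02:10 host sshd[2220]: Failed password for alice from 198.51.100.4 port 40211 ssh2
May 15 08:02:15 host sshd[2221]: Accepted publickey for alice from 198.51.100.4 port 40212 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def failed_logins_by_source(log_text):
    """Map source IP -> (failure count, sorted list of usernames tried)."""
    counts = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.group(1), m.group(2)
            counts[ip] += 1
            users[ip].add(user)
    return {ip: (counts[ip], sorted(users[ip])) for ip in counts}


def brute_force_sources(log_text, threshold=5):
    """Sources with at least `threshold` failures (assumed threshold), busiest first."""
    stats = failed_logins_by_source(log_text)
    ranked = sorted(stats.items(), key=lambda kv: -kv[1][0])
    return [ip for ip, (n, _) in ranked if n >= threshold]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or "no findings")
    for ip in brute_force_sources(AUTH_LOG):
        print("brute force source:", ip, failed_logins_by_source(AUTH_LOG)[ip])
```

The port change only reduces the volume of automated scans; the settings that actually close the door are PermitRootLogin no and switching password logins off in favour of keys, which is why the audit treats a missing keyword as the permissive value rather than assuming the daemon's default.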

Have a nice day! :)

AV Doesn’t Work?

Blogged by webmilhouse as Security — webmilhouse Thu 15 May 2008 8:08 am

That shouldn’t come as a shock to anyone, but for those who still doubt and put their faith in AV for protection, read this article:

http://www.darkreading.com/document.asp?doc_id=153760&WT.svl=news1_2

Botnet Map

Blogged by webmilhouse as Security — webmilhouse Fri 9 May 2008 9:23 am

Thought this was a pretty nice graphic from CSO Magazine (of all places) showing different botnets and how they map to the IPs and domains that serve as command and control:

http://www.csoonline.com/article/348317/What_a_Botnet_Looks_Like 

Symantec Internet Security Threat Report

Blogged by webmilhouse as Security — webmilhouse Fri 11 Apr 2008 8:03 pm

Symantec came out with their Internet Security Threat Report a couple of days ago:

http://www.symantec.com/business/theme.jsp?themeid=threatreport

The report of course suggests that Internet Security is getting worse and the bad guys are getting better, same story as always. One of the highlights though is they do acknowledge the targeted attack dangers, which is a big step forward for an anti-virus vendor:

Attackers have adopted stealth tactics that prey on end users on individual computers via the World Wide Web, rather than attempting high-volume broadcast attacks to penetrate networks. This may be because enterprise network attacks are now more likely to be discovered and shut down, whereas specifically targeted malicious activity on end-user computers and/or web-sites is less likely to be detected.

A good read for those who are interested in the new threat landscape.

Computer Incident Detection, Response, and Forensics

Blogged by webmilhouse as Security — webmilhouse Thu 3 Apr 2008 8:31 pm

There is a great article at CSO Magazine that goes over information all IT people should learn about, even if security isn’t their primary responsibility.

This article reinforces what I have been saying for a while — one of the greatest threats to businesses around the globe is the current state of computer security and the lack of well-crafted security programs to protect data and financials. In my opinion, companies and governments need to stop modeling their security programs on a prevention model and shift toward a detection / response model.

The High Cost of Securing IT

Blogged by webmilhouse as Security — webmilhouse Fri 21 Mar 2008 8:15 am

Found a pretty good blog post from the CTO of Big Fix that talks about why he believes securing an IT infrastructure is expensive for a variety of reasons:

http://techbuddha.wordpress.com/2008/01/23/the-high-cost-of-securing-it/ 

He also talks about strategies for approaching a CFO to justify security spending, which is interesting.

Maxtor Drives Shipped With Malware

Blogged by webmilhouse as Security — webmilhouse Tue 13 Nov 2007 1:58 pm

Interesting article on how some Maxtor external USB drives were shipped with malware that executed when plugged into Windows machines. The malware then exfiltrated the data stored on the drive to foreign websites. Fascinating article:
http://www.taipeitimes.com/News/taiwan/archives/2007/11/11/2003387202

VMware Fusion keyboard problems and Checkpoint VPN

Blogged by webmilhouse as Mac — webmilhouse Tue 9 Oct 2007 7:23 pm

Apparently, VMware Fusion 1.0 (51348) has problems accepting keyboard input when Checkpoint SecureRemote VPN client is running on Mac OS X 10.4.10. Turning off the SecureRemote client allows

I find this only affects my machine after I have connected to the VPN and then tried to launch Fusion.
What is interesting is that, according to this post, the way to discover that it is the SecureRemote client is to issue the following on the command line of the Mac:

ioreg -l -w 0 | grep SecureInput

"IOConsoleUsers" = ({"kCGSSessionGroupIDKey"=20,"kCGSSessionOnConsoleKey"=Yes,"kCGSSessionIDKey"=256, ... "kCGSSessionUserIDKey"=501, "kCGSSessionSecureInputPID"=311}) "IOConsoleUsersSeed" = <14000000>

Then take the value of kCGSSessionSecureInputPID and search for it in the process list:

ps auxww | grep 311

In my case, that was the PID for the SecureRemote client. Very cool.
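
The ioreg-then-ps lookup above, as an added Python example (not from the original post): it pulls every kCGSSessionSecureInputPID value out of ioreg output and resolves each PID to a command name, so you do not have to read the number off by hand. The embedded ioreg line is a constructed sample modelled on the output quoted above; the process lookup reads /proc on Linux and falls back to ps elsewhere, and the ioreg invocation itself only works on a Mac.

```python
import os
import re
import subprocess

# Constructed sample of the IOConsoleUsers line (shape taken from the post, not captured from a machine).
SAMPLE_IOREG = (
    '"IOConsoleUsers" = ({"kCGSSessionGroupIDKey"=20,"kCGSSessionOnConsoleKey"=Yes,'
    '"kCGSSessionIDKey"=256,"kCGSSessionUserIDKey"=501,"kCGSSessionSecureInputPID"=311}) '
    '"IOConsoleUsersSeed" = <14000000>'
)

PID_RE = re.compile(r'"kCGSSessionSecureInputPID"\s*=\s*(\d+)')


def extract_secure_input_pids(ioreg_text):
    """PIDs currently holding secure keyboard input, in order of appearance.

    IOConsoleUsers is an array, so more than one console session (and PID) can appear.
    """
    return [int(pid) for pid in PID_RE.findall(ioreg_text)]


def process_name(pid):
    """Best-effort command name for a PID: /proc on Linux, `ps -p PID -o comm=` elsewhere."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        pass
    try:
        out = subprocess.run(["ps", "-p", str(pid), "-o", "comm="],
                             capture_output=True, text=True, check=False)
        return out.stdout.strip() or None
    except FileNotFoundError:
        return None


def read_ioreg():
    """Run the command from the post (macOS only); raises FileNotFoundError elsewhere."""
    out = subprocess.run(["ioreg", "-l", "-w", "0"], capture_output=True, text=True, check=False)
    return out.stdout


def secure_input_holders(ioreg_text):
    """Map each secure-input PID to its command name (None if it no longer exists)."""
    return {pid: process_name(pid) for pid in extract_secure_input_pids(ioreg_text)}


if __name__ == "__main__":
    try:
        text = read_ioreg()
    except FileNotFoundError:
        print("ioreg not available here; using the constructed sample")
        text = SAMPLE_IOREG
    holders = secure_input_holders(text)
    if not holders:
        print("no process holds secure input")
    for pid, name in holders.items():
        print(f"secure input held by PID {pid}: {name}")
    print("this script's own name, for comparison:", process_name(os.getpid()))
```

Secure input is what password fields and VPN clients request so other software cannot read keystrokes; a process that keeps it after its dialog is gone is exactly the situation the post describes, and this script tells you which one it is.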

SQL Injection Cheat Sheet and Intro

Blogged by webmilhouse as Security — webmilhouse Mon 8 Oct 2007 6:57 am

Saw this post about a pretty comprehensive SQL Injection cheat sheet:

http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/ 

Thought it went into some great detail, so check it out.

Also, this article was pretty good as well as an introduction to SQL injection:
http://webappsec.org/projects/articles/091007.shtml 

Encrypted Disk for OS X

Blogged by webmilhouse as Mac — webmilhouse Fri 5 Oct 2007 7:08 am

Here is how you can set up an encrypted disk within OS X to store sensitive files:

  1. Open up the Disk Utility (don’t click on a volume)
  2. Select “New Image”
  3. Select name, location, size, and then select encryption > AES 128 bit
  4. Select “create”
  5. Type in the password, but make sure you do NOT select to store it in the keystore *
  6. That’s it. Just drag and drop all files to the volume, and unmount it when you are done.

* This defeats the purpose of having a separate encrypted volume because OS X will keep the key in escrow and allow the volume to be mounted by anyone with your credentials on your computer. This password should be different from your OS X password and the FileVault master password for maximum protection. Also, for extra protection, make sure the password is over 30 characters in length and is a mix of uppercase, lowercase, numbers, and special characters.
Parts taken from this article: http://www.macosxhints.com/article.php?story=20070711100831587

FFsniFF — Firefox sniffer extension

Blogged by webmilhouse as Security — webmilhouse Tue 25 Sep 2007 8:44 pm

So this is not new, but I thought it was a nice illustration of the difficulty in trusting software.

FFsniFF is a Firefox sniffer that takes all HTML form input and emails it out. It even hides from the extension manager. Source is posted.

http://azurit.elbiahosting.sk/ffsniff/

Windows Wants Your Credit Card

Blogged by webmilhouse as Security — webmilhouse Fri 7 Sep 2007 7:54 pm

Thought this was pretty funny: a trojan called Trojan.Kardphisher, after installation and restart, pops up a Windows activation form that asks for your credit card, CVV2 code, and ATM PIN:

Here is the Symantec information.

A Letter to Optimus Prime from GEICO

Blogged by webmilhouse as General — webmilhouse Thu 12 Jul 2007 7:26 am

I thought this letter to Optimus Prime from GEICO was one of the funniest things I have read in a long time. Enjoy.

http://mcsweeneys.net/2007/7/9weaver.html

Smooth Fonts in Feisty Fawn

Blogged by webmilhouse as Linux — webmilhouse Wed 2 May 2007 7:28 am

Just upgraded my T42 IBM to Feisty Fawn and everything except the font rendering looks great.
To enable smooth fonts, put the following in a file in your home directory named .fonts.conf:

<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
  <match target="font">
    <edit name="autohint" mode="assign">
      <bool>true</bool>
    </edit>
  </match>
</fontconfig>

Then, log out and log back in again and the fonts will be very smooth.

Also, I followed these instructions to get Beryl up and running, which works flawlessly.

Cisco NAC Hacked

Blogged by webmilhouse as Security — webmilhouse Fri 13 Apr 2007 7:36 pm

Great video and article about how some researchers hacked Cisco’s Network Access Control (NAC) solution:

http://www.net-security.org/article.php?id=1001 

Ubuntu Tango Icons for OpenOffice

Blogged by webmilhouse as Linux — webmilhouse Wed 21 Feb 2007 7:18 am

This guy posted a new icon theme set for OpenOffice based on the Tango/Human theme that is default in Ubuntu.

http://ubuntuforums.org/showthread.php?p=2168119 

All you do is move the zip file to /usr/lib/share/openoffice/share/config/ and restart OpenOffice. OO looks much better, although I have noticed a slight performance decrease in OO.

VMWare Player in Ubuntu using Windows Partition

Blogged by webmilhouse as Linux, Windows — webmilhouse Fri 9 Feb 2007 8:05 am

I have been waiting for this for a long time. People much smarter than me figured out how to run your Windows partition from Ubuntu using VMWare Player. I have seen a couple of ways to do this; here are some links:

http://www.advicesource.org/ubuntu/Run_Existing_Windows_Instalation_On_Ubuntu_With_Vmware_player.html

http://rougebob.com/Running-a-Windows-Partition-in-VMware.htm
