Of Bytes and Badges

I’m happy to say that I passed the SANS GIAC Security Essentials (GSEC) exam today with a score just shy of 94%. Not only was the training course I attended in Baltimore a big help, but a lot of what I’ve learned in my Security Informatics Masters program at Johns Hopkins came in handy as well.

Thinking about potentially going for a Gold certification, in the eventual pursuit of a GIAC Security Expert (GSE) certification. We’ll see!

- David Oxley

I love reading Byron Acohido’s excellent blog, “The Last Watchdog.” However, some of his recent titles are really getting to me:

“Unstoppable new phishing attacks blanket Facebook, Twitter, Hotmail”

…as in, spammers and phishers are targeting social media sites. Surprise, surprise.

“Windows 7’s security ‘time bomb’”

…that is, why it’s default UAC settings could be the target of a very complex, difficult attack.

And so on. I already had a bit of a rant against his previous article in USA Today, “Cyberthieves find workplace networks are easy pickings,” entitled “Are We Really So Vulnerable?”, here.

I understand the need for catchy titles to get readership. Heck, I try to do the same! However, there’s a fine line between educating the public and scaring them with fear, uncertainty, and doubt, especially when the situation is nowhere near as dire as it’s been advertised. There is no Windows 7 “time bomb” — there’s a questionable choice in default security stances. These phishing attacks are no more “unstoppable” than they’ve been when spammers have focused on them in the past.

I feel especially strong about this in regards to cyber security. Most people are either totally unaware of current happenings in cybercrime, or they have a very simplified understanding of the situation. Scaring them with such titles just drives them deeper into the clutches of security vendors who promise a panacea with signature-based scanning (heh). Sure, if they read it, they may see things differently. But titles have a big impact on those who know nothing more about the subject.

Do you think I’m being too harsh? Thoughts?

- David Oxley

As mentioned by Dr. Avi Rubin in his “Security and Privacy” course, originally by Dr. Eugene Spafford at Purdue:

“Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench.”

Don’t believe it? Look-up the latest consumer information breaches on news sites, then tell me the ratio of database compromises to successful attacks on communication encryption. You know, SQL injection vs. breaking AES, 3DES, etc.

Yeah, that’s what I thought.

- David Oxley

(In Russia, luxury cars and cybercrime seem to go hand-in-hand)

Did RIPE NCC and Russian police aid the Russian Business Network? In short, yes and no.

But first, the back story. If you weren’t already aware, the Russian Business Network was (and is – more on that later) a massive criminal enterprise operating out of St. Petersburg, Russia. They have been implicated in activities ranging from malware distribution to money laundering all the way to child pornography. In the past, they’ve been associated with installs of the infamous MPack exploit kit, C&C operations of the Storm Worm botnet, and, more recently, the ubiquitous ZeuS crimeware package. These are the kind of folks that give “organized cyber crime” its name.

As you can probably guess, there have been some substantial efforts undertaken to have these guys brought-down. The Russian Business Network (Exploit) Blog has kept-up the pressure on the RBN throughout its lengthy history, as has Spamhaus, Brian Krebs with SecurityFix, and many other researchers and vendors. Likewise, law enforcement officials in both the US and Russia have been working to track-down the group’s members, known for driving around St. Petersburg in a bulletproof, black Audi R8.

Or have they?

Comments made by members of the FBI and SOCA (UK’s Serious Organised Crime Agency) at this week’s RSA Europe Conference (FBI Supervisory Special Agent Keith Mularski and Andy Auld of the SOCA, to be more exact) have had a mixed reception among news agencies and the blogosphere. Some have portrayed them as pointing fingers at Internet registrar RIPE NCC and the Russian police as being complicit to the crimes of the RBN. Others have put a more positive spin on things, detailing the plans made for greater cooperation between US and UK authorities.

So what’s the real situation?

Read more…

I know things have been sparse here, but as a WordPress user myself, I definitely wanted to spread the word about WordPress’s newest release, 2.8.5. From the site:

As you know over the past couple of months we have been working on the new features for WordPress 2.9. We have also been working on trying to make WordPress as secure as possible and during this process we have identified a number of security hardening changes that we thought were worth back-porting to the 2.8 branch so as to get these improvements out there and make all your sites as secure as possible.

Changes include fixing an in-the-wild DoS trackback vulnerability, removing areas of PHP code evaluation, file upload tweaks, and letting-go of deprecated tag importers. Nothing as monumental as the last security release (and resulting worm), but important nonetheless.

As mentioned at the WP site, definitely make-sure that your site has not been exploited previously before upgrading. Use the WordPress Exploit Scanner to ensure that any vestiges of badness have been cleaned-away.

- David Oxley