J Wolfgang Goerlich's thoughts on Information Security
DNS Cache Pollution

By wolfgang. 28 July 2008 15:57

Much news is being made of the DNS flaw identified by Dan Kaminsky. McAfee Avert Labs Blog has the most succinct description of the problem.

The vulnerability comes from how a recursive DNS server matches answers to the questions it sent. Queries go out over UDP with no authentication; a reply is accepted if it arrives at the source port the query left from, carries the same 16-bit transaction ID, and answers the question that was asked. Many resolvers used a fixed source port, so an attacker who triggers a lookup only has to guess the transaction ID, and can flood the server with forged replies carrying every likely value before the real answer arrives. Kaminsky's contribution was to make the race repeatable: the attacker asks for a random name under the target domain (so there is no cached record to wait out) and uses the authority and glue records in the forged reply to redirect the whole domain. If a forged reply wins the race, www.mybank.com resolves to the attacker's IP address in the server's cache, and the server hands that forged answer to every client that asks for www.mybank.com until the record expires. The coordinated patch released in July 2008 randomizes the source port, which adds roughly 16 more bits the attacker has to guess for every forged packet.
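The race described above, as an added example that is not part of the original post or of Kaminsky's or McAfee's material: it builds real DNS wire-format messages, runs a toy resolver that applies the three checks a UDP reply must pass (destination port, transaction ID, question name), and shows why randomizing the source port was the fix. The fixed port 53, the names and the 192.0.2.x / 198.51.100.x addresses are constructed for the example; the Kaminsky authority/glue twist is not modelled, only the basic race.

```python
"""Toy model of the 2008 resolver race (added example, not from the post).
Names, addresses and the fixed source port are constructed for illustration."""
import random
import struct

QTYPE_A, QCLASS_IN = 1, 1
FIXED_PORT = 53  # assumption: the unpatched resolver sends every query from port 53


def encode_name(name):
    """Encode "www.mybank.com" as DNS labels: 3www6mybank3com0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, off):
    """Read labels at `off` (no compression pointers); return (name, new offset)."""
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(data[off:off + n].decode("ascii"))
        off += n


def build_query(txid, name):
    # header: id, flags (RD set), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(txid, name, ip, ttl=3600):
    """One A record for `name`; flags 0x8180 = response, RD, RA."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return header + question + answer


def parse_response(data):
    """Return (txid, question name, [(name, ip, ttl), ...]) from a response."""
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", data, 0)
    qname, off = decode_name(data, 12)
    off += 4  # skip qtype and qclass
    answers = []
    for _ in range(ancount):
        aname, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((aname, ".".join(str(b) for b in rdata), ttl))
    return txid, qname, answers


class ToyResolver:
    """Accepts the first reply whose (port, txid, question) match an outstanding query."""

    def __init__(self, rng, randomize_port):
        self.rng, self.randomize_port = rng, randomize_port
        self.pending = {}  # (source port, txid) -> name queried
        self.cache = {}

    def send_query(self, name):
        txid = self.rng.getrandbits(16)
        port = self.rng.randrange(1024, 65536) if self.randomize_port else FIXED_PORT
        self.pending[(port, txid)] = name
        return port, txid, build_query(txid, name)

    def receive(self, dst_port, data):
        txid, qname, answers = parse_response(data)
        if self.pending.get((dst_port, txid)) != qname:
            return False  # wrong port, wrong txid or unsolicited: dropped
        del self.pending[(dst_port, txid)]  # first matching reply wins; later ones are ignored
        for aname, ip, _ttl in answers:
            if aname == qname:  # toy bailiwick rule: only cache the name we asked for
                self.cache[aname] = ip
        return True


def guess_space(randomize_port):
    """Values the attacker must cover per query: 2^16 txids, times ~2^16 ports when randomized."""
    return 65536 * (65536 - 1024 if randomize_port else 1)


def run_race(randomize_port, seed=2008):
    """Attacker sprays all 65536 txids at port 53 before the real answer arrives."""
    resolver = ToyResolver(random.Random(seed), randomize_port)
    port, txid, _query = resolver.send_query("www.mybank.com")
    for guess in range(65536):
        if resolver.receive(FIXED_PORT, build_response(guess, "www.mybank.com", "192.0.2.66")):
            break
    # the real answer arrives afterwards; it is ignored if a forgery already won
    resolver.receive(port, build_response(txid, "www.mybank.com", "198.51.100.10"))
    return resolver.cache["www.mybank.com"]


if __name__ == "__main__":
    print("fixed port  :", run_race(False))  # attacker's 192.0.2.66
    print("random port :", run_race(True))   # real 198.51.100.10
```

With the fixed port the exhaustive sweep always lands on the transaction ID, so the resolver caches the attacker's address and then discards the genuine reply as unsolicited. With the port randomized the same 65536 packets never match and the real answer is cached; the attacker would need roughly 2^32 guesses per query instead of 2^16, which is what the July 2008 patch buys.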

This is a serious concern because a properly duplicated website looks exactly the same to the end user: the address bar shows the real name, and only a certificate warning on an HTTPS site would stand between the user and the attacker's server. What happens next is largely up to what the attacker intends to do. The most common follow-up would be a phishing attack, wherein the website simply gathers people's banking credentials. Bruce Schneier wrote a recent Wired article on this flaw. Schneier makes an excellent point. "Stop assuming that systems are secure unless demonstrated insecure; start assuming that systems are insecure unless designed securely."

Related Links:

“The-Cat-is-Out-of-The-Bag” DNS Bug
http://www.avertlabs.com/research/blog/index.php/2008/07/23/the-cat-is-out-of-the-bag-dns-bug/

Dan Kaminsky: DNS Checker
http://www.doxpara.com/?page_id=1159

Lesson From the DNS Bug: Patching Isn't Enough by Bruce Schneier
http://www.wired.com/politics/security/commentary/securitymatters/2008/07/securitymatters_0723

Tags:

Security

Risk Management

By wolfgang. 22 July 2008 20:01

Executives run businesses on risk versus reward, right? To get action, we need to convey the dollars at stake and the likelihood of a loss. You'll often see this expressed as Single Loss Expectancy (SLE) and Annualized Rate of Occurrence (ARO); multiplied together they give the Annualized Loss Expectancy (ALE) that goes in front of management.

The difficulty I run into is that there is not much hard data on the likelihood of an attack and the typical cost. We can guess, but then the figure ends up being skewed and the rationale does not stand up to scrutiny by senior management. I am hopeful that the recent disclosure laws change this by providing solid statistical information.

Tags:

Risk Management

Would you hire an ethical hacker?

By wolfgang. 21 July 2008 10:34

Hackers are not some ominous bad guys. For many years I have been explaining this to family and friends, my staff, my colleagues and auditors. I use words like "criminal" or "attacker" in my memos and emails instead. Hackers have long been given a bad rap.

That rap is implicit in the question: would you hire an ethical hacker? Bank robbery and espionage may be crimes, but hacking? Linking the word ethical to hacking gives us an opportunity to highlight the difference between a talented, unconventional IT wiz and someone practicing digital breaking-and-entering.

Tags:

Security

Information overload - how a day turns into a week

By wolfgang. 13 July 2008 06:15

So how real is information overload? Sure we all hear about it. But can information overload be measured?

Over the past couple months, I did a couple of tests to measure information overload in my field.

The first test was to determine how long it would take me to read an average day's news. I took a vacation in June and left my RSS feeds on autopilot. After 20 days, I had 11,907 articles waiting for me. Fair enough. That works out to 595 articles per day. I wrote a quick script to scrape each article and get a word count. The average article ran 724 words.

595 articles per day = 11,907 articles divided by 20 days
430,780 words per day = 595 articles multiplied by an average 724 words
2,153.9 minutes = 430,780 words divided by my reading speed of about 200 words per minute
35.9 hours = 2,153.9 minutes divided by 60 minutes per hour
4.5 days = 35.9 hours divided by 8 hours per day

Result: In theory, it takes about four and a half working days to read one day's news.

The second test was to actually read one day's news. I picked the day I returned. I dumped out all of that day's articles and read each one, checking into the details where appropriate. For a couple of articles that were hands-on, I duplicated the work on my computer or in my lab. I set the goal of not just reading but actually understanding and learning from each article.

Result: In practice, it took six days to read one day's news.

Information overload in IT and InfoSec is very real. That is the bottom line. There is more coming at us than we can possibly catch up with. In my case, each and every day, I fall a week behind.

Tags:

General
