Thursday, January 8, 2009

RMS Titanic was compliant!

This was posted to an interesting blog that I follow and thought that it may interest you all.

http://www.guerilla-ciso.com/archives/651

From the post:

the problem here was that the Titanic indeed did meet all of the safety requirements of the time. And that a big part of the problem was that the safety requirements were drafted in 1894 at a time when there were rapid changes in the size and design of ships of this kind. Those regulations indicated that all passenger ships over 10,000 tons required 16 life boats, and that’s how many the Titanic had.


The Titanic incorporated many innovative design features but only included the minimum number of lifeboats to satisfy compliance.

Also from this post:

So, the bottom-line was that when the Titanic was reviewed by the safety accountants, they took out their check-list and went over the ship with a fine tooth comb. When the day was done the ship fully met all the safety criteria and was certified as safe.


As technology leaders in our industry, we need to be aware of the consequences of doing only the minimum needed to satisfy our compliance concerns, since we, too, are one iceberg away from a very bad day.

Just some food for thought, ...

Wednesday, December 17, 2008

Cisco releases 2008 Annual Security Report

Cisco has released their 2008 Annual Security Report.

The report can be found here.

Registration is required for download but email address is not verified. =)

Highlighting Global Security Threats and Trends

The Cisco Annual Security Report provides a comprehensive overview of the combined security intelligence of the entire Cisco organization.

Encompassing threat and trends information collected between January and October 2008, this document provides a snapshot of the state of security for that period. The report also provides recommendations from Cisco security experts and predictions of how identified trends will continue to unfold in 2009.


Key Findings

This year's report reveals that online and data security threats continue to increase in number and sophistication. They propagate faster and are more difficult to detect.

Key report findings include:

* Spam accounts for nearly 200 billion messages each day, which is approximately 90 percent of email sent worldwide

* The overall number of disclosed vulnerabilities grew by 11.5 percent over 2007

* Vulnerabilities in virtualization products tripled to 103 in 2008 from 35 in 2007, as more organizations embraced virtualization technologies to increase cost-efficiency and productivity

* Over the course of 2008, Cisco saw a 90 percent growth rate in threats originating from legitimate domains; nearly double what the company saw in 2007

* Spam due to email reputation hijacking from the top three webmail providers accounted for just under 1 percent of all spam worldwide, but constituted 7.6 percent of all these providers' mail


Fortunately, responses to these threats and trends are improving. Advances in attack response stem from the increased collaboration between vendors and security researchers to review, identify, and combat vulnerabilities.

Wednesday, December 10, 2008

SANS ISC is reporting 0-day exploit for Internet Explorer in the wild

Just a heads up that SANS Internet Storm Center is reporting a 0-day exploit for Internet Explorer in the wild.

In these situations it is always wise to exercise caution when using IE until more details emerge.

My apologies if you have seen this already …

Thanks,
Joe

<<<>>>

0-day exploit for Internet Explorer in the wild
Published: 2008-12-10,
Last Updated: 2008-12-10 09:38:03 UTC
by Bojan Zdrnja (Version: 1)

As reported by some other researchers, there is a 0-day exploit for Internet Explorer circulating in the wild. At this point in time it does not appear to be wildly used, but as the code is publicly available we can expect that this will happen very soon.

This is a brand new exploit that is *not* patched with MS08-073 that was released yesterday. I can confirm that the exploit works on a fully patched Windows XP machine.

The exploit is a typical heap overflow that appears to be exploiting something in the XML parser. After setting up the heap (spraying it – allocating 159 arrays containing the shell code) the exploit checks if a couple of things are satisfied before continuing:

* The user has to be running Internet Explorer
* The version of Internet Explorer has to be 7
* The operating system has to be Windows XP or Windows 2003



If these things are satisfied, the exploit creates an XML tag as shown above. What is also interesting, and can be seen in the code above, is that it waits 6 seconds before executing the code – this was probably added to thwart automatic crawlers by anti-virus vendors.

We have not confirmed yet if other versions are affected (Internet Explorer 6 or Internet Explorer 7 on Microsoft Windows Vista).

How to mitigate? This is a difficult question as we have not analyzed this completely yet. If you use an alternative browser you are not affected. When we get more information we will update the diary.

--
Bojan
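The diary above gives an analyst three things to look for in a captured page script: a spray loop that fills many arrays with the same string, a fingerprint check for Internet Explorer 7 on Windows XP or 2003, and a multi-second delay before the trigger runs. What follows is an added example, not code from the ISC diary or from the exploit it analyses: a small Node.js triage script that scores a script body on those indicators. The thresholds, the indicator names and the two sample scripts are constructed for illustration; the spray sample uses placeholder bytes, not shellcode.

```javascript
// Heuristic triage of captured JavaScript for the drive-by pattern the ISC
// diary describes: a heap spray (many arrays filled with the same string), a
// client fingerprint check (IE 7 on Windows XP / 2003) and a delay before the
// trigger. Added example, not code from the diary or from the exploit it
// analyses. Thresholds and both sample scripts are constructed assumptions.

const SPRAY_ARRAYS_MIN = 50;   // assumption; the diary's sample allocated 159 arrays
const DELAY_MS_MIN = 5000;     // assumption; the diary's sample waited 6 seconds
const SUSPICIOUS_SCORE = 3;    // assumption; indicators needed to raise an alert

// Pull the individual indicators out of a script body with simple regexes.
// This is deliberately naive: obfuscated samples need de-obfuscation first.
function extractFeatures(src) {
  // Largest numeric bound of any "for (...; i < N; ...)" loop in the script.
  let maxLoopBound = 0;
  for (const m of src.matchAll(/for\s*\([^;]*;\s*\w+\s*<=?\s*(\d+)/g)) {
    maxLoopBound = Math.max(maxLoopBound, parseInt(m[1], 10));
  }

  // Largest setTimeout delay; only handles a simple first argument (a name or
  // a string), which is what the constructed samples use.
  let maxTimeoutMs = 0;
  for (const m of src.matchAll(/setTimeout\s*\([^,]*,\s*(\d+)\s*\)/g)) {
    maxTimeoutMs = Math.max(maxTimeoutMs, parseInt(m[1], 10));
  }

  const usesNavigator = /navigator\.(userAgent|appName|appVersion)/.test(src);
  return {
    maxLoopBound,
    maxTimeoutMs,
    // unescape("%uXXXX...") is the usual way the spray string is built
    unicodePayload: /unescape\s*\(\s*["']%u[0-9a-fA-F]{4}/.test(src),
    ie7Check: usesNavigator && /MSIE\s*7/.test(src),
    // Windows NT 5.1 is XP, 5.2 is Server 2003
    xpOr2003Check: usesNavigator && /Windows NT 5\.[12]/.test(src),
  };
}

// Turn the features into a list of triggered indicators and a verdict.
function classify(src) {
  const f = extractFeatures(src);
  const indicators = [];
  if (f.maxLoopBound >= SPRAY_ARRAYS_MIN) indicators.push(`loop fills ${f.maxLoopBound} slots (heap spray?)`);
  if (f.unicodePayload) indicators.push('unescape("%u...") payload string');
  if (f.ie7Check) indicators.push('checks for Internet Explorer 7');
  if (f.xpOr2003Check) indicators.push('checks for Windows XP / 2003');
  if (f.maxTimeoutMs >= DELAY_MS_MIN) indicators.push(`waits ${f.maxTimeoutMs} ms before running code`);
  return {
    score: indicators.length,
    verdict: indicators.length >= SUSPICIOUS_SCORE ? 'suspicious' : 'benign',
    indicators,
  };
}

// Constructed sample mirroring the structure the diary describes. The filler
// and payload bytes are placeholders (0x41, 0x42), not shellcode.
const SPRAY_SAMPLE = `
var heap = new Array();
var payload = unescape("%u4242%u4242%u4242%u4242");
var block = unescape("%u4141%u4141");
while (block.length < 0x40000) block += block;
for (var i = 0; i < 159; i++) heap[i] = block.substring(0, block.length - payload.length) + payload;
var ua = navigator.userAgent;
if (navigator.appName == "Microsoft Internet Explorer" && ua.indexOf("MSIE 7") != -1 &&
    (ua.indexOf("Windows NT 5.1") != -1 || ua.indexOf("Windows NT 5.2") != -1)) {
  setTimeout(trigger, 6000);
}`;

// Constructed benign script: a small loop, an IE 7 CSS hook and a short timer.
const BENIGN_SAMPLE = `
var slides = [];
for (var i = 0; i < 8; i++) slides[i] = "slide" + i + ".jpg";
if (navigator.userAgent.indexOf("MSIE 7") != -1) document.body.className += " ie7";
setTimeout(rotate, 500);`;

for (const [name, src] of [['spray', SPRAY_SAMPLE], ['benign', BENIGN_SAMPLE]]) {
  const r = classify(src);
  console.log(`${name}: ${r.verdict} (${r.score}) ${r.indicators.join('; ')}`);
}
```

Run it with node. A single indicator (an IE 7 check alone, as in the benign sample) is common in ordinary pages, which is why the verdict needs several to line up; treat a hit as a queue for manual review rather than a final answer, and expect split strings or eval of decoded source to hide all of this from the regexes until the sample is de-obfuscated.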

Monday, December 8, 2008

CSIS Commission on Cyber Security for 44th Presidency has published its final report

The CSIS Commission on Cyber Security for 44th Presidency has published its final report:

The final document titled Securing Cyberspace for the 44th Presidency is available here.

If you get a moment, this may be worth a look, since speculation in the security community is that this report is likely to significantly influence US government actions -- organizational changes, regulations, laws, purchasing, R&D funding, etc.

My apologies if you have already seen this, ..

Monday, September 8, 2008

Over HALF A BILLION records of personal information have been exposed/mishandled in the past eight years

From the Holy $#@! department, this just in from a ComputerWorld article authored by Jay Kline.

From the article:

By my count, over half a billion records of personal information have been exposed or mishandled in the past eight years. And these are only from breaches where a record count has been publicly revealed.

That's more than the population of the European Union, and more than the number of people living in the U.S., Canada, Mexico and all of Central America and the Caribbean combined.


need I say more, ...

WASC Web Application Security Statistics 2007

For those hungry for more web application security vulnerability data, WASC has released its Web Application Security Statistics report for 2007.

The direct link to the report is here.

Thanks,
Joe

<<<>>>

Web Fraud 2.0

A couple weeks back Brian Krebs at the Washington Post ran a series on Web 2.0 fraud (here). My apologies if you have seen this already but if not, I recommend that you take a few minutes to check out some of these posts.

Think of this as SaaS for the bad guys, and if you have not yet been exposed to the existence of these services then I am pretty sure you will find this series *very* illuminating.

Web Fraud 2.0: Cloaking Connections
These days, nearly every aspect of the underground online economy that supports commercial crime operations has been automated. Online forums and criminal social networking sites have long offered aspiring newbies tips on getting started. But a slew of extremely popular...

Web Fraud 2.0: Validating Your Stolen Goods
If there is any truth to the old saying that there is no honor among thieves then it is doubly true for thieves who transact with one another yet never actually meet face-to-face. Perhaps that explains the popularity of certain...

Web Fraud 2.0: Digital Forgeries
For businesses, positively identifying someone online - by name, or physical location - is extremely difficult. Many Internet firms seek to verify the identity of customers by requesting scanned copies of their driver's licenses, passports, or utility bills. But what...

Web Fraud 2.0: Distributing Your Malware
The allure of cyber crime lies in its promise of quick riches, much like that of the illegal drug trade. But building a network of hacked personal computers that can distribute your data-stealing malicious software is a time-consuming process that...

Web Fraud 2.0: Thwarting Anti-Spam Defenses
Spammers have made great strides this past year in defeating CAPTCHAs, the distorted text used as a security test to ensure a person and not a machine is behind a computer screen. But automated programs that spammers use to thwart...

Thanks,
Joe

<<<>>>