Recently by Bill Brenner
Tuesday, July 31:
KEYNOTE SPEAKER: GENERAL KEITH B. ALEXANDER
Wednesday, Aug. 1:
BIG DATA FOR WEB APP SECURITY: Mike Arpaia & Kyle Barry
ABOVE MY PAY GRADE: CYBER RESPONSE AT THE NATIONAL LEVEL: Jason Healey
POST EXPLOITATION OPERATIONS WITH CLOUD SYNCHRONIZATION: Jake Williams
Tom Kopchak (CG2): Attacking and Defending Full Disk Encryption
Ed Bellis, Michael Roytman: Vulnerability & Exploit Trends: A Deep Look Inside The Data
Michael "DrBearSec" Smith: Calling All Researchers: A Discussion on Building a Security Research Framework
Alex Hutton (CG2): Alex Dreams of Risk: How the Concept of Being a Craftsman can Help you Find Meaning and Avoid Burnout
Thursday, Aug. 1:
Nicholas J. Percoco and Joshua Corman: The Cavalry Isn't Coming
Javvad Malik: How embracing social media helped me stop the hackers, save the world and get the girl!
Alex Pinto (Joel Wilbanks): Using Machine Learning to Support Information Security
Davi Ottenheimer, Raymond Umerley, Jack Daniel, Steve Werby, David Mortman & George V. Hulme: Breach Panel
Steve Werby: Crunching the Top 10,000 Websites' Password Policies and Controls
BSides Las Vegas 2013 will be held July 31 and Aug. 1 at Tuscany Suites & Casino on Flamingo Ave.
Microsoft has released seven security bulletins addressing 34 CVEs. Since so many Akamai customers run Windows environments, we find it important to let you know whenever these are rolled out.
Jonathan Ness, an engineer for Microsoft's Security Response Center, says six bulletins have a maximum severity rating of critical, and one has a maximum severity rating of Important. Below is a table to help you prioritize patch deployments in your environment.
| Bulletin | Most likely attack vector | Max bulletin severity | Max exploitability rating | Likely first 30 days impact | Platform mitigations and key notes |
|---|---|---|---|---|---|
| | Victim browses to a malicious webpage. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | 17 CVEs being addressed. |
| (win32k.sys and TTF font parsing) | Most likely to be exploited attack vector requires attacker to already be running code on a machine and then uses this vulnerability to elevate from low-privileged account to SYSTEM. Additional attack vector involves victim browsing to a malicious webpage that serves up a TTF font file, resulting in code execution as SYSTEM. | Critical | 1 | Public proof-of-concept exploit code currently exists for CVE-2013-3660. | Public EPATHOBJ issue (CVE-2013-3660) addressed by this update. Kernel-mode portion of TTF font parsing issue (CVE-2013-3129) addressed by this update. |
| (.NET Framework and Silverlight) | Victim browses to a malicious Silverlight application hosted on a website. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | .NET Framework and Silverlight exposure to TTF font parsing issue (CVE-2013-3129) addressed by this update. |
| | Victim opens a malicious TTF file using an application that leverages GDI+ for font parsing. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | User-mode (gdiplus.dll) exposure to TTF font parsing issue (CVE-2013-3129) addressed by this update. |
| | Victim opens a malicious .GIF file using a third-party application that leverages the DirectShow library. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | No Microsoft end-user applications are known to be vulnerable to the single CVE being addressed by this update. |
| | Victim browses to a malicious webpage or opens a malicious Windows Media file. | Critical | 2 | Difficult to build a reliable exploit for this issue. Less likely to see an exploit developed within next 30 days. | One CVE being addressed. |
| | Attacker having write access to the root of the system drive (C:\) places a malicious file that is run as LocalSystem by Windows Defender during its signature update process. | Important | 1 | Likely to see reliable exploits developed within next 30 days. Unlikely to see widespread infection, as low-privileged users do not have permission to write to the root of the system drive by default. | To exploit the vulnerability addressed by this update, the attacker must have permission to create a new file at the root of the system drive (C:\malicious.exe). |
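The last bulletin's platform mitigation rests on the default ACL of the system drive root. As an added defender-side check (not part of the original post or Microsoft's bulletin), this PowerShell audits that ACL for non-administrative principals that can create files there; the `$trusted` list of expected principals is an assumption to adjust to your own baseline.

```powershell
# Added example, not from the original post: audit whether any non-administrative
# principal can create files at the root of the system drive, the precondition
# the Windows Defender bulletin says is absent for low-privileged users by default.
# Assumes Windows PowerShell 3.0 or later.
$root = "$env:SystemDrive\"
$acl  = Get-Acl -Path $root

# Creating a file in a directory requires the CreateFiles (WriteData) right on it.
$createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# Principals expected to hold write access on the system drive root (assumption; adjust).
$trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

$findings = foreach ($ace in $acl.Access) {
    # Only Allow entries grant anything.
    if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
    # InheritOnly entries apply to children only, not to the root directory itself
    # (this is how the default "Authenticated Users: Modify" entry is scoped to subfolders and files).
    if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
    # Does this entry include the right to create files in the root itself?
    # Note: unresolved generic-rights values are not decoded by this mask test.
    if (([int]$ace.FileSystemRights -band $createFiles) -eq 0) { continue }
    if ($trusted -contains $ace.IdentityReference.Value) { continue }

    [pscustomobject]@{
        Identity  = $ace.IdentityReference.Value
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
    }
}

if ($findings) {
    Write-Warning "Principals able to create files in $root (review these):"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No non-administrative principal can create files in $root (expected default)."
}
```

Run it as part of a baseline check on patched and unpatched hosts alike; any hit means the "low-privileged users cannot write there" mitigation does not hold on that machine.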
Experts say distributed-denial-of-service attacks against U.S. banks are not over, despite what's now been a two-month cease-fire by the hacktivist group Izz ad-Din al-Qassam Cyber Fighters. Security vendors tell me the group's botnet is growing. And when these attacks do resume, they won't be easy to fight. This next wave of DDoS attacks will be different from what we have seen in earlier waves of attacks, dating back to mid-September 2012, researchers believe. As a result, many of the mitigation strategies and defenses banks have in place could prove ineffective.
"There is no single cause," Kobrin said. "A half a dozen failures have to happen along the way." One such failure is a lack of routine patching. Another failure is that admin access is often easy to get.
What to do about all this? Kobrin offered this advice:
--Banks can build a more defensible online infrastructure, get a better handle on all the apps in their systems and build closer relationships with their hosting providers, since attacks usually come from trouble on the provider's side of the court.
--CMS users can be more diligent in adding patches as they're released, and remove unused plug-ins. The more customized your site is, the more plug-ins you probably have sitting there. Users can also add IDS and turn off unused sites.
--Hosting providers can set up safer defaults, offer automatic updates and offer a fully managed CMS.
Black Hat in particular is a noisy event. The vendors, in an effort to really fit in with the attitude of the conference, come up with all kinds of theatrics. One year, a guy was dressed up as a "Mad Russian" hacker mastermind. His attire was a cross between Captain Caveman, Charles Manson and Rasputin. I don't remember the vendor he worked for. I also remember that between sessions, it's hard to move around as people mingle in the middle of crowds rushing from one talk to the next.
The talks themselves are often surrounded by drama, though that part has calmed down in the last couple of years. Sometimes a vendor will try to stop a talk about exploits for a vulnerability in their products. Lawyers are brought in and a mess ensues. This happened in 2005, when Cisco moved to squash a talk by then-ISS researcher Michael Lynn on an exploitable issue with Cisco's IOS router operating system. The move proved to be a waste of time for Cisco, since the story got out anyway. But what was worse, in my opinion, was that a lot of good talks went unreported in the media because everyone was too busy chasing the hype over this one talk.
And so my advice here is to remember what you do in your day-to-day job, find the talks that most closely address the challenges you want to overcome and don't let drama and noise divert you from the plan.
Tip 2: Make time for B-Sides
At the same time Black Hat is going on, security practitioners will be giving talks at another event called Security B-Sides. This one is for those who maybe couldn't afford to attend Black Hat or DefCon or for those who wanted to speak at those events but were rejected for one reason or another.
It's a more low-key affair than the major conferences, and there are gems to be found on the agenda. The event has gotten considerably bigger in the last couple years but it's still something you'll want to make time for. The content is worth it.
Details for this year's event:
When: July 31-Aug. 1
Where: Tuscany Suites and Casino on Flamingo Ave.
It's more about the networking, anyway
To me, the most important part of the Las Vegas events is the networking. In some cases, you get to finally meet a bunch of people you only knew through Twitter up to that point. You'll also make many new contacts who will offer you a variety of helpful feedback in the years to come.
If there's an opportunity to have coffee with a fellow security practitioner at the same time a bunch of sessions are going on, go for the coffee. The talks may entertain, but it's the relationships you forge over coffee or a meal that will likely lead to useful collaborations and lines of support when you need it most.
Too much drink in public can hurt your career
This last piece of advice is along the same lines as the last one. If you're hitting the parties at night, where the booze is almost always free flowing and paid for by the vendors, remember that opportunities abound to make fresh business contacts. A game of poker and a few drinks can be the stuff future partnerships are made of. I don't drink anymore, or play poker, but I've made valuable contacts just by hanging out and being an observer.
This can cut both ways, of course.
If you enjoy too many free drinks and get plastered, you run the risk of making a big fool of yourself. I've seen some well-regarded security professionals do this many times, and when they do it's all people talk about for the next week.
I wouldn't want to be that person.
I hope you found this helpful. Safe travels and enjoy the week!