Posted on

Security Planning Guide for 2013

Our team (specifically Ramon Krikken | Phil Schacter | Eric Maiwald | Dan Blum | Mario de Boer | Anton Chuvakin)  has just released an annual security planning guide: “2013 Planning Guide: Security and Risk Management.” Every GTP customer should go and read it! It’s abstract states that “The Nexus of Forces brings great opportunities and risks. This Planning Guide provides information security and risk teams with invaluable insights for prioritizing security and risk projects in 2013.”

In the guide, our team tackles the following topics:

Here are a few fun quotes:

  • “Gartner has identified the effects of the Nexus of Forces — information, social, mobile and cloud — as the key macro trends driving IT and information security in 2013.” […] The impetus and nature of these trends are described in more detail in “2013 Professional Effectiveness Planning Guide: Coming to Terms with the Nexus of Forces.”
  • “Building controls that work with a variety of endpoints, cloud services, and hybrid IT means focusing on agile security programs and architecture, which includes monitoring as an important component.” […] “in an increasingly hybrid IT and mobile world, monitoring must see farther beyond the walls, farther above the infrastructure layers and deeper into the application context.”
  • “Other continuing security market drivers are the effects of general volatility on security, a more dangerous threat landscape, complex and evolving regulatory standards of protection, consumerization and mobility, and the ongoing transformative effects of cloud computing.”
  • “Security information and event management (SIEM) solutions are vital as the hub for security monitoring, but other tools such as DLP and database audit and protection (DAP) are needed. Enterprises must prioritize goals and operationalize monitoring to make it effective.”
  • “Implement alert triage and report review processes, and commit people to executing them. Bulk up the gaps with dedicated service providers or tool vendor professional services.”

Finally, I know that some of my esteemed blog readers are upset that I occasionally post links to materials requiring various forms of Gartner subscriptions. Well…mmm…get a subscription already!

Related posts:

Original news article at https://blogs.gartner.com/anton-chuvakin on November 03, 2012 at 12:08AM

Posted on

How a Google Headhunter’s E-Mail Unraveled a Massive Net Security Hole

Mathematician Zach Harris, 35, of Jupiter, Fl., poses for a portrait on Tuesday. Photo: Brynn Anderson/Wired

It was a strange e-mail, coming from a job recruiter at Google, asking Zachary Harris if he was interested in a position as a site-reliability engineer.

“You obviously have a passion for Linux and programming,” the e-mail from the Google recruiter read. “I wanted to see if you are open to confidentially exploring opportunities with Google?”

Harris was intrigued, but skeptical. The e-mail had come to him last December completely out of the blue, and as a mathematician, he didn’t seem the likeliest candidate for the job Google was pitching.

So he wondered if the e-mail might have been spoofed – something sent from a scammer to appear to come from the search giant. But when Harris examined the e-mail’s header information, it all seemed legitimate.

Then he noticed something strange. Google was using a weak cryptographic key to certify to recipients that its correspondence came from a legitimate Google corporate domain. Anyone who cracked the key could use it to impersonate an e-mail sender from Google, including Google founders Sergey Brin and Larry Page.

The problem lay with the DKIM key (DomainKeys Identified Mail) Google used for its google.com e-mails. DKIM involves a cryptographic key that domains use to sign e-mail originating from them – or passing through them – to validate to a recipient that the domain in the header information on an e-mail is correct and that the correspondence indeed came from the stated domain. When e-mail arrives at its destination, the receiving server can look up the public key through the sender’s DNS records and verify the validity of the signature.

For security reasons, the DKIM standard calls for using keys that are at least 1,024 bits in length. But Google was using a 512-bit key – which could be easily cracked with a little cloud-computing help.

Harris thought there was no way Google would be so careless, so he concluded it must be a sly recruiting test to see if job applicants would spot the vulnerability. Perhaps the recruiter was in on the game; or perhaps it was set up by Google’s tech team behind the scenes, with recruiters as unwitting accomplices.

Harris wasn’t interested in the job at Google, but he decided to crack the key and send an e-mail to Google founders Brin and Page, as each other, just to show them that he was onto their game.

“I love factoring numbers,” Harris says. “So I thought this was fun. I really wanted to solve their puzzle and prove I could do it.”

In the e-mail, he plugged his personal website:

Hey Larry,

Here’s an interesting idea still being developed in its infancy:

https://www.everythingwiki.net/index.php/What_Zach_wants_regarding_wiki_technology

or, if the above gives you trouble try this instead:

https://everythingwiki.sytes.net/index.php/What_Zach_wants_regarding_wiki_technology.

I think we should look into whether Google could get involved with this guy in some way. What do you think?

-Sergey

Harris made sure the return path for the e-mails went to his own e-mail account, so that Brin and Page could ask him how he’d cracked their puzzle. But Harris never got a response from the Google founders. Instead, two days later, he noticed that Google’s cryptographic key had suddenly changed to 2,048 bits. And he got a lot of sudden hits to his web site from Google IP addresses.

Oops, Harris thought, it was a real vulnerability he’d found.

Original news article at https://www.wired.com/threatlevel on October 24, 2012 at 04:00PM

Posted on

Telcos riddled with security holes: #HITB2012KUL Researcher

https://conference.hackinthebox.org/hitbsecconf2012kul/materials/D1T1%20-%20Philippe%20Langlois%20and%20Emmanuel%20Gadaix%20-%206000%20Ways%20and%20More.pdf

A security industry veteran has criticised telecommunications equipment vendors for supressing knowledge of vulnerabilities that could result in hundreds of millions of dollars worth of network outages.

In a presentation to Hack In The Box Malaysia (pdf), P1 Security director Philippe Langlois described how a single malformed network packet could disable a carrier’s GSM subscriber database.

Original news article at https://news.hitb.org/ on October 16, 2012 at 06:03AM