Dinis Cruz blog: Real-time Vulnerability Creation Feedback inside VisualStudio (with Greens and Reds)

I really like this idea, it keeps security concerns front of mind while developing.  Though in some ways I think it should be integrated as a test suite into a unit testing tool and have security flaws treated as any other bug.

Dinis Cruz blog: Real-time Vulnerability Creation Feedback inside VisualStudio (with Greens and Reds)

Tor and SIEM

I've been doing a piece of work with a client recently using a SIEM tool to monitor web and application logs for suspicious/fraudulent activity. One interesting strategy they are using is to look for Tor exit nodes in the web logs and flag activity in these sessions as suspicious. I think this is a sensible approach, these days there is a lot more to security decisions than the binary allow/deny of a traditional firewall. The fact that it is coming from a Tor exit node does not automatically make it malicious (there are plenty of legitimate uses for Tor) however it is one part of the toolkit that someone with nefarious intent may use to hide their true identity when attempting to breach your systems. This uncertainty means that the traffic from these addresses isn't an appropriate candidate for blacklisting but rather warrants further investigation. There is a wealth of data like this available, much of it freely available, that is useful to correlate with your own data in order to build a picture of the traffic which is reaching your network. For Example:

Tor Exit Nodes Matched against the source IP address
Google Safe Browsing API Matched against the referer in your web logs (anti-phishing)
SANS Top Sources Matched against the source IP address
Team Cymru Lots of interesting data
Project Honey Pot/ More interesting data
...

I suppose the drawback to this approach is that it is still a little reactive and requires human intervention to investigate which may or may not be a problem depending on volumes. One possible enhancement is to use this data as part of the decision making process (possibly with a low weighting) in a preventative mechanism that utilises a scoring mechanism to decide if traffic is malicious such as a WAF or IPS, though I'm sure this is already implemented to some extent.



Leaky LinkedIn

So since I heard about the leak of the LinkedIn passwords, I've been waiting to see what the first analysis of the dumped hashes would reveal. Theoretically LinkedIn is a bit of a different beast to other sites that have been breached, as the target users are working professionals, the type of people who have more than likely been educated again and again on passwords by their employers.

And here are some results from Qualys, where they pretty quickly obtained 2 million passwords with not a great deal of effort, including gems such as 'm0c.nideknil.' Overall something like 98% of the hashes have now been cracked.

As for LinkedIn, using unsalted hashes to store passwords? This is security 101 stuff and quite frankly, embarrassing for a company of their size and age. Of course the unsalted part may not be the worst, the big question still remains about how the passwords got stolen in the first place.

As Richard previously posted - change your password! And if you are interested in seeing if your password was included* in the released ones: http://www.leakedin.org/

(*not specifically YOUR password, but a hash of the same password as the one you were using.)

LinkedIn Password Breach

powered by Blogger | WordPress by Newwpthemes | Converted by BloggerTheme