From lyger at attrition.org Sat Jul 12 06:02:15 2008
From: lyger at attrition.org (lyger)
Date: Sat, 12 Jul 2008 06:02:15 +0000 (UTC)
Subject: [attrition] Attrition.org's new shirt on eBay
Message-ID:

http://attrition.org/news/content/08-07-12.001.html

It finally had to happen... we sold out. After all of these years, we finally gave in. It's a travesty:

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=250269744733

Well, not really. After the last run of Attrition.org t-shirts, we decided to have a little fun and put one up on eBay to see what might happen. The minimum bid is barely above what we spent for each shirt, and the shipping and time spent to send to a buyer (if there is one) will barely negate the overall cost. We don't care... it amuses us (do we amuse you? like a clown?).

[...]


From lyger at attrition.org Tue Jul 15 03:21:08 2008
From: lyger at attrition.org (lyger)
Date: Tue, 15 Jul 2008 03:21:08 +0000 (UTC)
Subject: [attrition] Open Security Foundation To Maintain Attrition.org's Data Loss Database - Open Source
Message-ID:

http://attrition.org/news/content/08-07-15.001.html

RICHMOND, VA, July 14, 2008 - The Open Security Foundation (OSF) is pleased to announce that the DataLossDB (also known as the Data Loss Database - Open Source (DLDOS), currently run by Attrition.org) will be formally maintained as an ongoing project under the OSF umbrella organization as of July 15, 2008.

Attrition.org's Data Loss project, which was originally conceptualized in 2001 and has been maintained since July 2005, introduced DLDOS to the public in September of 2006. The project's core mission is to track the loss or theft of personally identifying information not just from the United States, but across the world. As of June 4, 2008, DataLossDB contains information on over 1,000 breaches of personal identifying information covering over 330 million records. DataLossDB has become a recognized leader in the categorization of data loss incidents over the past several years.

In an effort to build off the current success and further enhance the project, the new relationship with OSF provides opportunities for growth, an improved data set, and expanded community involvement. "We've worked hard to research, gather, and make this data open to the public," says Kelly Todd, one of the project leaders for DataLossDB. "Hopefully, the migration to OSF will lead to more community participation, public awareness, and consumer advocacy by providing an open forum for submitting information."

The Open Security Foundation's DataLossDB will be free for download and use in non-profit work and research. The new website launch (http://www.datalossdb.org/) builds off of the current data set and provides an extensive list of new features. DataLossDB has attained rapid success due to a core group of volunteers who have populated and maintained the database. However, the new system will provide an open framework that allows the community to get involved and enhance the project. "For a data set as dynamic as this, it made sense to build it into a more user-driven format," states David Shettler, the lead developer for the Open Security Foundation. "With the release of this new site, the project can now be fed by anyone, from data loss victims to researchers."

[...]


From lyger at attrition.org Fri Jul 25 15:53:23 2008
From: lyger at attrition.org (lyger)
Date: Fri, 25 Jul 2008 15:53:23 +0000 (UTC)
Subject: [attrition] rant: Brief analysis of "Analyzing Websites for User-Visible Security Design Flaws"
Message-ID:

http://attrition.org/security/rant/prakash_et_al-01.html

Brief analysis of "Analyzing Websites for User-Visible Security Design Flaws"
Fri, 25 Jul 2008 15:05:25 +0000 (UTC)
Jericho (Security Curmudgeon)

After being provided a link to the original paper and reading additional comments, I wanted to follow up on my original post [1] with more thoughts. If you want the slightly more technical review, search down to "methodology review".

The paper in question is "Analyzing Websites for User-Visible Security Design Flaws" by Laura Falk, Atul Prakash and Kevin Borders [2]. I strongly encourage more security professionals to provide peer scrutiny to security research coming from universities.

As was pointed out, the research was done in 2006 (testing in Nov/Dec) but the results are just now being published. Three people working on a study of 214 web sites should not take that long to publish. To wait so long in publishing research on a topic like this, one must question if it is responsible, or more to the point, relevant. In the world of high-end custom banking applications, my experience consulting for such companies tells me that many will do periodic audits from third parties and that these sites get continuous improvements and changes every week. One of the web sites I use for personal banking has changed dramatically in the last 12 months, making huge changes to the functionality and presumably architecture, security and design. The results of a 2006 audit of that site are probably most irrelevant.

As with most research papers, the lack of a publish date in the header is annoying. The abstract does not mention the 2006 to 2008 time gap between research and publication either. This time difference is seen almost immediately in the citation of Schechter et al., regarding people "disregarding SSL indicators". The current releases of several browsers, most notably IE7 and Firefox 3, make pretty big shifts in how the browser handles and warns about SSL indicators. Each browser is considerably more paranoid and will throw a warning over more discrepancies that each would have ignored in previous versions.

[1] http://attrition.org/pipermail/dataloss/2008-July/002565.html
[2] http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf

[...]


From lyger at attrition.org Sat Jul 26 18:48:18 2008
From: lyger at attrition.org (lyger)
Date: Sat, 26 Jul 2008 18:48:18 +0000 (UTC)
Subject: [attrition] postal: putting the sensual back in non-consensual
Message-ID:

http://attrition.org/postal/p0017.html

so much for constructive criticism
intarweb boredomz
you don't tug on superman's cape
dict response
dorfman lives
level 6 tech support
it's a date
some in the trunk
worth the transport
please call at your convenience
satan claws?


From lyger at attrition.org Mon Jul 28 17:58:29 2008
From: lyger at attrition.org (lyger)
Date: Mon, 28 Jul 2008 17:58:29 +0000 (UTC)
Subject: [attrition] rant: A Decade of Oracle Security
Message-ID:

http://attrition.org/security/rant/oracle01/

Mon Jul 28 13:57:15 EDT 2008
Jericho (Security Curmudgeon)

Oracle Corporation, one of the largest software companies in the world, has been providing database software for 30 years. What began as a U.S. intelligence agency funded relational database designed on a PDP-11 and never officially released, later turned into perhaps the largest and most prevalent commercial database used around the world. With global companies relying on Oracle databases for information management, the need for database security is critical. Despite that need, Oracle products have been plagued with all manner of security vulnerabilities that demonstrate Oracle products were not designed with security in mind. As new versions and new products are released, each is found vulnerable to critical issues that allow for trivial denial of service and complete database compromise.

The last decade of Oracle product security has been dismal. In the midst of CEO Larry Ellison's promises that their database product was 'unbreakable' and CSO Mary Ann Davidson's repeated claims that security is a core facet of their software lifecycle, security researchers continue to find critical remote vulnerabilities in the bulk of their products.

The history provided here is to help make Oracle customers aware of just how little security really matters to Oracle Corporation. It is past time for their customers to take the advice of Davidson and demand better from vendors. It is time for Oracle customers to demand the appointment of a Chief Security Officer that will stop the outright lies and spin-doctoring and turn their attention to the security of future products. Read the executive biography of Mary Ann Davidson and determine if she is living up to her job duties.

"We are not just a really good commercial database but also a very secure commercial database."
-- Mary Ann Davidson, 30th Anniversary soundbyte quote - 2007.16.04

[...]