Barracuda Networks Details Security Breach

2 May 2011

Barracuda Networks’ website suffered a breach on April 8, 2011. It appears that all the crackers got were some people’s names and email addresses from a marketing database used to send event announcements and similar emails to opt-in customers.

On Tuesday, April 26, Oliver Wai, a Product Marketing Manager at Barracuda Networks, posted a blog entry detailing how the SQL injection attack was conducted.

We need to see more companies step up like this and provide useful technical (and anecdotal) information about breaches of their data. It helps us all to be reminded to watch out for such things, but also to see it in action. All too many who are not up to their eyeballs in that “security nonsense,” as I’ve heard some of them call it, don’t have the benefit of seeing what those of us in the know have seen, like this example, which Barracuda Networks has so graciously shared.

I’m sure there are a number of people who will now be more interested in examining their Barracuda Web Application Firewall product.



UTOSC 2009 Keysigning non-Party

10 Oct 2009

Oh, well. That was mostly a bust. There were only twelve people in the room at the peak of it and only 7-8 traded keys. With all the last minute work going on, the Utah Open Source Conference 2009 organizers didn’t have the chance to get the word out from my post on doing the keysigning party.

FYI … I took down the “keysigning” email address from my domain a couple of days ago (after I got an email from someone whom I was expecting to send me their key).

I’ve already asked the UTOSC folks to plan on me doing two (or more?) sessions for the keysigning party in 2010. For next year, I plan on doing a presentation session, where I will talk about the reasons why keysigning is so important, how the system as a whole (the web-of-trust, the keyrings, etc.) works and provide a brief introduction to the actual protocols and algorithms used. The idea is that someone can come away from that session able to do three things:

1. Make a well informed decision to participate in the web-of-trust.
2. Explain just enough to help their friends also understand it.
3. Understand it enough to trust it based on their own understanding, instead of just entirely on the word of us “experts” who have been using it for years.

The second session would be the keysigning party itself. Perhaps there could be two of these? The main one would be in the second evening and the second keysigning party could be a family-day thing.

Anyway, we’ll all be much better prepared for next year.



Utah Open Source Conference 2009

7 Oct 2009

Visit [ http://www.utosc.com/ ] for the details.

This year, I’m not doing any presentation. I have some ideas for next year.

I will be running the keysigning party on Friday, October 9 at 7:15pm at the conference. I’m stepping into doing this a bit last minute, so we’re going to provide some additional info and the instructions for the keysigning party on the UTOSC website should be updated very soon.

To participate, just show up. If you want help generating a key pair and getting started, there will be several people there who can assist you; just be sure to bring your own notebook computer. If you have keys, please email me your full key ID (not a short or medium one) at keysigning@openbrainstem.net. It is a good idea to digitally sign that email. If you have multiple keys, include them all. I actually have three separate keys these days and 2 of them have multiple IDs associated with them.

GPG (and PGP) allow us to digitally sign messages (usually email, but they can be used with other communications systems, too), code and other documents. They also let us encrypt files, emails and just about anything else. This is an extremely important technology for a lot of reasons, some of which I’ve discussed in past articles on this blog (and others). Defending our privacy and ensuring the integrity of our personal, family and business communications is vital. We sign each other’s keys to build a “web of trust.” This is the critical step that makes the whole thing usable.

If you have never used PGP or GPG (a.k.a. GnuPG, Gnu Privacy Guard) before, visit the GnuPG website for a basic description of how to generate your key pair.

If you have never participated in a keysigning party, check out the Keysigning Party HOWTO and/or [ http://keysigning.org/ ].

Immediately following the Utah Open Source Conference 2007 keysigning party, I wrote a simple script to help you sign-lots-o-keys. You can download the script from [ http://www.openbrainstem.net/download/sign-lots-o-keys ]. If I have time before the keysigning party in just two days, I have some little updates that I would like to implement in that script. But don’t hold your breath. Perhaps there will be time at the conference on Saturday?

So, please, plan on joining us on Friday. These are always good fun.



Block SSH Cracking Bot-Nets with Netfilter

2 Jan 2009

A few weeks ago, I was looking through some Netfilter documentation, just poking around, looking at some modules I’ve never seen, played with or heard of, and I came across the recent module. I decided to try it out on one of my servers that gets anywhere from zero (0) to tens of thousands of crack attempts via SSH per day and see if I could weed out some of these bot-nets. It also occurs to me that this could help fight email SPAM-bots, too.

Of course, it’s very important to have good, strong password security practices. If you have poor passwords, none of this will matter, as you’ve probably already been compromised whether you know it or not. This means that all users have to have strong passwords. Techniques for helping users to create and use strong passwords are beyond the scope of this article, but I will write about these things in the near future.
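The kind of ruleset the recent module makes possible, as an added example that is not the post’s own configuration: new SSH connections go through a dedicated chain, and a source that opens more than four in a minute is logged and dropped. It assumes iptables on PATH, sshd on tcp/22 and IPv4 only; IPT=echo previews the rules without touching the firewall.

```bash
#!/bin/sh
# Added example (not from the original post): throttle SSH brute-forcing with
# the netfilter "recent" match. Assumptions: iptables on PATH, sshd on tcp/22,
# IPv4 only. Set IPT=echo to preview the rules instead of applying them.
IPT="${IPT:-iptables}"

ssh_ratelimit_rules() {
    # Dedicated chain so the SSH rules can be flushed and re-applied on their own
    $IPT -N SSH_BRUTE 2>/dev/null || $IPT -F SSH_BRUTE
    # Only brand-new connection attempts are judged; established sessions pass
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_BRUTE

    # Log a source that already made 4+ new connections within 60 s
    # (--rcheck only tests the table, it does not touch the timestamp)
    $IPT -A SSH_BRUTE -m recent --name SSH --rcheck --seconds 60 --hitcount 4 \
        -j LOG --log-prefix "SSH-BRUTE "
    # ... and drop it. --update refreshes the source's timestamp on every hit,
    # so a bot that keeps hammering stays blocked until it goes quiet.
    $IPT -A SSH_BRUTE -m recent --name SSH --update --seconds 60 --hitcount 4 \
        -j DROP
    # Otherwise remember the source address and let this attempt through.
    # This --set rule must come AFTER the checks: placed first, it would accept
    # every packet before the hit count is ever examined.
    $IPT -A SSH_BRUTE -m recent --name SSH --set -j ACCEPT
}

# The table is visible at /proc/net/xt_recent/SSH; the module keeps at most
# ip_list_tot addresses per table (default 100), raise it via a module option
# if the bot-net is larger than that.
if [ "${1:-}" = "--apply" ]; then
    ssh_ratelimit_rules
fi
```

Run with `--apply` as root to install the rules; `IPT=echo sh script.sh --apply` prints them instead.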



Petrov Day

26 Sep 2007

I’ll thank Tene for pointing me at this one:

Take a look at http://www.overcomingbias.com/2007/09/926-is-petrov-d.html. This was probably one of the most important moments and one of the best decisions anyone ever made in the entirety of the 20th century.

Petrov decided to not destroy the world just because a bunch of flashing lights told him that five (that’s right only five) US missiles might be heading towards the USSR.



sign-lots-o-keys

11 Sep 2007

On the last day of the Utah Open Source Conference 2007 (UTOSC), there was a PGP/GPG key signing party, hosted by Scott Paul Robertson. It was good to be able to get set up to properly sign so many keys, but it did give me a little problem; I needed to sign everyone’s keys with each of my 4 active keys. That would have been over 100 times running the gpg command. Sounds like something begging to be scripted, so I did.

I’m posting the script, which is still very rough, as I didn’t bother taking any time when I whipped it up last night to take care of everything that it really should be doing. Still, I’ll work on it here and there, I’m sure. You can download it from http://www.openbrainstem.net/download/sign-lots-o-keys. If you feel like making some fixes, post your patches (please, create them as a unified diff file, if you wouldn’t mind) and put a link in the comments here and/or on your own blog.

Enjoy!
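The signing loop described here and in the 2009 announcement above, as an added example that is not the author’s sign-lots-o-keys script: every fingerprint from the party sheet is signed with each of your own keys, after checking the key was actually imported. It assumes gpg (GnuPG) on PATH and a gpg-agent holding the signing passphrases; the fingerprints in the sample list are constructed placeholders, not real keys.

```bash
#!/bin/sh
# Added example (not the author's sign-lots-o-keys): sign every key ID from a
# keysigning-party list with each of your own signing keys.
# Assumptions: gpg (GnuPG) on PATH; each fingerprint in the list has already
# been checked against the printed party sheet and the owner's photo ID.
GPG="${GPG:-gpg}"   # set GPG=echo to preview the commands without signing

# sign_lots_o_keys <list-file> <signing-key> [<signing-key> ...]
sign_lots_o_keys() {
    list="$1"; shift
    for signer in "$@"; do
        while read -r fpr; do
            # skip blank lines and comments in the party list
            case "$fpr" in ''|'#'*) continue ;; esac
            # refuse to sign a key that was never imported (typo, or the
            # owner's key never reached the party keyring)
            if ! $GPG --batch --list-keys "$fpr" >/dev/null 2>&1; then
                echo "not in keyring, skipping: $fpr" >&2
                continue
            fi
            # one signature per (signer, target) pair; --batch --yes skips the
            # interactive confirmation, the passphrase comes from gpg-agent.
            # stdin is closed so gpg cannot swallow the rest of the list.
            $GPG --batch --yes --local-user "$signer" --sign-key "$fpr" </dev/null
        done < "$list"
    done
}

# Constructed sample party list: placeholder fingerprints, not real keys.
PARTY_LIST="$(mktemp)"
cat > "$PARTY_LIST" <<'EOF'
# UTOSC party sheet, verified entries only
0000000000000000000000000000000000000001
0000000000000000000000000000000000000002
0000000000000000000000000000000000000003
EOF

if [ "${1:-}" = "--run" ]; then
    # YOUR-KEY-ID-1/2 are placeholders for your own signing key IDs
    sign_lots_o_keys "$PARTY_LIST" "YOUR-KEY-ID-1" "YOUR-KEY-ID-2"
fi
```

Afterwards, export the freshly signed keys and send each one back to its owner (or push to a keyserver) so the signatures actually enter the web of trust.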



Gun Shaped Notebook Battery

18 Aug 2007

Poor Ben Forta. The fact that he’s actually struggled to get through airports for a while before figuring this out seems rather strange to me. How could he be the only one? Why have none of my co-workers (at least, to my knowledge) had similar troubles with their ThinkPad notebooks?

It seems that several TSA inspectors at several different airports were mistaking the laptop battery for a possible gun in Ben’s notebook bag as it went through X-Ray scanners.



IRS Security Troubles

16 Aug 2007

Simply, inexcusably amazing.

The recent MSNBC story, “Computer security problems found at IRS,” discusses security problems found at the IRS. One of the more interesting items:

Sixty-one of the 102 people who got the test calls, including managers and a contractor, complied with a request that the employee provide his or her user name and temporarily change his or her password to one the caller suggested, according to the Treasury Inspector General for Tax Administration, an office that does oversight of Internal Revenue Service.

But even more disturbing:

Only eight of the 102 employees contacted either the inspector general’s office or IRS security offices to validate the legitimacy of the caller.



Commercial eVoting Security Problems Abound

15 Aug 2007

Recently, California’s Secretary of State was required to perform a security screening of the eVoting systems that the State of California is thinking of/planning to use. The California Secretary of State appears to have been highly opposed to this outside audit process, according to information found within the official reports (the site has lots of links to very interesting documents, most of which are well worth the reading).

Matt Bishop’s comments on the nearly total lack of cooperation the California Secretary of State’s office gave to the review process are utterly amazing. It’s good to see that Debra Bowen (California’s Secretary of State) has now taken the step of decertifying and disapproving all previously approved eVoting systems.

Avi Rubin has some excellent comments on the whole eVoting situation.

The State of Florida is getting into the act, reporting on their own security reviews of commercial eVoting systems (PDF). In this letter to Diebold (PDF) which the State of Florida has published, they give Diebold an ultimatum:

Based on the report, the Bureau of Voting systems Certification has determined that certain vulnerabilities outlined must be corrected by August 17, 2007, to continue this certification. Failure to do so will result in a denial of certification.

There are 3 pages of required fixes attached to that letter.

The U.K. Electoral Commission recently released their report detailing serious security flaws in eVoting systems.

Electronic voting is a hard problem, but that doesn’t excuse Diebold Election Systems, Inc., Hart InterCivic, Sequoia Voting Systems and Elections Systems and Software, Inc. from their demonstrated complete lack of fundamental understanding of how to secure … well, anything, and in particular, they’ve all shown that they have no one with even the first clue of how to either implement or apply cryptography correctly.

Applause goes to both Florida and the U.K. for recognizing bad vendor crap in the first place. An extra-hearty ‘atta-girl’ goes out to Debra Bowen in California for throwing out approvals and certifications of these seriously flawed systems.

This topic is far too important to leave in the hands of the proprietary, closed-systems mindset crowd. It must be open. The code must be open and available to everyone. All systems must be thoroughly tested by reputable, recognized, outside authorities. I hope we’ll see an open source/free software implementation of an eVoting system that could be used for governmental elections. Such a system wouldn’t be limited to only government use, either, but I believe it would find a place in many corporations and other institutions.



DHS Wants DNSSEC keys

9 Apr 2007

You might not know what DNSSEC is. That’s fine, most people don’t know either. The basic idea is to implement a replacement for the horribly flawed security model of standard DNS while not breaking backward compatibility. That’s what DNSSEC is, in a nutshell. It works by using methods similar to the way that SSL key-signing authorities work, but just for DNSSEC DNS servers.

Well, the illustrious and all wise folks at the US Department of Homeland Security have apparently decided that they should have copies of the DNSSEC key-signing keys. Given that someone told them that these were the “cryptographic keys to the Internet,” it’s very understandable that they would drool over them.

I wonder how disappointed they’ll be if they succeed in commandeering a copy of the key-signing keys and then learn what they really are; merely the keys used to sign keys used by DNS servers which are authoritative for registered domains, and nothing more.

What’s next? Is DHS going to start demanding the key to every city, too?