Friday, May 30, 2008

ISO 27000 Standards

The ISO/IEC 27000-series numbering has been reserved for a family of information security management standards (ISMS). It is derived from a successful British Standard called BS 7799.

The following ISO27000 standards are either already published or still works in progress:
  • ISO/IEC 27000 - To provide an overview/introduction to the ISO27k standards.
  • ISO/IEC 27001:2005 - This is the Information Security Management System (ISMS) requirements standard/specification.
  • ISO/IEC 27002:2005 (formerly known as ISO/IEC 17799) - This is the code of practice for information security management describing a comprehensive set of information security control objectives and a set of generally accepted good practice controls.
  • ISO/IEC 27003 - To provide implementation guidance for ISO/IEC 27001.
  • ISO/IEC 27004 - This is an information security management measurement standard to help improve the effectiveness of ISMS.
  • ISO/IEC 27005 - This is an information security risk management standard to ISO27k standards.
  • ISO/IEC 27006:2007 - This is a guide to the certification or registration process for accredited ISMS certification or registration bodies.
  • ISO/IEC 27007 - This is a guideline for auditing Information Security Management Systems.
  • ISO/IEC 27008 - To provide guidance on auditing information security controls.
  • ISO/IEC 27010 - To provide guidance on sector-to-sector interworking and communications for industry and government, supporting a series of sector-specific ISMS implementation guidelines starting with ISO/IEC 27011.
  • ISO/IEC 27011 - This is an information security management guidelines for telecommunications (also known as X.1051).
  • ISO/IEC 27031 - This is an ICT-focused standard on business continuity.
  • ISO/IEC 27032 - This is the guidelines for cybersecurity.
  • ISO/IEC 27033 - To replace the ISO/IEC 18028 standard on IT network security.
  • ISO/IEC 27034 - To provide guidelines for application security.

Thursday, May 29, 2008

Why Harddisk Encryption is so Important?

If you haven't encrypted your hard drive (running Vista), think again. Here's how a Windows Vista got hacked with physical access to the machine.

First, reboot the Windows Vista machine with Backtrack 3 CD. Then move utilman.exe to utilman.old, and copy cmd.exe to utilman.exe.

Boot into Windows Vista after it is done. And when it comes to the login screen, hit Win-U (or Ctrl-U) to invoke the utility manager. (Verify with the command whoami).

Done.

(This is from Offensive-Security.com)

Sunday, May 25, 2008

(ISC)2 Blog Launched

(ISC)2 launched a new blog recently. The goal is to provide a voice to its certified members, who have significant knowledge and valuable insights to share that can benefit the information security industry, the people in it and the public at large.

Monday, May 19, 2008

Debian PRNG Security Vulnerability

PRNG = Pseudo/Predictable Random Number Generator.

This is a critical vulnerability and the exploit/POC is released.
Note: This vulnerability applied to any Debian-based Linux distribution including Ubuntu.

All OpenSSH and X.509 keys generated on vulnerable systems must be considered untrustworthy, regardless of the system on which they are used, even after the update has been applied. Characteristics of potentially vulnerable keys include: The was generated since 2006-09-17 and generated using 'openssl', 'ssh-keygen', or 'openvpn --keygen'.

From SANS: there are 2 scenarios basically,
  • The public key is known publicly (TSL/SSL web server) -> no brute force needed, the attackers walk in private key in hand;
  • The public key isn't found (Eg. SSH server) -> brute force of some 260K keys needed (~20min).

References:
  • http://isc.sans.org/diary.html?storyid=4420
  • http://isc.sans.org/diary.html?storyid=4421
  • http://www.milw0rm.com/exploits/5622
  • http://metasploit.com/users/hdm/tools/debian-openssl/