Introducing AppTrust

Posted in Application Security on November 12, 2009 by Matthew Flick

FYRM Associates is proud to announce our new AppTrust offering, which enables organizations to produce secure applications in a timely and cost-effective manner. The typical, flawed approach to application security borrows the network security model of "when we find a vulnerability, we patch it." This forces your organization into a never-ending game of catch-up with attackers, which is nothing more than a costly and time-consuming strategic failure.

The AppTrust Assessment, Training, and Certification solutions break this mold with a strategy that enables your organization to implement applications that are secure as soon as they enter production.

You can read more about FYRM Associates’ new AppTrust offering at our Web site, http://apptrust.fyrmassociates.com, or contact FYRM Associates at http://scr.im/fyrmsales or (877) 752-7170 for more information.

XAB – Cross Site Scripting Anonymous Browser updated and seeking help

Posted in Application Security on November 10, 2009 by Matthew Flick

XAB, the framework that allows one to browse the web through a cross-site scripting (XSS) foothold, has a new release. This release accommodates all content types, so any file format can now be transferred through the framework. The latest release can be found at SourceForge: xab.sourceforge.net.

We’re seeking volunteers to help out with development. We’d like to take XAB from a small research project to a community-driven effort to expand the possibilities of what can be done with XSS.

XAB Presentation @ OWASP DC Chapter Meeting on 9/2

Posted in Application Security, Conferences, Events, OWASP on August 25, 2009 by Matthew Flick

I will be giving an update on XAB (Cross Site Scripting Anonymous Browser) with Jeff Yestrumskas at the OWASP DC Chapter’s next meeting on September 2 at 6:30 PM. More details can be found here. See you there!

OWASP AppSec DC 2009 Sponsor

Posted in Application Security, Conferences on August 20, 2009 by Matthew Flick

OWASP just launched the official AppSec DC 2009 site at http://appsecdc.org. We’ll be out in force and will most definitely host some type of party/event. Check back here often or follow us on Twitter (getFYRM) for updates. We’ll see you there!

Follow us on Twitter (getFYRM)…and RSVP Deadline Passed

Posted in Black Hat, Conferences, DEFCON, Events on July 30, 2009 by Tim

You can follow us on Twitter under getFYRM. We’ll be tweeting updates this weekend for the happy hour tonight (see below) and for the netbook winners.

The RSVP deadline for the happy hour tonight has passed. See Tony or Matt if you still want in. Also catch them for swag and a chance to win one of two Asus netbooks.

U.S. needs to attract more Cybersecurity Ninjas

Posted in Government, Jobs on July 27, 2009 by Matthew Flick

I’m not sure why I continue to keep a close eye on this administration and the Federal Government, but I guess someone needs to step up to do it. Hannity & Colmes, Limbaugh, and Jon Stewart might know the government, but they sure don’t know security ;) I also think that, being in such close proximity to the nation’s capital, I’m constantly inundated with news clips, stories, and critiques, so it’s hard not to form some opinion.

A report released by the Partnership for Public Service, a nonprofit organization devoted to building a better federal work force, and Booz Allen Hamilton, a management consulting firm, finds that the Federal Government is at risk of being unable to fight off attacks on the nation’s computer networks unless it strengthens its cybersecurity work force. The report identified the main challenges “as uncoordinated leadership of cybersecurity workers; a cumbersome hiring process that discourages people from seeking government jobs and fails to provide a career path for those who do; and hiring managers and human resource specialists who disagree on the quality of IT candidates.”

The report contained several recommendations for actions that could help resolve some of the issues right now. One point it strongly suggests is that agencies should put someone in charge of hiring cybersecurity talent now rather than wait for instruction from the White House’s new cybersecurity coordinator. The report also included a checklist for cybersecurity talent management that agencies can use as a reference point.

I think it’s fair to say the public sector continues to lag behind in most things information security related. The lack of budget, resources, training, and awareness is not too different from what we see in the private sector. However, the disparity in those areas, especially at some of the “most critical” agencies, can be disturbing. I hope President Obama and his appointed cybersecurity folks move fast to address the issues raised in this latest report. I totally agree that each agency should move forward independently, but at the same time coordinated strategic efforts and sensible guidelines/frameworks are going to be critical across our government. I hate to admit it, but I do think a major roadblock is going to be the pay scale for government positions. Security folks are at the top of the IT pay scales, and that doesn’t translate well to the government’s GS scale right now. A bit cliché, but money talks.

Please, President Obama, get your cybersecurity A-team put together quickly, get advice from cybersecurity thought leaders and representatives in the private sector, and give the agencies serious security budgets to get things accomplished. We need more ninjas on our side, protecting our “cyber-borders.”

We’re Hiring!

Posted in Jobs on July 23, 2009 by Matthew Flick

We are looking for a National Account Executive and a Senior Security Consultant. Ideal candidates would have experience with application and network security (selling and delivering, respectively). Both positions are remote. Send your resume to http://scr.im/fyrmcareers.

Bluetooth 3.0 + HS: Compromising Your Security at 24 Mbps

Posted in Wireless Security on July 1, 2009 by Tony Flick

On April 21, 2009, the Bluetooth 3.0 specification was adopted by the Bluetooth Special Interest Group (SIG). The new specification includes new capabilities such as:

  • High speed data transfer of large files (~24 Mbps)
  • Bluetooth low energy

The new specification achieves these capabilities by adding an 802.11 radio (i.e., Wi-Fi) that can move large amounts of data with less energy than the Bluetooth radio. While ultra-wideband (UWB, roughly 480 Mbps) was widely rumored to be included in the specification, it was absent from the final release. Using the Wi-Fi radio raises the data transfer rate, which in turn lowers the energy spent per bit. The Bluetooth radio is still used for the initial operations such as device discovery, connection setup, and profile configuration. The result is that Bluetooth 3.0 devices will pick whichever radio minimizes power consumption for the task at hand.

While the new specification promises significant speed and efficiency improvements, new technology always presents new risk. The high speed data transfer works by first initiating the connection over the traditional Bluetooth protocol. The devices then create an ad-hoc (peer-to-peer) 802.11 connection between themselves, forming a personal area network (PAN). The new standard calls for 128-bit AES encryption on that link, which is commendable; however, the 3.0 specification remains backwards compatible. If either device is an older generation, the pair will fall back to the older specification for communication. Thus, the communication between the two devices will be susceptible to the traditional attacks against Bluetooth, and the stronger encryption on the high speed link does nothing for a session that never uses it.

When performing traditional wireless security assessments, one of the most common recommendations is to configure wireless clients to join only infrastructure networks (Access Points), never ad-hoc networks. But as mentioned above, the transfer of large amounts of data under 3.0 + HS goes over an ad-hoc connection between the two devices. Thus, that communication will be susceptible to the traditional attacks against ad-hoc networks, and a client hardened with the usual "no ad-hoc" policy still has an 802.11 peer-to-peer link to think about.

By combining the two radios, the Bluetooth SIG will advance the abilities of Bluetooth devices but will also introduce new attack vectors. Within the next year, devices that implement the Bluetooth 3.0 + HS specification will start to emerge. The question then becomes: are you going to get bluejacked at 24 Mbps?

Black Hat / DEFCON 2009 Reception

Posted in Black Hat, DEFCON, Events on June 22, 2009 by Tim

We’ll be hosting an informal reception at the Hofbräuhaus Las Vegas on Thursday, July 30 to celebrate Tony and Matt’s Black Hat and DEFCON presentations. Please RSVP to rsvp[shift+2]fyrmassociates.com or talk to one of the guys wearing the FYRM Associates shirts at Black Hat. The beer will start flowing at 6 PM and we’ll be around until at least 8 PM.

LAN Party anyone? Let’s volunteer to hack Government websites…

Posted in Application Security, Government, Penetration Testing on June 21, 2009 by Matthew Flick

Would I volunteer my time? Sure, why not. Is it really a good or realistic idea to have our Military and Government solicit an army of volunteers to test their web sites? Probably not. Jeremiah Grossman, CTO and founder of WhiteHat Security, this past week voiced his opinion on a topic that isn’t entirely new, but hasn’t been brought up by an industry pundit for a while. He estimates “fewer than ten percent of United States .GOV and .MIL websites are professionally tested for custom Web application vulnerabilities” and suggests getting vulnerability researchers to volunteer to test those web sites. I honestly didn’t see his blog entry until late Thursday and until now sort of waited to see all the comments on his thoughts. It seems feedback is back and forth, with the more detailed responses on the “not so good” idea side of the fence. Jack Mannino had a good response, which Jeremiah is planning to respond to.

Here are my thoughts: Have you ever worked directly for/with the government? Not a rhetorical question or being a smart a$$, but seriously. It’s a given that the US Federal Government doesn’t spend enough money or resources on cybersecurity [see previous blogs]. I cannot imagine how difficult it would be to coordinate these “volunteer tests” with the Federal Agency, the government security teams that protect the site, the network and system folks responsible for the site, and then all the contractors involved in monitoring and supporting the site… and that’s just a fraction of the folks on the government side. We’ve done contract work with the Federal Government, and doing a simple scan of a small environment from a single source address took a tremendous amount of coordination and planning. It would be insanity to try to coordinate dozens of volunteers. And that is just one of a couple of pre-planning obstacles I can see.

What about a slightly tangential ethics view: is it volunteers or freebies? The Federal Government, from what I’ve experienced, has pushed procurement and purchasing folks through different types of ethics training to prevent inappropriate kickbacks to individuals and organizations. Could a big corporate entity like “Big Yellow,” for example, be allowed to volunteer a team of young staffers to “pen-test”? Wouldn’t it then be ironic if that same company down the line got a chance to bid on projects or even technologies to be implemented? You’ve got to expect someone out there to try to take advantage of it.

The one point Jack made that I’m not going to rehash too much, but do agree with, is regarding incident response. Could you imagine being the contractor or GS-10 sitting in the SOC during “volunteer pen-test day”? If the government doesn’t have the tools to assess its own web sites, I wonder whether it would have the technologies or resources in place to review the logs generated and figure out what is considered “normal” vs. “bad” traffic.

I’m not entirely sure whether Jeremiah really thinks it’s a good idea or is throwing it out there for media fodder (I see SC Magazine already picked it up). It does bring up some interesting early debate, but the more I think about it, the less reasonable it seems.

However, one thought I did come up with (and please pardon me if there is already an organization like this) is taking a page from the National Guard. It would still require some money, background checks, a tremendous amount of coordination, and volunteering. How about a “Cybersecurity National Guard” unit, where people can volunteer X hours a month and have as one of their core responsibilities testing government and military web sites? I’m deeply familiar with the military and intelligence community programs and teams that do this, but this “volunteer” group could be staffed with vulnerability researchers who have extra time or want to do something more valuable for ISC^2 CPEs ;)