Author: Andrew Hay

Andrew Hay’s Predictions for 2008

Everyone else posts their predictions for the coming year so I figure I should throw mine into the air as well.

More Public and Damning Breaches

I predict that several large breaches will occur and will be revealed to the public. I also predict that one of these breaches will be that of a sensitive government or military target that will dwarf the severity of the TJX breach. These breaches could very well be outside of North America but I have a feeling the major breach will happen in the United States. The breaches will also lend credibility to any of the Presidential candidates’ “new” cyberwar policies that they will enact once elected.

Increased Focus on Foreign Cyberwar Capabilities

I predict that the perceived Chinese cyber-threat will continue to grow and that the capabilities of other unfriendly nations will be thrust into the public eye. Since 2008 is an election year you’ll probably notice this being talked about quite a bit on the campaign trail. I also suspect that there will be promises of increased military spending to combat this “new” threat. Is this the start of another “cold war” on the digital plain? Will the major military players start stockpiling “cyber warriors” in their arsenal?

Year of the Rootkit

I predict that 2008 will be a very bad year for rootkits. More freely available rootkit creation tools will be published, allowing more script-kiddies to build their own distribution packages. Rootkits themselves will become increasingly complicated and harder to detect by common methods. I also suspect that 4th year University & College computer science courses will start showing up over the next several years, showing students how to create, and defend against, these new technologies.

Economic Downturn will Impact Training Budgets

I predict that 2008 will be a bad year for security professionals looking to receive training from their organizations. With the U.S. dollar in flux, organizations will be hesitant to spend their budget on something that isn’t perceived as a tangible return on investment. Expect training organizations to drive their customers towards web and mobile training solutions to help stay competitive.

Forensic Requirements will drive SIM/SEM/SIEM Products

I predict that forensic analysis of stored data will become the hot topic for 2008. Log retention and storage was the key driver in 2007 but now that people have all of this information stored, they are going to need a way to actively use it for investigatory purposes. Expect customers to push back on their SIM/SEM/SIEM vendors for faster and better correlation between events, vulnerabilities, and flows. Also expect several failed PCI investigations to push the top players in the industry to increase the forensic capabilities of their offerings.

Suggested Blog Reading – Saturday December 29th, 2007

I finally broke down and purchased a copy of Microsoft Office 2004 for my Mac. “Why 2004?” you might ask. Well, there’s a deal on now that if you purchase Office 2004 you’ll get a free upgrade to 2008 when it’s launched in mid-January. I can’t pass that up 🙂

Here is the list:
Diversification and Security – Very informative article which discusses, among other things, how the U.S. Army is shifting its IT infrastructure over to Macs and how this is not a bad thing.

Not to give the false impression that there is an Apple on every desk in the army. In fact, Wallington estimates around 20,000 of the Army’s 700,000 or so desktops and servers are Apple-made. He estimates that about a thousand Macs enter the Army’s ranks during each of its bi-annual hardware buying periods. The development of the software should help clear one barrier to Apple desktop deployment.

Jonathan Broskey, a former Apple employee who now heads the Army’s Apple program, argues that the Unix core at the center of the Mac OS makes it easier to lock down a Mac than a Windows platform. Whether you accept Broskey’s statement or not, it is certain that the Mac OS will face growing targeted attacks. An end-of-year data security wrapup by F-Secure highlights the growing number of attacks targeting Apple systems with malicious software. To quote from the report, “at the start of 2007 — our number of malware detections equaled a quarter-million. At the end of 2007, the estimates are to be equal to half-a-million.”

NIST releases final draft of FISMA guidance – Get it while it’s hot 🙂

The National Institute of Standards and Technology has released the final public draft of a framework that will assist agencies create the security assessments mandated by the Federal Information Security Management Act (FISMA).

Copies of Draft Special Publication 800-53A, “Guide for Assessing the Security Controls in Federal Information Systems,” can be downloaded from the NIST site. NIST expects to publish the final edition in March.

Follow-up on using unicornscan for a big scan (400,000+ public IPs) – I’m glad someone has been stress testing this tool. Also interesting is Tate’s comment on them switching to unicornscan as their primary tool for large job scanning.

We performed a sweep of 400,000+ public IPs across multiple continents by configuring the scans to do a full TCP port scan of each IP, sustained ~55 Mbits/s using between 3 and 5 systems, and completed it in a matter of days.

This is pretty good considering by sending two SYN probes per port it meant sending ~52.5 billion packets and producing some 3 Terabytes of data.

Nmap is often our preferred tool, and we used it to spot check our results with unicornscan, but from now on it will come down to the details of the gig to make the choice.

Black Hat USA 2007 Video and Audio Podcasts now live – I like the RSS feed format that they used to present these audio and video podcasts.

Black Hat USA 2007 was a great success, and the presentations were wider-ranging than ever. As part of our ongoing effort to spread useful security knowledge everywhere, we offer video of the entire Briefings roster free online. If by chance you didn’t make it to the event in Las Vegas, or if you attended and missed some talks you wanted to see, subscribe to the podcast feed linked here and get your fill. If what you see here piques your interest, consider attending our upcoming conferences – in DC in February, Amsterdam in March and returning to Vegas in August.

TEMPEST by Chris Gates – How about a paper on TEMPEST security? I find that you don’t see as many of these kinds of papers as you should. Perhaps TEMPEST security just isn’t as “sexy” as compliance, hacking, etc.?

TEMPEST is said to stand for ‘Telecommunications Electronics Material Protected From Emanating Spurious Transmissions’, but I also found ‘Transient Emanations Protected From Emanating Spurious Transmissions’, ‘Transient Electromagnetic Pulse Emanation Standard’, ‘Telecommunications Emission Security Standards’, and several similar variations on the theme. There is no official meaning for TEMPEST; it is more the name of the phenomenon than an acronym.

How do these “intelligence-bearing emanations” occur? Basic electromagnetic theory tells us that electromagnetic fields occur as current flows through a conductor. A conductor can be anything metal (your power cord, your CAT5 cable, your phone cord, etc). How does your CAT5 cable pass data? In a simple explanation, current is pushed along the wire and the data goes with it; the more current pushed down the wire and the longer the wire the greater potential for these “emanations” because of growing electromagnetic fields.

“Big money! Big prizes! I love it!” – I agree with Tate on this one. The attackers are certainly the winners here.

Speaking of big money, the commercial exploit market’s growth isn’t making it any easier to bid on penetration test gigs. If you want to provide the highest assurance you’re capable of to clients, then of course you would like to have your hands on all the exploits out there, both public and private.

Establishing a Practical Routine for Reviewing Security Logs – The good thing about Anton being on vacation is that I beat him to commenting about others log management posts 😉

The term security information management (SIM) refers to the discipline of collecting and analyzing security events to detect or investigate malicious activities. Essential to this process are the individuals who review the gathered data and decide whether the events constitute an incident and should be escalated. Information security logs that are not regularly reviewed are hardly useful and can be a liability to an organization.
Sometimes reviewing security logs can be fun. Don’t get me wrong—sifting through mounds of data to identify the notable events is not always my favorite pastime. However, the pursuit of correlating seemingly unrelated events, determining the cause of an unusual alert or detecting an intrusion at its onset can be pretty rewarding.

The MAC Daddy – Great post from Harlan on how to find the MAC address on a system image.

I received a question in my inbox today regarding locating a system’s MAC address within an image of a system, and I thought I’d share the response I provided…

Deleted Apps – Another great post from Harlan. I’m convinced that neither of us really took vacation over the holidays 🙂

As Windows performs some modicum of tracking of user activities, you may find references to applications that were launched in the UserAssist keys in the user’s NTUSER.DAT file. Not only would you find references to launching the application or program itself, but I’ve seen where the user has clicked on the “Uninstall” shortcut that gets added to the Program menu of the Start Menu. I’ve also seen in the UserAssist keys where a user has launched an installation program, run the installed application, and then clicked on the Uninstall shortcut for the application.
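The UserAssist parsing that Harlan describes, as an added example that is not from his post: value names under the UserAssist keys are ROT13-encoded, and the block assumes the 16-byte XP-era value layout (session id, run count stored as count+5, FILETIME of last run), which is an assumption stated in the code. The sample entries are constructed, not taken from a real NTUSER.DAT.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Assumed XP-era UserAssist value layout: 4-byte session id,
# 4-byte run count (stored as real count + 5), 8-byte FILETIME.
XP_LAYOUT = struct.Struct("<IIQ")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_name(value_name):
    """UserAssist value names are stored ROT13-encoded."""
    return codecs.decode(value_name, "rot_13")


def parse_entry(value_name, raw):
    """Decode one UserAssist value into name, run count and last run time."""
    session, count, ft = XP_LAYOUT.unpack(raw)
    name = decode_name(value_name)
    return {
        "name": name,
        "run_count": max(count - 5, 0),
        "last_run": filetime_to_datetime(ft),
        "uninstall_shortcut": "uninstall" in name.lower(),
    }


def find_uninstall_activity(entries):
    """Entries that reference an Uninstall shortcut: evidence that a program
    was installed and later removed even when its files are gone."""
    parsed = (parse_entry(n, v) for n, v in entries)
    return [e for e in parsed if e["uninstall_shortcut"]]


def encode_sample(name, session, count, run_time):
    """Build a constructed (not real) UserAssist entry for demonstration."""
    d = run_time - FILETIME_EPOCH
    ft = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    return codecs.encode(name, "rot_13"), XP_LAYOUT.pack(session, count + 5, ft)


# Constructed sample data: setup run, app run seven times, then Uninstall clicked.
_UTC = timezone.utc
SAMPLE_ENTRIES = [
    encode_sample("UEME_RUNPATH:C:\\Tools\\setup.exe", 1, 1, datetime(2007, 12, 20, 9, 5, tzinfo=_UTC)),
    encode_sample("UEME_RUNPATH:C:\\Program Files\\FooApp\\foo.exe", 1, 7, datetime(2007, 12, 22, 14, 30, tzinfo=_UTC)),
    encode_sample("UEME_RUNPIDL:Programs\\FooApp\\Uninstall FooApp.lnk", 1, 1, datetime(2007, 12, 23, 8, 0, tzinfo=_UTC)),
]
```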

Suggested Blog Reading – Tuesday December 25th, 2007

I hope everyone is enjoying their holidays. I decided to take some time off from my guests to post another SBR.

Here is the list:
How to Spy Using Van Eck Phreaking – Great video showing Van Eck Phreaking. If you’re unfamiliar with the concept it looks like something out of a James Bond movie. A description of Van Eck Phreaking can be found at the related Wikipedia entry:

Van Eck phreaking is the process of eavesdropping on the contents of a CRT display by detecting its electromagnetic emissions. It is named after Dutch computer researcher Wim van Eck, who in 1985 published the first paper on it, including proof of concept.

Four new papers from the SANS Information Security Reading Room:

A Christmas Packet Challenge – In case you need a break from your guests you can take some time away and rip through some packets.

There is no better Christmas gift, that I can think of to give, than one that involves packets. It’s been a while since I posted a packet challenge, but I couldn’t let Christmas go by without posting one. So for all you fellow packet heads out there, here is one for you to spend your holidays pondering. This challenge is different from last year, so let me tell you the rules for solving this one.

From description to exploit – Great explanation of the work flow used to discover and categorize an exploit.

Every once in awhile I get an opportunity to work on a “known” vulnerability, but with very little or even no available technical details. These known vulnerabilities tend to be “known” just to their finder and to the vendor that fixed the vulnerability. We know they exist because an advisory is published, but not much more than that.
From the point where the vulnerability got fixed, no one (researcher or vendor) has any interest in disclosing the vulnerability details – as it is no longer interesting – leaving security researchers with insufficient information to confirm whether this vulnerability affects anyone else beside the specific vendor – and specific vendor version.

Perl Scripting Book – Harlan just released his latest book on Perl Scripting for IT Security. Check it out! 🙂

Perl Scripting for IT Security is not a follow-on or companion to my previous book, Windows Forensic Analysis. Rather, it goes more into showing what can be done, and how it can be done, in the world of Incident Response and Computer Forensics Analysis using an open-source solution such as Perl. The book, in part, shows that with a little bit of knowledge and skill, we are no longer limited to viewing only what our commercial forensic analysis tools show us.

Nikto 2 Released – Web Server Scanning Tool – Cool!

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Nikto is not designed as an overly stealthy tool. It will test a web server in the shortest timespan possible, and it’s fairly obvious in log files. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).

Here are a few security papers for you to check out:

VizSEC 2008 Call For Participation – Work with the visualization of security? Why not check out the CFP?

As a result of previous VizSEC workshops, we have seen both the application of existing visualization techniques to security problems and the development of novel security visualization approaches. However, VizSEC research has focused on helping human analysts to detect anomalies and patterns, particularly in computer network defense. Other communities, led by researchers from the RAID Symposia, have researched automated methods for detecting anomalies and malicious activity.

The theme for this year’s workshop, which will be held in conjunction with RAID 2008, will be on bridging the gap between visualization and automation, such as leveraging the power of visualization to create rules for intrusion detection and defense systems. We hope that VizSEC participants will stay for the RAID Symposium and RAID participants will consider coming a day early to participate in VizSEC.

Fierce 1.0 – I haven’t checked it out yet but I plan on it 😉

Okay, it’s about time. I am finally releasing Fierce 1.0 as a production ready DNS enumeration tool. What does that mean? It means it works. We have now gotten rid of all the kinks that made me think that it was crippled in a way that made me not want to rely on it. So what was fixed? Well, thanks to Jabra we have now patched fierce so that when it does a zone transfer it continues working, in the off chance that someone messes with the zone transfer to fool fierce into stopping before it sees the real output. Alas, it was a small but important issue to fix.

Enabling NetFlow on Virtual Switches – Use VMWare? What about an NBAD solution? Ever wanted to collect flow information from your virtual switches? Well now you can.

NetFlow is a general networking tool with multiple uses, including network monitoring and profiling, billing, intrusion detection and prevention, networking forensics, and SOX compliance. NetFlow sends aggregated networking flow data to a third‐party collector (an appliance or server). The collector and analyzer report on various information such as the current top flows consuming the most bandwidth in a particular virtual switch, which IP addresses are behaving irregularly, and the number of bytes a particular virtual machine has sent and received in the past 24 hours.
