Author: Andrew Hay

Suggested Blog Reading – Thursday May 17th, 2007

It’s May…and it’s snowing. Snow!?!?!?!

Here’s the list:

The Windows Vista Security Blog is Back – Sometimes it’s better to lay low while the dust settles 🙂

We’re back! You’ve probably noticed that the blog hasn’t been updated much lately. We’re going to change that and you can expect to see regular posts again. Windows Vista has been publicly available for over 100 days now, and we think we’re holding up pretty well. As we said, no software is 100% perfect and will contain vulnerabilities, but overall it’s nice to see the new security features in Windows Vista and the defense in depth strategy paying dividends. Look for more posts about Windows Vista security technologies soon.

ISIC – IP Stack Integrity & Stability Checker – Another tool to check out.

ISIC is a suite of utilities to exercise the stability of an IP Stack and its component stacks (TCP, UDP, ICMP et al.). It generates piles of pseudo-random packets of the target protocol. The packets can be given tendencies to conform to, i.e. 50% of the packets generated can have IP Options and 25% of the packets can be IP fragments, but the percentages are arbitrary and most of the packet fields have a configurable tendency.
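To make the “configurable tendency” idea concrete, here is an added example (not ISIC’s own code, which is C) that builds pseudo-random IPv4 packets where each feature fires with a set probability: IP options, fragmentation and a corrupted header checksum. The percentages, addresses and the choice of features are assumptions for the illustration; the block only builds and checks the packets and does not send them, since that needs a raw socket and root.

```python
import random
import socket
import struct

# Feature tendencies, in the spirit of ISIC's percentage knobs. The values are
# assumptions chosen for this example, not ISIC's defaults.
DEFAULT_TENDENCIES = {
    "ip_options": 0.50,    # packets carrying an IP options field
    "fragment": 0.25,      # packets flagged as fragments (MF bit + offset)
    "bad_checksum": 0.10,  # packets with a deliberately corrupted checksum
}


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(rng, src, dst, tendencies=DEFAULT_TENDENCIES):
    """Build one pseudo-random IPv4 packet; return (bytes, features_fired)."""
    fired = {name: rng.random() < p for name, p in tendencies.items()}

    options = b""
    if fired["ip_options"]:
        # 1..40 random option bytes, padded to a 32-bit boundary (IHL max 15).
        options = bytes(rng.randrange(256) for _ in range(rng.randint(1, 40)))
        options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4

    flags_frag = 0
    if fired["fragment"]:
        flags_frag = 0x2000 | rng.randrange(1, 0x2000)  # MF bit + 13-bit offset

    payload = bytes(rng.randrange(256) for _ in range(rng.randint(0, 64)))
    total_len = ihl * 4 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl,          # version 4, header length in 32-bit words
        rng.randrange(256),      # TOS
        total_len,
        rng.randrange(1 << 16),  # identification
        flags_frag,
        rng.randint(1, 255),     # TTL
        rng.choice([1, 6, 17]),  # ICMP, TCP or UDP
        0,                       # checksum placeholder, filled in below
        socket.inet_aton(src),
        socket.inet_aton(dst),
    ) + options

    csum = ip_checksum(header)
    if fired["bad_checksum"]:
        csum ^= 0xFFFF  # always differs from the correct value
    header = header[:10] + struct.pack("!H", csum) + header[12:]
    return header + payload, fired


def generate(count, seed=0, src="192.0.2.1", dst="192.0.2.2"):
    """Seeded batch so a run can be replayed when the stack under test falls over."""
    rng = random.Random(seed)
    return [build_packet(rng, src, dst) for _ in range(count)]


def feature_rates(packets):
    """Observed fraction of packets per feature, to confirm the requested mix."""
    names = packets[0][1].keys()
    return {n: sum(f[n] for _, f in packets) / len(packets) for n in names}


# Receiver-side views of a packet, used to check what the generator produced.
def total_length(packet):
    return struct.unpack("!H", packet[2:4])[0]


def has_options(packet):
    return (packet[0] & 0x0F) > 5


def is_fragment(packet):
    return bool(struct.unpack("!H", packet[6:8])[0] & 0x2000)


def checksum_valid(packet):
    """Recompute over the header with the checksum field zeroed."""
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    stored = struct.unpack("!H", header[10:12])[0]
    return ip_checksum(header[:10] + b"\x00\x00" + header[12:]) == stored


if __name__ == "__main__":
    print(feature_rates(generate(1000)))
```

Running the module prints the observed mix for a thousand packets; the seed makes the batch reproducible, which matters more than it looks when a crash only shows up after packet 8,000.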

NSM tip : Watch out for the quiet ones – I’m looking forward to the upcoming Unsniff release.

The Unsniff beta build (1.5) we are using at the site has a Top-N feature for a whole set of statistics (IPs, MACs, conversations, protocols, subnets, interfaces, etc.). This is a fairly common feature in many tools. We ran Top-N for a while on one of their key entry points. It was fine and produced great results from a traffic analysis point of view. Day in and day out, these Top-N lists feature the same hosts/subnets at the same time of day.

From a Network Security Monitoring (NSM) angle, this kind of data invariably features entities that already have a high trust level. Most Top-N analyses are soon taken over by the “usual guys” like Exchange, company video streaming, training, VoIP and so forth.
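The complaint above is that Top-N is dominated by trusted, chatty hosts while the interesting source may have a single small flow. The following added example (mine, not Unsniff’s or the post author’s) runs a Top-N over constructed flow records and then lists the sources Top-N never shows, filtered to off-hours activity. The flow records, the business-hours window and the thresholds are assumptions for the illustration.

```python
from collections import Counter

BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59 working day


def constructed_flows():
    """Constructed flow records (hour, src, dst, bytes); not captured data."""
    flows = []
    for hour in range(24):
        flows.append((hour, "10.1.1.10", "10.1.1.5", 50_000_000))   # Exchange
        flows.append((hour, "10.1.1.20", "10.1.2.1", 80_000_000))   # video streaming
        flows.append((hour, "10.1.1.30", "10.1.1.31", 20_000_000))  # VoIP gateway
    for hour in BUSINESS_HOURS:
        flows.append((hour, "10.1.5.42", "198.51.100.7", 2_000_000))  # a workstation browsing
    # The quiet one: a single 4 KB flow at 03:00 to an outside address.
    flows.append((3, "10.1.5.77", "203.0.113.9", 4_096))
    return flows


def top_talkers(flows, n=3):
    """Classic Top-N by bytes sent per source."""
    by_src = Counter()
    for _, src, _, nbytes in flows:
        by_src[src] += nbytes
    return by_src.most_common(n)


def quiet_ones(flows, n=3, max_flows=2):
    """Sources a Top-N view never surfaces: few flows and outside the top N."""
    loud = {src for src, _ in top_talkers(flows, n)}
    per_src = Counter(src for _, src, _, _ in flows)
    return sorted(src for src, c in per_src.items()
                  if c <= max_flows and src not in loud)


def off_hours_from_quiet(flows, n=3, max_flows=2):
    """Flows from quiet sources outside business hours: the ones worth a look."""
    quiet = set(quiet_ones(flows, n, max_flows))
    return [f for f in flows if f[1] in quiet and f[0] not in BUSINESS_HOURS]


if __name__ == "__main__":
    flows = constructed_flows()
    print("Top-N:", top_talkers(flows))
    print("Quiet, off hours:", off_hours_from_quiet(flows))
```

The Top-N output is exactly the “usual guys” (video, Exchange, VoIP) in every run; the 4 KB flow at 03:00 only appears once you ask the complementary question.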

When Good Intentions Go Bad – You know what they say about the road to hell being paved with good intentions 🙂

The author of W32.Uisgon.A appears to have been a computer science student who wanted to collect samples of viruses that were being brought into his college by USB sticks.

So he wrote a program that copies suspected virus samples to a Windows share and a ‘good’ worm to propagate his program. The worm copies itself to network shares and USB sticks and runs the sample collector from a remote Windows share.

Eventually, he intended to terminate the worm by replacing the sample collector on the Windows share with a fixtool.

However, his design resulted in the worm infecting machines outside his university and well beyond his control. In particular, USB sticks weren’t just plugged into computers within his university network, but computers outside the university as well causing his worm to spread uncontrollably. Once the worm began spreading outside the university he had no way to terminate them as he had no way of accessing them.

The end result is a ‘good’ worm that is infecting computer networks in-the-wild and is no better than the ‘bad’ worms it was supposed to catch.

Researcher Reveals 2-Step Vista UAC Hack – Hack Vista, cha-cha-cha, one, two, cha-cha-cha.

Paveza said in the paper that the vulnerability uses a two-part attack vector against a default Vista installation. The first step requires that malware called a proxy infection tool be downloaded and run without elevation. That software can behave as the victim expects it to while it sets up a second malicious payload in the background.

Introducing The Open Event Log Project

The Open Event Log (OEL) Project was conceived by Andrew Hay in May 2006 as a repository for system/server/application event logs to aid in incident response and forensic analysis. Many tools are now available to assist the analyst in interpreting event logs, but a better understanding of the logs, as well as samples, was lacking. Most vendors post their event log specifications, but it helps to have a central location that displays samples of these logs.

The ultimate goal of this site is to educate users on proper event log collection and analysis techniques which goes hand in hand with our motto: “No log left behind!”

Please note that this site has no corporate backing, in order to remain as independent as possible.

Each device/application will display the following information to help the community:

  • Log Sample
  • Log Description
  • How To Enable Logging
  • Regular Expression Matching

An example of this format can be seen with the Juniper NetScreen entry here: http://www.openeventlog.com/index.php/Juniper_NetScreen
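To show what the “Log Sample” and “Regular Expression Matching” parts of an entry give an analyst in practice, here is an added example (not the project’s own content) that parses NetScreen-style traffic log lines. The two sample lines are constructed for the illustration in the device’s key=value syslog style, not copied from the OEL entry or from a real capture; the regular expressions and field names are mine.

```python
import re

# Constructed samples in the style of NetScreen traffic logs (not real captures).
SAMPLES = [
    'ns5gt: NetScreen device_id=ns5gt [Root]system-notification-00257(traffic): '
    'start_time="2007-05-17 08:15:02" duration=0 policy_id=320001 '
    'service=udp/port:53 proto=17 src zone=Trust dst zone=Untrust '
    'action=Permit sent=64 rcvd=0 src=192.168.1.10 dst=10.0.0.1 '
    'src_port=1025 dst_port=53 session_id=12345',
    'ns5gt: NetScreen device_id=ns5gt [Root]system-notification-00257(traffic): '
    'start_time="2007-05-17 08:16:40" duration=0 policy_id=320002 '
    'service=tcp/port:445 proto=6 src zone=Untrust dst zone=Trust '
    'action=Deny sent=0 rcvd=0 src=203.0.113.9 dst=192.168.1.10 '
    'src_port=4212 dst_port=445 session_id=0',
]

# Fixed prefix: syslog host, device id, vsys, message category/id/subtype.
HEADER_RE = re.compile(
    r'^(?P<host>\S+): NetScreen device_id=(?P<device_id>\S+) '
    r'\[(?P<vsys>[^\]]+)\](?P<category>[\w-]+)-(?P<msg_id>\d{5})'
    r'\((?P<subtype>\w+)\): (?P<body>.*)$'
)

# Body is key=value pairs. Values are either double-quoted (may contain
# spaces, e.g. start_time) or bare; keys may contain one space
# ("src zone", "dst zone").
KV_RE = re.compile(
    r'(?P<key>[a-z_]+(?: [a-z_]+)?)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))'
)


def parse_netscreen(line):
    """Return a dict of header and body fields, or None if the line is not one of these."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    record = {k: v for k, v in m.groupdict().items() if k != "body"}
    for kv in KV_RE.finditer(m.group("body")):
        value = kv.group("quoted")
        if value is None:
            value = kv.group("bare")
        record[kv.group("key")] = value
    return record


def denied_connections(lines):
    """Parsed records for denied traffic only; unparseable lines are skipped."""
    records = (parse_netscreen(line) for line in lines)
    return [r for r in records if r is not None and r.get("action") == "Deny"]


if __name__ == "__main__":
    for r in denied_connections(SAMPLES):
        print(r["start_time"], r["src"], "->", r["dst"], r["service"])
```

Keeping the header and body patterns separate is deliberate: the header changes with firmware and vsys naming, while the key=value body parser survives field reordering and new fields without edits.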

I’d appreciate any feedback you might have and invite you to contribute as much as possible.

Suggested Blog Reading – Wednesday May 16th, 2007

I wanted to point out the following post from Andy Willingham’s blog called Time to think. It’s not really security related but does illustrate a good point — Make sure you always have your resume up to date. I was told a long time ago that if you stop looking at job postings then you might miss your dream job. Those are my words of wisdom for the day 🙂

Here’s the list:

Comprehensive SQL Injection Cheat Sheet – I was looking for something like this yesterday. Perfect!

Currently only for MySQL and Microsoft SQL Server, with some ORACLE and some PostgreSQL. Most of the samples are not correct for every single situation. Most real-world environments may change because of parentheses, different code bases and unexpected, strange SQL sentences.

Samples are provided to allow the reader to get a basic idea of a potential attack, and almost every section includes brief information about itself.
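As an added example (mine, not from the cheat sheet), here is the basic authentication bypass the cheat sheet’s samples build on, shown as a vulnerable string-built query next to its parameterised replacement. It uses an in-memory SQLite database with constructed rows so it runs offline; the table, the users and the payloads are assumptions for the illustration, and the quoting rules are the same ones that matter on MySQL and SQL Server.

```python
import sqlite3


def setup_db():
    """Constructed users table; credentials here are dummies for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """User input is pasted into the statement, so quotes in it become SQL syntax."""
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Same query with bound parameters: input is data, never SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Two classic payloads from the cheat-sheet family.
#   1. Tautology in the last field: ... AND password = '' OR '1'='1'
TAUTOLOGY_PASSWORD = "' OR '1'='1"
#   2. Comment out the rest of the WHERE clause from the first field:
#      ... WHERE username = '' OR 1=1 -- ' AND password = '...'
COMMENT_USERNAME = "' OR 1=1 -- "


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", login_vulnerable(db, "alice", TAUTOLOGY_PASSWORD))
    print("safe:      ", login_safe(db, "alice", TAUTOLOGY_PASSWORD))
```

Note the operator precedence in payload 1: AND binds tighter than OR, which is why `' OR '1'='1` in the *username* field alone would not bypass this query, while the same string in the password field returns every row. That is the “not correct for every single situation” caveat from the cheat sheet in miniature.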

Fact or Fiction: The future of SIMs – I completely agree with you Raffy…SIMs can do active response although some do not do it very well. I’m wondering if he meant that you might get burned with active response unless you totally understand how it works prior to enabling it? I’ve seen situations where people have enabled active response mechanisms only to find that they didn’t exclude core routers from the block list…effectively bringing down their network in the middle of the night.

I was just listening to this podcast about security information management (SIM) systems. Tom Bowers from Information Security magazine is talking about various topics in SIM. Unfortunately I have to disagree with Tom on a couple of points, if not more.

Malware Stats or Ghost in the Browser – I’ll have to give this paper a read.

I found an interesting link after visiting Zeno’s post on a Malware paper produced by Google to document malware on the internet. Firstly, let me start by saying, this is a really good paper, as it discusses the ways in which malware propagates. Not that it’ll be news to anyone who reads this site religiously, but it’s still interesting to see all our theories validated.

Secondly, be wary of the statistic 1 out of 10 websites have malware. Google hand selected 17 million and only did a deep dive into 4.5 million sites out of their own repository. It’s well known that Google does not spider the entire internet (it’s a very small portion in reality) and also, they picked those URLs because they were likely conduits. They weren’t arbitrary. So let’s just take that statistic off the table. Yes, the Internet is a scary place, but not 1 out of 10 sites actively trying to screw you scary.

Great New Site for Data Loss Statistics – Good for presentations to customers/clients

There is a great new site, etiolated.org, that takes the privacy breach data accumulated by attrition.org and parses it into some very interesting statistics, trends charts, provides areas for commentary, and lots of other interesting and useful information.

Critical Unicode Flaw Undercuts Firewalls, Scanners – Maybe it’s time to give your vendor a call and see how things are progressing?

The U.S. Computer Emergency Response Team is reporting a network evasion technique that uses full-width and half-width unicode characters to allow malware to evade detection by an IPS or firewall.

The vulnerability affects virtually every major firewall and intrusion prevention system available, including products from Cisco Systems. Given Cisco’s major share of the market, at least for enterprise routers and VPN and firewall equipment—according to Gartner, Cisco was at the top of the heap with 66 percent of that market in 2006—that means most businesses will be affected.
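The evasion described above works because the inspecting device matches its signatures against the request bytes as sent, while the web server decodes full-width and half-width Unicode forms back to the ASCII the attacker meant. This added example (mine, not from US-CERT or any vendor) shows a literal signature failing against a full-width request and the fix of normalising to NFKC before matching. The signature, the request and the assumption that the endpoint folds these forms are illustrative.

```python
import re
import unicodedata

# Signature an inspector might look for in request text (illustrative).
SIGNATURE = re.compile(r"cmd\.exe", re.IGNORECASE)


def to_fullwidth(text):
    """Rewrite printable ASCII as its Unicode full-width form (U+FF01..U+FF5E)."""
    return "".join(
        chr(ord(c) + 0xFEE0) if 0x21 <= ord(c) <= 0x7E else c for c in text
    )


def naive_inspect(request):
    """Match the signature against the request exactly as received."""
    return SIGNATURE.search(request) is not None


def normalized_inspect(request):
    """Fold compatibility variants (full-width Latin, half-width katakana and
    friends) to their canonical code points before matching, so the inspector
    sees what the endpoint will act on."""
    return SIGNATURE.search(unicodedata.normalize("NFKC", request)) is not None


# Constructed requests: the plain one and the same thing with the filename in full-width.
REQUEST = "GET /scripts/cmd.exe?/c+dir HTTP/1.1"
EVASIVE_REQUEST = "GET /scripts/" + to_fullwidth("cmd.exe") + "?/c+dir HTTP/1.1"


if __name__ == "__main__":
    print(EVASIVE_REQUEST)
    print("naive:", naive_inspect(EVASIVE_REQUEST),
          "normalized:", normalized_inspect(EVASIVE_REQUEST))
```

The practical question for your vendor is the one the code makes explicit: does the product normalise the decoded request the same way the protected server does, or does it match on the wire bytes? Case-insensitive matching does not help here, since case folding does not map the full-width letters to ASCII.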

Deployment Best Practices Series – Deployment Expertise – Cisco NAC specific article but it’s very thorough.

Many organizations fall victim to “I thought I could get it working” and then really do not receive the benefits of NAC Appliance. This is why, to have a successful deployment, you must have experience with the product.
