Category: Suggested Blog Reading
Suggested Blog Reading – Sunday April 20th, 2008
I really apologize for not posting a SBR post since February but I was a touch burnt out. Now that I’m back from vacation, expect to see more frequent posting (I promise this time…no fooling).
Here is the list:
RegRipper – Harlan Carvey has posted several posts lately (here, here, here, and here) about his RegRipper tool. I suggest you check it out.
Striving For PCI DSS Log Management Compliance Also Helps To Identify Attacks From The Outside – I haven’t read through the entire article yet but, from what I did read, it looks quite promising. I may do a full post in response to the key points in the coming days.
The second paper in my series on PCI DSS log management compliance, “Using PCI DSS Compliant Log Management To Identify Attacks From The Outside” is now available.
And, as I’ve been blogging about over the past few days, log management is about much more than systems; it is about the entire management process, and the need to have policies, procedures and address the ways in which personnel review and know how to interpret the logs.
Expanding Government Liability for Data Breach – I think “damages” are probably due to be redefined.
An interesting decision came down last week by U.S. District Court for the District of Columbia that could potentially change the financial liability of data breaches by government agencies and private corporations. For the first time, the district court held that government employees who claimed that a data breach by the Transportation Service Agency (TSA) caused them harm have a valid cause of action against the government. Recent rulings in state courts have dismissed claims for lack of merit based on insufficient proof of emotional harm or financial damage.
SANS Internet Storm Center Starts Monthly Podcast – Wow this is cool. I’m glad that this is happening.
If you dont have the time or interest to read about the latest IT security news the SANS.org podcast or some of the other security podcasts might help you keep up.
CEH/CPTS Certification != competent pentester – Tools are only good in the hands of people who are trained to use them but tools, combined with experience, will always produce superior results.
Bottom line, tools are just tools, they help humans get jobs done. They aren’t and shouldn’t be the only thing used on a pentest. The other point is experience is king, granted the original poster is getting experience, but giving CORE to a brand new tester is not going to help them get better. there is a reason A LOT of subjects are taught the hard way first then you get taught “the shortcut.” Oh, and passing a multiple choice test is not a real demonstrable measure of ability.
Network IDS & IPS Deployment Strategies from the SANS Information Security Reading Room
Solera V2P Tap – It was only a matter of time until someone invested this. I personally think that this is a great, and very useful, invention.
It looks like Solera Networks built a virtual tap, as I hoped someone would. I mentioned it to Solera when I visited them last year, so I’m glad to see someone built it. I told them it would be helpful for someone to create a way for virtual switches to export traffic from the VM environment to a physical environment, so that a NSM sensor could watch traffic as it would when connected to a physical tap.
What’s new in vulnerability management? – Curious what’s happening with your vulnerability management solution? Have a read.
For too long the vulnerability management vendors have been quiet. In fact the whole sector has taken on the “mature” label which seems to indicate there is no new innovation happening. Recently though we have seen some new announcements in this area. Also, Gartner should have a new marketscope due out soon.
The Top 10 Security Events of 2008 – Were you “where it was at”?
The event season is here, bringing a flood of security-related conferences, seminars, trade shows and other gatherings designed to help business owners and managers learn how to better protect their IT environments. Here’s a quick rundown of the top 10 events coming up in 2008. And check out theIT Security blog for live blogging and event updates.
Windows Server 2008 Security Events Posted – Awesome! Here is the link to the spreadsheet: http://www.microsoft.com/downloads/details.aspx?FamilyID=82e6d48f-e843-40ed-8b10-b3b716f6b51b&DisplayLang=en
Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy category and subcategory for your reference.
Check it out in the Knowledge Base.
Even better, they documented all the events in spreadsheet format, and that’s propagating to the Microsoft Download Center. I’ll publish the link when it’s online.
Loads.CC Bot Still Live, Still Targeted – More info about the Loads.CC bot that you should probably check out.
Enough has been written about the Loads.CC team to probably give you enough of a picture that you need to know. Some reports suggested they went away, but they didn’t. They’re still active. See these reports by RBN exploit, CIO magazine, 2-viruses.com, this PC Week article by Scott B, and Adam T for a good background. The team is still quite active.
Fun Reading on Security – 1 – Here’s a pile of Anton’s favorite links over the past few days.
Instead of my usual “blogging frenzy” machine gun blast of short posts, I will just combine them into my new blog series “Fun Reading on Security.” Here is an issue #1, dated April 18, 2008.
The Six Dumbest Ideas in Computer Security – Marcus Ranum takes a run at the dumbest ideas in computer security.
Let me introduce you to the six dumbest ideas in computer security. What are they? They’re the anti-good ideas. They’re the braindamage that makes your $100,000 ASIC-based turbo-stateful packet-mulching firewall transparent to hackers. Where do anti-good ideas come from? They come from misguided attempts to do the impossible – which is another way of saying “trying to ignore reality.” Frequently those misguided attempts are sincere efforts by well-meaning people or companies who just don’t fully understand the situation, but other times it’s just a bunch of savvy entrepreneurs with a well-marketed piece of junk they’re selling to make a fast buck. In either case, these dumb ideas are the fundamental reason(s) why all that money you spend on information security is going to be wasted, unless you somehow manage to avoid them.
Ned on Auditing – I’m going to add this to my RSS watch list. Perhaps something good will show up from the elusive Ned that will help me out.
I often talk about Ned, who is the current subject matter expert in Microsoft product support for the auditing feature in the US (Fadi is your guy in the Middle East and we have a couple of guys in Europe). Well, Ned has a blog and I thought I’d point you guys there. His recent posts on auditing include a description of how to deploy the special groups logon auditing feature with group policy.
Suggested Blog Reading – Monday February 18th, 2008
Ugh….I haven’t had a case of the flu like this for years. I’m finally over it (I think) and hopefully things will be getting back to normal soon.
Here is the list:
PHPIDS – Security Layer & Intrusion Detection for PHP Based Web Applications – This is an interesting tool that I haven’t heard about until today.
PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt.
From the SANS Information Security Reading Room:
Enterprise Security 2008 Learning Guide – Good collection of articles to check out.
2008 won’t just be a year of the same old network, application and compliance issues. New malware has hit the scene, cyberterrorist attacks have become more common, and virtualization technology has presented different enterprise network security challenges. Mike Chapple, Michael Cobb, Joel Dubin, Mike Rothman and Ed Skoudis explore various information security areas and point out the new threats that every organization needs to be ready for.
More on Hating Agents – Everyone hates them but they are required – no, not lawyers….I’m talking about log agents. Anton lists some good pros and cons for leveraging an agent to get you your logs.
I responded to a question about using agents for log collection on a mailing list (semi-public); I think this content also begs to be blogged.
Password Cracking Wordlists and Tools for Brute Forcing – Ever want to find a good word list for your audits?
I quite often get people asking me where to get Wordlists, after all brute forcing and password cracking often relies on the quality of your word list.
Do note there are also various tools to generate wordlists for brute forcing based on information gathered such as documents and web pages (such as Wyd – password profiling tool) These are useful resources that can add unique words that you might not have if your generic lists.
Also add all the company related words you can and if possible use industry specific word lists (chemical names for a lab, medical terms for a hospital etc).
Is the mobile malware threat overblown? – Overblown…maybe. Under-exploited…possibly. Not receiving the amount of attention it deserves…definitely!
The trouble for some IT pros is that security experts have been warning of growing mobile phone attacks for more than three years and the big event has yet to materialize.
Does this mean the mobile phone threat has been overblown all this time, over-hyped by security vendors generating FUD to sell new products? Not exactly.
True, enterprises continue to experience little by way of mobile phone attacks. But that’s only because companies are still limiting the functionality of such devices among employees. Just about everyone uses cell phones with Internet capabilities these days. But in the working world, use of the devices are still limited to making phone calls and checking email.
New Docs at SWGDE – Some new docs on forensics. Thanks Harlan.
The Scientific Working Group on Digital Evidence (SWGDE) has released some new documents, the most notable of which are the Vista Technical Notes, and the document on “Live Capture”.
Could computer forensics help your organisation? – Umm…ya?
Forensics is not yet a mainstream field and descriptions and definitions vary. Yet how do organisations integrate incident response, breach handling and forensic examination into a security strategy? That security strategy should be defined by policies and procedures to minimise security risk at the lowest cost and least disruption. It is a major challenge facing many CIOs…
Scary concept: Friendly worms – If this ever became a reality, which I doubt it will, how long would you expect it would take before someone exploited the updating and transport mechanism to “do evil”?
This isn’t a new idea, the concept of creating worms that patch your computer when you catch them. There are even some malware out there now that patches vulnerabilities on systems to make sure other worms can’t exploit the same vulnerabilities. But the problem is, if both beneficial and malign software show the same basic behavior patterns, how do you differentiate between the two? And what’s to stop the worm from being mutated once it’s started, since bad guys will be able to capture the worms and possibly subverting their programs.
SQL Injection Tutorial Now Available! – Very cool. Good for Oracle in taking a step to help people secure their product and applications.
By taking this self-study tutorial, you can arm yourself with techniques and tools to strengthen your code and applications against these attacks. This tutorial employs text and diagrams to present concepts, design issues, coding standards, processes, and tools. Flash-based demos and simulations allow you to visualize what you have learned, and assessment quizzes help you gauge your learning progress.
Suggested Blog Reading – Sunday February 10th, 2008
I’m a little confused why more snow has fallen over the past 3 months than has fallen over the past 2 years. I’m getting sick of clearing it!
Here is the list:
Birth of IPv6 – Is your organization pushing towards IPv6? I didn’t think so 
Well tonight’s the night. For the first time, IPv6 domain resolution will be possible from a root server. Just a few addresses mind you, according to this article. You may ask “what took so long?”. The answer is that we did not really need it. IPv6 bakes in some security that was addressed by SSL in IPv4 so that driver did not help. The other issue, a rapidly depleting address space, was managed by NAT(Network Address Translation). But now depletion is really staring us in the face. It is getting hard to get address space. Soon you will see the first bidding wars for owners of large blocks of free IP addresses. Technically you are not allowed to sell IP addresses so don’t expect a market for them. But do expect high valuations for shells that control IP address blocks.
(IN)SECURE Magazine Issue 15 – Looks like Issue 15 is finally out.
Articles in this issue include: Proactive analysis of malware genes holds the key to network security, Advanced social engineering and human exploitation, part 1, Free visualization tools for security analysis and network monitoring, Hiding inside a rainbow, Internet terrorist: does such a thing really exist?, Weaknesses and protection of your wireless network, Fraud mitigation and biometrics following Sarbanes-Oxley, QualysGuard visual walkthrough, Application security matters: deploying enterprise software securely, Web application vulnerabilities and insecure software root causes: solving the software security problem from an information security perspective, A dozen demons profiting at your (jn)convenience, The insider threat: hype vs. reality, Interview with Andre Muscat, Director of Engineering at GFI Software, How B2B gateways affect corporate information security, Reputation attacks, a little known Internet threat, Italian bank’s XSS opportunity seized by fraudsters, The good, the bad and the ugly of protecting data in a retail environment, Interview with Mikko Hypponen is the Chief Research Officer for F-Secure, Interview with Richard Jacobs, Technical Director of Sophos and Interview with Raimund Genes, CTO Anti-Malware at Trend Micro.
A funny thing happened on the way to reviewing my logs – Interesting article from Andy Willingham on his journey implementing a SIEM solution.
At work we’re in the process of implementing a SIEM (Security Information Event Management) system. I’ll leave the vendor nameless for the moment but they have a reputation of making most everything harder than it needs to be. Until that time all logs have to be reviewed manually and obviously that means that they are not reviewed in real time. I have others that monitor most of the logs but I monitor our IPS logs from the UTM device. Usually I review them each morning when I come in but last week I didn’t get a change to so yesterday I was playing catchup.
Interesting tool – pdump.exe – I’ll have to give this a shot.
Toni at Teamfurry.com has a new tool that has some interesting functionality, it dumps process memory, but it also saves each allocated memory region to a separate file.
I’ve played with it a little bit and it seems like it has potential.
Rebecca Herold’s 2008 speaking dates – If you’re in the area I strongly suggest you drop by and check out one of Rebecca’s presentations.
January 18: The Importance of Verifying Third Party Security Programs
Learning event at the Grand Rapids, Michigan ISSA chapter meeting
Web Site: http://www.gr-issa.org/February 21: Anatomy of a Privacy Breach
Learning event at the University of California, Berkeley
Web Site: http://www.truststc.org/seminar.htmMarch 18: Anatomy of a Privacy Breach
Learning event at the Iowa ISACA chapter meetingApril 27: The 30 Second Security Pitch
Learning event at the CSI SX conference
Web Site: http://www.csisx.com/conference/view-by-day.phpApril 30 & May 1: Executive Summit: Security and Privacy Collaboration
2-day learning workshop at the CSI SX conference
Web Site: http://www.csisx.com/conference/workshops.phpJuly 23 & 24: Executive Summit: Security and Privacy Collaboration
2-day learning workshop hosted by the Charlotte, North Carolina ISACA chapter.
Getting over the hump with vulnerability counts – What is more important? The total number of vulnerabilities or the number of highly exploitable vulnerabilities?
Should our vulnerability counts be going up or going down? That is an important question every security professional should be considering when laying out a security program.
If you believe vulnerability counts should be increasing, then presumably you believe that we are only covering the tip of the iceberg with respect to the total number of vulnerabilities in production. In this case, you are taking a short-term view of what is happening in security – it is okay to be hoping the counts increase in the short term, but eventually you want them to decrease (right?).
Give yourself a little time with SQL Injection – Interesting article on blind SQL injection.
I was recently involved in web application assessment and discovered something that I wanted to pass along. Keep in mind that this has probably been utilized before, but it is something that I just noticed so … I wanted to throw it out for your amusement.
To set the stage, I had been looking at this application for quite some time and had an idea that SQL Injection might exist, but I was having much difficulty determining if the injection was actually present. The application was catching errors, displaying 404’s, (etc) and really not displaying any good data to make a decision. So …. the question was … if the application is catching our errors and really not giving us anything to work with … how could we ask the question to the database to indicate if we were actually getting our requests processed by the database server?
Answer? Time.
Security Metrics – How Often Should We Scan? – Personally, I think your frequency of scans should be dictated by the criticality of the systems, the type of systems, the data stored on the systems, and of course…your documented security policy.
I get this question from Nessus users and Tenable customers very often. They want to know if they are scanning too often, not often enough and they also want to know what other organizations are doing as well. In this blog entry, we will discuss the many different reasons why people perform scans and what factors can contribute to their scanning schedule.
German Police Creating LE Trojan – “Law Enforcement Trojan”? I’m not sure if this will fly.
German cops are pushing ahead with controversial plans, yet to be legally approved, to develop “remote forensic software” – in other words, a law enforcement Trojan. Leaked documents outline proposals by German firm Digitask to develop software to intercept Skype VoIP communications and SSL transmissions. A second leaked document from the Bavarian Ministry of Justice outlines costing and licensing proposals for the software. Both scanned documents (in German, natch) have found their way onto the net after being submitted to Wikileaks…
From the SANS Information Security Reading Room:
Spending for IT security gains ground in 09 budget – I can’t remember a time when security/IT/(random item) spending wasn’t “gaining ground”.
New details on federal IT spending plans, made available by the Office of Management and Budget today, show that $103 out of every $1,000 requested for IT spending next fiscal year — or about $7.3 billion in total — will be devoted to improving IT security. That is 9.8 percent more than what was slated for fiscal 2008, and 73 percent more than the $4.2 billion budgeted for cybersecurity in fiscal 2004.
DFRWS 2008 Announcement – I need to come up with a paper for this
The DFRWS 2008 CfP and Challenge have been posted!
The CfP invites contributions on a wide range of subjects, including:
- Incident response and live analysis
- File system and memory analysis
- Small scale and mobile devices
- Data hiding and recovery
- File extraction from data blocks (“file carving”)
And here’s a couple that should be interesting:
- Anti-forensics and anti-anti-forensics
- Non-traditional approaches to forensic analysis
Submission deadline is 17 Mar, with author notification about 6 wks later.
Python for Bash scripters: A well-kept secret – Good post for all of us who know Bash scripting but want to break into Python.
Python is easy to learn, and more powerful than Bash. I wasn’t supposed to tell you this–it’s supposed to be a secret. Anything more than a few lines of Bash could be done better in Python. Python is often just as portable as Bash too. Off the top of my head, I can’t think of any *NIX operating systems, that don’t include Python. Even IRIX has Python installed.
The Flow of MBR Rootkit Trojan Resumes – Why…won’t…this…die?
Back in final weeks of 2007 the GMER team discovered the emergence of a new rootkit that hooked into the Windows master boot record (MBR) in order to take control of a compromised computer. The people responsible for this threat kept busy cranking out newly compiled versions of this Trojan in the weeks following its discovery. However, near the beginning of January the output of new variants mysteriously halted. Taking a quick look at the following table of Trojan.Mebroot sample data it appears as though a massive QA plan was performed by the gang, starting back in November 2007.
A Practical Approach to Managing Information System Risk – Another paper to check out.
The mantra spinning around in the heads of most security managers affirms that managing security is about managing risk. Although they know this is the right approach, and they understand the importance of balance in designing and implementing security controls, many of them—including me—came up through the ranks of network engineering, programming, or some other technical discipline. While this prepared us for the technology side of our jobs, the skills necessary to assess and understand business risk arising from the use of information systems were not sufficiently developed.