
Suggested Blog Reading – Sunday January 9th, 2007

Running a little late on the book but trying to push through to get it done. Might not be many updates to the blog this coming week.

Here is the list:

New resource for Reverse Engineering – Something to check out.

dELTA wrote to tell us about the release of “The Collaborative RCE Tool Library” which he explains as:
“In very few words, the design goal of this project is to leverage the advantages of the wiki architecture, where everybody can contribute, while at the same time ditching all the disadvantages of the wiki architecture, add just enough moderation, and finally bring the world one step closer to the nirvana of the semantic web.”

http://www.woodmann.com/collaborative/tools

The site is very cool and worth checking out. We’re also looking forward to the library of infosec tools that he says is going to be his project for 2008.

Ethical Conflict in the Webappsec Domain – Would you consider this a case of “the best defense is a good offense” or just a bad idea?

yes, folks… robert hansen (aka rsnake), the founder and ceo of sectheory, felt it would be a good idea to hold a contest to see who could create the smallest xss worm… ok, so there’s no money changing hands this time, but that doesn’t mean the winner isn’t getting rewarded – there are absolutely rewards to be had for the winner of a contest like this and that’s a big problem because lots of people want rewards and this kind of contest will make people think about and create xss worms when they wouldn’t have before…

dumpcrack1.2.py.txt – New version of the dumpcrack utility has been released.

dumpcrack is a utility that takes in a list of MD5 checksums from a database dump and attempts to crack them using a wordlist or milw0rm’s database.

Your InfoSec Dream Job? – I think I may have to participate in this little experiment 🙂

Assuming you were going to stay in the “Information Security” industry, what would you do if you could pack up your office tomorrow and move into shiny new digs in your dream job? What would that be? With whom? Doing what?

New articles from the SANS Information Security Reading Room:

Privacy: Comedian Tom Green Reveals Internals of House through Published Camera Test – I still remember the time I had the opportunity to push him down the stairs while drinking in a bar in Ottawa. One of my biggest regrets was not going through with it 😉

Here’s where we get to the fine line of privacy and what is considered private. Many people consider the inside of their home to be a private space. In fact in the US we often question the extent to which the law can or cannot dictate the actions we do in our homes. So is intentionally publishing this video a leakage of data? My vote is ‘Yes’ because the intent of the video was to demonstrate the wireless capabilities, not an internal view of his house. I admit that both sides may be argued convincingly.

chkrootkit-0.48.tar.gz – New version of chkrootkit released.

This version includes new tests: common SSH brute force scanners, suspicious PHP files; enhanced tests: login, netstat, top, backdoor; and some minor bug fixes.

The Case of the Missing AutoPlay – This was a cool and very informative post. I suggest you take a read through.

I’ve been presenting talks on Windows Vista kernel changes since TechEd US in the summer of 2006 and one of the features I cover in the session is ReadyBoost, a write-through disk caching technology that can potentially improve system performance by leveraging flash media as a disk cache. I explain ReadyBoost in depth in my TechNet Magazine article, “Inside the Windows Vista Kernel: Part 2”, but the basic idea is that, since flash has significantly better random access latency than disk, ReadyBoost intercepts disk accesses and directs random-access reads to its cache when the cache holds the data, but sends sequential accesses directly to the disk. During my presentation, I insert a USB key, whereupon Windows displays an AutoPlay dialog that includes an option to configure the device for ReadyBoost caching…

Top 10 security headlines of 2007 – Good reference in case you need to put a presentation together on past threats.

IT professionals worried about new attack techniques in 2007 as well as potential data breaches and the growing likelihood that their most valuable security tools would pass from the management of one vendor to another. Here is an unscientific look at what we considered the biggest stories of 2007…

Unrealistic Uber-Hackers now portrayed as murderers – I’ll probably go see the movie but the technology behind it couldn’t be as bad as the movie Hackers. On a side note I do believe that Hollywood is starting to hire better consultants to inject some “reality” into the technology that they’re trying to convey in their movies. The real question is…how does one get a gig like that? 🙂

The movie Untraceable is hinged upon a computer savvy hacker who murders people online using technology. Watch the trailer below for multiple “hacker” and cyber-crime references. It’s my belief that the evil computer hacker character is a trend we will see continue to multiply in frequency within Hollywood films, however unrealistic.

openstego-0.3.0.zip – A new version of openstego has been released.

OpenStego v0.3.0 includes support for password-based encryption of the data. GUI also includes the corresponding changes. OpenStego is now more or less complete. Main thing remaining is addition of support for other file formats like JPG, BMP.

now….back to the book 🙂

Suggested Blog Reading – Wednesday January 2nd, 2007

Alright Mother Nature. You and I have an issue that we need to work out. I’m not sure what I did to you but I don’t think dumping 60cm (~24in) of snow on my house is an appropriate response.

Here is the list:
iptables-1.4.0 – I can’t remember the last time that I saw an update to iptables.

The netfilter core team has released iptables-1.4.0. This is the first final release of the new iptables branch 1.4. This release contains lots of bugfixes and improvements for the previous release candidate which strongly improves IPv6 support. Please, upgrade!

wsScanner – Web Services Footprinting, Discovery, Enumeration, Scanning and Fuzzing tool – Another tool for you to try out.

wsScanner is a toolkit for Web Services scanning and vulnerability detection.

Tools to help protect your internet anonymity – Some good tools to help with your pen tests.

Ever need a disposable phone number or temporary login credentials to stop receiving spam?

Here is a link to a number of websites that have potentially useful privacy tools.

The Visibility of Information Risk Management – I don’t anticipate this changing any time soon. Breaches don’t have the “sexy” factor that a political assassination or the US dollar falling would have. Sad times we live in.

I picked up today’s WSJ and got a cold, hard dose of reality. In it, is an article called “Data Security Breaches Reach a Record in 2007”. It’s a fairly retrospective article that discusses the four to eight-fold increase in compromised records for EOY 2007 vs. EOY 2006 (the discrepancy in increase estimates is due to Attrition.org using deposition information from Visa & Mastercard in the TJX case, vs. the “only” 46 million number used by TJX).

What is most disturbing to me is not the increase from 2006. It’s not that the AP article is inaccurate, or that I see how others report on our industry from afar and I find it lacking. What is disturbing is that it’s buried at the back of section B – right next to the page and a half or so of legal notices.

World’s Top Surveillance Societies — Updated with link – Interesting read. Apparently Big Brother is watching quite a few people 🙂

Privacy International, a UK privacy group, and the U.S.-based Electronic Privacy Information Center have put together a world map of surveillance societies, rating various nations for their civil liberties records.

Both the U.S. and the UK are colored black for “endemic surveillance,” as are Thailand, Taiwan, Singapore, Russia, China and Malaysia.

sshutout-1.0.5.tar.gz – Nifty.

sshutout is a daemon that periodically monitors log files, looking for multiple failed login attempts via the Secure Shell daemon. The daemon is meant to mitigate what are commonly known as “dictionary attacks,” i.e. scripted brute force attacks that use lists of user IDs and passwords to effect unauthorized intrusions. The sshutout daemon blunts such attacks by creating firewall rules to block individual offenders from accessing the system. These rules are created when an attack signature is detected, and after a configurable expiry interval has elapsed, the rules are deleted.
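As an added illustration of the detect-block-expire loop the description above outlines (example code written for this post, not sshutout’s own), the Python below counts failed sshd password attempts per source address over a few constructed log lines, emits a firewall block rule for any address past a threshold, and works out which rules have passed their expiry interval. The threshold, the iptables rule form and the sample log lines are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Jan  2 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Jan  2 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.7 port 50123 ssh2
Jan  2 10:00:05 host sshd[1003]: Failed password for invalid user test from 203.0.113.7 port 50124 ssh2
Jan  2 10:00:09 host sshd[1004]: Accepted publickey for alice from 198.51.100.5 port 40001 ssh2
Jan  2 10:00:11 host sshd[1005]: Failed password for bob from 198.51.100.5 port 40002 ssh2
"""

# Matches the standard OpenSSH failure line, with or without "invalid user".
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")


def failed_attempts(log_text):
    """Count failed sshd password attempts per source IP (the attack signature)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return dict(counts)


def offenders(counts, threshold=3):
    """IPs whose failure count reaches the threshold (threshold is an assumed value)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def block_rules(ips, now, expiry_seconds=3600):
    """Build one DROP rule per offender, paired with the time at which it should be removed."""
    return [("iptables -I INPUT -s %s -p tcp --dport 22 -j DROP" % ip, now + expiry_seconds)
            for ip in ips]


def expired(rules, now):
    """Rules whose expiry has elapsed, rewritten as the matching delete command."""
    return [rule.replace("-I INPUT", "-D INPUT") for rule, expires_at in rules if now >= expires_at]


if __name__ == "__main__":
    counts = failed_attempts(SAMPLE_LOG)
    rules = block_rules(offenders(counts), now=0, expiry_seconds=600)
    for rule, _ in rules:
        print(rule)
    for rule in expired(rules, now=600):
        print(rule)
```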

WebGoat 5.0 on Ubuntu – Take a read in case you’ve run into this problem.

Some days I love Ubuntu, some I friggin hate it. Today I hate it.

WebGoat comes with a nifty little .sh script to check to make sure you have sun java 1.5x installed.

Well, after installing Sun Java 1.5.x with Synaptic, finding the nifty directory it’s in (“/usr/lib/jvm/java-1.5.0-sun”) and pasting that into the script, it still took a dump, giving me

Please set JAVA_HOME to a Java 1.5 JDK install or JVM Is not 1.5 errors.

So I just deleted all that check code, put export JAVA_HOME=/usr/lib/jvm/java-1.5.0-sun/ at the top of the script and it now works…

Where to submit malware samples – If you’ve ever wondered where you submit malware that you find/discover/experience then check out these links.

Some of you might want to know where to submit virus/malware samples to security companies. This blog post might help.

First, each vendor has their own submission process. For example, Symantec has this page, McAfee has this page, Sunbelt has this page — and so on. However, email addresses are available — you can package your malware sample into a zip or RAR file, password protect it (common practice is to use the password “infected”) and send off the sample. A full list of submission addresses is here.

Now, if you’re feeling lazy (or just plain too busy), you can always submit a sample to Virustotal. All the vendors that are part of VirusTotal receive samples, so it’s an easy way to get a sample to a lot of companies. I’m not particularly sure if it’s the fastest way to get samples out there to the security companies, but the samples do ultimately get to all of us. (Clarification — VirusTotal gets us the samples immediately. But it’s up to the vendors to get these samples into their threat signatures. For some, this takes a bit of time.)

Best Book Bejtlich Read in 2007 – It’s a good thing that Richard is such an avid reader. It’s an even better thing that he doesn’t pull any punches when it comes to his reviews. Of course, I saw that knowing that he wants to review my book when it’s released….gulp!

Last year I posted my first year-end ranking of books I had read and reviewed in 2006, titled Favorite Books I Read and Reviewed in 2006. I decided to continue the tradition this year by posting my 2007 rankings, and awarding Best Book Bejtlich Read in 2007 (B3R07).

2007 was not my most productive year in terms of reading and reviewing books. I read 17 in 2000, 42 in 2001, 24 in 2002, 33 in 2003, 33 in 2004, 26 in 2005, and 52 in 2006. This year I read and reviewed 25 books, several during the last week.

Phone-Shield set to increase police prosecution rates – Sounds interesting.

A new mobile phone faraday bag called the ‘Phone-Shield’ has been launched by Tamworth-based Disklabs and is set to increase the ability of the police to successfully and cost-effectively prosecute in cases where mobile phone data comprises an essential element of evidence. The new Phone-Shield has been designed by Disklabs to ensure that data on a suspect’s mobile phone can be investigated without that data being compromised when the phone connects to its relevant network…

Navy offers scholarships for IT pros – I think this is a great idea.

To help meet its demand for IT security specialists, the Office of the Navy’s Chief Information Officer will offer scholarships to civilian Navy and military personnel for postgraduate studies in the field of information assurance.

The scholarships are available from the Defense Department’s Information Assurance Scholarship Program, and will pay for tuition, fees and books for master’s- and doctorate-level studies in biometrics, computer science, information systems, telecommunications, business management and administration, as well as other areas with a focus on information assurance, according to the Navy CIO’s office.

Suggested Blog Reading – Saturday December 29th, 2007

I finally broke down and purchased a copy of Microsoft Office 2004 for my Mac. “Why 2004?” you might ask? Well there’s a deal on now that if you purchase Office 2004 you’ll get a free upgrade to 2008 when it’s launched in mid-January. I can’t pass that up 🙂

Here is the list:
Diversification and Security – Very informative article which discusses, among other things, how the U.S. Army is shifting its IT infrastructure over to Macs and how this is not a bad thing.

Not to give the false impression that there is an Apple on every desk in the army. In fact, Wallington estimates around 20,000 of the Army’s 700,000 or so desktops and servers are Apple-made. He estimates that about a thousand Macs enter the Army’s ranks during each of its bi-annual hardware buying periods. The development of the software should help clear one barrier to Apple desktop deployment.

Jonathan Broskey, a former Apple employee who now heads the Army’s Apple program, argues that the Unix core at the center of the Mac OS makes it easier to lock down a Mac than a Windows platform. Whether you accept Broskey’s statement or not, it is certain that the Mac OS will face growing targeted attacks. An end-of-year data security wrapup by F-Secure highlights the growing number of attacks targeting Apple systems with malicious software. To quote from the report, “at the start of 2007 — our number of malware detections equaled a quarter-million. At the end of 2007, the estimates are to be equal to half-a-million.”

NIST releases final draft of FISMA guidance – Get it while it’s hot 🙂

The National Institute of Standards and Technology has released the final public draft of a framework that will assist agencies in creating the security assessments mandated by the Federal Information Security Management Act (FISMA).

Copies of Draft Special Publication 800-53A, “Guide for Assessing the Security Controls in Federal Information Systems,” can be downloaded from the NIST site. NIST expects to publish the final edition in March.

Follow-up on using unicornscan for a big scan (400,000+ public IPs) – I’m glad someone has been stress testing this tool. Also interesting is Tate’s comment on them switching to unicornscan as their primary tool for large job scanning.

We performed a sweep of 400,000+ public IPs across multiple continents by configuring the scans to do a full TCP port scan of each IP, sustained ~55 Mbits/s using between 3 and 5 systems, and completed it in a matter of days.

This is pretty good considering by sending two SYN probes per port it meant sending ~52.5 billion packets and producing some 3 Terabytes of data.

Nmap is often our preferred tool, and we used it to spot check our results with unicornscan, but from now on it will come down to the details of the gig to make the choice.

Black Hat USA 2007 Video and Audio Podcasts now live – I like the RSS feed format that they used to present these audio and video podcasts.

Black Hat USA 2007 was a great success, and the presentations were wider-ranging than ever. As part of our ongoing effort to spread useful security knowledge everywhere, we offer video of the entire Briefings roster free online. If by chance you didn’t make it to the event in Las Vegas, or if you attended and missed some talks you wanted to see, subscribe to the podcast feed linked here and get your fill. If what you see here piques your interest, consider attending our upcoming conferences – in DC in February, Amsterdam in March and returning to Vegas in August.

TEMPEST by Chris Gates – How about a paper on TEMPEST security? I find that you don’t see as many of these kinds of papers as you should. Perhaps TEMPEST security just isn’t as “sexy” as compliance, hacking, etc.?

TEMPEST is said to stand for ‘Telecommunications Electronics Material Protected From Emanating Spurious Transmissions’ but I also found ‘Transient Emanations Protected From Emanating Spurious Transmissions’, ‘Transient Electromagnetic Pulse Emanation Standard’, ‘Telecommunications Emission Security Standards’, and several similar variations on the theme, but there is no official meaning for TEMPEST; it is more the name of the phenomenon than an acronym.

How do these “intelligence-bearing emanations” occur? Basic electromagnetic theory tells us that electromagnetic fields occur as current flows through a conductor. A conductor can be anything metal (your power cord, your CAT5 cable, your phone cord, etc). How does your CAT5 cable pass data? In a simple explanation, current is pushed along the wire and the data goes with it; the more current pushed down the wire and the longer the wire the greater potential for these “emanations” because of growing electromagnetic fields.

“Big money! Big prizes! I love it!” – I agree with Tate on this one. The attackers are certainly the winners here.

Speaking of big money, the commercial exploit market’s growth isn’t making it any easier to bid on penetration test gigs. If you want to provide the highest assurance you’re capable of to clients, then of course you would like to have your hands on all the exploits out there, both public and private.

Establishing a Practical Routine for Reviewing Security Logs – The good thing about Anton being on vacation is that I beat him to commenting about others log management posts 😉

The term security information management (SIM) refers to the discipline of collecting and analyzing security events to detect or investigate malicious activities. Essential to this process are the individuals who review the gathered data and decide whether the events constitute an incident and should be escalated. Information security logs that are not regularly reviewed are hardly useful and can be a liability to an organization.

Sometimes reviewing security logs can be fun. Don’t get me wrong—sifting through mounds of data to identify the notable events is not always my favorite pastime. However, the pursuit of correlating seemingly unrelated events, determining the cause of an unusual alert or detecting an intrusion at its onset can be pretty rewarding.

The MAC Daddy – Great post from Harlan on how to find the MAC address on a system image.

I received a question in my inbox today regarding locating a system’s MAC address within an image of a system, and I thought I’d share the response I provided…

Deleted Apps – Another great post from Harlan. I’m convinced that neither of us really took vacation over the holidays 🙂

As Windows performs some modicum of tracking of user activities, you may find references to applications that were launched in the UserAssist keys in the user’s NTUSER.DAT file. Not only would you find references to launching the application or program itself, but I’ve seen where the user has clicked on the “Uninstall” shortcut that gets added to the Program menu of the Start Menu. I’ve also seen in the UserAssist keys where a user has launched an installation program, run the installed application, and then clicked on the Uninstall shortcut for the application.
