Category: Suggested Blog Reading

Suggested Blog Reading – Tuesday December 25th, 2007

I hope everyone is enjoying their holidays. I decided to take some time off from my guests to post another SBR.

Here is the list:

How to Spy Using Van Eck Phreaking – Great video showing Van Eck Phreaking. If you’re unfamiliar with the concept it looks like something out of a James Bond movie. A description of Van Eck Phreaking can be found at the related Wikipedia entry:

Van Eck phreaking is the process of eavesdropping on the contents of a CRT display by detecting its electromagnetic emissions. It is named after Dutch computer researcher Wim van Eck, who in 1985 published the first paper on it, including proof of concept.

Four new papers from the SANS Information Security Reading Room:

A Christmas Packet Challenge – In case you need a break from your guests you can take some time away and rip through some packets.

There is no better Christmas gift, that I can think of to give, than one that involves packets. It’s been a while since I posted a packet challenge, but I couldn’t let Christmas go by without posting one. So for all you fellow packet heads out there, here is one for you to spend your holidays pondering. This challenge is different from last year, so let me tell you the rules for solving this one.

From description to exploit – Great explanation of the work flow used to discover and categorize an exploit.

Every once in a while I get an opportunity to work on a “known” vulnerability, but with very little or even no available technical details. These known vulnerabilities tend to be “known” just to their finder and to the vendor that fixed the vulnerability. We know they exist because an advisory is published, but not much more than that.
From the point where the vulnerability got fixed, no one (researcher or vendor) has any interest in disclosing the vulnerability details – as it is no longer interesting – leaving security researchers with insufficient information to confirm whether this vulnerability affects anyone else beside the specific vendor – and specific vendor version.

Perl Scripting Book – Harlan just released his latest book on Perl Scripting for IT Security. Check it out! 🙂

Perl Scripting for IT Security is not a follow-on or companion to my previous book, Windows Forensic Analysis. Rather, it goes more into showing what can be done, and how it can be done, in the world of Incident Response and Computer Forensics Analysis using an open-source solution such as Perl. The book, in part, shows that with a little bit of knowledge and skill, we are no longer limited to viewing only what our commercial forensic analysis tools show us.

Nikto 2 Released – Web Server Scanning Tool – Cool!

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Nikto is not designed as an overly stealthy tool. It will test a web server in the shortest timespan possible, and it’s fairly obvious in log files. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).

Here are a few security papers for you to check out:

VizSEC 2008 Call For Participation – Work with the visualization of security? Why not check out the CFP?

As a result of previous VizSEC workshops, we have seen both the application of existing visualization techniques to security problems and the development of novel security visualization approaches. However, VizSEC research has focused on helping human analysts to detect anomalies and patterns, particularly in computer network defense. Other communities, led by researchers from the RAID Symposia, have researched automated methods for detecting anomalies and malicious activity.

The theme for this year’s workshop, which will be held in conjunction with RAID 2008, will be on bridging the gap between visualization and automation, such as leveraging the power of visualization to create rules for intrusion detection and defense systems. We hope that VizSEC participants will stay for the RAID Symposium and RAID participants will consider coming a day early to participate in VizSEC.

Fierce 1.0 – I haven’t checked it out yet but I plan on it 😉

Okay, it’s about time. I am finally releasing Fierce 1.0 as a production ready DNS enumeration tool. What does that mean? It means it works. We have now gotten rid of all the kinks that made me think that it was crippled in a way that made me not want to rely on it. So what was fixed? Well, thanks to Jabra we have now patched fierce so that when it does a zone transfer it continues working, in the off chance that someone messes with the zone transfer to fool fierce into stopping before it sees the real output. Alas, it was a small but important issue to fix.

Enabling NetFlow on Virtual Switches – Use VMWare? What about an NBAD solution? Ever wanted to collect flow information from your virtual switches? Well now you can.

NetFlow is a general networking tool with multiple uses, including network monitoring and profiling, billing, intrusion detection and prevention, networking forensics, and SOX compliance. NetFlow sends aggregated networking flow data to a third‐party collector (an appliance or server). The collector and analyzer report on various information such as the current top flows consuming the most bandwidth in a particular virtual switch, which IP addresses are behaving irregularly, and the number of bytes a particular virtual machine has sent and received in the past 24 hours.

Suggested Blog Reading – Friday December 14th, 2007

I really apologize to my readers for not updating my blog in a while but I’ve been trying to focus all of my time and effort on my book. I’ll do my best to try and keep-on-postin’ 😉

Here is the list:

Regulatory Compliance Q&A – This is very interesting. I plan on checking this out since regulatory compliance has such a large impact on my day to day work.

We just opened a new topic area in our online forum. Dr. Heather Mark, who did her PhD work in Public Administration and Public Policy, will be leading the Regulatory Compliance track.

Cyber-crime–More Lucrative Than Drugs?? – I believe it. With drug trafficking, based on what I see in movies and read in the media, there are too many middlemen to make it truly profitable unless you are at the top of the food chain. With cyber-crime there tends to be very few people between the attacker and the target and, I would imagine, even less outsourcing of work. Plus, cyber-crime, when compared to drug trafficking, is a relatively new concept in the world of crime. That being said, there are far fewer people dedicated to the apprehension of the cyber-criminal than there are for drug traffickers.

Recently, the assistant secretary for Cyber-security at the Dept. of Homeland Security made some startling comments about the dangers of online crime. “We’re all at risk of attack,” he announced, and added that Cyber-crime is threatening our infrastructures. He also said it exceeds the drug trade.

Scanning those other wireless technologies beyond 802.11abg – Great post by Michael Dickey with some very good information about some powerful tools.

Josh Wright earlier this year posted a couple of wireless security papers which are quite valuable. First he talks about wireless framing; basically a blitz through how wireless 802.11 works. There is also a paper about 5 wireless threats we may not know about. In the list, Wright mentions 802.11n (Greenfield mode) and Bluetooth rogue APs. I think scanning for rogue APs using kismet is becoming fairly common in concerned organizations (or by concerned geeks anyway). But how does one begin to scan to find these other wireless technologies?

Windows Remote Desktop Heroes and Villains from the SANS Information Security Reading Room.

Announcing – Microsoft Bloggers Network! – Excellent idea from Mitchell Ashley to bring Microsoft bloggers together under one banner.

I’ve started reading many more blogs related to Microsoft since joining Network World where I now blog about topics related to Microsoft and the broader industry. So, it naturally made sense to create a network for blogs covering Microsoft topics.

Botnets linked to political hacking in Russia – Yep…well…I’m not surprised 🙂

Botnets orchestrated by Russian hackers are reckoned to have been used to fire up the Estonian attacks. Involvement of elements from the Russian government is suspected by some, though there’s nothing by way of evidence that the Kremlin had a hand in the assaults.

Nazario, a senior security researcher at Arbor Networks, has documented how botnets have featured in more recent politically motivated DDoS events. Attacks on the Ukrainian pro-Russian site of the Party of Regions, a party led by the Ukrainian Prime Minister Viktor Yanukovych, over the last three months were traced by Nazario back to networks of compromised machines.

BackTrack 3 Beta out! – I’ve been waiting for this for quite some time. I can’t wait for the final revision.

Max Martin and I are ecstatically happy to announce that Backtrack 3 Beta is available for download.

We are all suffering from lack of sleep – we will make a public announcement about this tomorrow.

nmap-4.50.tgz is out – Time to update your nmap version 🙂

This is the first stable release since 4.20 (more than a year ago), and the first major release since 4.00 almost two years ago. Dozens of development releases led up to this. Major new features since 4.00 include the Zenmap cross-platform GUI, 2nd Generation OS Detection, the Nmap Scripting Engine, a rewritten host discovery system, performance optimization, advanced traceroute functionality, TCP and IP options support, and nearly 1,500 new version detection signatures. More than 300 other improvements were made as well.

Breaking News: Successful SCADA Attack Confirmed – Mogull Is pwned! – Great story! This is what happens when security geeks get bored. Note to self – Don’t “Hassle The Hoff (C)”

Rich and I are always IM’ing and emailing one another, so a few days ago before Rich left town for an international junket, I sent him a little email asking him to review something I was working on. The email contained a link to my “trusted” website.

The page I sent him to was actually trojaned with the 0day POC code for the QT RTSP vulnerability from a couple of weeks ago. I guess Rich’s Leopard ipfw rules need to be modified because right after he opened it, the trojan executed and then phoned home (to me) and I was able to open a remote shell on TCP/554 right to his Mac which incidentally controls his home automation system. I totally pwn his house.

How to Do Database Logging/Monitoring “Right”? – Great post Anton. With compliance requirements on everyone’s minds these days, database security has jumped to the forefront as a primary security concern.

So, people sometimes ask me about how to do database logging/auditing/monitoring and log analysis right. The key choice many seem to struggle with for database auditing and monitoring is reviewing database logs vs sniffing SQL traffic off the wire. Before proceeding, please look for more background on database log management, auditing and monitoring in my database log management papers (longer, more detailed – shorter)

NIST working on new method for finding software bugs – It’s worth a shot since reviewing code and following common sense programming practices doesn’t appear to be cutting it.

Researchers at the National Institute of Standards and Technology and the University of Texas at Arlington hope to release for beta testing next month a tool to help spot possible problems in complex software.

FireEye will generate tables of tests to look for adverse reactions that can cause applications to crash. Because crashes can be caused by unexpected interactions between large numbers of configurations, testing possible configurations can be prohibitively costly and time consuming. The project has reduced the number of parameters that need to be tested to a manageable level, and FireEye will calculate which possible combinations need to be tested for an application.

Suggested Blog Reading – Wednesday November 7th, 2007

Ah, vacation… I’ve taken a week off to recharge my batteries and hopefully catch up on some reading, blogging, updating my other website, and whatnot.

Here is the list: 

First Line of Defense for Web Applications – Part 2 – Part 2 in the series.

Hello everyone, as promised I am back with the next post in the input validation series for web applications. Knowledge is power, right? :) So knowing what all things to validate when you start your web project can save you a lot of headache down the road. So here are some of the most important aspects of input validation every developer should be aware of.

Making Progress in the Battle against Rootkits – Not quite winning the battle…but making progress at least.

The results of that test, conducted by Thompson CyberSecurity Labs, indicate that McAfee was able to detect 16 of the 17 rootkits tested (a 94 percent success rate), and was able to remove 15 of the 17 rootkits (88 percent). Symantec detected 15 and removed 15 of the 17 (88 percent in both cases). We’re even more pleased to note top-notch detection AND removal of the sample set of rootkits used in the test. And this is in our existing, shipping AV product deployed across more than 100 million machines worldwide.

SANS’s Fun Security Book List – Is your favorite book (or maybe YOUR book) on the list? 🙂

“The Best Security Books to have in your library” by SANS GIAC Advisory Board. “Security Warrior” is, of course, proudly featured among other good books, such as “Tao of NSM”, “Security Metrics”, “Hacker’s Challenge” and many others. Check it out!

Poll Results: Which Logs Do You Collect? – I also expected firewalls to be number one on the list. I wonder if compliance regulations were the drivers behind Linux/Unix servers being ranked so high? I figure that’s why the database came in at 5th spot.

First, which of my expectations were NOT met? Well, I did expect that firewalls will be #1, not Linux/Unix servers. Admittedly, the difference is not so big, but I am impressed: Unix syslog still rocks the logging world :-)

Second, the top source of collected logs is also the hardest to analyze due to its lack of structure. Nowadays I treat syslog from Unix/Linux as “broken English” and not as “data.” It is a dog to parse (that is why we try to find something novel).

Third, I was amazed that database logs were THAT high on the list. Wow! All the evangelizing seems to have worked out :-)

Fourth, Windows server log collection is still in the dumps – but we need it! Go grab LASSO and dump those event logs into syslog without pesky agents. Easy!

Fifth, other Unix logs – what are those? We might never know what the respondents meant: still, I think that these are binary audit logs and other fine-grained audit logging. Indeed, many people are starting to look at BSM audits and other “ugly ducklings” of logging.

Sixth, web server logs are gold – everybody knows it. The poll confirms this as well: they are #2. Some fun analysis tips from me are coming soon.

Pimp my PE presentations now available – I haven’t had a chance to review but it certainly sounds interesting from the abstract.

A foundational requirement in the security world is the capability to robustly parse and analyze Windows Portable Executable files. Coping with the full spectrum of PEs found in the wild is, in fact, quite challenging. While white files are typically well structured, malicious files can be quite difficult to analyze, often due to deliberate malformations intended to stymie static analysis. In this paper we will survey and attempt to classify some common and interesting malformations we have studied in our work at Sunbelt Software. We will analyze PE structural information, discuss the PE specification, and highlight specific hurdles we have overcome in the course of developing a parsing facility capable of dealing reliably with the full range of images found in the wild, especially malware. We will also cover specific problems we faced along the way, examine structural heuristics we’ve developed in the course of classifying common malformations, and include a discussion of some interesting tools and techniques we’ve developed.

Exploring Protocols 2: Writing some tools – Delayed…but worth it 🙂

In this much delayed installment I’d like to expand on my last one entitled “Exploring Protocols 1”. This is going to be a long one, folks. I guess the big delay in getting this out resulted in a backlog of all the things I wanted to cover. The discussion veers into tools and samples some simple code for dissecting unfamiliar PDUs. There’s more to the “protocol tool” category than just dissecting, of course. But it’s usually the first step and this post will try to focus mostly on it.

Screencast: Snort — Tactics for basic network analysis – Refresher on Snort anyone?

Snort is a robust tool that can be used in a number of ways to assess the security posture of a network, but it takes time to learn and it can be tricky to obtain all the data that Snort can provide. In this step-by-step demonstration, SearchSecurity.com contributor Tom Bowers offers a brief introduction and history of Snort, and explains what it can do for information security pros and how to use it for the first time.

AIX: 2007’s Security Manatee – It’s not often you hear about AIX outside of organizations who installed it years (and I do mean years) ago. Personally, if you’re going to continue to support an operating system you should try and keep it as secure as your competition, lest your customers jump ship.

In the past, I have acknowledged QNX and IRIX as security manatees for their complete lack of effort around local security. iDefense released seven, count them, seven local privilege escalation vulnerabilities in AIX today. Four of them are actually stack overflows. Yes, you heard me, stack overflows. One of them is actually in ftp. Another one is in dig. Yes, dig is setuid root on AIX.

Visa Payment Application Mandates and Deadlines – Need to comply with PCI? Make sure you note these dates on your calendar.

  • Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (“VNPs”) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications. Effective date: 1/1/08
  • VNPs (VisaNet Processors) and agents must only certify new payment applications to their platforms that are PABP-compliant. Effective date: 7/1/08
  • Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PABP-compliant applications. Effective date: 10/1/08
  • VNPs and agents must decertify all vulnerable payment applications. Effective date: 10/1/09
  • Acquirers must ensure their merchants, VNPs and agents use only PABP-compliant applications. Effective date: 7/1/10

Understanding the Common Vulnerability Scoring System (CVSS): Part 1 – Ever wonder what the CVSS acronym being thrown around means? Is it THE answer…probably not. Is it AN answer…probably more accurate 🙂

The Common Vulnerability Scoring System (CVSS), initially announced in February 2005 on the U.S. Department of Homeland Security’s web site, is designed to “provide open and universally standard severity ratings of software vulnerabilities”. Oracle was one of the first software vendors to adopt CVSS to provide a standard-based indication of the severity of the vulnerabilities fixed in its products. Oracle has provided CVSS Base Scores in the risk matrices of the CPU documentation since the October 2006 Critical Patch Update (CPUOct2006). In June 2007, FIRST (Forum of Incident Response and Security Teams) published the second version of the standards: CVSS 2.0, which was implemented by Oracle with the October 2007 Critical Patch Update (CPUOct2007). Note that in this discussion, we will address the new CVSS 2.0 Scoring System if not otherwise noted.

EH-Net Exclusive: BackTrack 3 Teaser Video – Ummm….WOW!!!!

Most of you by now have heard of BackTrack (http://www.remote-exploit.org/backtrack_download.html), the highly popular and regarded Linux Security Distro for ethical hackers. Straight from the project’s developers comes this teaser video. With several examples of what the new version can do and a running time of 6:16, we hope to have you on the edge of your seat in anticipation. Especially nice are the demos of the new features highlighting Offensive Security’s Wireless Security Course, Aircrack-ng (http://aircrack-ng.org/doku.php). This is the second offering of an eventual triumvirate of classes to be offered by OffSec.

Daemonlogger 1.0 released – Hey, cool. I may have to give this a shot this weekend. I really like the idea of being able to create a “tap-on-demand” without paying the big bucks for a hardware tap.

Daemonlogger 1.0 is available on my user page on snort.org. It’s got a couple new features but nothing major, if you’re a Daemonlogger fan it’s definitely worth a download!

Stack Based Overflows: Detect & Exploit from the SANS Information Security Reading Room.

My goal: play on a bigger stage – Turns out Mr. Ashley is striking out on his own. Good luck to you Mitchell!

So putting this nudge into action, to play on a bigger stage, I am joining the Network World blog. I’ll have some posts up beginning in the next few days or so. I’m VERY excited about this. It fulfills some of my key goals and it’s definitely playing on a bigger stage. I’ll still be blogging here, on The Converging Network, and podcasting along with Alan, but my posts on each blog will be different, not duplicates. When I have the URL for the Network World blog, I’ll post it up.

Database tripwires… – Interesting idea. Anyone have any comments either way on this approach?

I was thinking about the problem of creating a cheap tripwire for database servers that doesn’t require a third-party agent and will alert us when someone’s snooping around places in our databases where they shouldn’t be snooping. We could set up a honeypot table or view with an appropriately attractive name like USERNAMES_AND_PASSWORDS. Because this is a fake table no-one should ever really be looking at it, and we can get the database to alert us when anyone touches it: there’s a snooper online.

This could be achieved with a trigger in the case of an UPDATE, INSERT or DELETE of course, but not so with a SELECT query. This limitation is easy to fix in Oracle with the use of fine grained access control by setting a policy on the table in question using DBMS_FGA. But what about other database servers that don’t have an equivalent? Well, we can still achieve the same results with a simple view.
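The honeypot-table tripwire described in the post above, as an added example that is not the post author’s code. SQLite (through Python’s sqlite3 module) stands in for the database server; the base table honeypot_base, the user-defined function tripwire_touch, the DatabaseTripwire class and the decoy row are all assumptions made for this example, and only the decoy name USERNAMES_AND_PASSWORDS comes from the post. Writes are caught with INSTEAD OF triggers, and the “simple view” trick for catching SELECTs is realised by wrapping every column of the view in a non-deterministic function that records the touch: any read of any column fires it, which is the part a plain trigger cannot do.

```python
import sqlite3
from collections import Counter
from datetime import datetime, timezone

# Decoy name taken from the post; every other identifier here is an assumption
# made for this example.
DECOY_VIEW = "USERNAMES_AND_PASSWORDS"


class DatabaseTripwire:
    """Honeypot table that records an alert whenever it is read or written."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        self.alerts = []  # one entry per touch: {"event": ..., "at": ...}
        # Registered as non-deterministic (the default), so SQLite must call it
        # each time the expression is evaluated instead of caching the result.
        conn.create_function("tripwire_touch", 2, self._touch)
        self._install()

    def _touch(self, event, value):
        """UDF body: record the touch, then hand the decoy value back unchanged."""
        self.alerts.append({"event": event,
                            "at": datetime.now(timezone.utc).isoformat()})
        return value

    def _install(self) -> None:
        self.conn.executescript(f"""
            -- Real storage for the decoy row; nothing legitimate ever reads it.
            CREATE TABLE honeypot_base (username TEXT, password TEXT);
            INSERT INTO honeypot_base VALUES ('admin', 'decoy-not-a-real-secret');

            -- The attractive name is a view. Each column passes through the UDF,
            -- so a SELECT (which ordinary triggers cannot catch) fires the alert.
            CREATE VIEW {DECOY_VIEW} AS
                SELECT tripwire_touch('SELECT', username) AS username,
                       tripwire_touch('SELECT', password) AS password
                FROM honeypot_base;

            -- Writes are caught with INSTEAD OF triggers and are never applied.
            CREATE TRIGGER tw_insert INSTEAD OF INSERT ON {DECOY_VIEW}
                BEGIN SELECT tripwire_touch('INSERT', NULL); END;
            CREATE TRIGGER tw_update INSTEAD OF UPDATE ON {DECOY_VIEW}
                BEGIN SELECT tripwire_touch('UPDATE', NULL); END;
            CREATE TRIGGER tw_delete INSTEAD OF DELETE ON {DECOY_VIEW}
                BEGIN SELECT tripwire_touch('DELETE', NULL); END;
        """)

    def tripped(self) -> bool:
        return bool(self.alerts)

    def counts(self) -> dict:
        """How many times each kind of statement touched the decoy."""
        return dict(Counter(a["event"] for a in self.alerts))


def run_demo() -> dict:
    """Constructed scenario: normal work, then a snooper reads and tampers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO customers VALUES (1, 'alice')")
    tripwire = DatabaseTripwire(conn)

    # Legitimate queries against real tables leave the wire untouched.
    conn.execute("SELECT name FROM customers").fetchall()
    quiet_before = not tripwire.tripped()

    # A snooper finds the decoy, reads it, then tries to change it.
    conn.execute(f"SELECT username, password FROM {DECOY_VIEW}").fetchall()
    conn.execute(f"INSERT INTO {DECOY_VIEW} VALUES ('eve', 'hunter2')")
    conn.execute(f"UPDATE {DECOY_VIEW} SET password = 'changed'")
    conn.execute(f"DELETE FROM {DECOY_VIEW}")
    conn.commit()

    return {"quiet_before": quiet_before, "events": tripwire.counts()}


if __name__ == "__main__":
    print(run_demo())
```

In a real deployment the function body would write to an audit table or syslog rather than an in-memory list, and the decoy must never be referenced by any legitimate job, report or backup verification script, otherwise every alert it raises is noise rather than a sign of a snooper.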

And finally, here are a bunch of eye bleeders:
