Make sure you catch my SANS “Ask the Expert” WebCast tomorrow! 🙂
Here is the list:
De-perimeterization is dead – Well said 🙂
Let me go on record now. The perimeter is alive and well. It has to be. It will always be. Not only is the idea that the perimeter is going away wrong, it is not even a desirable direction. The thesis is not even Utopian, it is dystopian. The Jericho Forum has attempted to formalize the arguments for de-perimeterization. It is strange to see a group formed to promulgate a theory. Not a standard, not a political action campaign, but a theory. Reminds me of the Flat Earth Society.
2007 Top Vulnerable Vendors? – Is your company on this list?
New IBM research shows that five vendors are responsible for 12.6 percent of all disclosed vulnerabilities.
Not surprising: In the first half of 2007, Microsoft was the top vendor when it came to publicly disclosed vulnerabilities. Likely surprising to some: Apple got second place.
IBM Internet Security Systems’ X-Force R&D team released its 2007 report on cyber attacks on Sept. 17, revealing that the top five vulnerable vendors accounted for 12.6 percent of all disclosed vulnerabilities in the first half of the year, or 411 of 3,272 vulnerabilities disclosed.
Mobile Phone Forensic Course Available From Guidance Software – Wow, this would be a great course to take. I’ve always been curious about the world of cell forensics.
This mobile phone forensic course is intended for law enforcement officers, computer forensic examiners, corporate and private investigators, and network security personnel. Participants may have minimal computer skills and may be new to the field of mobile phone forensics. Ideally, students should own or have access to EnCase® Forensic Edition and the Neutrino mobile phone acquisition device.
The Next Phase in Patching – I like the idea of the “central update console” but will Microsoft pay for the creation and maintenance of such a service out of the goodness of their hearts? I have my doubts.
Here is my solution: Microsoft needs to come up with a Central Update Console that software and driver developers can hook to configure automatic updates. They already provide this type of feature through the “Add/Remove Programs” console. Good developers utilize this to help users and administrators manage the software that is installed on their systems. How hard would it be to come up with a solution that other developers could hook to help with centralizing the management of updates and provide a significant positive impact on the overall security of every computer on the Interweb? Although the design, development, testing, implementation, and maintenance of this project would be challenging, I am willing to bet that this would be a small project in the grand scheme of Microsoft OS development. They don’t need to take every software vendor into consideration, they just need to come up with one method all of them could use. Once a system is developed software developers can start modifying their products to hook the console. They wouldn’t need to take out their current auto-update mechanism, rather, they could leave it in place. This is how the “Add/Remove Programs” console works. Software developers have not removed the mechanism to uninstall from their software, rather, they have placed hooks in the “Add/Remove Programs” console that calls their uninstall and repair mechanism. Users and admins who prefer a particular method are all satisfied.
NSA to Become America’s Firewall – Is this a good thing or a bad thing? What are your thoughts?
The National Security Agency is preparing to take over the job of monitoring the Internet and other domestic communication networks, a massive expansion of the agency’s defense duties into networks used routinely by American citizens, according to a story by Siobhan Gorman of the Baltimore Sun.
LORCON (Loss Of Radio CONnectivity) 802.11 Packet Library – Hmm… low-cost way to disrupt wireless communication?
The LORCON packet injection library provides a high level interface to transmit IEEE 802.11 packets onto a wireless medium. Written for Linux systems, this architecture simplifies the development of 802.11 packet injection through an abstraction layer, making the development of auditing and assessment tools driver-independent.
Using LORCON, developers can write tools that inject packets onto the wireless network without writing driver-specific code, simply by asking the user to identify the driver name they are currently using for a specified interface.
Tactical Network Security Monitoring Platform – Looks like a cool rig. I wonder what the pricing is like?
I am working on both strategic and tactical network security monitoring projects. On the tactical side I have been looking for a platform that I could carry on a plane and fit in the overhead compartment, or at the very least under the seat in front of me. Earlier in my career I’ve used Shuttle and Hacom boxes, but I’m always looking for something better.
Five routers on your laptop – I’ve never heard of this before. I’m certainly going to try it out.
In case you haven’t heard about Dynamips/Dynagen yet: Dynamips emulates a variety of IOS platforms (from 2600 to 7200) on Intel platform and Dynagen provides friendlier user interface (more than friendly enough for me, probably too cryptic for GUI addicts). I’ve seen Dynamips a year or two ago, checked what it can do and decided to stay with the real routers in a remote lab environment. In the meantime, the software has improved drastically, allowing you to test all sorts of IOS features and topologies, as long as you don’t expect QoS to work or real-time features to act in real-time (simulation is, after all, a bit slower than the real life).
A Military Grade Encrypting Self-Destructing USB Drive Makes A Great Gift! – Good stocking stuffer 🙂
“IronKey Inc. this week introduced a secure USB thumb drive designed for sensitive government, military and enterprise users. The vendor’s IronKey: Enterprise Special Edition drive is available in 1 GB, 2 GB and 4 GB configurations and features built-in hardware encryption for security of stored data.
Accessing data on the drive requires a password that is verified by hardware, and it features a self-destruct sequence that protects data if an unauthorized user tries to unlock or tamper with the device, according to IronKey, of Los Altos, Calif.
The Enterprise Special Edition drive also performs dynamic drive mapping to work in environments with network-mapped drives and it forgoes features, including Firefox, Secure Sessions, Secure Updates and the IronKey Password Manager, found on other IronKey drives that could compromise security or violate security requirements for secure installations.
For military use, the device has been tested for and passed the MIL-STD-810F military waterproof standards. It was also designed to resist being tampered with or disassembled by hackers, the vendor said.”
Less than a week until my SANS “Ask the Expert” WebCast and a week and a few days until my lunch & learn in Vegas!
Here is the list:
The Web Application Hacker’s Handbook – Hmm… interesting.
Well it’s getting closer! My friend, PortSwigger (also known as Dafydd Stuttard – author of Burp Suite) is getting ever closer to completion of his new book The Web Application Hacker’s Handbook. He’s co-authoring it with Marcus Pinto. I’ve known about the book for a while now, and am really looking forward to reading it.
Experimental Storm Worm DNS Blocklist – I look forward to seeing if this effort is kept up. I’m also curious about the resulting statistics and whether they will share the results.
Threatstop is currently experimenting with a DNS based blocklist scheme to dynamically block storm worm infected hosts. It’s a test list they offer for free to get some feedback on how well it works for people. The basic idea of their blocklist scheme is not like traditional DNS blocklists, which require a DNS lookup for each new IP address seen. Instead, you add a hostname to your blocklist, which will then resolve to multiple A records, each of which is an IP address to be blocked. It appears that most firewalls will refresh the list whenever the TTL for the record expires. Currently, the following hostnames can be used: basic.threatstop.com, basic1.threatstop.com, basic2.threatstop.com, basic3.threatstop.com, basic4.threatstop.com. Each one resolves to a set of storm infected IPs. This is just a temporary service to test this distribution method with a larger set of users. For more details, see the threatstop.com website.
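To make the distribution mechanism above concrete, here is an added example (not code from Threatstop or from the original post) that parses a DNS response, pulls every A record and its TTL out of the answer section, renders one firewall DROP rule per address, and reports the shortest TTL as the point at which the list must be re-resolved. The standard-library resolver discards TTLs, so the block builds a constructed response packet for basic.threatstop.com with RFC 5737 test addresses instead of doing a live lookup; the THREATSTOP chain name is an assumption, and the addresses are not real storm-infected hosts.

```python
import struct
import ipaddress
from typing import List, Tuple


def _read_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Decode a DNS name at `off`, following compression pointers.
    Returns (name, offset just past the name as it appears in the packet)."""
    labels, end, jumped = [], off, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length


def parse_a_records(pkt: bytes) -> List[Tuple[str, int]]:
    """Return [(ipv4, ttl), ...] for every IN A record in the answer section."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", pkt, 0)
    off = 12
    for _ in range(qdcount):                            # skip the question section
        _, off = _read_name(pkt, off)
        off += 4                                        # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        _, off = _read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, IN class
            records.append((str(ipaddress.IPv4Address(rdata)), ttl))
    return records


def blocklist_rules(records: List[Tuple[str, int]],
                    chain: str = "THREATSTOP") -> Tuple[List[str], int]:
    """Render one DROP rule per address and return the shortest TTL, i.e. the
    number of seconds after which the list should be re-resolved.
    `chain` is an assumed, locally created iptables chain."""
    rules = [f"iptables -A {chain} -s {ip} -j DROP" for ip, _ttl in records]
    refresh_after = min((ttl for _ip, ttl in records), default=0)
    return rules, refresh_after


# --- constructed sample response, standing in for a live lookup -------------
def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                    for lbl in name.split(".")) + b"\x00"


def build_sample_response(name: str, ips: List[str], ttl: int) -> bytes:
    """Build a minimal DNS answer with one A record per IP (constructed data,
    not a real threatstop.com response)."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
        for ip in ips
    )
    return header + question + answers


SAMPLE_IPS = ["192.0.2.10", "192.0.2.11", "198.51.100.7"]   # RFC 5737 test ranges

if __name__ == "__main__":
    pkt = build_sample_response("basic.threatstop.com", SAMPLE_IPS, 300)
    rules, refresh = blocklist_rules(parse_a_records(pkt))
    print("\n".join(rules))
    print(f"# re-resolve in {refresh} seconds")
```

The refresh interval is the whole point of the scheme: a firewall that caches the addresses past the TTL keeps blocking hosts that have since been cleaned and misses newly infected ones, so a real deployment would re-run the lookup and flush the chain on that schedule rather than on a fixed timer.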
Analysis of Storm Worm DDoS Traffic – Good analysis of the aforementioned storm worm 🙂
The Peacomm (Storm Worm) botnet is known to launch DDoS attacks against networks which appear to be investigating the botnet (the cyber equivalent of explosive reactive armor). It is still unclear whether the decisions to launch an attack are made by the botnet, a human operator, or both. In exploring this, SecureWorks was able to compile and analyze information regarding timing and types of traffic that may help victims of these distributed denial-of-service attacks mitigate the impac
Covert communications: subverting Windows applications – from SANS Information Security Reading Room
And now for some eye bleeders:
Stolen UM Clinic Tapes Contain Patient Data
University of Michigan is alerting over 8,000 patients of the university’s Community Family Health Center after backup tapes containing patient data were discovered stolen. UM is sending two different letters to different patients depending upon the patient information contained on the tapes. The first letter, already sent to 4,513 people, let patients know that the tapes contained their name, address and medical information. The second letter, that the university plans to send to an additional 4,072 individuals, will let patients know that along with name, address and medical information, their Social Security number was also on the stolen backup tapes. UM police are investigating the theft but the university has no further information on the theft.
Another Mass E-mail Leaks Student Data
Queens University of Charlotte is apologizing to hundreds of university students after a mass e-mail accidentally containing personal information was sent out. The e-mail contained names, addresses, Social Security numbers, and student IDs. According to university officials, all affected students have been notified of the incident. In addition, the university urges all affected students to place a fraud alert on their credit reports to help prevent identity theft arising from the unauthorized disclosure.
SSNBreach.org Discovers Sensitive Information Online At Rutgers
Aaron Titus of SSNBreach.org contacted ESI to let the editors know about a Sept 14 news release announcing the discovery of four files on the Rutgers University web site containing sensitive information. All told these files contained the names, Social Security numbers, assignment scores, test scores, course grades and other information on 227 students. SSNBreach.org notified both Rutgers and the FBI over the discovery. Rutgers immediately removed these files from the web and requested the files be removed from the search caches of the major search engines.
Registry Analysis – Another good article by Harlan on analyzing the Windows registry.
One of the issues that confronts us today is knowing what we’re looking at or looking for. Having a tool present data to us is nice, but if we don’t know how that data is populated, then what good is the tool when some one-off condition is encountered? If the analyst does not understand how the artifact in question is created or modified, then what happens when the data that he or she expects to see is not present? Remember Jesse’s First Law of Computer Forensics and my own subsequent corollary?
Reversing ROL-1 Malware – Good analysis, Didier… quality post!
Today I want to explain how I deal with a piece of malware that obfuscates its strings.
After dealing with the packing, we end up with an unpacked PE file. BinText reveals some strings, but not URLs. Searching for HTTP with XORSearch (version 1.1) doesn’t reveal any XOR encoding.
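When an XOR sweep finds nothing, the next cheap thing to try is a bit-rotation sweep. The following is an added example, not Didier’s code and not XORSearch itself: it undoes every possible ROL-n (n = 1..7) on a buffer, looks for a keyword such as "http" in each candidate, and decodes the NUL-terminated string found at the hit. The sample buffer is constructed inline, with a URL under the reserved .invalid TLD obfuscated by ROL-1; nothing in it comes from a real malware sample.

```python
from typing import Dict, List


def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits (the inverse of rol8)."""
    return rol8(b, (8 - n) % 8)


def rol_search(data: bytes, keyword: bytes) -> Dict[int, List[int]]:
    """Try every rotation count 1..7: undo a ROL-n obfuscation with ROR-n and
    record the offsets where `keyword` then appears. Returns {n: [offsets]}."""
    hits: Dict[int, List[int]] = {}
    for n in range(1, 8):
        decoded = bytes(ror8(b, n) for b in data)
        offsets = []
        idx = decoded.find(keyword)
        while idx != -1:
            offsets.append(idx)
            idx = decoded.find(keyword, idx + 1)
        if offsets:
            hits[n] = offsets
    return hits


def decode_string(data: bytes, offset: int, n: int) -> bytes:
    """Decode the NUL-terminated ROL-n string that starts at `offset`."""
    out = bytearray()
    for b in data[offset:]:
        if b == 0:
            break
        out.append(ror8(b, n))
    return bytes(out)


def obfuscate(plain: bytes, n: int) -> bytes:
    """Apply ROL-n the way the malware would; used only to build the sample."""
    return bytes(rol8(b, n) for b in plain)


# Constructed sample: a few header-like bytes, a ROL-1 obfuscated URL, padding.
# The URL uses the reserved .invalid TLD and is not taken from any real sample.
SAMPLE = (b"MZ\x90\x00" + bytes(range(16))
          + obfuscate(b"http://example.invalid/update.bin", 1) + b"\x00"
          + b"\xffPadding")

if __name__ == "__main__":
    for n, offsets in rol_search(SAMPLE, b"http").items():
        for off in offsets:
            print(f"ROL-{n} string at 0x{off:04x}: {decode_string(SAMPLE, off, n)!r}")
```

Searching for a short keyword under all seven rotations over a whole PE image will produce the odd false positive, which is why the decoded string is printed for a human to judge rather than trusted blindly; a hit that decodes to readable ASCII with a plausible URL is the one worth chasing.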
Foremost – Recover Files From Drive or Drive Image AKA Carving – Tool to check out.
Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive.
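The header/footer half of what Foremost does fits in a few dozen lines, and seeing it laid out makes its limits (no filesystem metadata, a maximum-size window per type, fragmented files come out wrong) obvious. The block below is an added example and is not Foremost’s own code: it scans a raw image for a small constructed signature table, carves each header-to-footer span, and writes the results out named by offset. The "drive image" is built inline from three tiny synthetic files in zero filler, so it runs without any real disk image.

```python
from pathlib import Path
from typing import Dict, List, Tuple

# Header/footer signatures (constructed subset; Foremost ships a fuller table
# in its own configuration file and also uses internal structure for some types).
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> List[Tuple[str, int, bytes]]:
    """Find each header, then the matching footer within `max_size` bytes of it.
    Returns (type, offset, data) tuples ordered by offset. The filesystem is
    ignored entirely, which is why this works on a dd image or a raw device."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            limit = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), limit)
            if end == -1:                   # header with no footer in the window
                pos = start + 1
                continue
            end += len(footer)
            found.append((ftype, start, image[start:end]))
            pos = end                       # resume after the carved file
    found.sort(key=lambda item: item[1])
    return found


def write_carved(found: List[Tuple[str, int, bytes]], outdir: str) -> List[str]:
    """Write each carved file as <offset>.<type> under outdir; returns the paths."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for ftype, offset, data in found:
        target = out / f"{offset:08d}.{ftype}"
        target.write_bytes(data)
        paths.append(str(target))
    return paths


def build_sample_image() -> bytes:
    """Constructed stand-in for a drive image: three tiny files inside filler."""
    filler = b"\x00" * 64
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB`\x82"
    pdf = b"%PDF-1.4\n%constructed\n%%EOF"
    return filler + jpg + filler + png + filler + pdf + filler


if __name__ == "__main__":
    for ftype, offset, data in carve(build_sample_image()):
        print(f"{ftype} at offset {offset}, {len(data)} bytes")
```

Two things to keep in mind when reading real output from a carver of this kind: a footer like the JPEG `FF D9` can occur inside unrelated data, so carved files need validation (open them, check structure) before they are treated as evidence, and working from a read-only image rather than the original drive keeps the carving from touching the evidence.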
Slides of the IMF Workshop – Some slides to check out from Andreas’ presentation on Windows Memory Analysis.
Here are the slides from my demonstration of Windows Memory Analysis tools and techniques, that I recently gave at the 3rd International Conference on Incident Management and IT Forensics in Stuttgart.
Enduring attack trends : ISTR XII – A must read for anyone who deals in any aspect of security. The bad news… malicious activity is here to stay. The good news… we’ll all have jobs this year 🙂
Volume XII of Symantec’s Internet Security Threat Report is out and shows that malicious activity over the Internet is here to stay. During the first six months of 2007, our analysis of the proportion of malicious activity in each country showed little variance from the last reporting period. There was some change in certain specific areas of malicious activity, but overall it seems that once a malicious Internet population is established in a country, it remains there.
A System of Persistent Baseline Automated Vulnerability Scanning and Response in a Distributed University Environment – from the SANS Information Security Reading Room
I Can Hear You Now: Eavesdropping on Bluetooth Headsets – This was a great video. Good work Josh 🙂
I’ve been spending more time evaluating Bluetooth technology lately, and have put together a YouTube video demonstrating an attack against a Bluetooth headset.
Recent advances in SDR technology including Dominic Spill’s paper “BlueSniff: Eve Meets Alice and Bluetooth” have made it possible to identify the Bluetooth device address for non-discoverable devices like headsets. Unlike early attempts to discover undiscoverable Bluetooth devices such as RedFang, BlueSniff reveals 3 or 4 bytes of the address within seconds by passively capturing an active Bluetooth connection. The remaining 3 or 2 bytes of the Bluetooth address can be determined by testing each of the common Bluetooth OUIs, using the results of the BNAP, BNAP project.
Once the Bluetooth device address is known, an attacker can connect to the headset as if he were a legitimate phone, authenticating with a fixed PIN of “0000”. Even when not configured in discoverable mode, my JawBone headset will respond to these unsolicited connection requests, allowing an attacker to pair with it and record any audio within range of the headset microphone. The attacker can also inject arbitrary audio through the headset device as well, which could get interesting when applied with finesse.
New Uninformed Journal – Vol 8 – Something to download and read through.
Get it here. Papers include:
Real-time Steganography with RTP
PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3
Getting out of Jail: Escaping Internet Explorer Protected Mode
OS X Kernel-mode Exploitation in a Weekend
A Catalog of Windows Local Kernel-mode Backdoors
Generalizing Data Flow Information
Fun Preso on Proxy Logs – Ever think you’d hear “fun” and “proxy logs” used in the same sentence?
I did a few insightful webcasts for LogLogic lately, here is one of them (webcast with voice, slides only), on analyzing and managing web proxy logs. It goes well with my logging tip #12, also on proxy logs.
Alright… things are calming down again. Expect to see more regular posts 🙂
Here is the list:
ArcSight files for $74.8 mln IPO – Very interesting. Hopefully this IPO fares better than the Sourcefire one.
Morgan Stanley & Co Inc, Lehman Brothers Inc, Wachovia Capital Markets LLC and RBC Capital Markets Corp are underwriting the IPO, the company told the U.S. Securities and Exchange Commission in a preliminary prospectus.
Information Security Consultancy – Market Analysis Summary – If you’re struggling to get your consultancy rolling, or are considering starting one, then this is a must read.
According to the business plan that I am following, a Market Analysis Summary is performed by analyzing Market Segmentation, Target Market Segment Strategy, and Service Business Analysis. If I am reading into this correctly the basic gist of a Market Analysis Summary is to help determine who the business will target, what services they will provide to these targets, and identify who are the competitors that will be offering similar services to the targets. In an effort to determine if I am correct, and to provide more information online, the following is what I have written to satisfy the Market Segmentation and Target Market Segment Strategy. I am hoping that people will comment and let me know if I have forgotten something, misinterpreted something, wandered off the path, or completely misunderstood the goal.
Searching for evil: Recommended video – Agreed, very interesting video. Check it out.
Professor Ross Anderson gives an excellent video on malware, phishing and spam, called “Searching for Evil”. Highly recommended viewing.
CIS Releases Virtual Machine Security Guidelines – I haven’t read this yet but these guidelines are long overdue.
The Center for Internet Security has released their v1.0 guidelines for generic virtual machine security. I will say that this is a basic, concise and generally helpful overview to practical things one might consider when deploying, configuring and beginning to secure a virtual machine.
Being a CISSP – I still hold this certification in very high regard and plan on getting it for most of the reasons that Andy outlines in his article. It’s a personal goal for me and I won’t be happy until I achieve it. Santa has the Iron Man… I have the CISSP exam. Only difference is that I can eat all the pizza I want while working towards my goal 🙂
The CISSP is not the cert for everyone. It depends on what your career goals are and where your interests in security are. It may be the best thing that you do for your career or it could be just another bunch of letters after your name. I think a lot of its value depends on you and how you use it.
OSCP (Offensive Security Certified Professional) Training and Challenge – This was an excellent account of the OSCP offering. I’ve often contemplated signing up for this as I would be curious to see how it would help the people who ask me for career advice in regards to security certifications. I’ll put it on my list of things to do.
I’m writing this post, as I really feel that this course needs to get more publicity. Over the last few years I have done countless security courses, and exams from some of the top players in this market, and nothing has come close to the OSCP training.
Interesting Forensics and Logging Presentations from DFRWS – Download them and read them when you get a chance. Never hurts to have reading material handy when you’re stuck at an airport 🙂
Some fun reading material here: DFRWS 2007 preso and papers. A few fun pieces on logs too, specifically:
* Introducing the Microsoft Vista Log File Format. Andreas Schuster. (paper)
* Automated Windows Event Log Forensics. Rich Murphey. (paper)
* Analyzing Multiple Logs for Forensic Evidence. Ali Reza Arasteh, Mourad Debbabi, Assaad Sakha, and Mohamed Saleh. (paper)
And now for a few eye-bleeders:
File On Purdue Web Page Contains Student Information
Purdue University is alerting 111 students about a file found on the Internet containing student information. The file, stored on an unused but still available web page, contained student names and Social Security numbers. This incident affects students enrolled in the Fall 2004 Animal Sciences 101 class at the university. Purdue has since removed the web page and notified the 111 students affected by the incident. In addition, Purdue has set up a hotline – 866-275-1181 – for any student that did not receive a letter but believes they might be affected by the incident. More information on this incident can be found at www.purdue.edu/news/coa0709.html.
Another Laptop Containing Student Information Stolen
De Anza College is warning a number of students that the recent theft of a De Anza laptop might place them at risk for identity theft. The laptop, stolen from the home of a math professor, contained information on 4,375 students including names and some Social Security numbers. According to De Anza officials, however, both the laptop and the student information are password-protected, but there is no information on the type of password protection or if encryption was used as well. De Anza officials have sent letters and e-mails to all affected students, but fear that the college’s contact information may be out of date. De Anza urges any student that took a mathematics class between 1991 and 2003 as well as between 2005 and the present to e-mail Kathleen Moberg, Dean of Admissions and Records, or call (408) 864-8292 to determine if they are affected by this theft.
Yahoo Search Returns Spreadsheet Containing USC Student Grades and SSNs
Aaron Titus of SSNBreach.org made a startling discovery over the weekend when a Yahoo search returned a spreadsheet containing the names, Social Security numbers, assignment scores, test scores, course grades and indications of academic misconduct on 3,199 University of South Carolina students. The spreadsheet was found on USC’s Biological Sciences Department web site. Titus notified the university and the FBI on the same day the file was discovered and USC immediately began removing the information. However, the information still remained in major search engine indexes according to Titus. In an odd turn, it seems that USC has yet to inform the students affected by this incident. According to second-year chemistry student, Elyse Coolidge, “I feel disappointed [over the lack of notification]. If the university knows they made a mistake, they should at least have the integrity to tell me.”
Hopkins Waits Five Weeks To Disclose Data Theft
Johns Hopkins University waited five weeks before notifying patients and their families about the theft of a desktop computer containing patient information. The computer, taken from an “administrative area” of Johns Hopkins on July 15, contained patient names, Social Security numbers, dates of birth, medical history and other personal information. According to University officials, the computer was secured to the desk by a steel cable and it was password-protected. However, the computer did not contain encryption software to protect the data nor was the data password-protected. According to Gary Stephenson, Hopkins spokesperson, police were notified about the breach two weeks after the computer went missing but the university delayed notification due to fears public notice “might sabotage the efforts” to recover the computer. Johns Hopkins is offering to pay for a year of credit monitoring services for affected patients.