
Suggested Blog Reading – Tuesday July 10th, 2007

Even though I felt recharged yesterday I was still quite tired from the flying and the “relaxing” over the weekend. I’m starting to get back into the swing of things so expect posts to get back to normal frequency.

Here’s the list:

My New and Fun Fun Fun Role! – Well it looks like Anton has himself a new role and title. I hope he fares better than Martin did when he moved into an evangelist role.

I have a sneaking suspicion that not everybody checks my site regularly. And that’s OK – you need to check my blog, not the site 🙂

However, if you do check the site, you might have noticed that my position title has changed! My new position is … drum-roll … Chief Logging Evangelist.

Yes, I joined the ranks of “evangelists”, a term which takes its origin from Guy Kawasaki.

Am I excited? That would be the understatement of the year!

Nduja Cross Domain/Webmail XSS Worm – Webmail XSS Worm??? Interesting and a little scary considering how much people rely on webmail these days.

Rosario Valotta sent me an email today describing a webmail XSS worm he has written – the first I am aware of that is cross domain. There have been a few webmail worms, like Yamanner, but nothing quite like this. Rosario picked four Italian webmail services, Libero.it, Tiscali.it, Lycos.it, and Excite.com and built a worm that works across all four domains.

Pentagon E-mail System HACKED – “What can we do to take the heat off of DHS for failing so miserably on their audit??? Wait…let’s disclose a huge hack that occurred at the Pentagon…that’ll get them off our backs!”

The Pentagon got owned pretty hard with 1,500 accounts being taken offline due to a hack attack. For once however they did admit the incident and didn’t try to cover it over or brush it off.

I guess the amount of attacks they get is exponentially more than other networks…but still, I would have thought they should be super secure.

IT Security Specialists See Salaries Rise in First Half – I love seeing articles like these considering friends and colleagues in the industry are not seeing the same thing. Who are these people getting all of these raises all the time anyway?

Demand for highly trained and certified IT security professionals is forcing CIOs and IT managers to shell out higher salaries, and to adjust their budgets to meet the increased security expectations of their customers and their executive management teams.

In the past six months, salaries for certified IT workers rose 2 percent, bucking a yearlong trend in declining pay for IT certifications, according to a report issued this week by IT work force research firm Foote Partners.

Suggested Blog Reading – Monday July 9th, 2007

Just got back from a very enjoyable bachelor party in Ottawa over the weekend and I feel recharged. Funny how some downtime fixes you up 🙂

Here’s the list:

AFF for Windows – Interesting…I’ll have to give it a shot.

Since version 2.3 the shared libraries and utility programs which implement the Advanced Forensic Format (AFF), are also available for the Microsoft Windows platform.

AFF is meant to be an open-source, extensible alternative to proprietary forensic image file formats. Beside the main program library, afflib, the package comes with the following utility programs:

* afconvert converts AFF into RAW/ISO and vice-versa
* afcopy copies a forensic image and verifies the resulting file
* affix attempts to repair a corrupted forensic image
* afinfo provides some information about the forensic image
* afstats calculates some statistics, e.g. the amount of data contained in an AFF image and the compression ratio
* aimage creates a new forensic image

ARP Spoofing in Real Life – Richard is right. This is probably one of the hardest attacks for students or people new to security to visualize actually happening and it’s great that a documented example is available.

Sometimes I wonder if students are thinking “That is so old! Who does that anymore?” In response I mention last year’s Freenode incident where Ettercap was used in an ARP spoofing attack.

Thanks to Robert Hensing’s pointer to Neil Carpenter’s post, I have another documented ARP spoofing attack. Here a malicious IFRAME is injected into traffic by ARP spoofing a gateway. We cover that in my Black Hat classes, both of which are now officially full.

“Good Practice Guide for Computer-Based Electronic Evidence” Updated – I would think this would also be very good for organizations who interact with law enforcement on a regular basis.

The Association of Chief Police Officers in co-operation with 7Safe released an updated edition of their Good Practice Guide for Computer-Based Electronic Evidence.

On 66 pages the free guide provides background information, flowcharts and sample questions to aid in the investigation of computer-related crimes. While it is primarily intended to be used by police officers, the guide is also helpful for investigators working within the private sector.

Vista security events get noticed – Notice how he says “for most security events”? My developers have noticed lately that Microsoft documentation has a lot of “most” scenarios where log files have more columns than documented and examples show what should happen “most of the time”.

Doriansoft noticed that there’s a relationship between our pre-Vista security event IDs and our Vista-era security event IDs.

For most security events:
VistaEventId = PreVistaEventId + 4096

Why is this?

We needed to differentiate the Vista events from the pre-Vista events, because we were significantly changing the event content and didn’t want to break automation. However we wanted to preserve the knowledge that security professionals already had in their heads about security events, so we wanted to make sure that there was a relationship between old and new event IDs.

We decided to offset the old IDs by some constant to get the new IDs. I wanted to offset them by a decimal number (say 6000, so 528 would become 6528, etc.). However event IDs are declared in hex in the source code and are all 3 digits long (528 = 0x210), and Raghu, my developer, wanted to conserve effort, and he won that battle so we added 0x1000 (4096) to the existing event IDs.
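The offset rule from the quoted post, worked as a small Python helper for porting a legacy event-ID rule to Vista IDs. This is an added example, not code from the original post or from Microsoft; the two exception-table entries that cover the post’s “most” caveat come from my own notes on the Vista renumbering, not from the page.

```python
# Added example (not from the original post): apply the "+0x1000" rule the
# post describes to translate pre-Vista security event IDs into their
# Vista-era equivalents, e.g. when porting a legacy detection rule.
# The exception table is from my own notes, not from the post; it exists to
# handle the "most" caveat, since a few events were renumbered or merged.

VISTA_OFFSET = 0x1000  # 4096: legacy IDs are 3 hex digits (528 = 0x210), so
                       # adding 0x1000 just prepends a "1" (0x210 -> 0x1210)

# Assumed exceptions (from my notes): legacy ID -> Vista ID that does NOT
# follow the offset. 517 (audit log cleared) became 1102; 540 (network
# logon) was merged into 4624 together with 528.
KNOWN_EXCEPTIONS = {
    517: 1102,
    540: 4624,
}


def to_vista_event_id(legacy_id: int) -> int:
    """Map a 2000/XP/2003 security event ID to its Vista-era ID."""
    if legacy_id in KNOWN_EXCEPTIONS:
        return KNOWN_EXCEPTIONS[legacy_id]
    if not 0 < legacy_id < VISTA_OFFSET:
        # A value of 0x1000 or more cannot be a 3-hex-digit legacy ID;
        # it is probably already a Vista-era ID.
        raise ValueError(f"{legacy_id} is not a pre-Vista security event ID")
    return legacy_id + VISTA_OFFSET


def hex_pair(legacy_id: int) -> str:
    """Show the mapping in hex, which is what made the 0x1000 offset cheap."""
    return f"{legacy_id:#x} -> {to_vista_event_id(legacy_id):#x}"


def translate_rule(legacy_ids) -> list:
    """Translate a rule's set of legacy IDs; merged events collapse to one."""
    return sorted({to_vista_event_id(i) for i in legacy_ids})


if __name__ == "__main__":
    # Constructed sample: a legacy "logon activity" rule (528, 540, 529).
    legacy_logon_rule = [528, 540, 529]
    print(hex_pair(528))                      # 0x210 -> 0x1210
    print(translate_rule(legacy_logon_rule))  # [4624, 4625]
```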

CarvFS at Work – Documentation is good but examples are always a bonus! Good work.

“Chopstick” published two articles about CarvFS in his blog Chirashi Security.

His first post describes the installation of CarvFS on Ubuntu Linux. He also installs libewf in order to access disk images in Expert Witness format, which is normally used by EnCase.

Just to give us an example of how CarvFS works, a second article shows the examination of a memory card.

Suggested Blog Reading – Wednesday to Friday July 4th-6th, 2007

There was a lack of news on the blogosphere the past few days due to the July 4th holiday in the U.S. so I’ve decided to hold off until today to post my suggested blog reading.

Here’s the list:

Don’t think about it, just get on the plane – Wow, this made my morning. Kind of goes hand in hand with my earlier post on lack of due diligence at the airport. Thanks Mike!

I came across this unbelievably funny YouTube video and had to share it. If you ever travel, especially if you travel frequently, you’ll ROFL (roll on the floor laughing) watching this. I still laugh each time I watch it. As the saying goes, you just can’t make this stuff up. Truth is funnier (as well as stranger) than fiction most of the time.

Video: Geeksquad caught copying personal files from PC – I had a feeling that deploying undertrained, fresh-out-of-school kids with their CompTIA A+ certification was a bad idea. Now I know that feeling was justified.

Do you expect privacy when your computer is repaired? Trust your technicians?

You shouldn’t. In this case it’s porn. This video is a great argument for keeping your data on a high capacity external hard drive.

Security Views Case Study #3 – The long-time employee threat – Another good case study from Scott.

The individual, a senior database administrator who had worked at the company for seven years, saw the opportunity, didn’t think he’d get caught, and took the chance.

1) Either there were no confidentiality safeguards on the client’s information, or the safeguards that existed were weak enough for a single person to exploit.

2) Access logging and/or audits of access logs were not being done. (If they were, the thief would have known he would get caught, unless he was the only one responsible for the audits. But then the theft might never have been detected.)

7 Deadly Sins of Website Vulnerability Disclosure – Good post…only Jeremiah forgot to post a “7th Deadly Sin”

Someone you don’t know, never met, and didn’t give permission to informs you of a vulnerability in your website. What should you do? Or often just as important, what should you NOT do? Having security issues pointed out, “for free,” happens to everyone eventually (some more than others). People unfamiliar with the process often make poor judgment calls causing themselves more harm than good. We witness these missteps regularly, even amongst security vendors who should know better. I figured that if we document some of these mistakes, maybe we’d start learning from them. Then again, the original seven deadly sins certainly haven’t vanished. 🙂

Email encryption with GPG and Mail.app – I’m still new to my Mac but I’ve been searching for a way to leverage the power of GPG. Now I can 🙂

Email is sent across the Internet as plain text, which means that almost anyone can read your private emails and sensitive information. We’ve already covered before how to send encrypted emails with Mozilla Thunderbird, and while Thunderbird is a cross-platform email client that will work on Mac OS X, it just might not be your favorite email application.

If you’re concerned about your email’s security, this hack shows four easy steps to configure Apple’s Mail.app email client to send and receive encrypted emails.

Top 11 Reasons to Look at Your Logs – Another great post by Anton. The excuse I typically hear is “I don’t have time to look at ALL my logs”. Unfortunately this just isn’t going to cut it anymore with so many powerful tools out there to assist you in collection and analysis.

As promised, I am following my Top 11 Reasons to Collect and Preserve Computer Logs with just as humorous and hopefully no less insightful “Top 11 Reasons to Look at Your Logs.”

Malicious insider sells Fidelity National customer data – Still don’t think the insider threat is something to worry about in your organization?

Fidelity National Information Services Inc. admitted this week that Certegy Check Services Inc., a Fidelity subsidiary that provides check processing services, was “victimized” by a database administrator who stole and sold bank and credit card data on up to 2.3 million customers.

Fidelity said in a statement that the St. Petersburg, Fla.-based administrator misappropriated and sold consumer information to a data broker who in turn sold a subset of that data to a limited number of direct marketing organizations. The incident does not involve any outside intrusion into or compromise of Certegy’s IT systems, the company added.

The “Insider Statistic”, Good Data, & Risk – Pursuant to my previous entry above 🙂

One of the most hallowed statistics quoted by consultants and analysts alike is what I like to call the “Insider Statistic”. You know the one – a few years back somebody, somewhere, released a study that said 60% (I’ve seen it quoted as high as 80%) of all attacks come from the inside. I’m not even going to bother going into the history here, as I don’t feel like spending the 20 min. Googling for the source.

Now every.freakin’.time I’m in some meeting room somewhere and somebody brings that one up, it’s used to justify controls to reduce the probability of a technically sophisticated attacker within the perimeter who intends to harm. I always wonder if it matches reality. There are so many variables to consider that I always wondered what the “catch” was. Now I think I know.

New INFOSEC workbook now online – You may want to download this for research or bed time reading.

Regular readers of this column know that I give a graduate seminar to my MSIA students every year in June called “INFOSEC Year in Review” or “IYIR” for short. This year the 135 graduating students and about 50 more students who will graduate in December received a 453-page book with 1,240 abstracts (including introductory material such as the list of categories) dating from Jan. 1, 2006, through May 30, 2007, classified using 280 possible categories.

The workbook is a selection I made from a total of 3,532 abstracts in that period. The full database and a complete PDF listing of the contents will be posted on my Web site later after some volunteers and I finish adding keywords to the abstracts.

At least I know one thing I don’t want to do with my life – I was quite surprised when I saw that Martin was leaving his “dream” job. This is kind of a wake up call to me as I have often thought that I would like to be a product evangelist too. Maybe I need to put some more thought into it 🙂

Mitchell Ashley, Alan Shimel and the whole crew at StillSecure did everything they could to help me, but it turns out I’m just not built right to be in marketing. Obviously, I love spouting off my own opinions, but when it comes to representing a company and speaking on their behalf, my own instincts are my own worst enemy. I like to tell the whole, direct truth, and that’s not what marketing is about; it’s about shading the truth to put your company and your product in the most positive light possible. Not that marketing is a bad thing, it’s just not how my thought processes work.
