Suggested Blog Reading – Wednesday June 20th, 2007

In talks to write a book… stay tuned for more info 🙂

Here’s the list:

A Taxonomy of Information Systems Audits, Assessments and Reviews – from the SANS Information Security Reading Room

Security Implications of the Virtualized Data Center – from the SANS Information Security Reading Room

UserAssist Q&A – Didier answers questions from his recent talk on his UserAssist tool.

I was a speaker at the local ISSA chapter last Monday. My talk explained how to use my UserAssist tool for forensic analysis. The audience had great questions for me at the Q&A, some of which I want to share here.

Fake NetBIOS Tool – Simulate Windows Hosts – Another tool to add to the collection.

FakeNetbiosDGM sends NetBIOS Datagram service packets on port UDP 138 to simulate Windows host broadcasts. It periodically sends NetBIOS announcements over the network to simulate Windows computers. It fools the Computer Browser services running over the LAN and so on.

FakeNetbiosNS is a NetBIOS Name Service daemon, listening on port UDP 137. It responds to NetBIOS Name requests like real Windows computers: for example ‘ping -a’, ‘nbtstat -A’ and ‘nbtstat -a’, etc.

The iPhone, our new security nightmare – I don’t see this being any more of a nightmare than an iPod or PDA. Its use must be regulated as with any outside electronic device in your organization.

The dawn is near; the iPhone blitz lays prepared to turn your security team into zombies. On June 29th, your helpdesk systems will be inundated with whines to “make my new flashy iPhone work with my work PC”. No amount of beer, ThinkGeek gadgets or favors will get me or my team to kowtow.

DHS to Answer for Hundreds of Cyber Break-Ins – Looks like someone was looking for a patsy and they found one in Scott Charbo.

DHS CIO Scott Charbo is scheduled to appear tomorrow before a House Homeland Security subcommittee hearing entitled “Hacking the Homeland.” The panel follows a hearing in April in which Commerce and State department officials recounted how hackers broke into and gained control over a number of systems in a series of targeted attacks. Since that testimony, committee leaders demanded answers to dozens of questions about DHS’s compliance on cyber-security standards, and whether it, too, had suffered similar break-ins.

MySQL Database Tuning Tips – Not specific to security but important nonetheless.

I came across a great article on MySQL performance tuning. It’s got a few very practical tips for examining the database settings and tweaking them to achieve the best performance.

“What’s this got to do with security”, you ask? As you know, Sguil stores all of its alert and network session data in a MySQL backend. If you monitor a bunch of gigabit links for any amount of time, you’re going to amass a lot of data.

I try to keep a few months of session data online at any given time, and my database queries have always been kinda slow. I learned to live with it, but after reading this article, I decided to check a few things and see if I could improve my performance, even a little.

Using Access Control Lists and authentication in Squid (Part II) – Part 2 in the series.

Now that everyone has mastered the basics of Squid, we are ready to have a little more fun. In case you missed it, we published Part I of this series recently. Access Control Lists (ACLs) allow Squid to do many interesting things in addition to just providing a caching proxy server. A properly configured set of ACLs can do things like:

  • restrict access to websites by IP address,
  • limit or block websites by name, such as www.badsite4kids.com,
  • restrict web access by time and day, or
  • regular expression matches, such as .exe files or “porn” in URL names.

You can additionally add custom html error messages that let your users or children know why they have been blocked from the web.

I neglected to mention the cost for these services, as many commercial software programs provide these features too. It is free, you just need to configure it yourself. How’s that for some motivation to learn a little more advanced Squid?
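As an added illustration that is not part of the quoted article, here is a squid.conf fragment implementing the four ACL types the excerpt lists, plus a custom error page for blocked sites. The network, domain names, time window and error-page file name are constructed placeholders.

```squid
# Added example (not from the original article). All networks, domains and
# file names below are constructed placeholders; adjust them for your site.

# 1. Restrict access by source IP address: only the home LAN may use the proxy
acl home_lan src 192.168.1.0/24

# 2. Limit or block websites by name (a leading dot also matches subdomains)
acl blocked_sites dstdomain .badsite4kids.example .another-bad.example

# 3. Restrict web access by time and day
#    Day letters: S=Sun M=Mon T=Tue W=Wed H=Thu F=Fri A=Sat
acl homework_hours time MTWHF 16:00-20:00

# 4. Regular-expression matches on the URL (-i = case-insensitive)
acl exe_download url_regex -i \.exe$
acl bad_words url_regex -i porn

# Custom HTML error page shown instead of the generic ERR_ACCESS_DENIED.
# ERR_BLOCKED_SITE is a file you create in Squid's errors directory.
deny_info ERR_BLOCKED_SITE blocked_sites
deny_info ERR_BLOCKED_SITE bad_words

# http_access rules are evaluated top-down; the first matching line wins.
# Several ACL names on one line are ANDed together.
http_access deny blocked_sites
http_access deny bad_words
http_access deny exe_download
http_access deny home_lan homework_hours   # no browsing from the LAN during homework hours
http_access allow home_lan
http_access deny all                       # default deny for everyone else
```

After editing, `squid -k parse` checks the syntax and `squid -k reconfigure` reloads the ACLs without restarting the proxy.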

Suggested Blog Reading – Tuesday June 19th, 2007

One round of golf and my back is shot. This getting old thing really sucks.

Here’s the list:

Mpack attack infects PCs on massive scale – I’m sure you’ve seen this all over the internet but why should I be the only one not mentioning the Mpack attack?

A malware distribution and attack kit sold commercially through underground channels on the Internet has compromised hundreds of thousands of systems in the past six months, including an epidemic of infections that hit Italian Web servers this past weekend, according to security and antivirus firms.

Known as Mpack, the kit consists of commercial-grade software components written in the PHP Web programming language and apparently sold by a group of Russian programmers. The software, which comes with a year of support, was first mentioned in an analysis penned by antivirus firm Panda Software. In mid-May, Panda stated that the software had compromised at least 160,000 computers.

How to get the most out of a SIM – OooOoOoOoo…I can’t wait until Bejtlich gets a hold of this article 🙂

However, a SIM can bring tremendous value by providing total visibility into your security posture, and by leveraging security products you already have. Regulatory compliance has been a top driver for SIM purchases, but there are a number of less obvious advantages that should be considered when selecting a product. The key to realizing the full value of a SIM is to understand all of its advantages and leverage the product in a way that brings maximum benefit.

AfterGlow Example – Visualizing IP Tables Logs – I love this idea of visualizing logs.

I am sitting in Seville, at the First conference, where I will be teaching a workshop on Wednesday. The topic is going to be insider threat visualization. While sitting in some of the sessions here, I was playing with my iptables logs.

Phishers and Malware authors beware! – Interesting release. I’ll leave it up to the developers of the world to comment on its usefulness.

OK, so it might be a little early to declare victory, but we’re excited about the Safe Browsing API we launched today. It provides a simple mechanism for downloading Google’s lists of suspected phishing and malware URLs, so now any developer can access the blacklists used in products such as Firefox and Google Desktop.

The API is still experimental, but we hope it will be useful to ISPs, web-hosting companies, and anyone building a site or an application that publishes or transmits user-generated links. Sign up for a key and let us know how we can make the API better. We fully expect to iterate on the design and improve the data behind the API, and we’ll be paying close attention to your feedback as we do that. We look forward to hearing your thoughts.

CA Mainframe Security Blacked Out Globally – “Sources say that the problem was so secret that they didn’t know how to fix it” 😛

Computer Associates’ Top Secret security product for the mainframe blacked out worldwide on June 16, staying dark for 19 hours and bringing down financial institutions such as banks and insurance systems.

CA said in a statement that the bug affected approximately 50 customers worldwide and did not introduce any security issues. “It prevented a subset of CICS users from signing on during a 19-hour period (from 6/16 to 6/17) because of an internal memory representation of the time/date value, which caused the host to deny the sign-on request,” according to the statement.

An Incident Handling Process for Small and Medium Businesses – From the SANS Information Security Reading Room

HP Acquires SPI Dynamics – Interesting move by HP. I wonder if they plan on extending the SPI offerings in their product lines?

Early this morning, so early that the cat was still snug beside me in bed on the west coast, HP announced its acquisition of security assessment firm SPI Dynamics, headquartered in Atlanta, GA.

HP already integrates SPI security technology into its software, and the acquisition is expected to add more quality management capabilities to HP’s software portfolio and strategy.

Suggested Blog Reading – Monday June 18th, 2007

I just realized that my Friday post said Thursday as the day of the week. Oops… QA is fired!

Here’s the list:

Detecting BBB/IRS/FTC/Proforma Trojan-Infected Users on Your Network – Here is a good example of where system and device logs are important.

If you keep logs of firewall/proxy or DNS server traffic, you may be able to spot infected users by traffic analysis. This activity has been going on since at least February, so it is prudent to go back in the logfiles at least until the beginning of 2007 when searching.

Trinity Rescue Kit – Free Recovery and Repair for Windows – Another good tool to keep in your back pocket.

Trinity Rescue Kit or TRK is a free live Linux distribution that aims specifically at recovery and repair operations on Windows machines, but is equally usable for Linux recovery issues.

A summary of the main features:

  • easily reset windows passwords
  • 4 different virusscan products integrated in a single uniform commandline with online update capability
  • full ntfs write support thanks to ntfs-3g (all other drivers included as well)
  • clone NTFS filesystems over the network
  • wide range of hardware support (kernel 2.6.19.2 and recent kudzu hwdata)
  • easy script to find all local filesystems
  • self update capability to include and update all virusscanners
  • full proxyserver support.
  • run a samba fileserver (windows like filesharing)
  • run a ssh server
  • recovery and undeletion of files with utilities and procedures
  • recovery of lost partitions
  • evacuation of dying disks
  • UTF-8 international character support

Heap Spraying vs. Heap Feng Shui – Good explanation of some proof of concept code.

The heap allocation code used in this exploit was quite advanced and completely different from the conventional Heap Spraying code used in the attacks that I’ve seen so many times. In this case, the exploit page (keyframe.html) used a special compact heap manipulation library named “heapLib.js” which after some investigations introduced me to the mystical world of the “Heap Feng Shui”.

How to create a computer-emergency response team – Although not a single source of information this article does get you started with important information on how to form a CERT.

Perhaps the most important thing needed for a successful recovery from a data breach is a prebuilt team of employees, pulled from different departments, who can lead the company out of crisis.

New Skillz Challenge! – For those of you with some free cycles.

Hello, Challenge fans! The Intelguardians crew is back this month with another challenge to tickle your fancy and bake your noodle. This month, Matthew Carpenter takes the helm, penning a challenge based on the movie Serenity. Shockingly, a recent SFX magazine poll found that Serenity had overcome Star Wars as the most popular Sci-Fi movie among its readers. It’s amazing what someone can accomplish with a bot-net voting in these on-line polls… Isn’t it, Matt? I hope you enjoy the challenge, as you help the Serenity crew thwart a nasty bot-net to escape the Reavers and the Alliance.

Netstat Revealed! – Another video to add to your collection.

Another video in 2-3 days… I think this is becoming like a mania for me… Anyway, in this video I played around with netstat so that those who do not play with it could see the possibilities it offers to us.

Visually Assessing Possible Courses of Action for a Computer Network Incursion – New paper posted to the SANS Information Security Reading Room.