
Suggested Blog Reading – Friday June 15th, 2007

Oh Friday…how I love you!

Here’s the list:

General: China taking on U.S. in cyber arms race – Is this the rebirth of the Cold War?

China is seeking to unseat the United States as the dominant power in cyberspace, a U.S. Air Force general leading a new push in this area said Wednesday.

“They’re the only nation that has been quite that blatant about saying, ‘We’re looking to do that,’” 8th Air Force Commander Lt. Gen. Robert Elder told reporters.

Elder is to head a new three-star cyber command being set up at Barksdale Air Force Base in Louisiana, already home to about 25,000 military personnel involved in everything from electronic warfare to network defense.

How to enable EFS context menus – All you Windows users…pay attention 🙂

One solution to help reduce the risk for stolen data is to use Windows Encrypting File System (EFS). We’ve already covered before how to use EFS to encrypt a file or folder, and in this simple registry hack, we’ll show you how to make it easier for you to encrypt and decrypt files and folders by adding the Encrypt and Decrypt options on the context menus in Windows Explorer.

EventLog Analysis – Great introductory article by Harlan on Windows Event Log Analysis.

But what about actual Event Log analysis? What about really using the Event Log to get some insight into activity on the system? What can we look for and how can we use it?

Here are some tidbits that I’ve come across and use…please don’t consider this a complete list, as I hope that people will contribute. This is just to get folks started….

DropMyRights: Running programs safely as an admin – Interesting utility. I like the concept.

DropMyRights is a free command-line utility, developed by Microsoft, to help users who must run as an administrator run applications in a much-safer context. In a nutshell, it takes the current user’s token, removes various privileges, and then uses that token to start another process, such as Internet Explorer or Outlook.

No wars are won through awareness… – I see both sides of the argument but I personally believe that awareness training should be introduced at the same time that the security measure is implemented.

In security, as in life, one is forced to make certain choices, certain trade-offs on how they focus their time and energy. If one is able to mass unlimited resources, one could come as close to fault tolerance and a secure position as is possible. But in the real world of IT one is faced with limited resources, whether they be knowledge, time, people, money or access to technology. I think it’s great that one can arm themselves with a Sun Tzu Art of War quote-a-day desk calendar and make declarations about how one would actually secure a complex, globally distributed network and how focusing efforts on user awareness training will fend off Mongol hordes riding against our golden palaces, but that is just not realistic.

Suggested Blog Reading – Thursday June 14th, 2007

Finally got a good night’s sleep and does it ever make a difference.

Here’s the list:

FBI May Have Broken the Law 1,000 Times in Surveilling Americans – Only those who broke the law have to worry though right? 🙂

The FBI egregiously violated privacy laws and bureau rules to obtain telephone, e-mail and financial records on scores of Americans, according to an internal audit obtained by the Washington Post and reported today.

Is a merger or acquisition in Sourcefire’s future? – Interesting interview with Marty Roesch. I’m very interested in who might be in the market, and have the capital, to merge with a company like Sourcefire.

It’s been a busy year for Sourcefire Inc. founder and Chief Technology Officer Martin Roesch, creator of the widely popular Snort open source IDS tool. In November he announced that Sourcefire had filed with the U.S. Securities and Exchange Commission to raise up to $75 million in an initial public offering (IPO) of stock. Seven months earlier, Check Point had dropped plans to acquire the company amid concerns that foreign ownership of Snort would threaten U.S. national security. In the wake of the IPO, Roesch remains reluctant to go into greater detail on his company’s future direction. But at the Gartner IT Security Summit in Washington D.C., he told SearchSecurity.com how Sourcefire fit into Gartner’s Security 3.0 theme. In the process, he suggested that the war chest Sourcefire has developed as a newly public company could be used in a future merger or acquisition.

Determining the version of XP – Another good post from Harlan on how to discover the version of XP (Home or Pro).

I received an interesting comment to one of my recent blog posts…the poster was musing that he wished he could determine the version of XP (Home or Pro), presumably during a post-mortem examination. As this struck my interest, I began to research this…and most of what I found applies to a live running system. For example, MS has a KB article that tells you how to determine the version of XP you’ve got. Also, the WMI class Win32_OperatingSystem has a value called “SuiteMask” which will let you determine the version of the operating system; to see if you’re on the Home version of XP, perform a logical AND operation with the SuiteMask value and 0x0200 (the “Personal” bit) – if it succeeds, you’re on XP Home. You can also use the Win32::GetOSVersion() function in Perl, or implement the WMI Win32_OperatingSystem class in Perl.
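Since SuiteMask is a bit field and the post only names the one bit, here is an added example (mine, not Harlan’s code) that decodes the whole field and applies the 0x0200 “Personal” test; the bit names are the VER_SUITE_* flags from the Windows SDK, the live query goes through GetVersionExW (the same call Win32::GetOSVersion wraps) and only runs on Windows, and the 0x0300 fallback is a constructed sample value rather than something read from a real box:

```python
"""Decode Win32_OperatingSystem.SuiteMask and apply the XP Home test (added example)."""
import ctypes
import sys

# VER_SUITE_* flags as defined in the Windows SDK (winnt.h). The 0x0200
# "Personal" bit is the one the post uses to recognise XP Home.
VER_SUITE_FLAGS = {
    0x0001: "SmallBusiness",
    0x0002: "Enterprise",
    0x0004: "BackOffice",
    0x0008: "Communications",
    0x0010: "TerminalServices",
    0x0020: "SmallBusinessRestricted",
    0x0040: "EmbeddedNT",
    0x0080: "Datacenter",
    0x0100: "SingleUserTS",
    0x0200: "Personal",
    0x0400: "Blade",
    0x0800: "EmbeddedRestricted",
    0x1000: "SecurityAppliance",
    0x2000: "StorageServer",
    0x4000: "ComputeServer",
    0x8000: "HomeServer",
}
VER_SUITE_PERSONAL = 0x0200


def decode_suite_mask(suite_mask):
    """Return the names of every suite bit that is set, in ascending bit order.

    Bits outside the known table are reported as one Unknown(...) entry so a
    value from a newer OS is not silently truncated.
    """
    names = [name for bit, name in sorted(VER_SUITE_FLAGS.items()) if suite_mask & bit]
    unknown = suite_mask & ~sum(VER_SUITE_FLAGS)  # keys are the bit values
    if unknown:
        names.append("Unknown(0x%04x)" % unknown)
    return names


def is_xp_home(suite_mask):
    """The check from the post: logical AND with 0x0200, non-zero means Home."""
    return bool(suite_mask & VER_SUITE_PERSONAL)


def live_suite_mask():
    """Read wSuiteMask from the running OS via GetVersionExW; None off Windows."""
    if sys.platform != "win32":
        return None

    class OSVERSIONINFOEXW(ctypes.Structure):
        _fields_ = [
            ("dwOSVersionInfoSize", ctypes.c_uint32),
            ("dwMajorVersion", ctypes.c_uint32),
            ("dwMinorVersion", ctypes.c_uint32),
            ("dwBuildNumber", ctypes.c_uint32),
            ("dwPlatformId", ctypes.c_uint32),
            ("szCSDVersion", ctypes.c_wchar * 128),
            ("wServicePackMajor", ctypes.c_uint16),
            ("wServicePackMinor", ctypes.c_uint16),
            ("wSuiteMask", ctypes.c_uint16),
            ("wProductType", ctypes.c_uint8),
            ("wReserved", ctypes.c_uint8),
        ]

    info = OSVERSIONINFOEXW()
    info.dwOSVersionInfoSize = ctypes.sizeof(info)
    if not ctypes.windll.kernel32.GetVersionExW(ctypes.byref(info)):
        return None
    return info.wSuiteMask


if __name__ == "__main__":
    mask = live_suite_mask()
    if mask is None:
        # Constructed sample (assumption, not captured output): Personal | SingleUserTS.
        mask = 0x0300
    print("SuiteMask 0x%04x -> %s; XP Home: %s"
          % (mask, ", ".join(decode_suite_mask(mask)), is_xp_home(mask)))
```

The decoder is the part worth keeping: when the value comes from a post-mortem source instead of a live WMI query, the same function tells you which edition bits were set without having to remember the table.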

TSK 2.09 Released – New version of The Sleuth Kit ready for your downloading pleasure.

Version 2.09 is now available. This release fixes some bugs for large files and hash databases on Windows, some stability bugs with corrupt file systems, some ‘ils’ flag bugs, and some updates to internal libraries. All users should apply this update.

Security Views Case Study #1 – Unauthorized P2P Software on Company Laptop – I’m sure a lot of system/network/security people can relate to this story.

This is the first in what unfortunately could be many posts I’ll call “Case Studies”. It’s unfortunate, because breaches are now publicized on such a regular basis, I could make a blog entirely about them, as SC Magazine now does. It’s called the Breach Blog. In my case, I was thinking it may be helpful to add some value to some of their entries by doing a bit of analysis and guidance on what you can do to avoid them.

Fuzzled – PERL Fuzzing Framework – Another fuzzing tool for you to try out.

Fuzzled is a powerful fuzzing framework. Fuzzled includes helper functions, namespaces, factories which allow a wide variety of fuzzing tools to be developed. Fuzzled comes with several example protocols and drivers for them.

Port number not shown in access-list log output – This one is more for my reference so I don’t forget it in the future 😉

The reason for this behavior is very simple: unless a line in the IP ACL matches on the layer-4 port numbers, the router does not inspect them; the log action thus has no port number to show in the syslog printout.

To fix the printout, you have to force the router to inspect the layer-4 port numbers.
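As an added illustration (my own config fragment, not lines from the linked post), the two ACL entries below show the difference. The `range 0 65535` match is one way to force the layer-4 check and is my assumption here, not necessarily the fix the post itself proposes; the network and list number are made up.

```text
! Before: no layer-4 match in the entry, so the router never looks at the
! TCP ports and the IPACCESSLOGP syslog line has no port numbers to show
access-list 101 permit tcp 10.0.0.0 0.255.255.255 any log

! After: the port-range match covers every port, so the same traffic is
! still permitted, but the router now inspects layer 4 and logs the ports
access-list 101 permit tcp 10.0.0.0 0.255.255.255 any range 0 65535 log
```

The match is functionally the same as the original entry; the only change is that the router is forced to parse the TCP header before deciding, which is exactly the side effect you want when the goal is a useful log line.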

Irongeek.com – Hacking Illustrated Videos – Something tells me that I’ve mentioned this site before but I can’t find the post. This is a great site with some great instructional security videos.

If you’re interested in learning how to test the security of your network by attacking it, Irongeek.com has a number of flash/AVI videos that walk you through the mechanics of specific attacks.

Notable entries:
Using Cain and the AirPcap USB adapter to crack WPA/WPA2
Cracking Windows Vista Passwords With Ophcrack And Cain
Passive OS Fingerprinting With P0f And Ettercap
SSH Dynamic Port Forwarding
Basic Nmap Usage
Boot from Phlak and run Chkrootkit to detect a compromise
Cain to ARP poison and sniff passwords

Suggested Blog Reading – Wednesday June 13th, 2007

Running…out…of…steam…must…get…sleep…this…week.

Here’s the list:

FBI aims to disrupt bot masters – Well one is in Texas so maybe we’ll see some stiff jail time.

The FBI announced on Wednesday that an ongoing cybercrime initiative, dubbed Operation Bot Roast, has identified more than a million PCs compromised with bot software and resulted in charges against three people for violations of the Computer Fraud and Abuse Act.

Darknet Videos – I love this idea. People don’t always understand the importance of security unless you present it to them in a way they can relate to.

I was thinking that the darknet authors should create videos when they write about different tools… It should be fun to see presentations… and also would bring darknet more hits…
I made a video for my previous article, and uploaded it to youtube: stealth techniques – syn

Classified US Intel Accidently Leaked via Powerpoint – If this isn’t a reason for implementing extrusion prevention policies I don’t know what is.

This is why these powerpoint slides should be made into .pdfs or flash presentations! The leak occurred via the data object used to create one of the slide graphs. Here’s the original article:

By reverse engineering the numbers in an underlying data element embedded in the presentation, it seems that the total budget of the 16 US intelligence agencies in fiscal year 2005 was $60 billion, almost 25% higher than previously believed.
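The leak lived in the data behind a chart, not in anything visible on the slide, so a release check needs to look at the file’s parts rather than the rendered deck. Here is an added example (my code, not from the linked article) that opens a PowerPoint 2007 .pptx as the zip it is and reports embedded objects under `ppt/embeddings/` and cached series values inside `ppt/charts/chartN.xml`; the part names are the OOXML conventions, and the sample deck is built in memory from constructed parts, not a real presentation:

```python
"""Report chart caches and embedded objects inside a .pptx (added example)."""
import io
import re
import zipfile

# OOXML part locations: embedded workbooks/OLE objects, and chart parts whose
# <c:numCache>/<c:strCache> carry the numbers used to draw the graph.
EMBEDDED_PART = re.compile(r"^ppt/embeddings/")
CHART_PART = re.compile(r"^ppt/charts/chart\d+\.xml$")
CACHE_VALUE = re.compile(r"<c:v>([^<]*)</c:v>")


def inspect_pptx(data):
    """Return (part name, kind, detail) for every place slide data is stored."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as deck:
        for name in deck.namelist():
            if EMBEDDED_PART.match(name):
                size = deck.getinfo(name).file_size
                findings.append((name, "embedded-object", "%d bytes" % size))
            elif CHART_PART.match(name):
                xml = deck.read(name).decode("utf-8", "replace")
                values = CACHE_VALUE.findall(xml)
                if values:
                    detail = "%d cached values, e.g. %s" % (len(values), values[:3])
                    findings.append((name, "chart-cache", detail))
    return findings


def build_sample_pptx(include_data=True):
    """Constructed sample deck: the minimum zip layout needed to exercise the check.

    With include_data=True it carries one chart with a numeric cache and one
    embedded workbook stub; with False it is a bare deck and should be clean.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as deck:
        deck.writestr("[Content_Types].xml", "<Types/>")
        deck.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        if include_data:
            deck.writestr(
                "ppt/charts/chart1.xml",
                "<c:chartSpace><c:ser><c:val><c:numRef><c:numCache>"
                '<c:pt idx="0"><c:v>12.5</c:v></c:pt>'
                '<c:pt idx="1"><c:v>47.5</c:v></c:pt>'
                "</c:numCache></c:numRef></c:val></c:ser></c:chartSpace>",
            )
            # Stub bytes standing in for an embedded workbook (constructed).
            deck.writestr("ppt/embeddings/Microsoft_Excel_Worksheet1.xlsx", b"PK\x03\x04stub")
    return buf.getvalue()


if __name__ == "__main__":
    for part, kind, detail in inspect_pptx(build_sample_pptx()):
        print("%-45s %-16s %s" % (part, kind, detail))
```

Run it over a deck before it is published: any `embedded-object` or `chart-cache` line means the file carries source numbers a reader can recover, and converting to PDF, or pasting the chart as a picture, is what removes them.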

10 reasons why the Black Hats have us outgunned – I think one of the items missing from the list is that it’s just not cool to be on the defensive. The perception has always been that being the blackhat cowboy is more fun than being the security pro sheriff.

So, you want to be a hacker? It’s as easy as…
