Waking up at 3am for no good reason is like getting punched in the face when you’re not looking. Those are my words of wisdom for the day. Talk amongst yourselves.
Here’s the list:
Why IT doesn’t really get security – Teach them a lesson. When they hand you their thumb drive, kindly thank them and put it in your pocket :)
Since I’ve started my new job there have been four (4) different occasions where members of the IT staff have given me their USB thumb drives to transfer data to. These are guys that I work with daily but I don’t know them and they don’t really know me. One guy even gave me a U3 drive.
Teaching Viruses and Worms – I think this would be a very good class to teach in parallel with a course on ethics in IT.
Computer science students should learn to recognize, analyze, disable, and remove malware. To do so, they must study currently circulating viruses and worms, and program their own. Programming is to computer science what field training is to police work and clinical experience is to surgery. Reading a book is not enough. Why does industry hire convicted hackers as security consultants? Because we have failed to educate our majors.
Google Ranked Worst In Privacy – For a company that prides itself on a “do no evil” motto they don’t understand the concept of protecting their user base.
This is a non-technical post and completely my own opinion (as if you asked). I’m sure you all have seen this by now, in the news, on blogs, or even on Google’s employees’ sites but it’s time for me to discuss my view on Google’s recent ranking of the absolute worst privacy of the top 23 companies chosen for scrutiny by Privacy International in their latest report. They ranked lower than anyone else looked at, and the list included companies like Microsoft, eBay, Yahoo and MySpace.
Security Education Conference – Toronto (November 20-21, 2007) – I wonder if I’ll be able to get away to attend?
The Security Education Conference is unique to central Canada and provides an opportunity for IT professionals to collaborate with their peers and learn from their mentors. Held this year at the Metro Toronto Center in downtown Toronto, this conference runs two days and features Keynotes from North America’s most respected and trusted experts. Speakers are security professionals with depth of understanding on topics that matter. This conference is a must-attend for every IT professional.
NY man pleads guilty to spamming AOL subscribers – Good…now change the venue to Texas and give him the chair.
Adam Vitale, 26, pleaded guilty in federal court in Manhattan to breaking anti-spam laws. He was caught making a deal with a government informant that sent spam e-mails advertising a computer security program in return for 50 percent of the product’s profits, prosecutors said.
“Defeating” Whole Disk Encryption, Part 3 – Part 3 in the series.
In Part One, we reviewed obtaining the last 16 characters of the PGP password from a computer that was live. In Part Two, we reviewed how to set up your VMware box so you can boot the image. In this post we will review the options for imaging the computer; be forewarned, neither is a perfect solution.
Citrix buys Caymas NAC assets – Golden rule in the networking business…don’t be the only company at the buzzword party without the latest buzzword solution as your date.
Citrix is buying the assets of NAC vendor Caymas Systems, which is out of business and whose products have some overlap with Citrix’s SSL VPN products.
A spokesman for Caymas says the company’s assets have been bought by Citrix, but did not reveal the price. Citrix spokespeople could not be reached this morning for comment.
Router’s responses to port scans – Just in case you forget what it looks like :)
Recently I was trying to figure out what the various port states reported by Nmap really mean. This is what’s actually going on:
- If a packet is intercepted by a router’s access-list, the router sends back an ICMP administratively prohibited packet. This is reported as a filtered port by Nmap (and probably as a stealth port by some other scanners).
- If you do a TCP SYN scan of a router and the scanned port is not active, the router sends back a TCP RST packet. This is reported as a closed port.
- If you perform a UDP scan of a router, the router sends back an ICMP port unreachable message if the UDP application is not active. This is reported by Nmap as a filtered port (even though in most cases it should be equivalent to a closed TCP port).
- In some cases, the router simply doesn’t reply to UDP scans (for example, if you scan the discard service). This is reported as Open|Filtered (as the scanner cannot reliably determine whether the probe was dropped due to a filter or simply not replied to).
I think we’re going to play the “how much golf can Andrew get in this week” game. :)
Here’s the list:
Introduction to Antispam Practices – Interesting read.
According to research conducted by Microsoft and published by the Radicati Group, the percentage held by spam in the total number of emails sent daily has been constantly growing since 2005. As a result, spam is expected to represent 77% of emails sent worldwide by 2009, amounting to almost 250 billion unsolicited emails delivered every day.
PHPIDS Released – I wonder how effective this will be?
This has been in development for quite a while, but the intention is to react (more like an IPS than an IDS) to potential attacks. From the site:
The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to.
It’s all about Network Flow – I’m a big fan of NetFlow in corporate environments. It becomes quite useful when you run out of span ports or don’t have the money for a passive flow collector or expensive tap. I haven’t had a chance to try out silktools but I look forward to giving it a shot.
It is undeniable that all the other projects are interesting too, but that doesn’t make my point here and I have no time to check them out yet. The main reason why I’m looking into silktools is because it also offers a wide range of analysis tools, like argus does. Instead of just doing flow data collection, one can perform in-depth analysis on the netflow data using the analysis tools packed with silktools. But again I found that all these great tools come with complexity, and that blows away a lot of newcomers.
And the answers please… – Hey, did you do last night’s homework? Can I take a look? I just want to check my answers…
@tlas and his gang do a fantastic job walking through each of the challenges, and a lot can be learned from just taking a look. Even better, they managed to pry the challenge source code out of Kenshoto’s hands (a feat they managed to pull off before I did) and have it posted, so that nearly the entire scenario can be recreated for ownage pleasure in your very own home. So go give it a look, you’ll learn a bunch.
Emerging Information Security Threats, 2007 – I can’t remember the last time Lenny posted something on his blog. I was starting to think the RSS feed was broken. Very good article though. Well worth the wait :)
As organizations erect barriers to protect their data, attackers are unleashing new ways of finding and exploiting weaknesses. The threat landscape is one of professional, highly skilled online criminals who create, buy or trade advanced tools that allow them to steal confidential company data, disrupt business operations or snatch logon credentials and other personal information. The teen-aged script kiddies who focused on compromising systems for fame and game are receding into the distant past. Today’s profit-minded attackers are more likely to carry a briefcase than a skateboard.
Managing expectations – a valuable skill and worth the time – This is a key skill in any business. I wish that the burger jockeys at the local fast food joint would take the time to understand this concept. Good post Michael!
One of the biggest things I have learned since I have been in IT is that you have to develop the skill of managing customer expectations (to clarify, the term “customer” means the people for whom you are doing your job – clients, users, etc.). If your customer believes you can perform a service that you cannot, then you have not done a good job in managing expectations, and you will likely end up disappointing him and hurting the professional relationship.
February 2007 Root Server Attacks – A Qualitative Report – Very good analysis and notes.
During the ISP Security BOF at NANOG 40 last week in Bellevue, Washington, John Kristoff of Neustar Ultra Services provided a nice summary of what actually occurred during the February 6/7, 2007 DNS attacks.
He began by providing a summary of the considerable amount of mis-information provided about the attacks, with his personal favorite being an article titled UltraDNS attack targeted G and L root servers (1st Update). I suppose I can see how such a title might prove a bit misleading. From there, John noted some of the more useful information provided at the time, and in particular that from a lightning talk at NANOG 39 by Dave Knight at the tail end of the attacks.
I know I say this on almost every Friday but boy am I glad it’s Friday.
That being said, it was only a matter of time before I missed one of my Suggested Blog Reading posts. Being out of the country for the first half of this week certainly caused some bumps in my normal routine. Hopefully I’m back on track and shouldn’t miss another post :)
I’d also like to take a moment to congratulate fellow blogger and CTO of Whitehat Security, Jeremiah Grossman, on being named to the 2007 InfoWorld CTO 25 list. He’s in good company for sure.
Here’s the list:
How to rate the value of your websites (Road to Website Security part 2) – Part two in the series.
Part 1 (How to find your websites) of the series describes a process for website discovery. This piece (part 2) describes a methodology for rating the value of a website to the business that many of our customers have found helpful. Website asset valuation is a necessary step towards overall website security because not all websites are created equal. Some websites host highly sensitive information, others only contain marketing brochure-ware. Some websites transact millions of dollars each day, others make no money or maybe a little with Google AdSense. The point is we all have limited security resources (time, money, people) so we need to prioritize and focus on the areas that offer the best risk-reducing ROI.
Let’s talk vulnerability discovery – Another quality post by Jeremiah.
Last year I began talking about how vulnerability “discovery” is becoming more important than disclosure as we move into the Web 2.0 era. Unlike traditional software, web applications are hosted on someone else’s servers. Attempts to find vulnerabilities, even with honest intentions, on computers other than your own are potentially illegal. Eric McCarty and Daniel Cuthbert serve as examples, as covered by Robert Lemos from SecurityFocus. Whatever your opinion on the issues, few outside the web application security field appreciate the finer points or understand the potential long-term effects. People have been listening though.
stealth techniques – syn – Good review of how powerful hping is.
This is a series of three forthcoming articles about stealth scanning; everything that I am going to present is hping oriented, so if you want to learn these techniques you’d better get a copy of hping.
This method is invoked when you give nmap the -sS parameter… so let’s start…
Encrypt a file in Windows – Reminder on how to hide your files from prying eyes.
If you’re sharing a computer with other users and don’t want them to read certain files, you’re going to need a decent protection mechanism. Fortunately, Windows provides a built-in encryption mechanism that protects your files at the file system level.
Windows Encrypting File System provides a file encryption technology used to store encrypted files on the NTFS file system. Once you encrypt a file or folder, you work with the encrypted file or folder just as you normally do. This means that you do not have to manually decrypt the encrypted file before you can use it.
On remote log injection attacks – Daniel actually showed me, on his laptop, just how easy it was to make this happen. I was amazed, as were the people running the projects involved, how easy it was to inject bogus data. Luckily Daniel is a good guy and let the proper people know about the issue prior to releasing his paper :)
A fun paper on remote log injection attacks from Daniel Cid (of OSSEC fame): “the goal of this document is to show some of the most common problems with log injections that we need to be aware when developing programs that parse log messages.”
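As an added illustration of the kind of parsing problem the paper warns about (my own constructed example, not code from Daniel’s paper or from OSSEC): a log-based blocker that grabs the first “from <addr>” token after the username can be steered by a username the remote client chose, while a parser that anchors on the trailing fields sshd itself appends and type-checks the address reports the real source. The log lines and the hypothetical parser names are constructed for this example.

```python
import re
import ipaddress
from typing import Optional

# Constructed sample lines in the shape of OpenSSH "Failed password" messages.
# Line 2 is the one to worry about: the username was chosen by the remote
# client and made to look like the tail of a legitimate message, so a blocker
# that trusts the first "from <addr>" would act on 198.51.100.9 (an innocent
# address) instead of the real source, 203.0.113.5, which sshd appends last.
SAMPLE_LINES = [
    "Jun 22 10:01:02 host sshd[4242]: Failed password for invalid user bob "
    "from 203.0.113.5 port 51512 ssh2",
    "Jun 22 10:01:03 host sshd[4242]: Failed password for invalid user "
    "bob from 198.51.100.9 port 22 ssh2 from 203.0.113.5 port 51513 ssh2",
]

# Naive rule: assumes the username is one token and takes the first
# "from <token>" after it, so user-controlled text decides what is captured.
NAIVE_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+)")

def naive_source(line: str) -> Optional[str]:
    m = NAIVE_RE.search(line)
    return m.group(2) if m else None

# Hardened rule: check the syslog header so only lines really logged by sshd
# are considered, anchor on the trailing fields that sshd itself appends (the
# peer address and port are always last), and type-check the captured address
# instead of trusting an arbitrary token.
HEADER_RE = re.compile(
    r"^\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ (?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$"
)
TAIL_RE = re.compile(r"^Failed password for .* from (?P<addr>\S+) port (?P<port>\d{1,5}) ssh2$")

def hardened_source(line: str) -> Optional[str]:
    h = HEADER_RE.match(line)
    if not h or h.group("prog") != "sshd":
        return None
    t = TAIL_RE.match(h.group("msg"))
    if not t:
        return None
    try:
        addr = ipaddress.ip_address(t.group("addr"))  # rejects non-addresses
    except ValueError:
        return None
    if not 1 <= int(t.group("port")) <= 65535:
        return None
    return str(addr)

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(naive_source(line), hardened_source(line))
```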
Recommended Windows Audit Logging Policy – This is a great post. People ask me all the time what types of events they should be logging. The ideal answer is “all logs” but in some environments this isn’t possible or practical. This article gives you some good suggestions on key events to log.
Here is a great post from Randy Smith on preferred Windows logging policy. This is indeed a very common question we face: what logging to enable (my guide on what logging to enable to assist with PCI compliance is coming soon).
Priamos Project – SQL Injector and Scanner – Interesting tool to try out. There is also a demo video to learn more.
You can search for SQL Injection vulnerabilities and inject a vulnerable string to get all Database names, Tables and Column data with the injector module.
You should only use PRIAMOS to test the security vulnerabilities of your own web applications (obviously).
Matasano Preps ‘Firewall Mixer’ – I’m anxious to give this a try. Since it runs on VMware it will be quite easy to evaluate and implement.
The new Clockwork software, currently in beta, provides centralized and easier-to-understand control and change management for multiple vendors’ firewalls. Firewalls are typically manually configured and managed separately. “The problem enterprises have is that they have 200 firewalls from multiple vendors and no control or change management for what the rules are, let alone any understanding of what all those rules mean and why they’re there,” says Thomas Ptacek, principal and founder of Matasano.