It’s amazing how much work can accumulate when you’re only gone from the office for two days. You can see from the short list of items today that I wasn’t overly impressed with the content out on the blogosphere. Once you weed out all of the postings about the IBM acquisition of Watchfire and the Julie Amero trial you’re not left with much to talk about 🙂
Here’s the list:
How to Deploy Vista Security – Piece by Piece – I have yet to install Vista but the improvements do make it sound…finally useable 🙂
There’s a bushel of security enhancements in Windows Vista – they comprise the most important aspect of the new operating system and the most compelling reason to upgrade, analysts say – but they’re not all perfect, nor are they silver bullets.
Common Event Exchange Formats – XDAS – Wow…this article brings up nearly all of my comments and concerns about “common” formats. Check it out.
CEE, the Common Event Expression standard which is a work in progress, led by Mitre. I was one of the founding members of the working group and I have been in discussions with Mitre and other entities for a long time about common event formats. Anyways, one of the comments to my blog entries pointed to an effort called Distributed Audit Service (XDAS). I have not heard of this effort before and was a bit worried that we started something new (CEE) where there was already a legitimate solution. That’s definitely not what I want to do. Well, I finally had time to read through the 100! page document. It’s not at all what CEE is after. Let me tell you why XDAS is not what we (you) want:
Could I Have a Side of Fries With That Security Please? – Interesting awareness idea.
Now, I’m not saying you should go out and buy McDonald’s biscuits and burgers, attach a security or privacy motto to them, and hand them out to everyone. Not only would the vegetarians likely be upset, but what company has an information security education budget to be able to afford that? Unless you could get the local McDonald’s…or Culver’s (my personal preference), or Dairy Queen, or Subway, or whatever…to donate enough of their tasty tidbits. Hmm…there’s an idea…
2007 Log Management Survey Detailed – I’m not shocked by the results. Everyone I speak with on the topic indicates that compliance is a primary driver for acquiring a log management solution.
Turns out that despite its importance, security is not the prime motivation for log management. More than half of those surveyed reported operations management and monitoring the health of the network as the prime motivation for using log data. And, 43% indicated compliance with SOX, PCI and other mandates as the top priority.
Now that I’m back home I hope that I won’t have to travel to Houston again any time soon. The city is nice but it involves quite a bit of time on a plane to get there and back 🙂
Here’s the list:
IBM to Buy Watchfire Security Software Firm – This is an interesting acquisition for IBM to improve their web application security offerings.
IBM, the world’s largest technology services company, said on Wednesday it will buy privately held security and compliance testing software company Watchfire Corp. for an undisclosed amount.
The deal is expected to close in the third quarter, International Business Machines Corp. said in a statement.
How to become a “security guru” – I someday hope to become a Gru as well 🙂
The most important issue facing you experts is that people aren’t going to listen to you most of the time. It doesn’t matter if you are the summer intern or the CEO: getting people to listen is hard. It’s not your job to “tell” people what the right answer is, but to “sell” your idea. If you get angry and poison your working relationships, you are not going to be an effective salesman. The reason experts get angry or frustrated is because they blame others for not listening to the “truth”, rather than blaming themselves for their inability to sell their ideas.
Additional Image Bypass on Windows – Another example of image bypass on a Windows machine.
Michael Schramm posted about another way to do image filter bypassing using alternate file streams on NTFS file systems. Pretty cool stuff (thinking outside the box of what a file really means on different systems).
Undercover Exploits and Vulnerabilities – This post presents a timeline of undercover exploits going as far back as 1988.
I am trying to keep this updated, but life intervenes. Please let me know if I’ve missed some (browser/office vulns?). Note the animated cursor bug in April ’07 does not fit the definition.
Some Enterprise Traffic Analysis – Wow, what a great resource to practice your traffic analysis skills.
Finally, we got some spare time to analyze a few traces available on the LBL-ICSI project website. We would like to extend a big thank you to these guys for making such a valuable resource publicly available.
First thing to note is that these traces have their payloads stripped, only the first 54 bytes are captured. This precludes some of the advanced features like PDU, Stream, and User Objects, from working. Secondly, we are better off doing “traffic analysis” rather than “protocol analysis” on this huge glob of data.
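To show what “traffic analysis” on a header-only trace looks like in practice, here is an added example (not code from the linked post or the LBL-ICSI project): it decodes the 54 bytes that survive in such a capture (14-byte Ethernet, 20-byte IPv4, 20-byte TCP headers) and builds flow counts and SYN-only connection-attempt counts from a few constructed frames with made-up addresses.

```python
import struct
from collections import Counter

# Constructed sample: 54-byte frames (Ethernet 14 + IPv4 20 + TCP 20) with no
# payload, mimicking a header-only trace. Addresses and ports are made up.
def _frame(src_ip, dst_ip, sport, dport, flags):
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp

SAMPLE_FRAMES = [
    _frame("10.0.0.5", "10.0.0.80", 40001, 80, 0x02),  # SYN
    _frame("10.0.0.80", "10.0.0.5", 80, 40001, 0x12),  # SYN-ACK
    _frame("10.0.0.5", "10.0.0.80", 40001, 80, 0x10),  # ACK
    _frame("10.0.0.5", "10.0.0.22", 40002, 22, 0x02),  # SYN to a second host
]

def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP headers of one 54-byte frame; None if not IPv4/TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4        # IPv4 header length in bytes
    if frame[23] != 6:                  # protocol field: 6 = TCP
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    t = 14 + ihl                        # start of the TCP header
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    flags = frame[t + 13]               # TCP flags byte
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "flags": flags}

def flow_summary(frames):
    """Packets per (src, dst, dport) and SYN-without-ACK attempts per source."""
    flows = Counter()
    syn_attempts = Counter()
    for f in frames:
        p = parse_frame(f)
        if p is None:
            continue
        flows[(p["src"], p["dst"], p["dport"])] += 1
        if p["flags"] & 0x12 == 0x02:   # SYN set, ACK clear: new connection attempt
            syn_attempts[p["src"]] += 1
    return flows, syn_attempts
```

Everything here comes from headers alone, which is exactly why the stripped traces still support this kind of analysis while stream reassembly and payload decoding are off the table.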
Survey: Microsoft IIS twice as likely to host malware – I kinda always knew 🙂
Web sites hosted on Microsoft’s Web servers are twice as likely to have embedded malware as those using the open-source Apache software, Google security researchers stated in survey results published on Tuesday.
The importance of vulnerability research – If we stop looking, we stop finding. That is as simple as I can put it.
Testing in-house and vendor-built software for security holes should be an enterprise priority, said a group of vulnerability research experts speaking on a panel at the Gartner IT Security Summit held here this week. But Rich Mogull, the Gartner analyst who hosted the panel, questioned how practical it would be for companies to dedicate the dollars and resources required for this testing.
Well my training session has completed and I head back home on the first thing smoking tomorrow morning. At the client site I was amazed to discover that the employees are mandated to take a ten minute break every hour. Not only are they told to take a break but their workstations actually lock them out after a specified period of time or after ‘x’ number of keystrokes. I’m fairly certain this would kill my productivity but it appears to work well for them. Very strange 🙂
Here’s the list:
2007 Security by the Numbers – Good set of statistics for use in your sales or technical presentations.
Phishing, spam, bot networks, trojans, adware, spyware, zero-day threats, data theft, identity theft, credit card fraud… cybercrime isn’t just becoming more prevalent, it’s getting more sophisticated and subtle every day. At least that’s the conclusion suggested by recent threat reports from major industry players and government organizations.
Iframe > malicious javascript > trojan, (Tue, Jun 5th) – Interesting analysis.
The server has since had the iframe removed. The owner was a little less than gracious when we spoke this morning. He was aware that it was compromised and infecting web users. If you are notified that a system you run or own is involved in an incident please take action as soon as you can.
My Presentation: Interop Moscow Keynote on Security Trends – Always a pleasure to read one of Dr. C’s presentations 🙂
Here is my recent keynote presentation on security trends from Interop Moscow (sorry, teaser version only – I plan to give it again some time)
SQLBrute – SQL Injection Brute Force Tool – New tool to check out.
SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time based and error based exploit types on Microsoft SQL Server, and error based exploit on Oracle. It is written in Python, uses multi-threading, and doesn’t require non-standard libraries (there is some code in there for pycurl, but it is disabled because it isn’t finished).
How to find your websites (Road to Website Vulnerability Assessment part 1) – Refresher of steps to take in order to start assessing a website for vulnerabilities.
I spend a lot of time with companies, mostly large and medium sized, who are interested in finding the vulnerabilities in their websites. Obviously the first step in the VA process is to first FIND the websites. Now this may come as a surprise to many, companies with more than 5 or 6 websites tend not to know what they are, what they do, or who’s responsible for them. And if they don’t know what websites they own, there is no hope of securing them.