
Suggested Blog Reading – Monday May 21st, 2007

Oh how I enjoy holiday Mondays…

Here’s the list:
Argus 3.0: Cisco Netflow – Good intro to using Argus with NetFlow if you’ve never been exposed to either before.

Cisco has improved and added new features to its IOS. I have found a few new features for Netflow that look pretty interesting to me, where you can capture more useful information. The most commonly used Netflow version is 5; I would like to try out version 9 (shiny? If any of you use version 9, I would like to hear from you). However, Argus doesn’t identify Netflow version 9 yet, thus I remain with the solid Netflow version 5. So here I start to export Cisco Netflow data to the Argus collector (probe).

Hiding Inside a Rainbow, Part 2 – Part Two in the series.

In my previous post about steganography and rainbow tables, I explained a technique to hide data in a rainbow table. The disadvantage of this method is that there is a way, albeit costly, to detect the hidden data. This is because we replace the random bytes that make up the start of the chain with the data we want to hide, thereby breaking the chain. A broken chain can be detected by recalculating the chain and comparing the recalculated hash with the stored hash. If they differ, the chain is broken.
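A constructed illustration of the detection check the excerpt describes, added here rather than taken from the linked post: a toy rainbow table (MD5 over a 4-digit space with a step-dependent reduction function, both toy choices) whose chain start points are overwritten with payload bytes, and a verifier that recomputes every chain from its start and flags those whose recomputed end hash no longer matches the stored one.

```python
import hashlib
import random

ALPHABET = b"0123456789"
PW_LEN = 4        # toy password space: 4 digits (assumption, not from the post)
CHAIN_LEN = 50    # hash/reduce steps per chain (assumption)

def hash_pw(pw: bytes) -> bytes:
    return hashlib.md5(pw).digest()

def reduce_hash(digest: bytes, step: int) -> bytes:
    # Step-dependent reduction so successive links do not collapse into loops
    n = int.from_bytes(digest, "big") + step
    out = bytearray()
    for _ in range(PW_LEN):
        out.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return bytes(out)

def chain_end(start: bytes) -> bytes:
    """Walk one chain from its start point and return the end hash."""
    pw = start
    for step in range(CHAIN_LEN):
        pw = reduce_hash(hash_pw(pw), step)
    return hash_pw(pw)

def build_table(n_chains: int, seed: int = 1):
    """List of (random start, end hash) pairs; seeded so results repeat."""
    rng = random.Random(seed)
    table = []
    for _ in range(n_chains):
        start = bytes(rng.choice(ALPHABET) for _ in range(PW_LEN))
        table.append((start, chain_end(start)))
    return table

def hide_payload(table, payload: bytes):
    """Overwrite start points with payload bytes, PW_LEN per chain.
    The stored end hash is left as-is, which is what breaks the chain."""
    chunks = [payload[i:i + PW_LEN].ljust(PW_LEN, b"\x00")
              for i in range(0, len(payload), PW_LEN)]
    for i, chunk in enumerate(chunks):
        table[i] = (chunk, table[i][1])
    return list(range(len(chunks)))

def find_broken_chains(table):
    """Recompute each chain; any mismatch against the stored end is a break."""
    return [i for i, (start, end) in enumerate(table)
            if chain_end(start) != end]
```

The cost the post mentions is visible here: the detector has to redo CHAIN_LEN hash-and-reduce steps for every chain in the table, i.e. the same work that generated it.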

Pre-connect NAC – The first building block of a controlled guarded enterprise LAN – Good overview of “pre-connect” NAC.

For those of you who are confused by the different terms, pre-connect NAC is the phase in which the identity of the device and the identity of its user are to be verified.

Litchfield on Oracle Live Response – I can’t believe I missed this one. Thanks Harlan/Richard!

Thanks to Richard Bejtlich, I learned this morning that David Litchfield, famed security researcher with NGSSoftware, has released a paper entitled Oracle Forensics Part 4: Live Response. In that paper, David starts off by discussing live response in general, which I found to be very interesting, as he addresses some of the questions that we all face when performing live response, particularly those regarding trust and assurance…trusting the operating system, trusting what the tools are telling us, etc.

More Terms from Logging Glossary Published – I can’t wait to see how this list grows.

As I mentioned here, I started publishing the LogLogic Logging Glossary. Here are the terms and definitions published so far:

Alert
Audit Logging
Context Information

Windows Home Server versus Linux or BSD – I don’t think I’ll be up late at night pondering which to choose 😛

Last year whenever people asked me what to use when building a home server, I’d tell them to use Linux or FreeBSD because there was absolutely nothing from Microsoft under a few hundred dollars. There was no way anyone would spend a few hundred dollars on Windows Small Business Server so Linux or FreeBSD was their only choice. With Windows Home Server on the horizon, Microsoft might just steal a piece of the home server appliance market from Linux.

This Old Vulnerability: Sendmail 8.6.9 – I think these articles are a fantastic idea. Simply telling people that sendmail is/was vulnerable just doesn’t cut it. Showing some historic examples will drive the point home. Someone give this guy a laptop 🙂

Today on This Old Vulnerability, we will take a quick tour through a classic metacharacter/delimiter injection attack. Our petri dish will be Sendmail 8.6.9 (and 8.6.10). The vulnerability was caused when sendmail would take input from a remote identd (the username) and blindly write it into a sendmail queue file.
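As an added, constructed example (not sendmail's code and not from the linked article): a strict parser for an RFC 1413 ident reply of the form `<server-port> , <client-port> : USERID : <opsys> : <user-id>` that refuses the remote-controlled user-id whenever it carries control characters, delimiters or an unexpected shape, so that nothing reaching the queue file can inject a new line. The accepted user-id character set and the 64-byte limit are assumptions.

```python
import re

# Conservative allow-list for what may be stored from a remote ident answer
# (assumption; sendmail's actual rules are not on the page).
SAFE_USERID = re.compile(rb"^[A-Za-z0-9._-]{1,64}$")

def parse_ident_reply(reply: bytes, query_ports):
    """Return the user-id from an ident reply, or None when anything is off.

    query_ports is the (server_port, client_port) pair we asked about; the
    reply must echo it. Any CR, LF, NUL or other control byte anywhere in the
    line is rejected, which is exactly the delimiter-injection case.
    """
    if not reply.endswith(b"\r\n"):
        return None
    line = reply[:-2]
    if any(c < 0x20 or c == 0x7F for c in line):
        return None
    parts = line.split(b":", 3)
    if len(parts) != 4:
        return None
    ports, kind, _opsys, userid = (p.strip() for p in parts)
    if kind != b"USERID":
        return None
    try:
        sport, cport = (int(p.strip()) for p in ports.split(b","))
    except ValueError:
        return None
    if (sport, cport) != tuple(query_ports):
        return None
    if not SAFE_USERID.fullmatch(userid):
        return None
    return userid.decode("ascii")
```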

Enumerate Windows Users In JS – Creepy-cool!

Sergey Vzloman is at it again… He sent over a really interesting piece of demo code (he tested it in IE6.0 and FF – I was only able to test it in Firefox) that enumerates users on Windows systems. Right now, as the code stands in his demo (with only minor tweaks from me) it only tries four accounts and is intentionally noisy to show what it’s doing, but it works pretty well.

Suggested Blog Reading – Friday May 18th, 2007

Friday already. I have to remember to go to the butcher tomorrow morning to pick up my brisket….mmmm…..brisket. On another note, I’ve noticed a decrease in posting on my RSS feeds today. I suspect that this may be due to everyone getting ready for Interop in Vegas next week.

Here’s the list:

pwdump6 1.5.0 as well as fgdump 1.5.0 Released for Download – New versions of some great tools.

A while ago some updates of pwdump and fgdump were released, namely pwdump6 1.5.0 as well as fgdump 1.5.0.

Version 1.5.0 of both programs takes advantage of some changes which make them less likely to be detected by antivirus, at least as of today. This will be particularly helpful to those of you dealing with recent, more aggressive AV solutions. The README file for pwdump6 has also been updated to give some examples, as it seems some folks were having a hard time figuring out how to get started with it.

Does Using “Certified” Software Products Improve Compliance? – What does “Certified” really mean anyway?

You see software vendors touting that their products have been certified and that they will help companies meet “compliance,” but I have found very little research into what this really means, or if it means anything at all.

Estonian DDoS Attacks – A summary to date – Good analysis of the issues that Estonia was facing.

Largest attacks we measured: 10 attacks measured at 90 Mbps, lasting upwards of 10 hours. All in all, someone is very, very deliberate in putting the hurt on Estonia, and this kind of thing is only going to get more severe in the coming years.

Gone in 120 seconds: cracking Wi-Fi security – Does it scare you? It should.

When WEP was compromised in 2001, the attack needed more than five million packets to succeed. During the summer of 2004, a hacker named KoreK published a new WEP attack (called chopper) that reduced by an order of magnitude the number of packets requested, letting people crack keys with hundreds of thousands of packets, instead of millions.

Last month, three researchers, Erik Tews, Andrei Pychkine and Ralf-Philipp Weinmann, developed a faster attack (based on a cryptanalysis of RC4 by Andreas Klein) that works with ARP packets and just needs 85,000 packets to crack the key with a 95 per cent probability. This means getting the key in less than two minutes.

Suggested Blog Reading – Thursday May 17th, 2007

It’s May…and it’s snowing. Snow!?!?!?!

Here’s the list:

The Windows Vista Security Blog is Back – Sometimes it’s better to lay low while the dust settles 🙂

We’re back! You’ve probably noticed that the blog hasn’t been updated much lately. We’re going to change that and you can expect to see regular posts again. Windows Vista has been publicly available for over 100 days now, and we think we’re holding up pretty well. As we said, no software is 100% perfect and will contain vulnerabilities, but overall it’s nice to see the new security features in Windows Vista and the defense in depth strategy paying dividends. Look for more posts about Windows Vista security technologies soon.

ISIC – IP Stack Integrity & Stability Checker – Another tool to check out.

ISIC is a suite of utilities to exercise the stability of an IP stack and its component stacks (TCP, UDP, ICMP et al.). It generates piles of pseudo-random packets of the target protocol. The packets can be given tendencies to conform to, i.e. 50% of the packets generated can have IP options, 25% of the packets can be IP fragments… But the percentages are arbitrary and most of the packet fields have a configurable tendency.

NSM tip : Watch out for the quiet ones – I’m looking forward to the upcoming Unsniff release.

The Unsniff beta build (1.5) we are using at the site has a Top-N feature for a whole set of statistics (IPs, MACs, conversations, protocols, subnets, interfaces, etc). This is a fairly common feature in many tools. We ran Top-N for a while on one of their key entry points. It was fine and produced great results from a traffic analysis point of view. Day in and day out, these Top-N lists feature the same hosts/subnets at the same time of day.

From a Network Security Monitoring (NSM) angle, this kind of data invariably features entities that already have a high trust level. Most Top-N analyses are soon taken over by the “usual guys” like Exchange, company video streaming, training, VoIP and so forth.

When Good Intentions Go Bad – You know what they say about the road to hell being paved with good intentions 🙂

The author of W32.Uisgon.A appears to have been a computer science student who wanted to collect samples of viruses that were being brought into his college by USB sticks.

So he wrote a program that copies suspected virus samples to a Windows share and a ‘good’ worm to propagate his program. The worm copies itself to network shares and USB sticks and runs the sample collector from a remote Windows share.

Eventually, he intended to terminate the worm by replacing the sample collector on the Windows share with a fixtool.

However, his design resulted in the worm infecting machines outside his university and well beyond his control. In particular, USB sticks weren’t just plugged into computers within his university network, but computers outside the university as well, causing his worm to spread uncontrollably. Once the worm began spreading outside the university he had no way to terminate those copies, as he had no way of accessing them.

The end result is a ‘good’ worm that is infecting computer networks in-the-wild and is no better than the ‘bad’ worms it was supposed to catch.

Researcher Reveals 2-Step Vista UAC Hack – Hack Vista, cha-cha-cha, one, two, cha-cha-cha.

Paveza said in the paper that the vulnerability uses a two-part attack vector against a default Vista installation. The first step requires that malware called a proxy infection tool be downloaded and run without elevation. That software can behave as the victim expects it to while it sets up a second malicious payload in the background.
