I wanted to point out the following post from Andy Willingham’s blog called Time to think. It’s not really security related but does illustrate a good point — Make sure you always have your resume up to date. I was told a long time ago that if you stop looking at job postings then you might miss your dream job. Those are my words of wisdom for the day 🙂

Here’s the list:

Comprehensive SQL Injection Cheat Sheet – I was looking for something like this yesterday. Perfect!

Currently only for MySQL and Microsoft SQL Server, some ORACLE and some PostgreSQL. Most of samples are not correct for every single situation. Most of the real world environments may change because of parenthesis, different code bases and unexpected, strange SQL sentences.

Samples are provided to allow reader to get basic idea of a potential attack and almost every section includes a brief information about itself.

Fact or Fiction: The future of SIMs – I completely agree with you Raffy…SIMs can do active response although some do not do it very well. I’m wondering if he meant that you might get burned with active response unless you totally understand how it works prior to enabling it? I’ve seen situations where people have enabled active response mechanisms only to find that they didn’t exclude core routers from the block list…effectively bringing down their network in the middle of the night.

I was just listening to this podcast about security information management (SIM) systems. Tom Bowers from Information Security magazine is talking about various topics in SIM. Unfortunately I have to disagree with Tom on a couple of points, if not more.

Malware Stats or Ghost in the Browser – I’ll have to give this paper a read.

I found an interesting link after visiting Zeno’s post on a Malware paper produced by Google to document malware on the internet. Firstly, let me start by saying, this is a really good paper, as it discusses the ways in which malware propagates. Not that it’ll be news to anyone who reads this site religiously, but it’s still interesting to see all our theories validated.

Secondly, be wary of the statistic 1 out of 10 websites have malware. Google hand selected 17 million and only did a deep dive into 4.5 million sites out of their own repository. It’s well known that Google does not spider the entire internet (it’s a very small portion in reality) and also, they picked those URLs because they were likely conduits. They weren’t arbitrary. So let’s just take that statistic off the table. Yes, the Internet is a scary place, but not 1 out of 10 sites actively trying to screw you scary.

Great New Site for Data Loss Statistics – Good for presentations to customers/clients

There is a great new site, etiolated.org, that takes the privacy breach data accumulated by attrition.org and parses it into some very interesting statistics, trends charts, provides areas for commentary, and lots of other interesting and useful information.

Critical Unicode Flaw Undercuts Firewalls, Scanners – Maybe it’s time to give your vendor a call and see how things are progressing?

The U.S. Computer Emergency Response Team is reporting a network evasion technique that uses full-width and half-width unicode characters to allow malware to evade detection by an IPS or firewall.

The vulnerability affects virtually every major firewall and intrusion prevention system available, including products from Cisco Systems. Given Cisco’s major share of the market, at least for enterprise routers and VPN and firewall equipment—according to Gartner, Cisco was at the top of the heap with 66 percent of that market in 2006—that means most businesses will be affected.

Deployment Best Practices Series – Deployment Expertise – Cisco NAC specific article but it’s very thorough.

Many organization sfall victim to “I thought I could get it working” and then really do not receive the benefits of NAC Appliance. This is the reason why to have a successful deployment you must have experience with the product.

For the first golf round of the season I think I did quite well. I am, however, a little sore after using muscles that haven’t been used all winter.

Here’s the list for today:
SPAM and Anti-Spam – Article from the SANS Information Security Reading Room

Unintended consequences – It doesn’t really hit you until you see the graph.

You know what would be really scary? To have the same “success” with the SPY-ACT as we did we CAN-SPAM. In that event, the only people being helped would be security vendors. In other words, good for me, bad for you.

Here come the “rolling” scanner reviews! – I wish they did these reviews more often (with as little marketing spin as possible).

It’s been too long since the web application security industry had a good in-depth review of the various vulnerability assessment solutions available. And never have any in the past included software-as-service-models like ours from WhiteHat. Network Computing’s Strategic Security: Web Applications Scanners review plans to test products from Acunetix, Cenzic, N-Stalker, SPI Dynamics, Syhunt Technology, Watchfire and WhiteHat Security. Thankfully they have Jordan Weins conducting the reviews rather than someone with extremely limited domain knowledge. For those who recall, Jordan is not there average journalist. I personally got to see him win Security Innovations’s Interactive Testing Challenge web hacking competition. This should be really interesting to watch unfold!

Implementing SOA Patterns: The Service Firewall – Brought to you by the letters ‘S’, ‘O’, and ‘A’ (I hate that acronym!). Good article though 🙂

The Service Firewall becomes, then, more difficult to implement because there are several ways in which it can implemented, using several different technologies. You could use BIG-IP Application Security Manager (ASM) as a centralized WAF to implement the pattern, placing ASM at the edge of the network as a transparent or inline proxy-service that bi-directionally scans messages for potential threats. This has the advantage of providing protection for all services and reduces complexity through centralization. You could also use iRules to implement any number of centralized, reusable threat-based protections, particularly those launched via content and connections, such as an xDoS attack. This has the benefit of customization to the environment, but may not offer advanced features included in WAF products such as signature scanning and policy-based security. Neither address logic-based exploits, which are typically cited as the primary driver for custom-code based security solutions in a SOA environment.

Weird IE7 Event Log – Good article as well as a link to a new forensic oriented blog here: http://breach-inv.blogspot.com/

Too me this looks like a failed attempt to install a new event log. I tried to “repair” the log on my test system by adding the usual configuration like file name, file size, retention time and a primary module. So far the log file is still empty. So I ask: Has anybody encountered a properly configured and non-empty IE7 event log?

I’m quite happy that the golf courses are starting to open up. In fact I think I’ll go tonight for 9 holes 🙂

Here’s the list for today:

Social Engineering & the Need for Awareness & Training: Fraudsters Are Calling Businesses Pretending to Be SEC Staff Members – Good angle of attack.

On May 10th the U.S. Securities and Exchange Commission (SEC) issued a press release warning that imposters were calling companies, claiming to be SEC examiners, and demanding “immediate access to confidential records.”

New Release of Libewf – Will have to give it a whirl…

The program library libewf supports the SMART and EnCase data formats which are widely used in disk imaging. The library compiles under Linux, *BSD, OS-X and Microsoft Windows. The latest version was released on May 12, 2007 by its authors Robert-Jan Mora and Joachim Metz.

Filipino Cybersleuth Named World’s Best For 2007 – That’s quite the honor. I wonder if he’ll be talked into leaving for a position in North America?

A Filipino cybersleuth was awarded the world’s best computer investigator for 2007 by an international organization of computer forensics experts.

Alexander Ramos, a computer forensics analyst with the Philippine National Police, was awarded the 2007 Timothy Fidel Memorial Award by organizers of the Computer Enterprise Investigations Conference for his work in cracking down a hacking group that preyed on telecommunications networks worldwide.

VoIP Security Testing Tools List from VoIPSA – I find it funny how big VoIP testing is these days. I wonder if consultants are starting to see an influx of requests for VoIP related security engagements.

This list was developed to address the current void of VoIP security testing resources and sites, for vendors and VoIP users alike. It is separated into the following seven broad categories:

* VoIP Sniffing Tools
* VoIP Scanning and Enumeration Tools
* VoIP Packet Creation and Flooding Tools
* VoIP Fuzzing Tools
* VoIP Signaling Manipulation Tools
* VoIP Media Manipulation Tools
* Miscellaneous Tools
The key objectives of the list are as follows:
1. Provide links to tools that help test the efficacy of implemented best practices outlined by VOIPSA’s Best Practices Project.
2. Facilitate the open discussion of VoIP security tool information to help users better audit and defend their VoIP devices and deployments.
3. Provide vendors the information needed to proactively test their VoIP devices’ ability to function and withstand real-world attacks.

Forensic Laws – Quite a few comments materialized from this post.

I mentioned a concept or idea in my book, but I wanted to follow up on it a bit…I believe to be a theorem. Okay, maybe not a theorem (there’s no math involved), so how about a law. Let’s call it the First Law of Computer Forensics. Yeah, yeah…that’s the ticket! Kind of like “Murphy’s Law”.

Using Rootkits to Defeat Digital Rights Management – Well written article.

The Sony rootkit debacle highlighted the use of rootkits to prevent pirates and authors of CD burning, ripping, and emulation utilities from circumventing Digital Rights Management (DRM) restrictions on access to copyrighted content. It’s therefore ironic, though not surprising, that several CD burning and disc emulation utilities are also using rootkits, though the technology is being used in the opposite way: to prevent DRM software from enforcing copy restrictions.

Because PC game CDs and DVDs do not need to be compatible with set-top players software vendors can store data on media in unorthodox ways that require software support to read it. Attempts to make a copy of such media without the aid of the software results in a scrambled version and the software has DRM measures to detect and foil unauthorized copying.

Introduction to Identity Management – Part III – The third, and final part, in the Identity Management series.

Mergers and acquisitions tend to grow IT organizations horizontally. Companies such as Johnson and Johnson or Proctor and Gamble may have dozens of divisions that developed as the result of such activity. The challenge of integrating processes and personnel is big enough without trying to force a common directory environment. In these cases, the Meta Directory shines. As we mentioned early, today’s LDAP products are incredibly flexible in their ability to synchronize with AD, Novell, and other LDAP directories. By leveraging this capability, an organization can maintain a common Meta Directory that contains information from every business unit, without ever changing the way that business unit operates. Something as simple as a company Whitepages can scale very easily to include new divisions using this method.