Category: Suggested Blog Reading

Suggested Blog Reading – Friday May 11th, 2007

F.R.I.D.A.Yay!!!!!

Here’s the list for today:

Do we need 100Gbps IPS? – I don’t see why we wouldn’t but it sounds like Alan’s main problem is the profitability of the company, not the product itself.

To me this is just a classic case of my marbles are bigger than your marbles. This boys-and-their-toys mentality may be great for NASCAR racing, but this kind of folly will, I think, continue to drag down the bottom line over at 3Com. Who are they going to sell a 100Gbps IPS to, and how many can they buy? I disagree with Masri that 100Gbps is at the core of enterprise networks. I can understand being out in front of a market, but when you haven’t been profitable for 6 years and, as the article points out, because of the financial structure involved in the H3C partnership buyout, allocations of expenses make it harder to show profitability, can you afford to chase white elephants?

PPT Metadata – Sounds like a good script. I haven’t quite made it to chapter 5 yet 🙂

I received an email recently asking if I had any tools to extract metadata from PowerPoint presentations. Chapter 5 of my book includes the oledmp.pl Perl script, which grabs OLE information from Office files; this includes Word documents, Excel spreadsheets, and PowerPoint presentations. I’ve run some tests using this script, and pulled out things like revision number, created and last saved dates, author name, etc.

Why Security Pros Use Macs – Interesting points. I purchased my MacBook so that I could have the power of Unix with the usability of Windows (without the frequent crashing).

Laptops are tools. You use them to provide a service to a vast array of clients. What tool is going to enable you to multi-task the best, save you time, and serve the broadest possible customer base?

Snort 3.0 licensing – Marty chimes in on the recent Snort 3.0 licensing.

If you want to know what Snort 3.0’s licensing language is going to be, try reading it. It’s available in the first Snort 3.0 pre-alpha release I did last month and we’re using the GPL. Apparently it was hard to locate because it was in a file called COPYING instead of one called LICENSE. The origin of naming the license file COPYING comes from the FSF as I recall and is typical of most GPL projects. Anyway, to avoid further confusion (and so I can tell people to look at my blog if it comes up!) I’ll post the preamble that we added to the COPYING file before the GPL license language in Snort 3.0 right here

Blogging on corporate laptops is risky business – …as I blog this from my work laptop during my lunch break 🙂

When employees fire up their company-issued mobile devices at home or at the airport, they often use the technology for both business and personal pursuits like blogging. According to one industry expert, it’s a very dangerous trend.

Hardware Security Modules: part I – the basics – The quality of articles from these guys never ceases to amaze me.

HSMs and PKI are pretty big subjects, and putting every piece of information about them into a blog post would make it fairly unreadable. What follows is therefore a basic primer of information you will need to understand before I go any further with the meat of the issue, which I hope will be expanded on arising from any questions that people may have. If you know this already, great stuff, we’ll pick up on the actual HSMs tomorrow.

Removal Instructions for Trojan.Kardphisher – Tuck this one away in case you get infected.

In the blog entry MS Needs Your Credit Card Details?, we detailed the behavior of the Kardphisher Trojan, which “attempts to steal credit card numbers by tricking the user into entering their credit card details to activate Windows.” This entry explains how to remove the Trojan.

Suggested Blog Reading – Thursday May 10th, 2007

Again I let the post slip to noon. Must be the nice weather outside 🙂

Here’s the list for today:

Bots on the Corporate LAN – I agree with his comment in the article: “So it’s obvious that there are bots on corporate networks, but it’s not obvious how serious a problem it is.” Until a massive outbreak happens to your organization, most will continue to consider a bot infestation something that happens on “other organizations’” networks.

Opinion: Of course bots exist on corporate networks, but how big a problem are they? It could be that nobody knows.

People like me, who write about security, are flooded with reports on the state of malware. They’re often valuable enough and say interesting things, but on certain points they are invariably, and infuriatingly, vague.

Retailers haven’t learned from TJX – still running WEP – I guess my above statement applies to this as well 🙂

When I blogged earlier this week about TJX’s failure to secure their wireless LAN and how it may end up costing TJX a billion dollars, I knew that it was merely the tip of the iceberg with so many retailers still running WEP encryption. As if WEP wasn’t already broken enough, WEP is now about 20 times faster to crack than in mid-2005 when TJX’s WEP-based wireless LAN was broken and I knew from experience that most retailers were still running WEP. I decided to stroll through town and check on some of the largest retail stores in the country to see how they’re doing today. The reason I looked at the large retailers is because they’re the big juicy targets with millions of credit card transactions that the TJX hackers love. What I found was truly disturbing and I’m going to tell you what I found.

More on Snort 3.0, GPL and derivatives – Word on the street is that Marty was saying some things in the IRC channel that a man in his position shouldn’t have been saying.

In response to my post yesterday a few comments (you can click on the right column to see them) have responded that as GPL, there is nothing really changing with Snort 3.0; Sourcefire, in order to “avoid misunderstandings”, is defining what they consider to be a derivative work. I think therein lies the rub. What Sourcefire is saying is that if you want to do a front end for Snort, you can do so and just point people to snort.org to download Snort, which will run separate and apart from the front end (let’s not even talk about rules for the moment).

Forensics in the Enterprise – I was sent a demo copy of EnCase v5 but I never got around to playing with it.

I had the opportunity last night to attend a demo of Guidance Software’s EnCase Enterprise product. I use the standalone version of their product, EnCase Forensic already, and the Enterprise edition looks like an interesting extension.

EnCase Forensic runs on a single Windows workstation and allows you to image suspect hard drives and conduct detailed analysis on their contents. It’s got a number of handy features built in, like the ability to do keyword searches, extract web viewing history and identify email messages. Pretty nice, and it makes most common forensic tasks a breeze.

How To Back Up MySQL Databases Without Interrupting MySQL – Good bit of information to have.

This article describes how you can back up MySQL databases without interrupting the MySQL service. Normally, when you want to create a MySQL backup, you either have to stop MySQL or issue a read lock on your MySQL tables in order to get a correct backup; if you don’t do it this way, you can end up with an inconsistent backup. To get consistent backups without interrupting MySQL, I use a little trick: I replicate my MySQL database to a second MySQL server, and on the second MySQL server I use a cron job that creates regular backups of the replicated database.
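The replica-plus-cron trick the excerpt describes, as an added example that is not the quoted article's own script: a POSIX sh job meant to run from cron on the second (replica) server. It pauses only the replica's SQL thread for the duration of the dump, so the primary is never locked or stopped, and it refuses to take a backup from a replica whose threads are down or that has fallen too far behind. Everything below is assumed rather than taken from the page: the `BACKUP_DIR` path, the `MAX_LAG` threshold, credentials in `~/.my.cnf`, and the `--run` flag used from the crontab.

```shell
#!/bin/sh
# Added example, not code from the quoted HowtoForge article. Runs on the
# *replica*: pauses the replication SQL thread, dumps a consistent copy,
# then resumes replication. Assumptions (hypothetical, adjust to taste):
# mysql/mysqldump on PATH, credentials in ~/.my.cnf, BACKUP_DIR writable.
umask 077                                   # dumps hold every row; keep them private
BACKUP_DIR="${BACKUP_DIR:-/var/backups/mysql}"
MAX_LAG=60   # refuse to back up a replica more than this many seconds behind

# Parse `SHOW SLAVE STATUS\G` output (MySQL 5.x field names). Returns 0 only
# when both replication threads run and Seconds_Behind_Master <= MAX_LAG.
replica_is_healthy() {
    io=$(printf '%s\n' "$1" | sed -n 's/^ *Slave_IO_Running: *//p')
    sql=$(printf '%s\n' "$1" | sed -n 's/^ *Slave_SQL_Running: *//p')
    lag=$(printf '%s\n' "$1" | sed -n 's/^ *Seconds_Behind_Master: *//p')
    [ "$io" = "Yes" ] && [ "$sql" = "Yes" ] || return 1
    case "$lag" in ''|*[!0-9]*) return 1 ;; esac   # NULL or garbage => unhealthy
    [ "$lag" -le "$MAX_LAG" ]
}

# Dump file name for a timestamp, e.g. all-databases-20070511-0200.sql.gz
backup_name() {
    printf 'all-databases-%s.sql.gz' "$1"
}

do_backup() {
    status=$(mysql -e 'SHOW SLAVE STATUS\G') || return 1
    replica_is_healthy "$status" || { echo "replica unhealthy, skipping" >&2; return 1; }
    mkdir -p "$BACKUP_DIR"
    out="$BACKUP_DIR/$(backup_name "$(date +%Y%m%d-%H%M)")"
    # Stop applying relay-log events so the dump sees one point in time,
    # whatever the storage engine; the IO thread keeps fetching binlogs.
    mysql -e 'STOP SLAVE SQL_THREAD' || return 1
    trap 'mysql -e "START SLAVE SQL_THREAD"' EXIT   # resume even if we die
    rc=0
    mysqldump --all-databases --routines --triggers > "$out.tmp" || rc=$?
    mysql -e 'START SLAVE SQL_THREAD'; trap - EXIT
    [ "$rc" -eq 0 ] || { rm -f "$out.tmp"; return "$rc"; }
    gzip -c "$out.tmp" > "$out" && rm -f "$out.tmp" && gzip -t "$out" || return 1
    find "$BACKUP_DIR" -name 'all-databases-*.sql.gz' -mtime +14 -delete   # 2-week retention
    echo "$out"
}

# Constructed sample of `SHOW SLAVE STATUS\G` output, used for a dry run.
SAMPLE_STATUS='             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: 2'

case "${1:-}" in
    --run) do_backup ;;                                     # crontab: backup_replica.sh --run
    *)     replica_is_healthy "$SAMPLE_STATUS" && echo "sample replica healthy" ;;
esac
```

Pausing the SQL thread rather than relying on `--single-transaction` keeps the snapshot consistent for MyISAM tables too, which the excerpt's read-lock warning is really about; the health check matters because a replica that silently stopped days ago would otherwise produce a stale but perfectly valid-looking backup.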

Suggested Blog Reading – Wednesday May 9th, 2007

Little late posting this one today…better late than never!

Here’s the list for today:

Note to Universities: Web Sites Providing A Security Breach Playground – Remember when universities were only breeding grounds for STDs?

While I was compiling the Educational Security Incidents (ESI) Year in Review – 2006, I noticed something interesting. Of the 83 information security incidents in 2006 reported by colleges and universities, 20 such incidents were due to Unauthorized Disclosure. Unauthorized Disclosure on ESI is defined as incidents involving the release of information to unknown and/or unauthorized individuals. In other words, Unauthorized Disclosure tends to involve employee or organizational mistakes at some level.

Management and security: Still separate but equal? – Should they really be separate?

I’ve said it before and I’ll say it again: It makes sense to use certain technologies to both manage and secure your network. Yet while vendors continue to provide integration between, say, configuration management software and endpoint security products, most companies are keeping the tools separate — for now.

Liability of reverse engineering – I’m not sure where I stand on this…

Christopher Hoff asks an admittedly naïve question: “If I … engage in reverse engineering of a product that is covered by patent/IP protection and/or EULA’s that expressly forbids reverse engineering, how would I deflect liability for violating these tenets …”.

This reflects that while such issues are frequently discussed in our industry, few know what the words actually mean. For example, reverse-engineering a patent is a contradiction in terms, because you can just read the patent rather than reversing the code that implements a patent.

Automated Security Scanning Considerations – Good article.

I noticed a question on a listserv that I monitor. The person asked for an opinion on how an auditor might look at an automated vulnerability scanner that logs into the target host and performs local checks. Many vendors have been doing this for a while now. It is a great feature that really allows these tools to help companies ensure that their systems are maintaining compliance with company policies and procedures. It also assists with change management and security validation as well.

Is Snort 3.0 going to be open sourced? – I think it would be a mistake to close the source on this now. It would only look bad on Marty.

This is a question which has come up recently and I understand was a recent topic on a Snort IRC channel. It seems recent comments by me and on our podcast have raised some questions about what the future course of licensing for new versions of Snort is going to be. I also spoke about this with Thomas Ptacek of Matasano a while back and we never finished our conversation. Obviously, I am not the final word on this topic and you should look at Sourcefire for the definitive answer. However, that being said, my understanding is that Snort 3.0 will have some license changes. My belief is it will still be open sourced and released under a GPL license, as Marty Roesch has said many times. However, the licensing change, again from what I understand, will deal with people who embed Snort into their applications and under the current license do not fall under the derivative clauses of the GPL. So under Snort 3.0 there will be changes to the base GPL as to what constitutes a derivative work. My opinion is that in essence what is happening here is Sourcefire is going to move Snort to more of a dual-licensed system.

The five phases of recovering digital evidence – Part 2 in the series…

This is the second post in a series about the five phases of recovering data structures from a stream of bytes (a form of digital evidence recovery). In the last post we discussed what data structures were, how they related to digital forensics, and a high level overview of the five phases of recovery. In this post we’ll examine each of the five phases in finer grained detail.

Another educational institution, another SIEM eval – Most people, just like Michael Farnum, complain about the cost of a SEM/SIM/SIEM solution without taking the time to think about the people power required to do the same task. Think of the sick days, vacation, salary, and compensation package money saved by a product of this nature. Michael also complains that the correlation doesn’t work. Sure, out of the box it may not be able to handle all security events properly, but that is where tuning comes into play. Just like any piece of hardware on your network, you can’t expect it to work for every environment out of the box…it has to be customized to your environment and policies.

I went to another client of ours from an educational institution (this time in Dallas), and they were similar to the client I spoke of in my last post. However, this site seemed to be a bit more proactive when it came to security, and he didn’t seem near as stressed as the other client.

Report available for WASC’s Distributed Open Proxy Honeypot Project – It’s quite a good report. Lots of detail.

Ryan C. Barnett, WASC’s Distributed Open Proxy Honeypot Project Lead, released his first Threat Report! This is wicked cool stuff.

That’s all for today…I’m busy 🙂
