Thursday and lots of meetings. Didn’t quite catch up on everything I wanted to yesterday but I’ll have to tackle that this morning.
Here’s the list for today:
Rain Forest Puppy comes out of retirement – He’s alive!
4 years after retiring from the public security scene, rain forest puppy (rfp) breaks his silence and agrees to an interview where he shares his thoughts. For those that haven’t been around webappsec that long, rfp is one of the REAL pioneers of the industry who contributed a ton of cutting-edge research that we still use today. You’ll also notice that he’s a very humble guy who prefers to continue giving back rather than taking the credit he deserves. Welcome back rfp.
The 6 Steps of Incident Handling in Action PICERL – the easiest way to remember is to think of the fish :)
Incident handling is a specialized field which is done best after proper training, guidance and experience. However, if you follow the six core steps to incident handling, you will have a better chance of recovering favorably from an unforeseen incident. The example below is an actual incident I experienced recently. I have outlined the steps taken as they pertain to the six steps of Incident Handling.
Commtouch: Malware Writers’ Tactics Evolving – The article mentions how most network admins fall back to blocking all attachments in emails when an outbreak hits. Had they been prepared, prior to the outbreak, they may have been able to mitigate the infestation without disrupting the business.
“The server-side polymorphic distribution method is an evolution of earlier tactics, where malware writers would introduce new variants over a period of weeks or months, to try to bypass anti-virus engines,” said Rebecca Herson, senior director of marketing at Commtouch, based in Sunnyvale, Calif., in an interview with eWEEK. “Since the end of 2006, this has become the primary distribution method for e-mail-borne malware.”
Battle of the Colored Boxes (part 2 of 2) – Part 2 in the series
Coverage and comprehensiveness are key to effective vulnerability assessment. The more vulnerabilities identified and weeded out, the harder it is for the bad guys to break in. In web application security, black box testing is a fairly standard measure of the difficulty and commonly used as a method to improve it. That’s why when Fortify recently published a new white paper entitled “Misplaced Confidence in Application Penetration Testing” (registration required), it immediately piqued my interest. Plus a title like that is bound to generate some controversy (score 1 for marketing). I highly recommend reading their paper first before moving on and having your opinions colored by mine.
The ineffectiveness of user awareness training – I don’t agree…user awareness training should be a requirement for all organizations. Obviously if the checks fail then your training needs to be updated or restructured to be more impactful.
Some argue that you can effectively train the average user to be “secure” – be one with the password, become the token, know the malware – personally I think it is a losing battle. Security must be transparent to the end user; controls must be implemented that support security but do not inhibit the productivity of the average user.
The ineffectiveness of technology solutions – Someone who agrees with me.
Amrit thinks that user awareness training is a waste of time and money. I think he is wrong. I think ineffective user training is a waste of time and money. I also think that if we follow his line of thinking on this that we should abolish user training and all technology designed to secure our networks. After all we spend lots of time and money on them and they still have vulnerabilities that allow the bad guys access to our systems.
Evaluating Forensic Tools: Beyond the GUI vs Text Flame War – Very good points.
Each interface mechanism has its pros and cons, and when evaluating a tool, the interface mechanism used can make an impact on the usability of the tool. For instance, displaying certain types of information (e.g. all of the picture files in a specific directory) naturally lends itself to a graphical environment. On the other hand, it’s important to me to be able to use the keyboard to control the tool (using a mouse can often slow you down). The idea that graphical tools “waste CPU cycles” is pretty moot, considering the speed of current processors, and that much forensic work focuses on data sifting and analysis, which is heavily tied to I/O throughput.
Wednesday and no scheduled meetings. Time to play catch-up!
Here’s the list for today:
Communicating outside your (security) culture – It’s not an easy task to explain risk to someone who doesn’t already know about it.
A little while back I was talking with my six year old, and said six year old asked me “What is risk?”. I realized I didn’t have an answer that was one or two sentences. In fact, I didn’t have an answer that I thought would really get the idea across, though after going through several tries I think I got the idea across. The hardest part was finding a common frame of reference to build on. And yes, I was a bit dismayed that I didn’t have one or two sentences to communicate an idea that is a basic part of Information Security to someone who didn’t know anything about it.
Evaluating malware from a network perspective – Good find, process, and reporting.
Today while looking through my HIPS log like a good sec analyst, I see an interesting event logged on one of the hosts. The file c:\windows\system32\wbem\unsecapp32.exe (MD5: 60f8ea044b96b7ae8c1a55571d7e2c70) tried to contact 211.22.66.246 on port 7654. Google searching for the file name produced little help beyond this (the fact that AhnLab’s AV engine didn’t detect this one leads me to believe it’s a relatively new variant).
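As an added illustration of the kind of triage this entry describes (this is not code from the original post or its author), the following Python checker runs over a few constructed HIPS export lines in a made-up key=value format. It flags an outbound connection when the hash is on a watchlist, when a binary in the system32\wbem directory is not on a baseline of expected names (and resembles one of them), or when the destination port is not one a workstation would normally reach. The only value taken from the post is the file name, MD5 and destination quoted above; the baseline, the log format and the expected-port set are assumptions you would replace with your own.

```python
import re
from dataclasses import dataclass, field

# Constructed HIPS export lines in an invented key=value format (not any product's real format).
SAMPLE_LOG = """\
2007-05-02 08:13:42 host=WS-017 event=NET_CONNECT proc=c:\\windows\\system32\\wbem\\wmiprvse.exe md5=0a1b2c3d4e5f60718293a4b5c6d7e8f9 dst=10.0.0.5:135
2007-05-02 08:14:07 host=WS-017 event=NET_CONNECT proc=c:\\windows\\system32\\wbem\\unsecapp32.exe md5=60f8ea044b96b7ae8c1a55571d7e2c70 dst=211.22.66.246:7654
2007-05-02 08:15:30 host=WS-022 event=NET_CONNECT proc=c:\\program files\\mozilla firefox\\firefox.exe md5=ffffffffffffffffffffffffffffffff dst=192.0.2.10:80
"""

# Assumed baseline of binaries expected under system32\wbem, as you would build it from a
# known-good image. This is an illustrative set, not an authoritative inventory.
WBEM_BASELINE = {"wmiprvse.exe", "unsecapp.exe", "winmgmt.exe", "wmiapsrv.exe"}

# Hash watchlist seeded with the MD5 quoted in the post.
HASH_WATCHLIST = {"60f8ea044b96b7ae8c1a55571d7e2c70": "unsecapp32.exe sample quoted in the post"}

# Destination ports a workstation in this constructed environment is expected to reach.
EXPECTED_DST_PORTS = {80, 443, 135, 445}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"proc=(?P<proc>.+?) md5=(?P<md5>[0-9a-f]{32}) dst=(?P<ip>[\d.]+):(?P<port>\d+)$"
)


@dataclass
class Alert:
    host: str
    proc: str
    reasons: list = field(default_factory=list)


def triage_line(line: str):
    """Return an Alert for one log line, or None if nothing about it stands out."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proc = m["proc"].lower()
    directory, _, name = proc.rpartition("\\")
    reasons = []
    if m["md5"] in HASH_WATCHLIST:
        reasons.append(f"hash on watchlist: {HASH_WATCHLIST[m['md5']]}")
    if directory.endswith("\\system32\\wbem") and name not in WBEM_BASELINE:
        reasons.append(f"unexpected binary in wbem directory: {name}")
        # Lookalike check: does the name collapse to a legitimate one once digits are removed?
        stripped = re.sub(r"\d+", "", name)
        if stripped in WBEM_BASELINE:
            reasons.append(f"name resembles legitimate {stripped}")
    if int(m["port"]) not in EXPECTED_DST_PORTS:
        reasons.append(f"outbound to unusual port {m['ip']}:{m['port']}")
    return Alert(m["host"], proc, reasons) if reasons else None


def triage(log_text: str) -> list:
    """Run triage_line over every line and keep only the alerts."""
    return [a for a in (triage_line(l) for l in log_text.splitlines()) if a]


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert.host, alert.proc)
        for r in alert.reasons:
            print("   -", r)
```

Only the unsecapp32.exe line produces an alert; the legitimate wmiprvse.exe connection to port 135 and the browser connection to port 80 are left alone. Each reason is reported separately so an analyst can see which signal fired, which matters when one of them (the port list, say) is noisy in a given environment.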
RSA public keys are not private – I’ve never thought of RSA as being insecure until now.
RSA is an extremely malleable primitive and can hardly be called “encryption” in the traditional sense of block ciphers. (If you disagree, try to imagine how AES could be vulnerable to full plaintext exposure to anyone who can submit a message and get a return value of “ok” or “decryption incorrect” based only on the first couple bits.) When I am reviewing a system and see the signing operation described as “RSA-encrypt the signature with the private key,” I know I’ll be finding some kind of flaw in that area of the implementation.
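To make the malleability point concrete, here is an added Python example (not code from the original post or its author) built on a constructed toy key with two small primes. It shows the property that makes “RSA-encrypt with the private key” a red flag: with no padding, the product of two signatures is a valid signature on the product of the two messages, so a verifier accepts a message nobody signed. The second half signs a hash of the message instead and shows that the same multiplication no longer produces anything a verifier accepts; reducing the hash modulo n is a stand-in for the PKCS#1 padding a real implementation would use, and the primes, exponent and messages are all assumptions for illustration.

```python
import hashlib

# Constructed toy RSA parameters: two small primes chosen for illustration only.
# Real keys are thousands of bits; these are just large enough to make the point.
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)  # private exponent (Python 3.8+ modular inverse)


def textbook_sign(m: int) -> int:
    """'RSA-encrypt with the private key', no padding: s = m^d mod n."""
    return pow(m, D, N)


def textbook_verify(m: int, s: int) -> bool:
    """Textbook check: s^e mod n must equal the message itself."""
    return pow(s, E, N) == m % N


def combine_signatures(s1: int, s2: int) -> int:
    """Since (m1^d)(m2^d) = (m1*m2)^d mod n, multiplying two signatures gives the
    signature of the product message without ever touching the private key."""
    return (s1 * s2) % N


def h(msg: bytes) -> int:
    """Hash-then-sign representative. Reducing mod N is a toy stand-in for proper
    PKCS#1 padding (v1.5 or PSS), which is what a real implementation must use."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def hashed_sign(msg: bytes) -> int:
    return pow(h(msg), D, N)


def hashed_verify(msg: bytes, s: int) -> bool:
    return pow(s, E, N) == h(msg)


def demo() -> dict:
    # Textbook RSA: the product of two signatures verifies as a signature on m1*m2.
    m1, m2 = 12345, 67890
    s12 = combine_signatures(textbook_sign(m1), textbook_sign(m2))
    textbook_malleable = textbook_verify((m1 * m2) % N, s12)

    # Hash-then-sign: the same multiplication yields a signature on H(a)*H(b) mod n,
    # which is the hash of no message anyone can name (that would need a preimage),
    # so the verifier rejects it while genuine signatures still verify.
    a, b = b"pay 10 to alice", b"pay 10 to bob"
    sab = combine_signatures(hashed_sign(a), hashed_sign(b))
    hashed_resists = (not hashed_verify(a + b, sab)) and hashed_verify(a, hashed_sign(a))
    return {"textbook_malleable": textbook_malleable, "hashed_resists": hashed_resists}


if __name__ == "__main__":
    print(demo())
```

When reviewing an implementation, the question to ask is therefore not “is the private key used” but “what is the exact byte string that is exponentiated”: if it is the raw message or a bare hash rather than a padded encoding, the multiplicative structure of RSA is exposed to anyone who can collect a few valid signatures.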
wsus 3 released – Never used it but I’ll have to give it a try.
WSUS 3.0 has been released. I’m bouncing this link over where I found it, The Sean Blog, since he made a nice list of the pertinent downloads. If you don’t know WSUS or don’t use it and don’t do anything special for Windows patch management, you should really look into WSUS. It does one set of tasks and does it very well.
VNC ‘scans’ with windows size of 55808 – I haven’t seen it…have you?
One of our readers wrote in with the following:
“Over the last couple days I’ve noticed a different type of 5900/TCP (VNC?) portscan/attack. Port 5900 scans are not new, but this one is triggering a TCP Window size 55808 filter on our IPS. The filter is patterned after: Reference: CERT Incident http://www.cert.org/current/archive/2003/06/25/archive.html
Most of the source hosts are EDU’s in the US and Taiwan.”
Is this really such an issue, something you should be concerned about when performing IR or conducting an investigation? Let me add some perspective…not long ago, I examined a worm that had infected several systems, and it created an entry for itself in the RunOnce key; the entry was prepended with a “*”. Does anyone get the significance of that?
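Microsoft documents two value-name prefixes for the RunOnce key: a leading “*” makes the entry run even when Windows boots into Safe Mode, and a leading “!” defers deletion of the entry until after its command has finished. As an added example (not code from the original post or its author), the Python below parses a constructed .reg export of the Run and RunOnce keys and reports entries that use either prefix or that launch from a Temp directory, which is the kind of check a responder would fold into persistence triage. The registry contents are invented for the illustration; only the key paths are real.

```python
import re

# Constructed .reg export (not taken from any real system). The "*" and "!" prefixed
# value names are the behaviours under discussion; the commands are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\ExampleApp\\tray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*svchost"="C:\\Windows\\Temp\\updater.exe"
"!Cleanup"="C:\\Windows\\Temp\\cleanup.cmd"
"PostInstall"="C:\\Program Files\\ExampleApp\\finish.exe /quiet"
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\ ."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str):
    """Yield (key, value_name, data) for string values in a .reg export.
    Only REG_SZ values written as "name"="data" are handled; that is all
    Run/RunOnce entries use."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km["key"]
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            data = vm["data"]
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            yield key, _unescape(vm["name"]), data


def flag_runonce(text: str) -> list:
    """Return RunOnce entries that use a special prefix or run from a Temp directory."""
    findings = []
    for key, name, data in parse_reg(text):
        if not key.lower().endswith("\\runonce"):
            continue
        notes = []
        if name.startswith("*"):
            notes.append("'*' prefix: entry also runs when Windows boots into Safe Mode")
        if name.startswith("!"):
            notes.append("'!' prefix: entry is deleted only after the command finishes")
        if "\\temp\\" in data.lower():
            notes.append("command runs from a Temp directory")
        if notes:
            findings.append({"key": key, "name": name, "command": data, "notes": notes})
    return findings


if __name__ == "__main__":
    for f in flag_runonce(SAMPLE_REG):
        print(f'{f["name"]!r} -> {f["command"]}')
        for n in f["notes"]:
            print("   -", n)
```

The Safe Mode detail is the one that matters for the question above: an administrator who boots into Safe Mode to clean a machine expects Run and RunOnce entries to stay dormant, and the “*” prefix quietly removes that assumption for whichever entry carries it.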
First day of May, and I’m feeling OK! The sickness has passed through me and I’m feeling 99% better with the exception of still being a little tired.
Here’s the list for today:
MITMing an SSLized Java App – Good article
I was recently working on a Java-based application that communicated exclusively over SSL. This is a good thing for the application, but a bad thing for someone trying to test it. I naively thought that I could edit a couple of files and boom, be on my way.
Encryption for PCI Compliance – Good discussion on key lengths, algorithms, backups, etc. to meet PCI compliance.
Although we have discussed encryption and the PCI requirements before, many people still do not understand how to properly implement secure encryption systems. So, this post is aimed to make this as simple to understand as possible by answering the common questions that people ask.
Nokia eyes scalability with new security appliance – You can keep throwing hardware at the problem but ultimately Check Point has to work on the performance of their software.
The IP690 is based on a multicore, multithreaded Intel Corp. processing platform to accommodate future software, including applications from other vendors, Taylor said. It’s Nokia’s first appliance based on this kind of architecture.
Power of Negotiation – Insightful post.
Spinning up a new security program is no easy feat. Neither is changing the direction of one that is already in place. One of the first things that everybody identifies as necessary is policy. Whenever the auditors come through an organization or department, documented policies are one of the first things they ask to review. But policies are one of the hardest things in security, or business for that matter, to generate and update. Heck, in comparison, ethics is easier than policies. In ethics, usually, when a person has to think about something then they are probably crossing the line. But with policies, how much is enough and where does it start crossing the line? By line I am talking about things such as cost efficiency, individual privacy, and any number of other questionable subjects.
Think *ACCIDENTAL* Leak Prevention – It’s really like rubber sheets for your bed…just in case :)
Here is a useful bit of insight that emerged from this discussion: if you think of such products as ACCIDENTAL leak prevention defenses, you will likely get over the intense desire to claim that “they are all hopelessly broken by design.” This idea was inspired by this post, which said: “There is no doubt that these systems are evadable […] Inadvertent data leakage is a different story [and can be managed effectively].”
Open Source Training – I’m not sure how valid Wireshark certification would be but the BSD one looks interesting.
I’d like to mention a few notes on training for open source software that appeared on my radar recently. The first is Wireshark University, the result of collaboration among Laura Chappell and her Protocol Analysis Institute, Gerald Combs (Wireshark author), and CACE Technologies, maintainers/developers of WinPcap and AirPcap. WiresharkU is offering a certification and four DVD-based courses, along with live training delivered through another vendor.
Wireless NAC != Wireless IPS: AirTight…Leaks… – Good assessment.
Rob Graham and I came in contact with some AirTight boxes. In case you don’t know, they are a maker of wireless IDS technology. Since we know a thing or two about wireless, we wanted to look and see how these boxes work and if they perform as advertised. If you don’t want to read the entire blog post, the short answer is: not completely. In our quick peek we found 3 problems. If we were doing a real assessment we would have pulled out the screwdrivers, ICE gear, and disassembler, but instead we looked at this from a blackbox remote perspective.
Should the Network Security Industry Exist? – Am I obsolete already?
Last week, I read that well known security expert and writer Bruce Schneier recently opined that there should be no network security industry, because software vendors should make their products so secure that there would be no need for third party security products. He apparently said this at the Infosecurity conference in London (which, interestingly enough, is sponsored by security vendors). You can read about his comments here (incidentally, all of us here hold Bruce in very high regard, so this blog post is not intended to be criticism of him).
Hiding Inside a Rainbow – Very clear post about rainbow tables. Didier’s been motivated since returning from Black Hat Europe :)
Steganography is the art of hiding messages so that the uninitiated wouldn’t suspect the presence of a message. A rainbow table is a huge binary file used for password cracking. This is the first in a series of posts on research I’ve done on how to hide data in rainbow tables, and how to detect its presence.
XML Firewall Architecture and Best Practices for Configuration and Auditing – GSEC Gold Certification honors paper from Don Patterson (PDF format)
Stealth for Survival: Threat of the Unknown – GCIH Gold Certification paper from Ken Dunham (PDF format)