What a nice, relaxing weekend. Back to the grind!
Here’s the list:
Get your second degree in “ethical hacking” – Not sure how many people will give this love as the term “ethical hacking” still doesn’t impress a lot of people.
If you’re looking to groom a new CSO for your company or looking to boost your career into an executive position, there’s a new master’s degree that might work for you. Just don’t expect a football home team, warns Information Week, since all the curriculum is online.
The new program, launched by the EC-Council University, currently has 6 students and 9 faculty, and students are expected to study only half-time, while working in the security industry in some capacity.
Four Solaris Virtual Machines – Need a Solaris test-bed? Why not use these pre-configured VMWare images?
There are now four Solaris VMs available from Sun, including S10U3 and Solaris Express (aka Nevada) build 55. VMware tools are pre-installed (at least in the two I downloaded), but the VMs are still using IDE disks so they won’t work for ESX/VI users.
Newsmaker: DCT, MPack developer – Interview with the MPack guys.
In June 2006, three Russian programmers started testing a collection of PHP scripts and exploit code to automate the compromise of computers that visit malicious Web sites.
“The project is not so profitable compared to other activities on the Internet. It’s just a business. While it makes income, we will work on it, and while we are interested in it, it will live.”
“DCT”, one of three developers of the MPack infection kit
A year later, the MPack kit has become an increasingly popular tool, allowing data thieves and bot masters to take control of victims’ systems and steal personal information. The MPack infection kit has been blamed for hundreds of thousands of compromised computers. And, it’s malicious software with a difference: The creators have offered a year of support to those clients from the Internet underground who purchase the software for anywhere from $700 to $1,000.
You just got 0wned. Now what? – What would you do? What is the right answer for your type of incident? 🙂
Imagine that you are arriving at your office and you look through the window. Inside the building you can see someone burglarizing the building. What would you do?
You have a few options, you could (1) call the police; (2) you could ignore the burglary and go get a cafe’ latte double mocha espresso and hope that the burglar leaves before anyone sees him; (3) or you could open the door to the office, shout, “Hey! Get out!”, and wait for the burglar to leave.
Oracle refutes ‘SSH hacking’ slur – I think it’s great that Oracle blamed a paper by Daniel Cid, who works for me at Q1 Labs, as the root cause of their public perception as a “top attacker”. Well Daniel, I guess any press is good press 😉
An investigation by Oracle has revealed that none of its systems were involved in launching a recent brute force attack on secure servers around the net.
From the beginning of May until earlier this week, “compromised computers” at Oracle UK were listed among the ten worst offenders on the net for launching attacks on servers which run SSH (secure shell) server software, according to statistics from servers running DenyHosts software to block SSH brute-force password attacks. DenyHosts is a script for Linux system administrators designed to help thwart SSH server attacks. Around 6,800 users contribute to the data it collects.
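The DenyHosts statistics quoted above come from exactly this kind of counting: failed SSH password attempts grouped by source address. As an added example that is not from the article or from DenyHosts itself, here is the core of that logic in a few lines of sh/awk over a handful of constructed sshd log lines (the addresses and timestamps are made up for the example). Anything crossing the threshold is what a DenyHosts-style tool would write to hosts.deny.

```shell
#!/bin/sh
# Added example (not the article's or DenyHosts' own code): count failed SSH
# password attempts per source address in sshd log lines and list the sources
# that reach a threshold. The log lines below are constructed for this example.

SAMPLE_AUTH_LOG='Jul 20 09:12:01 bastion sshd[2231]: Failed password for invalid user oracle from 203.0.113.7 port 51022 ssh2
Jul 20 09:12:03 bastion sshd[2231]: Failed password for invalid user test from 203.0.113.7 port 51023 ssh2
Jul 20 09:12:04 bastion sshd[2235]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jul 20 09:12:06 bastion sshd[2238]: Accepted publickey for alice from 198.51.100.5 port 40111 ssh2
Jul 20 09:12:09 bastion sshd[2240]: Failed password for alice from 198.51.100.5 port 40112 ssh2
Jul 20 09:12:11 bastion sshd[2241]: Failed password for invalid user admin from 203.0.113.7 port 51025 ssh2'

# failed_by_source LOGTEXT -> "count ip" lines, most attempts first.
# Only "Failed password" lines count; accepted logins are ignored.
failed_by_source() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++ }
        }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# offenders LOGTEXT THRESHOLD -> source addresses with at least THRESHOLD failures
offenders() {
    failed_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# With a threshold of 3, only 203.0.113.7 (4 failures) is reported;
# 198.51.100.5 had one typo'd password and a successful key login.
offenders "$SAMPLE_AUTH_LOG" 3
```

In production you would feed `/var/log/auth.log` (or `/var/log/secure`) into `failed_by_source` instead of the embedded sample, and tune the threshold so that a single mistyped password does not get a legitimate admin blocked.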
The greatest virus of all time – This is fantastic work!
There has been a virus on the net for a long time; the damage it inflicts is unstoppable, or at least that was thought. Check it out yourself.
Insider Threat Example: Payroll Employee Threatens To Illegally Use Other Employees’ PII If Not Given a Good Review – Good case study.
On June 27, 2007, the St. Louis Metropolitan Sewer District (MSD) fired an employee who had worked in the payroll department there for 10 years.
Why? He downloaded Social Security numbers and other personally identifiable information (PII) about 1,600 current and former MSD employees to his own personal computer, and then some of his coworkers reported to their management that he had threatened on June 20 to maliciously use the PII if his manager gave him a bad performance appraisal.
MSD contacted the FBI and the St. Louis police department right after learning of the threat; they obtained the now-ex-employee’s computer from his home and “said they are very confident that the document had not been copied or sent to another source.” The name of the ex-employee has not been released pending investigation.
piggy – Download MS-SQL Password Brute Forcing Tool – Another tool for you to play with.
Piggy is yet another tool for performing online password guessing against Microsoft SQL servers.
It supports scanning multiple servers using a dictionary file or a file with predefined accounts (username and password combinations).
CyberSpeak interview – Check out Didier’s interview.
My interview on the CyberSpeak podcast about my UserAssist tool is up. I discovered I speak English with a French accent 😉 But I’m not French, I’m Flemish!
To a new kind of sleuth, phones leave a rich trail – Good article with some solid examples of how law enforcement leverages the forensic process for cell phones.
Because of the wealth of information they hold, cell phones are now part of almost every large forensic examination or criminal or civil case. Even so, Hanson estimated that Minnesota has less than a dozen full-time computer and cell phone forensic experts.
Law enforcement officials and forensics experts said cell phones are simply the latest in a long line of new technologies to which they have adapted, from land-line phones to camcorders to pagers to computers.
But they also agree that the cell phone’s ubiquity is unrivaled.
New Trend in Attacking the Java Runtime Environment? – I thought you just let it run long enough and it would eat up so much memory that its bloated corpse would block any malware 🙂
Attacks targeting vulnerabilities in the Java Runtime Environment are anything but new. Several researchers have previously visited this topic and the results have been some fantastic research. However, in recent weeks the DeepSight Threat Analyst Team has been investigating several Java issues resulting from a notable increase in vulnerabilities reported affecting the Java Runtime Environment and its associated components.
The threat landscape has seen a dramatic increase in attacks targeting client-side vulnerabilities in recent years. Vulnerabilities have been exposed in a variety of applications including media players, Web browsers, ActiveX controls and mail clients, to name just a few. The ubiquitous nature of the Java Runtime Environment makes it a prime candidate for attackers. With this in mind, it is not surprising to see much of the preliminary research into exploitation of environments like the Java Virtual Machine manifest itself both in recently disclosed vulnerabilities and the consequent exploitation of these issues “in the wild.” This research has likely been (or will be) exacerbated by the fact that portions of Java are now open-source.
OSVDB Search Tips & Tricks – Good article on how to efficiently search the OSVDB database.
I should have started a series of these posts long ago. One of the more frustrating parts of most VDBs is the lack of a helpful search function. Searching for some products (SharePoint) is easy enough, as the name is distinct and not likely to find many matches. If you happen to know the script affected (logout.php), that too can make the search fast and painless. However, what if you want to list all vulnerabilities in PHP?
New hacking technique exploits common programming error – This is where code reviews come in handy as well as knowledge of security concepts.
Researchers at Watchfire Inc. say they have discovered a reliable method for exploiting a common programming error, which until now had been considered simply a quality problem and not a security vulnerability.
Jonathan Afek and Adi Sharabani of Watchfire stumbled upon the method for remotely exploiting dangling pointers by chance while they were running the company’s AppScan software against a Web server. The server crashed in the middle of the scan and after some investigation, the pair found that a dangling pointer had been the culprit. This wasn’t a surprising result, given that these coding errors are well-known for causing crashes at odd times. But after some further experimentation, Afek and Sharabani found that they could cause the crash intentionally by sending a specially crafted URL to the server and began looking for a way to run their own code on the target machine.
Dual Database Breach Exposes 5,500 UM Records – Today’s eye bleeder.
The University of Michigan is alerting current and former students about the exposure of personal information after an unknown individual(s) gained access to two School of Education databases. These databases contained the names, addresses, and some Social Security numbers of 5,500 individuals. At this point there is no evidence that the individual(s) that gained access were after personal information, but the university’s public safety department is investigating the incident. The breach was first discovered on July 3 and the university began sending out notifications on July 16. According to Kelly Cunningham, a university spokesperson, the notifications were sent out as a precaution.
Fox News, Directory Indexing, and FTP Passwords – Wow. I wonder how long it will take Bill O’Reilly to blame terrorists…or illegal aliens…or the Democrats?
A 19 year old photography student (Gordon Lowrey) found that the Fox News website had Directory Indexing enabled (now disabled). Sure, it’s not a good practice (against PCI-DSS), but typically not a big deal security wise, and it happens occasionally on other major websites. What made this one interesting is that the person navigated their way up the directory tree to the /admin/ folder, no password required, where inside was a curious bash shell script that’s still available.
ISP Seen Breaking Internet Protocol to Fight Zombie Computers — Updated – Can’t say that I agree with this approach.
Internet service provider Cox Communications is reportedly diverting attempts to reach certain online chat channels and redirecting them to a server that attempts to remove spyware from the computer. By doing so the company seems to be attempting to cleanse computers of malware that hijacks the computer’s resources to send spam and participate in online service attacks as part of a large network of compromised computers known as a botnet.
Specifically, Cox’s DNS server is responding to a domain name request for an Internet Relay Chat server. Instead of responding with the correct IP address for the server, Cox sends the IP address of its own IRC server (70.168.70.4). That server then sends commands to the computer that attempt to remove malware.
I was so swamped at work yesterday that by the time I got home I was exhausted. Needless to say I didn’t get a chance to post a Suggested Blog Reading (SBR) post so I’ll combine them today. Enjoy your weekends!
Here’s the list:
Secure browsing with Squid and SSH – Not anything new but a good refresher for those looking to browse securely and for those looking to detect such activities 😉
Public areas that offer access to the Internet (airports, open wireless networks etc.) have no security in place. If you’re at a public WiFi spot, your personal information can be sniffed by other malicious users. This hack will show you a way to secure your web browser when using public networks.
In a nutshell, we’re going to set up a proxy server (Squid) on a trusted SSH server and create a secure connection from our laptop, over a public network, to a secure remote server. We’ll tell the browser to use the secure SSH tunnel as an HTTP proxy.
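To make the “nutshell” concrete, here is an added example (mine, not the linked hack’s own script) of the two pieces that matter for security: a Squid configuration that only accepts clients arriving on the server’s own loopback, so the proxy is unreachable except through the tunnel, and an `ssh -L` invocation that binds the laptop end to 127.0.0.1 as well, so nobody else on the public WiFi can ride your tunnel. The user name, host name and port numbers are assumptions for the example; `http_port`, `acl` and `http_access` are standard Squid directives.

```shell
#!/bin/sh
# Added example (not from the article): minimal Squid config plus the ssh
# port forward that reaches it. Host, user and ports are assumptions.

# squid_conf PORT -> squid.conf that listens only on the server's loopback
# and refuses every client that did not arrive via that loopback (the tunnel)
squid_conf() {
    cat <<EOF
http_port 127.0.0.1:$1
acl viatunnel src 127.0.0.1/32
http_access allow viatunnel
http_access deny all
EOF
}

# tunnel_cmd USER HOST LOCAL_PORT REMOTE_PORT -> ssh command that binds
# LOCAL_PORT on the laptop's loopback only (not 0.0.0.0) and forwards it over
# the encrypted session to Squid on the server's loopback; -N opens no shell
tunnel_cmd() {
    case "$3$4" in
        *[!0-9]*|'') echo "tunnel_cmd: ports must be numeric" >&2; return 1 ;;
    esac
    printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' "$3" "$4" "$1" "$2"
}

# proxy_env LOCAL_PORT -> environment that points curl/wget (and browsers that
# honour it) at the tunnelled proxy; in Firefox set the same host:port by hand
proxy_env() {
    printf 'export http_proxy=http://127.0.0.1:%s/\n' "$1"
    printf 'export https_proxy=http://127.0.0.1:%s/\n' "$1"
}

squid_conf 3128
tunnel_cmd alice proxy.example.net 3128 3128
proxy_env 3128
```

From the detection side the same setup is what you would look for on a public network: a long-lived SSH session from a laptop with no other outbound web traffic, because everything goes down the tunnel.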
Musings on 100% Log Collection – I’ve always agreed with Anton on collecting as much log data as you can in order to get a full view of what is happening. You wouldn’t pay a security guard to close his eyes and take 20 minute naps during his shift would you?
One of the most exciting, complicated and at the same time very common questions from the field of log management is the “what logs to collect?” question (this, BTW, implies that logs not collected will be left to rot wherever they were generated and thus might or might not be available at the time of dire need. You are collecting logs, aren’t you?). This comes up during compliance-driven log management projects (in the form of “what to collect for PCI DSS compliance?”) as well as operationally-driven (in the form of “what logs from this application do I need to detect faults and errors?”) or security-driven log management projects (in the form of “which logs will help me during the incident response?”)
FTester – Firewall Tester and IDS Testing tool – Another tool to check out.
The Firewall Tester (FTester) is a tool designed for testing firewalls’ filtering policies and Intrusion Detection System (IDS) capabilities.
The tool consists of two Perl scripts, a packet injector (ftest) and the listening sniffer (ftestd). The first script injects custom packets, defined in ftest.conf, with a signature in the data part, while the sniffer listens for such marked packets. Both scripts write a log file in the same format. If the two scripts are run on hosts placed on different sides of a firewall, a diff of the two produced files (ftest.log and ftestd.log) shows the packets that were unable to reach the sniffer due to filtering rules. Stateful inspection firewalls are handled with the ‘connection spoofing’ option. A script called freport is also available for automatically parsing the log files.
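The whole trick in FTester is that last comparison step, so here is an added example (mine, not FTester’s freport) that reproduces it with `comm` over two constructed logs. The line format is a simplified one-line-per-packet rendering made up for this example, not FTester’s real log layout; the idea is the same: whatever the injector logged but the sniffer never saw was dropped by the firewall in between.

```shell
#!/bin/sh
# Added example (not FTester's own code): the injector/sniffer log diff that
# reveals filtered packets. Both logs below are constructed, in a simplified
# "src:port > dst:port flags proto ttl" form, not FTester's real format.

INJECTED='192.0.2.10:1025 > 198.51.100.20:22 S TCP 0
192.0.2.10:1025 > 198.51.100.20:80 S TCP 0
192.0.2.10:1025 > 198.51.100.20:443 S TCP 0
192.0.2.10:1025 > 198.51.100.20:3389 S TCP 0
192.0.2.10:1025 > 198.51.100.20:53 UDP 0'

SNIFFED='192.0.2.10:1025 > 198.51.100.20:80 S TCP 0
192.0.2.10:1025 > 198.51.100.20:443 S TCP 0
192.0.2.10:1025 > 198.51.100.20:53 UDP 0'

# filtered_packets INJECTED SNIFFED -> log lines present only in the injector
# log, i.e. packets that never reached the sniffer side of the firewall.
# comm needs sorted input, so both sides are sorted identically first.
filtered_packets() {
    inj=$(mktemp); snf=$(mktemp)
    printf '%s\n' "$1" | sort > "$inj"
    printf '%s\n' "$2" | sort > "$snf"
    comm -23 "$inj" "$snf"
    rm -f "$inj" "$snf"
}

# filtered_ports INJECTED SNIFFED -> destination ports that were filtered,
# one per line, numerically sorted (field 3 is "dst:port")
filtered_ports() {
    filtered_packets "$1" "$2" | awk '{ split($3, d, ":"); print d[2] }' | sort -n
}

# For the sample logs: 22 and 3389 were blocked, 80/443/53 got through.
filtered_ports "$INJECTED" "$SNIFFED"
```

Running this against a policy you wrote yourself is the useful direction: if a port you intended to block shows up as reaching the sniffer, the rule set is not doing what you think.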
Web Page Exposes Purdue Student Information – Here’s an “eye bleeder” for you.
Purdue University is apologizing to students after it discovered a web page containing student information was available on the Internet. This page, containing the names and Social Security numbers of 50 students, was discovered during a routine review of the Purdue web space. The individuals affected by this incident are those students enrolled in the university’s industrial engineering 500-level course between spring 2002 and fall 2004. Purdue has already mailed out letters to those affected students, but has set up a hotline – 866-605-0013 – and a web site – www.purdue.edu/news/coe0706.html – to help answer any questions students have about the incident.
Nearly Ten Percent of Companies Have Fired Bloggers, Survey Claims – Uh oh!
Nearly ten percent of companies have fired an employee for violating corporate blogging or message board policies, and 19 percent have disciplined an employee for the same infractions, according to a new survey from Proofpoint, a messaging security company.
Almost a third of companies “employ staff to read or otherwise analyze outbound email,” while more than fifteen percent have hired people whose primary function is to spy on outgoing corporate email. A quarter have fired an employee for violating corporate email policies. Twenty percent of the companies and almost thirty percent of companies with more than 20,000 employees had been ordered by a court or a regulator to turn over employee emails.
Learn to use Metasploit – Tutorials, Docs & Videos – Good link to check out.
Metasploit is a great tool, but it’s not the easiest to use and some people get completely lost when trying to get the most out of it.
To help you guys out here is a bunch of links, videos, tutorials and documents to get you up to speed.
You can start with this, a good flash tutorial that shows you step by step how to use it
Nessus 3.2 BETA — Example ‘nessuscmd’ usage – I may have to give this a shot this weekend. I haven’t had a chance to test the beta yet.
The BETA of Nessus 3.2 includes support for a new command line method to invoke quick Nessus scans. This blog entry details some interesting examples for port scanning, operating system identification, testing of a certain bug and testing Windows and UNIX credentials using the nessuscmd tool.
Lots of information out there today. I’ve made a decision not to post any links to the InfoSecSellout debacle…oh wait…crap!
Here’s the list:
Creating and Managing an Incident Response Team for a Large Company from the SANS Information Security Reading Room
From Elk Cloner to Peacomm: A quarter century of malware – Good article here on malware.
A quarter century of malware. You’d think we would have had this problem licked by now, yeah? No, not even close. Self replicating code was first theorized in 1949, the dawn of the computing age, and appeared in the wild around the early 1980s. The fundamental theories on computer viruses were worked out by Fred Cohen; you can read his original paper online from the early 1980s. The tension between usability and security is directly discussed in this seminal paper. From the paper’s ending, “To quickly summarize, absolute protection can be easily attained by absolute isolationism, but that is usually an unacceptable solution. Other forms of protection all seem to depend on the use of extremely complex and/or resource intensive analytical techniques, or imprecise solutions that tend to make systems less usable with time.” In fact, because of the nature of a general purpose computer, Cohen points out, you can never fully protect against viruses.
FBI’s Secret Spyware Tracks Down Teen Who Made Bomb Threats / FBI’s Magic Lantern Revealed / FBI Spyware: How Does the CIPAV Work? — UPDATE – Three really good articles from WIRED on the FBI’s CIPAV software.
In general, a CIPAV utilizes standard Internet computer commands commonly used over local area networks (LANs) and the Internet to request that an activating computer respond to the CIPAV by sending network level messages, and/or other variables, and/or information, over the Internet to a computer controlled by the FBI. The exact nature of these commands, processes, capabilities, and their configuration is classified as a law enforcement sensitive investigative technique, the disclosure of which would likely jeopardize other on-going investigations and/or future use of the technique.
What’s up with Snort licensing – Clarification for the masses on Snort licensing and GPL3.
There have been a lot of questions and speculation about the things we (Sourcefire) have been changing in Snort’s licensing recently and it needs to be addressed so that we can clear the air.
There are three things that people have been asking questions about or having issues with.
1) GPL v2 lock that we put in place on June 29th.
2) “Clarifications” in Snort’s license language (Snort 3.0).
3) “Clarifications” with regard to assignments of ownership for contributed code (Snort 3.0).
Let me address these issues in order.
Outlook Email Forensics – Not a bad read for anyone who has to do some Outlook forensics in a pinch.
I have done this previously and can’t recall everything; however, I would like to share here what I have done before I’m out of memory. I myself don’t use the Outlook mail client, therefore I need to convert it to the Unix mbox mail format so that I can examine it. I found libpst, which can do the job for me, and installed it via the FreeBSD port.
Biometrics could guard Australian borders by 2010 – I’ll believe it when I see it fully implemented.
The Department of Immigration and Citizenship (DIAC), the Department of Foreign Affairs and Trade (DFAT) and the Australian Customs Service are all using biometrics for varying levels of identity management.
A DIAC spokesperson said the department will increase the use of biometrics for identification in the lead-up to 2010, when it expects to provide a single identity for DIAC clients “regardless of what business function is being undertaken”.
Under its three-year identity management strategy, covered by the Migration Legislation Amendment (Identification and Authentication) Act of 2004 and the Privacy Act, DIAC will employ facial recognition, iris scanning, and fingerprinting to verify the identity of noncitizens entering Australia.
Louisiana State Student, Faculty Information Left Unprotected For Two Years – I’m going to start calling these “eye bleeders” because when I read them I get so flustered I think my eyes will start to bleed.
The Louisiana Board of Regents announced that it has determined that information on students and staff at universities within the Louisiana State University system was left available to unauthorized individuals for an unknown amount of time. This information included the names and Social Security numbers of groups of individuals, including all 10th grade students within Louisiana who took the state’s Educational Planning and Assessment Plan test between 2001 and 2003, as well as any individual employed within the state university system between 2000 and 2001. An investigation is still ongoing to help determine what exactly happened, but the information has been secured and there is no evidence that it was accessed by any unauthorized individuals. The board first learned of the problem from Richard Angelico, a reporter at WDSU-TV in New Orleans.
Free ePO Vulnerability Scanner – Interesting idea by eEye to release a free scanner aimed at detecting vulnerabilities in ePO/CMA/ProtectionPilot. Probably worth checking out if you’re using these products.
Just wanted to give a quick heads-up that the eEye R&D team has put together a free Class C scanner (available here: http://www.eeye.com/html/downloads/other/ePOScanner.html) for the latest vulnerabilities found within McAfee ePO, CMA, and ProtectionPilot. These are some pretty serious vulnerabilities with a very large impact in networks where ePO/CMA/PP are installed, therefore warranting the free scanner.