Not sure why but “Tuesday” feels like it’s been preceded by about 10 working days already this week. That’s just not right.
Here’s the list:
CfP open for ACM SIGOPS Special Issue on Computer Forensics – Anyone looking to get an article published should check this out.
ACM SIGOPS is soliciting the submission of papers for its Operating Systems Review. This special issue will be dedicated to computer forensics, especially with the upcoming arts of live forensics and the analysis of volatile data.
The call for papers closes on December 1st, 2007.
So you want to be a writer? – Don is offering to help you out if you’re looking to get started on that book you’ve always wanted to publish. You might want to drop him a line.
Has it ever crossed your mind, in the recent past, that becoming a writer would be neat? Take myself for an example. About six or seven years ago I took stock of my career. I decided that I wanted to implement some career goals. The first was to become a computer security contractor. Problem was, just how do you go about becoming one? For me the solution was to start writing articles about computer security. This would help me reach my goal in that it would get my name and skillset out there to potential clients. Not to mention that if your writing is good enough you can also get paid for it.
Sandcat by Syhunt – Web Server & Application Vulnerability Scanner – Another tool to check out.
Sandcat allows web administrators to perform aggressive and comprehensive scans of an organization’s web server to isolate vulnerabilities and identify security holes.
The Sandcat scanner requires basic inputs such as host names, start URLs and port numbers to scan a complete web site and test all the web applications for security vulnerabilities.
This is a pretty nifty and complete tool; there is a ‘pro’ version available too.
New Paper: “Log management in the age of compliance” – Another paper by Anton. I’m starting to wonder when he finds time to sleep 🙂
Yeah, I know, not too technical, but still fun – my paper “Log management in the age of compliance” on ComputerWorld: “In my previous article, I described the way in which three regulations (FISMA, HIPAA and PCI-DSS) affect incident response processes. This triumvirate also affects log management, since they [A.C. – these and other regulations] call for enabling logging as well as for log review.”
UserAssist V2.3.0 – Didier has updated his UserAssist tool with some cool new features. Check out UserAssist here
I’m releasing version 2.3.0 of my UserAssist tool with these new features:
* saved CSV files have a header.
* entries are highlighted in red when they match a user-specified search term (which can be a regular expression). This is my answer to the persons asking for a search feature. As I didn’t want to bother with a Find Next function, I decided to implement a highlight feature.
* the Save command also supports HTML.
* support for the IE7 UserAssist GUID key {0D6D4F41-2994-4BA0-8FEF-620E43CD2812}
* registry hive files (usually called NTUSER.DAT files) can be loaded directly with the tool. The tool will load the DAT file temporarily in the registry, read the UserAssist keys and unload the file. This feature is experimental, because I didn’t write the code yet for all the exceptions (invalid NTUSER.DAT file, no access rights to the file, no rights to load the file, failure to unload the file, …).
Other requests, like a command-line option, will be investigated.
I’m also researching special values of the count property, for example when a program is removed from the start menu list.
010 Template to Parse an Evtx File – This may come in handy some day soon. I’ll add this link and file it away for later.
I’m excited to release the first version of a template for the 010 Editor which parses the outer structure of a Vista event log file. By “outer structure” I refer to the structures described earlier in this blog, from the file level down to the single record. However, the template cannot yet decode the binary XML inside of an event record – and probably never will. For this task I will provide a more complex tool in a few weeks.
The template parses the following structures:
* File Header
* Chunk Header
* String Table
* Template Table
* Event Record
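To show what “outer structure” parsing means in practice, here is an added Python example (not the 010 template and not code from the linked blog) that walks the same five structures: the file header, each chunk header, the string and template offset tables, and the event record frames, leaving the binary XML payload undecoded. The offsets and the CRC32 coverage follow the publicly documented .evtx layout; the sample file is constructed inline by `build_sample_evtx` so the parser can be run offline, and the checksum checks are the part a forensic practitioner cares about, since a chunk whose record checksum fails has been truncated or tampered with.

```python
import struct
import zlib
from dataclasses import dataclass, field

FILE_SIG = b"ElfFile\x00"          # file header signature
CHUNK_SIG = b"ElfChnk\x00"         # chunk header signature
RECORD_SIG = b"\x2a\x2a\x00\x00"   # event record signature
FILE_HEADER_BLOCK = 4096           # header block size; chunks start right after it
CHUNK_SIZE = 0x10000               # every chunk is 64 KiB


def crc32(buf: bytes) -> int:
    return zlib.crc32(buf) & 0xFFFFFFFF


@dataclass
class EventRecord:
    offset: int            # absolute file offset of the record
    size: int
    record_id: int
    written_filetime: int  # Windows FILETIME, left unconverted
    binxml: bytes          # undecoded binary XML payload
    size_trailer_ok: bool  # trailing copy of the size matches the leading one


@dataclass
class Chunk:
    offset: int
    first_record_id: int
    last_record_id: int
    free_space_offset: int
    string_table_used: int    # non-zero slots of the 64-entry string offset table
    template_table_used: int  # non-zero slots of the 32-entry template offset table
    header_crc_ok: bool
    records_crc_ok: bool
    records: list = field(default_factory=list)


@dataclass
class FileHeader:
    first_chunk: int
    last_chunk: int
    next_record_id: int
    major: int
    minor: int
    chunk_count: int
    flags: int
    crc_ok: bool


def parse_file_header(data: bytes) -> FileHeader:
    if data[:8] != FILE_SIG:
        raise ValueError("missing ElfFile signature")
    (first, last, next_id, _hdr_size, minor, major,
     _block, nchunks) = struct.unpack_from("<QQQIHHHH", data, 8)
    flags, crc = struct.unpack_from("<II", data, 120)
    # The file header checksum covers the first 120 bytes of the block.
    return FileHeader(first, last, next_id, major, minor, nchunks, flags,
                      crc32(data[:120]) == crc)


def parse_chunk(data: bytes, off: int) -> Chunk:
    if data[off:off + 8] != CHUNK_SIG:
        raise ValueError(f"missing ElfChnk signature at {off:#x}")
    (_first_num, _last_num, first_id, last_id, _hdr_size, _last_off,
     free_off, rec_crc) = struct.unpack_from("<QQQQIIII", data, off + 8)
    hdr_crc = struct.unpack_from("<I", data, off + 124)[0]
    # Chunk header checksum: bytes 0-119 plus the two offset tables (128-511).
    header_ok = crc32(data[off:off + 120] + data[off + 128:off + 512]) == hdr_crc
    strings = struct.unpack_from("<64I", data, off + 128)
    templates = struct.unpack_from("<32I", data, off + 384)
    # Records checksum covers everything from the first record to the free space.
    records_ok = crc32(data[off + 512:off + free_off]) == rec_crc
    chunk = Chunk(off, first_id, last_id, free_off,
                  sum(1 for s in strings if s), sum(1 for t in templates if t),
                  header_ok, records_ok)
    pos = off + 512
    while pos + 28 <= off + free_off and data[pos:pos + 4] == RECORD_SIG:
        size = struct.unpack_from("<I", data, pos + 4)[0]
        rec_id, ftime = struct.unpack_from("<QQ", data, pos + 8)
        trailer = struct.unpack_from("<I", data, pos + size - 4)[0]
        chunk.records.append(EventRecord(pos, size, rec_id, ftime,
                                         data[pos + 24:pos + size - 4],
                                         trailer == size))
        pos += size
    return chunk


def parse_evtx(data: bytes):
    header = parse_file_header(data)
    chunks = [parse_chunk(data, FILE_HEADER_BLOCK + i * CHUNK_SIZE)
              for i in range(header.chunk_count)]
    return header, chunks


def build_sample_evtx(binxml: bytes = b"\x0f\x01\x01\x00", record_id: int = 7,
                      filetime: int = 0x01C7BE4F0E7A4B00) -> bytes:
    """Constructed one-chunk, one-record file (sample data, not a real log)."""
    body = struct.pack("<QQ", record_id, filetime) + binxml
    size = 4 + 4 + len(body) + 4
    record = RECORD_SIG + struct.pack("<I", size) + body + struct.pack("<I", size)
    free_off = 512 + len(record)
    chunk = bytearray(CHUNK_SIZE)
    chunk[:8] = CHUNK_SIG
    chunk[512:free_off] = record
    struct.pack_into("<QQQQIIII", chunk, 8, 1, 1, record_id, record_id,
                     128, 512, free_off, crc32(record))
    struct.pack_into("<I", chunk, 128 + 4 * 2, 536)  # one string-table slot in use
    struct.pack_into("<I", chunk, 124, crc32(bytes(chunk[:120]) + bytes(chunk[128:512])))
    hdr = bytearray(FILE_HEADER_BLOCK)
    hdr[:8] = FILE_SIG
    struct.pack_into("<QQQIHHHH", hdr, 8, 0, 0, record_id + 1, 128, 1, 3, 4096, 1)
    struct.pack_into("<I", hdr, 124, crc32(bytes(hdr[:120])))
    return bytes(hdr) + bytes(chunk)
```

Running `parse_evtx(build_sample_evtx())` yields one chunk whose header and record checksums verify and one 32-byte record; flipping any byte inside the record area makes `records_crc_ok` false while the record frame still parses, which is exactly the signal to look for when triaging a recovered or carved event log.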
Detecting the Apple iPhone and other ‘Shadow IT’ Technology – Worried about people using their fancy new iPhones on your corporate network?
While reading the ‘Declaration of Interdependence’ series of articles in the July 1st issue of CIO Magazine (including an additional online article named ‘Users Who Know Too Much and the CIOs Who Fear Them’), the term “Shadow IT” was used to describe the aggregate amount of personal, walk-in and employee owned software and hardware that makes its way onto corporate networks and computers. This blog entry discusses strategies to look for applications that should not be running on your network as well as understanding which “unsanctioned” applications may be the most popular. It also discusses how the Passive Vulnerability Scanner can be used to detect Apple iPhones connected to the local IP network.
Some new papers from the SANS Information Security Reading Room:
Open ports for a bunch of servers – Kind of cool.
This is a first attempt at visualizing open ports detected by nmap in around 60 servers. I’ve used Freshcookies-Treemap and custom scripts. Ports are all TCP.
Beat by a girl! – Hahah…catchy article title. Good post though.
I’ve written before about WhiteHat Security office events in which we race to find the first and best vulnerability in never-seen-before websites – the winner receiving company-wide bragging rights. Speed hack contests are also great for learning and testing one’s skills. They get the competitive juices flowing, typically finish in less than 20 minutes, and keep the day-to-day work fun! Lately, winning has proved to be extremely challenging, especially when you’re up against people like Bill Pennington, Arian Evans, and the entire Operations Team who does this stuff everyday.
We ran two bouts last week. The first was a financial application, which was a little bit different, because it had a social networking aspect. We weren’t provided any usernames or passwords, couldn’t self-register without a special code; and, as a result, the attack surface was limited. This meant we could still probably find the first XSS fast, but the high-severity issue probably wasn’t going to be there. The domain was called out, fingers hit the keyboard, and we were off. Bill P. and I went immediately after XSS in the search fields, but struck out because of proper HTML encoding. Arian, who only sees filters as a challenge, busied himself with some crazy encoding attacks. The rest of the Operations Team were eagerly trying to take down the giants.
Ahhhh Monday……well after a long period of rest (read laziness) I’ve decided to get back on track. This means putting the CISSP exam in my sights, going back to the gym (yes my foot is finally feeling better), eating better, and generally getting more involved in security.
Here’s the list:
The Soft Underbelly? – Database Security – Why won’t people learn? I guess this is the kind of thing that keeps us in business.
It’s not surprising SQL Injection and database hacking are getting more frequent: as people ramp up perimeter security, more often than not they forget about interior security, software application security and, most of all, database security.
The irony is, generally THE most important information is stored in corporate databases, including credit card details, social security information, corporate figures and all the guts that power the white-collar machine.
Oh Look. An Apple WORM. – It was only a matter of time really.
With a few hours work I have put together a proof of concept worm that works on Mac OS X (Intel). I need to get a hold of an older PPC Mac to test that platform but I suspect it will work just fine.
Before I say anymore, because I know some of you will ask, NO I will not send you the PoC or any related details. I wrote this for my own purposes and it will be demonstrated to those who asked me to engage in this work. Yes, I am being compensated for this (Hi Joanna) and yes, Apple will be shown my work. Eventually.
Internet Search Returns Westminster Student Information – I know I probably shouldn’t be surprised…but I am. Why can’t people understand the importance of protecting sensitive information from the public?
Barb, a Westminster College alumna, received an unpleasant surprise while searching the Internet for her name. Among the results were two files hosted on the Westminster student web server containing the names and Social Security numbers of 100 current and former Westminster students. According to Laura Murphy, Westminster executive director of communications, the files were removed immediately after Barb notified the college and an investigation is ongoing. According to Murphy, the files were placed on the web server through an innocent accident and these files were not easily accessible to non-students. However, Westminster is taking this incident seriously and has launched an investigation to help determine what steps need to be in place to prevent such accidents in the future. Westminster has contacted all 100 students and has agreed to pay for one year of credit monitoring for those affected by this incident.
Know Your Enemy: Fast-Flux Service Networks – Interesting article from The Honeynet Project. Check it out.
One of the most active threats we face today on the Internet is cyber-crime. Increasingly capable criminals are constantly developing more sophisticated means of profiting from online criminal activity. This paper demonstrates a growing, sophisticated technique called fast-flux service networks which we are seeing increasingly used in the wild. Fast-flux service networks are a network of compromised computer systems with public DNS records that are constantly changing, in some cases every few minutes. These constantly changing architectures make it much more difficult to track down criminal activities and shut down their operations.
In this paper we will first provide an overview of what fast-flux service networks are, how they operate, and how the criminal community is leveraging them, including two types which we have designated as single-flux and double-flux service networks. We then provide several examples of fast-flux service networks recently observed in the wild. Next we detail how fast-flux service network malware operates and present the results of research where a honeypot was purposely infected with a fast-flux agent. Finally we cover how to detect, identify, and mitigate fast-flux service networks, primarily in large networking environments. At the end we supply five appendixes providing additional information for those interested in digging into more technical detail.
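The abstract describes the two flavours (single-flux, where only the A records of the name churn, and double-flux, where the name servers’ addresses churn as well) and the detection side of the problem. As an added example that is not part of the Honeynet paper, the following Python heuristic profiles constructed DNS snapshots of a name over time and classifies it on three signals that the paper’s description implies: short TTLs, a large set of distinct answer IPs across lookups, and those IPs spread over many autonomous systems. The `ASN` map, the snapshot data and the thresholds in `classify` are all assumptions made for the example; in a real deployment the ASN lookup would come from a BGP or whois source and the thresholds would be tuned against your own resolver logs.

```python
from dataclasses import dataclass


@dataclass
class Snapshot:
    domain: str
    t: int          # seconds since the start of observation
    rrtype: str     # "A": addresses of the name; "NS_A": addresses of its name servers
    ttl: int
    ips: tuple


# Constructed IP -> origin-ASN map (stand-in for a BGP/whois lookup; documentation ranges).
ASN = {
    "203.0.113.5": "AS64500", "203.0.113.9": "AS64500", "198.51.100.7": "AS64501",
    "198.51.100.44": "AS64502", "192.0.2.10": "AS64503", "192.0.2.77": "AS64504",
    "192.0.2.130": "AS64505", "198.51.100.200": "AS64506",
    "203.0.113.200": "AS64507", "192.0.2.222": "AS64508",
}


def snap(domain, t, rrtype, ttl, *ips):
    return Snapshot(domain, t, rrtype, ttl, ips)


# Constructed observations: a CDN-like legitimate name (few IPs, one ASN, short TTL),
# a single-flux name (A records churn, stable NS) and a double-flux name (NS churn too).
SNAPSHOTS = [
    snap("cdn.example.net", 0, "A", 60, "203.0.113.5", "203.0.113.9"),
    snap("cdn.example.net", 300, "A", 60, "203.0.113.9", "203.0.113.5"),
    snap("cdn.example.net", 0, "NS_A", 86400, "198.51.100.7"),
    snap("sf.example", 0, "A", 180, "192.0.2.10", "192.0.2.77", "198.51.100.44"),
    snap("sf.example", 300, "A", 180, "192.0.2.130", "198.51.100.200", "192.0.2.10"),
    snap("sf.example", 600, "A", 180, "203.0.113.200", "192.0.2.222", "192.0.2.77"),
    snap("sf.example", 0, "NS_A", 3600, "198.51.100.7"),
    snap("df.example", 0, "A", 180, "192.0.2.10", "192.0.2.77", "198.51.100.44"),
    snap("df.example", 300, "A", 180, "192.0.2.130", "198.51.100.200", "192.0.2.10"),
    snap("df.example", 600, "A", 180, "203.0.113.200", "192.0.2.222", "192.0.2.77"),
    snap("df.example", 0, "NS_A", 180, "192.0.2.10", "198.51.100.44", "192.0.2.130"),
    snap("df.example", 300, "NS_A", 180, "192.0.2.77", "192.0.2.222", "203.0.113.200"),
]


def churn(rows):
    """Summarise how much one record set moved over all observed lookups."""
    ips = set()
    for r in rows:
        ips.update(r.ips)
    return {
        "answers": len(rows),
        "unique_ips": len(ips),
        "unique_asns": len({ASN.get(ip, "unknown") for ip in ips}),
        "min_ttl": min((r.ttl for r in rows), default=None),
    }


def flux_profile(snapshots, domain):
    return {
        "A": churn([s for s in snapshots if s.domain == domain and s.rrtype == "A"]),
        "NS": churn([s for s in snapshots if s.domain == domain and s.rrtype == "NS_A"]),
    }


def classify(profile, ttl_max=300, ips_min=5, asns_min=3):
    """Assumed thresholds: short TTL, many distinct IPs, spread over many ASNs.
    The ASN spread is what separates flux from a legitimate CDN, which also
    uses short TTLs and many addresses but keeps them inside its own networks."""
    def fluxing(c):
        return (c["answers"] > 0 and c["min_ttl"] <= ttl_max
                and c["unique_ips"] >= ips_min and c["unique_asns"] >= asns_min)
    a_flux, ns_flux = fluxing(profile["A"]), fluxing(profile["NS"])
    if a_flux and ns_flux:
        return "double-flux"
    if a_flux:
        return "single-flux"
    return "not-flux"


if __name__ == "__main__":
    for name in ("cdn.example.net", "sf.example", "df.example"):
        print(name, classify(flux_profile(SNAPSHOTS, name)))
```

The CDN case is the false positive to keep in mind: it has a 60-second TTL and rotates addresses, yet it stays in one ASN and a handful of IPs, so only the combination of the three signals, not any one of them, should drive a block or an alert.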
For your weekend viewing pleasure – Some botnet videos on YouTube.
It’s Friday the 13th…cue ominous music…but I’m counting on everything going smoothly today. Is it just me or do things always tend to explode on Fridays?
Here’s the list:
Oracle UK systems accused in ‘SSH hacking spree’ – “Bad Oracle….bad!”
Compromised computers at Oracle UK are listed among the 10 worst offenders on the net for launching attacks on servers which run SSH (secure shell) server software.
Oracle said it is investigating the reported problem, which it is yet to either confirm or refute.
A box (or group of boxes behind a proxy) at Oracle UK is among the worst offenders for launching attacks, according to statistics from servers running DenyHosts software to block SSH brute-force password attacks.
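The statistic quoted above comes from DenyHosts installations, which watch the sshd authentication log, count failed logins per source address and add the worst sources to `/etc/hosts.deny`. The following Python example is added here to show that logic in miniature; it is not DenyHosts code. The log lines are constructed (documentation IP ranges, invented usernames), the five-failure threshold is an assumption, and the `sshd: <ip>` line format produced by `hosts_deny_entries` is the one TCP wrappers read from `hosts.deny`.

```python
import re
from collections import Counter, defaultdict

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user oracle from ..." as written by OpenSSH.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample of /var/log/auth.log lines (not a real capture).
AUTH_LOG = """\
Jul 13 08:01:02 web1 sshd[4021]: Failed password for invalid user oracle from 203.0.113.45 port 51234 ssh2
Jul 13 08:01:04 web1 sshd[4021]: Failed password for invalid user oracle from 203.0.113.45 port 51234 ssh2
Jul 13 08:01:07 web1 sshd[4023]: Failed password for root from 203.0.113.45 port 51240 ssh2
Jul 13 08:01:09 web1 sshd[4023]: Failed password for root from 203.0.113.45 port 51240 ssh2
Jul 13 08:01:12 web1 sshd[4025]: Failed password for invalid user admin from 203.0.113.45 port 51251 ssh2
Jul 13 08:01:15 web1 sshd[4025]: Failed password for invalid user admin from 203.0.113.45 port 51251 ssh2
Jul 13 08:03:40 web1 sshd[4031]: Failed password for root from 198.51.100.9 port 40022 ssh2
Jul 13 08:03:44 web1 sshd[4031]: Failed password for root from 198.51.100.9 port 40022 ssh2
Jul 13 08:04:01 web1 sshd[4031]: Accepted publickey for deploy from 198.51.100.9 port 40022 ssh2
Jul 13 08:05:00 web1 CRON[4040]: pam_unix(cron:session): session opened for user root by (uid=0)
"""


def failed_logins(lines):
    """Map source IP -> Counter of usernames tried and failed from that IP."""
    per_ip = defaultdict(Counter)
    for line in lines:
        m = FAILED.search(line)
        if m:
            per_ip[m["ip"]][m["user"]] += 1
    return per_ip


def offenders(per_ip, threshold=5):
    """(ip, total failures, distinct usernames) for sources at or above the threshold.
    The distinct-username count is the brute-force tell: one user with five typos
    looks different from five accounts tried once each."""
    rows = [(ip, sum(c.values()), len(c))
            for ip, c in per_ip.items() if sum(c.values()) >= threshold]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def hosts_deny_entries(rows, daemon="sshd"):
    """Render offenders as TCP-wrapper lines of the form DenyHosts appends to hosts.deny."""
    return [f"{daemon}: {ip}" for ip, _, _ in rows]


if __name__ == "__main__":
    bad = offenders(failed_logins(AUTH_LOG.splitlines()))
    for ip, total, users in bad:
        print(f"{ip}: {total} failures across {users} usernames")
    print("\n".join(hosts_deny_entries(bad)))
```

On the sample, 203.0.113.45 crosses the threshold with six failures over three usernames and 198.51.100.9 does not; the latter went on to log in with a key, which is the kind of context that a blunt per-IP counter, on its own, cannot see and why a blocklist driven by it needs a whitelist for your own jump hosts.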
Patching an IPS – 16 months ! – Woah…..
Looking into the disclosure timeline [pdf] of Andres Riancho, Cybsec Security Systems, the vendor was contacted on 6th February, 2006 already.
The updated TOS version was released on 4th July, 2007, i.e. last week.
I’m not saying 3Com is slow when fixing vulnerabilities, I think this issue was extremely difficult to resolve. Cybsec will “disclose technical details 30 days after publication of pre-advisory”. Let’s wait!
FG-Injector – SQL Injection & Proxy Tool – New tool to test out.
FG-Injector Framework is a set of tools designed to help find SQL injection vulnerabilities in web applications, and help the analyst assess their severity. It includes a powerful proxy feature for intercepting and modifying HTTP requests, and an inference engine for automating SQL injection exploitation.
NIST releases revised FIPS crypto standard for review – Review away my friends….review away!
The latest version of the Federal Information Processing Standard for cryptographic modules, FIPS 140-3, has been released for comment by the National Institute of Standards and Technology.
Comments on the draft, available online at http://csrc.nist.gov/publications/drafts.html#fips140-3, are due to NIST by Oct. 11.
The current standard, FIPS 140-2, grew out of Federal Standard 1027, General Security Requirements for Equipment, which used the now-outdated Data Encryption Standard. FIPS 140-1 was issued in 1994 with a requirement that it be reviewed every five years. The review and revision process can take several years, and FIPS 140-2 was approved in 2001.