Suggested Blog Reading – Thursday July 12th, 2007

It’s Thursday…one day between me and my precious weekend.

Here’s the list:

Webinar: Cross-Site Request Forgery – Free webinar if you’re interested.

For those interested in learning about Cross-Site Request Forgery (CSRF), WhiteHat is hosting a webinar on July 24, 2007 at 11:00 AM PDT. This is about the basics, ins and outs, and solutions in straightforward terms. If you want to attend, registration is free.

Secret Military Materials Posted to Unprotected Public Servers – This has “good idea” written all over it.

In the latest government scandal that may make you drop your head in your hands and groan, the Feds have accidentally posted critical information to unsecured public FTP servers — critical as in blueprints, aerial photographs, and geographical surveys that could show Iraqi insurgents entry points and weaknesses at key military sites. The Associated Press published their report this afternoon.
The military may know something about secrecy in the trenches, but next to nothing about security on the Internet. They initially refused to release the information, and then unwittingly posted it online, according to AP:

The military calls it “need-to-know” information that would pose a direct threat to U.S. troops if it were to fall into the hands of terrorists. It’s material so sensitive that officials refused to release the documents when asked.

But it’s already out there, posted carelessly to file servers by government agencies and contractors, accessible to anyone with an Internet connection.

Snort Report 7 Posted – Richard has posted his 7th Snort report. These are always a good read for anyone who uses Snort.

In the last Snort Report we looked at output methods for Snort. These included several ways to write data directly to disk, along with techniques for sending alerts via Syslog and even performing direct database inserts. I recommended not configuring Snort to log directly to a database because Snort is prone to drop packets while performing database inserts. In this edition of the Snort Report I demonstrate how to use unified output, the preferred method for high performance Snort operation.

Fun Intrusion Story – “Major network penetrations of any kind are exceedingly uncommon.” …. HAHAHAHAHAHAH.

Here is an enlightening account of a major intrusion investigation of a cell phone network in Greece.

Tina Bird’s Logs and Law Summary – Good reference material.

Here is the most comprehensive summary of all legal, regulatory, policy and other guidance documents that mention logging, created and maintained by none other than Tina Bird, who seems to be back in logland full time 🙂

Do-It-Yourself Forensics – Exceptionally good article from a legal publication.

All over America, vendors stand ready to solve the e-discovery problems of big, rich companies. But here’s the rub: Most American businesses are small companies that use computers — and along with individual litigants, they’re bound by the same preservation obligations as the Fortune 500, including occasionally needing to preserve forensically significant information on computer hard drives. But what if there’s simply no money to hire an expert, or your client insists that its own IT people must do the job?

Misplaced Class Roster Contained Student Social Security Numbers – Wow….just…..wow.

For the second time in as many months, Texas A&M, Corpus Christi is alerting students over the loss of personal information. This latest incident involved the temporary loss of a class roster containing the names and Social Security numbers of the 49 individuals enrolled in A&M-CC’s Business Law 3310 class. The adjunct professor for the class, Terrell Dahlman, immediately notified School of Business officials and class students when he discovered the roster missing. In an e-mail to students, Dahlman asked each student to check their handouts to see if they accidentally picked up the roster. A student, it turns out, did accidentally pick up the roster and returned the roster to Dahlman during the next class. According to Marshall Collins, vice president for marketing and communications, A&M-CC will not investigate this incident further since the roster was returned. When asked about A&M-CC using Social Security numbers for identification, Collins replied, “All we have to go by is Social Security numbers. It’s one of the fallacies of the system.”

Suggested Blog Reading – Wednesday July 11th, 2007

Busy, busy, busy. If only I had more time during the day.

Here’s the list:

Searching inside payload data – Good little SQL statement to hang on to.

Almost all of my searches involve IPs and/or port numbers, and Sguil has a lot of built-in support for these types of database queries, making them very easy to deal with. Sometimes, though, you want to search on something a little more difficult.

This morning, for example, I had a specific URL that was used in some PHP injection attack attempts, and I wanted to find only those alerts that had that URL as part of their data payload.

Constructing a query for this is actually pretty easy, if you use the HEX() and the CONCAT() SQL functions. If you’re using the GUI interface, you only have to construct the WHERE clause, so you can do something like the following…
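The excerpt stops short of the WHERE clause itself. What follows is an added example, not code from the Sguil post or from the Sguil project: it builds the MySQL WHERE fragment the post describes (HEX() wrapped in CONCAT()), then runs the same search against an in-memory SQLite table of constructed payloads so the behaviour can be checked offline. The column name data.data_payload, the sample packets and the sensor/connection ids are assumptions made for the example; Sguil storing the payload as uppercase hex text is the reason the search term has to be hex-encoded in the first place.

```python
"""Search Sguil's hex-encoded payload column for a string.

Added example, not code from the Sguil post or project.  The payload
column (assumed here to be data.data_payload) holds the packet payload as
uppercase hex text, so a plain LIKE '%url%' can never match; the search
term has to be hex-encoded on the server side as well.
"""
import binascii
import sqlite3

# Constructed sample packets: (sensor id, connection id, raw payload bytes).
SAMPLE_PACKETS = [
    (1, 101, b"GET /index.php?page=http://example.org/inc.txt HTTP/1.1\r\n"),
    (1, 102, b"GET /index.php?page=home HTTP/1.1\r\n"),
    (1, 103, b"POST /login HTTP/1.1\r\n\r\nuser=http://example.org/inc.txt\r\n"),
    # Bytes 06 16 20 hex-encode to "061620", which contains "6162"
    # (HEX('ab')) starting at an odd nibble, although the bytes are not "ab".
    (2, 201, bytes([0x06, 0x16, 0x20])),
    (2, 202, b"xab"),
]


def to_hex_rows(packets):
    """Store payloads the way Sguil does: uppercase hex text."""
    return [(sid, cid, binascii.hexlify(payload).decode().upper())
            for sid, cid, payload in packets]


def hex_search_where(term, column="data.data_payload"):
    """MySQL WHERE fragment for the Sguil GUI: hex-encode the term on the
    server and wrap it in LIKE wildcards.  Quotes and backslashes in the
    term are escaped so the string literal stays intact."""
    literal = term.replace("\\", "\\\\").replace("'", "''")
    return f"{column} LIKE CONCAT('%', HEX('{literal}'), '%')"


def search_payloads(rows, term):
    """Run the equivalent query in SQLite.  SQLite has hex() but no CONCAT(),
    so || stands in for it; the term is bound as a BLOB so hex() encodes
    its bytes, as MySQL HEX() would."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE data (sid INTEGER, cid INTEGER, data_payload TEXT)")
    con.executemany("INSERT INTO data VALUES (?, ?, ?)", rows)
    cur = con.execute(
        "SELECT sid, cid FROM data WHERE data_payload LIKE '%' || hex(?) || '%'",
        (term.encode(),),
    )
    hits = sorted(cur.fetchall())
    con.close()
    return hits


def confirmed_hits(rows, term):
    """LIKE compares hex digits, not bytes, so a term can match starting at
    an odd nibble (half a byte off).  Decode each candidate and keep only
    the rows whose actual bytes contain the term."""
    needle = term.encode()
    by_key = {(sid, cid): payload for sid, cid, payload in rows}
    return [key for key in search_payloads(rows, term)
            if needle in binascii.unhexlify(by_key[key])]


if __name__ == "__main__":
    rows = to_hex_rows(SAMPLE_PACKETS)
    print(hex_search_where("http://example.org/inc.txt"))
    print("LIKE hits for 'ab':     ", search_payloads(rows, "ab"))
    print("confirmed hits for 'ab':", confirmed_hits(rows, "ab"))
```

Two things the hex trick gives you for free: the encoded term contains only the characters 0-9 and A-F, so a URL with `%` or `_` in it cannot accidentally act as a LIKE wildcard, and case is a non-issue because both sides are uppercase hex. The one caveat is the nibble-offset false positive shown by rows 201 and 202: a short term can match half a byte off the real byte boundary, so for short search strings decode the candidates and confirm the match before acting on it.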

Explaining Sensitive Information – Unfortunately there is no definitive method for classifying sensitive information. Which begs the question…shouldn’t there be?

Classification of data starts with defining that data. Unfortunately there are many definitions for personal or private information and these definitions are often different depending on country, state, organization, regulation, and other factors.

Network Security Monitoring Case Study – I love case studies!

So this is the major question. How do you convince management or other functional areas that monitoring is important? It sounds to me like my friend has already scored some wins by freeing bandwidth used by misconfigured systems, simplifying firewall rules, and examining individual problematic hosts.

It’s important to remember that there is no return on security investment. Security is a cost center that exists to prevent or reduce loss. It is not financially correct to believe you are “earning” a “return” by spending time and money to avoid a loss.

If I need to spend $1000 to hire a guard to protect my $10000 taxi, I am not earning a return on my investment — I am preventing the theft of my taxi. If I invest that $1000 in a ticketing and GPS system that makes me more productive ferrying passengers (perhaps increasing my dollars per hour worked), then I have enjoyed a ROI once my $1000 expense is covered.

Breach vs. Incident: Semantics or Something More? – Personally, I tend to think that a “breach” is an intrusion outside of policy whereas an “incident” would be the proceeding results of the aforementioned breach (attack a server, obtain sensitive documents, etc.).

What I find so fascinating about this statement is the distinction between incident and breach, and that an “incident” should not be viewed in the same light as a “breach”. So I started thinking, is this distinction merely a semantic issue or is there some underlying assumption amongst the general public that an incident is an everyday, and perhaps less dangerous, occurrence than a breach. One of the words is a simple noun that brings to mind a singular event of some type that may or may not be harmful. The other word is more action oriented and brings to mind, at least to my mind, images of whales bursting through the surface of the water and other dynamic events. Given the very differences in these words, should they be used as interchangeably as they are in the Information Security arena?

Evtx Event Record – Interesting.

This article documents the structure of a single event record within a Vista Event Log (.evtx) file.

The event record starts with a magic string, two asterisks followed by two null bytes. It is framed by matching length indications. They state the whole record’s size, from the magic string to the trailing length indicator. This is similar to the record structure of the old NT event logging service. The length indications at the beginning and at the end of an event record allow the logging service to traverse the chain of records efficiently in both directions.
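The framing described above, as an added example that is not code from the linked article: a small Python walker that builds, validates and traverses a chain of records using only what the paragraph states (the two-asterisk, two-null magic string and a leading and trailing length that both cover the record from the magic to the trailing length). The 32-bit little-endian width of the length fields and the treatment of everything between them as an opaque body are assumptions made for this example; the real record carries more header fields, which the paragraph does not describe and the code does not pretend to parse.

```python
"""Walk a chain of .evtx-style event records in both directions.

Added example, not from the article: it implements only the framing the
article describes (a "**\\0\\0" magic string, a length at the start and an
identical length at the end, both covering the record from the magic to
the trailing length).  The width and byte order of the length fields,
32-bit little-endian, and treating everything in between as an opaque
body are assumptions made here for the example.
"""
import struct

MAGIC = b"**\x00\x00"
HEADER = struct.Struct("<4sI")  # magic, leading record size
TRAILER = struct.Struct("<I")   # trailing copy of the record size
MIN_SIZE = HEADER.size + TRAILER.size


def build_record(body: bytes) -> bytes:
    """Frame an opaque body the way the article describes."""
    size = MIN_SIZE + len(body)
    return HEADER.pack(MAGIC, size) + body + TRAILER.pack(size)


def read_record(buf: bytes, offset: int):
    """Parse the record starting at offset; return (size, body).

    Both length fields are checked against each other and against the
    buffer, so a truncated or corrupted record raises instead of letting
    the walk run off the end or trust a bogus size."""
    if offset < 0 or offset + HEADER.size > len(buf):
        raise ValueError(f"record header at {offset} runs past the buffer")
    magic, size = HEADER.unpack_from(buf, offset)
    if magic != MAGIC:
        raise ValueError(f"bad magic {magic!r} at offset {offset}")
    end = offset + size
    if size < MIN_SIZE or end > len(buf):
        raise ValueError(f"record size {size} at offset {offset} is out of bounds")
    (trailer,) = TRAILER.unpack_from(buf, end - TRAILER.size)
    if trailer != size:
        raise ValueError(f"length mismatch at offset {offset}: {size} != {trailer}")
    return size, buf[offset + HEADER.size:end - TRAILER.size]


def walk_forward(buf: bytes):
    """Offsets of every record in file order, following the leading sizes."""
    offsets, off = [], 0
    while off < len(buf):
        size, _ = read_record(buf, off)
        offsets.append(off)
        off += size
    return offsets


def walk_backward(buf: bytes):
    """Offsets of every record, last first, following the trailing sizes."""
    offsets, end = [], len(buf)
    while end > 0:
        if end < MIN_SIZE:
            raise ValueError(f"{end} trailing bytes cannot hold a record")
        (size,) = TRAILER.unpack_from(buf, end - TRAILER.size)
        start = end - size
        read_record(buf, start)  # validates magic and both lengths
        offsets.append(start)
        end = start
    return offsets


def record_bodies(buf: bytes):
    """The opaque bodies in file order."""
    return [read_record(buf, off)[1] for off in walk_forward(buf)]


if __name__ == "__main__":
    chain = b"".join(build_record(b) for b in (b"first", b"second record", b""))
    print(walk_forward(chain), walk_backward(chain))
    print(record_bodies(chain))
```

The point of checking both lengths against each other on every step is that a forensic tool walking a damaged or deliberately tampered log should stop at the first inconsistent record rather than resynchronise on whatever the bogus size points at; the backward walk doubles as an independent cross-check, since a chain that parses identically in both directions has consistent framing throughout.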

Laptop Containing UMN Student Information Stolen from Locked Car – Sigh…..

The University of Minnesota is alerting students after a laptop containing student grade information was stolen from a professor’s car during a trip to Palo Alto. The laptop, belonging to Elizabeth Beaumont of the political science department, contained the names, e-mail addresses, internal University IDs and grades for students enrolled in Beaumont’s classes from fall 2005 until present. While the University has a policy that all non-public information must be encrypted, 70-80% of the political science laptops, including Beaumont’s, have no encryption. The University has plans in place to ensure all political science laptops are encrypted by the end of the summer.

Suggested Blog Reading – Tuesday July 10th, 2007

Even though I felt recharged yesterday I was still quite tired from the flying and the “relaxing” over the weekend. I’m starting to get back into the swing of things so expect posts to get back to normal frequency.

Here’s the list:

My New and Fun Fun Fun Role! – Well it looks like Anton has himself a new role and title. I hope he fares better than Martin did when he moved into an evangelist role.

I have a sneaking suspicion that not everybody checks my site regularly. And that’s OK – you need to check my blog, not the site 🙂

However, if you do check the site, you might have noticed that my position title has changed! My new position is … drum-roll … Chief Logging Evangelist.

Yes, I joined the ranks of “evangelists”, which takes its origin from Guy Kawasaki.

Am I excited? That would be the understatement of the year!

Nduja Cross Domain/Webmail XSS Worm – Webmail XSS Worm??? Interesting and a little scary considering how much people rely on webmail these days.

Rosario Valotta sent me an email today describing a webmail XSS worm he has written – the first I am aware of that is cross domain. There have been a few webmail worms, like Yamanner, but nothing quite like this. Rosario picked four Italian webmail services, Libero.it, Tiscali.it, Lycos.it, and Excite.com, and built a worm that works across all four domains.

Pentagon E-mail System HACKED – “What can we do to take the heat off of DHS for failing so miserably on their audit??? Wait…let’s disclose a huge hack that occurred at the Pentagon…that’ll get them off our backs!”

The Pentagon got owned pretty hard with 1,500 accounts being taken offline due to a hack attack. For once however they did admit the incident and didn’t try to cover it over or brush it off.

I guess the amount of attacks they get is exponentially more than other networks…but still, I would have thought they should be super secure.

IT Security Specialists See Salaries Rise in First Half – I love seeing articles like these considering friends and colleagues in the industry are not seeing the same thing. Who are these people getting all of these raises all the time anyway?

Demand for highly trained and certified IT security professionals is forcing CIOs and IT managers to shell out higher salaries, and to adjust their budgets to meet the increased security expectations of their customers and their executive management teams.

In the past six months, salaries for certified IT workers rose 2 percent, bucking a yearlong trend in declining pay for IT certifications, according to a report issued this week by IT work force research firm Foote Partners.
