Supposed to be a nice day today so perhaps I’ll try and get 9 holes in before I have to pick my wife up at the airport tonight 🙂

Here’s the list:

The Big Ol’ Ubuntu Security Resource – This is a few days old but a good article to read through regardless.

If you’ve recently switched from Windows to the Linux distribution Ubuntu, you’ve probably experienced a decrease in spyware — and malware in general — on your system. But although Ubuntu is billed as the ultra-secure solution, you should know that even though Ubuntu’s default install has its flaws, like every other operating system.

To combat these weaknesses, IT Security has prepared a guide to help you close your system’s backdoors and protect you from some of the common Ubuntu exploits. Look at this big ol’ Ubuntu security resource as an introductory guide to securing Ubuntu, along with a list of the software you’ll need to stay protected.

Insider Threat Example: Ex-Coca-Cola Employees Sentenced to Prison For Trying To Sell Trade Secrets To Pepsi – This is the example I typically use when justifying the purchase of an SEM/SIM/SEIM/NSM solution. Nice to see that I wasn’t inventing a scenario that wasn’t possible 🙂

CNN reported that a couple of ex-Coca-Cola employees were sentenced to prison and ordered to pay $40,000 each for “conspiring to steal and sell trade secrets to rival Pepsi.”

One will get 8 years in prison and the other will get 5 years.

Another ex-Coca-Cola-worker was also involved and will be charged with wire fraud and unlawfully stealing and selling trade secrets, as were the other two, and sentenced this summer.

Pepsi notified Coca-Cola that the three had offered to sell samples of a new Coke product to Pepsi for $1.5 million.

Foundstone Blast – TCP Network Service Stress Test Tool – Another cool tool to add to your kit.

Foundstone Blast v2.0 is a small, quick TCP service stress test tool. Blast does a good amount of work very quickly and can help spot potential weaknesses in your network servers.

Features:

/trial switch adds the ability to see how the buffer looks before sending it
/v switch adds verbose option – off by default
/nr switch turns off initial receive after initial connect – HTTP services don’t send and initial response, Mail services do
The /nr switch fixes the effect of HTTP timeouts when sending GET strings
/dr adds double LF/CR’s to buffers(useful for GET requests) off by default

“Defeating” Whole Disk Encryption – Part 2 “Ok, I’ve got the password, now what” – Part two in the series.

In my last post I discussed some techniques for obtaining a PGP encrypted password from a DD image of the physical memory. Let’s quickly take a look at how to tackle a dead box before we start to tie all this together.

Latest test results from Andreas Marx – Sounds like a good test.

We tested 29 products for the detection of most recently seen verified working Win32 PE malware of the last 12 month — separated into the four categories backdoors, bots, trojan horses and worms.

Only detection has been tested, as this was the main request of magazines and readers, some more reviews regarding the system disinfection capabilities and the proactive (behaviour-based) detection will follow within the next two months. Furthermore, as announced during the International Antivirus Testing Workshop last week, we will more closely review the lifecycle of the products, to get a better impression about the developments of the products over time and also risky situations.

Dell & Google Secretly Installing Software to Make Money Off Your Typos – Those….bastards….how is this business practice not illegal?

New Dell machines that include the Google toolbar as part of a marketing agreement also include a secret program that redirects non-url information typed into a browser window to a Dell-branded page filled with ads. For example if you type in dogfood.cim, instead of getting a browser error message, the secret Google Address Redirector redirects the query to an ad-filled page of search results.

The Most Famous (or Infamous) Viruses and Worms of All Time – This is a great slide show that would make a great presentation to senior management.

The last few years have seen no shortage of viruses and worms. Here’s a not-so-fond look back.

Protecting against SSH brute-force attacks – Good article on a common attack method.

Practically all UNIX-based servers run a SSH server to allow remote administration across the Internet. From time to time, you might notice a large number of failed login attempts. Often, these are brute-force attacks against your SSH server

In this hack, we’ll show you 5 tips to protect machines running SSH daemons from brute-force attacks.

Adobe Lies, Badly – This blows my mind!

Adobe just posted a workaround for a security bug in their installer: Security bulletin: Workaround available for security vulnerability caused by installing Adobe Version Cue CS3 Server on some Mac systems.

In the Details section of the advisory, Adobe says:

To be granted access to these ports, the installer must first turn off the personal firewall. Currently, it is not automatically re-activating the firewall once it sets up Version Cue CS3 Server, creating a potential security vulnerability.

Well my wife is out this week so maybe I’ll try and do some golfing in between book reviews and home lab work 🙂

Here’s the list:

Cisco IPS – Support of ‘minreq-‘ Style Signature Updates has Ended – Thought I’d put this out there in case you’re still using the old style signatures 🙂

Beginning with S288, customers must be running IPS version 5.1-5-E1 or later to install signature updates. Signature updates on sensors running IPS versions older than 5.1-5-E1 (i.e. sensors using the nomenclature ‘IPS-sig-S2XX-minreq-5.1-4’) are no longer supported.

The E1 Engine update for IPS Version 5.1(5) is available for download on Cisco.com. This release includes the E1 engine update package and the 5.1(5)E1 Service Pack and System/Recovery images which replace the 5.1(5) Service Pack and System/Recovery images.

nCircle buys compliance vendor Cambia – Sounds like a logical aquisition for nCircle to bolster their VA offerings.

Software vendor nCircle Network Security Inc. has acquired Cambia Security Inc., a provider of risk and compliance management software.

Cambia, based in Alpharetta, Georgia, sells a product called Cambia CM, which can be used to audit the configuration of computers on a network and help determine if they are in compliance with company policy or government regulations.

Cisco MIBs updated – Wow, great resource!

We recently updated the Cisco MIB package ZIP file for Unbrowse SNMP. You can download it for free here. (28.9 MB). The new MIB package contains all the latest MIBs released by Cisco on their public website. This package contains 1024 MIB Modules, and over 68,000 unique objects.

Google Launches Online Security & Malware Blog – I’ll have to add this to my watch list 🙂

Online security is an important topic for Google, our users, and anyone who uses the Internet. The related issues are complex and dynamic and we’ve been looking for a way to foster discussion on the topic and keep users informed. Thus, we’ve started this blog where we hope to periodically provide updates on recent trends, interesting findings, and efforts related to online security. Among the issues we’ll tackle is malware, which is the subject of our inaugural post.

Fresh From CEIC2007: Updated Presentations! – I’ll have to check these out.

CEIC 2007 NTFS AttributeId

CEIC 2007 NTFS Object IDS

CEIC 2007 NTFS Initialized Size

CEIC 2007 BitLocker

CEIC 2007 Vista

“Defeating” Whole Disk Encryption – Part 1 – I can’t wait for part 2.

An issue that we are going to continue to encounter is computers with whole disk encryption (WDE). I’m going to post a couple of techniques that have worked for me, and hopefully they’ll be of use to someone else out there. In this post, we will look at PGP’s WDE, although the techniques outlined here should be easily applied to other encryption schemes.

All I Need to Know About Security Programs I Learned from the Pawn – Well written post with an interesting take on security.

The foundation of the game is the chess board. The board can be compared to the business itself, with alternating colored boxes, some black and some white representing elements and challenges of the business. Rows and columns can be divisions or groups as well as levels of management and project silos. The capabilities of the pieces contrast nicely with the personality types found in management. Rooks can move straight up a vertical, taking a bottom up or a top down approach. Bishops can move diagonally across silos, touching upon varying verticals and management levels. Knights are the often coveted consultants, jumping between silos and levels in an attempt to address everyone and everything. Finally, King and Queen are two great examples of security leadership. The King is all-powerful, but chooses to stay within his local area, while the Queen moves all around.

These positions address the bigger picture. However, when an information security group with limited resources spends too much time building top heavy organizations, insecure applications and weak architectures slip through the cracks. It has been my experience that the pawn’s gradual, forward movement is what makes security work in the trenches. Assessment frameworks and complicated review processes work great, but sometimes, it is the basic approach that needs to be developed first. I have developed a simple, four step process that I use every day to manage the tidal wave of security decisions that flood my inbox.

Using VMware for malware analysis – If your organization is constantly fighting malware outbreaks then why not build a virtual lab to get familiar with handling the incidents?

Even if malware analysis is not your primary occupation, once in a while you may find yourself wondering about the nature of an unfamiliar malicious executable that crosses your desk. Starting your investigation with behavioral analysis — an observation of how the specimen interacts with the file system, the registry and the network — can rapidly produce useful results. Virtualization software such as VMware is incredibly helpful in this process.