Suggested Blog Reading – Thursday August 16th, 2007

What a crazy, crazy, crazy week.

Here is the list:

XORSearch V1.2.0: XOR & ROL – I look forward to Didier’s upcoming post with further details.

Last week I analyzed a piece of malware that had each byte of its strings ROL 1 (ROtate Left) encoded. I’ll give more details about this trick in an upcoming post.

It prompted me to update my XORSearch tool to deal with ROL encoding. Feeling lazy, I only coded ROL support, not ROR. 😉 Or did I, what do you think?
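The trick behind the tease above: a byte rotated left by n bits is the same byte rotated right by 8-n bits, so a search that tries ROL 1 through ROL 7 already covers every ROR count too. The following is an added example (not XORSearch's own code) that brute-forces the rotation count for a known plaintext string and decodes the hit; the sample buffer, the needle "http://", and the function names are constructed for the example.

```c
/* Added example: brute-force ROL search for a known string, in the spirit
 * of XORSearch's ROL mode. Not Didier Stevens's code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Rotate a byte left by n bits (n taken modulo 8). */
uint8_t rol8(uint8_t b, unsigned n)
{
    n &= 7;
    return (uint8_t)((b << n) | (b >> ((8 - n) & 7)));
}

/* Rotate a byte right by n bits: this is just ROL by 8-n, which is why
 * trying ROL 1..7 already covers ROR. */
uint8_t ror8(uint8_t b, unsigned n)
{
    return rol8(b, (8 - (n & 7)) & 7);
}

/* Search buf for needle under every ROL count 1..7. The malware applied
 * ROL k to its plaintext, so the encoded needle is rol8(needle[i], k).
 * Returns the offset of the first hit and stores k in *rot, or -1. */
long rol_search(const uint8_t *buf, size_t buflen, const char *needle, unsigned *rot)
{
    uint8_t enc[64];
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > buflen || nlen > sizeof enc) return -1;
    for (unsigned k = 1; k < 8; k++) {
        for (size_t i = 0; i < nlen; i++) enc[i] = rol8((uint8_t)needle[i], k);
        for (size_t off = 0; off + nlen <= buflen; off++) {
            if (memcmp(buf + off, enc, nlen) == 0) { *rot = k; return (long)off; }
        }
    }
    return -1;
}

/* Undo a ROL-k encoding: rotate right by k (i.e. ROL by 8-k). */
void decode_rol(const uint8_t *in, size_t len, unsigned rot, uint8_t *out)
{
    for (size_t i = 0; i < len; i++) out[i] = ror8(in[i], rot);
}

/* Constructed sample: "http://" ROL 1 encoded, surrounded by filler bytes. */
size_t make_sample(uint8_t *out, size_t cap)
{
    static const uint8_t filler[4] = { 0x90, 0x90, 0x90, 0x90 };
    const char *plain = "http://";
    size_t plen = strlen(plain), need = 2 * sizeof filler + plen;
    if (cap < need) return 0;
    memcpy(out, filler, sizeof filler);
    for (size_t i = 0; i < plen; i++) out[sizeof filler + i] = rol8((uint8_t)plain[i], 1);
    memcpy(out + sizeof filler + plen, filler, sizeof filler);
    return need;
}

/* Runs the whole flow on the constructed sample; returns 1 on success. */
int self_check(void)
{
    uint8_t buf[32], dec[8];
    unsigned rot = 0;
    size_t n = make_sample(buf, sizeof buf);
    long off = rol_search(buf, n, "http://", &rot);
    if (off != 4 || rot != 1) return 0;
    decode_rol(buf + off, 7, rot, dec);
    if (memcmp(dec, "http://", 7) != 0) return 0;
    /* a string that is not in the sample under any rotation must miss */
    if (rol_search(buf, n, "ftp://", &rot) != -1) return 0;
    return 1;
}

int main(void)
{
    uint8_t buf[32], dec[8];
    unsigned rot = 0;
    size_t n = make_sample(buf, sizeof buf);
    long off = rol_search(buf, n, "http://", &rot);
    if (off < 0) { puts("not found"); return 1; }
    decode_rol(buf + off, 7, rot, dec);
    dec[7] = 0;
    printf("found at offset %ld, ROL %u (= ROR %u): %s\n", off, rot, 8 - rot, dec);
    return 0;
}
```

Because rol_search never looks at bit positions beyond the byte, the same loop recovers ROR-encoded strings: an ROR 1 encoding simply reports as ROL 7.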

Is That a Hole in Your Kernel or Are You Just Pleased to See Me? – Interesting article. Pull that cert 🙂

Anyway, before these came another example, though I’ve only just got around to blogging about it. Why is it a good example? Well it was in a common open-source driver which is signed by a third-party and used pretty widely by the technical community. The driver is WinPcap, the packet-sniffing driver used by tools such as Wireshark. The vulnerability is a bug that allowed arbitrary kernel memory to be written to.

An Evening With a Friend – I promised Ron I’d include this in my SBR today. It’s quite a good story (Shimmy agrees) and would serve as a good article to use when speaking to a small business about security (for all you consultants out there).

Several weeks ago, a good friend of my family who is a lawyer for an application hosting company and I were speaking about network security and I brought up Nessus. “Can you scan one of our hosted sites?” he asked. A short while later, especially after asking the right sort of legal questions, we were looking at the results of a non-credentialed Nessus scan for a high traffic web site.

Preventing XSS Using Data Binding – Cool demo.

Stefano Di Paola sent me an interesting email the other day. Honestly, it took me a good hour of playing with it before I finally wrapped my brain around what was going on. Using data binding he can make JavaScript attach user content to the page while validating that it does not contain active content. That is, styles are okay, but JavaScript is not. Very interesting. Here’s the demo (warning, not for the technically faint of heart).

Detecting and Preventing Rogue Devices on the Network from the SANS Information Security Reading Room

U.S. Dept. of Homeland Security Makes 14 Privacy Impact Assessments Available – “Helping corporate America receive an F on their audit since 2007”

I am a huge proponent of privacy impact assessments (PIAs); basically risk assessments for privacy. PIAs can reveal gaps in privacy practices, along with the information security practices used to protect privacy. They are important and effective exercises for all organizations that handle personally identifiable information (PII).

rtpBreak – RTP Analysis & Hacking Tool – Another tool for your belt.

rtpBreak detects, reconstructs and analyzes any RTP [rfc1889] session through heuristics over the UDP network traffic. It works well with SIP, H.323, SCCP and any other signaling protocol. In particular, it doesn’t require the presence of RTCP packets (voipong needs them), which aren’t always transmitted by recent VoIP clients.

Advance your career – master the fundamentals – Great article for those starting out in security and a refresher for those who have been involved in it for some time.

I’ve been really impressed by the exploration and resulting discussion of the fundamentals taking place in the Security Catalyst Community. Join the discussion: What are your “fundamentals” for security?

My quest for the fundamentals began initially considering the superstars of sports, and watching, then studying their routines. I’ve shared the fundamentals conversations with clients, friends and colleagues – and I love listening to the stories of how this applies to sports, to things like teaching children math and science… all of the different ways we connect, consider and distill. It’s not a surprise to me that we’re collectively struggling to develop a clear list of the fundamental building blocks of information protection.

PCI Poll results – Too complex but equally easy as dirt? I don’t understand the voters.

Now I know that the numbers don’t add up, but voters were allowed to select multiple answers and the percentage is based on the total number of voters.

So I guess it goes back to my original thought that the level of difficulty that PCI compliance involves depends on the shape of the network you are working with. Large or small, if it is a poorly designed network you are going to have a struggle. If it is a securely designed network then your job will be much easier. The issue isn’t understanding what is required; it’s putting the requirements into practice.

Virtual Machine Replication & Failover with VMWare Server & Debian Etch (4.0) – Something I’ve always thought about but haven’t investigated further. Good article.

This tutorial provides step-by-step instructions about how to create a highly available VMware Server environment on a Debian Etch system. With this tutorial, you will be able to create Virtual Machines that will be available on multiple systems with failover/failback capabilities.

The system is built using components of “The High Availability Linux Project”, namely “DRBD” and “Heartbeat”.
The free open-source edition of DRBD will only allow a 2-node active/passive environment, so this is not for large businesses! Also, the heartbeat/drbd setup configured in this tutorial uses 2 Ethernet NICs. I recommend that at least the NIC to be used for DRBD replication (eth1 in this tutorial) is 1Gbit or more.

WebCast On Hacking Intranets – “Webcasts….get your webcasts here…..”

If you missed our Blackhat talk the other day and wanted to hear it, Whitehat is sponsoring a webcast this Tuesday. It’s on Tuesday, August 21, 2007 at 11:00 AM PDT (2:00 PM EDT). This is going to be almost a direct repeat of our Blackhat talk, so for those of you who already made it, don’t worry if you miss it.

MPack: Getting More Dangerous – Good follow up article with more information on the latest version of MPack.

In our previous analysis we discussed ‘What is Mpack and how it works’. We had reviewed MPack version 0.84 in our previous blog. This time we will compare it with an updated version, MPack v 0.91.
