I apologize for not having any weekend updates but the weather was far too nice to sit at my computer. Going forward I will probably not have an update on Saturday and may only post one on Sunday if there is some good quality news that can’t wait for Monday. Here is the list for Today (including some from Saturday and Sunday):

Nirbot Neutered?

Nirbot’s been a huge source of another set of attacks we’ve been tracking in the past few months, as well, the Symantec AV realtime VirusScan attack on TCP ports 2967 and 2968. Given that Nirbot’s involved in that, we would expect to see a similar drop in attack activity at about the same time and, sure enough, we do.

Apple Safari 0Day Demonstrated

According to the contest rules the OSX box was fully patched and the exploit had to require no user intervention. This first attack “owned” the OSX box with user privileges but under the contest rules that was all the exploit had to do. The second OSX box is still up for grabs and for that one a new exploit has to be used and the flaw must lead to a root level compromise.

LLTD – Link Layer Topology Discovery Protocol

Gomor released a LLTD (Link Layer Topology Discovery Protocol) implementation written in Perl (using Net::Frame framework).

CanSecWest RoundUp

It was a great week in Vancouver, Canada. It began with some really good instructional classes that the CanSecWest guys call Dojo Sessions then moved into some excellent and not so excellent presentations. Here is my breakdown of each day and what talks I thought were the best, the worst and why.

Reverse engineering with a VM

In a previous comment, Tim Newsham mentions reverse engineering an application by running it in a VM. As it so happened, I gave a talk on building and breaking systems using VMs a couple years ago. One very nice approach is ReVirt, which records the state of a VM, allowing debugging to go forwards or backwards. That is, you can actually rewind past interrupts, IO, and other system events to examine the state of the software at any arbitrary point. Obviously, this would be great for reverse engineering though, as Tim points out, there haven’t been many public instances of people doing this. (If there have, can you please point them out to me?)

Noisy Decloaking Methods

Yesterday while I was helping Jeremiah with he forced basic auth cookie testing he asked a good question, which is how you can better de-anonymize users through alternative methods. Some of the initial thoughts he had wouldn’t work, but the first thing that popped into my head was FTP and Gopher. Using out of bound methods to make TCP or UDP connections to a monitoring site are easy ways to correlate users (compared with time).

NetSecAnalyst: The Handbook

My initial idea is to have all my blog posts regarding usages of network security tools to be included and packaged into the book, but I realize that this won’t make it a good book for Network Security Analyst. I have more thoughts about the book lately hence I can’t have it shipped sooner. There are four primary sections for the book which I think very important for network security analyst wannabe

Understanding Stealth Malware

Ever wondered whether Blue Pill really works or was just a PR stunt? Ever wanted to see how practical are various timing attacks against it? (And can even those “unpractical” be cheated?) Or how many Blue Pills inside each other can you run and still be able to play your favorite 3D game smoothly? Or how deep Alex can hook into Windows NDIS to bypass your personal firewall? Do you want to see Patch Guard from a “bird’s eye view” perspective? Or do you simply want to find out how well the latest Vista x64 kernel is protected? Ever wondered how rootkits like Deepdoor and Firewalk really worked? You can’t sleep, because you’re thinking constantly about how Blue Pill-like malware can be prevented? Does Northbridge hacking sound sexy to you? 🙂

Spider Trap For Stopping Bots

David Naylor (a semi-reformed SEO Blackhat) has an interesting writeup on how to stop badly behaving robots from spidering your site. I would hardly call this technique new (I’ve seen this scripts in one form or another for nearly a decade). However, it’s a good primer for anyone who runs a big website and who is otherwise powerless to stop people from doing it.

what I learned a few weeks ago: http request smuggling

Recently I saw an HTTP Request Smuggling alert fly past my IPS. It turned out to be a false positive, but led me down the path of figuring out what that attack actually was. This was one of the bigger things I learned that week. Coincidentally, almost that same day, I browsed backlog quiz questions from Palisade and came across one about HTTP Request Smuggling. Whoa!

PCI: Is Compliance Really the Goal?

I think that really is the goal for larger merchants, but I’m not so sure about the smaller one’s. I can’t help thinking that for a smaller merchant, the cost of compliance would often exceed the cost of simply outsourcing the card processing such that PCI no longer applies. To be fair, I haven’t done the serious research to determine whether that’s true, but given the implementation time lines referenced in the article, it seems plausible. It’s also possible that there aren’t outsourcing services that really meet the needs of smaller merchants.