Apr 30
Blogs I Read: The Security Catalyst
Andrew Hay | Blogs I Read | April 30th, 2007

The next blog on the “blogs I read” list is The Security Catalyst. From the ‘About’ page:

Get engaged and prepare to be entertained as expert on security and the protection of information and professional speaker Michael Santarcangelo (and friends) takes a refreshingly direct but entertaining (and easy to follow) look at the important issues in how we think about and protect our information assets.

From discussing the basics of securing your home computer in an easy-to-understand manner to preparing you to make the right choices in your important projects, the Security Catalyst has you covered. Our goal is to make your job easier and allow you to be more effective (check out our programming improvements for 2007 below).

The Security Catalyst is designed and produced in a way to provide value to security professionals, interested business professionals and even consumers. Security happens easier when the ‘catalyst’ is involved. Listen today and improve the way you practice information security. Plus, earn valuable CPE credits by listening (or even guest writing!).

I first saw this blog mentioned in a post referencing the Security Catalyst Community Forums, of which I am a proud member.

Pros:
- Provides podcasts for professionals and a “family security series” for all computer users
- Qualified list of contributors that produce quality content
- Associated forum that is open to all security professionals and is very active

Cons:
- Not as frequently updated as most sites but the content makes up for the lack of updates

Conclusion:
5 stars – A great blog, community forum, and podcast resource. I strongly encourage everyone to join the Security Catalyst Community.

Apr 30

Well, it’s the last day of April (can’t believe it!) and I’m stuck home with the flu. I hadn’t been sick all winter so I guess I was due.

Here’s the list for today:

A Safer Apple Experience per Grandma Roberts

In these days where everyone is getting worked up over OS X vulnerabilities it’s somewhat easy to not know quite how to respond. I love my grandmother partially because even though she may not read all the warnings on SANS Internet Storm Center or read John Gruber’s surprisingly enjoyable and fair interview with Dino Dai Zovi, she will email me anything she sees on CNN.com or gets via email about computer security. It’s really quite touching and means a lot that she cares enough to take an interest in what I do.

Addressing Privacy: There Will Never Be a Technology-Only Solution Because of the Human Factors Involved – I completely agree.

I’ve written about this many times, but it is worth repeating many times more: technology alone will not solve a company’s information security, privacy or compliance challenges and requirements. The human factor is significant and must be addressed.

Friday Quickies – April 27, 2007 – I don’t agree with Rothman’s declaration that SIM is dead. Just because a vendor adds log management, an important data point when performing incident handling, doesn’t mean that they’re grasping at straws. As he said in his own article…the space is “evolving”.

SIMs not dead, eh? – Then why is almost every SIM vendor announcing a dedicated log management appliance? NetForensics is the latest (NetForensics press release) and they also extended their monitoring capability to databases (another NetForensics release). How many more data points do we need about the evolving SIM space before we can finally start shoveling dirt on it?

Video: Exploring Metasploit 3 and the New and Improved Web Interface – Part 1 – Make sure you turn down your volume as the music is A LITTLE LOUD FOR WORK!!!!

In this video we explore the revised MSFWeb interface for the Metasploit Framework 3.0. We specifically take a look at running auxiliary modules against a server running MSSQL, and then we’ll take a look at using the MSFweb GUI to run the idq exploit with the meterpreter payload. What is unique about the idq bug is that it will NOT give you administrator or system on the box, but you can use the rev2self command in meterpreter to elevate your privileges from IUSR_MACHINENAME to SYSTEM. While we’re at it, we also dump the hashes using hashdump for a little extra fun.

Video: Exploring Metasploit 3 and the New and Improved Web Interface – Part 2 – Part 2 (and the music isn’t as loud this time)

In this video we explore the revised MSFWeb interface for the Metasploit Framework 3.0. We specifically take a look at running “browser” exploits where you have to get the victim to connect back to your listening Metasploit instance. We’ll use the ie_createobject exploit via the MSFweb GUI, and then we’ll use the wmf_setabortproc exploit using the built in msfconsole (a new addition in MSFWeb 3.0). We’ll also take a look at using custom meterpreter scripts; first to see if the victim is running in vmware and second, to clear the event logs.

Something New To Look For – Danger…danger…

So, what’s this all about? Remember how some malware tries to shut off AV software or the Windows Firewall? Well, the script that Hogfly found uses reg.exe to set all of the values (except the first one) to 0, and effectively shuts down any error reporting, which is essentially a visual notification that something is wrong on the system.
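Since the write-up only describes the behaviour (reg.exe zeroing error-reporting values), here is an added example of the detection side that is not part of the original post or of Hogfly’s analysis: a small Python checker that reads a batch script and flags any `reg add` command that sets a value under a watched key to 0. The sample script lines are constructed for this illustration; the `PCHealth\ErrorReporting` key and the `DoReport`/`ShowUI` value names are the Windows XP error-reporting settings, and the watch list is an assumption you would extend for your own environment.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a few lines in the style of a batch script that uses
# reg.exe to silence Windows Error Reporting. Made up for this illustration.
SAMPLE_SCRIPT = r'''
@echo off
reg add "HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting" /v DoReport /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting" /v ShowUI /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting" /v AllOrNone /t REG_DWORD /d 1 /f
echo done
'''

# Keys whose values, when zeroed, remove the visual cue that something is
# wrong on the box. Assumed starting list; add the keys you care about.
WATCHED_KEYS = {
    r"hklm\software\microsoft\pchealth\errorreporting",
}

# "reg add <key> <flags>", with the key either quoted or a bare token.
REG_ADD = re.compile(
    r'^\s*reg(?:\.exe)?\s+add\s+(?:"(?P<qkey>[^"]+)"|(?P<key>\S+))(?P<args>.*)$',
    re.IGNORECASE,
)
# Only the /v (value name) and /d (data) flags matter for this check.
FLAG = re.compile(r'/(?P<name>[vd])\s+(?:"(?P<qval>[^"]*)"|(?P<val>\S+))', re.IGNORECASE)


def normalize_key(key: str) -> str:
    """Fold hive aliases and case so the same key always compares equal."""
    key = key.strip().rstrip("\\")
    if key.upper().startswith("HKEY_LOCAL_MACHINE"):
        key = "HKLM" + key[len("HKEY_LOCAL_MACHINE"):]
    return key.lower()


def parse_reg_add(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return {key, value, data} for a 'reg add' line, or None for anything else."""
    m = REG_ADD.match(line)
    if not m:
        return None
    flags = {}
    for f in FLAG.finditer(m.group("args")):
        flags[f.group("name").lower()] = f.group("qval") if f.group("qval") is not None else f.group("val")
    return {
        "key": normalize_key(m.group("qkey") or m.group("key")),
        "value": flags.get("v"),
        "data": flags.get("d"),
    }


def find_zeroed_values(script_text: str) -> List[Dict[str, object]]:
    """Flag every 'reg add' that writes 0 to a value under a watched key."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        cmd = parse_reg_add(line)
        if cmd is None or cmd["key"] not in WATCHED_KEYS:
            continue
        if cmd["data"] == "0":
            hits.append({"line": lineno, "key": cmd["key"], "value": cmd["value"]})
    return hits


if __name__ == "__main__":
    for hit in find_zeroed_values(SAMPLE_SCRIPT):
        print(f"line {hit['line']}: {hit['value']} set to 0 under {hit['key']}")
```

The same parser can be pointed at a suspicious script pulled off a compromised host, or at a directory of them; the part worth keeping is the key normalisation, since `HKLM` and `HKEY_LOCAL_MACHINE` are interchangeable to reg.exe and a naive string match would miss one spelling.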

CSIRTM resources online – I’ll have to make time in the coming days to read through this white paper.

As part of the preparations for a new graduate course in CSIRTM to be offered to students as an elective in the Norwich University Master of Science in Information Assurance (MSIA) program, I put all my articles together into an edited white paper on the subject and added some new material.

Protected but Owned: My Little Investigation – Good write-up with screen captures.

Check out my write-up here. It is about my investigation of a desktop protected by various security software, but 0wned nonetheless. And to those paranoids who are dying to ask a question “Was this my own system?” I can give a resounding “NO!” :-)

Movie Time: DNS Changer trojan – Grab your popcorn…it’s MOVIE TIME!

Adam Thomas in our malware research labs took a video of a Trojan DNS Changer a while back. This is a piece of malware that uses rootkit technology and changes your Windows DNS settings. Its purpose is to redirect your search results in popular search engines.

Log Management Summit Wrap-Up – I’ll have to go to this some day.

My favorite presentation on Monday, though, was Chris Brenton’s talk, entitled Compliance Reporting – The Top Five most important Reports and Why. As you know, I’ve been doing a lot of work recently on NSM reports, and although log reporting isn’t quite the same, the types of things that an analyst looks for are very similar. I got some great ideas which may show up in my Sguil reports soon.

Apr 27

Ahhhh… Friday!

Here’s the list for today:

Introduction to Identity Management – Part II – A topic that is on everyone’s mind.

Before we delve any deeper into IDM, we should take a moment to acknowledge three “interim solutions” to the IDM problem that have supported IT for many years. Each of these solutions was designed to support centralized credentials for a specific class of system.

Student evades Cisco NAC; gets suspended – Should the student be suspended for bypassing the default setting on the device that the Administrator left unchanged?

The exploit was the work of a sophomore who was suspended for doing it, and further use of the weakness has been blocked by changing a setting on the Cisco Clean Access box involved, according to Cisco.

NY teen hacks AOL, infects systems – That’s quite the list of alleged exploits.

In a complaint filed in Criminal Court of the City of New York, the DA’s office alleges that, between December 24, 2006 and April 7, 2007, 17-year-old Mike Nieves committed offenses like computer tampering, computer trespass and criminal possession of computer material.

Bot Infections Surge to 1.2 Million – Something needs to be done.

The number of compromised computers that are part of a centrally controlled bot net has tripled in the past two weeks, according to data gathered by the Shadowserver Foundation, a bot-net takedown group.

The weekly tally of bot-infected PCs tracked by the group rose to nearly 1.2 million this week, up from less than 400,000 infected machines two weeks ago. The surge reversed a sudden drop in infected systems–from 500,000 to less than 400,000–last December.

Project Honey Pot Files Massive Anti-Spam Suit Against Millions of IP Addresses – I guess that’s one tactic.

An anti-spam organization that collected millions of spam messages sent to fake email addresses seeded on volunteers’ websites and blogs filed a lawsuit against every spammer who harvested those addresses and spammed them. The suit, filed in the Eastern District of Virginia, seeks more than $1 billion in damages. The suit names John Doe defendants based on their IP addresses.

Pen-test cost versus being sued – No one wants to pay the money up front…but they typically regret it after the fact.

I had to laugh, well kind of anyways, when I saw the following article. The reason being that I have had clients in the past balk at the cost of my per diem, and by extension the pen-test that I was contracted for. Well, if you factor in the cost of a class action lawsuit, or simple litigation, guess which is by far cheaper. Much as I stated to the client, my fee, while four figures, is a heck of a lot less than being sued for not practicing due diligence. Having a yearly pen-test or vulnerability assessment done is no longer an option, but a business necessity.

Apr 26

I’ve got another new co-op student starting today. That brings my team up to 8 people in total (including two co-op students). Everything at work is finally starting to fall into place :)

Here’s the list for today:

Intro to hackernomics – I wonder if this term will make it into the next Webster’s version?

Hackernomics (noun, singular or plural): A social science concerned with description and analysis of attacker motivations, economics and business risk. It is characterized by five fundamental laws and eight corollaries.

New approaches to malware detection coming into view – Good idea of what’s coming down the pipe.

The traditional signature-based method to detect viruses and other malware is increasingly seen as an insufficient defense given the rapid pace at which attackers are churning out virus and spyware variants. All of which raises the question: What’s next?

SSA 1.5.1 Released – Security System Analyzer an OVAL Based Scanner – Something to test out.

SSA is a scanner based on OVAL. The command line tool provided by MITRE is not very easy to use, so the guys at Security Database decided to write a GUI to make it simple to use and understand, and then free the security testers community to take advantage of it.

Spam Attack: RARed Trojan – More details on this piece of malware.

Symantec Security Response has seen an increasing number of submissions of Trojan.Peacomm and related malware arriving in emails containing password-protected RAR archives.

White House Task Force Proposes Criminalizing Harmless Hacks – I can’t wait to see who the first person to burn at the stake for this is.

The Identity Theft Task Force appointed by President Bush and headed by embattled attorney general Alberto Gonzales wants to close a loophole in a federal computer crime law that’s letting slick computer intruders escape federal prosecution merely by doing no harm.

Perfect Setup Of Snort + Base + PostgreSQL On Ubuntu 6.06 LTS – Good reference article if you don’t have a Snort sensor and analysis station up and running.

This tutorial describes how you can install and configure the Snort IDS (intrusion detection system) and BASE (Basic Analysis and Security Engine) on an Ubuntu 6.06 (Dapper Drake) system. With the help of Snort and BASE, you can monitor your system – with BASE you can perform analysis of intrusions that Snort has detected on your network. Snort will use a PostgreSQL database to store/log the data it gathers.

Cisco Security Advisory: Default Passwords in NetFlow Collection Engine – “The upgrade to NFC version 6.0 is not a free upgrade” – ya…that makes sense.

Versions of Cisco Network Services (CNS) NetFlow Collection Engine (NFC) prior to 6.0 create and use default accounts with identical usernames and passwords. An attacker with knowledge of these accounts can modify the application configuration and, in certain instances, gain user access to the host operating system.

The upgrade to NFC version 6.0 is not a free upgrade. This default password issue does not require a software upgrade and can be changed by a configuration command for all affected customers. The workaround detailed in this document demonstrates how to change the passwords in 5.0.

Asking Vista for its list of network interfaces

Tenable’s research group recently released plugin ID #24904 which speaks with the Link Layer Topology Discovery protocol. This is an Ethernet “layer 2” scan, so it is something you need to perform against a server within the collision domain of a Nessus scanner. LLTD allows you to enumerate a wide variety of information about the remote host.

Why Risk Management Fails (Or At Least Is Really, Really, Hard For Us) – Everyone has their opinion. I, however, think Risk must be able to be measured. It’s usually a question of “if” not “how” risk can be measured.

What really gets me, though, is when I see folks online and in mailing lists come up with all sorts of nonsense about how risk can’t be measured, or, even worse, that it’s too difficult and should be discarded in favor of their version of witchcraft.

Be Prepared – Just as you’re always prepared for ninjas to spring into attack…so should you be prepared for security problems :)

As security professionals, shouldn’t we also “Be Prepared?” We need to have a “tool bag of knowledge” that we can open whenever an event occurs. This is a set of resources, instructions or processes that you can use when responding to a security event. An organized and careful reaction to an incident can mean the difference between complete recovery and total disaster.

Battle of the Colored Boxes (part 1 of 2) – Good overview of the “colored box” methods of testing.

Let’s look at Black, White, and Gray Box software testing from a high level as it relates to a website security standpoint and highlight their strong points. I realize that not everyone will agree with my conclusions. So as always, feel free to comment and let me know if anything has been overlooked and should be considered. Also for perspective, I’m of the opinion that all three methodologies require tools (scanners) and experienced personnel as part of the process. No exceptions.

Universities highlight IT forensics boom – Where was this kind of stuff when I was in school?

Universities offering postgraduate courses for IT professionals claim to be seeing increasing interest in computer forensics skills, both from employers and from applicants.

Peacomm RARs Its Ugly Head

Just like last time, a lot of this seems to be getting by traditional signature-based AV detection routines.

Security Leadership – I couldn’t agree more.

In my opinion the security industry is in need of leadership. It is an industry that is widely varied in scope and objective. You have many different disciplines that often don’t communicate with each other and often even openly criticize or look down on each other. If we are all fighting against a common enemy, then why can’t and don’t we work together? Why should we each fight our own battles and also fight each other?

URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating – Uh oh…

Remember what I said about “living dangerously”? Stop living dangerously, right now. Turn Java off in your browser. Watch this space for more details.

Default Deny All Applications (Part 1) – Good article on SRP.

Software Restriction Policy (SRP) was introduced in October 2001 with the launch of Microsoft Windows XP Professional. Since then it has lived a pretty silent life – much too silent you could say. The purpose of this article series is to bring SRP ‘back to life’ out there in the real world, to encourage administrators around the world to re-think their software policies and maybe even implement SRP in its strongest setup: by the use of Whitelisting.

Hardware Key Logging Part 2: A Review Of Products From KeeLog and KeyGhost – A good review of some products out there.

As stated in the first article, installation of these sorts of devices is simple. Just plug the keylogger inline with the keyboard. From there it should start logging key strokes. Retrieval and configuration, on the other hand, varies somewhat from model to model.

Apr 25

I went to my first HTCIA meeting last night and got to hear an interesting presentation on “The Importance of E-Mail Preservation in Litigation”. I’m not sure if I can post it or not but I’ll find out.

Here is today’s list:

Social Engineering Gets a Big Diamond Heist

It just goes to show, sometimes the simple things are the most effective. A box of chocolates can defeat all the most hi-tech security systems if you add a little charm.

Optical link hacking unsheathed – I guess my Windows NT 4 networking books were wrong :)

Instead of breaking a fibre and installing a device (splicing), an approach that might easily be detected, off-the-shelf equipment makes it possible to extract data from an optical link without breaking a connection.

MS’ New Malware Protection Center to Go Global with Fighting e-Threats – I’m interested to see how this turns out.

Microsoft has unveiled what it’s calling its Malware Protection Center: a new think tank comprising security and threat experts that will provide global malware research, response and protection capabilities in order to help protect customers from new or existing threats.

The Good, The Bad, And The Risk Assessment

RAs can be conducted internally; however, an RA conducted by an external third party typically carries more weight should the information within the RA be questioned. It’s that whole impartiality thing, ya know?

0wning Vista from the boot – Interesting interview with the guys who wrote the VBootkit.

Federico Biancuzzi interviews Nitin and Vipin Kumar, authors of VBootkit, a rootkit that is able to load from Windows Vista boot-sectors. They discuss the “features” of their code, the support of the various versions of Vista, the possibility to place it inside the BIOS (it needs around 1500 bytes), and the chance to use it to bypass Vista’s product activation or avoid DRM.

Analyzing Mac OS X Applications 101: CrashReporter and Malloc – Very good article from the guys at Matasano…but if you read it then they get to keep your laptop.

For the most part, these tips apply to both GUI and command line apps. This isn’t rocket science, but is a good primer for people looking to dive into OSX vulnerability analysis. I am going to use Safari as an example, since it is somewhat topical. It isn’t the best example since enough of it is open source that you can gain a lot more insight via debug builds.

NSA Attacks Student Soldiers in … Cyber War!

The NSA held its annual Cyber Defense Exercise last week in Annapolis, pitting the agency’s elite Red Team against Air Force cadets and Navy midshipmen in all out simulated cyber war. Can the NSA’s crusty electronic warriors slip the bulwark of firewalls and anti-virus products erected by the fresh-faced, tech savvy recruits, or will they be blockaded by the elite skills of the student defenders?

Companies Are Waking Up to the Reality of Data Theft

I was at my usual Starbucks this morning and saw a well-dressed guy using the Wi-Fi hotspot. For all I know he might have been a struggling author trying to write the next great novel. Or maybe not. Maybe he was a claims administrator for the hospital up the street—with a few thousand very personal records on his laptop, and with absolutely no idea that during his morning coffee he could end up having his most valuable data maliciously copied over the Wi-Fi network.

How can I change the default size of an inode when I create an ext2/ext3 filesystem? – Never hurts to have a refresher on some Linux commands.

It is possible to define a non-standard sized inode by using the mke2fs tool with an undocumented option, -I. The size of the inode has to be a power of two and between the size of EXT2_GOOD_OLD_INODE_SIZE (128 bytes) and the size of blocks in bytes. One reason for doing this could be that the user is going to use extended attributes. Extended attributes are arbitrary name/value pairs used to store system objects like Access Control Lists (ACL). If the size of the inodes is larger than the default size, then sufficiently small attributes can be stored in the inode. However, use this option with caution because of compatibility issues. It may render the filesystem unusable on most systems.
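Because that compatibility caveat is the part that bites later (an image built with -I on one box turning out unusable on another), an added example follows that is not from the original tip: a Python checker that reads the ext2/ext3 superblock of an image file and reports the inode size together with the same constraints the tip states (power of two, at least 128 bytes, no larger than the block size). The superblock field offsets (magic at 56, log block size at 24, revision at 76, inode size at 88) are the on-disk ext2 layout; the `build_superblock` helper that fabricates a minimal image for testing is an assumption of this example, not something mke2fs produces.

```python
import struct

SUPERBLOCK_OFFSET = 1024        # the ext2 superblock always starts 1 KiB into the device
SUPERBLOCK_SIZE = 1024
EXT2_SUPER_MAGIC = 0xEF53
EXT2_GOOD_OLD_INODE_SIZE = 128  # fixed inode size for revision-0 filesystems
EXT2_GOOD_OLD_REV = 0


def read_superblock_fields(image: bytes):
    """Pull block size and inode size out of an ext2/ext3 image's superblock."""
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE]
    if len(sb) < SUPERBLOCK_SIZE:
        raise ValueError("image too small to hold a superblock")
    (magic,) = struct.unpack_from("<H", sb, 56)
    if magic != EXT2_SUPER_MAGIC:
        raise ValueError(f"bad magic 0x{magic:04x}: not an ext2/ext3 superblock")
    (log_block_size,) = struct.unpack_from("<I", sb, 24)
    block_size = 1024 << log_block_size
    (rev_level,) = struct.unpack_from("<I", sb, 76)
    if rev_level == EXT2_GOOD_OLD_REV:
        inode_size = EXT2_GOOD_OLD_INODE_SIZE   # field at 88 is meaningless on rev 0
    else:
        (inode_size,) = struct.unpack_from("<H", sb, 88)
    return block_size, inode_size


def inode_size_is_valid(inode_size: int, block_size: int) -> bool:
    """The constraints mke2fs -I must respect: power of two, 128 <= size <= block size."""
    is_power_of_two = inode_size > 0 and (inode_size & (inode_size - 1)) == 0
    return is_power_of_two and EXT2_GOOD_OLD_INODE_SIZE <= inode_size <= block_size


def describe_image(image: bytes) -> dict:
    block_size, inode_size = read_superblock_fields(image)
    return {
        "block_size": block_size,
        "inode_size": inode_size,
        "valid": inode_size_is_valid(inode_size, block_size),
        "default": inode_size == EXT2_GOOD_OLD_INODE_SIZE,
    }


def inspect_file(path: str) -> dict:
    """Read just enough of a real image or block device to inspect the superblock."""
    with open(path, "rb") as fh:
        return describe_image(fh.read(SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE))


def build_superblock(block_size: int, inode_size: int, rev_level: int = 1) -> bytes:
    """Constructed test image: a boot block plus a superblock with only the
    fields this checker reads populated. Not a mountable filesystem."""
    sb = bytearray(SUPERBLOCK_SIZE)
    log_block_size = (block_size // 1024).bit_length() - 1   # block_size == 1024 << log
    struct.pack_into("<I", sb, 24, log_block_size)
    struct.pack_into("<H", sb, 56, EXT2_SUPER_MAGIC)
    struct.pack_into("<I", sb, 76, rev_level)
    struct.pack_into("<H", sb, 88, inode_size)
    return bytes(SUPERBLOCK_OFFSET) + bytes(sb)


if __name__ == "__main__":
    print(describe_image(build_superblock(4096, 256)))
```

Run `inspect_file("/path/to/image")` against an image created with `mke2fs -I 256` and the `default` flag comes back False; anything that fails `valid` is an image to treat with suspicion before trying to mount it elsewhere.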

Storm Worm vs. IDS – Do we really need a new Gartner category?

The technology is ready for 0day viruses, the problem is that the market still isn’t. The technology I describe above doesn’t fit within any easy market category; it’s neither precisely what people understand as “intrusion-prevention” nor “anti-virus”. It’s like a thousand other bits of technology that languish in our industry because there is no neat category for them. I created the first IPS (BlackICE Guard aka. Proventia), but it was just an IDS feature until Intruvert showered money on Gartner to create a new category for it.

Put your OpenSSH server in SSHjail – Lock it up for life (‘life’ being 2 years with good behavior in some States)

Jailing is a mechanism to virtually change a system’s root directory. By employing this method, administrators can isolate services so that they cannot access the real filesystem structure. You should run unsecured and sensitive network services in a chroot jail, because if a hacker can break into a vulnerable service he could exploit your whole system. If a service is jailed, the intruder will be able to see only what you want him to see — that is, nothing useful. Some of the most frequent targets of attack, which therefore should be jailed, are BIND, Apache, FTP, and SSH. SSHjail is a patch for the OpenSSH daemon. It modifies two OpenSSH files (session.c and version.h) and allows you to jail your SSH service without any need for SSH reconfiguration.
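The “intruder sees only what you want him to see” promise holds only if the jail directory itself is clean, so here is an added example, not part of the SSHjail project or the quoted article: a Python audit that walks a jail root and reports the things that commonly undermine a chroot (setuid/setgid binaries, device nodes, world-writable entries, and symlinks that resolve outside the jail on the host). The `make_demo_jail` helper builds a throwaway directory with a couple of deliberate mistakes so the audit has something to find; the issue labels are this example’s own naming.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List


def audit_jail(jail_root: str) -> List[Dict[str, str]]:
    """Walk a chroot directory and return a list of {path, issue} findings."""
    root = Path(jail_root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):      # does not follow symlinks
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            st = entry.lstat()
            rel = str(entry.relative_to(root))
            mode = st.st_mode

            # A symlink whose host-side target lies outside the jail either
            # dangles inside the jail or shows host layout was copied in.
            if stat.S_ISLNK(mode):
                target = Path(os.path.realpath(entry))
                if os.path.commonpath([str(root), str(target)]) != str(root):
                    findings.append({"path": rel, "issue": "symlink-escapes-jail"})
                continue

            # Device nodes give a jailed process a route to the real system.
            if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
                findings.append({"path": rel, "issue": "device-node"})

            # setuid/setgid inside a jail is a privilege-escalation foothold.
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append({"path": rel, "issue": "setuid-or-setgid"})

            # World-writable entries let the jailed service plant or alter files.
            if mode & stat.S_IWOTH:
                findings.append({"path": rel, "issue": "world-writable"})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


def make_demo_jail() -> str:
    """Constructed sample jail: one clean file, one world-writable file and
    one symlink pointing at the host root. Returns the temp directory path."""
    base = tempfile.mkdtemp(prefix="jail-demo-")
    etc = os.path.join(base, "etc")
    os.mkdir(etc)
    os.chmod(etc, 0o755)
    clean = os.path.join(etc, "passwd")
    open(clean, "w").close()
    os.chmod(clean, 0o644)
    loose = os.path.join(etc, "motd")
    open(loose, "w").close()
    os.chmod(loose, 0o666)                   # deliberate mistake
    os.symlink("/", os.path.join(base, "escape"))   # deliberate mistake
    return base


if __name__ == "__main__":
    jail = make_demo_jail()
    for finding in audit_jail(jail):
        print(f"{finding['issue']:22s} {finding['path']}")
    print(summarize(audit_jail(jail)))
```

Run it against the real jail directory before starting the patched sshd; an empty list is the answer you want, and a populated one tells you exactly which copied-in file or link to remove.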

Building application firewall rule bases

During the past decade, most enterprises have made significant investments in network and perimeter security. Organizations have tightened their controls and moved toward a defense posture that dramatically limits the effectiveness of hackers’ network-scanning attacks. Unfortunately, while security professionals were busy building up network controls, attackers spent their time developing new techniques to strike at the next Achilles’ heel: the application layer.

Anti-debugging techniques of the past – Most of this stuff pre-dates me but it’s still a good history lesson :)

Most targeted anti-debugger techniques rely on exploiting shared resources. For example, a single interrupt vector cannot be used by both the application and the debugger at the same time. Reusing that resource as part of the protection scheme and for normal application operations forces the attacker to modify some other shared resource (perhaps by hooking the function prologue) instead.

Bastille for OS X? – Finally!

Apple customers ought to know that the OS is not secured as it is delivered to them, but is secureable (sounds like MS Windows). There is a great script to assist in securing OS X available as part of the Bastille project. This script is still in Beta, though I saw it demonstrated last year at DefCon and was very impressed. More can be found at: http://www.bastille-linux.org/running_bastille_on.htm#osx
