Andrew Hay

These three day work weeks are fantastic! I’ve taken vacation tomorrow just to chill out before I head to Houston and boy am I looking forward to it.

Here’s the list:

Storage Array for your Splunk datastore – Oh how I wish I had one of these.

New Hotness: (Sun’s new “Low Cost Array” 25×0 series)

Announcing the Information Protection Assessment Toolkit (IPAT) – I suspect, based on the presenter, that this would be a very good program.

The Information Protection Assessment Toolkit is a process that helps you identify security issues and develop an information protection plan. It is the first step in protecting your organization from a breach. The launch program begins June 19th.
IPAT is unique in that it includes every member of your organization in the process of protecting information. Many of us already understand that we need to do this but struggle as to how. IPAT shows you how. Through the IPAT process you will more accurately identify key details about your information and clarify where it exists in your organization. It involves every person and prepares them to be more receptive to awareness training. The results are transformative. I’ll share a story with you next week.

Webcast Today – SIEM Shifts to Log Management – I wish I had more advanced notice of this Webcast so I could have made arrangements to participate.

LogLogic roundtable discussion on log management and intelligence is today. The panel will discuss the shift in the Security Information and Event Management (SIEM) paradigm as it moves toward log management. Topics covered in the panel include how leading enterprises use log management, when they use it, and some pragmatic approaches to deploying it enterprise wide and across different geographies.

An inside look at a targeted attack – Good analysis of a targeted attack.

With targeted attacks becoming regular news items, it might be a good time to have a closer look at a sample of a somewhat older one. Recently I received a potentially malicious e-mail that was originally distributed early 2006. After one year, the dropper, a Word document exploiting MS05-035 was recognized by only 9 out of VirusTotal’s 36 AVs as malicious.
This attack was clearly targeted through the scope of its distribution, limited to members of a specific organization, and the purported/spoofed source and content of the e-mail message. Each of these taken together created a valid context in which the message was interpreted by the recipient.

Auditing Secure Shell – Part I – This should be a good series if the first post is any indication of what is to come

This blog entry outlines a wide variety of audits and monitoring techniques that can be used to keep watch over the Secure Shell applications in use on your network. Examples for auditing SSH client and server configurations, vulnerabilities and logs will be discussed using Nessus, the Passive Vulnerability Scanner, the Security Center and the Log Correlation Engine.

Google Acquires Web Security Startup GreenBorder – This is all over the internet and I had many choices when referencing an article that spoke of it but I choose the DarkNet one because it was simple and to the point.

GreenBorder, a venture-backed startup founded in 2001 and based in Mountain View, California, where Google is also headquartered, offers security software that sets up temporary, virtual sessions each time a computer users surfs the Web, then discards the resulting data once the user is finished surfing.

The software allows technicians to insulate corporate networks so that malicious code hidden inside e-mail, instant messages or Web sites is automatically detected and contained.

Anton Security Tip of the Day #10: Email Tracking Through Logs – Good articles like this keep me coming back to Anton’s blog every day

Email tracking – oh, need I say more? A nightmare for privacy fans – an “evil” weapon of lawyers and HR. Email tracking raises concerns that vary from a severe inability to do it all the way to having too much ability to do it. In this tip, we will focus on the following scenario: your boss says she just sent you an email; you never received it. What’s the story?

I’ve got everything booked for my trip to Houston and I’m looking forward to the BBQ I plan on enjoying

Here’s the list:

Soloway: Another spammer bites the dust – Chalk one up for the good guys!

A notorious spammer once sued by Microsoft was arrested in Seattle this morning, a week after a federal grand jury indicted him under seal for allegedly illegal — and prolific — spamming.

NIST readies guidance on IT security assessments – If you’ve got comments you have until July 31st to make them.

The National Institute of Standards and Technology has finished the third and possibly final draft of its revised guidelines for assessing the adequacy of IT security. Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, will be released for comment June 4.

Germany declares hacking tools ‘verboten’ – This is terrible because there is no clear indication of what a “hacking tool” is.

Updates to Germany’s computer crime laws banning so-called “hacking tools” have been criticised as ill-considered and counterproductive.
The revamp to the German criminal code is designed to tighten definitions, making denial of service attacks and attempts to sniff data on third-party wireless networks, for example, clearly criminal. Attacks would be punishable by a fine and up to 10 years imprisonment.

A New Vector For Hackers — Firefox Add-Ons – Something to look out for.

Makers of some of the most popular extensions, or “add-ons,” for Mozilla’s Firefox Web browser may have inadvertently introduced security holes that criminals could use to steal sensitive data from millions of users.

By design, each Firefox extension — any of a number of free software applications that can be added to the popular open-source browser — is hard-coded with a unique Internet address that will contact the creator’s update server each time Firefox starts. This feature lets the Firefox browser determine whether a new version of the add-on is available.

IPS app available for free – I look forward to testing this out.

Network managers looking for an inexpensive way to better secure traffic crossing their nets might want to check out a free application from Intoto.

Intoto, a provider of security software for enterprise network equipment and CPE gateways, last week at Interop, introduced a stand-alone intrusion-prevention system (IPS) application that the company says will help small and midsize companies looking for enterprise-scale security tools.

Web application scan-o-meter – Another document to put on your “to-read” list.

The new OWASP Top 10 2007 has recently be made available. Excellent work on behalf of all the contributors. As described on the website, “This document is first and foremost an education piece, not a standard.”, and it’ll do just that. Educate. Last week I provided project team with updated text (unpublished) that more accurately describes the current capabilities of “black box” automated scanners in identifying the various issues on the list. The exercise provided ideas for the remainder of this blog post; estimating how effective scanners are at finding the issues organized by OWASP Top-10.

I’m back home after my NSM presentation in Ottawa only to find out that I’m heading to Houston, TX on Sunday for a few days.

Here’s the list:

Find vulnerable Windows wireless drivers – Maybe it’s a good time to audit your own laptop

As more and more businesses move from legacy wireless security models, attackers are looking for new techniques to exploit wireless networks. One technique that is rapidly gaining popularity is to exploit vulnerabilities in wireless network drivers.

Taxonomy of glitch and side channel attacks – Very interesting article.

There are a number of things to try when developing such attacks, depending on the device and countermeasures present. We’ll assume that the attacker has possession of several instances of the device and a moderate budget. This limits an attacker to non-invasive and slightly invasive methods.

Technitium Free MAC Address Changer v4.5 Released – Be on the lookout for a tool of this nature on your network.

Technitium MAC Address Changer allows you to change Media Access Control (MAC) Address of your Network Interface Card (NIC) irrespective to your NIC manufacturer or its driver. It has a very simple user interface and provides ample of information regarding each NIC in the machine. Every NIC has an MAC address hard coded in its circuit by its manufacturer. This hard coded MAC address is used by windows drivers to access Ethernet Networks (LAN). This tool can set a new MAC address to your NIC, bypassing the original hard coded MAC address. Technitium MAC Address Changer is a must tool in every security professionals tool box.

MPack, Packed Full of Badness – Nice piece of analysis in this article.

A nasty piece of malware was sent our way this weekend that we are detecting as Trojan.Mpkit!html and Downloader. This malware is yet another malware distribution and attack kit in the same vein as other kits, such as WebAttacker. This kit, called MPack, is a professionally written collection of PHP software components designed to be hosted and run from a PHP server with a database backend. It is sold by a Russian gang and comes ready to install on a PHP server, and it also comes complete with a collection of exploit modules to be used out of the box.

Snort Report 6 Posted – I’m looking forward to reading this whole report (probably some time this weekend when I have some time).

This is the first of two Snort Reports in which I address output options. Without output options, consultants and VARs can’t produce Snort data in a meaningful manner. Because output options vary widely, it’s important to understand the capabilities and limitations of different features. In this edition of Snort Report, I describe output options available from the command line and their equivalent options (if available) in the snort.conf file. I don’t discuss the Unix socket option (-A unsock or alert_unixsock). I will conclude with a description of logging directly to a MySQL database, which I don’t recommend but explain for completeness.

There’s just something about having to get up at 4:15am to get on a plane that kind of ruins your day.

Here’s the list:

Enhanced Operating System Identification with Nessus – I’m in favor of finding better ways to profile OS’…how about you?

Tenable’s Research group recently introduced a highly accurate form of operating system identification. This new method combines input from various other plugins that perform separate techniques to guess or identify a remote operating system. This blog entry describes this new process and shows some example results .

Prefetch Analysis – I’ve never known so much about something I previously knew nothing about

I’ve seen a couple of posts recently on other blogs (here’s one from Mark McKinnon) pertaining to the Windows XP Prefetch capability, and I thought I’d throw out some interesting stuff on analysis that I’ve done with regards to the Prefetch folder.

Essential Bluetooth hacking tools – I can honestly say that I haven’t run into a situation where I’ve had to test and/or analyze Bluetooth devices yet. At least I now know where to get some tools.

If you are planning to gain a deeper understanding of Bluetooth security, you will need a good set of tools with which to work. By familiarizing yourself with the following tools, you will not only gain a knowledge of the vulnerabilities inherent in Bluetooth-enabled devices, but you will also get a glimpse at how an attacker might exploit them.

VMware Security and NAT Problems – This is the first I’ve heard of such problems.

As helpful as VMware is I can honestly say that it has caused me quite a bit of grief lately. My feelings of frustration have mainly been my fault but tonight I also received a warning to update to the latest version of VMware Workstation. And when Ed Skoudis tells you to update immediately I listen, as should you.

The problems with VMware started on Tuesday when the culmination of the SANS Hacker Techniques, Exploits & Incident Handling started. During the last week of this SANS @Home course the whole class is given access to a virtual lab which contains a vulnerable environment for the hacking. As it is a training situation Ed provides detailed instructions on how the students are suppose to set up their attacking systems. I spent the better part of that night and the next night hacking with a team and individually. I thought that I would do really well but in the end I just could not get anything to work correctly.

Recovering a FAT filesystem directory entry in five phases – Good article to cap things off.

This is the last in a series of posts about five phases that digital forensics tools go through to recover data structures (digital evidence) from a stream of bytes. The first post covered fundamental concepts of data structures, as well as a high level overview of the phases. The second post examined each phase in more depth. This post applies the five phases to recovering a directory entry from a FAT file system.

Supposed to be a nice day today so perhaps I’ll try and get 9 holes in before I have to pick my wife up at the airport tonight

Here’s the list:

The Big Ol’ Ubuntu Security Resource – This is a few days old but a good article to read through regardless.

If you’ve recently switched from Windows to the Linux distribution Ubuntu, you’ve probably experienced a decrease in spyware — and malware in general — on your system. But although Ubuntu is billed as the ultra-secure solution, you should know that even though Ubuntu’s default install has its flaws, like every other operating system.

To combat these weaknesses, IT Security has prepared a guide to help you close your system’s backdoors and protect you from some of the common Ubuntu exploits. Look at this big ol’ Ubuntu security resource as an introductory guide to securing Ubuntu, along with a list of the software you’ll need to stay protected.

Insider Threat Example: Ex-Coca-Cola Employees Sentenced to Prison For Trying To Sell Trade Secrets To Pepsi – This is the example I typically use when justifying the purchase of an SEM/SIM/SEIM/NSM solution. Nice to see that I wasn’t inventing a scenario that wasn’t possible

CNN reported that a couple of ex-Coca-Cola employees were sentenced to prison and ordered to pay $40,000 each for “conspiring to steal and sell trade secrets to rival Pepsi.”

One will get 8 years in prison and the other will get 5 years.

Another ex-Coca-Cola-worker was also involved and will be charged with wire fraud and unlawfully stealing and selling trade secrets, as were the other two, and sentenced this summer.

Pepsi notified Coca-Cola that the three had offered to sell samples of a new Coke product to Pepsi for $1.5 million.

Foundstone Blast – TCP Network Service Stress Test Tool – Another cool tool to add to your kit.

Foundstone Blast v2.0 is a small, quick TCP service stress test tool. Blast does a good amount of work very quickly and can help spot potential weaknesses in your network servers.

Features:

/trial switch adds the ability to see how the buffer looks before sending it
/v switch adds verbose option – off by default
/nr switch turns off initial receive after initial connect – HTTP services don’t send and initial response, Mail services do
The /nr switch fixes the effect of HTTP timeouts when sending GET strings
/dr adds double LF/CR’s to buffers(useful for GET requests) off by default

“Defeating” Whole Disk Encryption – Part 2 “Ok, I’ve got the password, now what” – Part two in the series.

In my last post I discussed some techniques for obtaining a PGP encrypted password from a DD image of the physical memory. Let’s quickly take a look at how to tackle a dead box before we start to tie all this together.

Latest test results from Andreas Marx – Sounds like a good test.

We tested 29 products for the detection of most recently seen verified working Win32 PE malware of the last 12 month — separated into the four categories backdoors, bots, trojan horses and worms.

Only detection has been tested, as this was the main request of magazines and readers, some more reviews regarding the system disinfection capabilities and the proactive (behaviour-based) detection will follow within the next two months. Furthermore, as announced during the International Antivirus Testing Workshop last week, we will more closely review the lifecycle of the products, to get a better impression about the developments of the products over time and also risky situations.

Dell & Google Secretly Installing Software to Make Money Off Your Typos – Those….bastards….how is this business practice not illegal?

New Dell machines that include the Google toolbar as part of a marketing agreement also include a secret program that redirects non-url information typed into a browser window to a Dell-branded page filled with ads. For example if you type in dogfood.cim, instead of getting a browser error message, the secret Google Address Redirector redirects the query to an ad-filled page of search results.

The Most Famous (or Infamous) Viruses and Worms of All Time – This is a great slide show that would make a great presentation to senior management.

The last few years have seen no shortage of viruses and worms. Here’s a not-so-fond look back.

Protecting against SSH brute-force attacks – Good article on a common attack method.

Practically all UNIX-based servers run a SSH server to allow remote administration across the Internet. From time to time, you might notice a large number of failed login attempts. Often, these are brute-force attacks against your SSH server

In this hack, we’ll show you 5 tips to protect machines running SSH daemons from brute-force attacks.

Adobe Lies, Badly – This blows my mind!

Adobe just posted a workaround for a security bug in their installer: Security bulletin: Workaround available for security vulnerability caused by installing Adobe Version Cue CS3 Server on some Mac systems.

In the Details section of the advisory, Adobe says:

To be granted access to these ports, the installer must first turn off the personal firewall. Currently, it is not automatically re-activating the firewall once it sets up Version Cue CS3 Server, creating a potential security vulnerability.