Month: May 2007

Suggested Blog Reading – Wednesday May 9th, 2007

Little late posting this one today…better late than never!

Here’s the list for today:

Note to Universities: Web Sites Providing A Security Breach Playground – Remember when Universities were only breeding grounds for STDs?

While I was compiling the Educational Security Incidents (ESI) Year in Review – 2006, I noticed something interesting. Of the 83 information security incidents in 2006 reported by colleges and universities, 20 such incidents were due to Unauthorized Disclosure. Unauthorized Disclosure on ESI is defined as incidents involving the release of information to unknown and/or unauthorized individuals. In other words, Unauthorized Disclosure tends to involve employee or organizational mistakes at some level.

Management and security: Still separate but equal? – Should they really be separate?

I’ve said it before and I’ll say it again: It makes sense to use certain technologies to both manage and secure your network. Yet while vendors continue to provide integration between, say, configuration management software and endpoint security products, most companies are keeping the tools separate — for now.

Liability of reverse engineering – I’m not sure where I stand on this…

Christopher Hoff asks an admittedly naïve question: “If I … engage in reverse engineering of a product that is covered by patent/IP protection and/or EULA’s that expressly forbids reverse engineering, how would I deflect liability for violating these tenets …”.

This reflects that while such issues are frequently discussed in our industry, few know what the words actually mean. For example, reverse-engineering a patent is a contradiction in terms, because you can just read the patent rather than reversing the code that implements a patent.

Automated Security Scanning Considerations – Good article.

I noticed a question on a listserv that I monitor. The person asked for an opinion on how an auditor might look at an automated vulnerability scanner that logs into the target host and performs local checks. Many vendors have been doing this for a while now. It is a great feature that really allows these tools to help companies ensure that their systems are maintaining compliance with company policies and procedures. It also assists with change management and security validation as well.

Is Snort 3.0 going to be open sourced? – I think it would be a mistake to close the source on this now. It would only look bad on Marty.

This is a question which has come up recently and I understand was a recent topic on a Snort IRC channel. It seems recent comments by me and on our podcast have raised some questions about what the future course of licensing for new versions of Snort is going to be. I also spoke about this with Thomas Ptacek of Matasano a while back and we never finished our conversation. Obviously, I am not the final word on this topic and you should look at Sourcefire for the definitive answer. However that being said, my understanding is that Snort 3.0 will have some license changes. My belief is it will still be open sourced and released under a GPL license as Marty Roesch has said many times. However, the licensing change, again from what I understand, will deal with people who embed Snort into their applications and under the current license do not fall under the derivative clauses of the GPL. So under Snort 3.0 there will be changes to the base GPL as to what constitutes a derivative work. My opinion is that in essence what is happening here is Sourcefire is going to move Snort to more of a dual-licensed system.

The five phases of recovering digital evidence – Part 2 in the series…

This is the second post in a series about the five phases of recovering data structures from a stream of bytes (a form of digital evidence recovery). In the last post we discussed what data structures were, how they related to digital forensics, and a high level overview of the five phases of recovery. In this post we’ll examine each of the five phases in finer grained detail.

Another educational institution, another SIEM eval – Most people, just like Michael Farnum, complain about the cost of a SEM/SIM/SEIM solution without taking the time to think about the people power required to do the same task. Think of the sick days, vacation, salary, and compensation package money saved on a product of this nature. Michael also complains that the correlation doesn’t work. Sure, out of the box it may not be able to handle all security events properly but that is where tuning comes into play. Just like any piece of hardware on your network, you can’t expect it to work for every environment out of the box…it has to be customized to your environment and policies.

I went to another client of ours from an educational institution (this time in Dallas), and they were similar to the client I spoke of in my last post. However, this site seemed to be a bit more proactive when it came to security, and he didn’t seem nearly as stressed as the other client.

Report available for WASC’s Distributed Open Proxy Honeypot Project – It’s quite a good report. Lots of detail.

Ryan C. Barnett, WASC’s Distributed Open Proxy Honeypot Project Lead, released his first Threat Report! This is wicked cool stuff.

That’s all for today…I’m busy 🙂

Suggested Blog Reading – Tuesday May 8th, 2007

Only Tuesday and it feels like it should be Wednesday or Thursday (not sure why…it just does). I’m hoping to get back to setting up my home security lab this week and next but we’ll see how the weather is (nice == outside stuff, rain == inside stuff).

Here’s the list for today:

Dueling updates – is Apple quicker? – Only time will truly tell.

So, is Apple just inherently faster at patching security vulnerabilities? Did Apple rush out a fix faster than normal because of the media exposure about this particular vulnerability? Or maybe Microsoft is either just slower at the process or too busy with their own backlog of security patches – or both? Not many would argue against claims that Microsoft Windows has many more vulnerabilities found compared to Mac OS X.

Review – InfoSec Institute Advanced Ethical Hacking: Expert Penetration Testing – Good to see other people review training and courses.

I just returned from attending InfoSec Institute’s AEH course. Given the relevance of penetration testing to PCI, I thought that it would be worthwhile to post a review for anyone who’s considering attending.

France Fines Tyco Healthcare: U.S. Companies, You MUST Know and Follow International Data Protection Laws – I like this idea and I hope it catches on in North America.

In April the French Data Protection Authority (CNIL) reported they had issued a $40,972 fine against a subsidiary of U.S.-based Tyco Healthcare in March for inadequate storage safeguards and cross-border transfer of employee personally identifiable information (PII).

TSA: We’re not saying our hard drive is gone but… – My dog ate my hard drive.

On May 3, the TSA discovered the drive was missing from a controlled area at the Headquarters Office of Human Capital. The agency immediately reported the incident to law enforcement officials, the Department of Homeland Security and launched into an investigation.

Did it fall behind the desk? No.

Did Jim take it home to transfer his Phil Collins music collection to his desktop? No.

Maybe check behind the desk again?

The investigation hit a brick wall. By Friday night, it was time to fess up with a statement. The TSA doesn’t know whether the device is still within headquarters or was stolen. It has found no evidence an unauthorized individual is using the personal information.

Web Application Security Professionals Survey (May 2007) – Please take a minute to go through the survey when you get a chance.

Several people have asked where the surveys have gone to in the past several months. The answer is that I’ve been amazingly busy the last couple of months and simply haven’t had the time. The survey helps us learn more about the web application security industry and the community participants. We attempt to expose various aspects of web application security we previously didn’t know, understand, or fully appreciate. From time to time I’ll repeat some questions to develop trends. And as always, the more people who submit data, the more representative the results will be. Please feel free to forward this email along to anyone that might not have seen it.

Glitch attacks revealed – “First in a series of articles on attacking hardware and software by inducing faults”

One of the common assumptions software authors make is that the underlying hardware works reliably. Very few operating systems add their own parity bits or CRC to memory accesses. Even fewer applications check the results of a computation. Yet when it comes to cryptography and software protection, the attacker controls the platform in some manner and thus faulty operation has to be considered.

Fault induction is often used to test hardware during production or simulation runs. It was probably first observed when mildly radioactive material that is a natural part of chip packaging led to random memory bit flips.
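To make the point above concrete, here is a small added example (mine, not code from the linked series or from this digest) of why a single skipped branch matters and what "checking the result of a computation" buys you. The glitch itself is simulated: a constructed fault model inverts the verdict of one chosen comparison, standing in for a CPU that skipped a conditional branch. The PIN values, the `AUTH_OK`/`AUTH_FAIL` constants and the `set_glitch` hook are all assumptions for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed, constructed fault model (not a real hardware glitch): every guarded
 * comparison increments cmp_counter, and the comparison whose index equals
 * glitch_at has its verdict inverted, as if a glitch had made the CPU skip the
 * conditional branch. -1 means no fault is injected. */
static int glitch_at = -1;
static int cmp_counter = 0;

/* Arm (or disarm with -1) a single injected fault and reset the counter. */
void set_glitch(int n) {
    glitch_at = n;
    cmp_counter = 0;
}

/* Constant-time equality check on n bytes, with the fault model applied. */
static int guarded_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    int equal = (diff == 0);
    if (cmp_counter++ == glitch_at) {
        equal = !equal;              /* the injected fault flips the verdict */
    }
    return equal;
}

/* Constructed sample secret and attempts; on a real device the expected value
 * would live in protected storage. */
static const uint8_t kStoredPin[4] = {0x31, 0x33, 0x33, 0x37};
static const uint8_t kGoodPin[4]   = {0x31, 0x33, 0x33, 0x37};
static const uint8_t kBadPin[4]    = {0x30, 0x30, 0x30, 0x30};

/* Naive check: one comparison decides authentication and the result is a
 * plain boolean. A single skipped branch turns "denied" into "granted". */
int naive_check(const uint8_t pin[4]) {
    return guarded_equal(pin, kStoredPin, 4) ? 1 : 0;
}

/* Hardened check: the comparison runs twice and both verdicts must agree;
 * success is a wide constant rather than 1, so one corrupted bit or register
 * cannot produce it by accident. Any inconsistency is treated as an attack
 * and fails closed. */
#define AUTH_OK   0xA5A5
#define AUTH_FAIL 0x5A5A

int hardened_check(const uint8_t pin[4]) {
    volatile int first  = guarded_equal(pin, kStoredPin, 4);
    volatile int second = guarded_equal(pin, kStoredPin, 4);
    if (first != second) {
        return AUTH_FAIL;            /* verdicts disagree: fault detected */
    }
    return (first == 1 && second == 1) ? AUTH_OK : AUTH_FAIL;
}

int main(void) {
    set_glitch(-1);
    printf("no fault:  naive(bad)=%d hardened(bad)=0x%04X\n",
           naive_check(kBadPin), hardened_check(kBadPin));
    set_glitch(0);
    printf("glitch #0: naive(bad)=%d  (wrong PIN accepted)\n", naive_check(kBadPin));
    set_glitch(0);
    printf("glitch #0: hardened(bad)=0x%04X\n", hardened_check(kBadPin));
    set_glitch(1);
    printf("glitch #1: hardened(bad)=0x%04X\n", hardened_check(kBadPin));
    return 0;
}
```

This models exactly one fault per run; an attacker who can land two precisely timed glitches defeats a doubled comparison, which is why real designs also add random delays, use diverse encodings for the two checks, and verify computed results (recomputing or checking a signature before releasing it). The `volatile` keeps the compiler from folding the two comparisons into one.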

ESI Searches: Getting to the Drive – Good overview on how the legal system leverages hard drives for forensic purposes.

Traditionally, we’ve relied on producing parties to, well, produce. Requesting parties weren’t entitled to rifle file cabinets or search briefcases. When evidence meant paper documents, relying on the other side’s diligence and good faith made sense. Anyone could read paper records, and when paper was “deleted,” it was gone.

Speaking At Technology Awareness Sessions (TAS) 2006-2007 Next Generation Networks

On May 28th, 2007 at 10am – 11am EST I will be presenting a session on Network Security Protection at the Technology Awareness Sessions (TAS) 2006-2007: Next Generation Networks conference. The presentation will discuss the detection of emerging network security threats and how to leverage Network Security Management products, such as Q1 Labs QRadar, to comply with Management of Information Technology Security (MITS) and other requirements.

For registration please contact:
Innovatec Demo Center – 0B1
Place du Portage, Phase III
NCR.Innovatec@pwgsc.gc.ca
(819) 956-0013
Information Technology Services Branch
PWGSC

For program and speaker information please contact:
Andrew Robinson
TAS Program Organiser,
Information Systems Architects
andrewro@allstream.net
(613) 237-4151
