Month: June 2007

Suggested Blog Reading – Tuesday June 26th, 2007

It appears that someone has already added me to his group of “Anti-Microsoft Fanboys” based on my earlier post. Let’s get one thing straight. I am not, and have never been, anti-Microsoft. Anyone who claims that Microsoft is evil and bad is an uninformed moron. The computing industry would not be where it is today if it wasn’t for Microsoft. They changed the way we think about personal computers and server deployments. That’s my rant for the day.

Here’s the list:

Nessus 3.0.6 Available – Good to see the users and watchers of these tools driving change.

Tenable Network Security has released version 3.0.6 of the Nessus Vulnerability Scanner which fixes a variety of performance issues and bugs.

Israeli researchers map the whole Internet. Boy are they tired. – You should have seen the size of the paper they used!

Israeli researchers have created a topographical map of the Internet by enlisting more than 5,600 volunteers across 97 countries who agreed to download a program that tracks how Internet nodes interact with each other.

IT Security Warfare, part deux – This is the first time I’ve seen Carl von Clausewitz mentioned in our industry. When asked on the Security Catalyst Community what is the one security book I could not live without I didn’t even have to think about it: On War – Carl von Clausewitz. This is a must have book for anyone involved in any aspect of security.

Culminating Point Of The Offensive

One of his areas of interest was the inherent superior strength of defense versus offense. For example, he was impressed with the strength of entrenchments and fixed fortifications. Both represent established, fortified points of contact with the enemy and can be compared to firewalls, HIPS, VLAN ACLs, etc. Typically in battle there are stages of trenches to fall back to if the threat of being over-run becomes real. In network security we do the same; firewalls are the outermost point of contact, then we fall back to the IPS, then the VLAN ACLs and so on.

Article on DDoS Tarpitting – I like the idea and plan to implement this for security research purposes.

I just wrote up an article about using tarpits to fight off HTTP-based DDoS attacks. Since I myself have been a victim of DDoS, I thought I’d throw out an idea to help those who might find themselves at the mercy of some anonymous attacker.
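To make the tarpit idea concrete, here is a small added example of my own (not the linked article’s code) of an HTTP tarpit: a client that exceeds a per-address request rate gets a response whose headers promise a large body, and the body then arrives one byte at a time with long pauses, so the attacker’s connection stays tied up instead of hammering the real server. The thresholds, the listening port and the request-rate heuristic are assumptions for the demo.

```python
import socket
import threading
import time
from collections import defaultdict, deque

# Hypothetical tuning values, not taken from the linked article.
WINDOW_SECONDS = 10.0          # sliding window for per-client request counting
MAX_REQUESTS_PER_WINDOW = 20   # above this, the client gets the tarpit
DRIP_DELAY = 5.0               # seconds between bytes sent to a tarpitted client
TARPIT_BODY_LEN = 10_000_000   # advertised Content-Length the client will wait for


class RateTracker:
    """Sliding-window request counter keyed by client address."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_REQUESTS_PER_WINDOW):
        self.window = window
        self.limit = limit
        self._hits = defaultdict(deque)
        self._lock = threading.Lock()

    def record(self, addr, now=None):
        """Record one request from addr; return True when addr exceeds the limit."""
        now = time.monotonic() if now is None else now
        with self._lock:
            q = self._hits[addr]
            q.append(now)
            while q and now - q[0] > self.window:   # drop hits outside the window
                q.popleft()
            return len(q) > self.limit


def tarpit_response(body_len=TARPIT_BODY_LEN, delay=DRIP_DELAY):
    """Yield (chunk, seconds_to_sleep_before_sending) for a response that never completes.

    The headers promise a large body; each byte then arrives after a long pause,
    so a client that waits for the full body holds its connection open for hours.
    """
    yield (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
           b"Content-Length: %d\r\nConnection: keep-alive\r\n\r\n" % body_len), 0.0
    for _ in range(body_len):
        yield b" ", delay


def handle_client(conn, addr, tracker):
    """Serve one connection: normal response for well-behaved clients, tarpit for the rest."""
    try:
        conn.settimeout(10)
        request = conn.recv(4096)   # request line/headers; not parsed in this demo
        if not request:
            return
        if tracker.record(addr[0]):
            for chunk, pause in tarpit_response():
                time.sleep(pause)
                conn.sendall(chunk)
        else:
            body = b"<html><body>ok</body></html>"
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                         b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(body) + body)
    except OSError:
        pass   # client gave up or reset; the tarpit did its job
    finally:
        conn.close()


def serve(host="127.0.0.1", port=8080):
    """Threaded listener; hypothetical port, one thread per connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(128)
        tracker = RateTracker()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle_client, args=(conn, addr, tracker),
                             daemon=True).start()


if __name__ == "__main__":
    serve()
```

Two caveats worth keeping in mind before putting something like this in front of real traffic: every connection the tarpit holds open costs you a file descriptor too, so a production version wants non-blocking I/O and a hard cap on held connections rather than a thread per client; and a per-source-address rate heuristic will also catch legitimate users behind a busy NAT gateway.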

ExtractScripts – Another tool to check out.

ExtractScripts is another one of my little tools I use to analyze malware. Extractscripts.py takes an HTML file as argument and generates a separate file for each script in the input file. I use it to extract (potentially) malicious scripts from a webpage and execute them with my patched spidermonkey.
ExtractScripts is written in Python to be portable across multiple platforms.
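For readers who want to see what a tool like that does under the hood, here is an added example of my own (not Didier’s extractscripts.py) that walks an HTML file with the standard-library parser, collects the body of every inline <script> element plus any src= references, and writes each inline script to its own numbered file ready to be fed to a JavaScript interpreter. The sample page embedded below is constructed for the demo and the output file naming is my own choice.

```python
import os
import sys
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect the text of every inline <script> and the src of every external one."""

    def __init__(self):
        super().__init__()
        self.inline = []      # script bodies, verbatim (parser treats script content as CDATA)
        self.external = []    # src= values of scripts loaded from elsewhere
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            self._in_script = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            text = "".join(self._buf)
            if text.strip():              # skip empty bodies such as <script src=...></script>
                self.inline.append(text)

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def extract_scripts(html_text):
    """Return (inline_scripts, external_srcs) found in html_text."""
    collector = ScriptCollector()
    collector.feed(html_text)
    collector.close()
    return collector.inline, collector.external


def write_scripts(html_text, outdir, prefix="script"):
    """Write each inline script to outdir/<prefix>_NN.js; return the paths written."""
    inline, _ = extract_scripts(html_text)
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for n, body in enumerate(inline, 1):
        path = os.path.join(outdir, "%s_%02d.js" % (prefix, n))
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        paths.append(path)
    return paths


# Constructed sample page in the style of an injected-iframe infection (not a real site).
SAMPLE_HTML = """<html><head>
<script src="http://loader.example.invalid/a.js"></script>
<script type="text/javascript">var x = unescape("%75%72%6c");</script>
</head><body><p>hello</p>
<SCRIPT>document.write('<iframe src="http://bad.example.invalid/" width=0 height=0></iframe>');</SCRIPT>
</body></html>"""


if __name__ == "__main__":
    # usage: extract_scripts_demo.py page.html outdir   (falls back to the sample page)
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            page = fh.read()
        outdir = sys.argv[2]
    else:
        page, outdir = SAMPLE_HTML, "extracted"
    for p in write_scripts(page, outdir):
        print("wrote", p)
    for src in extract_scripts(page)[1]:
        print("external script:", src)
```

Because the parser treats script content as raw character data, a `<iframe ...>` written by document.write inside a script is captured as script text rather than parsed as markup, which is exactly what you want when the point is to hand the script to an interpreter and watch what it builds.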

Blocking Bots By HTAccess – Not a bad idea either.

While doing a little research into some random stuff for a client I ran into a bot that was spidering in a bad way. Within a few search results pages I found my way to a blog entry by BrontoBytes talking about blocking spiders by HTAccess. This is a pretty interesting pro-active approach to stopping request level attacks, and something used commonly by mod_security, for instance. You can check out the blog entry which shows how to set up an .htaccess file to block some modern robots.

Worst Jobs in Science 2007 – Microsoft Security Grunt

Popular Science had an interesting article about The Worst Jobs in Science 2007, their annual bottom-10 list, in which they salute the men and women who do what no salary can adequately reward. Number 6 on the list was Microsoft Security Grunt. From the article:

The people manning secure@microsoft.com receive approximately 100,000 dings a year, each one a message that something in the Microsoft empire may have gone terribly wrong. Teams of Microsoft Security Response Center employees toil 365 days a year to fix the kinks in Windows, Internet Explorer, Office and all the behemoth’s other products. It’s tedious work. Each product can have multiple versions in multiple languages, and each needs its own repairs (by one estimate, Explorer alone has 300 different configurations). Plus, to most hackers, crippling Microsoft is the geek equivalent of taking down the Death Star, so the assault is relentless.

I do not envy the techs who suffer day after day in this role but I can’t help but think that I’d rather be doing this job than the one in the Number 10 spot: Whale-Feces Researcher:

“Brown stain ahoy!” is not the cry most mariners long to hear, but for Rosalind Rolland, a senior researcher at the New England Aquarium in Boston, it’s a siren song. Rolland, along with a few lucky research assistants, combs Nova Scotia’s Bay of Fundy looking for endangered North Atlantic right whales. Actually, she’s not really looking for the whales—just their poo. “It surprised even me how much you can learn about a whale through its feces,” says Rolland, who recently published the most complete study of right whales ever conducted.

Suggested Blog Reading – Monday June 25th, 2007

It’s a miracle…I can walk again! OK maybe not a “miracle” but I do feel quite a bit better.

Here’s the list:

Google Talk over SSH – Wow, good idea. I can’t believe I haven’t done this yet. Not exactly a big deal but a good thing to consider doing.

In this hack, we will show you how to tunnel Google Talk instant messaging client over SSH. We will create a secure communication tunnel from our computer, over an insecure network to a trusted remote server. This hack is for both Mac OS X and Windows users.

Crop circles appear in the photocopier room… does your Incident Response Team ever hear about it? – Good article on something most of us overlook.

Occasionally, things like the head engineer’s CV or a financial proposal on an acquisition may show up in that pile, and who wouldn’t be a little curious to find out some interesting tid-bits? The CV on the printer is not uncommon in any business, and it’s the employee’s personal agenda that is at risk. However, financial proposals or other sensitive information will eventually show up.

If this happens regularly (and you may only hear about it through the grapevine, if you don’t have an Incident Response program), you probably have bigger problems with IT Security throughout the organization that need attention. If this kind of thing is as rare as finding crop circles, that doesn’t mean you’re in great shape. In fact, the less often you have potential incidents, the more important it is that people know what to do when one does happen.

Firewalls Gain Strength as Main Line of Network Defense – So firewalls aren’t dead after all. If you know me you know that I’m a big fan of firewalls. It’s good to see that I’m not alone in the world 😛

“The firewall is the piece of network security infrastructure with all the traffic … every frame going in and out of the network. It is absolutely the perfect place to provide visibility and control into these [Web] applications,” said Dave Stevens, CEO of Palo Alto Networks, based in Alviso, Calif.

How to Kick Ass in Information Security — Hoff’s Spiritually-Enlightened Top Ten Guide to Health, Wealth and Happiness – What a great article. Hoff tells it like it is without pulling any punches. Read it….read it now! 🙂

I thought that I’d summarize what I’ve heard and articulate it with my top ten things that anyone who is responsible for architecting, deploying, managing and supporting an information security program should think about as they go about their jobs. This isn’t meant to compete with Rothman’s Pragmatic CSO book, but if you want to send me, say, half the money you would have sent him, I’m cool with that.

CIS Certification for Nessus Red Hat audits – Congrats to Ron Gula and his team on obtaining this certification.

Tenable was recently awarded certification to perform Center For Internet Security (CIS) audits of Red Hat systems with the Nessus 3 scanner and Security Center. This blog entry discusses what the audit files look for, how customers should obtain the audit files and how this impacts PCI audits.

Usable Security – Unfortunately “usability” is often an afterthought for most products and services.

Lately I have been hearing a lot about “usable security.” As its name implies, usable security deals with making sure that security products and processes are usable by those who need them (in this case almost everyone with a computer). ISO 9241-11 defines usability as the, “extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use.” Many would argue that if only security were more usable, then users would not (or at least not as much) fall for phishing scams, become infected with malware, or have their machines turned into zombies. Of course, even the very well protected still fall victim to hackers, fraudsters, and the like but the argument is that if good security practices and products were easy to use and understand, then the volume of Internet fraud, botnets, malware, etc. would be significantly less. If you believe that achieving a goal of usable security would be a huge step in the right direction then keep reading; as computer/network security becomes more of an integral business requirement than an “add-on” technology, the need for usable security also arises.

MPack – The Movie – “Come with me if you want to live!”

In the past few days, much has been written about MPack and the mass hacking of legitimate web sites by inserting hidden iframes. These iframes had the purpose of redirecting web surfers to malicious sites, which served exploits and eventually infected the computer of the unsuspected visitors.

We have created a little movie to help you understand the whole process. So without further ado, Symantec Security Response presents… MPack, The Movie.

Exploring Protocols – Part 1 – I have never read an article this detailed on iSCSI before. I’m quite impressed.

This will be the first of at least 2 blog posts. I’m going to start by discussing building blocks and see where that takes us. In the early phases of talking about this process, I’m not making a distinction between whether a protocol is “unknown” because of lack of documentation or because it’s simply “unknown to you/me” because we’re unfamiliar with it. Of course an undocumented protocol is going to be trickier to reverse. If there’s a point to these initial posts, it’s that working with documented protocols helps us understand the undocumented ones.

To illustrate some basic protocol dissection ideas, I’m going to talk about iSCSI. I mostly picked iSCSI since I happen to be working with it at the moment and it makes a pretty good case study.

How security assessments are like going to the dentist – I read through the entire article, half-expecting to see a comment about waking up with your shirt no longer tucked in and belt undone. Perhaps I’ve seen one too many episodes of Seinfeld.

Due to my bad judgement, I have not been to the dentist in quite a while (I won’t say how long it has been), and I am dreading going back (I have an appointment today). As I was pondering the pain that will be my payment for poor decision-making, I started thinking how going to the dentist is a lot like getting a security assessment performed.
