Month: June 2007

Suggested Blog Reading – Thursday June 21st, 2007

There will be no Suggested Blog Reading post today as I have injured my back. Typing this post is hard enough 😐

Suggested Blog Reading – Wednesday June 20th, 2007

In talks to write a book….stay tuned for more info 🙂

Here’s the list:

A Taxonomy of Information Systems Audits, Assessments and Reviews – from the SANS Information Security Reading Room

Security Implications of the Virtualized Data Center – from the SANS Information Security Reading Room

UserAssist Q&A – Didier answers questions from his recent talk on his UserAssist tool.

I was a speaker at the local ISSA chapter last Monday. My talk explained how to use my UserAssist tool for forensic analysis. The audience had great questions for me at the Q&A, some of which I want to share here.

Fake NetBIOS Tool – Simulate Windows Hosts – Another tool to add to the collection.

FakeNetbiosDGM sends NetBIOS Datagram service packets on port UDP 138 to simulate Windows host broadcasts. It periodically sends NetBIOS announcements over the network to simulate Windows computers. It fools the Computer Browser services running over the LAN and so on.

FakeNetbiosNS is a NetBIOS Name Service daemon, listening on port UDP 137. It responds to NetBIOS Name requests like real Windows computers: for example ‘ping -a’, ‘nbtstat -A’ and ‘nbtstat -a’, etc.

The iPhone, our new security nightmare – I don’t see this being any more of a nightmare than an iPod or PDA. Its use must be regulated as with any outside electronic device in your organization.

The dawn is near; the iPhone blitz lays prepared to turn your security team into zombies. On June 29th, your helpdesk systems will be inundated with whines to “make my new flashy iPhone work with my work PC”. No amount of beer, ThinkGeek gadgets or favors will get me or my team to kowtow.

DHS to Answer for Hundreds of Cyber Break-Ins – Looks like someone was looking for a patsy and they found one in Scott Charbo.

DHS CIO Scott Charbo is scheduled to appear tomorrow before a House Homeland Security subcommittee hearing entitled “Hacking the Homeland.” The panel follows a hearing in April in which Commerce and State department officials recounted how hackers broke into and gained control over a number of systems in a series of targeted attacks. Since that testimony, committee leaders demanded answers to dozens of questions about DHS’s compliance on cyber-security standards, and whether it, too, had suffered similar break-ins.

MySQL Database Tuning Tips – Not specific to security but important nonetheless.

I came across a great article on MySQL performance tuning. It’s got a few very practical tips for examining the database settings and tweaking them to achieve the best performance.

“What’s this got to do with security”, you ask? As you know, Sguil stores all of its alert and network session data in a MySQL backend. If you monitor a bunch of gigabit links for any amount of time, you’re going to amass a lot of data.

I try to keep a few months of session data online at any given time, and my database queries have always been kinda slow. I learned to live with it, but after reading this article, I decided to check a few things and see if I could improve my performance, even a little.

Using Access Control Lists and authentication in Squid (Part II) – Part 2 in the series.

Now that everyone has mastered the basics of Squid, we are ready to have a little more fun. In case you missed it, we published Part I of this series recently. Access Control Lists (ACLs) allow Squid to do many interesting things in addition to just providing a caching proxy server. A properly configured set of ACLs can do things like:

  • restrict access to websites by IP address,
  • limit or block websites by name, such as www.badsite4kids.com,
  • restrict web access by time and day, or
  • match regular expressions, such as .exe files or “porn” in URL names.

You can additionally add custom html error messages that let your users or children know why they have been blocked from the web.

I neglected to mention the cost for these services, as many commercial software programs provide these features too. It is free, you just need to configure it yourself. How’s that for some motivation to learn a little more advanced Squid?
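As an added example (not from the original article or from the Squid project), the squid.conf fragment below implements the four kinds of ACL listed in the excerpt. The network range, the blocked domain, the schedule and the error-page name are assumed values chosen for illustration:

```conf
# squid.conf fragment (added example). Values are made up for illustration.

# 1. Restrict access by client IP address: only this LAN may use the proxy
acl lan src 192.168.1.0/24

# 2. Block a site by name; the leading dot also matches its subdomains
acl badsites dstdomain .badsite4kids.example

# 3. Restrict by time and day: Monday-Friday, 09:00-17:00
#    (day codes: S=Sun M=Mon T=Tue W=Wed H=Thu F=Fri A=Sat)
acl workhours time MTWHF 09:00-17:00

# 4. Regular-expression matches: .exe downloads and "porn" anywhere in the URL
#    (-i makes the match case-insensitive)
acl exe_files urlpath_regex -i \.exe$
acl porn_urls url_regex -i porn

# Squid 3 predefines "all"; Squid 2 spelled it: acl all src 0.0.0.0/0.0.0.0
acl all src all

# Custom error page for blocked sites: ERR_BLOCKED_SITE must exist as a
# template file in Squid's errors directory (assumed name)
deny_info ERR_BLOCKED_SITE badsites

# http_access lines are evaluated top to bottom; the first match wins,
# so the deny rules come before the allow and a final deny catches the rest
http_access deny badsites
http_access deny exe_files
http_access deny porn_urls
http_access allow lan workhours
http_access deny all
```

Order matters: a request from the LAN during working hours to a non-blocked site falls through the three deny rules and is allowed; the same request outside working hours reaches the final deny. After editing, reload the configuration with `squid -k reconfigure` and check cache.log for parse errors before trusting the new rules.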

Suggested Blog Reading – Tuesday June 19th, 2007

One round of golf and my back is shot. This getting old thing really sucks.

Here’s the list:

Mpack attack infects PCs on massive scale – I’m sure you’ve seen this all over the internet but why should I be the only one not mentioning the Mpack attack?

A malware distribution and attack kit sold commercially through underground channels on the Internet has compromised hundreds of thousands of systems in the past six months, including an epidemic of infections that hit Italian Web servers this past weekend, according to security and antivirus firms.

Known as Mpack, the kit consists of commercial-grade software components written in the PHP Web programming language and apparently sold by a group of Russian programmers. The software, which comes with a year of support, was first mentioned in an analysis penned by antivirus firm Panda Software. In mid-May, Panda stated that the software had compromised at least 160,000 computers.

How to get the most out of a SIM – OooOoOoOoo…I can’t wait until Bejtlich gets a hold of this article 🙂

However, a SIM can bring tremendous value by providing total visibility into your security posture, and by leveraging security products you already have. Regulatory compliance has been a top driver for SIM purchases, but there are a number of less obvious advantages that should be considered when selecting a product. The key to realizing the full value of a SIM is to understand all of its advantages and leveraging the product in a way that brings maximum benefit.

AfterGlow Example – Visualizing IP Tables Logs – I love this idea of visualizing logs.

I am sitting in Seville, at the First conference, where I will be teaching a workshop on Wednesday. The topic is going to be insider threat visualization. While sitting in some of the sessions here, I was playing with my iptables logs.

Phishers and Malware authors beware! – Interesting release. I’ll leave it up to the developers of the world to comment on its usefulness.

OK, so it might be a little early to declare victory, but we’re excited about the Safe Browsing API we launched today. It provides a simple mechanism for downloading Google’s lists of suspected phishing and malware URLs, so now any developer can access the blacklists used in products such as Firefox and Google Desktop.

The API is still experimental, but we hope it will be useful to ISPs, web-hosting companies, and anyone building a site or an application that publishes or transmits user-generated links. Sign up for a key and let us know how we can make the API better. We fully expect to iterate on the design and improve the data behind the API, and we’ll be paying close attention to your feedback as we do that. We look forward to hearing your thoughts.

CA Mainframe Security Blacked Out Globally – “Sources say that the problem was so secret that they didn’t know how to fix it” 😛

Computer Associates’ Top Secret security product for the mainframe blacked out worldwide on June 16, staying dark for 19 hours and bringing down financial institutions such as banks and insurance systems.

CA said in a statement that the bug affected approximately 50 customers worldwide and did not introduce any security issues. “It prevented a subset of CICS users from signing on during a 19-hour period (from 6/16 to 6/17) because of an internal memory representation of the time/date value, which caused the host to deny the sign-on request,” according to the statement.

An Incident Handling Process for Small and Medium Businesses – From the SANS Information Security Reading Room

HP Acquires SPI Dynamics – Interesting move by HP. I wonder if they plan on extending the SPI offerings in their product lines?

Early this morning, so early that the cat was still snug beside me in bed on the west coast, HP announced its acquisition of security assessment firm SPI Dynamics, headquartered in Atlanta, GA.

HP already integrates SPI security technology into its software, and the acquisition is expected to add more quality management capabilities to HP’s software portfolio and strategy.
