Jul 31

Only a couple of days left until I head out on vacation. Just so everyone knows, I will not be able to post anything during my time off as I will be someplace that does not have Internet access (crazy I know!).

“But Andrew…how will you survive?”

Don’t cry for me readers…I’ll be fine :)

Here’s the list:
Preventing and Detecting Sensitive Data on P2P Networks – Interesting post.

The problem is not so straightforward. It’s a mix of company policies, perimeter and endpoint protection, data protection, and culture. Alan fails to see the problem all the way through. Sure, your NAC might prevent P2P apps from exiting the network. But what about on employees’ home networks? Many people are being issued laptops so they can work from home, on the go, etc. How is NAC going to stop P2P there? How do you stop people from installing P2P apps on their personal computers? From bringing or sending data home through email, thumb drive, cd-rw?

Chief Security Strategist @ Splunk – Looks like Raffey is heading over to Splunk. Congratulations to you Raffey. I hope everything works out well for you.

Effective immediately, I have a new employer! I am leaving ArcSight to start working for Splunk, an IT search company in San Francisco. As their Chief Security Strategist, I will be working in product management, with responsibility for all of the UI and solutions.

The work I have been doing in my past with log management and especially visualization is going to directly apply to my new job. I will be spending quite some time to help further the visual interfaces and define use-cases for log management. Exactly what I’ve been doing for the last four years already.

For the first time – 4.1.2 CAM/CAS guides in HTML – You don’t really have to read this as it’s more for my future reference :)

CAM Guide:

http://cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/412_cam_book.html

CAS Guide:

http://cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/412_cas_book.html

The Inner Structure – Good post explaining the Vista event log XML structure.

By far the largest part of an event record consists of a complex binary XML structure. I’m going to explain its internals in a series of postings. I’m starting with an overview of the XML schema.

Fortunately the XML structure is not completely undocumented. The Microsoft Developer Network provides an extensive documentation of the XML schema.

Black Hat speaker denied entry to the US – This same thing happened to a co-worker of mine. He has been performing professional services for Q1 Labs for a few years now and only recently has it come up that he couldn’t enter the U.S. from Canada without paperwork. Andrew’s trick when asked what he is doing in the United States is to answer “Training”. The follow-up is always “Giving or receiving” and my answer is always “Giving”. Another option is to simply say “meetings”.

Halvar Flake, well-known speaker on reverse engineering, was denied entry into the United States this weekend for his presentation at Black Hat 2007. Halvar had given presentations at Black Hat for the last seven years, but when he tried to gain entry to the US after a 9 1/2 hour flight, he was sent back to Germany due to a mistake he made in the visa process. The chances of him getting a visa and being allowed back into the US in time for his presentation are slim to none.

Wfuzz – A Tool for Bruteforcing/Fuzzing Web Applications – Another tool to check out.

Wfuzz is a tool designed for bruteforcing Web Applications. It can be used for finding resources not linked (directories, servlets, scripts, etc.), bruteforcing GET and POST parameters for checking different kinds of injections (SQL, XSS, LDAP, etc.), bruteforcing form parameters (User/Password), fuzzing, etc.

YACoSTO, One Year Ago – Come on people…read the post :)

One year ago, to the day, I posted YACoSTO. I explained how I reversed a program that “protects” data. This is one of my favorite posts, but it hardly gets any hits. I encourage you to read it, because this time, I focus on reversing the protected data rather than the program itself. You might learn a couple of new and simple techniques.

Zero day IPS sigs leave a trail of crumbs for hackers – Interesting idea. I would have never thought about that. Perhaps I’m just inherently good :)

It’s Black Hat and the fur is going to fly this year, it appears. Those two wild and crazy guys of Mac attack fame, Dave Maynor and Robert Graham of Errata Security, lead things off this year. According to this article in Dark Reading by Kelly Jackson Higgins, the former ISS guys are going to demonstrate how Black Hats can reverse engineer zero-day signatures like those used by Tipping Point to figure out where these perhaps unknown vulnerabilities exist and how to exploit them. Let’s be clear: Maynor and Graham say that this is not a Tipping Point only problem. But that is what they will be demonstrating. Could be a little payback from back in their ISS days.

Virtual Machine = Virtual Vulnerability? – Not good.

It seems that Ed Skoudis and team have come up with a way to really escape a VM and run an exploit on the host system. This is still “shaky” in terms of it’s not perfect and it’s not complete, but the potential consequences of this are pretty severe. VMs are used quite heavily today for many different things. One of the biggest being malware testing. The bad guys have already figured out a way to make that more difficult but this makes it even worse. A VM is used because it can be blown away and reloaded in a matter of minutes, so if it gets hosed it’s no big deal. If the bad guys can cause the VM to crash and then exploit the host machine then that puts AV research in a bit of a bind. VMs are also used by companies to save space, hardware and time. Lots of security software runs on VMs and this has the potential to put all of that at risk.

F-Secure Reverse Engineering Challenge 2007 – Damn, bad timing. I wish this was happening in a few weeks instead.

Be ready to compete in the F-Secure Reverse Engineering Challenge (http://www.khallenge.com) this Friday. I expected the challenge to start on Thursday like last year, so now I have a scheduling conflict!

It looks like the challenge is organized like last year: go to the website and download the first challenge. Start the program, and provide the correct password (this is where reversing skills come in handy). You’ll be given an e-mail address in exchange for the correct password (a wrong password yields no e-mail address).

Jul 29

I’m not sure where this heat wave came from but to give you an idea of what I’m living through:

  • Friday, July 27th – 33.7C (93F)
  • Saturday, July 28th – 31C (88F)
  • Sunday, July 29th – 33C (91F)

Yuck!

Here’s the list:
Interview with Richard Bejtlich — GE Director of Incident Response – A very good interview with Richard Bejtlich, author, blogger, and most recently GE Director of IR.

Back in May, I attended a meeting to get a feel for the company and group I would be working for this summer as an IT Security Intern. Much to my surprise, Richard Bejtlich was in attendance and as it turned out we’d be working for the same company. Anyways, Richard agreed to be interviewed on network security monitoring and his new role as Director of Incident Response.

Parsing XML on the Command Line – This is something I’ll have to check out.

I haven’t written about UNIX scripting in a while. It was yesterday in the afternoon that our QA guy came over and asked me some questions about VI. Among his problems was the “parsing of an XML” file. He wanted to extract elements from specific branches of an XML structure. I told him that VI was not XML aware. It treats XMLs just like any other text file; line by line. He was not happy with my answer and kept bugging me. Then he said: “You should write a tool called XMLgrep”. And that was it. I was pretty sure that someone had written a tool that would do exactly that.

Doctors Use of USB Storage Leads to Theft of Medical Data – Eye Bleeder – Adam, I hope these incidents upset you when you blog about them as much as they upset me when I link to them!

A thief made off with a USB thumb drive belonging to a Nottingham University Hospitals junior doctor that contained sensitive patient medical information. After reviewing the incident, it looks like using USB drives to store patient information is a common practice among Nottingham University Hospitals junior doctors. During research for the British Medical Journal, Matthew Daunt, a foundation year one doctor, recently questioned 50 junior doctors about storing patient data. Of the 20 doctors that admitted to using USB drives to store data, not one of them used encrypted USB drives, leaving patient data readable to anyone with a computer and the drive itself. Since this incident, the Nottingham University Hospitals trust plans to begin offering 128-bit encrypted USB drives to all junior doctors.

PCI Progress – It’s good to see that this standard is making headway.

Level 2 merchants, those generating 1 million to 6 million annual Visa transactions, aren’t as far along, though they have a later compliance deadline, Dec. 31. According to Perez, 33% are compliant while an additional percentage in the “high 20s” is in remediation. PCI compliance is at 52% for Level 3 merchants—those generating 20,000 to 1 million Visa e-commerce transactions annually. This group currently does not have an explicit compliance deadline.

Leak-testing update revealed another Excellent anti-leak protection – Good to know.

We have finished another leak-testing update today. It revealed two firewalls that are worthy of mention. The new version of Online Armor reached an Excellent score with only two failed tests. A Very good result was scored by the new version of ProSecurity with three failed tests.

Compliance and Information Security: Common Sense Confirmed – This is a very good article/interview that everyone should check out.

So many times I’ve heard business leaders complain that the data protection requirements within the multiple laws and regulations only hurt business; that they are not necessary and have no true impact on really protecting data…they are just bureaucratic hoops forced upon businesses to placate the politicians’ constituents by lawmakers who know nothing about the nuts and bolts of implementing information security…and that the cost of compliance only hurts the business’ bottom line.

Laptop Security: Windows Vista vs. XP – from the SANS Information Security Reading Room.

Threat hierarchy: experimental hacking – I’m looking forward to the future articles in this series.

There are five levels of threats. In the next few days I will walk through each of the levels, starting with the lowest level: experimental hacking. (I will be in Reykjavik for most of next week where I assume I will have no trouble getting online but you never know.)

Experimental hacking has been with us since the first days of computers and networks. Can you remember using gopher or Archie to “surf the net”? If you found a US Air Force server in Antarctica you tried to login regardless of what the warning page said.

Marine Information Exposed by Penn State Web Site – Another Eye Bleeder!

A Marine looking for his own name on Google came across more than he expected. Personal information on 10,554 Marines was available for a 10-11 day period on a Penn State web site. The site contained information on Marines who had rifle range requalification records while attending Marine Corps Recruit Depot Parris Island, S.C., from January 2004 through December 2006 and was collected by Penn State as part of a research program. Information collected by Penn State included names and Social Security numbers. According to Penn State officials, logs indicate that the information was only accessed once, by the individual Marine that reported the incident. The information was pulled from the site as soon as Penn State was aware of the problem.

UK University Identity Theft Lecturer Arrested For Identity Theft – Another Eye Bleeder…I think I’m a pint low. Time for a cookie and some orange juice.

University of Glamorgan identity theft lecturer Eni Oyegoke has been sentenced after pleading guilty to 13 fraud, deception and theft offences. Oyegoke began at Glamorgan as a PhD student in 2005, a position he gained using a false passport. Soon after, Oyegoke began lecturing students on the topic of identity theft, a topic he apparently was very familiar with. Authorities were first made aware of the problem when Oyegoke applied for a driver’s license using his fake passport information. During a raid on his house, authorities found credit cards Oyegoke had opened under other identities and a fake driver’s license. Oyegoke used the two credit cards to help pay for his tuition and the fake driver’s license was part of his doctoral thesis, according to his lawyer. Oyegoke faces a two year jail sentence and will be deported after serving his time.

A Bit More on Log Management vs SIEM (and Semantics) – Good rant/post/explanation by Anton on the differences between SIEM and Log Management. You can tell from the tone of the article that Anton gets very upset when you refer to Log Management as SIEM…but if you really want to see him blow his top then call the LogLogic offering a syslog server — “What’s that Anton? No I’m not calling it a syslog server…I’m on your side man…what are you doing with that knife Anton?” :)

So, if you are looking to collect, retain, review, analyze, and otherwise deal with all your logs for various uses, go for log management. If you are looking to build a SOC, you might need a SIEM (and, actually, log management, since your SOC analysts will want to see original logs pretty often).

Babel Enterprise – Cross Platform System Auditing Tool – Another tool for your belt.

Babel Enterprise has been designed to manage security on many different systems, different technologies and versions, and different issues and requirements. It is a distributed, multi-user management system that allows redundant installation of all its critical components. Each change occurring in the system can be watched and marked automatically each time a new audit policy is executed. Users can add, delete or modify existing elements to see exactly if the system works better or worse and why. Babel Enterprise uses a pragmatic approach, evaluating those aspects of the system that represent a security risk and that can be improved with the intervention of an administrator.

Building a Security Practice within a Mixed Product-R&D and Managed-Service Business from the SANS Information Security Reading Room.

Jul 29

I’ll admit it. I’ve been having a hard time keeping up with daily posts due to work, self-study, vacation, white papers, presentations, potential book deals, and lack of content on the blogosphere, which I will chalk up to it being summertime. What I’m going to do is split up my SBR posts into a 3-a-week format posting on Tuesday, Thursday, and Sunday.

I’ll continue this format until the fall and then reevaluate based on the increase in blogosphere activity. I suspect this won’t dramatically change anyone’s life but if it does please let me know :)

Jul 25

Ack! I completely forgot to release a SBR yesterday!

Here’s the list:

Offensive Security Wireless Attacks – Backtrack WiFu – A new training offering presented by Offensive Security.

“Offensive Security Wireless Attacks”, also known as “BackTrack WiFu”, is a course designed for penetration testers and security enthusiasts who need to learn to implement various active and passive Wireless (802.11 2.4 GHz) attacks. The course is based on the Wireless Attack suite – Aircrack-ng.
The course was designed by Thomas d’Otreppe and Mati Aharoni in an attempt to organise and summarise today’s relevant WiFi attacks. This course will kick-start your WiFu abilities, and get you cracking WEP and WPA using the latest tools and attacks in no time!

Cisco & VMWare – The Revolution will be…Virtualized? – I like the idea but I wonder if this might be too far ahead of its time.

This is interesting for sure and if you look at the way in which the demand for flexibility of software combined with generally-available COTS compute stacks and specific network processing where required, the notion that Cisco might partner with VMWare or a similar vendor such as SWSoft looks compelling. Of course with functionality like KVM in the Linux kernel, there’s no reason they have to buy or ally…

Certainly there are already elements of virtualization within Cisco’s routing, switching and security infrastructure, but many might argue that it requires a refresh in order to meet the requirements of their customers. It seems that their CEO does.

Attribute-Based Cross-Site Scripting – Interesting topic to check out.

A couple of weeks ago I posted sections from one of our WhiteHat customer newsletters that focused on HTTP Response Splitting. Newsletters are one way we keep customers informed of important industry trends and improvements to the Sentinel Service. Judging from the blog traffic and comments it was well received. So this time I’ll highlight Attribute-Based Cross-Site Scripting, which Arian Evans (WhiteHat’s Director of Operations) has been spending a lot of R&D time to get working properly. Enjoy.

Really Simple Reversing (RSR) – This is quite cool.

This is an example of Really Simple Reversing of a piece of malware. It’s written in the AutoIt scripting language and compiled to an EXE.

It’s not intentional, I’m sure about this, but this AutoIt tool offers some interesting features for (inexperienced) malware authors. You can compile your script to a stand-alone executable that is automatically packed with UPX. And even after unpacking it, the strings are still obfuscated.

Decompiling the script is really easy, because the AutoIt authors include a decompilation utility with the AutoIt installation package (Exe2Aut). You can find a video of the decompilation here hosted on YouTube, and you can find a hi-res version (XviD) here. The icon of the bin.exe file you see in the video is the default AutoIt icon.

BIND cache poisoning vulnerability details released – You should probably check this out if you have any BIND servers in your realm of responsibility.

Amit Klein wrote about a paper he just released with details about a BIND 9 cache poisoning issue. This is one of the problems addressed by the latest version of BIND 9.

The very brief summary: BIND prior to version 9.4.1-P1 did not use a strong algorithm to create DNS transaction IDs. As a result, one can derive the next transaction ID BIND will use by knowing the last few transaction IDs. In this case, up to 15 queries are used.

Once the attacker knows the “state” of the target’s BIND install, it is possible to forge a response. DNS uses UDP by default. Each query sent by the DNS server includes a random transaction ID. The server responding to the query will include this transaction ID so the querying DNS server knows what query is answered by this particular response. BIND always uses the same source port for its queries.
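As an added illustration (not code from the original post and not BIND’s generator), here is a small audit that checks a captured sample of a resolver’s outgoing transaction IDs and UDP source ports for the two weaknesses just described: IDs that follow from the previous ones, and a single fixed source port. The weak generator is a constructed stand-in; BIND’s actual pre-9.4.1-P1 algorithm is not reproduced.

```python
# Added example: audit DNS transaction IDs (TXIDs) and source ports for
# predictability. Not BIND's code; the weak generator is a constructed stand-in.
import math
import secrets
from collections import Counter


def weak_txid_stream(seed, n):
    """Constructed stand-in for a low-entropy TXID generator: each ID is the
    previous one plus a fixed step, truncated to 16 bits. Not BIND's algorithm;
    it only models 'the next ID follows from the last few'."""
    ids, cur = [], seed & 0xFFFF
    for _ in range(n):
        cur = (cur + 0x1337) & 0xFFFF
        ids.append(cur)
    return ids


def strong_txid_stream(n):
    """What a patched resolver should look like: 16-bit IDs from a CSPRNG."""
    return [secrets.randbelow(1 << 16) for _ in range(n)]


def random_ephemeral_ports(n):
    """Constructed sample of randomized UDP source ports in 1024..65535."""
    return [1024 + secrets.randbelow(64512) for _ in range(n)]


def audit_txids(ids, ports):
    """Return findings for a sample of (txid, source port) observations.

    Checks (cheap and deliberately limited):
      - diff_reuse_ratio: share of consecutive differences (mod 2^16) equal
        to the most common difference. A counter-style generator scores 1.0,
        a CSPRNG close to 0. This catches counters and fixed-step generators
        only, so a low score means 'not obviously broken', not 'random'.
      - distinct_ports: how many source ports the sample used. One port means
        the 16-bit ID is all that separates a forged answer from acceptance.
      - effective_bits: rough reporting metric: 16 bits for the ID unless it
        was flagged, plus log2(distinct ports).
    """
    if len(ids) < 2 or len(ids) != len(ports):
        raise ValueError("need at least two (txid, port) samples of equal length")
    diffs = Counter((b - a) & 0xFFFF for a, b in zip(ids, ids[1:]))
    _, top_count = diffs.most_common(1)[0]
    diff_reuse_ratio = top_count / (len(ids) - 1)
    distinct_ports = len(set(ports))
    predictable_ids = diff_reuse_ratio > 0.2
    id_bits = 0.0 if predictable_ids else 16.0
    return {
        "diff_reuse_ratio": diff_reuse_ratio,
        "distinct_ports": distinct_ports,
        "predictable_ids": predictable_ids,
        "fixed_port": distinct_ports == 1,
        "effective_bits": id_bits + math.log2(distinct_ports),
    }


if __name__ == "__main__":
    # Constructed samples: a weak resolver that also pins its source port,
    # versus a CSPRNG-backed one that randomizes ports above 1024.
    weak = audit_txids(weak_txid_stream(0x1234, 50), [53] * 50)
    strong = audit_txids(strong_txid_stream(200), random_ephemeral_ports(200))
    for name, r in (("weak", weak), ("strong", strong)):
        print(f"{name}: predictable_ids={r['predictable_ids']} "
              f"fixed_port={r['fixed_port']} effective_bits={r['effective_bits']:.1f}")
```

On a real resolver the (txid, port) pairs would come from a packet capture of its outbound queries; the thresholds here are illustrative, not a standard.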

Enterprise Visibility Architect – I like the concept but I’m not sure that an organization is going to create a new role that sits between the resources listed in the article and the CISO/CTO/CSO. Only time will tell.

I suggest that enterprises consider hiring or assigning a new role — Enterprise Visibility Architect. The role of the EVA is to identify visibility deficiencies in existing and future POAD and design solutions to instrument these resources.

How to Create a Security Team for $4.95, Plus Tax – Great article!

In addition to getting to break things in order to help our customers prevent assorted miscreants from doing so, one of the many hats I wear at QuietMove is the amorphous responsibility of ‘business development.’ In English, that means I identify organizations that could benefit from our services, sometimes travel to visit them, often buy them lunch, and explore ways we can help them. Though my background is technical, it’s something I’ve really grown to enjoy because I find it interesting to learn about different industries and business models and their unique security challenges.

That said, I’m often surprised by some of the organizations I visit – it’s shocking that some of the largest organizations in critical economic sectors don’t have security organizations, don’t have security programs, and don’t even have a single person for whom ‘security’ is part of their job description. In other cases, there’s a single ‘security’ person with no budget, staff, or authority. I’ve been that guy, so if that’s you, I feel your pain. I’d like to share an anecdote with you about a large company I visited last week who is in the former category – no security organization at all. If your organization has no security-focused staff, or if you’re the one guy or gal whose shoulders it all falls on, I’m also going to share a strategy for moving your organization in the right direction.

(IN)SECURE Magazine Issue 12 – The new issue of (IN)Secure Magazine is out.

Dr. Morena – Firewall Configuration Testing Tool – Another tool to add to your belt.

Dr.Morena is a tool to confirm the rule configuration of a Firewall.

The configuration of a Firewall is done by combining more than one rule. Sometimes a rule configuration may reside in a place other than the basic rule configuration place. In such a case, it is difficult to confirm whether it is an intended configuration by the system administrators. (Is an unnecessary hole open, or is a necessary hole open?).

We prepare a computer which has two network interfaces for this tool. Then, each network interface is connected to one of the network interfaces on either side of the Firewall. A packet whose source IP address and destination IP address are forged is sent to the Firewall from one network interface. The packet which passed through the Firewall is confirmed on the other network interface. The rules of the Firewall are confirmed from the packets which passed through the Firewall, and the packets which didn’t pass.

Jul 24

What a nice, relaxing weekend. Back to the grind!

Here’s the list:

Get your second degree in “ethical hacking” – Not sure how many people will give this love as the term “ethical hacking” still doesn’t impress a lot of people.

If you’re looking to groom a new CSO for your company or looking to boost your career into an executive position, there’s a new master’s degree that might work for you. Just don’t expect a football home team, warns Information Week, since all the curriculum is online.

The new program, launched by the EC-Council University, currently has 6 students and 9 faculty, and students are expected to study only half-time, while working in the security industry in some capacity.

Four Solaris Virtual Machines – Need a Solaris test-bed? Why not use these pre-configured VMWare images?

There are now four Solaris VMs available from Sun, including S10U3 and Solaris Express (aka Nevada) build 55. VMware tools are pre-installed (at least in the two I downloaded), but the VMs are still using IDE disks so they won’t work for ESX/VI users.

Newsmaker: DCT, MPack developer – Interview with the MPack guys.

In June 2006, three Russian programmers started testing a collection of PHP scripts and exploit code to automate the compromise of computers that visit malicious Web sites.

“ The project is not so profitable compared to other activities on the Internet. It’s just a business. While it makes income, we will work on it, and while we are interested in it, it will live. ”

“DCT”, one of three developers of the MPack infection kit

A year later, the MPack kit has become an increasingly popular tool, allowing data thieves and bot masters to take control of victims’ systems and steal personal information. The MPack infection kit has been blamed for hundreds of thousands of compromised computers. And, it’s malicious software with a difference: The creators have offered a year of support to those clients from the Internet underground who purchase the software for anywhere from $700 to $1,000.

You just got 0wned. Now what? – What would you do? What is the right answer for your type of incident? :)

Imagine that you are arriving at your office and you look through the window. Inside the building you can see someone burglarizing the building. What would you do?

You have a few options, you could (1) call the police; (2) you could ignore the burglary and go get a cafe’ latte double mocha espresso and hope that the burglar leaves before anyone sees him; (3) or you could open the door to the office, and shout, “Hey! Get out!”, wait for the burglar to leave.

Oracle refutes ‘SSH hacking’ slur – I think it’s great that Oracle blamed a paper by Daniel Cid, who works for me at Q1 Labs, as the root cause of their public perception as a “top attacker”. Well Daniel, I guess any press is good press ;)

An investigation by Oracle has revealed that none of its systems were involved in launching a recent brute force attack on secure servers around the net.

From the beginning of May until earlier this week, “compromised computers” at Oracle UK were listed among the ten worst offenders on the net for launching attacks on servers which run SSH (secure shell) server software, according to statistics from servers running DenyHosts software to block SSH brute-force password attacks. DenyHosts is a script for Linux system administrators designed to help thwart SSH server attacks. Around 6,800 users contribute to the data it collects.

The greatest virus of all time – This is fantastic work!

There has been a virus on the net for a long time; the damage inflicted by it is unstoppable, or at least that was thought. Check it out yourself.

Insider Threat Example: Payroll Employee Threatens To Illegally Use Other Employees’ PII If Not Given a Good Review – Good case study.

On June 27, 2007, the St. Louis Metropolitan Sewer District (MSD) fired an employee who had worked in the payroll department there for 10 years.

Why? He downloaded Social Security numbers and other personally identifiable information (PII) about 1,600 current and former MSD employees to his own personal computer, and then some of his coworkers reported to their management that he had threatened on June 20 to maliciously use the PII if his manager gave him a bad performance appraisal.

MSD contacted the FBI and the St. Louis police department right after learning of the threat; they obtained the now-ex-employee’s computer from his home and “said they are very confident that the document had not been copied or sent to another source.” The name of the ex-employee has not been released pending investigation.

piggy – Download MS-SQL Password Brute Forcing Tool – Another tool for you to play with.

Piggy is yet another tool for performing online password guessing against Microsoft SQL servers.

It supports scanning multiple servers using a dictionary file or a file with predefined accounts (username and password combinations).

CyberSpeak interview – Check out Didier’s interview.

My interview on the CyberSpeak podcast about my UserAssist tool is up. I discovered I speak English with a French accent ;-) But I’m not French, I’m Flemish!

To a new kind of sleuth, phones leave a rich trail – Good article with some solid examples of how law enforcement leverages the forensic process for cell phones.

Because of the wealth of information they hold, cell phones are now part of almost every large forensic examination or criminal or civil case. Even so, Hanson estimated that Minnesota has less than a dozen full-time computer and cell phone forensic experts.

Law enforcement officials and forensics experts said cell phones are simply the latest in a long line of new technologies to which they have adapted, from land-line phones to camcorders to pagers to computers.

But they also agree that the cell phone’s ubiquity is unrivaled.

New Trend in Attacking the Java Runtime Environment? – I thought you just let it run long enough and it would eat up so much memory that its bloated corpse would block any malware :)

Attacks targeting vulnerabilities in the Java Runtime Environment are anything but new. Several researchers have previously visited this topic and the results have been some fantastic research. However, in recent weeks the DeepSight Threat Analyst Team has been investigating several Java issues resulting from a notable increase in vulnerabilities reported affecting the Java Runtime Environment and its associated components.

The threat landscape has seen a dramatic increase in attacks targeting client-side vulnerabilities in recent years. Vulnerabilities have been exposed in a variety of applications including media players, Web browsers, ActiveX controls and mail clients, to name just a few. The ubiquitous nature of the Java Runtime Environment makes it a prime candidate for attackers. With this in mind, it is not surprising to see much of the preliminary research into exploitation of environments like the Java Virtual Machine manifest itself both in recently disclosed vulnerabilities and the consequent exploitation of these issues “in the wild.” This research has likely been (or will be) exacerbated by the fact that portions of Java are now open-source.

OSVDB Search Tips & Tricks – Good article on how to efficiently search the OSVDB database.

I should have started a series of these posts long ago. One of the more frustrating parts of most VDBs is the lack of a helpful search function. Searching for some products (SharePoint) is easy enough, as the name is distinct and not likely to find many matches. If you happen to know the script affected (logout.php), that too can make the search fast and painless. However, what if you want to list all vulnerabilities in PHP?

New hacking technique exploits common programming error – This is where code reviews come in handy as well as knowledge of security concepts.

Researchers at Watchfire Inc. say they have discovered a reliable method for exploiting a common programming error, which until now had been considered simply a quality problem and not a security vulnerability.

Jonathan Afek and Adi Sharabani of Watchfire stumbled upon the method for remotely exploiting dangling pointers by chance while they were running the company’s AppScan software against a Web server. The server crashed in the middle of the scan and after some investigation, the pair found that a dangling pointer had been the culprit. This wasn’t a surprising result, given that these coding errors are well-known for causing crashes at odd times. But after some further experimentation, Afek and Sharabani found that they could cause the crash intentionally by sending a specially crafted URL to the server and began looking for a way to run their own code on the target machine.

Dual Database Breach Exposes 5,500 UM Records – Today’s eye bleeder.

The University of Michigan is alerting current and former students about the exposure of personal information after an unknown individual(s) gained access to two School of Education databases. These databases contained the names, addresses, and some Social Security numbers of 5,500 individuals. At this point there is no evidence that the individual(s) that gained access were after personal information, but the university’s public safety department is investigating the incident. The breach was first discovered on July 3 and the university began sending out notifications on July 16. According to Kelly Cunningham, a university spokesperson, the notifications were sent out as a precaution.

Fox News, Directory Indexing, and FTP Passwords – Wow. I wonder how long it will take Bill O’Reilly to blame terrorists…or illegal aliens…or the Democrats?

A 19 year old photography student (Gordon Lowrey) found that the Fox News website had Directory Indexing enabled (now disabled). Sure it’s not a good practice (against PCI-DSS), but typically not a big deal security wise and it happens occasionally on other major websites. What made this one interesting is that the person navigated their way up the directory tree to the /admin/ folder, no password required, where inside was a curious bash shell script that’s still available.

ISP Seen Breaking Internet Protocol to Fight Zombie Computers — Updated – Can’t say that I agree with this approach.

Internet service provider Cox Communications is reportedly diverting attempts to reach certain online chat channels and redirecting them to a server that attempts to remove spyware from the computer. By doing so the company seems to be attempting to cleanse computers of malware that hijacks the computer’s resources to send spam and participate in online service attacks as part of a large network of compromised computers known as a botnet.

Specifically, Cox’s DNS server is responding to a domain name request for an Internet Relay Chat server. Instead of responding with the correct IP address for the server, Cox sends the IP address of its own IRC server (70.168.70.4). That server then sends commands to the computer that attempt to remove malware.
