Month: August 2007

Suggested Blog Reading – Thursday August 16th, 2007

What a crazy, crazy, crazy week.

Here is the list:

XORSearch V1.2.0: XOR & ROL – I look forward to Didier’s upcoming post with further details.

Last week I analyzed a piece of malware that had each byte of its strings ROL 1 (ROtate Left) encoded. I’ll give more details about this trick in an upcoming post.

It prompted me to update my XORSearch tool to deal with ROL encoding. Feeling lazy, I only coded ROL support, not ROR. 😉 Or did I, what do you think?
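To make the ROL trick concrete, here is a small brute-force search in the spirit of XORSearch, written for this post as an illustration and not Didier's code. It tries every single-byte XOR key and every rotation count against a blob and reports where a known plaintext appears. The blob is constructed for the example (a ROL 1 copy and an XOR 0x4A copy of a made-up URL surrounded by filler), and the search only rotates left, which is enough: a ROL 1 encoding is undone by ROL 7, because rotating a byte left by n is the same as rotating it right by 8 minus n.

```python
"""Added example: brute-force search for an XOR- or ROL-encoded string.
Modelled on the idea behind XORSearch; not the tool's own code."""

def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n positions."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF

def ror8(b: int, n: int) -> int:
    """Rotate right: ROR n is exactly ROL (8 - n), so one direction covers both."""
    return rol8(b, (8 - n) % 8)

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def rol_bytes(data: bytes, n: int) -> bytes:
    return bytes(rol8(b, n) for b in data)

def search(blob: bytes, needle: bytes):
    """Return (method, key, offset) for every decoding under which needle appears.
    Only ROL is tried; a ROL-1 encoded string shows up at rotation 7."""
    hits = []
    for key in range(256):
        off = xor_bytes(blob, key).find(needle)
        if off != -1:
            hits.append(("xor", key, off))
    for n in range(1, 8):
        off = rol_bytes(blob, n).find(needle)
        if off != -1:
            hits.append(("rol", n, off))
    return hits

# Constructed sample: a made-up URL (not a real indicator), stored once ROL 1
# encoded and once XOR 0x4A encoded, with zero-byte filler between them.
PLAIN = b"http://example.invalid/update.php"
BLOB = b"\x00" * 8 + rol_bytes(PLAIN, 1) + b"\x00" * 4 + xor_bytes(PLAIN, 0x4A)

if __name__ == "__main__":
    for method, key, off in search(BLOB, b"http://"):
        print(f"{method} key={key:#04x} offset={off}")
```

Running it reports the XOR copy under key 0x4A and the ROL 1 copy under rotation 7, which is the answer to the "or did I?" above: a ROL-only tool already handles ROR.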

Is That a Hole in Your Kernel or Are You Just Pleased to See Me? – Interesting article. Pull that cert 🙂

Anyway, before these came another example, though I’ve only just got around to blogging about it. Why is it a good example? Well, it was in a common open-source driver which is signed by a third party and used pretty widely by the technical community. The driver is WinPcap, the packet-sniffing driver used by tools such as Wireshark. The vulnerability is a bug that allowed arbitrary kernel memory to be written to.

An Evening With a Friend – I promised Ron I’d include this in my SBR today. It’s quite a good story (Shimmy agrees) and would serve as a good article to use when speaking to a small business about security (for all you consultants out there).

Several weeks ago, a good friend of my family who is a lawyer for an application hosting company and I were speaking about network security and I brought up Nessus. “Can you scan one of our hosted sites?” he asked. A short while later, especially after asking the right sort of legal questions, we were looking at the results of a non-credentialed Nessus scan for a high traffic web site.

Preventing XSS Using Data Binding – Cool demo.

Stefano Di Paola sent me an interesting email the other day. Honestly, it took me a good hour of playing with it before I finally wrapped my brain around what was going on. Using data binding he can make JavaScript attach user content to the page while validating that it does not contain active content. That is, styles are okay, but JavaScript is not. Very interesting. Here’s the demo (warning, not for the technically faint of heart).

Detecting and Preventing Rogue Devices on the Network from the SANS Information Security Reading Room

U.S. Dept. of Homeland Security Makes 14 Privacy Impact Assessments Available – “Helping corporate America receive an F on their audit since 2007”

I am a huge proponent of privacy impact assessments (PIAs); basically risk assessments for privacy. PIAs can reveal gaps in privacy practices, along with the information security practices used to protect privacy. They are important and effective exercises for all organizations that handle personally identifiable information (PII).

rtpBreak – RTP Analysis & Hacking Tool – Another tool for your belt.

rtpBreak detects, reconstructs and analyzes any RTP [rfc1889] session through heuristics over the UDP network traffic. It works well with SIP, H.323, SCCP and any other signaling protocol. In particular, it doesn’t require the presence of RTCP packets (voipong needs them) that aren’t always transmitted from the recent VoIP clients.
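Since the interesting part of rtpBreak is that it finds RTP without needing RTCP or the signalling, here is an added example of that kind of heuristic, written for this post and not taken from rtpBreak. It parses the fixed RTP header (RFC 1889, now RFC 3550) out of raw UDP payloads, drops anything whose version or payload type is implausible, and keeps only SSRCs that show several packets with a stable payload type and advancing sequence numbers. The traffic is constructed inline (a G.711 stream with one lost packet, two non-RTP datagrams, and a lone packet); the `make_rtp` helper exists only to build it.

```python
"""Added example: heuristic RTP stream detection over raw UDP payloads,
in the spirit of rtpBreak (no RTCP or signalling needed). Not rtpBreak's code."""
import struct
from collections import defaultdict

RTP_HEADER_LEN = 12   # V/P/X/CC, M/PT, sequence, timestamp, SSRC

def parse_rtp(payload: bytes):
    """Return header fields if the payload looks like an RTP packet, else None."""
    if len(payload) < RTP_HEADER_LEN:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:RTP_HEADER_LEN])
    if b0 >> 6 != 2:                      # RTP version is always 2
        return None
    cc = b0 & 0x0F                        # CSRC count: 4 extra bytes each
    if len(payload) < RTP_HEADER_LEN + 4 * cc:
        return None
    pt = b1 & 0x7F
    # Static types are 0-34, dynamic types 96-127. 72-76 is reserved so that
    # RTCP (packet types 200-204) never parses as RTP with the marker bit set.
    if not (0 <= pt <= 34 or 96 <= pt <= 127):
        return None
    return {"pt": pt, "marker": bool(b1 & 0x80), "seq": seq, "ts": ts, "ssrc": ssrc}

def detect_sessions(payloads, min_packets=3):
    """Group candidate packets by SSRC; keep streams with one payload type
    and enough packets, and count sequence-number gaps (loss or reordering)."""
    streams = defaultdict(list)
    for p in payloads:
        hdr = parse_rtp(p)
        if hdr:
            streams[hdr["ssrc"]].append(hdr)
    sessions = {}
    for ssrc, pkts in streams.items():
        if len(pkts) < min_packets:
            continue
        if len({h["pt"] for h in pkts}) != 1:
            continue                      # payload type flapping: not one stream
        gaps = sum(1 for a, b in zip(pkts, pkts[1:])
                   if (b["seq"] - a["seq"]) & 0xFFFF != 1)
        sessions[ssrc] = {"pt": pkts[0]["pt"], "packets": len(pkts), "seq_gaps": gaps}
    return sessions

def make_rtp(seq, ts, ssrc, pt=0, marker=False, payload=b"\xff" * 160):
    """Build a minimal RTP packet (V=2, no padding/extension/CSRCs) for the sample."""
    b1 = (0x80 if marker else 0) | pt
    return struct.pack("!BBHII", 0x80, b1, seq, ts, ssrc) + payload

# Constructed sample traffic, not a real capture: a PCMU stream missing seq 103,
# two datagrams that are not RTP, and a single dynamic-PT packet on its own.
SAMPLE = (
    [make_rtp(100 + i, 160 * i, 0xDEADBEEF) for i in (0, 1, 2, 4, 5)]
    + [b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00example", b"\x00" * 20]
    + [make_rtp(7, 0, 0x0BADCAFE, pt=96)]
)

if __name__ == "__main__":
    for ssrc, info in detect_sessions(SAMPLE).items():
        print(f"SSRC {ssrc:#010x}: PT {info['pt']}, "
              f"{info['packets']} packets, {info['seq_gaps']} gap(s)")
```

The version and payload-type checks alone still let unrelated UDP through now and then, which is why the per-SSRC consistency rules matter: a real stream keeps one payload type and a monotonically increasing sequence number, and the gap count is the same signal a VoIP analyst uses to spot loss.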

Advance your career – master the fundamentals – Great article for those starting out in security and a refresher for those who have been involved in it for some time.

I’ve been really impressed by the exploration and resulting discussion of the fundamentals taking place in the Security Catalyst Community. Join the discussion: What are your “fundamentals” for security?

My quest for the fundamentals began initially considering the superstars of sports, and watching, then studying their routines. I’ve shared the fundamentals conversations with clients, friends and colleagues – and I love listening to the stories of how this applies to sports, to things like teaching children math and science… all of the different ways we connect, consider and distill. It’s not a surprise to me that we’re collectively struggling to develop a clear list of the fundamental building blocks of information protection.

PCI Poll results – Too complex but equally easy as dirt? I don’t understand the voters.

Now I know that the numbers don’t add up but voters were allowed to select multiple answers and the percentage is based on the total number of voters.

So I guess it goes back to my original thought that the level of difficulty that PCI compliance involves depends on the shape of the network you are working with. Large or small, if it is a poorly designed network you are going to have a struggle. If it is a securely designed network then your job will be much easier. The issue isn’t understanding what is required; it’s putting the requirements into practice.

Virtual Machine Replication & Failover with VMWare Server & Debian Etch (4.0) – Something I’ve always thought about but haven’t investigated further. Good article.

This tutorial provides step-by-step instructions about how to create a highly available VMware Server environment on a Debian Etch system. With this tutorial, you will be able to create Virtual Machines that will be available on multiple systems with failover/failback capabilities.

The system is based on components of “The High Availability Linux Project”, namely “DRBD” and “Heartbeat”.
The free open-source edition of DRBD will only allow a 2-node active/passive environment, so this is not for large businesses! Also, the heartbeat/drbd setup configured in this tutorial uses 2 Ethernet NICs. I recommend that at least the NIC to be used for DRBD replication (eth1 in this tutorial) is 1Gbit or more.

WebCast On Hacking Intranets – “Webcasts….get your webcasts here…..”

If you missed our Blackhat talk the other day and wanted to hear it, Whitehat is sponsoring a webcast this Tuesday. It’s on Tuesday, August 21, 2007 at 11:00 AM PDT (2:00 PM EDT). This is going to be almost a direct repeat of our Blackhat talk, so for those of you who already made it, don’t worry if you miss it.

MPack: Getting More Dangerous – Good follow up article with more information on the latest version of MPack.

In our previous analysis we discussed ‘What is Mpack and how it works’. We had reviewed MPack version 0.84 in our previous blog. This time we will compare it with an updated version, MPack v 0.91.

Best Log Message Ever!

Error Message

%OC12ATM-3-DICK_TRACY : [chars]

and

%C10KATM-3-DICK_TRACY : [chars]

Explanation A “no valid excuse” event has occurred.

Recommended Action Copy the error message exactly as it appears on the console or in the system log, contact your Cisco technical support representative, and provide the representative with the gathered information.

You can’t make this stuff up! I actually got this from public Cisco documentation. Has anyone ever received a response from Cisco on the resolution/fix for the problem causing this error? I’d love to hear it!
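For anyone who wants to do something more useful with these than laugh at them: Cisco messages follow a fixed %FACILITY-SEVERITY-MNEMONIC: text shape, and the severity digit is what a log pipeline should key on. The snippet below is an added example written for this post (not from Cisco documentation); it pulls those three fields out of a syslog line and returns the facility and mnemonic of anything at severity 3 (errors) or worse, so a DICK_TRACY at severity 3 lands in the escalation list while the informational noise around it does not. The sample lines are constructed, including the message text after the colon, which the documentation only shows as [chars].

```python
"""Added example: parse Cisco-style %FACILITY-SEVERITY-MNEMONIC syslog lines
and pick out the ones worth escalating. Sample lines are constructed."""
import re

# Cisco IOS severity levels, 0 (most severe) to 7
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Whatever precedes the '%' (timestamp, hostname, sequence number) is ignored.
# The documentation above prints a space before the colon, so allow optional
# whitespace on both sides of it.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+)"
    r"\s*:\s*(?P<text>.*)$"
)

def parse_cisco_log(line: str):
    """Return the parsed fields, or None if the line is not a Cisco message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    sev = int(m.group("severity"))
    return {
        "facility": m.group("facility"),
        "severity": sev,
        "severity_name": SEVERITY[sev],
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text").strip(),
    }

def escalate(lines, max_severity=3):
    """(facility, mnemonic) for every line at or below max_severity, i.e. errors or worse."""
    out = []
    for line in lines:
        rec = parse_cisco_log(line)
        if rec and rec["severity"] <= max_severity:
            out.append((rec["facility"], rec["mnemonic"]))
    return out

# Constructed sample: the two messages quoted above plus ordinary chatter.
SAMPLE_LINES = [
    "Aug 16 09:12:01 atm-edge-1 1182: %OC12ATM-3-DICK_TRACY : ATM1/0/0 (constructed text)",
    "Aug 16 09:12:05 atm-edge-1 1183: %LINK-5-CHANGED: Interface ATM1/0/0, changed state to administratively down",
    "Aug 16 09:12:09 atm-edge-1 1184: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.10 started",
    "Aug 16 09:12:11 atm-edge-1 1185: %C10KATM-3-DICK_TRACY : ATM2/0/0 (constructed text)",
    "this line is not a cisco message at all",
]

if __name__ == "__main__":
    for fac, mnem in escalate(SAMPLE_LINES):
        print(f"escalate: {fac}-{mnem}")
```

Keying on the severity digit rather than on the mnemonic text is what keeps this robust: a new or oddly named mnemonic at level 3 still gets escalated, and the "no valid excuse" text never has to be pattern-matched.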

Suggested Blog Reading – Tuesday August 14th, 2007

Vacation… over 🙂

I was able to get away from the office for an entire week. No phone, internet, computers, email…it was glorious! I highly recommend it as a way to recharge your batteries if you’re feeling a little worn out.

And now back to our regularly scheduled programming:

There were a bunch of SANS Information Security Reading Room papers posted while I was away including:

Two kickass Web security papers recently published – A couple of papers for you to check out.

The first out of the Stanford security lab, Protecting Browsers from DNS Rebinding Attacks by Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, and Dan Boneh.

The second paper is from Sensepost, It’s all about the timing…, by Haroon Meer and Marco Slaviero.

So Easy even I could do it – Find it hard to wrap your head around XSS attacks in a real world environment? Thanks to Martin McKeay for pointing this podcast out and to Dan Kuykendall for setting this up.

A friend of mine, Dan Kuykendall, recorded a podcast that will walk you through your own attempt at a SQL injection attack. He’s even got a server set up for you to hack, though it’s a bit deceiving in that he’s got a lot of security built into the back end to keep you from getting too evil on the site. Take an hour or so to walk through it and see how easy it is for yourself. And you’ll be wondering why this isn’t happening more often too.

Why virtual honeypots are sweet – Good interview. I’d really like the opportunity to review the Virtual Honeypots book 😉

In an interview with Network World Senior Editor Ellen Messmer, Provos (a senior staff engineer at Google who’s credited with developing the open-source honeypot Honeyd) and Holz (founder of the German Honeynet Project and graduate student at the University of Mannheim’s Laboratory for Dependable Distributed Systems) discuss the latest in tools for building virtual honeypots.

What is Server-side Polymorphism? – Very good post on polymorphism.

server-side polymorphism is a type of polymorphism where the polymorphic engine (the transformation function responsible for producing the malware’s many forms) doesn’t reside within the malware itself…

just as conventional polymorphism was constrained to housing the polymorphic engine within the virus it’s meant to operate on (because the code doing the copying has to have access to the transformation function), server-side polymorphism requires the polymorphic engine to be part of the system (generally a website) that serves (hands out) copies of the non-replicative malware it’s used on instead of being in the malware itself…

A Parser to Transform Vista Event Log Files into Plain Text – Hey that’s kind of cool. Good work!

I am pleased to announce the release of my parser framework for Vista event log files. It mainly consists of a set of Perl modules that implement the data structures which are known to me at this time. The archive also contains two sample programs that transform the native, binary event log file into textual XML. This release accompanies my talk at the DFRWS 2007 in Pittsburgh.

A few eye bleeders were released as well:

mssql-hax0r v0.9 – Multi-purpose MS-SQL injection script – Another tool to add to your belt.

mssql-hax0r v0.9 is a Multi-purpose MS-SQL injection attack tool for advanced Microsoft SQL Server exploitation. Three modes of operation are currently available: info (Information Gathering), dump (Record Dump), and brute (Brute Force).

You may need to tweak the code a bit to make it fit your needs (i.e. modifying the injection string and/or the language used by the RDBMS).

Free PCI Compliance Book Chapter: On Logging! – Look for my review of this book sometime this week. Very good chapter.

Wow! Syngress/Elsevier has released one chapter from our “PCI Compliance” book: and it is my chapter on logs in PCI! Enjoy!
