Oct 29

Join Andrew Hay for the SANS@Home SEC401R review/preparation session for the GIAC Security Essentials certification exams. This six-session review course will allow GSEC candidates to prepare to pass the GSEC exam. Each session focuses on a particular book of the Security 401: SANS Security Essentials material. The class format is to review GSEC practice exam questions and answers to make sure that students understand the material covered in each book.

Covering Exam 1
Thursday, November 1st, 2007 – Book 401.1, Day 1
Thursday, November 8th, 2007 – Book 401.2, Day 2
Thursday, November 15th, 2007 – Book 401.3, Day 3

Covering Exam 2
Thursday, November 29th, 2007 – Book 401.4, Day 4
Thursday, December 6th, 2007 – Book 401.5, Day 5
Thursday, December 13, 2007 – Book 401.6, Day 6

Oct 26
Lunch and Learn on Log Management
Andrew Hay | Articles | October 26th, 2007

It’s good to see groups of people getting together to discuss important topics like log management in academic settings. If you go to the University of Florida I strongly suggest you drop by to listen and/or contribute :)

If you don’t know what’s happening with your computer, then you don’t know what’s happening to your data. How to keep up? Centralized Log Management is the trick, and it doesn’t have to be hard, either. Knowing the best tools and practices can make your life easier.

The next session on Tuesday, Oct. 30, in Room 286 of Reitz Student Union will offer information about the latest tools, ideas, and guidelines in centralized log management. Ask the experts your best questions and find out about their best practices.

All interested IT professionals are invited to purchase lunch at the Food Court and eat during the round-table discussion. The two-hour session from 11:30 a.m. to 1:30 p.m. will feature questions and answers with Sawyer and Wiens as moderators and hosts.

More information can be found here: http://insideuf.ufl.edu/2007/10/26/lunch-and-learn-3/

Oct 24

I’ve been thinking of doing this for a while but have never found the time until now. Here is a list of what I feel are the most valuable certifications in the security industry, listed in Basic, Junior, Intermediate, and Senior categories. I’ll be covering these certifications over four articles starting with the Basic category.

Please note that:

  1. This is my opinion
  2. I am not saying you need all of these certifications; I am just listing those that I feel are at a basic level and may help you start your security career
  3. I fully expect to catch some flak for my categorization

Here is the list:

Basic

Cisco Certified Entry Networking Technician (CCENT)

The scoop:

The Cisco CCENT (Cisco Certified Entry Networking Technician) certification validates the skills required for entry-level network support positions, the starting point for many successful careers in networking. Candidates should have the knowledge and skill to install, operate and troubleshoot a small enterprise branch network, including basic network security. CCENT certification is the first step toward achieving CCNA, which covers medium size enterprise branch networks with more complex connections.

Associated Training: Interconnecting Cisco Networking Devices Part 1 (ICND1) v1.0
Requirements: One exam at a testing center (640-822 ICND1)
Renewal: Every 3 years
Andrew’s Notes: An understanding of how networking works provides a solid foundation for understanding advanced networking topics and network level security issues.
More Info: Cisco Certified Entry Networking Technician (CCENT)

CompTIA Network+® Certification

The scoop:

CompTIA Network+ validates the knowledge and skills of networking professionals. It is an international, vendor-neutral certification that recognizes a technician’s ability to describe the features and functions of networking components and to install, configure and troubleshoot basic networking hardware, protocols and services. Although not a prerequisite, it is recommended that CompTIA Network+ candidates have at least nine months of experience in network support or administration or adequate academic training, along with a CompTIA A+ certification.

Associated Training: Materials can be found through the CompTIA Authorized Quality Curriculum (CAQC) site and CompTIA Learning Alliance (CLA) site
Requirements: One exam at a testing center
Renewal: Never expires
Andrew’s Notes: The Network+ certification introduces you to additional networking topics and can help you prepare for the CCNA certification.
More Info: CompTIA Network+® Certification

Microsoft Certified Professional (MCP) in Microsoft Windows Vista, Microsoft Windows XP Professional, and/or Microsoft Windows 2000 Professional

The scoop:

Microsoft Certified Professionals (MCPs) stand apart from other IT personnel. They have demonstrated undeniable expertise with Microsoft products and platforms to colleagues, employers, and—most important—to themselves.

Associated Training: Can be obtained directly from Microsoft or through an endless number of 3rd party providers
Requirements: One exam at a testing center
Renewal: Expires when retired by Microsoft
Andrew’s Notes: Everyone needs to know the basics of installing and configuring the most widely deployed desktop operating systems before they can even think about securing them.
More Info: Microsoft Certified Professional (MCP) in Microsoft Windows Vista, Microsoft Windows XP Professional, and/or Microsoft Windows 2000 Professional

CompTIA Linux+™ Certification

The scoop:

CompTIA Linux+ is a vendor-neutral certification, generic across distributions, that validates the knowledge of individuals with a minimum of six to twelve months of practical Linux experience. Professionals holding the CompTIA Linux+ credential can explain fundamental management of Linux systems from the command line, demonstrate knowledge of user administration, understand file permissions, software configurations, and management of Linux-based clients, server systems and security.

Associated Training: Materials can be found through the CompTIA Authorized Quality Curriculum (CAQC) site and CompTIA Learning Alliance (CLA) site
Requirements: One exam at a testing center
Renewal: Never expires
Andrew’s Notes: The Linux+ certification gives you the basic knowledge on how to work with a Linux operating system. If you can, I’d invest the time into a MCP certification AND a Linux certification to round out your knowledge.
More Info: CompTIA Linux+™ Certification

Junior Level Linux Professional (LPIC-1)

The scoop:

Overview of Tasks: To pass Level 1 someone should be able to:

  • Work at the Linux command line
  • Perform easy maintenance tasks: help out users, add users to a larger system, backup & restore, shutdown & reboot
  • Install and configure a workstation (including X) and connect it to a LAN, or a stand-alone PC via modem to the Internet.

Associated Training: Materials can be found through the LPI Approved Training Materials (LPI ATM) site
Requirements: There are currently 2 exams for the first level (LPIC-1) that can be taken at a testing center
Renewal: Once a person is certified by LPI and receives a certification designation (LPIC-1, LPIC-2, LPIC-3), recertification is recommended after two years from the date of the certification designation to retain a current certification status. However, to RETAIN an ACTIVE certification status, a certification holder is REQUIRED to recertify within 5 years of the certification designation.
Andrew’s Notes: Like the Linux+ certification, the LPIC-1 gives you the basic knowledge on how to work with a Linux operating system. If you can, I’d invest the time into a MCP certification AND a Linux certification to round out your knowledge.
More Info: Junior Level Linux Professional (LPIC-1)

Summary of Basic Level Certifications

I feel that a solid base of knowledge that combines operating system and networking expertise provides a strong foundation for getting into the security field. You may notice that I have not mentioned any programming-related certifications in my Basic list. This is simply because I am not a programmer, nor do I want to be one. Perhaps someone can revise this list in the future to include programming-related certifications ;)

Oct 23

Hey everyone. It turns out that Q1 Labs QRadar has been nominated for a SC Magazine Trust Award in the “Best Event Management Solution (Covers SIM/SEM Solutions)” category. I encourage you to vote for our product since we have all, myself included, given a lot of ourselves to this great product!

More information about QRadar can be found here, and you can click here to vote for QRadar.

Finalists in the Reader Trust Awards will be announced in December. The Winners will be announced at the SC Magazine Awards ceremony and gala dinner at the RSA Conference in San Francisco on April 8, 2008.

Oct 21

I apologize for not blogging more lately, but the Rugby World Cup has been on TV for the past two months and, being a huge rugby fan, I had to dedicate a portion of my life to it. Now that it’s over (go Springboks!), I’m back :)

Here is the list:

Air Force Ready to Drop Cyber Bombs – You had to know it was coming.

“In the wake of several Chinese probes into the Defense Department’s non-classified computer and communications network, known as the NIPRNET, as well as German and British defense networks, the Air Force has made it clear it feels that, to fight effectively in cyberspace, a military must be on the offensive.”

Reading List – October 10, 2007 – Good collection of posts to check out.

A few things on my reading list for today … The first is a three-part series on crimeware (malware specifically designed to yield money for the operators of the malware through direct financial theft) by CSO magazine. It’s an interesting look and shows that the underground economy is just as skilled as the fully legit software economy at adapting to “everything as a service”. It’s a three-part series and they cover all sorts of links between groups and techniques. Excerpts below …

A collection of educational security incidents as of late:
Financial Information On Thousands E-mailed To Student
Contractor Loses Decade Worth of Louisiana Student Financial Aid Data
Stolen Flash Drive Contained Student Data
Student Worker Steals UNCC Student Credit Card Information
MSU Extended University Computer Breached
Open FTP Files Contain Student Information

Cisco closing internal research group? – For all the money Cisco makes I can’t figure out why they think they can afford to not keep funding this group.

Dark Reading quotes a Cisco spokesman as saying that the CIAG still exists, but the article goes on to say that the group’s research projects were on hold, as of Tuesday. Some of the research includes SCADA security research, a honeynet for SCADA systems, Internet DNS scanning, study of “collateral damage” on network devices from malware attacks, a VoIP threat study, and the Common Vulnerability Scoring System (CVSS), reports Dark Reading.

BlackEnergy DDoS Bot – Analysis Available – Check out the report. It’s quite interesting.

BlackEnergy is an HTTP-based botnet used primarily for DDoS attacks. Unlike most common bots, this bot does not communicate with the botnet master using IRC. Also, we do not see any exploit activities from this bot, unlike a traditional IRC bot. This is a small (under 50KB) binary for the Windows platform that uses a simple grammar to communicate. Most of the botnets we have been tracking (over 30 at present) are located in Malaysian and Russian IP address space and have targeted Russian sites with their DDoS attacks.

This report is based on analysis of the distribution package of the BlackEnergy botnet, tracking approximately 30 live and distinct botnets, and disassembly of several samples captured in the wild.

Transient Electromagnetic Devices (TEDs) Can Threaten Our IT Infrastructure – Didn’t they do this in Ocean’s 11? :)

Many people recognize an old term – electromagnetic pulse or EMP. The ElectroMagnetic Pulse (EMP) effect was first observed during the early testing of high altitude airburst nuclear weapons. In the past EMPs generally required the use of a nuclear detonation. Today a destructive EMP can be produced without the use of a nuclear device. The development of Transient Electromagnetic Devices (TEDs) now makes the threat of an EMP attack much more likely.

Web Application Scanning Depth Statistics – Agreed, it’s not easy to find a ‘one size fits all’ approach when evaluating web application scanners.

One of the most difficult aspects of web application security scanners is understanding how to evaluate them. Obviously the false positive/false negative ratios are important, but they are often difficult to measure, as they depend on the web application in question. However, Larry Suto came up with a very interesting concept on how to do unbiased measurements of web application scanners. One of the most important measurements is to understand how well the spider portion of the scanner works.

Forensics: New Options for the Enterprise – Nice tip of the hat to the importance of log analysis and log retention for use in forensic investigations.

Log analysis in particular has long been a thorn in IT’s side. Either you tried hard to forget that terabyte or so of raw log data just sitting there, or you paid through the nose for a security information manager. Now, affordable log analyzers are available from companies like LogLogic that can justify their existence by satisfying provisions of Sarbanes-Oxley and the Payment Card Industry Data Security Standard. Meanwhile, packet-capture products from vendors such as Network Instruments and NetWitness not only enable investigators to do full session reconstruction, they also help the network team diagnose performance problems. Finally, products from Clearwell Systems and Athena Archiver mean IT can handle e-mail analysis in-house. While aimed at e-discovery, these tools will also be invaluable when investigating claims of harassment or other inappropriate behavior involving e-mail communications.

Auditing and Securing Multifunction Devices from the SANS Information Security Reading Room

Honeynet Project’s status report for 2007 – I especially enjoyed the ‘lessons learned’ section. Thanks Anton for pointing this out.

Securing the Gateway to Your Enterprise: Web Services – Great article that you should take a look at if you run an IIS web server.

Eugene Siu, a Senior Security Consultant on the ACE Team has just published a great article summarizing some of the pitfalls and issues around web services security. You can read the whole article here.

First Line of Defense for Web Applications – Part 1 – Good review of validating input when developing software.

There are lots of security principles which one should be aware of while developing software but at the heart of any secure application, there should be a first line of defense – and the mother of all defenses is: Input Validation!

There is so much buzz around for how hackers hack and what offensive techniques they use to break in, but at the core it is the mitigation strategy which matters to me and many of my customers. Lack of input validation is one of the _core_ vulnerabilities for almost all web attacks. If we can get this thing right, we can save a lot of $(s) down the road. This series of blogs will talk in detail about Input validation strategies for web applications. We will also take a look at some interesting top Validation bloopers.

The DMZ Isn’t Dead…It’s Merely Catatonic – I agree, the DMZ does not provide “defense in depth” but does help isolate systems.

Joel Espenschied over at Computerworld wrote a topical piece today titled “The DMZ’s not dead…whatever the vendors are telling you.” Joel basically suggests that, due to poorly written software, complex technology such as Web Services and SOA, and poor operational models, the DMZ provides the requisite layers of defense in depth to provide the security we need.

I’m not so sure I’d suggest that DMZs provide “defense in depth.” I’d suggest they provide segmentation and isolation, but if you look at most DMZ deployments they represent the typical Octopus approach to security; a bunch of single segments isolated by one (or a cluster) of firewalls. It’s the crap surrounding these segments that is appropriately tagged with the DiD moniker.

md5deep Version 2.0 – Hey…cool :)

Jesse Kornblum has released version 2.0 of his popular file-hashing application md5deep. The tool now supports Unicode characters in file names when run on the Microsoft Windows platform. From now on md5deep also processes hash values from hash sets in EnCase format (.hash). Please see the changelog for details and further bug fixes.

Poll: Which Logs Do You Collect? – Please contribute to the poll…I’m curious what people are collecting as well.

I figured I’d do a poll a week since people really like it. So, my first poll-a-week: Which Logs Do You Collect?

Defining Digital Forensics – Yes…it would be great.

Wouldn’t it be great if we could just look up the term “digital forensics” in the dictionary? Unfortunately, as you and others have found, it is not that easy. Even better, wouldn’t it be great if we could sort out who is really performing digital forensics versus those performing media analysis, software code analysis, and/or network analysis? In the past, most have used other terms such as computer forensics; intrusion forensics; video forensics; audio forensics; and digital and multimedia forensics. It is past time for someone to succinctly coin this term…

[PCI] Compliance Stats Q3 2007 – Interesting results. I wonder how many people care outside of PCI ASVs…and maybe the customers of the non-compliant organizations.

You should check out the newly released compliance statistics for Q3 2007.
98% of Level 1 and 2 merchants confirmed that they do not store prohibited data. Acquirers of Level 1 and 2 merchants that continue to store prohibited data are currently subject to monthly fines.

Intro to Reverse Engineering – Part 2 – Yay, part 2 of the article.

In Part 1, Intro to Reverse Engineering – No Assembly Required, we extended the series of coding articles for non-programmers with an area of high interest in the infosec community. We’re proud to be able to bring you the highly anticipated follow-up complete with screen shots, sample code and applications. This one is long and detailed, so strap yourselves in for some great educational content.

This paper is designed to outline some essential reverse engineering concepts, tools and techniques – primarily, debuggers and using the debugging process to reverse engineer application functions and algorithms. It is assumed you have knowledge of basic assembly and C programming. An understanding of Win32 programming and API calls is also helpful. This tutorial does not necessarily have to be read in order (although it is strongly advised), as some sections do not contain information that directly relates to subsequent sections. However, if you begin skipping around and find that you have trouble understanding a concept, or feel like you missed an explanation, it would be best to go back to previous sections of the tutorial and read them first.
