Month: October 2007

I Thought This Was Quite Funny…

So I thought I’d share:
xkcx

Suggested Blog Reading – Tuesday October 9th, 2007

Well, I’ve finally lost my cold…and as a reward…I’ve thrown out my back. *shakes fist*

Here is the list:
Virtualization Security Training? – That’s not a half bad idea 🙂

If the industry is having trouble finding IT generalists with training in virtualization security, I can only imagine the dearth of qualified security experts in the hopper. I wonder when the first SANS course in virtualization security will surface?

Common Criteria Web Application Security Scoring (CCWAPSS) Released – Interesting white paper. Has anyone implemented this scoring system internally?

The purpose of the scoring scale CCWAPSS is to share a common evaluation method for web application security assessments/pentests between security auditors and final customers.

This scale does not aim at replacing other evaluation standards but suggests a simple way of evaluating the security level of a web application.

The Merits Of Threat Modeling – I suspect that threat modeling exercises would help prevent quite a few design flaws if organizations took the time to hold them.

As a consultant, I have been involved with many-a threat modeling exercise. Oftentimes, they are boring, process intensive sessions where you stare out the window praying that the meeting ends or that the lunch you ate contained botulism. They are also boring, process intensive meetings that have more impact on the longterm security of your organization than just about anything you are likely to do.

WinHex, X-Ways Forensics, X-Ways Investigator 14.4 released – Quite the list of features in this release.

Official release of SQL Power Injector 1.2 – Download Now! – Another tool to try.

SQL Power Injector is a graphical application created in .NET 1.1 that helps the penetrating tester to inject SQL commands on a web page.

For now it is SQL Server, Oracle and MySQL compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal mode).

Moreover this application will get all the parameters you need to test the SQL injection, either by GET or POST method, avoiding thus the need to use several applications or a proxy to intercept the data.

The emphasis for this release is maturity, stability and reliability with secondary goals of usability, documentation and innovation.

Lessons From a Cyberdefense Competition Red Team – Michael posted his insights from his recent ISU Red Team involvement (Part 1, Part 2, Part 3). It sounds like it was a good opportunity.

This weekend Iowa State University held its annual CyberDefense Competition in Ames, Iowa. The event is hosted by students and faculty from the Information Assurance Student Group and the Electrical and Computer Engineering department. In the event, teams of students attempt to deploy and manage various services representative of normal business applications. During the 20 hours the event covers, the teams are scored on their service uptimes as tracked by network monitoring (Nagios) and other neutral teams acting as normal users of the services. In addition, much like the real world, there is another team of students, faculty, and area professionals acting as attackers, intent on owning and bringing down those offered services. The services the teams were required to offer were web services (with pre-packaged web content), mail (smtp and imap), a telnet shell, ftp, wireless access for normal users, and dns to get it all working.

Something You Should Know: FTC Is Aggressively Going After Companies With Poor Security – Witch hunt or proactive initiative? 🙂

Of all the U.S. government regulatory oversight agencies, the Federal Trade Commission (FTC) is the most active and aggressive in looking for and applying penalties to organizations that not only are in noncompliance with laws and regulations, but also those who are not in compliance with their own information security and privacy promises; in other words, those that are practicing “unfair and deceptive trade practices.”

Indiana State Police Forensics Field Triage Program a Success – Good news!

Approximately two years ago, the Indiana State Police instituted a unique program in which examiners conduct on scene computer forensics. The goal of the Computer Forensics Field Triage program is to utilize departmental resources efficiently to improve cyber crime investigations by conducting on scene computer examinations in a forensically sound manner. The program was an immediate success. Investigators found that conducting examinations on scene was far superior to conducting examinations in a laboratory setting. Specific circumstances sometimes dictate that an on scene examination is the only viable alternative…

Website Vulnerability Statistics (17 mo. and counting) – Download the report and give it a read.

It’s that time of the quarter where we get to release our WhiteHat Website Security Statistics Report (PDF) – the aggregate vulnerability data we’ve collected when assessing the custom web applications of hundreds of the largest and most popular websites on a continuous basis (weekly is typical). This data is also very different from Symantec, Mitre (CVE), IBM (ISS) X-Force, and others who track publicly disclosed vulnerabilities in commercial and open source software products. WhiteHat’s report focuses solely on previously unknown vulnerabilities in custom web applications, code unique to that organization, on real-world websites.

Auditing open source software – Great post on auditing open source software with some solid examples.

Google encourages its employees to contribute back to the open source community, and there is no exception in Google’s Security Team. Let’s look at some interesting open source vulnerabilities that were located and fixed by members of Google’s Security team. It is interesting to classify and aggregate the code flaws leading to the vulnerabilities, to see if any particular type of flaw is more prevalent.

More Justification for Logging

In the September 2007 issue of Information Security Magazine there was an interesting article entitled “CSI for the CISO” which has some excellent observations on why you need to enable logging within your environment for forensic investigations.

From the article:

Today’s digital forensics involves more than just laptops and desktops; investigators need to look at network and communication data, making logging essential. But Intelguardians’ Hillery says he often gets a blank stare when he asks for logs, the lack of which impedes an investigation.

Yikes! I just don’t understand why something as simple as enabling logging isn’t part of the system deployment process in every organization. Is it because it is difficult to enable logging? In a word…no. I don’t know of a single system administrator who hasn’t heard of SNARE (the agent that ships Windows event logs out as syslog). Is it because configuring a central log repository is difficult? I’m going to reuse my aforementioned ‘no’. Dust off that old PC sitting in your storage closet, download your Linux distribution of choice (use Ubuntu if you’re not very familiar with Linux), install it, and follow some easy instructions on configuring remote syslog. This may not fit your environment, however, if you have a lot of devices that you need to collect logs from: a single box on one UDP socket will eventually drop messages, which is exactly the gap an investigator will find later.
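The remote-syslog setup described above, as an added example that is not part of the original post: a small POSIX shell script that writes rsyslog drop-in files for the central server and for each client that forwards to it. rsyslog’s legacy directive syntax is used because it is accepted from the 2007-era releases through current ones. The server name (logserver.example.internal), the port, the spool and log directories, and the file names are assumptions; change them for your network.

```shell
#!/bin/sh
# Added example (not from the original post): generate rsyslog drop-in files
# for a central log server and for the clients that forward to it.
# LOGSERVER, SYSLOG_PORT and all paths below are assumptions.

LOGSERVER="${LOGSERVER:-logserver.example.internal}"   # assumed hostname
SYSLOG_PORT="${SYSLOG_PORT:-514}"

# write_server_conf DIR -> DIR/10-central.conf
# Accept UDP and TCP syslog and file each remote host's messages under
# /var/log/remote/<host>/<program>.log, so an investigator can pull one
# host's history without carving it out of a combined file.
write_server_conf() {
    cat > "$1/10-central.conf" <<EOF
\$ModLoad imudp
\$UDPServerRun $SYSLOG_PORT
\$ModLoad imtcp
\$InputTCPServerRun $SYSLOG_PORT

\$template PerHost,"/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log"
\$DirCreateMode 0750
\$FileCreateMode 0640
# anything that did not originate locally goes to the per-host file and is
# then discarded so it is not duplicated into the server's own /var/log
:fromhost-ip, !isequal, "127.0.0.1" ?PerHost
& ~
EOF
}

# write_client_conf DIR -> DIR/90-forward.conf
# Forward everything over TCP and spool to disk while the server is
# unreachable, so a dead log server neither loses messages nor blocks the
# applications that are logging (the performance worry quoted above).
write_client_conf() {
    cat > "$1/90-forward.conf" <<EOF
\$WorkDirectory /var/spool/rsyslog
\$ActionQueueType LinkedList
\$ActionQueueFileName fwdq
\$ActionQueueMaxDiskSpace 500m
\$ActionQueueSaveOnShutdown on
\$ActionResumeRetryCount -1
# @@ = TCP (reliable); a single @ would forward over UDP instead
*.* @@$LOGSERVER:$SYSLOG_PORT
EOF
}

# check_conf FILE PATTERN: succeed only if the generated file carries the
# directive; run it before restarting rsyslogd so a typo cannot leave the
# daemon silently not listening.
check_conf() {
    grep -q -- "$2" "$1"
}

# Usage (as root): LOGSERVER=loghost sh central-syslog.sh server|client [confdir]
if [ "${1:-}" = "server" ] || [ "${1:-}" = "client" ]; then
    dir="${2:-/etc/rsyslog.d}"
    "write_${1}_conf" "$dir"
    echo "wrote $dir; restart rsyslogd, then on a client run: logger -t rsyslogtest hello"
fi
```

After restarting rsyslogd on both sides, `logger -t rsyslogtest hello` on a client should produce `/var/log/remote/<client>/rsyslogtest.log` on the server; if it does not, check that the server's firewall allows the port and that `& ~` is not discarding before the `?PerHost` action. The disk-backed queue is what lets you answer “logging slows things down” with a measured cost rather than by turning it off.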

If building your own centralized logging server isn’t your cup of tea, or if your syslog server is being overloaded, then why not give an enterprise-class solution a try? They’re fairly inexpensive relative to the functionality you get for the investment.

Also from the article:

David Lang, director of information assurance and forensics at risk management firm Abraxas, also often encounters a lack of logging when investigating intrusions. System administrators tell him they turned off logging because it slows things down too much. “It’s going to cost you some system performance to have logging turned on, but if it’s a critical system, that’s a risk management decision you need to look at,” Lang says.

Enterprise network and systems architects need to start planning for logging as part of their initial design phases. That way they can avoid embarrassing forensic setbacks like those in the article.
