Wow, February already. I find it hard to believe that at the end of the month I will be starting into my 30th year. Oh well….I’ve looked like I’m 30 for the past 10 years anyway 🙂

Here is the list:

OSVDB API and enhanced cross-referencing – I’m interested to see how well this works. Feedback from anyone?

We are pleased to announce the OSVDB API beta.

Integration and cross-referencing with OSVDB just got a lot easier via the new application programming interface (API), which can provide multiple result formats to fit various needs. Queries can be run against any number of correlation factors, including CVE ID, Microsoft Bulletin ID, Bugtraq ID, and a host of other common reference points. The API is also under constant development, particularly during beta, and suggestions for improvements are quickly and easily implemented by the OSVDB development team.

InfoSec’s Secret Star Promoter: Lauren Nelson, Miss America 2007 – This is a step in the right direction. Also, let’s face it, Al Gore wouldn’t look this good in a bathing suit.

On hand for the crowning will be Miss America 2007, Lauren Nelson. The former Miss Oklahoma has spent the past year traveling the country to promote Internet safety, and appeared on the TV show, “Are You Smarter Than A Fifth-Grader.” (my emphasis)

Open University launches computer forensics course – I’m going to check this one out for sure.

The Open University in the UK has launched a postgraduate course designed to offer a basic understanding of digital evidence collection, forensic computing and IT incident management in criminal investigations. Computer Forensics and Investigations balances the legal and technical aspects of the collection of evidence in internet related crimes such as email bullying, online fraud, and electronic identity theft…

Metasploit Framework 3.1 is out! – Wicked! I love the quote too.

HDM and the metasploit crew have officially released the Metasploit Framework 3.1 release

here is the release note

https://metasploit.com/RELEASE-3.1.txt

when asked to come up with a quote for the new release…

“if that new drag and drop meterpreter file browser in the GUI doesnt make you hot for your INFOSEC job, nothing will.”

Are companies doing enough to avoid becoming the first true poster child for data loss? – I think I already knew the answer to this question before reading the article 🙂

Data loss is a burning issue that should be on the mind of every C-level executive and board member, if it isn’t already. According to a recent Ponemon Data Loss Study, the costs associated with data breaches rose 55% in 2007.
What is troubling is the scope and opportunity for such abuse and loss of data, even worse is the fact that the intentional, or malicious, attacks are the easiest to spot and manage, with the unintentional data losses caused by rogue emails and employee ignorance doing the most damage.

Technology helps, but people matter most – Tools are an important part of information security but are useless in the wrong hands. Take this random analogy: Could you build a house without a hammer? Probably, but it’d take you a long time. Conversely, just because you have a hammer, does it mean that you can (or in some cases should) build a house? Probably not. What about giving the hammer to a skilled builder with the knowledge to build the house? Do you think they would have the correct mix of tools and talent to do the job. Probably.

The other day a friend called me up asking what the best scanner (web application vulnerability) is these days because he hadn’t been following the field closely. He recently left a consulting role and signed on as an InfoSec manager at a large organization. His first action was to roll out a website security initiative. He knew of course that I would be highly biased towards Software-as-a-Service. Apparently he would have gone that route, but the company had a policy against outsourcing. No one could quite remembered why. Anyway, before answering his question, I wanted to know more about his environment.

From the SANS Information Security Reading Room – looks like I have some reading to catch up on:

• Electronic Contracting In An Insecure World
• Secure Authentication on the Internet
• Auditing a Corporate Log Server
• Detecting Attacks on Web Applications from Log Files
• Firefox VS Windows Internet Explorer
• Baselines and Incident Handling

What is PCI all about? – Ever wonder what this “PCI thing” was all about?

This seems to come up every year, or perhaps that’s only the frequency that I address it. It seems everyone has their own view about what PCI compliance is meant to accomplish.
Martin, a friend of mine, writes that PCI is about transferring risk and not mitigating it. This implies that the acquiring bank somehow has the ability or responsibility to prevent a merchant from loosing your credit card number. This is entirely wrong. The heart of the PCI DSS is about mitigating the risk of a direct attack on the cardholder data. I think the one thing we both agree on is that it’s the responsibility of the person closest to the data to protect it – and this just happens to be the merchant in many cases.

The Real Costs of Ignoring IT Security – Interesting article. I really hope people read it because many struggle with the concept of ROI on security investment.

IT security is like insurance: a foolish waste of money — until disaster strikes.

Still, businesses need to be intelligent about planning and deploying IT security technologies and practices. Just as a driver wouldn’t insure a rusty 1971 Ford Pinto for $1 million, a company shouldn’t adopt security measures that, in the long run, wind up costing more than they’re worth.

Many businesses are tempted, however, to skip key security measures and simply pay to fix things if and when a problem occurs. Is this a good idea? Let’s examine several worst-case security scenarios and see what effect they would have on a business.

A golden nugget of a security blog – Thanks be to Shimmy for introducing me to a new security-oriented blog. I’ll put another drink on your “when we meet up” tab.

A couple of weeks ago I followed a link and wound up on a blog called Security Uncorked, JJ’s complete unofficial guide to Infosec. Though it was a fairly new blog, the person writing it obviously was a pretty hands on security practitioner who knew what they were doing and was doing a good job of writing about it. with some good tips and tricks. Further investigation revealed that the blog belonged to Jennifer Jabbusch. I don’t know a lot about Jennifer other than what she has up on the blog, but she is obviously very deeply involved in nuts and bolts information security and has a great writing style.

Three Categories of Buffer Overflow in the JRE – This is why people need a strong foundation in C/C++ before even starting with Java. Someone needs to “bring sexy back” to C/C++ 🙂

Some people think that writing code in Java is a silver bullet against implementation flaws such as buffer overflows. The truth is a little murky.

But real code, though it might be written in 100% Java, depends heavily on the Runtime Environment (JRE) and the JRE contains methods that are written in straight C. We all know what happens when C hangs out with its buddies: fixed size buffer, strcpy and user input.

OWASP Books Released – Hot off the…umm….press?

An interesting download to come out of the OWASP camp — books are now available for your reading pleasure. The initial group of books are:

• OWASP CLASP v1.2
• OWASP Top 10 – 2007 Edition
• OWASP Top 10 – Testing – Legal 07′
• OWASP WebGoat and WebScarab
• OWASP Code Review – 2007 (RC1)
• OWASP Evaluation and Certification Criteria
• OWASP Top 10 – Ruby on Rails Version
• OWASP SpoC 2007
• OWASP World (Nov2007)
• OWASP Guide 2.0 (2005)

Bruter 1.0 Released – Parallel Windows Password Brute Forcing Tool – Here is another tool to try out.

Bruter 1.0 BETA 1 has been released. Bruter is a parallel login brute-forcer. This tool is intended to demonstrate the importance of choosing strong passwords. The goal of Bruter is to support a variety of services that allow remote authentication.

Artifact Repositories, part deux A follow-up to Harlan’s last post on this topic.

I received an email from someone recently asking me about checklists for determining the attack vector of an incident. Yeah, I know…that’s a pretty broad question, but I do see the issue here. Sure, some folks are “finding stuff”, but the question is now becoming, how did it get there? That’s the next logical question, I suppose, and it is being asked.

Nessus UNIX Configuration Auditing “sudo” Support – Nice addition.

Tenable’s research group recently added support to all SSH enabled UNIX configuration audits to make use of “sudo”. Support is available in version 1.4.4 of the UNIX compliance checks.

Some organizations explicitly prohibit remote “root” logins to their UNIX servers. However, many of these organizations do allow a “non-root” login which has access to the “sudo” command. The “sudo” facility allows a non-root user to run specific restricted commands at the root level. Activity related to “sudo” can be logged as well.

dc3dd, Version 6.9.91 – Another tool I’ll have to try out.

Jesse Kornblum has released the first version of his new acquisition tool dc3dd. It is based on GNU dd which ship with the coreutils (that explains the version number) and incorporates ideas from the well-known dcfldd. More information is available from the ForensicWiki article on dc3dd and the manual page.

Router Hacking Challenge. – Anyone interested in a little competition? 🙂

So are you up to it? can you handle it? can you find a vulnerability in your personal router? Then you are the perfect candidate to join!

The contest runs from 2 February until 29 February. If there are enough submissions, I will write about it and compose a list of the best router hacks that where submitted. I also pick my personal favorite out of that list as the main winner. The Hacker Webzine currently grows each day. The site has 100 to 150K hits each week, so this can give you a lot of attention and spotlight! The rules are very flexible, every kind of exploit is allowed. From buffer overflows to CSRF issues that plague many routers. My personal favorites are CSRF issues since they always work in any situation.