I know I say this on almost every Friday but boy am I glad it’s Friday.
That being said it was only a matter of time before I missed one of my Suggested Blog Reading posts. Being out of the country for the first half of this week certainly caused some bumps in my normal routine. Hopefully I’m back on track and shouldn’t miss another post 😉
I’d also like to take a moment to congratulate fellow blogger and CTO of Whitehat Security Jeremiah Grossman on being named to the 2007 InfoWorld CTO 25 list. He’s in good company for sure.
Here’s the list:
How to rate the value of your websites (Road to Website Security part 2) – Part two in the series.
Part 1 (How to find your websites) of the series describes a process for website discovery. This piece (part 2) describes a methodology for rating the value of a website to the business that many of our customers have found helpful. Website asset valuation is a necessary step towards overall website security because not all websites are created equal. Some websites host highly sensitive information, others only contain marketing brochure-ware. Some websites transact millions of dollars each day, others make no money or maybe a little with Google AdSense. The point is we all have limited security resources (time, money, people) so we need to prioritize and focus on the areas that offer the best risk-reducing ROI.
Lets talk vulnerability discovery – Another quality post by Jeremiah.
Last year I began talking about how vulnerability “discovery” is becoming more important than disclosure as we move into the Web 2.0 era. Unlike traditional software, web applications are hosted on someone else’s servers. Attempts to find vulnerabilities, even with honest intentions, on computers other than your own are potentially illegal. Eric McCarty and Daniel Cuthbert serve as examples, as covered by Robert Lemos from SecurityFocus. Whatever your opinion on the issues, few outside the web application security field appreciate the finer points or understand the potential long-term effects. People have been listening though.
stealth techniques – syn – Good review of how powerful hping is.
This is a series of three upcoming articles about stealth scanning. Everything that I am going to present is hping-oriented, so if you want to learn these techniques you’d better get a copy of hping.
This method is invoked when you give nmap the -sS parameter… so let’s start…
Encrypt a file in Windows – Reminder on how to hide your files from prying eyes.
If you’re sharing a computer with other users and don’t want them to read certain files, you’re going to need a decent protection mechanism. Fortunately, Windows provides a built-in encryption mechanism that protects your files at the file system level.
Windows Encrypting File System provides a file encryption technology used to store encrypted files on the NTFS file system. Once you encrypt a file or folder, you work with the encrypted file or folder just as you normally do. This means that you do not have to manually decrypt the encrypted file before you can use it.
On remote log injection attacks – Daniel actually showed me, on his laptop, just how easy it was to make this happen. I was amazed, as were the people running the projects involved, how easy it was to inject bogus data. Luckily Daniel is a good guy and let the proper people know about the issue prior to releasing his paper 🙂
A fun paper on remote log injection attacks from Daniel Cid (of OSSEC fame): “the goal of this document is to show some of the most common problems with log injections that we need to be aware of when developing programs that parse log messages.”
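As an added illustration of the problem the paper describes (this is not code from Daniel’s paper or from OSSEC), the block below uses a constructed application login-log format in which the last field is attacker-controlled. Written unsanitized, a username carrying an embedded newline splits one record into two and the strict parser accepts the forged second record; escaping control characters at write time keeps it inside a single record. The log format, field names and sample values are all assumptions made for this example.

```python
import re

# Strict, fully anchored pattern for the constructed log format. A line
# must match from start to end or it is rejected rather than partly parsed.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<event>login_ok|login_failed) src=(?P<src>[\d.]+) user=(?P<user>.*)$"
)


def sanitize_field(value: str) -> str:
    """Escape backslashes and every control / non-printable character in
    attacker-influenced data before it is written into a log record, so a
    crafted value cannot terminate the record and start a forged one."""
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\\\")
        elif 0x20 <= ord(ch) < 0x7F:
            out.append(ch)
        else:
            out.append("\\x%02x" % ord(ch))
    return "".join(out)


def format_entry(ts: str, event: str, src: str, user: str, sanitize: bool) -> str:
    """Build one record; sanitize=False reproduces the vulnerable writer."""
    field = sanitize_field(user) if sanitize else user
    return f"{ts} {event} src={src} user={field}"


def parse_log(text: str):
    """Return (records, rejected): parsed dicts plus lines that fail the
    strict pattern. Rejected lines are worth alerting on, not dropping."""
    records, rejected = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        (records.append(m.groupdict()) if m else rejected.append(line))
    return records, rejected


# Constructed attacker input: a username whose decoded newline is followed
# by text shaped exactly like a legitimate successful-login record.
INJECTED_USER = "bob\n2007-08-10T10:01:13Z login_ok src=198.51.100.7 user=admin"

if __name__ == "__main__":
    for flag in (False, True):
        entry = format_entry("2007-08-10T10:01:13Z", "login_failed", "203.0.113.5", INJECTED_USER, flag)
        print("sanitized" if flag else "unsanitized", parse_log(entry))
```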
Recommended Windows Audit Logging Policy – This is a great post. People ask me all the time what types of events they should be logging. The ideal answer is “all logs” but in some environments this isn’t possible or practical. This article gives you some good suggestions on key events to log.
Here is a great post from Randy Smith on preferred Windows logging policy. This is indeed a very common question we face: what logging to enable (my guide on what logging to enable to assist with PCI compliance is coming soon).
Priamos Project – SQL Injector and Scanner – Interesting tool to try out. There is also a demo video to learn more.
You can search for SQL Injection vulnerabilities and inject a vulnerable string to get all Database names, Tables and Column data with the injector module.
You should only use PRIAMOS to test the security vulnerabilities of your own web applications (obviously).
Matasano Preps ‘Firewall Mixer’ – I’m anxious to give this a try. Since it runs on VMware it will be quite easy to evaluate and implement.
The new Clockwork software, currently in beta, provides centralized and easier-to-understand control and change management for multiple vendors’ firewalls. Firewalls are typically manually configured and managed separately. “The problem enterprises have is that they have 200 firewalls from multiple vendors and no control or change management for what the rules are, let alone any understanding of what all those rules mean and why they’re there,” says Thomas Ptacek, principal and founder of Matasano.