Suggested Blog Reading – Tuesday July 17th, 2007

Not sure why, but “Tuesday” feels like it’s been preceded by about 10 working days already this week. That’s just not right.

Here’s the list:

CfP open for ACM SIGOPS Special Issue on Computer Forensics – Anyone looking to get an article published should check this out.

ACM SIGOPS is soliciting the submission of papers for its Operating Systems Review. This special issue will be dedicated to computer forensics, especially with the upcoming arts of live forensics and the analysis of volatile data.

The call for papers closes on December 1st, 2007.

So you want to be a writer? – Don is offering to help you out if you’re looking to get started on that book you’ve always wanted to publish. You might want to drop him a line.

Has it ever crossed your mind, in the recent past, that becoming a writer would be neat? Take myself for an example. About six or seven years ago I took stock of my career. I decided that I wanted to implement some career goals. The first was to become a computer security contractor. Problem was, just how do you go about becoming one? For me the solution was to start writing articles about computer security. This would help me reach my goal in that it would get my name and skillset out there to potential clients. Not to mention that if your writing is good enough you can also get paid for it.

Sandcat by Syhunt – Web Server & Application Vulnerability Scanner – Another tool to check out.

Sandcat allows web administrators to perform aggressive and comprehensive scans of an organization’s web server to isolate vulnerabilities and identify security holes.

The Sandcat scanner requires basic inputs such as host names, start URLs and port numbers to scan a complete web site and test all the web applications for security vulnerabilities.

This is a pretty nifty and complete tool; there is a ‘pro’ version available too.

New Paper: “Log management in the age of compliance” – Another paper by Anton. I’m starting to wonder when he finds time to sleep 🙂

Yeah, I know, not too technical, but still fun – my paper “Log management in the age of compliance” on ComputerWorld: “In my previous article, I described the way in which three regulations (FISMA, HIPAA and PCI-DSS) affect incident response processes. This triumvirate also affects log management, since they [A.C. – these and other regulations] call for enabling logging as well as for log review.”

UserAssist V2.3.0 – Didier has updated his UserAssist tool with some cool new features. Check out UserAssist here.

I’m releasing version 2.3.0 of my UserAssist tool with these new features:

* saved CSV files have a header.
* entries are highlighted in red when they match a user-specified search term (which can be a regular expression). This is my answer to the persons asking for a search feature. As I didn’t want to bother with a Find Next function, I decided to implement a highlight feature.
* the Save command also supports HTML.
* support for the IE7 UserAssist GUID key {0D6D4F41-2994-4BA0-8FEF-620E43CD2812}
* registry hive files (usually called NTUSER.DAT files) can be loaded directly with the tool. The tool will load the DAT file temporarily in the registry, read the UserAssist keys and unload the file. This feature is experimental, because I didn’t write the code yet for all the exceptions (invalid NTUSER.DAT file, no access rights to the file, no rights to load the file, failure to unload the file, …).

Other requests, like a command-line option, will be investigated. I’m also researching special values of the count property, for example when a program is removed from the start menu list.
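As an added example (not Didier’s code), here is what such a tool has to do with the values under a UserAssist key once the hive is loaded: ROT13-decode the value names, unpack the session, run count and last-run time, highlight entries matching a user-supplied regex, and export them as CSV with a header. It assumes the pre-Windows 7 16-byte value layout and the “stored count = real count + 5” convention, both marked as assumptions in the code; the sample values are constructed, not taken from a real hive.

```python
import codecs
import csv
import io
import re
import struct
from datetime import datetime, timedelta, timezone

# Subkey for the IE7 UserAssist GUID named in the post, relative to the NTUSER.DAT hive root.
IE7_USERASSIST_KEY = (r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
                      r"\{0D6D4F41-2994-4BA0-8FEF-620E43CD2812}\Count")
# Assumed pre-Windows 7 value layout: session id (4 bytes), run count (4), FILETIME last run (8).
VALUE_STRUCT = struct.Struct("<IIQ")
COUNT_OFFSET = 5  # assumption: the stored run count is the real count plus 5
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def datetime_to_filetime(dt):
    """Datetime to FILETIME (100 ns ticks since 1601-01-01 UTC); used only to build the sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def decode_entry(value_name, value_data):
    """Decode one value: ROT13 the name, unpack session/count/timestamp from the data."""
    if len(value_data) != VALUE_STRUCT.size:
        raise ValueError("unexpected UserAssist value size: %d" % len(value_data))
    session, raw_count, filetime = VALUE_STRUCT.unpack(value_data)
    return {"program": codecs.decode(value_name, "rot13"), "session": session,
            "raw_count": raw_count,
            # Counts below the offset are the kind of special value the post is still investigating.
            "count": raw_count - COUNT_OFFSET if raw_count >= COUNT_OFFSET else None,
            "last_run": FILETIME_EPOCH + timedelta(microseconds=filetime // 10) if filetime else None}

def highlight(entries, pattern):
    """Entries whose decoded program name matches a user-supplied regular expression."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [e for e in entries if rx.search(e["program"])]

def to_csv(entries):
    """Serialise entries as CSV with a header row."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["program", "session", "raw_count", "count", "last_run"])
    for e in entries:
        last = e["last_run"].isoformat() if e["last_run"] else ""
        writer.writerow([e["program"], e["session"], e["raw_count"], e["count"], last])
    return buf.getvalue()

# Constructed sample values (not from a real hive); names are ROT13 as stored in the registry.
SAMPLE_VALUES = [
    (r"HRZR_EHACNGU:P:\Jvaqbjf\flfgrz32\pzq.rkr",
     VALUE_STRUCT.pack(1, 8, datetime_to_filetime(datetime(2007, 7, 17, 9, 30, tzinfo=timezone.utc)))),
    (r"HRZR_EHACNGU:P:\Jvaqbjf\abgrcnq.rkr", VALUE_STRUCT.pack(1, 0, 0)),  # never run, no timestamp
]
```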

010 Template to Parse an Evtx File – This may come in handy some day soon. I’ll add this link and file it away for later.

I’m excited to release the first version of a template for the 010 Editor which parses the outer structure of a Vista event log file. By “outer structure” I refer to the structures described earlier in this blog, from the file level down to the single record. However, the template cannot yet decode the binary XML inside of an event record – and probably never will. For this task I will provide a more complex tool in a few weeks.

The template parses the following structures:

* File Header
* Chunk Header
* String Table
* Template Table
* Event Record

Detecting the Apple iPhone and other ‘Shadow IT’ Technology

Worried about people using their fancy new iPhones on your corporate network?
While reading the ‘Declaration of Interdependence’ series of articles in the July 1st issue of CIO Magazine (including an additional online article named ‘Users Who Know Too Much and the CIOs Who Fear Them’), the term “Shadow IT” was used to describe the aggregate amount of personal, walk-in and employee owned software and hardware that makes its way onto corporate networks and computers.

This blog entry discusses strategies to look for applications that should not be running on your network as well as understanding which “unsanctioned” applications may be the most popular. It also discusses how the Passive Vulnerability Scanner can be used to detect Apple iPhones connected to the local IP network.

Some new papers from the SANS Information Security Reading Room:

Open ports for a bunch of servers – Kind of cool.

This is a first attempt at visualizing open ports detected by nmap in around 60 servers. I’ve used Freshcookies-Treemap and custom scripts. Ports are all TCP.

Beat by a girl! – Hahah…catchy article title. Good post though.

I’ve written before about WhiteHat Security office events in which we race to find the first and best vulnerability in never-seen-before websites – the winner receiving company-wide bragging rights. Speed hack contests are also great for learning and testing one’s skills. They get the competitive juices flowing, typically finish in less than 20 minutes, and keep the day-to-day work fun! Lately, winning has proved to be extremely challenging, especially when you’re up against people like Bill Pennington, Arian Evans, and the entire Operations Team who does this stuff every day.

We ran two bouts last week. The first was a financial application, which was a little bit different, because it had a social networking aspect. We weren’t provided any usernames or passwords, couldn’t self-register without a special code; and, as a result, the attack surface was limited. This meant we could still probably find the first XSS fast, but the high-severity issue probably wasn’t going to be there. The domain was called out, fingers hit the keyboard, and we were off. Bill P. and I went immediately after XSS in the search fields, but struck out because of proper HTML encoding. Arian, who only sees filters as a challenge, busied himself with some crazy encoding attacks. The rest of the Operations Team were eagerly trying to take down the giants.
