Suggested Blog Reading – Wednesday July 18th, 2007

Lots of information out there today. I’ve made a decision not to post any links to the InfoSecSellout debacle…oh wait…crap!

Here’s the list:

Creating and Managing an Incident Response Team for a Large Company from the SANS Information Security Reading Room

From Elk Cloner to Peacomm: A quarter century of malware – Good article here on malware.

A quarter century of malware. You’d think we would have had this problem licked by now, yeah? No, not even close. Self replicating code was first theorized in 1949, the dawn of the computing age, and appeared in the wild around the early 1980s. The fundamental theories on computer viruses were worked out by Fred Cohen; you can read his original paper online from the early 1980s. The tension between usability and security is directly discussed in this seminal paper. From the paper’s ending, “To quickly summarize, absolute protection can be easily attained by absolute isolationism, but that is usually an unacceptable solution. Other forms of protection all seem to depend on the use of extremely complex and/or resource intensive analytical techniques, or imprecise solutions that tend to make systems less usable with time.” In fact, because of the nature of a general purpose computer, Cohen points out, you can never fully protect against viruses.

FBI’s Secret Spyware Tracks Down Teen Who Made Bomb Threats / FBI’s Magic Lantern Revealed / FBI Spyware: How Does the CIPAV Work? — UPDATE – Three really good articles from WIRED on the FBI’s CIPAV software.

In general, a CIPAV utilizes standard Internet computer commands commonly used over local area networks (LANs) and the Internet to request that an activating computer respond to the CIPAV by sending network level messages, and/or other variables, and/or information, over the Internet to a computer controlled by the FBI. The exact nature of these commands, processes, capabilities, and their configuration is classified as a law enforcement sensitive investigative technique, the disclosure of which would likely jeopardize other on-going investigations and/or future use of the technique.

What’s up with Snort licensing – Clarification for the masses on Snort licensing and GPL3.

There have been a lot of questions and speculation about the things we (Sourcefire) have been changing in Snort’s licensing recently and it needs to be addressed so that we can clear the air.

There are three things that people have been asking questions about or having issues with.

1) GPL v2 lock that we put in place on June 29th.
2) “Clarifications” in Snort’s license language (Snort 3.0).
3) “Clarifications” with regard to assignments of ownership for contributed code (Snort 3.0).

Let me address these issues in order.

Outlook Email Forensics – Not a bad read for anyone who has to do some Outlook forensics in a pinch.

I have done this previously and can’t recall everything; however, I would like to share here what I have done before I’m out of memory. I myself don’t use the Outlook mail client, therefore I need to convert it to the Unix mbox mail format so that I can examine the messages. I found libpst, which can do the job for me, and installed it via the FreeBSD port.
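Once libpst has turned the PST into an mbox, the next step is reading it as a timeline. The following added example (not from the quoted post or from libpst) parses an mbox with Python’s standard `mailbox` module and returns the messages oldest-first; the mbox content is constructed here, and the `readpst -o` invocation in the comment is assumed.

```python
import mailbox
import os
import tempfile
from email.utils import parsedate_to_datetime, parseaddr

# Constructed sample in the plain mbox layout that readpst (libpst) writes,
# e.g. from an assumed `readpst -o outdir mailbox.pst`. Not a real mailbox.
SAMPLE_MBOX = """From - Mon Jul 16 09:12:00 2007
From: Alice Example <alice@example.test>
To: bob@example.test
Subject: Q3 budget
Date: Mon, 16 Jul 2007 09:12:00 -0500
Message-ID: <one@example.test>

Numbers attached.

From - Tue Jul 17 14:03:00 2007
From: "HR" <hr@example.test>
To: bob@example.test
Subject: Re: Q3 budget
Date: Tue, 17 Jul 2007 14:03:00 -0500
Message-ID: <two@example.test>

Looks fine.

From - Sun Jul 15 23:59:00 2007
From: noreply@example.test
To: bob@example.test
Subject: Password reset
Date: Sun, 15 Jul 2007 23:59:00 -0500
Message-ID: <three@example.test>

Click here.
"""


def write_sample_mbox():
    """Write the constructed mbox to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_MBOX)
    return path


def mbox_timeline(path):
    """Return (datetime, sender_address, subject, message_id) per message,
    sorted oldest-first, so the mailbox can be reviewed as a timeline."""
    rows = []
    for msg in mailbox.mbox(path):
        when = parsedate_to_datetime(msg["Date"])          # tz-aware datetime
        sender = parseaddr(msg.get("From", ""))[1]          # bare address only
        rows.append((when, sender, msg.get("Subject", ""), msg.get("Message-ID", "")))
    rows.sort(key=lambda r: r[0])
    return rows
```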

Biometrics could guard Australian borders by 2010 – I’ll believe it when I see it fully implemented.

The Department of Immigration and Citizenship (DIAC), the Department of Foreign Affairs and Trade (DFAT) and the Australian Customs Service are all using biometrics for varying levels of identity management.

A DIAC spokesperson said the department will increase the use of biometrics for identification in the lead-up to 2010, when it expects to provide a single identity for DIAC clients “regardless of what business function is being undertaken”.

Under its three-year identity management strategy, covered by the Migration Legislation Amendment (Identification and Authentication) Act of 2004 and the Privacy Act, DIAC will employ facial recognition, iris scanning, and fingerprinting to verify the identity of noncitizens entering Australia.

Louisiana State Student, Faculty Information Left Unprotected For Two Years – I’m going to start calling these “eye bleeders” because when I read them I get so flustered I think my eyes will start to bleed.

The Louisiana Board of Regents announced that it has determined that information on students and staff at universities within the Louisiana State University system was left available to unauthorized individuals for an unknown amount of time. This information included names and Social Security numbers of groups of individuals, including all 10th grade students within Louisiana between 2001 and 2003 who took the state’s Educational Planning and Assessment Plan test, as well as any individual employed within the state university system between 2000 and 2001. An investigation is still ongoing to help determine what exactly happened, but the information has been secured and there is no evidence that it was accessed by any unauthorized individuals. The board first learned of the problem from Richard Angelico, a reporter at WDSU-TV in New Orleans.

Free ePO Vulnerability Scanner – Interesting idea by eEye to release a free scanner aimed at detecting vulnerabilities in ePO/CMA/ProtectionPilot. Probably worth checking out if you’re using these products.

Just wanted to give a quick heads-up that the eEye R&D team has put together a free Class C scanner (available here) for the latest vulnerabilities found within McAfee ePO, CMA, and ProtectionPilot. These are some pretty serious vulnerabilities with a very large impact in networks where ePO/CMA/PP are installed, therefore warranting the free scanner.
