Suggested Blog Reading – Wednesday November 7th, 2007

ReadAh vacation….I’ve taken a week off to recharge my batteries and hopefully catchup on some reading, blogging, updating my other website, and whatnot.

Here is the list: 

First Line of Defense for Web Applications – Part 2 – Part 2 in the series.

Hello everyone, as promised I am back with the next post on input validation series for web applications. Knowledge is power right :). So knowing what all things to validate when you start your web project can save you a lot of headache down the road. So here are some of most important aspects on input validation every developer should be aware of.     

Making Progress in the Battle against Rootkits – Not quite winning the battle…but making progress at least.

The results of that test, conducted by Thompson CyberSecurity Labs, indicate that McAfee was able to detect 16 of the 17 rootkits tested (a 94 percent success rate), and was able to remove 15 of the 17 rootkits (88 percent). Symantec detected 15 and removed 15 of the 17 (88 percent in both cases). We’re even more pleased to note top-notch detection AND removal of the sample set of rootkits used in the test. And this is in our existing, shipping AV product deployed across more than 100 million machines worldwide. 

SANS’s Fun Securty Book List – Is your favorite book (or maybe YOUR book) on the list? 🙂

“The Best Security Books to have in your library” by SANS GIAC Advisory Board. “Security Warrior” is, of course, proudly featured among other good books, such as “Tao of NSM”, “Security Metrics”, ” Hacker’s Challenge” and many others. Check it out!    

Poll Results: Which Logs Do You Collect? – I also expected firewalls to be number one on the list. I wonder if compliance regulations were the drivers behind Linux/Unix servers being ranked so high? I figure that’s why the database came in at 5th spot.

First, which of my expectations were NOT met? Well, I did expect that firewalls will be #1, not Linux/Unix servers. Admittedly, the difference is not so big, but I am impressed: Unix syslog still rocks the logging world :-)Second, the top source of collected logs is also the hardest to analyze due to its lack of structure. Nowadays I treat syslog from Unix/Linux as “broken English” and not as “data.” It is a dog to parse (that is why we try to find something novel)Third, I was amazed that database logs were THAT high on the list. Wow! All the evangelizing seems to have worked out :-)Fourth, Windows server log collection is still in the dumps – but we need it! Go grab LASSO and dump those event logs into syslog without pesky agents. Easy!Firth, other Unix logs – what are those? We might never know what the respondents meant: still, I think that these are binary audit logs and other fine-grained audit logging. Indeed, many people starting to look at BSM audits and other “ugly ducklings” of logging.Sixth, web server logs are gold – everybody knows it. The poll confirms this as well: they are #2. Some fun analysis tips from me are coming soon.    

Pimp my PE presentations now available – I haven’t had a chance to review but it certainly sounds interesting from the abstract.

A foundational requirement in the security world is the capability to robustly parse and analyze Windows Portable Executable files. Coping with the full spectrum of PEs found in the wild is, in fact, quite challenging. While white files are typically well structured, malicious files can be quite difficult to analyze, often due to deliberate malformations intended to stymie static analysis. In this paper we will survey and attempt to classify some common and interesting malformations we have studied in our work at Sunbelt Software. We will analyze PE structural information, discuss the PE specification, and highlight specific hurdles we have overcome in the course of developing a parsing facility capable of dealing reliably with the full range of images found in the wild, especially malware. We will also cover specific problems we faced along the way, examine structural heuristics we’ve developed in the course of classifying common malformations, and include a discussion of some interesting tools and techniques we’ve developed.   

Exploring Protocols 2: Writing some tools – Delayed…but worth it 🙂

In this much delayed installment I’d like to expand on my last one entitled “Exploring Protocols 1″. This is going to be a long one, folks. I guess the big delay in getting this out resulted in a backlog of all the things I wanted to cover. The discussion veers into tools and samples some simple code for dissecting unfamiliar PDUs. There’s more to the “protocol tool” category than just dissecting, of course. But it’s usually the first step and this post will try to focus mostly on it. 

Screencast: Snort — Tactics for basic network analysis – Refresher on Snort anyone?

Snort is a robust tool that can be used in a number of ways to assess the security posture of a network, but it takes time to learn and it can be tricky to obtain all the data that Snort can provide.In this step-by-step demonstration, contributor Tom Bowers offers a brief introduction and history of Snort, and explains what it can do for information security pros and how to use it for the first time.   

AIX: 2007’s Security Manatee – It’s not often you hear about AIX outside of organizations who installed it years (and I do mean years) ago. Personally, if you’re going to continue to support an operating system you should try and keep it as secure as your competition, lest your customers jump ship.

In the past, I have acknowledged QNX and IRIX as security manatees for their complete lack of effort around local security.iDefense released seven, count them, seven local privilege escalation vulnerabilities in AIX today. Four of them are actually stack overflows. Yes, you heard me, stack overflows. One of them is actually in ftp. Another one is in dig. Yes, dig is setuid root on AIX.   

Visa Payment Application Mandates and Deadlines – Need to comply with PCI? Make sure you note these dates on your calendar.

  • Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (“VNPs”) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications. Effective date: 1/1/08
  • VNPs (VisaNet Processors) and agents must only certify new payment applications to their platforms that are PABP-compliant. Effective date: 7/1/08
  • Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PABP-compliant applications. Effective date: 10/1/08
  • VNPs and agents must decertify all vulnerable payment applications. Effective date: 10/1/09
  • Acquirers must ensure their merchants, VNPs and agents use only PABP-compliant applications. Effective date: 7/1/10

Understanding the Common Vulnerability Scoring System (CVSS): Part 1 – Ever wonder what the CVSS acronym being thrown around means? Is it THE answer…probably not. Is it AN answer…probably more accurate 🙂

The Common Vulnerability Scoring System (CVSS), initially announced in February 2005 on the U.S. Department of Homeland Security’s web site, is designed to “provide open and universally standard severity ratings of software vulnerabilities”. Oracle was one of the first software vendors to adopt CVSS to provide a standard-based indication of the severity of the vulnerabilities fixed in its products. Oracle has provided CVSS Base Scores in the risk matrices of the CPU documentation since the October 2006 Critical Patch Update (CPUOct2006). In June 2007, FIRST (Forum of Incident Response and Security Teams) published the second version of the standards: CVSS 2.0, which was implemented by Oracle with the October 2007 Critical Patch Update (CPUOct2007). Note that in this discussion, we will address the new CVSS 2.0 Scoring System if not otherwise noted  

EH-Net Exclusive: BackTrack 3 Teaser Video – Ummm….WOW!!!!

Most of you by now have heard of BackTrack (, the highly popular and regarded Linux Security Distro for ethical hackers. Straight from the project’s developers come this teaser video. With several examples of what the new version can do and a running time of 6:16, we hope to have you on the edge of your seat in anticipation. Especially nice are the demos of the new features highlighting Offensive Security’s Wireless Security Course, Aircrack-ng ( This is the second offering of an eventual triumvirate of classes to be offered by OffSec.  

Daemonlogger 1.0 released – Hey, cool. I may have to give this a shot this weekend. I really like the idea of being able to create a “tap-on-demand” without paying the big bucks for a hardware tap.

Daemonlogger 1.0 is available on my user page on It’s got a couple new features but nothing major, if you’re a Daemonlogger fan it’s definitely worth a download!  

Stack Based Overflows: Detect & Exploit from SANS Information Security Reading RoomMy goal: play on a bigger stage – Turns out Mr. Ashley is striking out on his own. Good luck to you Mitchell!

So putting this nudge into action, to play on a bigger stage, I am joining the Network World blog . I’ll have some posts up beginning in the next few days or so. I’m VERY excited about this. It fulfills some of my key goals and it’s definitely playing on a bigger stage. I’ll still be blogging here, on The Converging Network, and podcasting along with Alan, but my posts on each blog will be different, not duplicates. When I have the URL for the Network World blog, I’ll post it up.   

Database tripwires… – Interesting idea. Anyone have any comments either way on this approach?

I was thinking about the problem of creating a cheap tripwire for database servers that doesn’t require a third party agent and it will alert us to when someone’s snooping around places in our databases where they shouldn’t be snooping. We could set up a honeypot table or view with an appropriately attractive name like USERNAMES_AND_PASSWORDS. Because this is a fake table no-one should ever really be looking at it and we can get the database to alert us when anyone touches it: there’s a snooper online.This could be achieved with a trigger in the case of an UPDATE, INSERT or DELETE of course but not so with a SELECT query. This limitation is easy to fix in Oracle with the use of fine grained access control by setting a policy on the table in question using DBMS_FGA. But what about other database servers that don’t have an equivalent? Well, we can still achieve the same results with a simple view.  

And finally, here are a bunch of eye bleeders:

Scroll to top