Suggested Blog Reading – Saturday December 29th, 2007

I finally broke down and purchased a copy of Microsoft Office 2004 for my Mac. “Why 2004?” you might ask? Well there’s a deal on now that if you purchase Office 2004 you’ll get a free upgrade to 2008 when it’s launched in mid-January. I can’t pass that up 🙂

Here is the list:
Diversification and Security – Very informative article which discusses, among other things, how the U.S. Army is shifting its IT infrastructure over to Macs and how this is not a bad thing.

Not to give the false impression that there is an Apple on every desk in the army. In fact, Wallington estimates around 20,000 of the Army’s 700,000 or so desktops and servers are Apple-made. He estimates that about a thousand Macs enter the Army’s ranks during each of its bi-annual hardware buying periods. The development of the software should help clear one barrier to Apple desktop deployment.

Jonathan Broskey, a former Apple employee who now heads the Army’s Apple program, argues that the Unix core at the center of the Mac OS makes it easier to lock down a Mac than a Windows platform. Whether you accept Broskey’s statement or not, it is certain that the Mac OS will face growing targeted attacks. An end-of-year data security wrapup by F-Secure highlights the growing number of attacks targeting Apple systems with malicious software. To quote from the report, “at the start of 2007 — our number of malware detections equaled a quarter-million. At the end of 2007, the estimates are to be equal to half-a-million.”

NIST releases final draft of FISMA guidance – Get it while it’s hot 🙂

The National Institute of Standards and Technology has released the final public draft of a framework that will assist agencies create the security assessments mandated by the Federal Information Security Management Act (FISMA).

Copies of Draft Special Publication 800-53A, “Guide for Assessing the Security Controls in Federal Information Systems,” can be downloaded from the NIST site. NIST expects to publish the final edition in March.

Follow-up on using unicornscan for a big scan (400,000+ public IPs) – I’m glad someone has been stress testing this tool. Also interesting is Tate’s comment on them switching to unicornscan as their primary tool for large job scanning.

We performed a sweep of 400,000+ public IPs across multiple continents by configuring the scans to do a full TCP port scan of each IP, sustained ~55 Mbits/s using between 3 and 5 systems, and completed it in a matter of days.

This is pretty good considering by sending two SYN probes per port it meant sending ~52.5 billion packets and producing some 3 Terabytes of data.

Nmap is often our preferred tool, and we used it to spot check our results with unicornscan, but from now on it will come down to the details of the gig to make the choice.

Black Hat USA 2007 Video and Audio Podcasts now live – I like the RSS feed format that they used to present these audio and video podcasts.

Black Hat USA 2007 was a great success, and the presentations were wider-ranging than ever. As part of our ongoing effort to spread useful security knowledge everywhere, we offer video of the entire Briefings roster free online. If by chance you didn’t make it to the event in Las Vegas, or if you attended and missed some talks you wanted to see, subscribe to the podcast feed linked here and get your fill. If what you see here piques your interest, consider attending our upcoming conferences – in DC in February, Amsterdam in March and returning to Vegas in August.

TEMPEST by Chris Gates – How about a paper on TEMPEST security? I find that you don’t see as many of these kinds of papers as you should. Perhaps TEMPEST security just isn’t as “sexy” as compliance, hacking, etc.?

TEMPEST is said to stand for ‘Telecommunications Electronics Material Protected From Emanating Spurious Transmissions’, but I also found ‘Transient Emanations Protected From Emanating Spurious Transmissions’, ‘Transient Electromagnetic Pulse Emanation Standard’, ‘Telecommunications Emission Security Standards’, and several similar variations on the theme. There is no official meaning for TEMPEST; it is more the name of the phenomenon rather than an acronym.

How do these “intelligence-bearing emanations” occur? Basic electromagnetic theory tells us that electromagnetic fields occur as current flows through a conductor. A conductor can be anything metal (your power cord, your CAT5 cable, your phone cord, etc). How does your CAT5 cable pass data? In a simple explanation, current is pushed along the wire and the data goes with it; the more current pushed down the wire and the longer the wire the greater potential for these “emanations” because of growing electromagnetic fields.

“Big money! Big prizes! I love it!” – I agree with Tate on this one. The attackers are certainly the winners here.

Speaking of big money, the commercial exploit market’s growth isn’t making it any easier to bid on penetration test gigs. If you want to provide the highest assurance you’re capable of to clients, then of course you would like to have your hands on all the exploits out there, both public and private.

Establishing a Practical Routine for Reviewing Security Logs – The good thing about Anton being on vacation is that I beat him to commenting about others’ log management posts 😉

The term security information management (SIM) refers to the discipline of collecting and analyzing security events to detect or investigate malicious activities. Essential to this process are the individuals who review the gathered data and decide whether the events constitute an incident and should be escalated. Information security logs that are not regularly reviewed are hardly useful and can be a liability to an organization.
Sometimes reviewing security logs can be fun. Don’t get me wrong—sifting through mounds of data to identify the notable events is not always my favorite pastime. However, the pursuit of correlating seemingly unrelated events, determining the cause of an unusual alert or detecting an intrusion at its onset can be pretty rewarding.

The MAC Daddy – Great post from Harlan on how to find the MAC address on a system image.

I received a question in my inbox today regarding locating a system’s MAC address within an image of a system, and I thought I’d share the response I provided…

Deleted Apps – Another great post from Harlan. I’m convinced that neither of us really took vacation over the holidays 🙂

As Windows performs some modicum of tracking of user activities, you may find references to applications that were launched in the UserAssist keys in the user’s NTUSER.DAT file. Not only would you find references to launching the application or program itself, but I’ve seen where the user has clicked on the “Uninstall” shortcut that gets added to the Program menu of the Start Menu. I’ve also seen in the UserAssist keys where a user has launched an installation program, run the installed application, and then clicked on the Uninstall shortcut for the application.
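As an added illustration of the UserAssist technique Harlan describes (this is example code written for this roundup, not code from his post), the following Python parses the XP-era UserAssist “Count” values: the value names are ROT13-encoded, and each 16-byte value holds a session id, a run counter and a last-run FILETIME. The registry values, names, paths and timestamps below are constructed sample data, and the 16-byte layout with the counter starting at 5 is an assumption about the XP format; later Windows versions use a longer record that this parser deliberately rejects.

```python
"""Decode XP-era UserAssist "Count" values to show install / run / uninstall activity.

Assumed XP layout (not taken from the post) of each value under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{GUID}\\Count:
  value name : ROT13-encoded program path or Start Menu shortcut
  bytes 0-3  : session id        (uint32 LE)
  bytes 4-7  : run counter       (uint32 LE; starts at 5 on XP, so subtract 5)
  bytes 8-15 : last-run FILETIME (uint64 LE, 100 ns ticks since 1601-01-01 UTC)
"""
import codecs
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_COUNT_OFFSET = 5  # assumption: XP counters begin at 5, not 0


@dataclass
class UserAssistEntry:
    name: str            # decoded (plain-text) value name
    session: int
    run_count: int       # human-meaningful run count
    last_run: Optional[datetime]


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert a Windows FILETIME to an aware UTC datetime (0 means 'never run')."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the sample data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_userassist_value(encoded_name: str, data: bytes) -> Optional[UserAssistEntry]:
    """Decode one value; returns None for records that are not the 16-byte XP form."""
    name = codecs.decode(encoded_name, "rot_13")
    if len(data) != 16:
        return None  # e.g. session control values or Vista/7 72-byte records
    session, raw_count, ft = struct.unpack("<IIQ", data)
    run_count = max(raw_count - XP_COUNT_OFFSET, 0)
    return UserAssistEntry(name, session, run_count, filetime_to_datetime(ft))


def parse_count_key(values: Dict[str, bytes]) -> List[UserAssistEntry]:
    """Parse every value of a Count key and order the result as a timeline."""
    entries = [e for e in (parse_userassist_value(n, d) for n, d in values.items()) if e]
    return sorted(entries, key=lambda e: e.last_run or FILETIME_EPOCH)


def find_uninstall_activity(entries: List[UserAssistEntry]) -> List[UserAssistEntry]:
    """Entries that show the user launched an 'Uninstall' shortcut or program."""
    return [e for e in entries if "uninstall" in e.name.lower()]


def _rec(session: int, raw_count: int, when: datetime) -> bytes:
    return struct.pack("<IIQ", session, raw_count, datetime_to_filetime(when))


_UTC = timezone.utc
# Constructed sample Count key: installer run, the app run four times, then the
# Start Menu "Uninstall" shortcut clicked. Names are ROT13 of the plain paths.
SAMPLE_COUNT_VALUES: Dict[str, bytes] = {
    r"HRZR_PGYFRFFVBA": b"\x00" * 8,  # UEME_CTLSESSION, not a 16-byte run record
    r"HRZR_EHACNGU:P:\Qbjaybnqf\frghc.rkr":
        _rec(7, 5 + 1, datetime(2007, 12, 20, 9, 30, tzinfo=_UTC)),
    r"HRZR_EHACNGU:P:\Cebtenz Svyrf\Rknzcyr\rknzcyr.rkr":
        _rec(7, 5 + 4, datetime(2007, 12, 27, 14, 5, tzinfo=_UTC)),
    r"HRZR_EHACVQY:%pfvqy2%\Rknzcyr\Havafgnyy Rknzcyr.yax":
        _rec(8, 5 + 1, datetime(2007, 12, 29, 0, 0, tzinfo=_UTC)),
}


if __name__ == "__main__":
    for e in parse_count_key(SAMPLE_COUNT_VALUES):
        print(f"{e.last_run}  runs={e.run_count:<3} {e.name}")
    for e in find_uninstall_activity(parse_count_key(SAMPLE_COUNT_VALUES)):
        print("Uninstall shortcut launched:", e.name)
```

Feeding the sample key to `parse_count_key` yields the sequence the post describes (setup.exe, then the application, then the Uninstall shortcut) with decoded paths and UTC last-run times; on a real image the values would come from the `Count` subkey of the user’s NTUSER.DAT rather than the constructed dictionary.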
