Only Tuesday and it feels like it should be Wednesday or Thursday (not sure why…it just does). I’m hoping to get back to setting up my home security lab this week and next but we’ll see how the weather is (nice == outside stuff, rain == inside stuff).

Here’s the list for today:

Dueling updates – is Apple quicker? – Only time will truly tell.

So, is Apple just inherently faster at patching security vulnerabilities? Did Apple rush out a fix faster than normal because of the media exposure about this particular vulnerability? Or maybe Microsoft is either just slower at the process or too busy with their own backlog of security patches – or both? Not many would argue against claims that Microsoft Windows has many more vulnerability found compared to Mac OS X.

Review – InfoSec Institute Advanced Ethical Hacking: Expert Penetration Testing – Good to see other people review training and courses.

I just returned from attending InfoSec Institute’s AEH course. Given the relevance of penetration testing to PCI, I thought that it would be worthwhile to post a review for anyone who’s considering attending.

France Fines Tyco Healthcare: U.S. Companies, You MUST Know and Follow International Data Protection Laws – I like this idea and I hope it catches on in North America.

In April the French Data Protection Authority (CNIL) reported they had issued a $40,972 fine against a subsidiary of U.S.-based Tyco Healthcare in March for inadequate storage safeguards and cross-border transfer of employee personally identifiable information (PII).

TSA: We’re not saying our hard drive is gone but… – My dog ate my hard drive.

On May 3, the TSA discovered the drive was missing from a controlled area at the Headquarters Office of Human Capital. The agency immediately reported the incident to law enforcement officials, the Department of Homeland Security and launched into an investigation.

Did it fall behind the desk? No.

Did Jim take it home to transfer his Phil Collins music collection to his desktop? No.

Maybe check behind the desk again?

The investigation hit a brick wall. By Friday night, it was time to fess up with a statement. The TSA doesn’t know whether the device is still within headquarters or was stolen. It has found no evidence an unauthorized individual is using the personal information.

Web Application Security Professionals Survey (May 2007) – Please take a minute to go through the survey when you get a chance.

Several people have asked where the surveys have gone to in the past several months. The answer is that I’ve been amazingly busy the last couple of months and simply haven’t had the time. The survey helps us learn more about the web application security industry and the community participants. We attempt to expose various aspects of web application security we previously didn’t know, understand, or fully appreciate. From time to time I’ll repeat some questions to to develop trends. And as always, the more people who submit data, the more representative the will be. Please feel free to forward this email along to anyone that might not have seen it.

Glitch attacks revealed – “First in a series of articles on attacking hardware and software by inducing faults”

One of the common assumptions software authors make is that the underlying hardware works reliably. Very few operating systems add their own parity bits or CRC to memory accesses. Even fewer applications check the results of a computation. Yet when it comes to cryptography and software protection, the attacker controls the platform in some manner and thus faulty operation has to be considered.

Fault induction is often used to test hardware during production or simulation runs. It was probably first observed when mildly radioactive material that is a natural part of chip packaging led to random memory bit flips.

ESI Searches: Getting to the Drive – Good overview on how the legal system leverages hard drives for forensic purposes.

Traditionally, we’ve relied on producing parties to, well, produce. Requesting parties weren’t entitled to rifle file cabinets or search briefcases. When evidence meant paper documents, relying on the other side’s diligence and good faith made sense. Anyone could read paper records, and when paper was “deleted,” it was gone.

What a nice, relaxing weekend it was. I was fortunate enough to find time to catch up on some reading, do a little work around the house, and get the dog out to the dog park. We’re also supposed to have fantastic weather this week so the BBQ is going to be busy 🙂

Here’s the list for today:

Securing a RADIUS server – Good refresher for those who have been away from RADIUS configurations for a while.

For any corporate wireless infrastructure to remain secure, using 802.1X for authentication is a must – after all, it provides much more granular control of authentication credentials and can provide accounting for wireless LAN usage. Setting everything up can be a complex process fraught with choosing the right EAP type that both your clients and your RADIUS server supports in addition to putting in place the PKI infrastructure that some EAP types require. During this whole process one thing can often be overlooked – the security of the RADIUS server itself.

“Is your PC virus-free? Get it infected here!” – Didier sent me this on the weekend. I can’t believe how many people clicked the link!

Last fall, my attention got caught by a small book on Google Adwords at our local library. Turns out it’s very easy to setup an ad and manage the budget. You can start with a couple of euros per month. And that gave me an idea: this can be used with malicious intend. It’s a way to get a drive-by download site on the first page of a search result (FYI, I’ve reported on other ways to achieve this). So I started an experiment…

Hacker Files, Tools & Software Repository – leetupload.com – “dedicated as a repository for hacking programs for Windows and Linux”

This site is dedicated as a repository for “hacking” programs for Windows and Linux. Please note that hacking means nothing but tweaking or cleverly resolving a problem. Use the programs as you wish, but this site or its provider are not responsible in terms of how you use these programs, (i.e. for educational purposes only).

Admit It – Email is Broken – Fine…I admit it!

The Security Catalyst Community just released the results of their first survey titled “Five Minute Survey on Messaging Security.” Although the results are not surprising one thing did catch my eye and I had to write a response. In case you do not want to register for the Security Catalyst Community (although I recommend that you do) the following is the content of my rant. If you would like to see the survey, however, you will have to log into the community.

Unified Risk Management (URM) and the Secure Architecture Blueprint – Good read.

The point of URM is to provide a holistic framework against which one may measure and effectively manage risk. Each one of the blocks above has a set of sub-components that breaks out the specifics of each section. Further, my thinking on URM became the foundation of my exploration of the Security Services Oriented Architecture (SSOA) model.

The $100 Million InfoSec Budget – How would one get in on this spend-a-pa-looza anyway? 🙂

TJX’s breach-related bill could surpass $1 billion over five years — including costs for consultants, security upgrades, attorney fees, and added marketing to reassure customers, but not lawsuit liabilities — estimates Forrester Research, a market and technology research firm in Cambridge, Mass. The security upgrade alone could cost $100 million, says Jon Olstik, a senior analyst for Enterprise Strategy Group, a Milford, Mass., consulting firm, based on his conversations with industry experts and people familiar with the work being done.

How forensic tools recover digital evidence (data structures) – Excellent way to explain digital forensics to anyone with programming or development backgrounds.

In a previous post I covered “The basics of how digital forensics tools work.” In that post, I mentioned that one of the steps an analysis tool has to do is to translate a stream of bytes into usable structures. This is the first in a series of three posts that examines this step (translating from a stream of bytes to usable structures) in more detail. In this post I’ll introduce the different phases that a tool (or human if they’re that unlucky) goes through when recovering digital evidence. The second post will go into more detail about each phase. Finally, the third post will show an example of translating a series of bytes into a usable data structure for a FAT file system directory entry.

Clearing swap and hibernation files properly – Never too early to start some spring cleaning…

Unfortunately, your swap file knows a lot about you. Pretty much anything you do with your computer can leave traces there. Files you’ve opened and their contents, websites you’ve visited, online chats you’ve had, emails you’ve sent and received, virtually anything can end up archived in it for quite a long time – months, and even years. You can delete, even wipe securely, the original data, and still your swap file might tell on you by retaining duplicate traces of your computing behaviour. Forensics practitioners consider the swap file to be a real bonanza of data traces, because swapping is an automatic, background process that users – even privacy-conscious ones – can’t control completely.

MS Needs Your Credit Card Details? – I didn’t want to give them my money in the first place…now they want more?!? 😉

Recently we came across an interesting Trojan sample, detected by Symantec as Trojan.Kardphisher. The Trojan is not very technical – it’s really just another classic social-engineering attack. What makes it interesting is that the author has obviously taken great pains to make it appear legitimate.

Few Bits on Log Management Trends

– The one trend that I feel is going to blossom is integrating physical security logs into log management practices (UPS brownouts, fire sensors, etc.).
Some time before the recent SANS Log Management Summit, somebody asked me: What are the top three trends in the log analysis industry?

What’s new in SELinux for Red Hat Enterprise Linux 5? – Good overview of SELinux and what’s available in RHEL5.

For many people, security is a subject that they only think about after something bad happens. Like buying a home alarm system after your home has been burgled. Why? One reason is denial–after all, bad things always happen to someone else. Additional reasons may be the perception that security, especially in software, is too hard. People either don’t use it, or use it incorrectly1. Computer security may prevent you from performing tasks that you want to accomplish. Or the security is not all that effective.

Well Friday is finally here and man am I tired. It’s been a hectic week at work and I’m looking forward to some relaxation time.

Here’s the list for today:

Scapy – Interactive Network Packet Manipulation – Another tool to add to your IDS testing kit.

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can’t handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, …), etc.

How to check if your WebMail account has been hacked – I love the idea of trying to trick hackers with crafted spam messages…that’s classic!

WebMail accounts are a popular target for malicious hackers, law enforcement conducting investigations, and rouge insiders. WebMail security is very important, perhaps even more so than your online bank account. If your WebMail is hacked, every web-account associated to that address (using send-an-email-forgot-password-system) could be compromised, including your bank. Phishing scams, password brute-force attacks, cross-site scripting exploits, and insufficient authorization vulnerabilities are all commonplace. And for the most part these attempts are impossible for normal users to detect or do anything about. The problem is that unless your password changed without our knowledge, how can you tell if your account has been compromised? Fortunately there is a fairly simple way.

Ineffective User Awareness Training Revisited – Amrit gets his legs under him for the 2nd round…..ready…fight!

A recent post on the ineffectiveness of user awareness training (here) has sparked some lively discussion, some agree and others not so much. Interestingly enough those that disagree with my position seem to feel that it implies that one can make a similar argument about technology, a completely absurd leap. Anyway I was not trying to weigh user-awareness training against technology alone.

It Was All Him, That Bad Boy 10.11.2.3 – The main problem with “Identity Management” is that you need to have logs from all devices in the infrastructure in order to properly track down the “Bad Boy” and a good way to correlate it.

As security people we are used to answering questions such as “Who attacked that system?” with a curt “Oh, it was 10.13.13.13.” But is the IP address really a who? No, really, is it? I seriously doubt that an auditor, a judge or a lawyer will agree that “an IP address is a who.”

Where am I going with this? I think the time when we start making broader use of identity traceback to link the faceless, inhuman 🙂 IP addresses to a nice (or nasty, as the case may be :-)) warm-blooded humans, who actually press the buttons and write programs.

RSA public keys are not private (implementation) – It’s too early for math! 🙂

Previously, I described a proposed system that will both sign and encrypt code updates using an RSA private key. The goal is to derive the corresponding public key even though it is kept securely within the device.

Steganography for the Mac! – I’ll have to give it a shot.

This might be old news, but I hadn’t seen it until recently. There’s a steganography application for the mac! It’s called Pict Encrypt and it’s a free download. The downside is that it only saves files in MacPICT format. Anyhow, here’s a little something for all you Mac users out there that want to play with it.