Category: Suggested Blog Reading

Suggested Blog Reading – Tuesday April 17th, 2007

Stupid rain!

Here’s the list for today:

WFA Sample Chapter

I wanted to point out to the readers of this blog that Syngress/Elsevier has a sample chapter of my book available online for free download. The sample chapter is chapter 3, Windows Memory Analysis.

Deterrent Safeguards… They can’t prevent anything, so why bother?

Did you ever wonder why businesses put up silly signs that say “If we do not offer you a receipt, your purchase is free” at the checkout counter? There’s a very good reason for this, and many other seemingly useless signs. Have you noticed the sign that says “There is never more than $50 in the safe”, which tells thieves that it’s not likely to be worth robbing the convenience store? It’s a lot cheaper than trying to implement technology to prevent every possible attack with “Preventative Safeguards”. These signs, and other types of warnings, are called “Deterrent Safeguards”.

Chocolate the key to uncovering PC passwords

A train station survey of 300 office workers carried out by Infosecurity Europe researchers in London revealed the disturbing statistic that 64 per cent would hand over their office computer passwords for a bar of chocolate “and a smile”.

Forensic tools 2007

This month we looked at a wide variety of digital forensic tools. This category has been growing rapidly, diversifying and maturing in the past two years. However, there are some interesting aspects to those growth phenomena. First, we are beginning to see real innovation in tool sets, but virtually none of it is in traditional computer forensics tools. In that class, we saw, essentially, nothing new since we reviewed them last year. If anything, they are becoming more alike.

Should Apple secure its iPods?

Few corporations are likely to ban iPods in the workplace, but whether Apple and other manufacturers of MP3 players shoulder some responsibility to add security to their devices — and how effective that security would be – is a growing debate.

Watchfire online community shares vulnerability testing knowledge

Watchfire is opening up its Web application-vulnerability software so customers can create their own security tests of corporate applications.

Spam-Bot Intrusion Caught — Now What?

“I’ve recently detected and halted an intrusion on my home computer, taken some actions to prevent further intrusions, and located the software that was running a bot agent. Cursory examination showed that the bot software is intended for acting as an agent for spamming. Configuration files distinctly point at the user/host/domain of several bot-herders — damning evidence. Nothing would please me more than to see this botnet caught and disassembled; I’m sure much of the internet-using community would support this. Thanks in advance for your suggestions. So, to whom should I disclose this information for appropriate investigation, follow up, and countermeasures?”

Damn Vulnerable Linux – DVL – IT-Security Attack and Defense

Damn Vulnerable Linux (DVL) is a Linux-based (modified Damn Small Linux) tool for IT-Security & IT-Anti-Security and Attack & Defense. It was initiated for training tasks during university lessons by the IITAC (International Institute for Training, Assessment, and Certification) and S²e – Secure Software Engineering in cooperation with the French Reverse Engineering Team.

Researchers: Botnets Getting Beefier

A select group of some 40 security researchers gathered on April 10 in the first Usenix event devoted to these networks of infected machines. The invitation-only event, called HotBots, was held in Cambridge, Mass. At the event, researchers warned that botnets—which can contain tens or even hundreds of thousands of zombie PCs that have been taken over for use in spamming and thievery of financial and identity-related data—are on the brink of a technological leap to more resilient architectures and more sophisticated encryption that will make it that much harder to track, monitor and disable them.

How do I change the default port that OpenSSH server uses?

OpenSSH by default listens on port 22 of all local addresses. To provide additional security to the OpenSSH server, the ListenAddress and Port directives in the /etc/ssh/sshd_config file can be used.
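As an added example (not part of the linked post or of OpenSSH), the Python helper below rewrites the Port and ListenAddress directives of an sshd_config and checks the one placement rule that trips people up: sshd_config(5) requires Port directives to precede any ListenAddress that does not name its own port, and neither directive is permitted inside a Match block. The sample config, the port 2222 and the addresses are constructed for the illustration.

```python
"""Added example: rewrite and sanity-check the Port / ListenAddress directives
of an sshd_config.  Illustration code, not part of OpenSSH."""
import re

# keyword, then either "=" or whitespace, then the value
_DIRECTIVE = re.compile(r"^\s*(\w+)(?:\s*=\s*|\s+)(.*?)\s*$")

# Constructed sample config: ListenAddress appears before Port, which is the mistake.
SAMPLE = """\
# constructed sample sshd_config
#Port 22
ListenAddress 10.0.0.5
Port 2222
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""


def _directives(config_text):
    """Yield (lineno, keyword_lower, value) for every non-comment directive line."""
    for n, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            yield n, m.group(1).lower(), m.group(2)


def _has_explicit_port(listen_value):
    """True if a ListenAddress value carries its own port: host:port or [ipv6]:port."""
    addr = listen_value.split()[0]          # drop an optional 'rdomain X' suffix
    if addr.startswith("["):
        return "]:" in addr
    return addr.count(":") == 1             # a bare IPv6 address has several colons


def check_listen_order(config_text):
    """Return a list of Port/ListenAddress placement problems (empty means fine).

    Rules from sshd_config(5): Port must come before any ListenAddress without an
    explicit port, and neither keyword is allowed inside a Match block.
    """
    problems, seen_port, in_match = [], False, False
    for n, key, value in _directives(config_text):
        if key == "match":
            in_match = True
        elif key in ("port", "listenaddress"):
            if in_match:
                problems.append(f"line {n}: {key} is not allowed inside a Match block")
            if key == "port":
                seen_port = True
            elif not _has_explicit_port(value) and not seen_port:
                problems.append(f"line {n}: ListenAddress {value} appears before any Port directive")
    return problems


def set_sshd_listen(config_text, port, addresses=()):
    """Return config_text with every Port/ListenAddress line replaced.

    The new directives go at the top of the file, so Port precedes ListenAddress
    and both precede any Match block.  Commented-out lines are left alone.
    """
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port {port}")
    kept = [line for line in config_text.splitlines()
            if not re.match(r"^\s*(Port|ListenAddress)\b", line, re.IGNORECASE)]
    head = [f"Port {port}"] + [f"ListenAddress {a}" for a in addresses]
    return "\n".join(head + kept) + "\n"


if __name__ == "__main__":
    print("problems before:", check_listen_order(SAMPLE))
    fixed = set_sshd_listen(SAMPLE, 2222, ["10.0.0.5", "[2001:db8::5]:2222"])
    print("problems after: ", check_listen_order(fixed))
    print(fixed)
```

Before restarting sshd, validate the rewritten file with `sshd -t -f <file>`, open the new port in the host firewall (and, on SELinux systems, label it with `semanage port -a -t ssh_port_t -p tcp 2222`), and keep an existing session open until a fresh connection on the new port succeeds. Moving the port only hides sshd from the most naive scanners; it does not replace key-based authentication and PermitRootLogin no.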

New Rinbot scanning for port 1025 DNS/RPC

We are currently tracking a new version of the Rinbot worm that in addition to its regular scans, is also scanning for port 1025/tcp. Once connected, it attempts to do a Windows 2000 DnsservQuery, attempting to exploit the recent Microsoft DNS RPC vulnerability.

New blog on event log management

Dorian Software and Andy Milford over there have started a new blog just on event log management. You can see it at http://eventlogs.blogspot.com/. If you’re into event log management or analysis, it’s worth putting the site into your RSS feed.

New DShield Feature: Highly Predictive Blacklists.

The algorithm compares your submissions to others and finds groups of similar submitters. Next, it will generate blacklists based on how close you are to these other submitters.
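The excerpt describes the idea at the level of "find submitters like you, build your list from theirs". As an added example, not DShield's code and not the algorithm the feature actually uses, here is a toy version of that idea in Python: each submitter's report is a set of attacking source IPs, similarity between submitters is Jaccard overlap of those sets, and a submitter's predictive blacklist is the set of IPs its nearest peers have reported but it has not yet seen, ranked by summed similarity. The submitter names and IPs are constructed sample data.

```python
"""Added example: a toy similarity-based ('predictive') blacklist in the spirit of
the DShield feature described above.  Illustration only; not DShield's algorithm."""
from collections import defaultdict

# Constructed sample: submitter -> set of source IPs that submitter reported as attackers.
REPORTS = {
    "submitterA": {"198.51.100.1", "198.51.100.2", "203.0.113.5", "203.0.113.9"},
    "submitterB": {"198.51.100.1", "198.51.100.2", "203.0.113.5", "192.0.2.77"},
    "submitterC": {"198.51.100.1", "203.0.113.9", "192.0.2.77", "192.0.2.80"},
    "submitterD": {"192.0.2.200", "192.0.2.201", "192.0.2.202"},
}


def jaccard(a, b):
    """Overlap of two attacker sets: 0.0 (disjoint) to 1.0 (identical)."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def nearest_submitters(reports, me, k=2):
    """The k other submitters whose attacker sets most resemble mine, with scores.

    Submitters with zero overlap are dropped: they carry no information about me.
    """
    scored = [(other, jaccard(reports[me], ips))
              for other, ips in reports.items() if other != me]
    scored = [(other, sim) for other, sim in scored if sim > 0.0]
    scored.sort(key=lambda t: (-t[1], t[0]))      # highest similarity first, name breaks ties
    return scored[:k]


def predictive_blacklist(reports, me, k=2):
    """IPs my nearest peers have seen but I have not, ranked by summed peer similarity.

    Returns a list of (ip, score) tuples, highest score first.  A submitter with no
    similar peers gets an empty list; a real deployment would fall back to a global list.
    """
    scores = defaultdict(float)
    for other, sim in nearest_submitters(reports, me, k):
        for ip in reports[other] - reports[me]:
            scores[ip] += sim
    return sorted(scores.items(), key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for who in REPORTS:
        print(who, predictive_blacklist(REPORTS, who))
```

The point the toy makes is the trade-off behind the feature: a list built from peers who see the same attackers as you is more relevant than a global top-N list, but it is only as good as the peers you are matched with, and a submitter whose traffic resembles nobody else's (submitterD here) gets nothing from it.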

Nirbot’s Latest Move: MS DNS Exploits

The latest turn in the Nirbot saga is that they’ve gone and incorporated the MS Windows DNS RPC interface exploit into their bot. We started seeing this in ATLAS starting Sunday evening GMT and it appears that this flood of MS DNS RPC exploits was seeded into an existing botnet. It appears that one of the public exploits was rolled into the bot over the weekend.

Secure Socket Tunneling Protocol

The article will give a clear understanding of SSTP and compare standard VPN vs SSTP VPN. The article will also cover the advantages of utilizing both SSTP and VPN simultaneously and what the benefits of using SSTP will be.

Suggested Blog Reading – Monday April 16th, 2007

Looks like a slow day around the blogosphere (I hate that word). Could partially be due to the bad weather moving up the eastern US or simply because it’s a Monday. Anyway, here is the list…

Identity Management and You

Having multiple online identities for different types of web sites is a good idea. I’m afraid that it’s not a common practice among mom and pop though.

We Have to Make Mistakes

Security and IT are tough these days. While we keep getting an influx of people with their MCSE and A+ certs that can do fun things with desktop support, it is all those other more specific areas of IT that still are not getting the love they should be getting. Maybe it is because they’re a layer or two out of the eyes of most normal users (and managers). Too often, we techs can do a lot of good things, but sometimes don’t get a chance to try things out when we’re already swamped with an overload of work, not enough money, and too many fires to put out.

About the strategy I followed during my CISSP exam

In a previous CISSP exam post I promised to blog about the exam-taking strategy I followed.

Face-off: Certifications are not important for career enhancement

IT career advancement has become like a jigsaw puzzle. Certification is only one piece, giving way to clusters of critical attributes that define the modern IT role.

Update on Microsoft DNS vulnerability

We received a couple of e-mails over the weekend asking us why this vulnerability was significant. Most public DNS servers should not be listening on the RPC ports, after all. Indeed, networks adhering to basic secure perimeter design would only allow port 53 UDP/TCP to the authoritative DNS servers, and definitely not the additional RPC ports required for exploitation.

Free Lunch :: OSSEC

OSSEC is an open source host based intrusion detection system. The website states, “It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response.” That is a mouthful.

Nessus 3.2 BETA – IPv6 Scanning

More and more operating systems are shipping with IPv6 enabled by default. Both Vista and OS X ship with IPv6 stacks. The presence of IPv6 on your network may dramatically alter how computers communicate with each other and connect to the Internet. Communication that occurs over IPv6 may not be blocked by local or network firewalls, observed by network IDS or even correctly logged by your SIM.

Zombies infiltrate US military networks

Security researchers have traced spam-sending botnet clients back to networks run by the US military.

DHS No Longer Gets Failing Cybersecurity Grade

They got a D.

William Jackson | For virus detection, don’t write off signatures

So just because a vendor talks up the advanced heuristics capabilities of your latest antivirus tool, do not fall prey to the temptation to ignore the signature updates. They still are your first and best line of defense.

Suggested Blog Reading – Sunday April 15th, 2007

Well today was the first day back at the gym since I hurt my foot and I must say it felt good to get out and get moving. Now for the suggested reads…

Student charged with hacking school computers

A Mauldin High student has been charged with violating the state Computer Crime Act, after telling police he accessed personal data in the Greenville County school district’s computer network to show the district how easy it is to do, according to a warrant and incident report.

Who Moved My Packet?

Getting up at 4:30 am on a Sunday morning in order to chase down packets is not my idea of fun. Unfortunately that is exactly what I found myself doing today.

XMagic to Find Processes

Brendan Dolan-Gavitt wrote in and pointed me to his fine collection of XMagic definitions. With the help of these patterns and a config file (Brendan provides a sample) FTimes can pull some information about processes from a memory dump.

Drive Encryption

One of the challenges posed by Vista to traditional forensic analysis is the use of BitLocker to encrypt data on the hard drive. However, this really isn’t any different from other similar technologies such as PGP, etc., that already allow encryption of files, partitions, or drives.

Exaggerated Insider Threats

In brief, this report defends the insider threat hypothesis only in name, and really only when you cloak it in “organizational ineptitude” rather than dedicated insiders out to do the company intentional harm.

Dear Mr. Blizzard

It’s not that I don’t trust my wife and kids, it’s that I don’t trust the Internet. 99% of the stuff my family needs to do doesn’t need admin privileges. WHY DOES WARCRAFT III?

Free WiFi in Airports and Public Hotspots

Recently while traveling I noticed a hot spot and wanted to surf the internet. Once I connected to the AP I saw that they wanted to charge me $8 per day to surf the internet. I thought that was just too much money for a quick internet connection, and my layover between flights was about 3 hours. I decided to see what I could access while connected to their AP.

Packet Fragmentation

Many people associate fragmented packets with an attack against a network. While that is quite often true, it is not always the case.

Data Storage Must Be Secured to Protect Privacy

Oftentimes privacy breaches occur because the access controls are not configured appropriately for databases, or adequate processes weren’t even established to protect data within the network perimeter. Too many organizations still focus almost all of their efforts on securing the typically highly fuzzy and porous perimeter to the exclusion of other highly vulnerable areas. Many incidents can be prevented by putting more attention and time to securing the data storage areas.

Compliance is a Business Issue

Annual loss expectancy (ALE) is the yearly cost of security breaches to a company, including fines for non-compliance, which is calculated by taking the single loss expectancy (SLE) and multiplying it by the number of occurrences in a year (ARO = Annual Rate of Occurrence). If ALE exceeds the cost of securing against ALE, why bother, right?
