I was so swamped at work yesterday that by the time I got home I was exhausted. Needless to say I didn’t get a chance to post a Suggested Blog Reading (SBR) post so I’ll combine them today. Enjoy your weekends!
Here’s the list:
Secure browsing with Squid and SSH – Not anything new but a good refresher for those looking to browse securely and for those looking to detect such activities.
Public areas that offer access to the Internet (airports, open wireless networks etc.) have no security in place. If you’re at a public WiFi spot, your personal information can be sniffed by other malicious users. This hack will show you a way to secure your web browser when using public networks.
In a nutshell, we’re going to set up a proxy server (Squid) on a trusted SSH server and create a secure connection from our laptop, over a public network, to a secure remote server. We’ll tell the browser to use the secure SSH tunnel as an HTTP proxy.
Musings on 100% Log Collection – I’ve always agreed with Anton on collecting as much log data as you can in order to get a full view of what is happening. You wouldn’t pay a security guard to close his eyes and take 20 minute naps during his shift would you?
One of the most exciting, complicated and at the same time very common questions from the field of log management is the “what logs to collect?” question (this, BTW, implies that logs not collected will be left to rot wherever they were generated and thus might or might not be available at the time of dire need. You are collecting logs, aren’t you?). This comes up during compliance-driven log management projects (in the form of “what to collect for PCI DSS compliance?”) as well as operationally-driven (in the form of “what logs from this application do I need to detect faults and errors?”) or security-driven log management projects (in the form of “which logs will help me during the incident response?”)
FTester – Firewall Tester and IDS Testing tool – Another tool to check out.
The Firewall Tester (FTester) is a tool designed for testing firewall filtering policies and Intrusion Detection System (IDS) capabilities.
The tool consists of two perl scripts, a packet injector (ftest) and the listening sniffer (ftestd). The first script injects custom packets, defined in ftest.conf, with a signature in the data part while the sniffer listens for such marked packets. The scripts both write a log file which is in the same form for both scripts. A diff of the two produced files (ftest.log and ftestd.log) shows the packets that were unable to reach the sniffer due to filtering rules if these two scripts are run on hosts placed on two different sides of a firewall. Stateful inspection firewalls are handled with the “connection spoofing” option. A script called freport is also available to automatically parse the log files.
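The diff step is the whole point of the tool, so here is that comparison done in Python, as an added example (not part of FTester or the post). The two logs below are constructed, in an assumed "id - src:sport > dst:dport [flags] proto tos" layout that stands in for ftest.log and ftestd.log; check it against the real files before pointing the script at them. The idea is the same either way: every marked packet the injector logged but the sniffer did not is one the firewall dropped.

```python
import re

# Constructed sample logs (assumed layout, not FTester's verbatim format):
# "<id> - <src>:<sport> > <dst>:<dport> [<tcp flags>] <proto> <tos>"
SAMPLE_FTEST_LOG = """\
1 - 192.168.1.10:1025 > 10.0.0.5:22 S TCP 0
2 - 192.168.1.10:1025 > 10.0.0.5:80 S TCP 0
3 - 192.168.1.10:1025 > 10.0.0.5:23 S TCP 0
4 - 192.168.1.10:1025 > 10.0.0.5:139 S TCP 0
5 - 192.168.1.10:1025 > 10.0.0.5:53 UDP 0
6 - 192.168.1.10:0 > 10.0.0.5:0 ICMP 8
"""
SAMPLE_FTESTD_LOG = """\
1 - 192.168.1.10:1025 > 10.0.0.5:22 S TCP 0
2 - 192.168.1.10:1025 > 10.0.0.5:80 S TCP 0
5 - 192.168.1.10:1025 > 10.0.0.5:53 UDP 0
"""

LINE_RE = re.compile(r"^(\d+) - (\S+):(\d+) > (\S+):(\d+) (.*)$")


def parse_log(text):
    """Return {packet_id: (src, sport, dst, dport, proto, flags)}; the id is the
    marker both scripts write for the same injected packet."""
    packets = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, src, sport, dst, dport, tail = m.groups()
        parts = tail.split()
        proto = parts[-2]              # last two fields are protocol and TOS
        flags = " ".join(parts[:-2])   # anything before them is TCP flags (may be empty)
        packets[int(pid)] = (src, int(sport), dst, int(dport), proto, flags)
    return packets


def filtered_packets(sent, received):
    """Packets the injector logged but the sniffer never saw: the set difference
    the diff of ftest.log and ftestd.log is meant to expose."""
    return {pid: pkt for pid, pkt in sent.items() if pid not in received}


def verdict_by_port(sent, dropped):
    """Collapse to (proto, dport) -> 'filtered' | 'passed' so the policy reads
    like a rule table instead of a packet list."""
    verdict = {}
    for pid, (_src, _sport, _dst, dport, proto, _flags) in sent.items():
        verdict[(proto, dport)] = "filtered" if pid in dropped else "passed"
    return verdict


def demo():
    sent = parse_log(SAMPLE_FTEST_LOG)
    received = parse_log(SAMPLE_FTESTD_LOG)
    dropped = filtered_packets(sent, received)
    return dropped, verdict_by_port(sent, dropped)


if __name__ == "__main__":
    dropped, verdict = demo()
    for (proto, dport), result in sorted(verdict.items()):
        print(f"{proto:5} dport {dport:<5} {result}")
```

Rules that depend on connection state will still show as "filtered" here unless ftest was run with its connection spoofing option, which is exactly the case the post calls out.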
Web Page Exposes Purdue Student Information – Here’s an “eye bleeder” for you.
Purdue University is apologizing to students after it discovered a web page containing student information was available on the Internet. This page, containing the names and Social Security numbers of 50 students, was discovered during a routine review of the Purdue web space. The individuals affected by this incident involve those students enrolled in the university’s industrial engineering 500-level course between spring 2002 and fall 2004. Purdue has already mailed out letters to those affected students, but has setup a hotline – 866-605-0013 – and a web site – www.purdue.edu/news/coe0706.html – to help answer any questions students have about the incident.
Nearly Ten Percent of Companies Have Fired Bloggers, Survey Claims – Uh oh!
Nearly ten percent of companies have fired an employee for violating corporate blogging or message board policies, and 19 percent have disciplined an employee for the same infractions, according to a new survey from Proofpoint, a messaging security company.
Almost a third of companies “employ staff to read or otherwise analyze outbound email,” while more than fifteen percent have hired people whose primary function is to spy on outgoing corporate email. A quarter have fired an employee for violating corporate email policies. Twenty percent of the companies and almost thirty percent of companies with more than 20,000 employees had been ordered by a court or a regulator to turn over employee emails.
Learn to use Metasploit – Tutorials, Docs & Videos – Good link to check out.
Metasploit is a great tool, but it’s not the easiest to use and some people get completely lost when trying to get the most out of it.
To help you guys out here is a bunch of links, videos, tutorials and documents to get you up to speed.
You can start with this, a good flash tutorial that shows you step by step how to use it
Nessus 3.2 BETA — Example ‘nessuscmd’ usage – I may have to give this a shot this weekend. I haven’t had a chance to test the beta yet.
The BETA of Nessus 3.2 includes support for a new command line method to invoke quick Nessus scans. This blog entry details some interesting examples for port scanning, operating system identification, testing of a certain bug and testing Windows and UNIX credentials using the nessuscmd tool.
Lots of information out there today. I’ve made a decision not to post any links to the InfoSecSellout debacle…oh wait…crap!
Here’s the list:
Creating and Managing an Incident Response Team for a Large Company from the SANS Information Security Reading Room
From Elk Cloner to Peacomm: A quarter century of malware – Good article here on malware.
A quarter century of malware. You’d think we would have had this problem licked by now, yeah? No, not even close. Self replicating code was first theorized in 1949, the dawn of the computing age, and appeared in the wild around the early 1980s. The fundamental theories on computer viruses were worked out by Fred Cohen; you can read his original paper online from the early 1980s. The tension between usability and security is directly discussed in this seminal paper. From the paper’s ending, “To quickly summarize, absolute protection can be easily attained by absolute isolationism, but that is usually an unacceptable solution. Other forms of protection all seem to depend on the use of extremely complex and/or resource intensive analytical techniques, or imprecise solutions that tend to make systems less usable with time.” In fact, because of the nature of a general purpose computer, Cohen points out, you can never fully protect against viruses.
FBI’s Secret Spyware Tracks Down Teen Who Made Bomb Threats / FBI’s Magic Lantern Revealed / FBI Spyware: How Does the CIPAV Work? — UPDATE – Three really good articles from WIRED on the FBI’s CIPAV software.
In general, a CIPAV utilizes standard Internet computer commands commonly used over local area networks (LANs) and the Internet to request that an activating computer respond to the CIPAV by sending network level messages, and/or other variables, and/or information, over the Internet to a computer controlled by the FBI. The exact nature of these commands, processes, capabilities, and their configuration is classified as a law enforcement sensitive investigative technique, the disclosure of which would likely jeopardize other on-going investigations and/or future use of the technique.
What’s up with Snort licensing – Clarification for the masses on Snort licensing and GPL3.
There have been a lot of questions and speculation about the things we (Sourcefire) have been changing in Snort’s licensing recently and it needs to be addressed so that we can clear the air.
There are three things that people have been asking questions about or having issues with.
1) GPL v2 lock that we put in place on June 29th.
2) “Clarifications” in Snort’s license language (Snort 3.0).
3) “Clarifications” with regard to assignments of ownership for contributed code (Snort 3.0).
Let me address these issues in order.
Outlook Email Forensics – Not a bad read for anyone who has to do some Outlook forensics in a pinch.
I have done this previously and can't recall everything, however I would like to share here what I have done before I'm out of memory. I myself don't use the Outlook mail client, therefore I need to convert it to the unix mbox mail format so that I can examine them. I found libpst, which can do the job for me, and installed it via the FreeBSD port.
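Once readpst has turned the PST into mbox, the examination step can be done with Python's standard library. The script below is an added example, not the post author's; it uses the mailbox module to walk a constructed two-message mbox (embedded inline so it runs offline), builds a timeline from the Date headers, keeps the Received hops and Message-IDs an examiner wants first, and rebuilds the reply chain from In-Reply-To rather than trusting Subject lines.

```python
import mailbox
import os
import tempfile
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample mbox (two messages, deliberately out of chronological
# order) standing in for libpst's output.
SAMPLE_MBOX = """From alice@example.test Mon Aug  6 14:02:10 2007
From: Alice <alice@example.test>
To: Bob <bob@example.test>
Subject: Re: quarterly numbers
Date: Mon, 06 Aug 2007 14:02:10 -0400
Message-ID: <2@example.test>
In-Reply-To: <1@example.test>
Received: from mail.example.test (mail.example.test [10.0.0.5]) by mx.example.test; Mon, 06 Aug 2007 14:02:12 -0400

Attached as discussed.

From bob@example.test Mon Aug  6 13:45:00 2007
From: Bob <bob@example.test>
To: Alice <alice@example.test>
Subject: quarterly numbers
Date: Mon, 06 Aug 2007 13:45:00 -0400
Message-ID: <1@example.test>

Can you send the spreadsheet?
"""


def build_timeline(path):
    """Read an mbox and return its messages sorted by Date header, keeping the
    headers an examiner looks at first (sender, subject, IDs, Received hops)."""
    box = mailbox.mbox(path)
    rows = []
    try:
        for msg in box:
            date = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
            senders = [addr for _, addr in getaddresses(msg.get_all("From", []))]
            rows.append({
                "date": date,
                "from": senders[0] if senders else "",
                "subject": msg["Subject"] or "",
                "message_id": msg["Message-ID"] or "",
                "in_reply_to": msg["In-Reply-To"] or "",
                "hops": msg.get_all("Received", []),  # one line per relaying MTA
            })
    finally:
        box.close()
    # Undated messages sort last instead of breaking the comparison.
    rows.sort(key=lambda r: r["date"].timestamp() if r["date"] else float("inf"))
    return rows


def reply_graph(rows):
    """Map each Message-ID to the IDs of messages that reply to it, using
    In-Reply-To, so threads are rebuilt from headers that are hard to fake
    by accident (Subject lines get edited; these usually do not)."""
    graph = {}
    for r in rows:
        if r["in_reply_to"]:
            graph.setdefault(r["in_reply_to"], []).append(r["message_id"])
    return graph


def demo():
    """Write the constructed sample to a temp file and run both steps on it."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w", newline="\n") as fh:
        fh.write(SAMPLE_MBOX)
    try:
        rows = build_timeline(path)
        return rows, reply_graph(rows)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    timeline, threads = demo()
    for r in timeline:
        print(r["date"], r["from"], repr(r["subject"]), len(r["hops"]), "hop(s)")
    print("replies:", threads)
```

Point build_timeline at the real file readpst produced; the Received count per message is a quick way to spot mail that skipped the expected relays.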
Biometrics could guard Australian borders by 2010 – I’ll believe it when I see it fully implemented.
The Department of Immigration and Citizenship (DIAC), the Department of Foreign Affairs and Trade (DFAT) and the Australian Customs Service are all using biometrics for varying levels of identity management.
A DIAC spokesperson said the department will increase the use of biometrics for identification in the lead-up to 2010, when it expects to provide a single identity for DIAC clients “regardless of what business function is being undertaken”.
Under its three-year identity management strategy, covered by the Migration Legislation Amendment (Identification and Authentication) Act of 2004 and the Privacy Act, DIAC will employ facial recognition, iris scanning, and fingerprinting to verify the identity of noncitizens entering Australia.
Louisiana State Student, Faculty Information Left Unprotected For Two Years – I’m going to start calling these “eye bleeders” because when I read them I get so flustered I think my eyes will start to bleed.
The Louisiana Board of Regents announced that it has determined that information on students and staff at universities within the Louisiana State University system was left available to unauthorized individuals for an unknown amount of time. This information included the names and Social Security numbers of groups of individuals including all 10th grade students within Louisiana between 2001 and 2003 who took the state’s Educational Planning and Assessment Plan test, as well as any individual employed within the state university system between 2000 and 2001. An investigation is still ongoing to help determine what exactly happened, but the information has been secured and there is no evidence that it was accessed by any unauthorized individuals. The board first learned of the problem from Richard Angelico, a reporter at WDSU-TV in New Orleans.
Free ePO Vulnerability Scanner – Interesting idea by eEye to release a free scanner aimed at detecting vulnerabilities in ePO/CMA/ProtectionPilot. Probably worth checking out if you’re using these products.
Just wanted to give a quick heads-up that the eEye R&D team has put together a free Class C scanner (available here: http://www.eeye.com/html/downloads/other/ePOScanner.html) for the latest vulnerabilities found within McAfee ePO, CMA, and ProtectionPilot. These are some pretty serious vulnerabilities with a very large impact in networks where ePO/CMA/PP are installed, therefore warranting the free scanner.
Not sure why but “Tuesday” feels like it’s been preceded by about 10 working days already this week. That’s just not right.
Here’s the list:
CfP open for ACM SIGOPS Special Issue on Computer Forensics – Anyone looking to get an article published should check this out.
ACM SIGOPS is soliciting the submission of papers for its Operating Systems Review. This special issue will be dedicated to computer forensics, especially with the upcoming arts of live forensics and the analysis of volatile data.
The call for paper closes on December 1st, 2007.
So you want to be a writer? – Don is offering to help you out if you’re looking to get started on that book you’ve always wanted to publish. You might want to drop him a line.
Has it ever crossed your mind, in the recent past, that becoming a writer would be neat? Take myself for an example. About six or seven years ago I took stock of my career. I decided that I wanted to implement some career goals. The first was to become a computer security contractor. Problem was, just how do you go about becoming one? For me the solution was to start writing articles about computer security. This would help me reach my goal in that it would get my name and skillset out there to potential clients. Not to mention that if your writing is good enough you can also get paid for it.
Sandcat by Syhunt – Web Server & Application Vulnerability Scanner – Another tool to check out.
Sandcat allows web administrators to perform aggressive and comprehensive scans of an organization’s web server to isolate vulnerabilities and identify security holes.
The Sandcat scanner requires basic inputs such as host names, start URLs and port numbers to scan a complete web site and test all the web applications for security vulnerabilities.
This is a pretty nifty and complete tool; there is a “pro” version available too.
New Paper: “Log management in the age of compliance” – Another paper by Anton. I’m starting to wonder when he finds time to sleep.
Yeah, I know, not too technical, but still fun – my paper “Log management in the age of compliance” on ComputerWorld: “In my previous article, I described the way in which three regulations (FISMA, HIPAA and PCI-DSS) affect incident response processes. This triumvirate also affects log management, since they [A.C. – these and other regulations] call for enabling logging as well as for log review.”
UserAssist V2.3.0 – Didier has updated his UserAssist tool with some cool new features. Check out UserAssist here
I’m releasing version 2.3.0 of my UserAssist tool with these new features:
* saved CSV files have a header.
* entries are highlighted in red when they match a user-specified search term (which can be a regular expression). This is my answer to the persons asking for a search feature. As I didn’t want to bother with a Find Next function, I decided to implement a highlight feature.
* the Save command also supports HTML.
* support for the IE7 UserAssist GUID key {0D6D4F41-2994-4BA0-8FEF-620E43CD2812}
* registry hive files (usually called NTUSER.DAT files) can be loaded directly with the tool. The tool will load the DAT file temporarily in the registry, read the UserAssist keys and unload the file. This feature is experimental, because I didn’t write the code yet for all the exceptions (invalid NTUSER.DAT file, no access rights to the file, no rights to load the file, failure to unload the file, …).
Other requests, like a command-line option, will be investigated.
I’m also researching special values of the count property, for example when a program is removed from the start menu list.
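For anyone who wants to see what the tool is decoding under those GUID keys, here is the decoding done by hand in Python. This is an added example, not Didier's code: value names under the Count subkey are ROT13-encoded, and on Windows XP/2003 each value's data is 16 bytes, a session DWORD, a run-counter DWORD and a FILETIME of the last run. The "counter is stored with 5 added" rule is the XP convention assumed here, the sample entries are constructed, and the GUID-to-name table only covers the keys named in the post and the two classic XP ones.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_COUNT_OFFSET = 5  # assumption: XP/2003 store the run counter with 5 added

# GUID subkeys under ...\Explorer\UserAssist (the IE7 one is from the post).
KNOWN_GUIDS = {
    "{75048700-EF1F-11D0-9888-006097DEACF9}": "Explorer (programs run)",
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}": "IE toolbar",
    "{0D6D4F41-2994-4BA0-8FEF-620E43CD2812}": "IE7",
}


def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def decode_entry(raw_name, data):
    """Decode one value: ROT13 name plus 16 bytes <session, count, FILETIME>.
    Values of any other length are not run entries and are skipped."""
    if len(data) != 16:
        return None
    session, count, ft = struct.unpack("<IIQ", data)
    return {
        "name": codecs.decode(raw_name, "rot13"),
        "session": session,
        "raw_count": count,
        "count": max(count - XP_COUNT_OFFSET, 0),
        "last_run": filetime_to_datetime(ft) if ft else None,  # 0 = never recorded
    }


def decode_key(guid, values):
    """values: {raw_value_name: bytes} as read from <GUID>\\Count.
    Entries come back newest first; undated ones (FILETIME 0) last."""
    entries = []
    for raw_name, data in values.items():
        entry = decode_entry(raw_name, data)
        if entry:
            entry["key"] = KNOWN_GUIDS.get(guid, guid)
            entries.append(entry)
    entries.sort(key=lambda e: e["last_run"] or EPOCH_1601, reverse=True)
    return entries


def sample_values():
    """Constructed sample, shaped like what a tool reads from the hive (not real data)."""
    last = datetime(2007, 8, 6, 12, 34, 56, tzinfo=timezone.utc)
    return {
        codecs.encode("UEME_RUNPATH:C:\\Program Files\\Foo\\foo.exe", "rot13"):
            struct.pack("<IIQ", 1, 3 + XP_COUNT_OFFSET, datetime_to_filetime(last)),
        codecs.encode("UEME_RUNPIDL:%csidl2%\\Accessories", "rot13"):
            struct.pack("<IIQ", 1, 1 + XP_COUNT_OFFSET, 0),
        # a value of a different length, skipped by decode_entry
        codecs.encode("UEME_CTLSESSION", "rot13"): b"\x01\x00\x00\x00\x02\x00\x00\x00",
    }


def demo():
    return decode_key("{75048700-EF1F-11D0-9888-006097DEACF9}", sample_values())


if __name__ == "__main__":
    for e in demo():
        print(e["last_run"], e["count"], e["key"], e["name"])
```

With a real hive, feed decode_key the raw name/data pairs from each GUID's Count subkey; the raw_count field is kept alongside the adjusted count so the odd values Didier mentions researching are visible rather than silently offset.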
010 Template to Parse an Evtx File – This may come in handy some day soon. I’ll add this link and file it away for later.
I’m excited to release the first version of a template for the 010 Editor which parses the outer structure of a Vista event log file. By “outer structure” I refer to the structures described earlier in this blog, from the file level down to the single record. However, the template can not yet decode the binary XML inside of an event record – and provably never will. For this task I will provide a more complex tool in a few weeks.
The template parses the following structures:
* File Header
* Chunk Header
* String Table
* Template Table
* Event Record
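The same outer structure in Python, as an added example rather than the 010 template itself: file header, chunk header, the string and template offset tables, and the event record envelope, with the BinXml payload returned as opaque bytes exactly as the template leaves it. The field offsets follow the publicly documented EVTX layout and are an assumption of this example; the sample file is constructed inline, and its checksums are computed the same way the parser verifies them (CRC32 over the first 120 bytes of the file header; for a chunk, over bytes 0-119 plus 128-511, and separately over the record data), so the script runs offline.

```python
import struct
import zlib

FILE_MAGIC = b"ElfFile\x00"
CHUNK_MAGIC = b"ElfChnk\x00"
RECORD_MAGIC = b"\x2a\x2a\x00\x00"
HEADER_SIZE = 0x1000   # file header block
CHUNK_SIZE = 0x10000   # each chunk is 64 KiB


def parse_file_header(buf):
    """Signature, chunk/record bookkeeping, version, flags, CRC32 of bytes 0-119."""
    if buf[:8] != FILE_MAGIC:
        raise ValueError("not an EVTX file")
    (first_chunk, last_chunk, next_record, _hdr_size, minor, major,
     block_size, n_chunks) = struct.unpack_from("<QQQIHHHH", buf, 8)
    flags, crc = struct.unpack_from("<II", buf, 120)
    return {
        "first_chunk": first_chunk, "last_chunk": last_chunk,
        "next_record_id": next_record, "version": (major, minor),
        "block_size": block_size, "chunk_count": n_chunks,
        "dirty": bool(flags & 1), "full": bool(flags & 2),
        "crc_ok": zlib.crc32(buf[:120]) == crc,
    }


def parse_chunk(chunk):
    """Chunk header, both offset tables, and every record envelope up to the
    free-space offset. Record payloads (BinXml) are left undecoded."""
    if chunk[:8] != CHUNK_MAGIC:
        raise ValueError("bad chunk signature")
    (first_num, last_num, first_id, last_id, _hdr_size, last_off,
     free_off, records_crc) = struct.unpack_from("<QQQQIIII", chunk, 8)
    header_crc = struct.unpack_from("<I", chunk, 124)[0]
    records, pos = [], 512  # 128-byte header + 256-byte string table + 128-byte template table
    while pos + 28 <= free_off and chunk[pos:pos + 4] == RECORD_MAGIC:
        size, rec_id, written = struct.unpack_from("<IQQ", chunk, pos + 4)
        if size < 28 or pos + size > free_off:
            break  # truncated record: stop instead of reading past the data
        tail = struct.unpack_from("<I", chunk, pos + size - 4)[0]
        records.append({
            "offset": pos, "size": size, "record_id": rec_id,
            "written_filetime": written,
            "binxml": chunk[pos + 24:pos + size - 4],
            "size_tail_ok": tail == size,  # size is repeated at the end of the record
        })
        pos += size
    return {
        "record_numbers": (first_num, last_num), "record_ids": (first_id, last_id),
        "last_record_offset": last_off, "free_space_offset": free_off,
        "string_offsets": [o for o in struct.unpack_from("<64I", chunk, 128) if o],
        "template_offsets": [o for o in struct.unpack_from("<32I", chunk, 384) if o],
        "header_crc_ok": zlib.crc32(chunk[:120] + chunk[128:512]) == header_crc,
        "records_crc_ok": zlib.crc32(chunk[512:free_off]) == records_crc,
        "records": records,
    }


def parse_evtx(buf):
    header = parse_file_header(buf)
    # Count chunks from the bytes on disk; a dirty log's header count can lag behind.
    present = (len(buf) - HEADER_SIZE) // CHUNK_SIZE
    chunks = [parse_chunk(buf[HEADER_SIZE + i * CHUNK_SIZE:HEADER_SIZE + (i + 1) * CHUNK_SIZE])
              for i in range(present)]
    return header, chunks


def build_sample_evtx():
    """Constructed sample: one file header and one chunk holding two records.
    The 16-byte payload only stands in for a BinXml fragment."""
    payload = b"\x0f\x01\x01\x00" + b"\x00" * 12
    size = 24 + len(payload) + 4
    records = b"".join(
        RECORD_MAGIC + struct.pack("<IQQ", size, rid, 0x01C7D82A00000000 + rid)
        + payload + struct.pack("<I", size)
        for rid in (1, 2))
    chunk = bytearray(CHUNK_SIZE)
    chunk[:8] = CHUNK_MAGIC
    free_off = 512 + len(records)
    struct.pack_into("<QQQQIIII", chunk, 8, 1, 2, 1, 2, 128,
                     free_off - size, free_off, zlib.crc32(records))
    chunk[512:free_off] = records
    struct.pack_into("<I", chunk, 124, zlib.crc32(bytes(chunk[:120] + chunk[128:512])))
    hdr = bytearray(HEADER_SIZE)
    hdr[:8] = FILE_MAGIC
    struct.pack_into("<QQQIHHHH", hdr, 8, 0, 0, 3, 128, 1, 3, HEADER_SIZE, 1)
    struct.pack_into("<II", hdr, 120, 1, zlib.crc32(bytes(hdr[:120])))  # flags=dirty
    return bytes(hdr) + bytes(chunk)


if __name__ == "__main__":
    header, chunks = parse_evtx(build_sample_evtx())
    print(header)
    for c in chunks:
        print({k: v for k, v in c.items() if k != "records"})
        for r in c["records"]:
            print(" record", r["record_id"], "at", r["offset"], "size", r["size"])
```

On a real file, a failed records_crc_ok with a passing header_crc_ok usually means the chunk was only partially flushed, which is worth noting before anything in it is relied on.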
Detecting the Apple iPhone and other ‘Shadow IT’ Technology – Worried about people using their fancy new iPhones on your corporate network?
While reading the ‘Declaration of Interdependence’ series of articles in the July 1st issue of CIO Magazine (including an additional online article named ‘Users Who Know Too Much and the CIOs Who Fear Them’), the term “Shadow IT” was used to describe the aggregate amount of personal, walk-in and employee owned software and hardware that makes its way onto corporate networks and computers. This blog entry discusses strategies to look for applications that should not be running on your network as well as understanding which “unsanctioned” applications may be the most popular. It also discusses how the Passive Vulnerability Scanner can be used to detect Apple iPhones connected to the local IP network.
Some new papers from the SANS Information Security Reading Room:
Open ports for a bunch of servers – Kind of cool.
This is a first attempt at visualizing open ports detected by nmap in around 60 servers. I’ve used Freshcookies-Treemap and custom scripts. Ports are all TCP.
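The "custom scripts" part is the step most people have to write themselves, so here is one way to do it, as an added example that is not the post author's code. It reads nmap's grepable output (-oG), whose per-port fields are port/state/protocol/owner/service/rpc-info/version, and turns it into the host-per-port matrix a treemap wants, plus a watch list of ports that deserve a second look on a server inventory. The scan output is constructed, and the watch list is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample in nmap's grepable (-oG) format; tabs separate the fields.
SAMPLE_GNMAP = """\
# Nmap 4.20 scan initiated Tue Aug  7 09:00:00 2007 as: nmap -sS -oG servers.gnmap 10.0.0.0/28
Host: 10.0.0.1 (web1)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 10.0.0.2 (web2)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (997)
Host: 10.0.0.3 (db1)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 3306/open/tcp//mysql///\tIgnored State: closed (997)
Host: 10.0.0.4 ()\tStatus: Up
Host: 10.0.0.5 (legacy)\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 135/filtered/tcp//msrpc///\tIgnored State: closed (997)
# Nmap done at Tue Aug  7 09:02:00 2007 -- 16 IP addresses (5 hosts up) scanned in 120.00 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")

# Ports worth a second look when they turn up on a server inventory (assumed list).
WATCHLIST = {21: "ftp (cleartext)", 23: "telnet (cleartext)", 3306: "mysql reachable"}


def parse_gnmap(text):
    """Return {ip: {"name": hostname, "ports": [(port, state, proto, service), ...]}}.
    Hosts that are up but have no Ports: field come back with an empty list."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host: record
        ip, name, rest = m.groups()
        ports = []
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                ports.append((int(parts[0]), parts[1], parts[2], parts[4]))
        hosts[ip] = {"name": name, "ports": ports}
    return hosts


def open_port_matrix(hosts, proto="tcp"):
    """port -> sorted IPs with that port open: the host-per-port view behind the treemap."""
    matrix = defaultdict(list)
    for ip, host in hosts.items():
        for port, state, p, _service in host["ports"]:
            if state == "open" and p == proto:
                matrix[port].append(ip)
    return {port: sorted(ips) for port, ips in sorted(matrix.items())}


def flag_exposures(hosts, watchlist=WATCHLIST):
    """(ip, port, reason) for every open watch-list port, sorted by host then port."""
    return sorted(
        (ip, port, watchlist[port])
        for ip, host in hosts.items()
        for port, state, _proto, _service in host["ports"]
        if state == "open" and port in watchlist)


if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_GNMAP)
    for port, ips in open_port_matrix(hosts).items():
        print(f"tcp/{port:<5} {len(ips):2d} host(s): {', '.join(ips)}")
    for ip, port, reason in flag_exposures(hosts):
        print(f"{ip:12} tcp/{port:<5} {reason}")
```

Feed the matrix to whatever treemap library you use with the port as the node and the host count as its weight; the flag_exposures output is the list to act on first.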
Beat by a girl! – Hahah…catchy article title. Good post though.
I’ve written before about WhiteHat Security office events in which we race to find the first and best vulnerability in never-seen-before websites – the winner receiving company-wide bragging rights. Speed hack contests are also great for learning and testing one’s skills. They get the competitive juices flowing, typically finish in less than 20 minutes, and keep the day-to-day work fun! Lately, winning has proved to be extremely challenging, especially when you’re up against people like Bill Pennington, Arian Evans, and the entire Operations Team who does this stuff everyday.
We ran two bouts last week. The first was a financial application, which was a little bit different, because it had a social networking aspect. We weren’t provided any usernames or passwords, couldn’t self-register without a special code; and, as a result, the attack surface was limited. This meant we could still probably find the first XSS fast, but the high-severity issue probably wasn’t going to be there. The domain was called out, fingers hit the keyboard, and we were off. Bill P. and I went immediately after XSS in the search fields, but struck out because of proper HTML encoding. Arian, who only sees filters as a challenge, busied himself with some crazy encoding attacks. The rest of the Operations Team were eagerly trying to take down the giants.