Year: 2007

Suggested Blog Reading – Wednesday July 11th, 2007

Busy, busy, busy. If only I had more time during the day.

Here’s the list:

Searching inside payload data – Good little SQL statement to hang on to.

Almost all of my searches involve IPs and/or port numbers, and Sguil has a lot of built-in support for these types of database queries, making them very easy to deal with. Sometimes, though, you want to search on something a little more difficult.

This morning, for example, I had a specific URL that was used in some PHP injection attack attempts, and I wanted to find only those alerts that had that URL as part of their data payload.

Constructing a query for this is actually pretty easy, if you use the HEX() and the CONCAT() SQL functions. If you’re using the GUI interface, you only have to construct the WHERE clause, so you can do something like the following…
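The post's own WHERE clause is not reproduced on this page, so the following is an added example, not the author's query or Sguil's code: it shows the HEX()/CONCAT() idea against a small constructed payload table in SQLite (which uses `||` where MySQL uses CONCAT()). The table and column names are assumptions standing in for Sguil's schema, and the sample payloads are constructed. It also handles the one edge case this technique has: a LIKE over hex text can match across a nibble boundary, so a byte-level confirmation step follows the SQL filter.

```python
import sqlite3

# Constructed sample alert payloads; they are not real Sguil data, and the
# table/column names below are assumptions standing in for Sguil's own schema.
SAMPLE_PAYLOADS = [
    (1, b"GET /index.php?page=http://evil.example/shell.txt? HTTP/1.1\r\n"),
    (2, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"),
    # Bytes a4 14 2b: their hex text "A4142B" contains "4142" (= HEX('AB'))
    # starting at an odd offset, although no byte sequence 0x41 0x42 exists.
    (3, bytes.fromhex("a4142b00")),
]


def build_db():
    """Create an in-memory table shaped like an alert-payload table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE data (cid INTEGER PRIMARY KEY, data_payload BLOB)")
    conn.executemany("INSERT INTO data VALUES (?, ?)", SAMPLE_PAYLOADS)
    conn.commit()
    return conn


def search_payload(conn, needle):
    """Hex-encode the search bytes and match them against the hex-encoded payload.

    Equivalent MySQL WHERE clause (CONCAT instead of ||):
        HEX(data_payload) LIKE CONCAT('%', HEX('<needle>'), '%')
    Comparing hex text sidesteps quoting of binary or punctuation-heavy
    payloads, and hex output contains no LIKE metacharacters to escape.
    """
    cur = conn.execute(
        "SELECT cid, data_payload FROM data "
        "WHERE hex(data_payload) LIKE '%' || hex(?) || '%' "
        "ORDER BY cid",
        (needle,),
    )
    return cur.fetchall()


def search_payload_exact(conn, needle):
    """Confirm each SQL hit byte-wise.

    A hex LIKE can match across a nibble boundary (the second hex digit of one
    byte plus the first digit of the next), so the SQL filter only narrows the
    candidate set and the byte-level check removes those false positives.
    """
    return [cid for cid, payload in search_payload(conn, needle) if needle in payload]


if __name__ == "__main__":
    db = build_db()
    url = b"http://evil.example/shell.txt"
    print("SQL hits for URL:", [cid for cid, _ in search_payload(db, url)])
    print("SQL hits for b'AB':", [cid for cid, _ in search_payload(db, b"AB")])
    print("confirmed hits for b'AB':", search_payload_exact(db, b"AB"))
```

Running it shows the URL search hitting only alert 1, while the short search string `AB` is reported by the SQL filter for alert 3 and then dropped by the byte-level check. Longer search strings such as a full URL make a misaligned match vanishingly unlikely, which is why the trick works well for the case the post describes.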

Explaining Sensitive Information – Unfortunately there is no definitive method for classifying sensitive information. Which begs the question…shouldn’t there be?

Classification of data starts with defining that data. Unfortunately there are many definitions for personal or private information and these definitions are often different depending on country, state, organization, regulation, and other factors.

Network Security Monitoring Case Study – I love case studies!

So this is the major question. How do you convince management or other functional areas that monitoring is important? It sounds to me like my friend has already scored some wins by freeing bandwidth used by misconfigured systems, simplifying firewall rules, and examining individual problematic hosts.

It’s important to remember that there is no return on security investment. Security is a cost center that exists to prevent or reduce loss. It is not financially correct to believe you are “earning” a “return” by spending time and money to avoid a loss.

If I need to spend $1000 to hire a guard to protect my $10000 taxi, I am not earning a return on my investment — I am preventing the theft of my taxi. If I invest that $1000 in a ticketing and GPS system that makes me more productive ferrying passengers (perhaps increasing my dollars per hour worked), then I have enjoyed a ROI once my $1000 expense is covered.

Breach vs. Incident: Semantics or Something More? – Personally, I tend to think that a “breach” is an intrusion outside of policy, whereas an “incident” would be the ensuing results of the aforementioned breach (attacking a server, obtaining sensitive documents, etc.).

What I find so fascinating about this statement is the distinction between incident and breach, and that an “incident” should not be viewed in the same light as a “breach”. So I started thinking: is this distinction merely a semantic issue, or is there some underlying assumption amongst the general public that an incident is an everyday, and perhaps less dangerous, occurrence than a breach? One of the words is a simple noun that brings to mind a singular event of some type that may or may not be harmful. The other word is more action-oriented and brings to mind, at least to my mind, images of whales bursting through the surface of the water and other dynamic events. Given the differences between these words, should they be used as interchangeably as they are in the Information Security arena?

Evtx Event Record – Interesting.

This article documents the structure of a single event record within a Vista Event Log (.evtx) file.

The event record starts with a magic string, two asterisks followed by two null bytes. It is framed by matching length indications. They state the whole record’s size, from the magic string to the trailing length indicator. This is similar to the record structure of the old NT event logging service. The length indications at the beginning and at the end of an event record allow the logging service to traverse the chain of records efficiently in both directions.
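The framing just described (magic string, leading size, trailing size, traversal in both directions) can be exercised on constructed data. The block below is an added example, not code from the article or from Microsoft: it builds records in that framing, parses the chain forwards from the leading size words and backwards from the trailing ones, and rejects a record whose two size words disagree, which is the check a forensic parser relies on when a log is truncated or corrupted. The 8-byte record number and 8-byte timestamp after the size word follow the published EVTX layout; the record body is an opaque placeholder here (real records carry binary XML).

```python
import struct

# Record framing the article describes: a four-byte magic ("**" + two NULs),
# a little-endian size word, the record contents, and a trailing copy of the
# same size word.  The record number and timestamp fields follow the published
# EVTX layout; the body is opaque here (real records hold binary XML).
MAGIC = b"**\x00\x00"
HEADER = struct.Struct("<4sIQQ")   # magic, size, record number, timestamp
TRAILER = struct.Struct("<I")      # size repeated at the end of the record
MIN_RECORD = HEADER.size + TRAILER.size  # 28 bytes


def build_record(record_num, timestamp, body):
    """Frame one record (constructed test data) exactly as read_record() expects."""
    size = MIN_RECORD + len(body)
    return HEADER.pack(MAGIC, size, record_num, timestamp) + body + TRAILER.pack(size)


def read_record(buf, off):
    """Parse the record starting at off; raise ValueError if the framing is broken."""
    if off + MIN_RECORD > len(buf):
        raise ValueError(f"truncated record header at offset {off}")
    magic, size, record_num, timestamp = HEADER.unpack_from(buf, off)
    if magic != MAGIC:
        raise ValueError(f"bad magic at offset {off}")
    if size < MIN_RECORD or off + size > len(buf):
        raise ValueError(f"size {size} at offset {off} runs past the buffer")
    (trailing,) = TRAILER.unpack_from(buf, off + size - TRAILER.size)
    if trailing != size:
        raise ValueError(f"size mismatch at offset {off}: {size} != {trailing}")
    body = bytes(buf[off + HEADER.size : off + size - TRAILER.size])
    return {"offset": off, "size": size, "record_num": record_num,
            "timestamp": timestamp, "body": body}


def parse_forward(buf):
    """Walk the chain from the first record using the leading size words."""
    records, off = [], 0
    while off < len(buf):
        rec = read_record(buf, off)
        records.append(rec)
        off += rec["size"]
    return records


def parse_backward(buf):
    """Walk the chain from the end using the trailing size words."""
    records, end = [], len(buf)
    while end > 0:
        if end < MIN_RECORD:
            raise ValueError("truncated record tail")
        (size,) = TRAILER.unpack_from(buf, end - TRAILER.size)
        if size < MIN_RECORD or size > end:
            raise ValueError(f"bad trailing size {size} for record ending at {end}")
        rec = read_record(buf, end - size)  # re-validates magic and both sizes
        records.append(rec)
        end -= size
    return records


def validate(buf):
    """True when the whole chain parses identically in both directions."""
    try:
        return parse_forward(buf) == list(reversed(parse_backward(buf)))
    except ValueError:
        return False


if __name__ == "__main__":
    chunk = build_record(1, 100, b"first") + build_record(2, 200, b"second body")
    for rec in parse_forward(chunk):
        print(rec["offset"], rec["record_num"], rec["body"])
    damaged = bytearray(chunk)
    damaged[4] ^= 0x01          # corrupt the leading size word of record 1
    print("intact:", validate(chunk), "damaged:", validate(bytes(damaged)))
```

The backward walk is what makes recovery of the most recent records cheap: the logging service (or an analyst's carving tool) can step from the end of a chunk to the previous record without re-reading the chain from the start, and any record whose leading and trailing sizes disagree is flagged rather than silently mis-parsed.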

Laptop Containing UMN Student Information Stolen from Locked Car – Sigh…..

The University of Minnesota is alerting students after a laptop containing student grade information was stolen from a professor’s car during a trip to Palo Alto. The laptop, belonging to Elizabeth Beaumont of the political science department, contained the names, e-mail addresses, internal University IDs and grades for students enrolled in Beaumont’s classes from fall 2005 until present. While the University has a policy that all non-public information must be encrypted, 70-80% of the political science laptops, including Beaumont’s, have no encryption. The University has plans in place to ensure all political science laptops are encrypted by the end of the summer.

Suggested Blog Reading – Tuesday July 10th, 2007

Even though I felt recharged yesterday, I was still quite tired from the flying and the “relaxing” over the weekend. I’m starting to get back into the swing of things, so expect posts to return to their normal frequency.

Here’s the list:

My New and Fun Fun Fun Role! – Well it looks like Anton has himself a new role and title. I hope he fares better than Martin did when he moved into an evangelist role.

I have a sneaking suspicion that not everybody checks my site regularly. And that’s OK – you need to check my blog, not the site 🙂

However, if you do check the site, you might have noticed that my position title has changed! My new position is … drum-roll … Chief Logging Evangelist.

Yes, I joined the ranks of “evangelists”, which takes its origin from Guy Kawasaki.

Am I excited? That would be the understatement of the year!

Nduja Cross Domain/Webmail XSS Worm – Webmail XSS Worm??? Interesting and a little scary considering how much people rely on webmail these days.

Rosario Valotta sent me an email today describing a webmail XSS worm he has written – the first I am aware of that is cross domain. There have been a few webmail worms, like Yamanner, but nothing quite like this. Rosario picked four Italian webmail services, Libero.it, Tiscali.it, Lycos.it, and Excite.com and built a worm that works across all four domains.

Pentagon E-mail System HACKED – “What can we do to take the heat off of DHS for failing so miserably on their audit??? Wait…let’s disclose a huge hack that occurred at the Pentagon…that’ll get them off our backs!”

The Pentagon got owned pretty hard with 1,500 accounts being taken offline due to a hack attack. For once however they did admit the incident and didn’t try to cover it over or brush it off.

I guess the number of attacks they get is exponentially more than other networks…but still, I would have thought they should be super secure.

IT Security Specialists See Salaries Rise in First Half – I love seeing articles like these considering friends and colleagues in the industry are not seeing the same thing. Who are these people getting all of these raises all the time anyway?

Demand for highly trained and certified IT security professionals is forcing CIOs and IT managers to shell out higher salaries, and to adjust their budgets to meet the increased security expectations of their customers and their executive management teams.

In the past six months, salaries for certified IT workers rose 2 percent, bucking a yearlong trend in declining pay for IT certifications, according to a report issued this week by IT work force research firm Foote Partners.

Suggested Blog Reading – Monday July 9th, 2007

Just got back from a very enjoyable bachelor party in Ottawa over the weekend and I feel recharged. Funny how some downtime fixes you up 🙂

Here’s the list:

AFF for Windows – Interesting…I’ll have to give it a shot.

Since version 2.3 the shared libraries and utility programs which implement the Advanced Forensic Format (AFF), are also available for the Microsoft Windows platform.

AFF is meant to be an open-source, extensible alternative to proprietary forensic image file formats. Beside the main program library, afflib, the package comes with the following utility programs:

* afconvert converts AFF into RAW/ISO and vice-versa
* afcopy copies a forensic image and verifies the resulting file
* affix attempts to repair a corrupted forensic image
* afinfo provides some information about the forensic image
* afstats calculates some statistics, e.g. the amount of data contained in an AFF image and the compression ratio
* aimage creates a new forensic image

ARP Spoofing in Real Life – Richard is right. This is probably one of the hardest attacks for students or people new to security to visualize actually happening and it’s great that a documented example is available.

Sometimes I wonder if students are thinking “That is so old! Who does that anymore?” In response I mention last year’s Freenode incident where Ettercap was used in an ARP spoofing attack.

Thanks to Robert Hensing’s pointer to Neil Carpenter’s post, I have another documented ARP spoofing attack. Here a malicious IFRAME is injected into traffic by ARP spoofing a gateway. We cover that in my Black Hat class, both of which are now officially full.

“Good Practice Guide for Computer-Based Electronic Evidence” Updated – I would think this would also be very good for organizations who interact with law enforcement on a regular basis.

The Association of Chief Police Officers in co-operation with 7Safe released an updated edition of their Good Practice Guide for Computer-Based Electronic Evidence.

On 66 pages the free guide provides background information, flowcharts and sample questions to aid in the investigation of computer-related crimes. While it is primarily intended to be used by police officers, the guide is also helpful for investigators working within the private sector.

Vista security events get noticed – Notice how he says “for most security events”? My developers have noticed lately that Microsoft documentation has a lot of “most” scenarios where log files have more columns than documented and examples show what should happen “most of the time”.

Doriansoft noticed that there’s a relationship between our pre-Vista security event IDs and our Vista-era security event IDs.

For most security events:
VistaEventId = PreVistaEventId + 4096

Why is this?

We needed to differentiate the Vista events from the pre-Vista events, because we were significantly changing the event content and didn’t want to break automation. However we wanted to preserve the knowledge that security professionals already had in their heads about security events, so we wanted to make sure that there was a relationship between old and new event IDs.

We decided to offset the old IDs by some constant to get the new IDs. I wanted to offset them by a decimal number (say 6000, so 528 would become 6528, etc.). However event IDs are declared in hex in the source code and are all 3 digits long (528 = 0x210), and Raghu, my developer, wanted to conserve effort, and he won that battle so we added 0x1000 (4096) to the existing event IDs.

CarvFS at Work – Documentation is good but examples are always a bonus! Good work.

“Chopstick” published two articles about CarvFS in his blog Chirashi Security.

His first post describes the installation of CarvFS on Ubuntu Linux. He also installs libewf in order to access disk images in Expert Witness format, which is normally used by EnCase.

Just to give us an example of how CarvFS works, a second article shows the examination of a memory card.
