Year: 2007

Suggested Blog Reading – Wednesday June 27th, 2007

Not a very busy day out in the blogosphere today, but there were some quality posts.

Here’s the list:

The Right Way to Establish a Culture of Security – Quite the interesting concept.

After reading this article, my hat is off to Yahoo’s Arturo Bejar. Not only does he have the world’s coolest job title (“Chief Paranoid Yahoo”), but he’s taken some extremely creative measures to help build a pervasive culture of security at the Internet behemoth. I especially like the part about the t-shirts, since it not only gives people a reward to strive for, but they are also free advertising for the program. And the multiple tiers sound like they would really spur some competition to get those coveted red shirts.

Cisco MARS Exam 642-544 – Hmmm…I wonder if the other large SEIM vendors are going to follow suit by offering certifications in their products through places like VUE and Prometric?

Cisco Security Mitigation and Response System (CS MARS) is a family of high performance, scalable appliances for threat management, monitoring and mitigation, enabling customers to make more effective use of network and security devices by combining network intelligence, context correlation, vector analysis, anomaly detection, hotspot identification and automated mitigation capabilities. CS MARS solutions empower customers to readily and accurately identify, manage and eliminate network attacks and maintain network compliance.

Worms 2.0! – The Metasploit menace inside your firewall – Good interview with Wade Alcorn.

In his research he focused on using a web browser as a beachhead to launch Metasploit-style attacks. What this means is that any Javascript enabled web browser might be used to launch an attack against a service, for example a VoIP server, and gain complete control of the box.

Generally exploits are executed inside a development framework such as Metasploit, or run directly from the code. But this time, the code would run inside the browser, using Javascript. And all of this takes place without exploiting any bugs in the browser itself.
Your browser is now an active menace against the security of your internal network. However, the problem can’t be easily fixed, because it is not based on a bug: it simply uses “Web 2.0” technologies against you.

NBA – Can it be the star of the show? – I agree with Alan. One of the best ways to detect zero-day type of attacks is to perform behavioral analysis on your network traffic.

No, I am not talking about Kobe, Shaq, Tim Duncan and the rest of the athletes over at the National Basketball Association. I refer of course to Network Behavior Analysis. The estimable Mr. Rothman in his daily rant laments the fact that 5 years later we are still trying to explain what it is and that is pretty sad. I don’t think it is sad at all, it is just the facts. In spite of this though, I think NBA has made terrific strides. Here is why:
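To make “behavioral analysis on your network traffic” concrete, here is an added example of my own (not code from Alan’s post or from any NBA product): a toy profiler over constructed flow records that learns, per source host, the usual outbound bytes per hour, the set of destination ports it talks to, and the largest number of distinct destinations it reaches in any one hour, then scores a later window against that baseline. It flags a host that fans out to many new neighbours on a port it has never used, which is the worm-like pattern a signature cannot know in advance. The IP addresses, timeline and thresholds (3 sigma on volume, 3x fan-out) are all made up for the demonstration; real NBA systems work from NetFlow/sFlow records and far richer statistics.

```python
"""Toy network-behaviour baseline and anomaly scorer (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    t: int        # minutes since start of capture (constructed timeline)
    src: str
    dst: str
    dport: int
    nbytes: int


@dataclass
class Profile:
    mean_bytes: float    # mean outbound bytes per interval during the baseline
    std_bytes: float     # population std-dev of that per-interval series
    ports: frozenset     # destination ports the host was seen using
    max_dsts: int        # most distinct destinations reached in any one interval


def _aggregate(flows, interval):
    """Group flows by source host and time bucket: total bytes, destination set, ports used."""
    buckets = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "dsts": set()}))
    ports = defaultdict(set)
    for f in flows:
        b = buckets[f.src][f.t // interval]
        b["bytes"] += f.nbytes
        b["dsts"].add(f.dst)
        ports[f.src].add(f.dport)
    return buckets, ports


def build_profiles(flows, interval=60):
    """Learn one Profile per source host from a period assumed to be clean."""
    buckets, ports = _aggregate(flows, interval)
    profiles = {}
    for host, by_bucket in buckets.items():
        series = [b["bytes"] for b in by_bucket.values()]
        profiles[host] = Profile(mean(series), pstdev(series), frozenset(ports[host]),
                                 max(len(b["dsts"]) for b in by_bucket.values()))
    return profiles


def score(flows, profiles, interval=60, k=3.0, fanout_factor=3):
    """Return (host, kind, detail) alerts for behaviour that departs from the baseline."""
    alerts = []
    buckets, ports = _aggregate(flows, interval)
    for host, by_bucket in buckets.items():
        p = profiles.get(host)
        if p is None:
            alerts.append((host, "no_baseline", "host never seen during the baseline period"))
            continue
        # Floor the spread at 10% of the mean so a perfectly steady host still gets some slack.
        spread = max(p.std_bytes, 0.1 * p.mean_bytes)
        for bucket, b in sorted(by_bucket.items()):
            if b["bytes"] > p.mean_bytes + k * spread:
                alerts.append((host, "volume",
                               f"interval {bucket}: {b['bytes']} bytes vs mean {p.mean_bytes:.0f}"))
            if len(b["dsts"]) > fanout_factor * p.max_dsts:
                alerts.append((host, "fanout",
                               f"interval {bucket}: {len(b['dsts'])} destinations vs baseline max {p.max_dsts}"))
        new_ports = ports[host] - p.ports
        if new_ports:
            alerts.append((host, "new_port", f"never-before-seen destination ports {sorted(new_ports)}"))
    return alerts


# Constructed sample data: three clean hours, then an hour with something new in it.
BASELINE_FLOWS = [
    # 10.0.0.5: a workstation browsing two sites over 443/80, roughly 50 KB per hour
    Flow(5, "10.0.0.5", "203.0.113.10", 443, 20000), Flow(15, "10.0.0.5", "198.51.100.7", 80, 30000),
    Flow(70, "10.0.0.5", "203.0.113.10", 443, 25000), Flow(90, "10.0.0.5", "198.51.100.7", 80, 35000),
    Flow(130, "10.0.0.5", "203.0.113.10", 443, 22000), Flow(150, "10.0.0.5", "198.51.100.7", 80, 28000),
    # 10.0.0.9: talks only to the file server over SMB
    Flow(10, "10.0.0.9", "10.0.0.2", 445, 100000),
    Flow(80, "10.0.0.9", "10.0.0.2", 445, 120000),
    Flow(140, "10.0.0.9", "10.0.0.2", 445, 110000),
]
OBSERVED_FLOWS = [
    # 10.0.0.5 suddenly touches ten neighbours on 445: fan-out on a port it never used before
    *[Flow(240 + i, "10.0.0.5", f"10.0.1.{i + 1}", 445, 5000) for i in range(10)],
    Flow(250, "10.0.0.9", "10.0.0.2", 445, 115000),   # business as usual
    Flow(260, "10.0.0.77", "10.0.0.2", 22, 500),      # a host with no baseline at all
]

if __name__ == "__main__":
    for host, kind, detail in score(OBSERVED_FLOWS, build_profiles(BASELINE_FLOWS)):
        print(f"{host:<10} {kind:<12} {detail}")
```

Note that the scanning host trips the fan-out and new-port checks while staying under its volume threshold: 50 KB of probes looks exactly like 50 KB of browsing to a byte counter, which is why a profile has to cover more than one dimension of behaviour.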

Memory Analysis Cheat Sheet – Might want to print this off 🙂

I’ve created a cheat sheet in order to accompany the tutorial held at the FIRST Conference 2007. On four pages it lists the most frequently used commands of Microsoft’s Debugger and some other memory analysis tools along with some structures and kernel variables. Get the cheat sheet here.

Thank you for flying Air Canada Mr. Rudd

About a month ago I had to fly to Ottawa to present at a conference. It was a short trip but I felt that I got a lot accomplished. A few weeks later my wife noticed my receipts and ticket stubs sitting on the kitchen table (as I am notorious for not doing my expense reports in a timely manner). To her surprise she noticed that my ticket stub for my flight from Ottawa to Toronto had the passenger name of Rudd on it instead of mine. This alarms me for a few reasons. Not only did I:

1) Check-in via the Air Canada website,
2) Show up at the ticket counter, have them ask for my ID, and have them issue me my ticket,
3) Go through the airport screening where they checked my ticket and my ID,
4) Have the attendant verify my ID and ticket before allowing me on the plane,

THEY ALLOWED ME TO BOARD WITH THE WRONG NAME ON MY TICKET!

Which really makes me wonder…what happened to poor Mr. Rudd? Maybe I just have a much more honest face than I thought.

Suggested Blog Reading – Tuesday June 26th, 2007

It appears that someone has already added me to his group of “Anti-Microsoft Fanboys” based on my earlier post. Let’s get one thing straight. I am not, and have never been, anti-Microsoft. Anyone who claims that Microsoft is evil and bad is an uninformed moron. The computing industry would not be where it is today if it wasn’t for Microsoft. They changed the way we think about personal computers and server deployments. That’s my rant for the day.

Here’s the list:

Nessus 3.0.6 Available – Good to see the users and watchers of these tools driving change.

Tenable Network Security has released version 3.0.6 of the Nessus Vulnerability Scanner which fixes a variety of performance issues and bugs.

Israeli researchers map the whole Internet. Boy are they tired. – You should have seen the size of the paper they used!

Israeli researchers have created a topographical map of the Internet by enlisting more than 5,600 volunteers across 97 countries who agreed to download a program that tracks how Internet nodes interact with each other.

IT Security Warfare, part deux – This is the first time I’ve seen Carl von Clausewitz mentioned in our industry. When asked on the Security Catalyst Community what is the one security book I could not live without, I didn’t even have to think about it: On War – Carl von Clausewitz. This is a must-have book for anyone involved in any aspect of security.

Culminating Point Of The Offensive

One of his areas of interest was the inherent superior strength of defense versus offense. For example, he was impressed with the strength of entrenchments and fixed fortifications. Both represent established, fortified points of contact with the enemy and can be compared to firewalls, HIPS, VLAN ACLs, etc. Typically in battle there are stages of trenches to fall back to if the threat of being over-run becomes real. In network security we do the same; firewalls are the outermost point of contact, then we fall back to the IPS, then the VLAN ACLs and so on.

Article on DDoS Tarpitting – I like the idea and plan to implement this for security research purposes.

I just wrote up an article about using tarpits to fight off HTTP-based DDoS attacks. Since I myself have been a victim of DDoS, I thought I’d throw out an idea to help those who might find themselves at the mercy of some anonymous attacker.
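Since the linked article is about the idea rather than an implementation, here is an added example of mine (not code from that article) showing the core of an HTTP tarpit: a per-client sliding-window counter where a client that exceeds the request limit is not refused but answered slowly, with the delay doubling for every request over the limit up to a cap. The point is to tie up the attacker’s connection slots instead of returning a fast 403 that costs it nothing. The limits, the port, the `Tarpit` class and the handler are all my own choices; the `clock` argument exists so the delay logic can be tested without sleeping.

```python
"""Sliding-window HTTP tarpit (constructed example, not the linked article's code)."""
import time
from collections import defaultdict, deque
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class Tarpit:
    """Counts requests per client over a sliding window. Clients past the limit
    get a delay that doubles with every further request, capped at max_delay."""

    def __init__(self, limit=20, window=10.0, base_delay=0.5, max_delay=30.0,
                 clock=time.monotonic):
        self.limit = limit
        self.window = window            # seconds
        self.base_delay = base_delay    # seconds for the first request over the limit
        self.max_delay = max_delay      # cap: every held connection also costs us a worker
        self.clock = clock              # injectable for testing
        self.hits = defaultdict(deque)  # client ip -> timestamps inside the window

    def delay_for(self, client_ip):
        """Record one request and return how long (seconds) to stall the reply."""
        now = self.clock()
        q = self.hits[client_ip]
        while q and q[0] <= now - self.window:   # drop hits that fell out of the window
            q.popleft()
        q.append(now)
        excess = len(q) - self.limit
        if excess <= 0:
            return 0.0
        return min(self.max_delay, self.base_delay * 2 ** (excess - 1))


PIT = Tarpit()


class TarpitHandler(BaseHTTPRequestHandler):
    """Minimal handler: stall abusive clients before answering, serve everyone else normally."""

    def do_GET(self):
        delay = PIT.delay_for(self.client_address[0])
        if delay:
            self.log_message("tarpitting %s for %.1fs", self.client_address[0], delay)
            time.sleep(delay)          # hold the client's connection open
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Threaded server, so a stalled client does not block everyone else.
    ThreadingHTTPServer(("127.0.0.1", 8080), TarpitHandler).serve_forever()
```

Two things to keep in mind before putting something like this in front of real traffic: each stalled request holds a thread (or, in an event-driven server, a socket) on your side as well, so the cap on the delay and the server’s connection limits decide whether the tarpit hurts the attacker more than you; and behind a reverse proxy `client_address` is the proxy, so the client key has to come from a trusted forwarded-for header instead, or every user gets tarpitted together.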

ExtractScripts – Another tool to check out.

ExtractScripts is another one of my little tools I use to analyze malware. Extractscripts.py takes an HTML file as argument and generates a separate file for each script in the input file. I use it to extract (potentially) malicious scripts from a webpage and execute them with my patched spidermonkey.
ExtractScripts is written in Python to be portable across multiple platforms.
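To show what a tool of this kind does, here is an added example of my own (a stand-in, not Didier Stevens’s extractscripts.py): a Python script that pulls every `<script>` element out of an HTML file and writes each to its own numbered file, so the pieces can be looked at or run in an interpreter one at a time. It goes a little beyond the description above by also capturing inline `on*` event-handler attributes, which are script too and easy to overlook. The sample HTML, the output file names and the `.src` extension for external references are my own choices.

```python
"""Stand-in script extractor (constructed example, not the original extractscripts.py)."""
import sys
from html.parser import HTMLParser
from pathlib import Path


class ScriptExtractor(HTMLParser):
    """Collects <script> elements and inline on* handler attributes in document order.
    HTMLParser switches to CDATA mode inside <script>, so '<' in script bodies is kept."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # dicts with kind, src, body, line
        self._in_script = False
        self._buf = []
        self._src = None
        self._line = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._buf = []
            self._src = attrs.get("src")
            self._line = self.getpos()[0]
            return
        # Event-handler attributes (onload, onclick, ...) carry script as well.
        for name, value in attrs.items():
            if name.startswith("on") and value:
                self.scripts.append({"kind": "handler", "src": None, "body": value,
                                     "line": self.getpos()[0], "attr": f"{tag}@{name}"})

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append({"kind": "external" if self._src else "inline",
                                 "src": self._src, "body": "".join(self._buf),
                                 "line": self._line})
            self._in_script = False


def extract_scripts(html):
    """Return the scripts found in an HTML string, in document order."""
    p = ScriptExtractor()
    p.feed(html)
    p.close()
    return p.scripts


def write_scripts(html, out_dir):
    """One file per script: script_NNN.js for inline bodies and handlers,
    script_NNN.src holding just the URL for external scripts."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for n, s in enumerate(extract_scripts(html), 1):
        if s["kind"] == "external":
            path = out / f"script_{n:03d}.src"
            path.write_text(s["src"] + "\n", encoding="utf-8")
        else:
            path = out / f"script_{n:03d}.js"
            path.write_text(s["body"], encoding="utf-8")
        written.append(path)
    return written


# Constructed sample page: one external script, two inline blocks, one onload handler.
SAMPLE_HTML = """<html><head><title>t</title>
<script src="lib.js"></script>
<script>var a = 1; if (a < 2) { document.write("<b>x</b>"); }</script>
</head><body onload="init()">
<p>hello</p>
<script type="text/javascript">
// second inline block
eval(unescape("%61"));
</script>
</body></html>"""

if __name__ == "__main__":
    # usage: extract.py page.html out_dir   (falls back to the sample page)
    html = Path(sys.argv[1]).read_text(encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_HTML
    for path in write_scripts(html, sys.argv[2] if len(sys.argv) > 2 else "scripts_out"):
        print(path)
```

The extracted files are inert text; the value of splitting them out is that each block can be read, deobfuscated or fed to a sandboxed interpreter separately, and the line numbers recorded in each entry point back to where it sat in the page.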

Blocking Bots By HTAccess – Not a bad idea either.

While doing a little research into some random stuff for a client I ran into a bot that was spidering in a bad way. Within a few search results pages I found my way to a blog entry by BrontoBytes talking about blocking spiders by HTAccess. This is a pretty interesting proactive approach to stopping request-level attacks, and something used commonly by mod_security, for instance. You can check out the blog entry, which shows how to set up an .htaccess file to block some modern robots.
