Again I let the post slip to noon. Must be the nice weather outside 🙂

Here’s the list for today:

Bots on the Corporate LAN I agree with his comment in the article: “So it’s obvious that there are bots on corporate networks, but it’s not obvious how serious a problem it is.” Until a massive outbreak happens to your organization most will continue to consider a bot infestation something that happens on “other organizations” networks.

Opinion: Of course bots exist on corporate networks, but how big a problem are they? It could be that nobody knows.

People like me, who write about security, are flooded with reports on the state of malware. They’re often valuable enough and say interesting things, but on certain points they are invariably, and infuriatingly, vague.

Retailers haven’t learned from TJX – still running WEP – I guess my above statement applies to this as well 🙂

When I blogged earlier this week about TJX’s failure to secure their wireless LAN and how it may end up costing TJX a billion dollars, I knew that it was merely the tip of the iceberg with so many retailers still running WEP encryption. As if WEP wasn’t already broken enough, WEP is now about 20 times faster to crack than in mid-2005 when TJX’s WEP-based wireless LAN was broken and I knew from experience that most retailers were still running WEP. I decided to stroll through town and check on some of the largest retail stores in the country to see how they’re doing today. The reason I looked at the large retailers is because they’re the big juicy targets with millions of credit card transactions that the TJX hackers love. What I found was truly disturbing and I’m going to tell you what I found.

More on Snort 3.0, GPL and derivatives – Word on the street is that Marty was saying some things in the IRC channel that a man in his position shouldn’t have been saying.

In response to my post yesterday a few comments (you can click on the right column to see them) have responded that as GPL, there is nothing really changing with Snort 3.0, Sourcefire in order to “avoid misunderstandings” is defining what they consider to be a derivative work. I think therein lies the rub. What Sourcefire is saying is that if you want to do a front end for Snort, you can do so and just point people to snort.org to download Snort which will run separate and apart from the front end (lets not even talk about rules for the moment).

Forensics in the Enterprise – I was sent an demo copy of EnCase v5 but I never got around to playing with it.

I had the opportunity last night to attend a demo of Guidance Software’s EnCase Enterprise product. I use the standalone version of their product, EnCase Forensic already, and the Enterprise edition looks like an interesting extension.

EnCase Forensic runs on a single Windows workstation and allows you to image suspect hard drives and conduct detailed analysis on their contents. It’s got a number of handy features built in, like the ability to do keyword searches, extract web viewing history and identify email messages. Pretty nice, and it makes most common forensic tasks a breeze.

How To Back Up MySQL Databases Without Interrupting MySQL – Good bit of information to have.

This article describes how you can back up MySQL databases without interrupting the MySQL service. Normally, when you want to create a MySQL backup, you either have to stop MySQL or issue a read lock on your MySQL tables in order to get a correct backup; if you don’t do it this way, you can end up with an inconsistent backup. To get consistent backups without interrupting MySQL, I use a little trick: I repplicate my MySQL database to a second MySQL server, and on the second MySQL server I use a cron job that creates regular backups of the replicated database.

Little late posting this one today…better late than never!

Here’s the list for today:

Note to Universities: Web Sites Providing A Security Breach Playground – Remember when Universities were only breeding grounds for STD’s?

While I was compiling the Educational Security Incidents (ESI) Year in Review – 2006, I noticed something interesting. Of the 83 information security incidents in 2006 reported by colleges and universities, 20 such incidents were due to Unauthorized Disclosure. Unauthorized Disclosure on ESI is defined as incidents involving the release of information to unknown and/or unauthorized individuals. In other words, Unauthorized Disclosure tends to involve employee or organizational mistakes at some level.

Management and security: Still separate but equal? – Should they really be separate?

I’ve said it before and I’ll say it again: It makes sense to use certain technologies to both manage and secure your network. Yet while vendors continue to provide integration between, say, configuration management software and endpoint security products, most companies are keeping the tools separate — for now.

Liability of reverse engineering – I’m not sure where I stand on this…

Christopher Hoff asks an admittedly naïve question: “If I … engage in reverse engineering of a product that is covered by patent/IP protection and/or EULA’s that expressly forbids reverse engineering, how would I deflect liability for violating these tenets …”.

This reflects that while such issues are frequently discussed in our industry, few know what the words actually mean. For example, reverse-engineering a patent is a contradiction in terms, because you can just read the patent rather than reversing the code that implements a patent.

Automated Security Scanning Considerations – Good article.

I noticed a question on a listserv that I monitor. The person asked for an opinion on how an auditor might look at a automated vulnerability scanner that logs into the target host and performs local checks. Many vendors have been doing this for a while now. It is a great feature that really allows these tools to help companies ensure that their systems are maintaining compliance with company policies and procedures. It also assists with change management and security validation as well.

Is Snort 3.0 going to be open sourced? – I think it would be a mistake to close the source on this now. It would only look bad on Marty.

This is a question which has come up recently and I understand was a recent topic on a Snort IRC channel. It seems recent comments by me and on our podcast have raised some questions about what the future course of licensing for new versions of Snort are going to be. I also spoke about this with Thomas Ptacek of Matasano a while back and we never finished our conversation. Obviously, I am not the final word on this topic and you should look at Sourcefire for the definitive answer. However that being said, my understanding is that Snort 3.0 will have some license changes. My belief is it will still be open sourced and released under a GPL license as Marty Roesch has said many times. However, the licensing change, again from what I understand, will deal with people who embed Snort into their applications and under current license do not fall under the derivative clauses of the GPL. So under Snort 3.0 there will be changes to the base GPL as to what constitutes a derivative work. My opinion is that in essence what is happening here is Sourcefire is going to move Snort to more of a dual-licensed system.

The five phases of recovering digital evidence – Part 2 in the series…

This is the second post in a series about the five phases of recovering data structures from a stream of bytes (a form of digital evidence recovery). In the last post we discussed what data structures were, how they related to digital forensics, and a high level overview of the five phases of recovery. In this post we’ll examine each of the five phases in finer grained detail.

Another educational institution, another SIEM eval – Most people, just like Michael Farnum, complain about the cost of a SEM/SIM/SEIM solution without taking the time to think about the people power required to do the same task. Think of the sick days, vacation, salary, and compensation package money saved on a product of this nature. Michael also complains that the correlation doesn’t work. Sure, out of the box it may not be able to handle all security events properly but that is where tuning comes into play. Just like any piece of hardware on your network you can’t expect it work for every environment out of the box…it has to be customized to your environment and policies.

I went to another client of ours from an educational institution (this time in Dallas), and they were similar to the client I spoke of in my last post. However, this site seemed to be a bit more proactive when it came to security, and he didn’t seem near as stressed as the other client.

Report available for WASCs Distributed Open Proxy Honeypot Project – It’s quite a good report. Lots of detail.

Ryan C. Barnett, WASCs Distributed Open Proxy Honeypot Project Lead, released his first Threat Report! This is wicked cool stuff.

That’s all for today…I’m busy 🙂

Only Tuesday and it feels like it should be Wednesday or Thursday (not sure why…it just does). I’m hoping to get back to setting up my home security lab this week and next but we’ll see how the weather is (nice == outside stuff, rain == inside stuff).

Here’s the list for today:

Dueling updates – is Apple quicker? – Only time will truly tell.

So, is Apple just inherently faster at patching security vulnerabilities? Did Apple rush out a fix faster than normal because of the media exposure about this particular vulnerability? Or maybe Microsoft is either just slower at the process or too busy with their own backlog of security patches – or both? Not many would argue against claims that Microsoft Windows has many more vulnerability found compared to Mac OS X.

Review – InfoSec Institute Advanced Ethical Hacking: Expert Penetration Testing – Good to see other people review training and courses.

I just returned from attending InfoSec Institute’s AEH course. Given the relevance of penetration testing to PCI, I thought that it would be worthwhile to post a review for anyone who’s considering attending.

France Fines Tyco Healthcare: U.S. Companies, You MUST Know and Follow International Data Protection Laws – I like this idea and I hope it catches on in North America.

In April the French Data Protection Authority (CNIL) reported they had issued a $40,972 fine against a subsidiary of U.S.-based Tyco Healthcare in March for inadequate storage safeguards and cross-border transfer of employee personally identifiable information (PII).

TSA: We’re not saying our hard drive is gone but… – My dog ate my hard drive.

On May 3, the TSA discovered the drive was missing from a controlled area at the Headquarters Office of Human Capital. The agency immediately reported the incident to law enforcement officials, the Department of Homeland Security and launched into an investigation.

Did it fall behind the desk? No.

Did Jim take it home to transfer his Phil Collins music collection to his desktop? No.

Maybe check behind the desk again?

The investigation hit a brick wall. By Friday night, it was time to fess up with a statement. The TSA doesn’t know whether the device is still within headquarters or was stolen. It has found no evidence an unauthorized individual is using the personal information.

Web Application Security Professionals Survey (May 2007) – Please take a minute to go through the survey when you get a chance.

Several people have asked where the surveys have gone to in the past several months. The answer is that I’ve been amazingly busy the last couple of months and simply haven’t had the time. The survey helps us learn more about the web application security industry and the community participants. We attempt to expose various aspects of web application security we previously didn’t know, understand, or fully appreciate. From time to time I’ll repeat some questions to to develop trends. And as always, the more people who submit data, the more representative the will be. Please feel free to forward this email along to anyone that might not have seen it.

Glitch attacks revealed – “First in a series of articles on attacking hardware and software by inducing faults”

One of the common assumptions software authors make is that the underlying hardware works reliably. Very few operating systems add their own parity bits or CRC to memory accesses. Even fewer applications check the results of a computation. Yet when it comes to cryptography and software protection, the attacker controls the platform in some manner and thus faulty operation has to be considered.

Fault induction is often used to test hardware during production or simulation runs. It was probably first observed when mildly radioactive material that is a natural part of chip packaging led to random memory bit flips.

ESI Searches: Getting to the Drive – Good overview on how the legal system leverages hard drives for forensic purposes.

Traditionally, we’ve relied on producing parties to, well, produce. Requesting parties weren’t entitled to rifle file cabinets or search briefcases. When evidence meant paper documents, relying on the other side’s diligence and good faith made sense. Anyone could read paper records, and when paper was “deleted,” it was gone.