Year: 2007

Suggested Blog Reading – Friday May 4th, 2007

Well, Friday is finally here and man am I tired. It’s been a hectic week at work and I’m looking forward to some relaxation time.

Here’s the list for today:

Scapy – Interactive Network Packet Manipulation – Another tool to add to your IDS testing kit.

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can’t handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, …), etc.

How to check if your WebMail account has been hacked – I love the idea of trying to trick hackers with crafted spam messages…that’s classic!

WebMail accounts are a popular target for malicious hackers, law enforcement conducting investigations, and rogue insiders. WebMail security is very important, perhaps even more so than your online bank account. If your WebMail is hacked, every web account associated with that address (using a send-an-email-forgot-password system) could be compromised, including your bank. Phishing scams, password brute-force attacks, cross-site scripting exploits, and insufficient authorization vulnerabilities are all commonplace. And for the most part these attempts are impossible for normal users to detect or do anything about. The problem is that unless your password changed without your knowledge, how can you tell if your account has been compromised? Fortunately there is a fairly simple way.

Ineffective User Awareness Training Revisited – Amrit gets his legs under him for the 2nd round…..ready…fight!

A recent post on the ineffectiveness of user awareness training (here) has sparked some lively discussion, some agree and others not so much. Interestingly enough those that disagree with my position seem to feel that it implies that one can make a similar argument about technology, a completely absurd leap. Anyway I was not trying to weigh user-awareness training against technology alone.

It Was All Him, That Bad Boy 10.11.2.3 – The main problem with “Identity Management” is that you need to have logs from all devices in the infrastructure in order to properly track down the “Bad Boy”, and a good way to correlate them.

As security people we are used to answering questions such as “Who attacked that system?” with a curt “Oh, it was 10.13.13.13.” But is the IP address really a who? No, really, is it? I seriously doubt that an auditor, a judge or a lawyer will agree that “an IP address is a who.”

Where am I going with this? I think the time has come when we start making broader use of identity traceback to link the faceless, inhuman 🙂 IP addresses to nice (or nasty, as the case may be :-)) warm-blooded humans, who actually press the buttons and write programs.

RSA public keys are not private (implementation) – It’s too early for math! 🙂

Previously, I described a proposed system that will both sign and encrypt code updates using an RSA private key. The goal is to derive the corresponding public key even though it is kept securely within the device.

Steganography for the Mac! – I’ll have to give it a shot.

This might be old news, but I hadn’t seen it until recently. There’s a steganography application for the Mac! It’s called Pict Encrypt and it’s a free download. The downside is that it only saves files in MacPICT format. Anyhow, here’s a little something for all you Mac users out there that want to play with it.

Suggested Blog Reading – Thursday May 3rd, 2007

Thursday and lots of meetings. Didn’t quite catch up on everything I wanted to yesterday but I’ll have to tackle that this morning.

Here’s the list for today:

Rain Forest Puppy comes out of retirement – He’s alive!

4 years after retiring from the public security scene, rain forest puppy (rfp) breaks his silence and agrees to an interview where he shares his thoughts. For those that haven’t been around webappsec that long, rfp is one of the REAL pioneers of the industry who contributed a ton of cutting-edge research that we still use today. You’ll also notice that he’s a very humble guy who prefers to continue giving back rather than taking the credit he deserves. Welcome back rfp.

The 6 Steps of Incident Handling in Action PICERL – the easiest way to remember is to think of the fish 🙂

Incident handling is a specialized field which is done best after proper training, guidance and experience. However, if you follow the six core steps to incident handling, you will have a better chance of recovering favorably from an unforeseen incident. The example below is an actual incident I experienced recently. I have outlined the steps taken as they pertain to the six steps of Incident Handling.

Commtouch: Malware Writers’ Tactics Evolving – The article mentions how most network admins fall back to blocking all attachments in emails when an outbreak hits. Had they been prepared, prior to the outbreak, they may have been able to mitigate the infestation without disrupting the business.

“The server-side polymorphic distribution method is an evolution of earlier tactics, where malware writers would introduce new variants over a period of weeks or months, to try to bypass anti-virus engines,” said Rebecca Herson, senior director of marketing at Commtouch, based in Sunnyvale, Calif., in an interview with eWEEK. “Since the end of 2006, this has become the primary distribution method for e-mail-borne malware.”

Battle of the Colored Boxes (part 2 of 2) – Part 2 in the series

Coverage and comprehensiveness are key to effective vulnerability assessment. The more vulnerabilities identified and weeded out, the harder it is for the bad guys to break in. In web application security, black box testing is a fairly standard measure of the difficulty and commonly used as a method to improve it. That’s why when Fortify recently published a new white paper entitled “Misplaced Confidence in Application Penetration Testing” (registration required), it immediately piqued my interest. Plus a title like that is bound to generate some controversy (score 1 for marketing). I highly recommend reading their paper first before moving on and having your opinions colored by mine.

The ineffectiveness of user awareness training – I don’t agree…user awareness training should be a requirement for all organizations. Obviously if the checks fail then your training needs to be updated or restructured to be more impactful.

Some argue that you can effectively train the average user to be “secure” – be one with the password, become the token, know the malware – personally I think it is a losing battle. Security must be transparent to the end user; controls must be implemented that support security but do not inhibit the productivity of the average user.

The ineffectiveness of technology solutions – Someone who agrees with me.

Amrit thinks that user awareness training is a waste of time and money. I think he is wrong. I think ineffective user training is a waste of time and money. I also think that if we follow his line of thinking on this that we should abolish user training and all technology designed to secure our networks. After all we spend lots of time and money on them and they still have vulnerabilities that allow the bad guys access to our systems.

Evaluating Forensic Tools: Beyond the GUI vs Text Flame War – Very good points.

Each interface mechanism has its pros and cons, and when evaluating a tool, the interface mechanism used can make an impact on the usability of the tool. For instance, displaying certain types of information (e.g. all of the picture files in a specific directory) naturally lends itself to a graphical environment. On the other hand, it’s important to me to be able to use the keyboard to control the tool (using a mouse can often slow you down). The idea that graphical tools “waste CPU cycles” is pretty moot, considering the speed of current processors, and that much forensic work focuses on data sifting and analysis, which is heavily tied to I/O throughput.

Follow-up From a Company, Its CTO, and his people…

On my Suggested Blog Reading – Tuesday May 1st, 2007 post I received a rather pleasant note from Pravin Bhagwat, Chief Technology Officer of AirTight Networks, defending the AirTight technology that was slammed by David Maynor in his blog post here.

Not only did I receive the note but I also received a pleasant email from Della Lowe, Director of Public Relations for AirTight Networks confirming that I received the comment on my post. I was very impressed that the company, while running “damage control”, also took the time to track down the bloggers who mentioned the original article. Well done Google Alerts, I guess you’re not just for my vain self-searches anymore.

In my post I stated that David’s comments were a “good assessment” of the product’s capabilities. What I should have said was “good article but I’ll reserve judgment until I get a chance to try it myself.”

I’ve never been convinced that a wireless intrusion technology could work effectively but I’m certainly open to being proved wrong. Thank you AirTight for taking the time to contact the “little guy”….well maybe not “little”….I guess 6 foot 4, 300+ isn’t all that little 🙂
