Month: April 2007

Blogs I Read: The Security Catalyst

The next blog on the “blogs I read” list is The Security Catalyst. From the ‘About’ page:

Get engaged and prepare to be entertained as expert on security and the protection of information and professional speaker Michael Santarcangelo (and friends) takes a refreshingly direct but entertaining (and easy to follow) look at the important issues in how we think about and protect our information assets.

From discussing the basics of securing your home computer in an easy-to-understand manner to preparing you to make the right choices in your important projects, the Security Catalyst has you covered. Our goal is to make your job easier and allow you to be more effective (check out our programming improvements for 2007 below).

The Security Catalyst is designed and produced in a way to provide value to security professionals, interested business professionals and even consumers. Security happens easier when the ‘catalyst’ is involved. Listen today and improve the way you practice information security. Plus, earn valuable CPE credits by listening (or even guest writing!).

I first saw this blog mentioned in a post referencing the Security Catalyst Community Forums, of which I am a proud member.

Pros:
– Provides podcasts for professionals and a “family security series” for all computer users
– Qualified list of contributors that produce quality content
– Associated forum that is open to all security professionals and is very active

Cons:
– Not as frequently updated as most sites but the content makes up for the lack of updates

Conclusion:
5 stars – A great blog, community forum, and podcast resource. I strongly encourage everyone to join the Security Catalyst Community.

Suggested Blog Reading – Monday April 30th, 2007

Well, it’s the last day of April (can’t believe it!) and I’m stuck at home with the flu. I hadn’t been sick all winter so I guess I was due.

Here’s the list for today:

A Safer Apple Experience per Grandma Roberts

In these days where everyone is getting worked up over OS X vulnerabilities it’s somewhat easy to not know quite how to respond. I love my grandmother partially because even though she may not read all the warnings on SANS Internet Storm Center or read John Gruber’s surprisingly enjoyable and fair interview with Dino Dai Zovi, she will email me anything she sees on CNN.com or gets via email about computer security. It’s really quite touching and means a lot that she cares enough to take an interest in what I do.

Addressing Privacy: There Will Never Be a Technology-Only Solution Because of the Human Factors Involved – I completely agree.

I’ve written about this many times, but it is worth repeating many times more: technology alone will not solve a company’s information security, privacy or compliance challenges and requirements. The human factor is significant and must be addressed.

Friday Quickies – April 27, 2007 – I don’t agree with Rothman’s declaration that SIM is dead. Just because a vendor adds log management, an important data point when performing incident handling, doesn’t mean that they’re grasping at straws. As he said in his own article…the space is “evolving”.

SIMs not dead, eh? – Then why is almost every SIM vendor announcing a dedicated log management appliance? NetForensics is the latest (NetForensics press release) and they also extended their monitoring capability to databases (another NetForensics release). How many more data points do we need about the evolving SIM space before we can finally start shoveling dirt on it?

Video: Exploring Metasploit 3 and the New and Improved Web Interface – Part 1 – Make sure you turn down your volume as the music is A LITTLE LOUD FOR WORK!!!!

In this video we explore the revised MSFWeb interface for the Metasploit Framework 3.0. We specifically take a look at running auxiliary modules against a server running MSSQL, and then we’ll take a look at using the MSFweb GUI to run the idq exploit with the meterpreter payload. What is unique about the idq bug is that it will NOT give you administrator or system on the box, but you can use the rev2self command in meterpreter to elevate your privileges from IUSR_MACHINENAME to SYSTEM. While we’re at it, we also dump the hashes using hashdump for a little extra fun.

Video: Exploring Metasploit 3 and the New and Improved Web Interface – Part 2 – Part 2 (and the music isn’t as loud this time)

In this video we explore the revised MSFWeb interface for the Metasploit Framework 3.0. We specifically take a look at running “browser” exploits where you have to get the victim to connect back to your listening Metasploit instance. We’ll use the ie_createobject exploit via the MSFweb GUI, and then we’ll use the wmf_setabortproc exploit using the built-in msfconsole (a new addition in MSFWeb 3.0). We’ll also take a look at using custom meterpreter scripts; first to see if the victim is running in VMware and second, to clear the event logs.

Something New To Look For – Danger…danger…

So, what’s this all about? Remember how some malware tries to shut off AV software or the Windows Firewall? Well, the script that Hogfly found uses reg.exe to set all of the values (except the first one) to 0, and effectively shuts down any error reporting, which is essentially a visual notification that something is wrong on the system.

CSIRTM resources online – I’ll have to make time in the coming days to read through this white paper.

As part of the preparations for a new graduate course in CSIRTM to be offered to students as an elective in the Norwich University Master of Science in Information Assurance (MSIA) program, I put all my articles together into an edited white paper on the subject and added some new material.

Protected but Owned: My Little Investigation – Good write-up with screen captures.

Check out my write-up here. It is about my investigation of a desktop protected by various security software, but 0wned nonetheless. And to those paranoids who are dying to ask a question “Was this my own system?” I can give a resounding “NO!” 🙂

Movie Time: DNS Changer trojan – Grab your popcorn…it’s MOVIE TIME!

Adam Thomas in our malware research labs took a video of a Trojan DNS Changer a while back. This is a piece of malware that uses rootkit technology and changes your Windows DNS settings. Its purpose is to redirect your search results in popular search engines.

Log Management Summit Wrap-Up – I’ll have to go to this some day.

My favorite presentation on Monday, though, was Chris Brenton’s talk, entitled Compliance Reporting – The Top Five most important Reports and Why. As you know, I’ve been doing a lot of work recently on NSM reports, and although log reporting isn’t quite the same, the types of things that an analyst looks for are very similar. I got some great ideas which may show up in my Sguil reports soon.

Suggested Blog Reading – Friday April 27th, 2007

Ahhhh….Friday!

Here’s the list for today:

Introduction to Identity Management – Part II – A topic that is on everyone’s mind.

Before we delve any deeper into IDM, we should take a moment to acknowledge three “interim solutions” to the IDM problem that have supported IT for many years. Each of these solutions was designed to support centralized credentials for a specific class of system.

Student evades Cisco NAC; gets suspended – Should the student be suspended for bypassing the default setting on the device that the Administrator left unchanged?

The exploit was the work of a sophomore who was suspended for doing it, and further use of the weakness has been blocked by changing a setting on the Cisco Clean Access box involved, according to Cisco.

NY teen hacks AOL, infects systems – That’s quite the list of alleged exploits.

In a complaint filed in Criminal Court of the City of New York, the DA’s office alleges that, between December 24, 2006 and April 7, 2007, 17-year-old Mike Nieves committed offenses like computer tampering, computer trespass and criminal possession of computer material.

Bot Infections Surges to 1.2 Million – Something needs to be done.

The number of compromised computers that are part of a centrally controlled bot net has tripled in the past two weeks, according to data gathered by the Shadowserver Foundation, a bot-net takedown group.

The weekly tally of bot-infected PCs tracked by the group rose to nearly 1.2 million this week, up from less than 400,000 infected machines two weeks ago. The surge reversed a sudden drop in infected systems – from 500,000 to less than 400,000 – last December.

Project Honey Pot Files Massive Anti-Spam Suit Against Millions of IP Addresses – I guess that’s one tactic.

An anti-spam organization that collected millions of spam messages sent to fake email addresses seeded on volunteers’ websites and blogs filed a lawsuit against every spammer who harvested those addresses and spammed them. The suit, filed in the Eastern District of Virginia, seeks more than $1 billion in damages. The suit names John Doe defendants based on their IP addresses.

Pen-test cost versus being sued – No one wants to pay the money up front…but they typically regret it after the fact.

I had to laugh, well kind of anyways, when I saw the following article. Reason being is that I have had clients in the past balk at the cost of my per diem, and by extension the pen-test that I was contracted for. Well, if you factor in the cost of a class action lawsuit, or simple litigation, guess which is by far cheaper. Much as I stated to the client, my fee, while four figures, is a heck of a lot less than being sued for not practicing due diligence. Having a yearly pen-test or vulnerability assessment done is no longer an option, but a business necessity.
