Month: April 2007

Quick and Dirty VPN over SSH

A colleague of mine sent me a cool little command to create a “quick and dirty vpn over ssh”:

It’s a quick and dirty vpn over ssh and only requires that ssh and pppd are installed on each end (generally true for Linux and *BSD).

pppd updetach noauth passive pty "ssh -x -P 123.45.2.55 -l root sudo pppd nodetach notty noauth proxyarp" 192.168.0.65:192.168.0.66 && route add -net 192.168.0.64/26 dev ppp0

Although this has been around for a while, it does allow for an ad-hoc virtual private network without the need to install any special VPN software.
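A parameterised version of the one-liner, added here as an example that is not part of the original post or the colleague's command: it checks the tunnel addresses before building the command, and generates the sudoers and authorized_keys entries that confine the remote side to running pppd instead of logging in as root with unrestricted sudo. The account name vpnppp, the pppd path and the peer address 203.0.113.10 are assumed placeholders.

```sh
#!/bin/sh
# Added example, not part of the original post: build the pppd-over-ssh one-liner
# from parameters, and generate the remote-side restrictions the one-liner omits
# (the post logs in as root and lets that account run anything via sudo).
# Assumed/placeholder names: tunnel account "vpnppp", pppd at /usr/sbin/pppd.
set -eu

# Return 0 if $1 is a well-formed dotted-quad IPv4 address, 1 otherwise.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the local-side command.
# Args: peer host, ssh login, local ppp address, remote ppp address, route CIDR.
# noauth is acceptable here only because ssh has already authenticated both ends.
build_vpn_cmd() {
    host=$1 login=$2 lip=$3 rip=$4 net=$5
    valid_ipv4 "$lip" && valid_ipv4 "$rip" || return 1
    printf 'pppd updetach noauth passive pty "ssh -x %s@%s sudo /usr/sbin/pppd nodetach notty noauth proxyarp" %s:%s && route add -net %s dev ppp0\n' \
        "$login" "$host" "$lip" "$rip" "$net"
}

# sudoers entry for the peer: the tunnel account may run exactly this pppd
# invocation as root and nothing else (replaces "-l root" in the post).
build_sudoers_line() {
    printf '%s ALL=(root) NOPASSWD: /usr/sbin/pppd nodetach notty noauth proxyarp\n' "$1"
}

# authorized_keys entry for the peer: the key is pinned to the pppd command and
# cannot be used for a shell, a pty, or any ssh forwarding. $1 is the public key.
build_authorized_key() {
    printf 'command="sudo /usr/sbin/pppd nodetach notty noauth proxyarp",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' "$1"
}

# Stand-alone demo with constructed values (203.0.113.10 is a documentation address).
if [ "${1:-}" = "demo" ]; then
    build_vpn_cmd 203.0.113.10 vpnppp 192.168.0.65 192.168.0.66 192.168.0.64/26
    build_sudoers_line vpnppp
    build_authorized_key "ssh-ed25519 AAAA...placeholder vpnppp@peer"
fi
```

Run with `demo` as the only argument to print all three pieces; the sudoers and authorized_keys lines go on the peer, the pppd command runs locally.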

Suggested Blog Reading – Tuesday April 24th, 2007

Well, my wife is heading to New York with work for 3 months so I guess I’ll have lots of time to read and blog. One of the downsides to her leaving for the next 3 months is that I won’t have a chance to head to a major city to sit for my CISSP exam until the fall. Perhaps this is a good thing as now I can enjoy my spring/summer and work on my horrible golf score 🙂

Here’s today’s list:
Vulnerabilities Are Not Marketing Fodder – I don’t agree with TippingPoint holding out but the funding for the prize had to come from somewhere…

I was a huge fan of the hack a mac (pwn to own) contest at CanSecWest last week. But I was only a fan because I, like many of us, wanted to see a point proven to the Apple Macintosh users that they suffer from the same security concerns that the rest of us do. I think that point has been proven.

U.S. Army team wants second chance at hacker contest – We’ll do better this time…..we promise…no foolin’

A team of U.S. Army hackers will attend the Hack In The Box (HITB) Security Conference 2007 in Kuala Lumpur later this year, seeking redemption after falling short at a hacker competition in Dubai earlier this month, the conference organizer said Tuesday.

Techm4sters Releases ProTech Security Distribution – I’ll have to check this out.

– Is this like Nubuntu? It is similar, yes! But we wanted something friendlier to the end-user and so we tried a different approach and tested new tools. You’ll see that there are many differences amongst them. Many ideas have been taken from NUbuntu as well as other security distributions to try to make the most complete, reliable and easiest tool for your use. I hope you can appreciate our work.

XSS Attacks book — Congrats on the book Jeremiah! Hopefully he’ll let me review it 🙂

At long last, we put the finishing touches on our new book (XSS Attacks), the cover art, and sample chapter (including ToC). It’ll be sent to the printers May 5 and shipped a few days after. Woohoo!

Russinovich: Malware will thrive, even with Vista’s UAC – Wait…you mean a shiny new product won’t solve all of my problems?

Despite all the anti-malware roadblocks built into Windows Vista, a senior Microsoft official is lowering the security expectations, warning that viruses, password-stealing Trojans and rootkits will continue to thrive as malware authors adapt to the new operating system.

Follow the Bouncing Malware: Day of the Jackal – Funny story or scary story? You be the judge?

Otte Normalverbraucher leaned back in his chair, stretched and yawned. It was nearing midnight, and now that he stopped to think about it, he realized that he was going to be very tired when his alarm clock went off in the morning.

SMTP Authentication Update – You can invent all the technologies in the world but unless people use it it’s useless (remember Betamax?)

Opinion: It’s about 2 and a half years since the standards bodies threw up their hands and left SMTP authentication to the industry. Implementation progress has been slow but positive. And there have been some surprises.

Suggested Blog Reading – Friday April 20th, 2007

I apologize for not having any weekend updates but the weather was far too nice to sit at my computer. Going forward I will probably not have an update on Saturday and may only post one on Sunday if there is some good quality news that can’t wait for Monday. Here is the list for today (including some from Saturday and Sunday):

Nirbot Neutered?

Nirbot’s been a huge source of another set of attacks we’ve been tracking in the past few months, as well, the Symantec AV realtime VirusScan attack on TCP ports 2967 and 2968. Given that Nirbot’s involved in that, we would expect to see a similar drop in attack activity at about the same time and, sure enough, we do.

Apple Safari 0Day Demonstrated

According to the contest rules the OSX box was fully patched and the exploit had to require no user intervention. This first attack “owned” the OSX box with user privileges but under the contest rules that was all the exploit had to do. The second OSX box is still up for grabs and for that one a new exploit has to be used and the flaw must lead to a root level compromise.

LLTD – Link Layer Topology Discovery Protocol

Gomor released a LLTD (Link Layer Topology Discovery Protocol) implementation written in Perl (using Net::Frame framework).

CanSecWest RoundUp

It was a great week in Vancouver, Canada. It began with some really good instructional classes that the CanSecWest guys call Dojo Sessions then moved into some excellent and not so excellent presentations. Here is my breakdown of each day and what talks I thought were the best, the worst and why.

Reverse engineering with a VM

In a previous comment, Tim Newsham mentions reverse engineering an application by running it in a VM. As it so happened, I gave a talk on building and breaking systems using VMs a couple years ago. One very nice approach is ReVirt, which records the state of a VM, allowing debugging to go forwards or backwards. That is, you can actually rewind past interrupts, IO, and other system events to examine the state of the software at any arbitrary point. Obviously, this would be great for reverse engineering though, as Tim points out, there haven’t been many public instances of people doing this. (If there have, can you please point them out to me?)

Noisy Decloaking Methods

Yesterday while I was helping Jeremiah with his forced basic auth cookie testing he asked a good question, which is how you can better de-anonymize users through alternative methods. Some of the initial thoughts he had wouldn’t work, but the first thing that popped into my head was FTP and Gopher. Using out of bound methods to make TCP or UDP connections to a monitoring site is an easy way to correlate users (compared with time).

NetSecAnalyst: The Handbook

My initial idea is to have all my blog posts regarding usages of network security tools included and packaged into the book, but I realize that this won’t make it a good book for a Network Security Analyst. I have had more thoughts about the book lately, hence I can’t have it shipped sooner. There are four primary sections for the book which I think are very important for network security analyst wannabes.

Understanding Stealth Malware

Ever wondered whether Blue Pill really works or was just a PR stunt? Ever wanted to see how practical various timing attacks against it are? (And can even those “unpractical” ones be cheated?) Or how many Blue Pills inside each other you can run and still be able to play your favorite 3D game smoothly? Or how deep Alex can hook into Windows NDIS to bypass your personal firewall? Do you want to see Patch Guard from a “bird’s eye view” perspective? Or do you simply want to find out how well the latest Vista x64 kernel is protected? Ever wondered how rootkits like Deepdoor and Firewalk really worked? You can’t sleep, because you’re thinking constantly about how Blue Pill-like malware can be prevented? Does Northbridge hacking sound sexy to you? 🙂

Spider Trap For Stopping Bots

David Naylor (a semi-reformed SEO Blackhat) has an interesting writeup on how to stop badly behaving robots from spidering your site. I would hardly call this technique new (I’ve seen these scripts in one form or another for nearly a decade). However, it’s a good primer for anyone who runs a big website and who is otherwise powerless to stop people from doing it.

what I learned a few weeks ago: http request smuggling

Recently I saw an HTTP Request Smuggling alert fly past my IPS. It turned out to be a false positive, but led me down the path of figuring out what that attack actually was. This was one of the bigger things I learned that week. Coincidentally, almost that same day, I browsed backlog quiz questions from Palisade and came across one about HTTP Request Smuggling. Whoa!

PCI: Is Compliance Really the Goal?

I think that really is the goal for larger merchants, but I’m not so sure about the smaller ones. I can’t help thinking that for a smaller merchant, the cost of compliance would often exceed the cost of simply outsourcing the card processing such that PCI no longer applies. To be fair, I haven’t done the serious research to determine whether that’s true, but given the implementation time lines referenced in the article, it seems plausible. It’s also possible that there aren’t outsourcing services that really meet the needs of smaller merchants.
