Month: April 2007

Suggested Blog Reading – Sunday April 15th, 2007

Well, today was the first day back at the gym since I hurt my foot and I must say it felt good to get out and get moving. Now for the suggested reads…

Student charged with hacking school computers

A Mauldin High student has been charged with violating the state Computer Crime Act, after telling police he accessed personal data in the Greenville County school district’s computer network to show the district how easy it is to do, according to a warrant and incident report.

Who Moved My Packet?

Getting up at 4:30 am on a Sunday morning in order to chase down packets is not my idea of fun. Unfortunately that is exactly what I found myself doing today.

XMagic to Find Processes

Brendan Dolan-Gavitt wrote in and pointed me to his fine collection of XMagic definitions. With the help of these patterns and a config file (Brendan provides a sample) FTimes can pull some information about processes from a memory dump.

Drive Encryption

One of the challenges posed by Vista to traditional forensic analysis is the use of BitLocker to encrypt data on the hard drive. However, this really isn’t any different from other similar technologies such as PGP, etc., that already allow encryption of files, partitions, or drives.

Exaggerated Insider Threats

In brief, this report defends the insider threat hypothesis only in name, and really only when you cloak it in “organizational ineptitude” rather than dedicated insiders out to do the company intentional harm.

Dear Mr. Blizzard

It’s not that I don’t trust my wife and kids, it’s that I don’t trust the Internet. 99% of the stuff my family needs to do doesn’t need admin privileges. WHY DOES WARCRAFT III?

Free WiFi in Airports and Public Hotspots

Recently while traveling I noticed a hot spot and wanted to surf the internet. Once I connected to the AP I had seen that they wanted to charge me $8 per day to surf the internet. I thought that was just too much money for a quick internet connection, and my layover between flights was about 3 hours. I decided to see what I could access while connected to their AP.

Packet Fragmentation

Many people associate fragmented packets with an attack against a network. While that is quite often true, it is not always the case.

Data Storage Must Be Secured to Protect Privacy

Oftentimes privacy breaches occur because the access controls are not configured appropriately for databases, or inadequate processes weren’t even established to protect data within the network perimeter. Too many organizations still focus almost all of their efforts on securing the typically highly fuzzy and porous perimeter to the exclusion of other highly vulnerable areas. Many incidents can be prevented by putting more attention and time into securing the data storage areas.

Compliance is a Business Issue

Annual loss expectancy (ALE) is the yearly cost of security breaches to a company, including fines for non-compliance, which is calculated by taking the single loss expectancy (SLE) and multiplying it by the number of occurrences in a year (ARO = Annual Rate of Occurrence). If ALE exceeds the cost of securing against ALE, why bother, right?

Suggested Blog Reading – Saturday April 14th, 2007

I’m planning a lazy Saturday this weekend since I spent two days last week driving for 12 hours each day. Perhaps I’ll catch up on some reading 🙂

The reading…

When IPS isn’t enough

Yesterday I blogged about how useful IPS tech is and today I’m going to blog about how it isn’t enough. How’s that for being conflicted!

White House Missing Five Million Emails

The White House has “lost” roughly five million emails from 2003 to 2005, according to a report (.pdf) yesterday by watchdog group Citizens for Responsibility and Ethics in Washington (CREW).

FISMA Dogfights

Imagine if FISMA was the operational theme guiding air combat. Consultants would spend a lot of time and money documenting American aircraft capabilities and equipment. We’d have a count of every rivet on every plane, annotated with someone’s idea that fifty rivets per leading edge is better than forty rivets per leading edge. Every plane, every spare part, and every pilot would be nicely documented after a four to six month effort costing millions of dollars. Every year a report card would provide grades on fighter squadrons’ FISMA reports.

The Forensic Felons: The Next Generation of Cyber Thieves

The new thieves care less about quiet entrances because they intend to meticulously clean the crime scene before they leave. They’re not just covering their tracks—they’re erasing them.

U.S. Government Contractor Injects Malicious Software into Critical Military Computers

This is just a frightening story. Basically, a contractor with a top secret security clearance was able to inject malicious code and sabotage computers used to track Navy submarines.

When is a security researcher (white hacker) a journalist?

The analogy is that of a journalist who uncovers fraud, misuse, bad quality, etc. in products (one example is poisonous food for cats) and informs the public: is he liable to be sued for damages by the company making the food?

Notes On Vista Forensics, Part One and Part Two

In part one of this series we looked at the different editions of Vista available and discussed the various encryption and backup features which might be of interest to forensic examiners. In this article we will look at the user and system features of Vista which may (or may not) present new challenges for investigators and discuss the use of Vista itself as a platform for forensic analysis.

House-trash party girl blames ‘hackers’

An English teenager whose house was trashed after she posted a party invite on MySpace has blamed computer hackers for the gatecrashing debacle.

An example of why human effort is helpful when assessing web applications

It can take some digging to discover if you’ve successfully injected any code into a web application. I was using the ALL-FUZZ-STRINGS that comes with Suru (added additional strings from sources like ha.ckers.org XSS Cheat Sheet) to run through a list of popular input validation attacks.

More info on the Windows DNS RPC interface vulnerability

Some more information for the community regarding the Windows DNS RPC vulnerability that we have been reporting on http://isc.sans.org/diary.html?storyid=2627. We have knowledge of a successful attack that occurred on April 4, 2007. This appears to be an opportunistic attack (instead of a targeted attack).

Dungeons and Dragons and Networks

This editorial on Dungeons & Dragons & Networks talks about how the boundaries present in both network troubleshooting and the D&D play format promote creativity, while tasks with less boundaries are more difficult.

Mainstream Media is Figuring Out The Industries New Disclosure Dilemma

We’ve all been debating the legal and ethical issues, but it doesn’t change the fact that we’re going to lose the canary-in-the-coal-mine aspect of information security. Does that mean we’re going to have to rely on compliance rather than community peer review? Eeesh!

Top 10 IT priorities at the DoD

The U.S. Department of Defense is expected to spend an estimated $23.5 million this year on IT — the most of any federal agency — according to market research firm Input.

Windows Sec and User Tools

There are a few tools that I would like to try out, but they are only available on the Windows platform. Guess I need to install Windows in VMware for testing. I haven’t really touched anything on Windows lately except for Windows Server 2003.

Suggested Blog Reading – Friday, April 13th, 2007

Friday the 13th…cue ominous music…

Just when I thought winter was over Mother Nature shuffled the deck and dealt Fredericton another snow storm. We received about 15cm (~6in) in a 7 hour period. An hour away in St. John they only received 2cm (0.8in) which was quickly washed away by the rain that followed. I’m not sure how that’s fair, nor how it relates to security, but I had to rant about it.

Some interesting things happened this Friday, including the reports of a Zero-day RPC flaw in Microsoft DNS, details on the new Storm virus, an interesting article on “Top 10 Unusual Excuses Given for Losing Customer Data”, and a great paper on manipulating FTP clients using the PASV command.

Zero-day RPC flaw in Microsoft DNS

According to David Maynor of Erratasec, a zero-day exploit against Microsoft DNS server is being seen in the wild. This affects the most up-to-date Windows Server 2000, 2003, and 2003 R2 for all service packs. This is somewhat unusual for Microsoft’s DNS service because it’s been rock solid for many years without any DNS server flaws. Fortunately the attacks seem to be limited because this vulnerability isn’t normally exposed to the Internet on a properly configured firewall. I’ll also show you how to protect your Microsoft DNS servers below.

EXE/ZIP e-mail viruses (editorial)

Remember Bagel? It was just a couple years ago when a very similar set of viruses was making the round. Bagel arrived as a plain .exe, waiting for a gullible user to double click and execute it. It later, very much like the new “Storm” virus, used an encrypted ZIP file.

FISMA 2006 Scores

If I sound bitter, it’s because I’ve seen my taxpaying dollars wasted for the past five years while various unauthorized parties have their way with these agencies. FISMA is not working.

Spam Attack: Zipped Trojan

Security Response has seen a large spam run of what appears to be the latest in the line of Trojan.Peacomm variants. While this is nothing new, this time around the attachments are in the form of password-protected zip files. The recipient is being coerced into unzipping the attachment with the included password, then running the unzipped file, to counteract activity related to an unknown worm (with which the recipient has undoubtedly been infected).

Top 10 Unusual Excuses Given for Losing Customer Data

Keeping data secure is no easy task and requires constant vigilance. Turn your back for just a moment and just like Keyser Söze — POOF — it’s gone. All that’s left then is the dubious task of explaining to your customers why their credit card information or patient data is missing.

Insuring data breaches

Tech//404, a new venture by insurance company Darwin, sells insurance for losses due to technology and security failures. And they now publish a “Data Loss Archive”, a sort of repository of horrible acts of corporate data theft (it has potential, but so far it only has a number of recent events and really should have an RSS feed).

I *heart* my IPS

Last year I vowed to do whatever I could to get myself weaned off as much dependence on Microsoft patches as I could. To wit: I started purchasing IPS and UTM devices for our offices. The main offices got the IPS units behind the beefcake firewalls and the satellite offices got UTM devices in lieu of a firewall. I also aggressively ramped up our HIPS deployment to try to get as close to 100% of our laptops covered as possible.

Bury WEP already – WEP R.I.P.

The WEP patient has been on life support for too long. Zero brain activity. Everyone agrees WEP should never be used now that WPA-PSK ships in all wireless equipment.

It’s the Data, Stupid!

Good medicine addresses root causes; bad medicine merely addresses symptoms. Likewise, good risk management methodologies address root causes; bad risk management merely addresses symptoms.

Mobile Malware Landscape?

Vulnerabilities like draining my battery? Maybe I’m goofy, but I tend to think that these sorts of articles have that “cry wolf” impact on real vulnerability/malware articles. How do we know if we can really expect an increase in Threat Events if articles like these are used to make up for a “slow news day”?

Manipulating FTP Clients Using the PASV Command

This paper discusses the FTP client flaw in detail and demonstrates how it can be used to attack common web browsers such as Konqueror, Opera and Firefox. Proof of concept code is presented that extends existing JavaScript port-scanning techniques to scan any TCP port from Firefox (even though it now implements “port banning” restrictions). Because of the way the same-origin policy is applied it is also possible to perform banner-grabbing scans against arbitrary hosts. Finally, for services that don’t return a banner an alternative fingerprinting technique is demonstrated which measures the time it takes servers to close inactive TCP connections.

Microsoft Bugs vs Features

I’m not sure if this is the result of IT security media contorting the information they receive and presenting it in a provocative way, or if Microsoft are really trying to blow off these bugs as part of their application design.

‘Storm Trojan’ biggest spam run this year

According to researchers at Postini Inc., the spam run is the largest in the last 12 months, and more than three times the volume of the two biggest in recent memory: a pair of blasts in December and January. “We’re seeing 50 to 60 times the normal volume of spam,” said Adam Swidler, senior manager of solutions marketing at Postini.

Bank Botches Two-Factor Authentication

Um, hello? Having a username and a password — even if they’re both secret — does not count as two factors, two layers, or two of anything. You need to have two different authentication systems: a password and a biometric, a password and a token.