I’m quite happy that the golf courses are starting to open up. In fact I think I’ll go tonight for 9 holes 🙂

Here’s the list for today:

Social Engineering & the Need for Awareness & Training: Fraudsters Are Calling Businesses Pretending to Be SEC Staff Members – Good angle of attack.

On May 10th the U.S. Securities and Exchange Commission (SEC) issued a press release warning that imposters were calling companies, claiming to be SEC examiners, and demanding “immediate access to confidential records.”

New Release of Libewf – Will have to give it a whirl…

The program library libewf supports the SMART and EnCase data formats which are widely used in disk imaging. The library compiles under Linux, *BSD, OS-X and Microsoft Windows. The latest version was released on May 12, 2007 by its authors Robert-Jan Mora and Joachim Metz.

Filipino Cybersleuth Named World’s Best For 2007 – That’s quite the honor. I wonder if he’ll be talked into leaving for a position in North America?

A Filipino cybersleuth was awarded the world’s best computer investigator for 2007 by an international organization of computer forensics experts.

Alexander Ramos, a computer forensics analyst with the Philippine National Police, was awarded the 2007 Timothy Fidel Memorial Award by organizers of the Computer Enterprise Investigations Conference for his work in cracking down a hacking group that preyed on telecommunications networks worldwide.

VoIP Security Testing Tools List from VoIPSA – I find it funny how big VoIP testing is these days. I wonder if consultants are starting to see an influx of requests for VoIP related security engagements.

This list was developed to address the current void of VoIP security testing resources and sites, for vendors and VoIP users alike. It is separated into the following seven broad categories:

* VoIP Sniffing Tools
* VoIP Scanning and Enumeration Tools
* VoIP Packet Creation and Flooding Tools
* VoIP Fuzzing Tools
* VoIP Signaling Manipulation Tools
* VoIP Media Manipulation Tools
* Miscellaneous Tools
The key objectives of the list are as follows:
1. Provide links to tools that help test the efficacy of implemented best practices outlined by VOIPSA’s Best Practices Project.
2. Facilitate the open discussion of VoIP security tool information to help users better audit and defend their VoIP devices and deployments.
3. Provide vendors the information needed to proactively test their VoIP devices’ ability to function and withstand real-world attacks.

Forensic Laws – Quite a few comments materialized from this post.

I mentioned a concept or idea in my book, but I wanted to follow up on it a bit…I believe to be a theorem. Okay, maybe not a theorem (there’s no math involved), so how about a law. Let’s call it the First Law of Computer Forensics. Yeah, yeah…that’s the ticket! Kind of like “Murphy’s Law”.

Using Rootkits to Defeat Digital Rights Management – Well written article.

The Sony rootkit debacle highlighted the use of rootkits to prevent pirates and authors of CD burning, ripping, and emulation utilities from circumventing Digital Rights Management (DRM) restrictions on access to copyrighted content. It’s therefore ironic, though not surprising, that several CD burning and disc emulation utilities are also using rootkits, though the technology is being used in the opposite way: to prevent DRM software from enforcing copy restrictions.

Because PC game CDs and DVDs do not need to be compatible with set-top players software vendors can store data on media in unorthodox ways that require software support to read it. Attempts to make a copy of such media without the aid of the software results in a scrambled version and the software has DRM measures to detect and foil unauthorized copying.

Introduction to Identity Management – Part III – The third, and final part, in the Identity Management series.

Mergers and acquisitions tend to grow IT organizations horizontally. Companies such as Johnson and Johnson or Proctor and Gamble may have dozens of divisions that developed as the result of such activity. The challenge of integrating processes and personnel is big enough without trying to force a common directory environment. In these cases, the Meta Directory shines. As we mentioned early, today’s LDAP products are incredibly flexible in their ability to synchronize with AD, Novell, and other LDAP directories. By leveraging this capability, an organization can maintain a common Meta Directory that contains information from every business unit, without ever changing the way that business unit operates. Something as simple as a company Whitepages can scale very easily to include new divisions using this method.

F.R.I.D.A.Yay!!!!!

Here’s the list for today:

Do we need 100Gbps IPS? – I don’t see why we wouldn’t but it sounds like Alan’s main problem is the profitability of the company, not the product itself.

To me this is just a classic case of my marbles are bigger than your marbles. This boys and their toys mentality may be great for NASCAR racing, but this kind of folly will I think continue to drag down the bottom line over at 3Com. Who are they going to sell a 100Gbps IPS to and how many can they buy. I disagree with Masri that 100Gbps is at the core of enterprise networks. I can understand being out in front of a market, but when you haven’t been profitable for 6 years and as the article points out because of the financial structure involved in the H3C partnership buyout, allocations of expenses make it harder to show profitability, can you afford to chase white elephants.

PPT Metadata – Sounds like a good script. I haven’t quite made it to chapter 5 yet 🙂

I received an email recently asking if I had any tools to extract metadata from PowerPoint presentations. Chapter 5 of my book includes the oledmp.pl Perl script, which grabs OLE information from Office files; this includes Word documents, Excel spreadsheets, and PowerPoint presentations. I’ve run some tests using this script, and pulled out things like revision number, created and last saved dates, author name, etc.

Why Security Pros Use Macs – Interesting points. I purchased my MacBook so that I could have the power of Unix with the usability of Windows (without the frequent crashing).

Laptops are tools. You use them to provide a service to a vast array of clients. What tool is going to enable you to multi-task the best, save you time, and serve the broadest possible customer base?

Snort 3.0 licensing – Marty chimes in on the recent Snort 3.0 licensing.

If you want to know what Snort 3.0’s licensing language is going to be, try reading it. It’s available in the first Snort 3.0 pre-alpha release I did last month and we’re using the GPL. Apparently it was hard to locate because it was in a file called COPYING instead of one called LICENSE. The origin of naming the license file COPYING comes from the FSF as I recall and is typical of most GPL projects. Anyway, to avoid further confusion (and so I can tell people to look at my blog if it comes up!) I’ll post the preamble that we added to the COPYING file before the GPL license language in Snort 3.0 right here

Blogging on corporate laptops is risky business – …..as I blog this from my work laptop during my lunch break 🙂

When employees fire up their company-issued mobile devices at home or at the airport, they often use the technology for both business and personal pursuits like blogging. According to one industry expert, it’s a very dangerous trend.

Hardware Security Modules: part I – the basics – The quality of articles from these guys never cease to amaze me.

HSMs and PKI are pretty big subjects, and putting every piece of information about them into a blog post would make it fairly unreadable. What follows is therefore a basic primer of information you will need to understand before I go any further with the meat of the issue, which I hope will be expanded on arising from any questions that people may have. If you know this already, great stuff, we’ll pick up on the actual HSMs tomorrow.

Removal Instructions for Trojan.Kardphisher – Tuck this one away in case you get infected.

In the blog entry MS Needs Your Credit Card Details?, we detailed the behavior of the Kardphisher Trojan, which “attempts to steal credit card numbers by tricking the user into entering their credit card details to activate Windows.” This entry explains how to remove the Trojan.

Again I let the post slip to noon. Must be the nice weather outside 🙂

Here’s the list for today:

Bots on the Corporate LAN I agree with his comment in the article: “So it’s obvious that there are bots on corporate networks, but it’s not obvious how serious a problem it is.” Until a massive outbreak happens to your organization most will continue to consider a bot infestation something that happens on “other organizations” networks.

Opinion: Of course bots exist on corporate networks, but how big a problem are they? It could be that nobody knows.

People like me, who write about security, are flooded with reports on the state of malware. They’re often valuable enough and say interesting things, but on certain points they are invariably, and infuriatingly, vague.

Retailers haven’t learned from TJX – still running WEP – I guess my above statement applies to this as well 🙂

When I blogged earlier this week about TJX’s failure to secure their wireless LAN and how it may end up costing TJX a billion dollars, I knew that it was merely the tip of the iceberg with so many retailers still running WEP encryption. As if WEP wasn’t already broken enough, WEP is now about 20 times faster to crack than in mid-2005 when TJX’s WEP-based wireless LAN was broken and I knew from experience that most retailers were still running WEP. I decided to stroll through town and check on some of the largest retail stores in the country to see how they’re doing today. The reason I looked at the large retailers is because they’re the big juicy targets with millions of credit card transactions that the TJX hackers love. What I found was truly disturbing and I’m going to tell you what I found.

More on Snort 3.0, GPL and derivatives – Word on the street is that Marty was saying some things in the IRC channel that a man in his position shouldn’t have been saying.

In response to my post yesterday a few comments (you can click on the right column to see them) have responded that as GPL, there is nothing really changing with Snort 3.0, Sourcefire in order to “avoid misunderstandings” is defining what they consider to be a derivative work. I think therein lies the rub. What Sourcefire is saying is that if you want to do a front end for Snort, you can do so and just point people to snort.org to download Snort which will run separate and apart from the front end (lets not even talk about rules for the moment).

Forensics in the Enterprise – I was sent an demo copy of EnCase v5 but I never got around to playing with it.

I had the opportunity last night to attend a demo of Guidance Software’s EnCase Enterprise product. I use the standalone version of their product, EnCase Forensic already, and the Enterprise edition looks like an interesting extension.

EnCase Forensic runs on a single Windows workstation and allows you to image suspect hard drives and conduct detailed analysis on their contents. It’s got a number of handy features built in, like the ability to do keyword searches, extract web viewing history and identify email messages. Pretty nice, and it makes most common forensic tasks a breeze.

How To Back Up MySQL Databases Without Interrupting MySQL – Good bit of information to have.

This article describes how you can back up MySQL databases without interrupting the MySQL service. Normally, when you want to create a MySQL backup, you either have to stop MySQL or issue a read lock on your MySQL tables in order to get a correct backup; if you don’t do it this way, you can end up with an inconsistent backup. To get consistent backups without interrupting MySQL, I use a little trick: I repplicate my MySQL database to a second MySQL server, and on the second MySQL server I use a cron job that creates regular backups of the replicated database.