Month: June 2007

Suggested Blog Reading – Wednesday June 13th, 2007

Running…out…of…steam…must…get…sleep…this…week.

Here’s the list:

FBI aims to disrupt bot masters – Well one is in Texas so maybe we’ll see some stiff jail time.

The FBI announced on Wednesday that an ongoing cybercrime initiative, dubbed Operation Bot Roast, has identified more than a million PCs compromised with bot software and resulted in charges against three people for violations of the Computer Fraud and Abuse Act.

Darknet Videos – I love this idea. People don’t always understand the importance of security unless you present it to them in a way they can relate to.

I was thinking that the darknet authors should create videos when they write about different tools… It should be fun to see presentations… and also would bring darknet more hits…
I made a video for my previous article, and uploaded it to youtube: stealth techniques – syn

Classified US Intel Accidentally Leaked via Powerpoint – If this isn’t a reason for implementing extrusion prevention policies I don’t know what is.

This is why these powerpoint slides should be made into .pdfs or flash presentations! The leak occurred via the data object used to create one of the slide graphs. Here’s the original article:

By reverse engineering the numbers in an underlying data element embedded in the presentation, it seems that the total budget of the 16 US intelligence agencies in fiscal year 2005 was $60 billion, almost 25% higher than previously believed.

10 reasons why the Black Hats have us outgunned – I think one of the items missing from the list is that it’s just not cool to be on the defensive. The perception has always been that being the blackhat cowboy is more fun than being the security pro sheriff.

So, you want to be a hacker? It’s as easy as…

Suggested Blog Reading – Tuesday June 12th, 2007

Waking up at 3am for no good reason is like getting punched in the face when you’re not looking. Those are my words of wisdom for the day. Talk amongst yourselves.

Here’s the list:

Why IT doesn’t really get security – Teach them a lesson. When they hand you their thumb drive kindly thank them and put it in your pocket 🙂

Since I’ve started my new job there have been four (4) different occasions where members of the IT staff have given me their USB thumb drives to transfer data to. These are guys that I work with daily but I don’t know them and they don’t really know me. One guy even gave me a U3 drive.

Teaching Viruses and Worms – I think this would be a very good class to teach in parallel with a course on ethics in IT.

Computer science students should learn to recognize, analyze, disable, and remove malware. To do so, they must study currently circulating viruses and worms, and program their own. Programming is to computer science what field training is to police work and clinical experience is to surgery. Reading a book is not enough. Why does industry hire convicted hackers as security consultants? Because we have failed to educate our majors.

Google Ranked Worst In Privacy – For a company that prides itself on a “do no evil” motto they don’t understand the concept of protecting their user base.

This is a non-technical post and completely my own opinion (as if you asked). I’m sure you all have seen this by now, in the news, on blogs, or even on Google’s employees’ sites but it’s time for me to discuss my view on Google’s recent ranking of the absolute worst privacy of the top 23 companies chosen for scrutiny by Privacy International in their latest report. They ranked lower than anyone else looked at, and the list included companies like Microsoft, eBay, Yahoo and MySpace.

Security Education Conference – Toronto (November 20-21, 2007) – I wonder if I’ll be able to get away to attend?

The Security Education Conference is unique to central Canada and provides an opportunity for IT professionals to collaborate with their peers and learn from their mentors. Held this year at the Metro Toronto Center in downtown Toronto, this conference runs two days and features Keynotes from North America’s most respected and trusted experts. Speakers are security professionals with depth of understanding on topics that matter. This conference is a must attend for every IT professional.

NY man pleads guilty to spamming AOL subscribers – Good…now change the venue to Texas and give him the chair.

Adam Vitale, 26, pleaded guilty in federal court in Manhattan to breaking anti-spam laws. He was caught making a deal with a government informant that sent spam e-mails advertising a computer security program in return for 50 percent of the product’s profits, prosecutors said.

“Defeating” Whole Disk Encryption, Part 3 – Part 3 in the series.

In Part One, we reviewed obtaining the last 16 characters of the PGP password from a computer that was live. In Part Two, we reviewed how to set up your VMware box so you can boot the image. In this post we will review the options for imaging the computer. Be forewarned, neither is a perfect solution.

Citrix buys Caymas NAC assets – Golden rule in the networking business…don’t be the only company at the buzzword party without the latest buzzword solution as your date.

Citrix is buying the assets of NAC vendor Caymas Systems, which is out of business and whose products have some overlap with Citrix’s SSL VPN products.

A spokesman for Caymas says the company’s assets have been bought by Citrix, but did not reveal the price. Citrix spokespeople could not be reached this morning for comment.

Router’s responses to port scans – Just in case you forget what it looks like 🙂

Recently I was trying to figure out what the various port states reported by Nmap really mean. This is what’s actually going on:

  • If a packet is intercepted by a router’s access-list, the router sends back an ICMP administratively prohibited packet. This is reported as a filtered port by Nmap (and probably as a stealth port by some other scanners).
  • If you do a TCP SYN scan of a router and the scanned port is not active, the router sends back a TCP RST packet. This is reported as a closed port.
  • If you perform a UDP scan of a router, the router sends back an ICMP port unreachable message if the UDP application is not active. This is reported by Nmap as a filtered port (even though in most cases it should be equivalent to a closed TCP port).
  • In some cases, the router simply doesn’t reply to UDP scans (for example, if you scan the discard service). This is reported as open|filtered (as the scanner cannot reliably determine whether the probe was dropped due to a filter or simply not replied to).
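As an added illustration (not code from the original post), here is a Python model of the scanner-side inference the list above describes: each router reply is mapped to the port state Nmap would report. It follows Nmap’s documented rules, including the ICMP type 3 codes behind “administratively prohibited” (code 13) and “port unreachable” (code 3); note that for a UDP scan Nmap documents a code 3 reply as closed, whereas the excerpt describes it as filtered. The `Reply` structure and the sample replies are constructed for this example.

```python
from dataclasses import dataclass

# ICMP type 3 (destination unreachable) codes relevant to scan interpretation.
ICMP_UNREACHABLE = 3
ICMP_PORT_UNREACH = 3            # code 3: no listener on that UDP port
ICMP_ADMIN_PROHIBITED = 13       # code 13: dropped by an access-list
ICMP_FILTER_CODES = {1, 2, 9, 10, 13}  # unreachable codes Nmap treats as filtering


@dataclass
class Reply:
    """Constructed summary of what came back for one probe."""
    proto: str            # "tcp", "udp", "icmp", or "none" (nothing before timeout)
    tcp_flags: str = ""   # e.g. "SA" for SYN/ACK, "RA" for RST/ACK
    icmp_type: int = -1
    icmp_code: int = -1


NO_REPLY = Reply("none")


def port_state(scan: str, reply: Reply) -> str:
    """Infer the Nmap port state for a 'syn' or 'udp' probe from its reply."""
    if reply.proto == "icmp" and reply.icmp_type == ICMP_UNREACHABLE:
        if reply.icmp_code in ICMP_FILTER_CODES:
            return "filtered"          # ACL/firewall blocked the probe (any scan type)
        if scan == "udp" and reply.icmp_code == ICMP_PORT_UNREACH:
            return "closed"            # host answered: nothing listens on that UDP port
        return "filtered"              # any other unreachable to a TCP probe
    if scan == "syn":
        if reply.proto == "tcp" and "R" in reply.tcp_flags:
            return "closed"            # RST means the port is reachable but not listening
        if reply.proto == "tcp" and "S" in reply.tcp_flags and "A" in reply.tcp_flags:
            return "open"              # SYN/ACK means a listener accepted the SYN
        if reply.proto == "none":
            return "filtered"          # silently dropped SYN: a filter, not a closed port
    if scan == "udp":
        if reply.proto == "udp":
            return "open"              # the service itself answered
        if reply.proto == "none":
            return "open|filtered"     # silence is ambiguous for UDP (e.g. discard)
    return "unknown"


def classify_samples() -> dict:
    """Constructed replies matching the four router behaviours listed above."""
    samples = {
        "acl-blocked tcp/23": ("syn", Reply("icmp", icmp_type=3, icmp_code=13)),
        "inactive tcp/80": ("syn", Reply("tcp", tcp_flags="RA")),
        "inactive udp/161": ("udp", Reply("icmp", icmp_type=3, icmp_code=3)),
        "udp/9 discard": ("udp", NO_REPLY),
    }
    return {name: port_state(scan, r) for name, (scan, r) in samples.items()}
```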

Suggested Blog Reading – Monday June 11th, 2007

I think we’re going to play the “how much golf can Andrew get in this week” game. 🙂

Here’s the list:

Introduction to Antispam Practices – Interesting read.

According to research conducted by Microsoft and published by the Radicati Group, the percentage held by spam in the total number of emails sent daily has been constantly growing since 2005. As a result, spam is expected to represent 77% of emails sent worldwide by 2009, amounting to almost 250 billion unsolicited emails delivered every day.

PHPIDS Released – I wonder how effective this will be?

This has been in development for quite a while, but the intention is to react (more like an IPS than an IDS) to potential attacks. From the site:

The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to.

It’s all about Network Flow – I’m a big fan of NetFlow in corporate environments. It becomes quite useful when you run out of span ports or don’t have the money for a passive flow collector or expensive tap. I haven’t had a chance to try out silktools but I look forward to giving it a shot.

It is undeniable that all other projects are interesting too, but that doesn’t make my point here and I have no time to check them out yet. The main reason why I’m looking into silktools is because it also offers a wide range of analysis tools like argus does. Instead of just doing flow data collection, one can perform in-depth analysis on the netflow data using the analysis tools that are packed with silktools. But again I found out all these great tools come with complexity and that blows away a lot of newcomers.

And the answers please… – Hey did you do last night’s homework? Can I take a look? I just want to check my answers….

@tlas and his gang do a fantastic job walking through each of the challenges, and a lot can be learned from just taking a look. Even better, they managed to pry the challenge source code out of Kenshoto’s hands (a feat they managed to pull off before I did) and have it posted, so that nearly the entire scenario can be recreated for ownage pleasure in your very own home. So go give it a look, you’ll learn a bunch.

Emerging Information Security Threats, 2007 – I can’t remember the last time Lenny posted something on his blog. I was starting to think the RSS feed was broken. Very good article though. Well worth the wait 🙂

As organizations erect barriers to protect their data, attackers are unleashing new ways of finding and exploiting weaknesses. The threat landscape is one of professional, highly skilled online criminals who create, buy or trade advanced tools that allow them to steal confidential company data, disrupt business operations or snatch logon credentials and other personal information. The teen-aged script kiddies who focused on compromising systems for fame and game are receding into the distant past. Today’s profit-minded attackers are more likely to carry a briefcase than a skateboard.

Managing expectations – a valuable skill and worth the time – This is a key skill in any business. I wish that the burger jockeys at the local fast food joint would take the time to understand this concept. Good post Michael!

One of the biggest things I have learned since I have been in IT is that you have to develop the skill of managing customer expectations (to clarify, the term “customer” means the people for whom you are doing your job – clients, users, etc.). If your customer believes you can perform a service that you cannot, then you have not done a good job in managing expectations, and you will likely end up disappointing him and hurting the professional relationship.

February 2007 Root Server Attacks – A Qualitative Report – Very good analysis and notes.

During the ISP Security BOF at NANOG 40 last week in Bellevue, Washington, John Kristoff of Neustar Ultra Services provided a nice summary of what actually occurred during the February 6/7, 2007 DNS attacks.

He began by providing a summary of the considerable amount of misinformation provided about the attacks, with his personal favorite being an article titled UltraDNS attack targeted G and L root servers (1st Update). I suppose I can see how such a title might prove a bit misleading. From there, John noted some of the more useful information provided at the time, and in particular that from a lightning talk at NANOG 39 by Dave Knight at the tail end of the attacks.
