Month: December 2007

Suggested Blog Reading – Saturday December 29th, 2007

I finally broke down and purchased a copy of Microsoft Office 2004 for my Mac. “Why 2004?” you might ask? Well there’s a deal on now that if you purchase Office 2004 you’ll get a free upgrade to 2008 when it’s launched in mid-January. I can’t pass that up 🙂

Here is the list:

Diversification and Security – Very informative article which discusses, among other things, how the U.S. Army is shifting its IT infrastructure over to Macs and how this is not a bad thing.

Not to give the false impression that there is an Apple on every desk in the army. In fact, Wallington estimates around 20,000 of the Army’s 700,000 or so desktops and servers are Apple-made. He estimates that about a thousand Macs enter the Army’s ranks during each of its bi-annual hardware buying periods. The development of the software should help clear one barrier to Apple desktop deployment.

Jonathan Broskey, a former Apple employee who now heads the Army’s Apple program, argues that the Unix core at the center of the Mac OS makes it easier to lock down a Mac than a Windows platform. Whether you accept Broskey’s statement or not, it is certain that the Mac OS will face growing targeted attacks. An end-of-year data security wrapup by F-Secure highlights the growing number of attacks targeting Apple systems with malicious software. To quote from the report, “at the start of 2007 — our number of malware detections equaled a quarter-million. At the end of 2007, the estimates are to be equal to half-a-million.”

NIST releases final draft of FISMA guidance – Get it while it’s hot 🙂

The National Institute of Standards and Technology has released the final public draft of a framework that will assist agencies create the security assessments mandated by the Federal Information Security Management Act (FISMA).

Copies of Draft Special Publication 800-53A, “Guide for Assessing the Security Controls in Federal Information Systems,” can be downloaded from the NIST site. NIST expects to publish the final edition in March.

Follow-up on using unicornscan for a big scan (400,000+ public IPs) – I’m glad someone has been stress testing this tool. Also interesting is Tate’s comment on them switching to unicornscan as their primary tool for large job scanning.

We performed a sweep of 400,000+ public IPs across multiple continents by configuring the scans to do a full TCP port scan of each IP, sustained ~55 Mbits/s using between 3 and 5 systems, and completed it in a matter of days.

This is pretty good considering by sending two SYN probes per port it meant sending ~52.5 billion packets and producing some 3 Terabytes of data.

Nmap is often our preferred tool, and we used it to spot check our results with unicornscan, but from now on it will come down to the details of the gig to make the choice.

Black Hat USA 2007 Video and Audio Podcasts now live – I like the RSS feed format that they used to present these audio and video podcasts.

Black Hat USA 2007 was a great success, and the presentations were wider-ranging than ever. As part of our ongoing effort to spread useful security knowledge everywhere, we offer video of the entire Briefings roster free online. If by chance you didn’t make it to the event in Las Vegas, or if you attended and missed some talks you wanted to see, subscribe to the podcast feed linked here and get your fill. If what you see here piques your interest, consider attending our upcoming conferences – in DC in February, Amsterdam in March and returning to Vegas in August.

TEMPEST by Chris Gates – How about a paper on TEMPEST security? I find that you don’t see as many of these kinds of papers as you should. Perhaps TEMPEST security just isn’t as “sexy” as compliance, hacking, etc.?

TEMPEST is said to stand for ‘Telecommunications Electronics Material Protected From Emanating Spurious Transmissions’ but I also found: ‘Transient Emanations Protected From Emanating Spurious Transmissions’, ‘Transient Electromagnetic Pulse Emanation Standard’, ‘Telecommunications Emission Security Standards’, and several similar variations on the theme. But there is no official meaning for TEMPEST; it is more the name of the phenomenon than an acronym.

How do these “intelligence-bearing emanations” occur? Basic electromagnetic theory tells us that electromagnetic fields occur as current flows through a conductor. A conductor can be anything metal (your power cord, your CAT5 cable, your phone cord, etc). How does your CAT5 cable pass data? In a simple explanation, current is pushed along the wire and the data goes with it; the more current pushed down the wire and the longer the wire the greater potential for these “emanations” because of growing electromagnetic fields.

“Big money! Big prizes! I love it!” – I agree with Tate on this one. The attackers are certainly the winners here.

Speaking of big money, the commercial exploit market’s growth isn’t making it any easier to bid on penetration test gigs. If you want to provide the highest assurance you’re capable of to clients, then of course you would like to have your hands on all the exploits out there, both public and private.

Establishing a Practical Routine for Reviewing Security Logs – The good thing about Anton being on vacation is that I beat him to commenting about others’ log management posts 😉

The term security information management (SIM) refers to the discipline of collecting and analyzing security events to detect or investigate malicious activities. Essential to this process are the individuals who review the gathered data and decide whether the events constitute an incident and should be escalated. Information security logs that are not regularly reviewed are hardly useful and can be a liability to an organization.
Sometimes reviewing security logs can be fun. Don’t get me wrong—sifting through mounds of data to identify the notable events is not always my favorite pastime. However, the pursuit of correlating seemingly unrelated events, determining the cause of an unusual alert or detecting an intrusion at its onset can be pretty rewarding.
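The “correlating seemingly unrelated events” part of that routine is where the payoff is, so here is an added example (mine, not from the linked post) of the kind of check a reviewer would otherwise do by eye: it walks a handful of constructed sshd and sudo lines, remembers recent failed logins per source address, flags a successful login that follows a burst of failures from the same address, and then flags a sudo-to-root by that same account shortly afterwards. Thresholds, window sizes and the sample lines are all assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data), in the classic syslog/sshd/sudo format.
SAMPLE_LOG = """\
Dec 29 03:12:01 bastion sshd[4411]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Dec 29 03:12:03 bastion sshd[4413]: Failed password for invalid user oracle from 203.0.113.7 port 51530 ssh2
Dec 29 03:12:05 bastion sshd[4415]: Failed password for root from 203.0.113.7 port 51541 ssh2
Dec 29 03:12:06 bastion sshd[4417]: Failed password for root from 203.0.113.7 port 51544 ssh2
Dec 29 03:12:09 bastion sshd[4419]: Accepted password for backup from 203.0.113.7 port 51550 ssh2
Dec 29 03:12:40 bastion sudo:   backup : TTY=pts/2 ; PWD=/home/backup ; USER=root ; COMMAND=/bin/bash
Dec 29 08:15:22 bastion sshd[5120]: Failed password for alice from 198.51.100.9 port 40210 ssh2
Dec 29 08:15:30 bastion sshd[5122]: Accepted password for alice from 198.51.100.9 port 40214 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_events(text, year=2007):
    """Turn raw syslog lines into event dicts; lines we do not understand are skipped.
    syslog timestamps carry no year, so the caller supplies one."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        prog, msg = m["prog"], m["msg"]
        if prog == "sshd":
            s = SSH_RE.match(msg)
            if s:
                events.append({"ts": ts, "type": "ssh", "outcome": s["outcome"],
                               "user": s["user"], "src": s["src"]})
        elif prog == "sudo":
            s = SUDO_RE.match(msg)
            if s:
                events.append({"ts": ts, "type": "sudo", "user": s["user"],
                               "target": s["target"], "cmd": s["cmd"]})
    return events


def review(text, fail_threshold=3, fail_window=timedelta(minutes=2),
           sudo_window=timedelta(minutes=10)):
    """Correlate login failures, the login that follows them, and later privilege use.
    Returns a list of findings worth escalating (assumed thresholds, tune to your site)."""
    findings = []
    failures = defaultdict(list)   # source address -> timestamps of recent failures
    suspicious = {}                # user -> (source, login time) of a flagged login
    for ev in sorted(parse_events(text), key=lambda e: e["ts"]):
        if ev["type"] == "ssh":
            src = ev["src"]
            # Drop failures that fell outside the sliding window.
            failures[src] = [t for t in failures[src] if ev["ts"] - t <= fail_window]
            if ev["outcome"] == "Failed":
                failures[src].append(ev["ts"])
            elif len(failures[src]) >= fail_threshold:
                findings.append({"rule": "login_after_bruteforce", "src": src,
                                 "user": ev["user"], "failures": len(failures[src]),
                                 "ts": ev["ts"]})
                suspicious[ev["user"]] = (src, ev["ts"])
        elif ev["type"] == "sudo" and ev["target"] == "root":
            sess = suspicious.get(ev["user"])
            if sess and ev["ts"] - sess[1] <= sudo_window:
                findings.append({"rule": "root_sudo_after_suspicious_login", "src": sess[0],
                                 "user": ev["user"], "cmd": ev["cmd"], "ts": ev["ts"]})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f["ts"].isoformat(), f["rule"], f["user"], f["src"])
```

Run against the sample, the single failure before alice’s login stays below the threshold and is ignored, while the backup account’s login after four failures from 203.0.113.7 and its sudo to root half a minute later both come out as findings. The point is that neither line is alarming on its own; it is the sequence, kept in a little per-source state, that makes the event notable.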

The MAC Daddy – Great post from Harlan on how to find the MAC address on a system image.

I received a question in my inbox today regarding locating a system’s MAC address within an image of a system, and I thought I’d share the response I provided…

Deleted Apps – Another great post from Harlan. I’m convinced that neither of us really took vacation over the holidays 🙂

As Windows performs some modicum of tracking of user activities, you may find references to applications that were launched in the UserAssist keys in the user’s NTUSER.DAT file. Not only would you find references to launching the application or program itself, but I’ve seen where the user has clicked on the “Uninstall” shortcut that gets added to the Program menu of the Start Menu. I’ve also seen in the UserAssist keys where a user has launched an installation program, run the installed application, and then clicked on the Uninstall shortcut for the application.
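Since Harlan’s post is about reading those UserAssist entries, here is an added example of decoding them. It is my own code, not Harlan’s. The value names in the Count key are ROT13-obfuscated, and the value data on XP-era systems is assumed here to be the 16-byte layout described publicly (session id, run count stored with an offset of 5, and a FILETIME of the last run); Vista and later changed the layout, so the parser refuses anything that is not 16 bytes. The three sample values are constructed to mimic the install, run, then “Uninstall” shortcut sequence described above.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# A FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - _EPOCH_1601) // timedelta(microseconds=1)) * 10


def decode_userassist_name(name):
    """UserAssist value names are stored ROT13-encoded, e.g. 'HRZR_EHACNGU' -> 'UEME_RUNPATH'."""
    return codecs.decode(name, "rot_13")


def parse_userassist_xp(data):
    """Assumed XP-era 16-byte layout: session id, run count (stored as count + 5),
    FILETIME of the last run. Other sizes belong to newer Windows versions."""
    if len(data) != 16:
        raise ValueError("expected a 16-byte XP-era UserAssist value")
    session, stored_count, ft = struct.unpack("<IIQ", data)
    return {
        "session": session,
        "run_count": stored_count - 5 if stored_count >= 5 else stored_count,
        "last_run": filetime_to_datetime(ft) if ft else None,
    }


def userassist_timeline(values):
    """values: (raw_name, raw_data) pairs as read from the Count key.
    Returns decoded entries ordered by last-run time, i.e. a mini timeline."""
    entries = []
    for raw_name, raw_data in values:
        entry = parse_userassist_xp(raw_data)
        entry["name"] = decode_userassist_name(raw_name)
        entries.append(entry)
    return sorted(entries, key=lambda e: e["last_run"] or _EPOCH_1601)


def _value(session, run_count, when):
    """Pack a value the way XP would store it; used only to build the sample below."""
    return struct.pack("<IIQ", session, run_count + 5, datetime_to_filetime(when))


UTC = timezone.utc
# Constructed sample: ROT13 names exactly as they would appear in the hive.
SAMPLE_VALUES = [
    (r"HRZR_EHACNGU:P:\Cebtenz Svyrf\Rknzcyr\Frghc.rkr",
     _value(3, 1, datetime(2007, 12, 20, 15, 30, tzinfo=UTC))),
    (r"HRZR_EHACNGU:Havafgnyy Rknzcyr.yax",
     _value(4, 1, datetime(2007, 12, 21, 9, 5, tzinfo=UTC))),
    (r"HRZR_EHACNGU:P:\Cebtenz Svyrf\Rknzcyr\Rknzcyr.rkr",
     _value(3, 3, datetime(2007, 12, 21, 8, 50, tzinfo=UTC))),
]

if __name__ == "__main__":
    for e in userassist_timeline(SAMPLE_VALUES):
        print(e["last_run"].isoformat(), e["run_count"], e["name"])
```

Sorted by last-run time the three entries read as Setup.exe, then Example.exe run three times, then the Uninstall shortcut, which is exactly the kind of story the post says these keys can tell even after the program itself is gone.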

Suggested Blog Reading – Tuesday December 25th, 2007

I hope everyone is enjoying their holidays. I decided to take some time off from my guests to post another SBR.

Here is the list:

How to Spy Using Van Eck Phreaking – Great video showing Van Eck Phreaking. If you’re unfamiliar with the concept it looks like something out of a James Bond movie. A description of Van Eck Phreaking can be found at the related Wikipedia entry:

Van Eck phreaking is the process of eavesdropping on the contents of a CRT display by detecting its electromagnetic emissions. It is named after Dutch computer researcher Wim van Eck, who in 1985 published the first paper on it, including proof of concept.

Four new papers from the SANS Information Security Reading Room:

A Christmas Packet Challenge – In case you need a break from your guests you can take some time away and rip through some packets.

There is no better Christmas gift, that I can think of to give, than one that involved packets. It’s been a while since I posted a packet challenge, but I couldn’t let Christmas go by without posting one. So for all you fellow packet heads out there, here is one for you to spend your holidays pondering. This challenge is different from last year, so let me tell you the rules for solving this one.

From description to exploit – Great explanation of the work flow used to discover and categorize an exploit.

Every once in a while I get an opportunity to work on a “known” vulnerability, but with very little or even no available technical details. These known vulnerabilities tend to be “known” just to their finder and to the vendor that fixed the vulnerability. We know they exist because an advisory is published, but not much more than that.
From the point where the vulnerability got fixed, no one (researcher or vendor) has any interest in disclosing the vulnerability details – as it is no longer interesting – leaving security researchers with insufficient information to confirm whether this vulnerability affects anyone else beside the specific vendor – and specific vendor version.

Perl Scripting Book – Harlan just released his latest book on Perl Scripting for IT Security. Check it out! 🙂

Perl Scripting for IT Security is not a follow-on or companion to my previous book, Windows Forensic Analysis. Rather, it goes more into showing what can be done, and how it can be done, in the world of Incident Response and Computer Forensics Analysis using an open-source solution such as Perl. The book, in part, shows that with a little bit of knowledge and skill, we are no longer limited to viewing only what our commercial forensic analysis tools show us.

Nikto 2 Released – Web Server Scanning Tool – Cool!

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Nikto is not designed as an overly stealthy tool. It will test a web server in the shortest timespan possible, and it’s fairly obvious in log files. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).

Here are a few security papers for you to check out:

VizSEC 2008 Call For Participation – Work with the visualization of security? Why not check out the CFP?

As a result of previous VizSEC workshops, we have seen both the application of existing visualization techniques to security problems and the development of novel security visualization approaches. However, VizSEC research has focused on helping human analysts to detect anomalies and patterns, particularly in computer network defense. Other communities, led by researchers from the RAID Symposia, have researched automated methods for detecting anomalies and malicious activity.

The theme for this year’s workshop, which will be held in conjunction with RAID 2008, will be on bridging the gap between visualization and automation, such as leveraging the power of visualization to create rules for intrusion detection and defense systems. We hope that VizSEC participants will stay for the RAID Symposium and RAID participants will consider coming a day early to participate in VizSEC.

Fierce 1.0 – I haven’t checked it out yet but I plan on it 😉

Okay, it’s about time. I am finally releasing Fierce 1.0 as a production ready DNS enumeration tool. What does that mean? It means it works. We have now gotten rid of all the kinks that made me think that it was crippled in a way that made me not want to rely on it. So what was fixed? Well, thanks to Jabra we have now patched fierce so that when it does a zone transfer it continues working, in the off chance that someone messes with the zone transfer to fool fierce into stopping before it sees the real output. Alas, it was a small but important issue to fix.

Enabling NetFlow on Virtual Switches – Use VMWare? What about an NBAD solution? Ever wanted to collect flow information from your virtual switches? Well now you can.

NetFlow is a general networking tool with multiple uses, including network monitoring and profiling, billing, intrusion detection and prevention, networking forensics, and SOX compliance. NetFlow sends aggregated networking flow data to a third-party collector (an appliance or server). The collector and analyzer report on various information such as the current top flows consuming the most bandwidth in a particular virtual switch, which IP addresses are behaving irregularly, and the number of bytes a particular virtual machine has sent and received in the past 24 hours.
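To make the collector side of that concrete, here is an added example of what the “analyzer” end actually does with what the virtual switch exports. It is my own code, not VMware’s or any collector product’s: it unpacks a NetFlow v5 datagram (24-byte header followed by 48-byte flow records, the standard v5 layout) and then produces two of the reports the excerpt mentions, the top flows by bytes and the bytes each host sent and received. The datagram is constructed in the block from four made-up flows so it runs offline; in practice you would read it from the UDP socket the collector listens on.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval  (24 bytes, big-endian)
V5_HEADER = struct.Struct("!HHIIIIBBH")
# NetFlow v5 record: src, dst, nexthop, input, output, dPkts, dOctets, first, last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2  (48 bytes)
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(datagram):
    """Parse one NetFlow v5 export datagram into a list of flow dicts."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"header announces {count} records but datagram length disagrees")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in, _out, pkts, octets, first, last,
         sport, dport, _pad, flags, proto, _tos, *_rest) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
                      "sport": sport, "dport": dport, "proto": proto, "flags": flags,
                      "pkts": pkts, "octets": octets, "first": first, "last": last})
    return flows


def top_flows(flows, n=3):
    """The 'top flows consuming the most bandwidth' report."""
    return sorted(flows, key=lambda f: f["octets"], reverse=True)[:n]


def bytes_per_host(flows):
    """Bytes each address sent and received across the flows given (e.g. the last 24 hours)."""
    stats = defaultdict(lambda: {"sent": 0, "received": 0})
    for f in flows:
        stats[f["src"]]["sent"] += f["octets"]
        stats[f["dst"]]["received"] += f["octets"]
    return dict(stats)


def _record(src, dst, sport, dport, proto, pkts, octets):
    """Pack one v5 record; used only to construct the sample datagram below."""
    return V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0\0\0\0",
                          1, 2, pkts, octets, 1000, 2000, sport, dport,
                          0, 0x18, proto, 0, 0, 0, 24, 24, 0)


# Constructed sample flows: (src, dst, sport, dport, proto, packets, octets)
SAMPLE_FLOWS = [
    ("10.0.1.20", "10.0.1.10", 51000, 443, 6, 1200, 1_500_000),
    ("10.0.1.10", "10.0.1.20", 443, 51000, 6, 900, 9_000_000),
    ("10.0.1.30", "203.0.113.5", 40000, 6667, 6, 30, 2_000),
    ("10.0.1.30", "203.0.113.5", 40001, 6667, 6, 20, 1_500),
]
SAMPLE_DATAGRAM = (V5_HEADER.pack(5, len(SAMPLE_FLOWS), 3_600_000, 1_198_900_000, 0, 1, 0, 0, 0)
                   + b"".join(_record(*f) for f in SAMPLE_FLOWS))

if __name__ == "__main__":
    flows = parse_netflow_v5(SAMPLE_DATAGRAM)
    for f in top_flows(flows):
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}  {f['octets']} bytes")
    for host, s in bytes_per_host(flows).items():
        print(host, s)
```

Two things worth noting from the parser: the length check against the header’s record count matters because a collector that trusts the count blindly will read past the datagram, and the records carry only aggregates (packets, bytes, first/last timestamps, flags), so anything you want to know about payloads has to come from somewhere else.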

Suggested Blog Reading – Friday December 14th, 2007

I really apologize to my readers for not updating my blog in a while but I’ve been trying to focus all of my time and effort on my book. I’ll do my best to try and keep-on-postin’ 😉

Here is the list:

Regulatory Compliance Q&A – This is very interesting. I plan on checking this out since regulatory compliance has such a large impact on my day to day work.

We just opened a new topic area in our online forum. Dr. Heather Mark, who did her PhD work in Public Administration and Public Policy, will be leading the Regulatory Compliance track.

Cyber-crime–More Lucrative Than Drugs?? – I believe it. With drug trafficking, based on what I see in movies and read in the media, there are too many middlemen to make it truly profitable unless you are at the top of the food chain. With cyber-crime there tends to be very few people between the attacker and the target and, I would imagine, even less outsourcing of work. Plus, cyber-crime, when compared to drug trafficking, is a relatively new concept in the world of crime. That being said, there are far fewer people dedicated to the apprehension of the cyber-criminal than there are for drug traffickers.

Recently, the assistant secretary for Cyber-security at the Dept. of Homeland Security made some startling comments about the dangers of online crime. “We’re all at risk of attack,” he announced, and added that Cyber-crime is threatening our infrastructures. He also said it exceeds the drug trade.

Scanning those other wireless technologies beyond 802.11abg – Great post by Michael Dickey with some very good information about some powerful tools.

Josh Wright earlier this year posted a couple wireless security papers which are quite valuable. First he talks about wireless framing; basically a blitz through how wireless 802.11 works. There is also a paper about 5 wireless threats we may not know about. In the list, Wright mentions 802.11n (Greenfield mode) and Bluetooth rogue APs. I think scanning for rogue APs using kismet is becoming fairly common in concerned organizations (or by concerned geeks anyway). But how does one begin to scan to find these other wireless technologies?

Windows Remote Desktop Heroes and Villains from the SANS Information Security Reading Room.

Announcing – Microsoft Bloggers Network! – Excellent idea from Mitchell Ashley to bring Microsoft bloggers together under one banner.

I’ve started reading many more blogs related to Microsoft since joining Network World where I now blog about topics related to Microsoft and the broader industry. So, it naturally made sense to create a network for blogs covering Microsoft topics.

Botnets linked to political hacking in Russia – Yep…well…I’m not surprised 🙂

Botnets orchestrated by Russian hackers are reckoned to have been used to fire up the Estonian attacks. Involvement of elements from the Russian government is suspected by some, though there’s nothing by way of evidence that the Kremlin had a hand in the assaults.

Nazario, a senior security researcher at Arbor Networks, has documented how botnets have featured in more recent politically motivated DDoS events. Attacks on the Ukrainian pro-Russian site of the Party of Regions, a party led by the Ukrainian Prime Minister Viktor Yanukovych, over the last three months were traced by Nazario back to networks of compromised machines.

BackTrack 3 Beta out! – I’ve been waiting for this for quite some time. I can’t wait for the final revision.

Max Martin and I are ecstatically happy to announce that Backtrack 3 Beta is available for download.

We are all suffering from lack of sleep – we will make a public announcement about this tomorrow.

nmap-4.50.tgz is out – Time to update your nmap version 🙂

This is the first stable release since 4.20 (more than a year ago), and the first major release since 4.00 almost two years ago. Dozens of development releases led up to this. Major new features since 4.00 include the Zenmap cross-platform GUI, 2nd Generation OS Detection, the Nmap Scripting Engine, a rewritten host discovery system, performance optimization, advanced traceroute functionality, TCP and IP options support, and nearly 1,500 new version detection signatures. More than 300 other improvements were made as well.

Breaking News: Successful SCADA Attack Confirmed – Mogull Is pwned! – Great story! This is what happens when security geeks get bored. Note to self – Don’t “Hassle The Hoff (C)”

Rich and I are always IM’ing and emailing one another, so a few days ago before Rich left town for an international junket, I sent him a little email asking him to review something I was working on. The email contained a link to my “trusted” website.

The page I sent him to was actually trojaned with the 0day POC code for the QT RTSP vulnerability from a couple of weeks ago. I guess Rich’s Leopard ipfw rules need to be modified because right after he opened it, the trojan executed and then phoned home (to me) and I was able to open a remote shell on TCP/554 right to his Mac which incidentally controls his home automation system. I totally pwn his house.

How to Do Database Logging/Monitoring “Right”? – Great post Anton. With compliance requirements on everyone’s minds these days, database security has jumped to the forefront as a primary security concern.

So, people sometimes ask me about how to do database logging/auditing/monitoring and log analysis right. The key choice many seem to struggle with for database auditing and monitoring is reviewing database logs vs sniffing SQL traffic off the wire. Before proceeding, please look for more background on database log management, auditing and monitoring in my database log management papers (longer, more detailed – shorter)

NIST working on new method for finding software bugs – It’s worth a shot since reviewing code and following common sense programming practices doesn’t appear to be cutting it.

Researchers at the National Institute of Standards and Technology and the University of Texas at Arlington hope to release for beta testing next month a tool to help spot possible problems in complex software.

FireEye will generate tables of tests to look for adverse reactions that can cause applications to crash. Because crashes can be caused by unexpected interactions between large numbers of configurations, testing possible configurations can be prohibitively costly and time consuming. The project has reduced the number of parameters that need to be tested to a manageable level, and FireEye will calculate which possible combinations need to be tested for an application.
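The idea behind “calculating which possible combinations need to be tested” is combinatorial testing: most configuration-interaction bugs are triggered by the interaction of a small number of parameters, so instead of every full combination you generate a much smaller set in which every pair (or triple, etc.) of parameter values appears at least once. As an added example, and my own code rather than anything from the NIST tool, here is a greedy pairwise (2-way) generator for a small, made-up configuration space. It enumerates every full combination as a candidate and repeatedly picks the one covering the most still-uncovered pairs, which is fine for a demo but is exactly the exponential enumeration that real tools avoid by building each test column by column.

```python
from itertools import combinations, product

# Constructed configuration space: 3 x 3 x 2 x 2 = 36 full combinations.
PARAMS = {
    "os": ["Windows", "Linux", "MacOS"],
    "browser": ["IE", "Firefox", "Safari"],
    "auth": ["password", "smartcard"],
    "tls": ["on", "off"],
}


def all_pairs(params):
    """Every (param_a=value, param_b=value) pair a 2-way covering set has to hit."""
    pairs = set()
    for a, b in combinations(list(params), 2):
        for va in params[a]:
            for vb in params[b]:
                pairs.add(((a, va), (b, vb)))
    return pairs


def pairs_in(test, names):
    """The pairs one concrete test case exercises."""
    return {((a, test[a]), (b, test[b])) for a, b in combinations(names, 2)}


def pairwise_tests(params):
    """Greedy pairwise generation: keep choosing the full combination that
    covers the most uncovered pairs until nothing is left uncovered.
    Terminates because every pair occurs in at least one candidate."""
    names = list(params)
    uncovered = all_pairs(params)
    candidates = [dict(zip(names, values))
                  for values in product(*(params[n] for n in names))]
    tests = []
    while uncovered:
        best = max(candidates, key=lambda t: len(pairs_in(t, names) & uncovered))
        tests.append(best)
        uncovered -= pairs_in(best, names)
    return tests


def covers_all_pairs(tests, params):
    """Check that a test set really is a 2-way covering array for params."""
    names = list(params)
    covered = set()
    for t in tests:
        covered |= pairs_in(t, names)
    return all_pairs(params) <= covered


if __name__ == "__main__":
    tests = pairwise_tests(PARAMS)
    print(f"{len(tests)} pairwise tests instead of "
          f"{len(list(product(*PARAMS.values())))} exhaustive ones")
    for t in tests:
        print(t)
```

For this space there are 37 distinct pairs and at least 9 tests are needed (the two 3-valued parameters alone force 3 × 3 combinations), so the greedy set lands somewhere between 9 and the 36 exhaustive runs while still guaranteeing that every pair of settings has been executed together at least once. Triple coverage (3-way) is the same construction with triples in place of pairs and grows the set accordingly.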
