I spoke with Ryan Narine last night about my ethical obligations towards shutting down botnets if I had, or had somehow obtained, the power to. I basically equated the prospect to “vigilante justice” and took the moral high-ground on the topic. I don’t believe that individuals should be solving this issue on their own. Ryan mentioned that we’ve been doing the exact same thing for years and botnets are worse than ever (paraphrasing). Regardless, we, as private citizens, do not have the right to invade others privacy to do what we think is best for them. My quote from the article:
Andrew Hay, product manager at Q1 Labs, a network security management company, said the concept of tampering with a user’s machine without consent, even if it’s to remove malicious software, is “ethically questionable.”
“I couldn’t in good conscience send any command to a machine without the user’s knowledge and approval,” Hay said. “Ethically speaking, we just can’t make that decision regardless of if it’s right or whether it’s the best thing to do for the good of the Internet.”
The full article can be seen online here (my part is the last two paragraphs on the second page).
I really apologize for not posting a SBR post since February but I was a touch burnt out. Now that I’m back from vacation, expect to see more frequent posting (I promise this time…no fooling).
Striving For PCI DSS Log Management Compliance Also Helps To Identify Attacks From The Outside – I haven’t read through the entire article yet but, from what I did read, it looks quite promising. I may do a full post in response to the key points in the coming days.
The second paper in my series on PCI DSS log management compliance, “Using PCI DSS Compliant Log Management To Identify Attacks From The Outside” is now available.
And, as I’ve been blogging about over the past few days, log management is about much more than systems; it is about the entire management process, and the need to have policies, procedures and address the ways in which personnel review and know how to interpret the logs.
Expanding Government Liability for Data Breach – I think “damages” are probably due to be redefined.
An interesting decision came down last week by U.S. District Court for the District of Columbia that could potentially change the financial liability of data breaches by government agencies and private corporations. For the first time, the district court held that government employees who claimed that a data breach by the Transportation Service Agency (TSA) caused them harm have a valid cause of action against the government. Recent rulings in state courts have dismissed claims for lack of merit based on insufficient proof of emotional harm or financial damage.
SANS Internet Storm Center Starts Monthly Podcast – Wow this is cool. I’m glad that this is happening.
If you dont have the time or interest to read about the latest IT security news the SANS.org podcast or some of the other security podcasts might help you keep up.
CEH/CPTS Certification != competent pentester – Tools are only good in the hands of people who are trained to use them but tools, combined with experience, will always produce superior results.
Bottom line, tools are just tools, they help humans get jobs done. They aren’t and shouldn’t be the only thing used on a pentest. The other point is experience is king, granted the original poster is getting experience, but giving CORE to a brand new tester is not going to help them get better. there is a reason A LOT of subjects are taught the hard way first then you get taught “the shortcut.” Oh, and passing a multiple choice test is not a real demonstrable measure of ability.
Network IDS & IPS Deployment Strategies from the SANS Information Security Reading Room
Solera V2P Tap – It was only a matter of time until someone invested this. I personally think that this is a great, and very useful, invention.
It looks like Solera Networks built a virtual tap, as I hoped someone would. I mentioned it to Solera when I visited them last year, so I’m glad to see someone built it. I told them it would be helpful for someone to create a way for virtual switches to export traffic from the VM environment to a physical environment, so that a NSM sensor could watch traffic as it would when connected to a physical tap.
What’s new in vulnerability management? – Curious what’s happening with your vulnerability management solution? Have a read.
For too long the vulnerability management vendors have been quiet. In fact the whole sector has taken on the “mature” label which seems to indicate there is no new innovation happening. Recently though we have seen some new announcements in this area. Also, Gartner should have a new marketscope due out soon.
The Top 10 Security Events of 2008 – Were you “where it was at”?
The event season is here, bringing a flood of security-related conferences, seminars, trade shows and other gatherings designed to help business owners and managers learn how to better protect their IT environments. Here’s a quick rundown of the top 10 events coming up in 2008. And check out theIT Security blog for live blogging and event updates.
Windows Server 2008 Security Events Posted – Awesome! Here is the link to the spreadsheet: http://www.microsoft.com/downloads/details.aspx?FamilyID=82e6d48f-e843-40ed-8b10-b3b716f6b51b&DisplayLang=en
Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy category and subcategory for your reference.
Check it out in the Knowledge Base.
Even better, they documented all the events in spreadsheet format, and that’s propagating to the Microsoft Download Center. I’ll publish the link when it’s online.
Loads.CC Bot Still Live, Still Targeted – More info about the Loads.CC bot that you should probably check out.
Enough has been written about the Loads.CC team to probably give you enough of a picture that you need to know. Some reports suggested they went away, but they didn’t. They’re still active. See these reports by RBN exploit, CIO magazine, 2-viruses.com, this PC Week article by Scott B, and Adam T for a good background. The team is still quite active.
Instead of my usual “blogging frenzy” machine gun blast of short posts, I will just combine them into my new blog series “Fun Reading on Security.” Here is an issue #1, dated April 18, 2008.
Let me introduce you to the six dumbest ideas in computer security. What are they? They’re the anti-good ideas. They’re the braindamage that makes your $100,000 ASIC-based turbo-stateful packet-mulching firewall transparent to hackers. Where do anti-good ideas come from? They come from misguided attempts to do the impossible – which is another way of saying “trying to ignore reality.” Frequently those misguided attempts are sincere efforts by well-meaning people or companies who just don’t fully understand the situation, but other times it’s just a bunch of savvy entrepreneurs with a well-marketed piece of junk they’re selling to make a fast buck. In either case, these dumb ideas are the fundamental reason(s) why all that money you spend on information security is going to be wasted, unless you somehow manage to avoid them.
Ned on Auditing – I’m going to add this to my RSS watch list. Perhaps something good will show up from the elusive Ned that will help me out.
I often talk about Ned, who is the current subject matter expert in Microsoft product support for the auditing feature in the US (Fadi is your guy in the Middle East and we have a couple of guys in Europe). Well, Ned has a blog and I thought I’d point you guys there. His recent posts on auditing include a description of how to deploy the special groups logon auditing feature with group policy.
Ugh….I haven’t had a case of the flu like this for years. I’m finally over it (I think) and hopefully things will be getting back to normal soon.
Here is the list:
PHPIDS – Security Layer & Intrusion Detection for PHP Based Web Applications – This is an interesting tool that I haven’t heard about until today.
PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt.
From the SANS Information Security Reading Room:
Enterprise Security 2008 Learning Guide – Good collection of articles to check out.
2008 won’t just be a year of the same old network, application and compliance issues. New malware has hit the scene, cyberterrorist attacks have become more common, and virtualization technology has presented different enterprise network security challenges. Mike Chapple, Michael Cobb, Joel Dubin, Mike Rothman and Ed Skoudis explore various information security areas and point out the new threats that every organization needs to be ready for.
More on Hating Agents – Everyone hates them but they are required – no, not lawyers….I’m talking about log agents. Anton lists some good pros and cons for leveraging an agent to get you your logs.
I responded to a question about using agents for log collection on a mailing list (semi-public); I think this content also begs to be blogged.
Password Cracking Wordlists and Tools for Brute Forcing – Ever want to find a good word list for your audits?
I quite often get people asking me where to get Wordlists, after all brute forcing and password cracking often relies on the quality of your word list.
Do note there are also various tools to generate wordlists for brute forcing based on information gathered such as documents and web pages (such as Wyd – password profiling tool) These are useful resources that can add unique words that you might not have if your generic lists.
Also add all the company related words you can and if possible use industry specific word lists (chemical names for a lab, medical terms for a hospital etc).
Is the mobile malware threat overblown? – Overblown…maybe. Under-exploited…possibly. Not receiving the amount of attention it deserves…definitely!
The trouble for some IT pros is that security experts have been warning of growing mobile phone attacks for more than three years and the big event has yet to materialize.
Does this mean the mobile phone threat has been overblown all this time, over-hyped by security vendors generating FUD to sell new products? Not exactly.
True, enterprises continue to experience little by way of mobile phone attacks. But that’s only because companies are still limiting the functionality of such devices among employees. Just about everyone uses cell phones with Internet capabilities these days. But in the working world, use of the devices are still limited to making phone calls and checking email.
New Docs at SWGDE – Some new docs on forensics. Thanks Harlan.
The Scientific Working Group on Digital Evidence (SWGDE) has released some new documents, the most notable of which are the Vista Technical Notes, and the document on “Live Capture”.
Forensics is not yet a mainstream field and descriptions and definitions vary. Yet how do organisations integrate incident response, breach handling and forensic examination into a security strategy? That security strategy should be defined by policies and procedures to minimise security risk at the lowest cost and least disruption. It is a major challenge facing many CIOs…
Scary concept: Friendly worms – If this ever became a reality, which I doubt it will, how long would you expect it would take before someone exploited the updating and transport mechanism to “do evil”?
This isn’t a new idea, the concept of creating worms that patch your computer when you catch them. There are even some malware out there now that patches vulnerabilities on systems to make sure other worms can’t exploit the same vulnerabilities. But the problem is, if both beneficial and malign software show the same basic behavior patterns, how do you differentiate between the two? And what’s to stop the worm from being mutated once it’s started, since bad guys will be able to capture the worms and possibly subverting their programs.
SQL Injection Tutorial Now Available! – Very cool. Good for Oracle in taking a step to help people secure their product and applications.
By taking this self-study tutorial, you can arm yourself with techniques and tools to strengthen your code and applications against these attacks. This tutorial employs text and diagrams to present concepts, design issues, coding standards, processes, and tools. Flash-based demos and simulations allow you to visualize what you have learned, and assessment quizzes help you gauge your learning progress.