Suggested Blog Reading – Sunday January 27th, 2007

I’ve got everything into the publisher for my book, with the exception of a few edits, so I’m quite excited/relieved/tired. You can already pre-order on most popular book sites.

Here is the list:

SVASE Guerrilla PR – Not security related but for those trying to heighten their PR presence it is certainly a good read.

A few days ago I was at a SVASE meeting and the topic was on guerrilla PR. This was my first SVASE meeting, so I didn’t really know what to expect. I felt like I was the only bootstrap startup, as everyone I talked to were funded by angels or VCs.

Free AV Scanners – Harlan was kind enough to point out a collection of free AV tools. Check it out.

Many times during an examination, you may want to do a little data reduction, by scanning your image for the presence of malware. While this should not be considered a 100% guarantee that there is no malware if there are no hits, this may lead you to something and narrow your search a bit. Again, this is just a tool, something that as a forensic analyst you can use.

Social Engineering Schemes Increase: Great Case Study From An Actual Event – I do love a good case study.

Just today I have already read in my daily news items 5 articles about social engineering! One in particular, “CUNA Mutual Warns on Costly HELOC Scam,” provides not only a great example of a current social engineering scam, but it would also make a great case study for social engineering training and within your awareness communications and activities. Here’s a quick overview…

The Worst IT Security Breaches of 2007 – They’re probably still fresh in your head but here is a link in case you need to reference them for a future presentation.

Every year sees a fresh crop of security breaches. Most go unreported, unless they involve consumers’ personal data, at which point companies are required to give timely public notice of security breaches. The following list of 2007’s worst security breaches consists mainly of such reportable incidents. The incidents are sorted in descending order of severity based on how many individuals were potentially affected.

Tips from an RHCE: Visualizing audit logs with mkbar – Log visualization on the cheap.

The 2.6 Linux kernel comes with a very flexible and powerful auditing subsystem called auditd. auditd is composed of two parts. The main work is done in kernel-space (kernel/audit.c, kernel/auditsc.c). In user-land, auditd is listening for generated audit events. auditd is able to log file-watches as well as syscalls. All LSM-based subsystems–for example, SELinux–are logging via auditd as well. All events are written to /var/log/audit/audit.log.

Steve Grubb wrote a small script called mkbar. It converts these lines into gnuplot-compatible data. Gnuplot is a 2D/3D plotting program which is able to produce nice-looking graphics. If you would like to get a graphic showing which SELinux file types are generating an AVC message (and in what proportions), just call aureport and pipe its output through mkbar…
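The aggregation step mkbar performs is simple enough to show end to end. The script below is an added example written for this post, not Steve Grubb’s mkbar and not part of the linked article: it reads raw /var/log/audit/audit.log records directly (instead of aureport output), takes the SELinux type out of each AVC record’s tcontext field, counts how many denials each target type generated, and writes whitespace-separated rows that gnuplot can plot as a bar chart. The log lines embedded in it are constructed samples in auditd’s format, and the function names are this example’s own.

```python
"""Count SELinux AVC denials per target type and emit gnuplot-style data.

Added example in the spirit of mkbar (not the mkbar script itself). Reads
raw auditd records rather than aureport output; the sample lines below are
constructed, not taken from a real system.
"""
import re
import sys
from collections import Counter

# Constructed sample of what auditd writes to /var/log/audit/audit.log.
# AVC records carry scontext (the acting subject) and tcontext (the target);
# each SELinux context is user:role:type:level.  The SYSCALL record is the
# companion event auditd logs alongside an AVC and must be ignored here.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1201400000.101:201): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=sda2 ino=4451 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1201400001.102:202): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/home/bob/index.html" dev=sda2 ino=4451 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1201400001.102:202): arch=c000003e syscall=2 success=no exit=-13 a0=3 items=1 ppid=2100 pid=2101 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1201400002.103:203): avc:  denied  { write } for  pid=2101 comm="httpd" name="access_log" dev=sda2 ino=9912 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1201400003.104:204): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1201400004.105:205): avc:  denied  { read } for  pid=2101 comm="httpd" name="secret.txt" dev=sda2 ino=4460 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Pull user, role and type out of "tcontext=user:role:type:level".
TCONTEXT_RE = re.compile(r"\btcontext=(?P<user>[^:\s]+):(?P<role>[^:\s]+):(?P<type>[^:\s]+)")


def avc_target_type(line):
    """Return the SELinux type of the target of one AVC record.

    Returns None for non-AVC records (SYSCALL, CWD, PATH, ...) and for AVC
    records without a parsable tcontext, so callers can simply skip them.
    """
    if not line.startswith("type=AVC "):
        return None
    match = TCONTEXT_RE.search(line)
    return match.group("type") if match else None


def count_target_types(lines):
    """Tally AVC records by target type over an iterable of audit.log lines."""
    counts = Counter()
    for line in lines:
        target_type = avc_target_type(line)
        if target_type is not None:
            counts[target_type] += 1
    return counts


def gnuplot_data(counts):
    """Render counts as rows "<type> <count> <percent>", most frequent first.

    gnuplot can draw this with:  plot 'avc.dat' using 2:xtic(1) with boxes
    The percent column gives the proportion the linked article talks about.
    """
    total = sum(counts.values())
    rows = []
    # Sort by descending count, then by type name so output is deterministic.
    for target_type, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        rows.append(f"{target_type} {n} {100.0 * n / total:.1f}")
    return "\n".join(rows) + ("\n" if rows else "")


if __name__ == "__main__":
    # Usage: python avc_bars.py /var/log/audit/audit.log > avc.dat
    # With no argument the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            result = gnuplot_data(count_target_types(fh))
    else:
        result = gnuplot_data(count_target_types(SAMPLE_AUDIT_LOG.splitlines()))
    sys.stdout.write(result)
```

Reading audit.log directly rather than aureport output means the script also works on a copy of the log pulled off a box during an investigation, where the audit tools may not be installed; the trade-off is that it only understands the tcontext field, whereas aureport can key on any field of the event.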

Great Malware Visualizations – Wow…that IS really cool 🙂

Wow, these are très cool. They are from Alex Dragulescu, done for MessageLabs’ latest marketing. Found via the always excellent infosthetics blog. Hit infosthetics for more information on the visualization technique.

Top IT Security Threats of 2008 – Hmmm…do you agree or disagree?

The SANS (SysAdmin, Audit, Networking and Security) Institute has released its list of the top 10 cybersecurity threats for 2008. The list includes new developments of evergreen security risks: new exploitations of browser vulnerabilities; worms with advanced P2P (peer-to-peer) technologies; and insider attacks by rogue employees, consultants or contractors.

malware unpacking tutorial videos – Good catch Michael. I agree with you…reverse engineering is cool but it’s not something that I think I could wrap my head around.

I’m not a big software de-engineering guy or reverser and I don’t see myself gaining those skills in the next couple years, but someday I might get interested in the topic. While books and blogs and personal contacts are good resources, I really like seeing everything put together and the end results. Here are two video tutorials on unpacking and examining malware from Frank Boldewin over at Offensive Security.

The growth of malware – This is somewhat alarming…

It’s worth noting that these numbers are also increasing because of variants — i.e. the same Trojan will be changed sometimes hourly or daily just to try and fool the scanners. So it’s not like there’s over 5 million unique pieces of malware. There are many that are variants of the same piece of malware.

NERC CIP Rules Out – Logs In! – You should check this out too.

NERC security rules [PDF], that were updated and became mandatory last week, might well become “a new PCI DSS” and trigger “a golden age” of security in the energy industry: the rules are mandatory, they are specific (more specific than a lot of other regulatory security guidance) and there is an enforcement body (NERC) that can make life miserable for those not complying.

Visa reports high compliance numbers – Good to see that compliance levels are high…repeat…compliance levels are high.

Visa Inc. announced today that as of the end of 2007, more than three-fourths of the largest U.S. merchants [Level 1] and nearly two-thirds of medium-sized merchants [Level 2] have now validated their compliance with the Payment Card Industry Data Security Standard (PCI DSS). Merchants in these two categories account for approximately two-thirds of Visa’s U.S. transaction volume.

Bridging Security and Visualization – Cool post, and associated video, from Raffy.

OnSecrity just released another video of the conversation we recorded last year during RSA. I am talking about security visualization in light of the book I am working on. This video cast is the sequel to the first one that I posted a few days ago.

Top Ten Web Hacks of 2007 (Official) – Incredible. I’m having a hard time wrapping my head around the number of web hacks in 2007. Kind of makes you sick, doesn’t it?

The polls are closed, votes are in, and we have ten winners making up the Top Ten Web Hacks of 2007! The competition was fierce. The information security community put 80 of the newest and most innovative Web hacking techniques to the test. The voting process saw even some attempts at ballot stuffing, but to no avail, and very few techniques received zero votes. The winners though stood head and shoulders above the rest. Thanks to everyone who helped build the list of links, took the time to vote, and especially the researchers whose work we all rely upon. Congratulations!

Metasploit Framework GUI – Hot new MSF3 GUI.

I’m behind on my posting, but I’m going to do a quick post on the shiny new MSF3.1 GUI.

I’m not usually a GUI kinda guy but I do like the GUI specifically the browser option where you can just drag and drop files…way cool.

Here is the post from the framework list talking about getting it up and running on Linux and Windows.

I think it’s technically still in beta and not officially released, but it’s working well and I would expect a release soon.

From the SANS Information Security Reading Room:

Suggested Blog Reading – Saturday January 19th, 2007

Wow, what a week. It’s been crazy but I’ve finally found some time to post.

Here is the list:

Offensive Security 101 v.2.0 – Looks like Offensive Security 101 v2.0 is out.

“Offensive Security 101 v.2.0” is a course designed for network administrators and security professionals who need to get acquainted with the world of offensive security. The course introduces the latest hacking tools and techniques, and includes remote live labs for exercising the material presented to the students.

Calling all Web Hacks of 2007 – Good list of the web hacks that came out in 2007.

The hardest part is collecting a rather complete list of references to vote on, they’re all over the place, so that’s the reason for this post. Below is what I’ve gathered so far, and if you know of others, please comment them in with the title and link and I’ll add them. In the next few days the list will be compiled and I’ll create an open survey.

Two articles from SANS Information Security Reading Room:

GIAC Certified Incident Handler (GCIH) Exam and Beyond – Great post about the path to the GCIH certification and the next steps.

I find myself wondering, what is my next objective? I simply do not know. DoD offers great opportunities and they are attempting to address cyber security threats.

My 2008 Security Predictions! – Anton’s predictions for 2008…let’s see what happens with them 🙂

So, just as in 2006 and 2007, I am coming up with security predictions that cover both technology and market. I just posted a review of my last year’s predictions where I mostly erred on the conservative side. I promise to be more ‘extreme’ this year, while still keeping the old wisdom of Richard Feynman in mind: if you predict the status quo, you are more likely to be correct…

Is Your Information Security Program Real or Only a Check box? – In a world where a check box is a marketer’s dream…

We all know that in order for an Information Security Program to really be successful it has to have support starting at the top. The IT manager can’t decide that a program is needed and start implementing it and expect it to really succeed. That doesn’t mean that it won’t succeed, but the IT manager will have to do a lot of leg work to make it happen.

IR Immediate Actions – Great post by Harlan on the first thing you should do when approaching a compromised system.

If there is data leakage due to an intrusion (or this is suspected, or this is just a question that needs to be answered…), then the immediate reaction is (apparently) to shut the system down. This may be pertinent, particularly if there is no incident response plan in place that lets people know what they need to do, and time is required to notify and get approval for follow-on activities (such as calling consultants). This reaction appears to be fairly ingrained, and I’m not suggesting that we change it by saying DO NOT shut systems down. What I am going to suggest is that we modify those immediate actions such that pertinent information is collected from systems before they are shut down.

Certified Wireless Analysis Professional Online Book – Good catch Michael! I’ve never read the book before but, at first glance, the dedications chapter is a bit over the top.

The online book, Certified Wireless Analysis Professional study guide is up, offered from CWNP. This looks pretty darn detailed.

Data Recovery Challenge – Kind of cool. I can’t wait to see the results.

Is it possible to recover data from a hard disk drive that has been overwritten with zeros? This is the question behind The Great Zero Challenge that starts today.

NSA Must Examine All Internet Traffic to Prevent Cyber Nine-Eleven, Top Spy Says – Ummm…ya….right…makes perfect sense…I guess?

The nation’s top spy, Michael McConnell, thinks the threat of cyberarmageddon! is so great that the U.S. government should have unfettered and warrantless access to U.S. citizens’ Google search histories, private e-mails and file transfers, in order to spot the cyberterrorists in our midst.

Hunting Bugs Pre-Installation – Interesting new blog with an interesting post to go with it.

There are many things that can be automated in security testing, with the goal of freeing up time to perform manual analysis of interesting areas (or for pub lunches or playing pool etc.) Fuzzing is a great example of this – you leave the fuzzer crunching away while you review the source code or disassembly.

But fuzzing is just part of the work that needs to be done. If I have some downtime between consultancy gigs and I decide to do some bug hunting, I have to first choose a product that I think will have some interesting components, then I have to install it, then I have to do a quick informal analysis of its attack surface, then I have to attack it.

Linux Memory Analysis Challenge – Again, I can’t wait to see the results 🙂

Every year the Digital Forensics Research Workshop challenges the digital forensics community to work on a special assignment in order to stimulate focused research and the development of new tools. This year the challenge is to analyse the memory dump of a Linux host. The assignment and some details were just posted to the DFRWS web site. Submissions are due July 20, 2008.

Will Malware Kill the Internet? – I don’t know Andy. I have a feeling we’ll be fine.

I’m not normally negative about such things, but this has me worried. Also, not being one to point out a problem w/o offering up solutions I will repeat what all of you probably know. A few things that you can do to reduce the chance of getting malware on your system when surfing the Internet.

Logs = Accountability! – Anton’s right. Then again, it’s rare we’re not on the same page when talking about logs and their importance 🙂

Yes, there are many other mechanisms of accountability in an organization, but logs are the one that pervades all IT. And if your IT is not accountable, your business is neither. Thus, if you tend to not be serious about logs, be aware that you are not serious about accountability. Is that the message your organization wants to be sending?

Mexico and Africa to become malware hotspots – You had to know this was coming.

F-Secure reckons cybercrime will continue to be the main motive for malware creation over the next five years, but predicts that an alignment between broadband penetration and socio-economic factors such as economic development and lack of IT employment opportunities will see activity in the underground economy shifting towards India, Mexico and Africa.

NIST tests DCCIdd Version 2.0 – Cool doc that you should check out.

NIST has released the test results for version 2.0 of DCCIdd. According to the report DCCIdd did not acquire sectors that were hidden by a Device Configuration Overlay (DCO). Following a faulty sector the tool filled up to 7 additional sectors with null bytes.

Is This For Real? – A lot of people have been reporting this but I thought I’d link to Richard’s post on the topic. My question is, where was this inside knowledge obtained?

Paller said that Donahue presented him with a written statement that read, “We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.”
