I really apologize for not posting an SBR post since February, but I was a touch burnt out. Now that I’m back from vacation, expect to see more frequent posting (I promise this time…no fooling).
Striving For PCI DSS Log Management Compliance Also Helps To Identify Attacks From The Outside – I haven’t read through the entire article yet but, from what I did read, it looks quite promising. I may do a full post in response to the key points in the coming days.
The second paper in my series on PCI DSS log management compliance, “Using PCI DSS Compliant Log Management To Identify Attacks From The Outside” is now available.
And, as I’ve been blogging about over the past few days, log management is about much more than systems; it is about the entire management process, and the need to have policies and procedures and to address the ways in which personnel review and know how to interpret the logs.
Expanding Government Liability for Data Breach – I think “damages” are probably due to be redefined.
An interesting decision came down last week by U.S. District Court for the District of Columbia that could potentially change the financial liability of data breaches by government agencies and private corporations. For the first time, the district court held that government employees who claimed that a data breach by the Transportation Service Agency (TSA) caused them harm have a valid cause of action against the government. Recent rulings in state courts have dismissed claims for lack of merit based on insufficient proof of emotional harm or financial damage.
SANS Internet Storm Center Starts Monthly Podcast – Wow this is cool. I’m glad that this is happening.
If you don’t have the time or interest to read about the latest IT security news, the SANS.org podcast or some of the other security podcasts might help you keep up.
CEH/CPTS Certification != competent pentester – Tools are only good in the hands of people who are trained to use them, but tools, combined with experience, will always produce superior results.
Bottom line, tools are just tools; they help humans get jobs done. They aren’t and shouldn’t be the only thing used on a pentest. The other point is that experience is king. Granted, the original poster is getting experience, but giving CORE to a brand new tester is not going to help them get better. There is a reason A LOT of subjects are taught the hard way first, and then you get taught “the shortcut.” Oh, and passing a multiple choice test is not a real demonstrable measure of ability.
Network IDS & IPS Deployment Strategies from the SANS Information Security Reading Room
Solera V2P Tap – It was only a matter of time until someone invented this. I personally think that this is a great, and very useful, invention.
It looks like Solera Networks built a virtual tap, as I hoped someone would. I mentioned it to Solera when I visited them last year, so I’m glad to see someone built it. I told them it would be helpful for someone to create a way for virtual switches to export traffic from the VM environment to a physical environment, so that an NSM sensor could watch traffic as it would when connected to a physical tap.
What’s new in vulnerability management? – Curious what’s happening with your vulnerability management solution? Have a read.
For too long the vulnerability management vendors have been quiet. In fact the whole sector has taken on the “mature” label which seems to indicate there is no new innovation happening. Recently though we have seen some new announcements in this area. Also, Gartner should have a new marketscope due out soon.
The Top 10 Security Events of 2008 – Were you “where it was at”?
The event season is here, bringing a flood of security-related conferences, seminars, trade shows and other gatherings designed to help business owners and managers learn how to better protect their IT environments. Here’s a quick rundown of the top 10 events coming up in 2008. And check out the IT Security blog for live blogging and event updates.
Windows Server 2008 Security Events Posted – Awesome! Here is the link to the spreadsheet: http://www.microsoft.com/downloads/details.aspx?FamilyID=82e6d48f-e843-40ed-8b10-b3b716f6b51b&DisplayLang=en
Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy category and subcategory for your reference.
Check it out in the Knowledge Base.
Even better, they documented all the events in spreadsheet format, and that’s propagating to the Microsoft Download Center. I’ll publish the link when it’s online.
Loads.CC Bot Still Live, Still Targeted – More info about the Loads.CC bot that you should probably check out.
Enough has been written about the Loads.CC team to give you enough of a picture of what you need to know. Some reports suggested they went away, but they didn’t. They’re still active. See these reports by RBN exploit, CIO magazine, 2-viruses.com, this PC Week article by Scott B, and Adam T for a good background. The team is still quite active.
Instead of my usual “blogging frenzy” machine gun blast of short posts, I will just combine them into my new blog series “Fun Reading on Security.” Here is an issue #1, dated April 18, 2008.
Let me introduce you to the six dumbest ideas in computer security. What are they? They’re the anti-good ideas. They’re the braindamage that makes your $100,000 ASIC-based turbo-stateful packet-mulching firewall transparent to hackers. Where do anti-good ideas come from? They come from misguided attempts to do the impossible – which is another way of saying “trying to ignore reality.” Frequently those misguided attempts are sincere efforts by well-meaning people or companies who just don’t fully understand the situation, but other times it’s just a bunch of savvy entrepreneurs with a well-marketed piece of junk they’re selling to make a fast buck. In either case, these dumb ideas are the fundamental reason(s) why all that money you spend on information security is going to be wasted, unless you somehow manage to avoid them.
Ned on Auditing – I’m going to add this to my RSS watch list. Perhaps something good will show up from the elusive Ned that will help me out.
I often talk about Ned, who is the current subject matter expert in Microsoft product support for the auditing feature in the US (Fadi is your guy in the Middle East and we have a couple of guys in Europe). Well, Ned has a blog and I thought I’d point you guys there. His recent posts on auditing include a description of how to deploy the special groups logon auditing feature with group policy.
Wow, February already. I find it hard to believe that at the end of the month I will be starting into my 30th year. Oh well….I’ve looked like I’m 30 for the past 10 years anyway 🙂
Here is the list:
OSVDB API and enhanced cross-referencing – I’m interested to see how well this works. Feedback from anyone?
We are pleased to announce the OSVDB API beta.
Integration and cross-referencing with OSVDB just got a lot easier via the new application programming interface (API), which can provide multiple result formats to fit various needs. Queries can be run against any number of correlation factors, including CVE ID, Microsoft Bulletin ID, Bugtraq ID, and a host of other common reference points. The API is also under constant development, particularly during beta, and suggestions for improvements are quickly and easily implemented by the OSVDB development team.
InfoSec’s Secret Star Promoter: Lauren Nelson, Miss America 2007 – This is a step in the right direction. Also, let’s face it, Al Gore wouldn’t look this good in a bathing suit.
On hand for the crowning will be Miss America 2007, Lauren Nelson. The former Miss Oklahoma has spent the past year traveling the country to promote Internet safety, and appeared on the TV show, “Are You Smarter Than A Fifth-Grader.” (my emphasis)
Open University launches computer forensics course – I’m going to check this one out for sure.
The Open University in the UK has launched a postgraduate course designed to offer a basic understanding of digital evidence collection, forensic computing and IT incident management in criminal investigations. Computer Forensics and Investigations balances the legal and technical aspects of the collection of evidence in internet related crimes such as email bullying, online fraud, and electronic identity theft…
Metasploit Framework 3.1 is out! – Wicked! I love the quote too.
HDM and the Metasploit crew have officially released Metasploit Framework 3.1.
Here is the release note.
When asked to come up with a quote for the new release…
“if that new drag and drop meterpreter file browser in the GUI doesn’t make you hot for your INFOSEC job, nothing will.”
Are companies doing enough to avoid becoming the first true poster child for data loss? – I think I already knew the answer to this question before reading the article 🙂
Data loss is a burning issue that should be on the mind of every C-level executive and board member, if it isn’t already. According to a recent Ponemon Data Loss Study, the costs associated with data breaches rose 55% in 2007.
What is troubling is the scope and opportunity for such abuse and loss of data; even worse is the fact that the intentional, or malicious, attacks are the easiest to spot and manage, while the unintentional data losses caused by rogue emails and employee ignorance do the most damage.
Technology helps, but people matter most – Tools are an important part of information security but are useless in the wrong hands. Take this random analogy: Could you build a house without a hammer? Probably, but it’d take you a long time. Conversely, just because you have a hammer, does it mean that you can (or in some cases should) build a house? Probably not. What about giving the hammer to a skilled builder with the knowledge to build the house? Do you think they would have the correct mix of tools and talent to do the job? Probably.
The other day a friend called me up asking what the best scanner (web application vulnerability) is these days because he hadn’t been following the field closely. He recently left a consulting role and signed on as an InfoSec manager at a large organization. His first action was to roll out a website security initiative. He knew of course that I would be highly biased towards Software-as-a-Service. Apparently he would have gone that route, but the company had a policy against outsourcing. No one could quite remember why. Anyway, before answering his question, I wanted to know more about his environment.
From the SANS Information Security Reading Room – looks like I have some reading to catch up on:
What is PCI all about? – Ever wonder what this “PCI thing” was all about?
This seems to come up every year, or perhaps that’s only the frequency that I address it. It seems everyone has their own view about what PCI compliance is meant to accomplish.
Martin, a friend of mine, writes that PCI is about transferring risk and not mitigating it. This implies that the acquiring bank somehow has the ability or responsibility to prevent a merchant from losing your credit card number. This is entirely wrong. The heart of the PCI DSS is about mitigating the risk of a direct attack on the cardholder data. I think the one thing we both agree on is that it’s the responsibility of the person closest to the data to protect it – and this just happens to be the merchant in many cases.
The Real Costs of Ignoring IT Security – Interesting article. I really hope people read it because many struggle with the concept of ROI on security investment.
IT security is like insurance: a foolish waste of money — until disaster strikes.
Still, businesses need to be intelligent about planning and deploying IT security technologies and practices. Just as a driver wouldn’t insure a rusty 1971 Ford Pinto for $1 million, a company shouldn’t adopt security measures that, in the long run, wind up costing more than they’re worth.
Many businesses are tempted, however, to skip key security measures and simply pay to fix things if and when a problem occurs. Is this a good idea? Let’s examine several worst-case security scenarios and see what effect they would have on a business.
A couple of weeks ago I followed a link and wound up on a blog called Security Uncorked, JJ’s complete unofficial guide to Infosec. Though it was a fairly new blog, the person writing it obviously was a pretty hands-on security practitioner who knew what they were doing and was doing a good job of writing about it, with some good tips and tricks. Further investigation revealed that the blog belonged to Jennifer Jabbusch. I don’t know a lot about Jennifer other than what she has up on the blog, but she is obviously very deeply involved in nuts and bolts information security and has a great writing style.
Some people think that writing code in Java is a silver bullet against implementation flaws such as buffer overflows. The truth is a little murky.
But real code, though it might be written in 100% Java, depends heavily on the Runtime Environment (JRE) and the JRE contains methods that are written in straight C. We all know what happens when C hangs out with its buddies: fixed size buffer, strcpy and user input.
OWASP Books Released – Hot off the…umm….press?
An interesting download to come out of the OWASP camp — books are now available for your reading pleasure. The initial group of books are:
- OWASP CLASP v1.2
- OWASP Top 10 – 2007 Edition
- OWASP Top 10 – Testing – Legal 07′
- OWASP WebGoat and WebScarab
- OWASP Code Review – 2007 (RC1)
- OWASP Evaluation and Certification Criteria
- OWASP Top 10 – Ruby on Rails Version
- OWASP SpoC 2007
- OWASP World (Nov2007)
- OWASP Guide 2.0 (2005)
Bruter 1.0 Released – Parallel Windows Password Brute Forcing Tool – Here is another tool to try out.
Bruter 1.0 BETA 1 has been released. Bruter is a parallel login brute-forcer. This tool is intended to demonstrate the importance of choosing strong passwords. The goal of Bruter is to support a variety of services that allow remote authentication.
I received an email from someone recently asking me about checklists for determining the attack vector of an incident. Yeah, I know…that’s a pretty broad question, but I do see the issue here. Sure, some folks are “finding stuff”, but the question is now becoming, how did it get there? That’s the next logical question, I suppose, and it is being asked.
Nessus UNIX Configuration Auditing “sudo” Support – Nice addition.
Tenable’s research group recently added support to all SSH enabled UNIX configuration audits to make use of “sudo”. Support is available in version 1.4.4 of the UNIX compliance checks.
Some organizations explicitly prohibit remote “root” logins to their UNIX servers. However, many of these organizations do allow a “non-root” login which has access to the “sudo” command. The “sudo” facility allows a non-root user to run specific restricted commands at the root level. Activity related to “sudo” can be logged as well.
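As an added example (not from the original post and not Tenable’s code), here is what the restricted, non-root audit account described above looks like in sudoers, the unrestricted rule it replaces, and a small shell check that flags user specifications granting ALL commands or binaries with well-known shell escapes. The account name nessus, the log path and the command list are assumptions; match the list to what your own audit actually runs, and remember that a read-only command such as cat running as root can still read every file on the box. The check is a heuristic over a single file, not a sudoers parser: it ignores aliases and #include directives, so still run visudo -c for syntax.

```shell
#!/bin/sh
# Added example (not from the original post, not Tenable's code): a restricted
# sudoers rule for a non-root audit account, the unrestricted rule it replaces,
# and a heuristic check for over-broad grants. Account name, log path and
# command list are assumptions for illustration.
set -eu

# Constructed fragment: this is root access under another name.
make_weak_sudoers() {
  cat > "$1" <<'EOF'
# audit account may run anything as root, without a password
nessus ALL=(ALL) NOPASSWD: ALL
EOF
}

# Constructed fragment: read-only commands only, every invocation logged.
make_restricted_sudoers() {
  cat > "$1" <<'EOF'
Defaults:nessus logfile="/var/log/sudo-nessus.log"
# assumed command list; keep it to what the audit actually needs
nessus ALL=(root) NOPASSWD: /bin/cat, /bin/ls, /usr/bin/stat
EOF
}

# Print "LINE: reason: rule" for each user specification that grants ALL
# commands or a binary with a known shell escape; print nothing when clean.
check_sudoers() {
  awk '
    /^[ \t]*#/ { next }                                        # comment
    /^[ \t]*$/ { next }                                        # blank
    /^[ \t]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
    {
      line = $0
      eq = index(line, "=")
      if (eq == 0) next
      spec = substr(line, eq + 1)
      sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)                  # drop (runas)
      gsub(/(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):[ \t]*/, "", spec)
      gsub(/^[ \t]+|[ \t]+$/, "", spec)
      if (spec == "ALL") { print NR ": grants ALL commands: " line; next }
      n = split(spec, cmds, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) {
        split(cmds[i], words, " ")                              # drop arguments
        m = split(words[1], path, "/")
        base = path[m]
        if (base ~ /^(sh|bash|dash|ksh|zsh|vi|vim|less|more|find|su)$/)
          print NR ": shell escape via " base ": " line
      }
    }
  ' "$1"
}

# Stand-alone run: check both fragments.
workdir=$(mktemp -d)
make_weak_sudoers "$workdir/weak"
make_restricted_sudoers "$workdir/restricted"
echo "== weak ==";       check_sudoers "$workdir/weak"
echo "== restricted =="; check_sudoers "$workdir/restricted"
```

Running it prints one finding for the weak fragment (the ALL grant) and nothing for the restricted one. find is on the escape list because -exec lets it run arbitrary commands as root, which is why it is not in the assumed read-only command list even though an audit might reasonably want it.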
dc3dd, Version 6.9.91 – Another tool I’ll have to try out.
Jesse Kornblum has released the first version of his new acquisition tool dc3dd. It is based on GNU dd, which ships with coreutils (that explains the version number), and incorporates ideas from the well-known dcfldd. More information is available from the ForensicWiki article on dc3dd and the manual page.
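The two things dcfldd-style tools add to plain dd are hashing the data as it is copied and verifying the finished image against that hash. As an added example (not dc3dd’s code and not from the original post), here is that workflow in POSIX shell over a constructed 4096-byte sample “disk”, assuming GNU coreutils (dd, tee, sha256sum) with shasum as a fallback: the source is read once, the stream is hashed while it is written, and verification re-hashes the image on disk, so a single altered byte makes it fail.

```shell
#!/bin/sh
# Added example (not dc3dd's code): dd acquisition with an on-the-fly hash of
# the copied stream and a later verification of the image against it.
# Assumes GNU coreutils (dd, tee, sha256sum) or shasum as a fallback.
set -eu

hash_stdin() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | awk '{ print $1 }'
  else
    shasum -a 256 | awk '{ print $1 }'
  fi
}

hash_file() {
  hash_stdin < "$1"
}

# Copy $1 sector by sector into image $2. noerror keeps going past a read
# error and sync zero-fills the failed block so every later offset in the
# image still matches the source. The stream is hashed while it is written;
# dd's own transfer summary goes to $3 and the hash to "$2.sha256".
acquire_image() {
  src="$1"; img="$2"; log="$3"
  dd if="$src" bs=512 conv=noerror,sync 2>"$log" | tee "$img" | hash_stdin > "$img.sha256"
}

# Return 0 when re-hashing the image on disk reproduces the acquisition hash.
verify_image() {
  [ "$(hash_file "$1")" = "$(cat "$1.sha256")" ]
}

# Constructed sample "disk": 4096 bytes (8 sectors) of a repeating pattern,
# so the byte at any offset is known in advance.
make_sample_disk() {
  yes ABCDEFGH | head -c 4096 > "$1"
}

# Stand-alone run.
workdir=$(mktemp -d)
make_sample_disk "$workdir/disk.raw"
acquire_image "$workdir/disk.raw" "$workdir/disk.img" "$workdir/dd.log"
if verify_image "$workdir/disk.img"; then
  echo "image verified: $(cat "$workdir/disk.img.sha256")"
else
  echo "image does NOT match acquisition hash"; exit 1
fi
```

Because the sample is an exact multiple of the 512-byte block size, the image hash also equals a hash of the source; on a real device with unreadable sectors the zero-filled blocks are exactly where the two would differ, and dd’s summary in the log file tells you how many blocks that was.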
Router Hacking Challenge – Anyone interested in a little competition? 🙂
So are you up to it? Can you handle it? Can you find a vulnerability in your personal router? Then you are the perfect candidate to join!
The contest runs from 2 February until 29 February. If there are enough submissions, I will write about it and compose a list of the best router hacks that were submitted. I will also pick my personal favorite out of that list as the main winner. The Hacker Webzine currently grows each day. The site has 100 to 150K hits each week, so this can give you a lot of attention and spotlight! The rules are very flexible; every kind of exploit is allowed, from buffer overflows to the CSRF issues that plague many routers. My personal favorites are CSRF issues since they always work in any situation.
Here is the list:
SVASE Guerrilla PR – Not security related but for those trying to heighten their PR presence it is certainly a good read.
A few days ago I was at a SVASE meeting and the topic was on guerrilla PR. This was my first SVASE meeting, so I didn’t really know what to expect. I felt like I was the only bootstrap startup, as everyone I talked to was funded by angels or VCs.
Free AV Scanners – Harlan was kind enough to point out a collection of free AV tools. Check it out.
Many times during an examination, you may want to do a little data reduction, by scanning your image for the presence of malware. While this should not be considered a 100% guarantee that there is no malware if there are no hits, this may lead you to something and narrow your search a bit. Again, this is just a tool, something that as a forensic analyst you can use.
Social Engineering Schemes Increase: Great Case Study From An Actual Event – I do love a good case study.
Just today I have already read in my daily news items 5 articles about social engineering! One in particular, “CUNA Mutual Warns on Costly HELOC Scam,” provides not only a great example of a current social engineering scam, but it would also make a great case study for social engineering training and within your awareness communications and activities. Here’s a quick overview…
The Worst IT Security Breaches of 2007 – They’re probably still fresh in your head but here is a link in case you need to reference them for a future presentation.
Every year sees a fresh crop of security breaches. Most go unreported, unless they involve consumers’ personal data, at which point companies are required to give timely public notice of security breaches. The following list of 2007’s worst security breaches consists mainly of such reportable incidents. The incidents are sorted in descending order of severity based on how many individuals were potentially affected.
Tips from an RHCE: Visualizing audit logs with mkbar – Log visualization on the cheap.
The 2.6 Linux kernel comes with a very flexible and powerful auditing subsystem called auditd. auditd is composed of two parts. The main work is done in kernel-space (kernel/audit.c, kernel/auditsc.c). In user-land, auditd is listening for generated audit events. auditd is able to log file-watches as well as syscalls. All LSM-based subsystems–for example, SELinux–are logging via auditd as well. All events are written to /var/log/audit/audit.log.
Steve Grubb wrote a small script called mkbar. It converts these lines into gnuplot-compatible data. Gnuplot is a 2D/3D plotting program which is able to produce nice-looking graphics. If you would like to get a graphic showing which SELinux file types are generating an AVC message (and in what proportions), just call aureport and pipe its output through mkbar…
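aureport and mkbar need a live audit system, so as an added example (not mkbar’s code and not from the original post) here is the same idea done directly on raw audit.log records in POSIX shell: count AVC denials by SELinux target type, write the two-column data, and emit a gnuplot script that draws it as a bar chart. The audit.log lines are constructed for the example but follow the real record format; the target type is the third field of tcontext=user:role:type:level, which for a file is its file type and for a socket its port type.

```shell
#!/bin/sh
# Added example (not mkbar's code, not from the original post): summarise
# SELinux AVC denials straight from audit.log into the "label value" columns
# gnuplot plots as bars. Log lines below are constructed, in the real format.
set -eu

make_sample_log() {
  cat > "$1" <<'EOF'
type=AVC msg=audit(1201600000.101:201): avc:  denied  { read } for  pid=2210 comm="httpd" name="index.html" dev=sda1 ino=40321 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1201600000.101:201): arch=c000003e syscall=2 success=no exit=-13 a0=7fff5e3a1b20 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=2210 auid=4294967295 uid=48 gid=48 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1201600000.104:202): avc:  denied  { getattr } for  pid=2210 comm="httpd" path="/home/alice/public_html" dev=sda1 ino=40300 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1201600000.250:203): avc:  denied  { write } for  pid=2301 comm="named" name="data" dev=sda1 ino=51002 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1201600000.377:204): avc:  denied  { name_connect } for  pid=2210 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=USER_LOGIN msg=audit(1201600000.400:205): user pid=2400 uid=0 auid=500 msg='acct="alice": exe="/usr/sbin/sshd" (hostname=?, addr=10.0.0.5, terminal=ssh res=success)'
EOF
}

# Print "target_type count" for every AVC denial in $1, most frequent first.
# The SELinux type is the third colon-separated field of
# tcontext=user:role:type:level; non-AVC records are ignored.
avc_by_target_type() {
  awk '
    $1 == "type=AVC" && /denied/ {
      for (i = 1; i <= NF; i++)
        if (substr($i, 1, 9) == "tcontext=") {
          split(substr($i, 10), ctx, ":")
          count[ctx[3]]++
        }
    }
    END { for (t in count) print t, count[t] }
  ' "$1" | sort -k2,2nr -k1,1
}

# Write a gnuplot script ($2) that draws the data file ($1) as a bar chart.
write_gnuplot_script() {
  cat > "$2" <<EOF
set terminal png
set output 'avc_by_type.png'
set style fill solid
set boxwidth 0.6
set ylabel 'AVC denials'
set xtics rotate by -45
plot '$1' using 2:xtic(1) with boxes notitle
EOF
}

# Stand-alone run: build the sample, summarise it, emit the plot script.
workdir=$(mktemp -d)
make_sample_log "$workdir/audit.log"
avc_by_target_type "$workdir/audit.log" > "$workdir/avc.dat"
cat "$workdir/avc.dat"
write_gnuplot_script "$workdir/avc.dat" "$workdir/avc.gp"
echo "render with: gnuplot $workdir/avc.gp"
```

On the constructed sample this yields user_home_t 2, mysqld_port_t 1 and named_zone_t 1; swapping ctx[3] for the scontext field, or for the tclass= value, gives the same chart by source domain or object class, which is usually the next question once one type dominates.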
Great Malware Visualizations – Wow…that IS really cool 🙂
Wow, these are très cool. They are from Alex Dragulescu, done for MessageLabs’ latest marketing. Found via the always excellent infosthetics blog. Hit infosthetics for more information on the visualization technique.
Top IT Security Threats of 2008 – Hmmm…do you agree or disagree?
The SANS (SysAdmin, Audit, Networking and Security) Institute has released its list of the top 10 cybersecurity threats for 2008. The list includes new developments of evergreen security risks: new exploitations of browser vulnerabilities; worms with advanced P2P (peer-to-peer) technologies; and insider attacks by rogue employees, consultants or contractors.
malware unpacking tutorial videos – Good catch, Michael. I agree with you…reverse engineering is cool but it’s not something that I think I could wrap my head around.
I’m not a big software de-engineering guy or reverser and I don’t see myself gaining those skills in the next couple years, but someday I might get interested in the topic. While books and blogs and personal contacts are good resources, I really like seeing everything put together and the end results. Here are two video tutorials on unpacking and examining malware from Frank Boldewin over at Offensive Security.
The growth of malware – This is somewhat alarming…
It’s worth noting that these numbers are also increasing because of variants — i.e. the same Trojan will be changed sometimes hourly or daily just to try and fool the scanners. So it’s not like there’s over 5 million unique pieces of malware. There are many that are variants of the same piece of malware.
NERC CIP Rules Out – Logs In! – You should check this out too.
NERC security rules [PDF], that were updated and became mandatory last week, might well become “a new PCI DSS” and trigger “a golden age” of security in the energy industry: the rules are mandatory, they are specific (more specific than a lot of other regulatory security guidance) and there is an enforcement body (NERC) that can make life miserable for those not complying.
Visa reports high compliance numbers – Good to see that compliance levels are high…repeat….compliance levels are high.
Visa Inc. announced today that as of the end of 2007, more than three-fourths of the largest U.S. merchants [Level 1] and nearly two-thirds of medium-sized merchants [Level 2] have now validated their compliance with the Payment Card Industry Data Security Standard (PCI DSS). Merchants in these two categories account for approximately two-thirds of Visa’s U.S. transaction volume.
Bridging Security and Visualization – Cool post, and associated video, from Raffy.
OnSecrity just released another video of the conversation we recorded last year during RSA. I am talking about security visualization in light of the book I am working on. This video cast is the sequel to the first one that I posted a few days ago.
Top Ten Web Hacks of 2007 (Official) – Incredible. I’m having a hard time wrapping my head around the number of web hacks in 2007. Kind of makes you sick, doesn’t it?
The polls are closed, votes are in, and we have ten winners making up the Top Ten Web Hacks of 2007! The competition was fierce. The information security community put 80 of the newest and most innovative Web hacking techniques to the test. The voting process saw even some attempts at ballot stuffing, but to no avail, and very few techniques received zero votes. The winners though stood head and shoulders above the rest. Thanks to everyone who helped build the list of links, took the time to vote, and especially the researchers whose work we all rely upon. Congratulations!
Metasploit Framework GUI – Hot new MSF3 GUI.
I’m behind on my posting, but I’m going to do a quick post on the shiny new MSF3.1 GUI.
I’m not usually a GUI kinda guy but I do like the GUI specifically the browser option where you can just drag and drop files…way cool.
Here is the post from the framework list talking about getting it up and running on Linux and Windows.
I think it’s technically still in beta and not officially released, but it’s working well and I would expect a release soon.
From the SANS Information Security Reading Room: