Suggested Blog Reading – Monday May 5th, 2008

I went and played my first round of golf yesterday…and boy am I sore. I probably won’t be posting a SBR next weekend as I’ll be busy at SANS Toronto 2008. If you’re there then please pull me aside and say hello.

Here is the list:

Virtual server sprawl highlights security concerns – This is a security risk that management really needs to be made aware of.

Think server sprawl is bad now? Just wait till you experience virtual server sprawl. When users can clone a virtual machine with the click of a mouse, or save versions of applications and operating systems for later use, you’re asking for trouble if IT doesn’t maintain tight control, virtualization management vendor Embotics warned in a session at Interop Las Vegas Tuesday. (Look through our slideshow at other products shown at Interop.)

Interpol: Olympics cyberattack not a major threat – I’m still not convinced. I think that the Olympics would be a prime political target to make a statement.

The main concern for the Olympic Games is the physical security of the visitors who are going to China and to avoid any terrorism attack. Of course, Interpol is involved in the security of the Olympic Games and we are in a close relationship with the authorities. We are going to provide access to our global databases. We will send a team which will be connected to the Interpol network. We have already trained people.

But for the time being, we are providing threat assessment for the Olympic Games and we did not detect a main threat regarding cybercrime. It would maybe be an attack on a small network regarding the tickets.

The Hunt for the Kill Switch – How scary is the thought of this?

Last September, Israeli jets bombed a suspected nuclear installation in northeastern Syria. Among the many mysteries still surrounding that strike was the failure of a Syrian radar—supposedly state-of-the-art—to warn the Syrian military of the incoming assault. It wasn’t long before military and technology bloggers concluded that this was an incident of electronic warfare—and not just any kind.

Post after post speculated that the commercial off-the-shelf microprocessors in the Syrian radar might have been purposely fabricated with a hidden “backdoor” inside. By sending a preprogrammed code to those chips, an unknown antagonist had disrupted the chips’ function and temporarily blocked the radar.

88,000 Patients at Risk After Computer Theft – Tsk, Tsk…should have protected the data better.

Staten Island University Hospital is alerting patients about a December 07 equipment theft. Thieves made off with a desktop computer and backup hard drive from an administrative office in Rosebank. This equipment contained names, Social Security numbers and health insurance numbers on 88,000 SIUH patients. According to a statement from the hospital, letters are being sent to affected individuals and the hospital is offering one year of free credit monitoring. SIUH spokesperson Arleen Ryback said that the equipment does not contain any medical records but would not comment on why it took SIUH so long to notify patients.

Radio Free Europe hit by DDoS attack – Ironic that a CIA-sponsored project, started to prevent the spread of Communism during the Cold War, wasn’t better prepared to deal with an attack.

Websites run by Radio Free Europe have been under a fierce cyber attack that coincided with coverage over the weekend of a rally organized by opposition to the Belarusian government.

The distributed denial of service (DDoS) attack initially targeted only the RFE’s Belarus service, which starting on Saturday was inundated with as many as 50,000 fake pings every second, according to this RFE account. On Monday, it continued to be affected. At least seven other RFE sites for Kosovo, Azerbaijan, Tatar-Bashkir, Farda, South Slavic, Russia and Tajikistan, were also attacked but have mostly been brought back online.

UCSF Patient Information Available Online – Tsk, tsk again.

The University of California, San Francisco is alerting patients after personal patient information connected with the university was found online. In October of 2007, UCSF became aware that patient information the university had shared with Target America Inc. to help identify potential donors was available online. The information available included the names, addresses, names of departments where patients received care and in some cases patient medical record numbers and physicians providing care on 6,313 UCSF patients. UCSF took immediate action to remove public access to the data once it was aware of the incident. In addition, UCSF ended the business agreement it had with Trade America shortly after the incident was discovered. UCSF mailed notification letters to the affected patients in April. It is not known why UCSF waited so long to notify patients about the exposure.

Botnet attacks military systems – I wonder just how much spam you would have to receive before you considered it an “attack”? I get around 300-400 per day right now 🙂

Security researchers have discovered a complex spamming scheme that hijacks users’ PCs in order to attempt to send junk mail via university and military systems.

Researchers at Romania-based BitDefender said the scheme, based on a backdoor called Edunet, was one of the most complicated and mysterious they’ve come across.

Stepped Up Cyber Role for Spy Agencies – I suspect that this has been going on for years but the government is probably making it public as a token offering to show their “commitment to fighting the great cyber threat”.

America’s spy agencies for the first time would be tasked with gathering intelligence on threats to the nation’s computer networks under a policy set to be detailed by the White House next week, a senior administration official said Wednesday.

Speaking at a security conference in Washington, the official said the Bush administration wants to harness the intelligence community’s offensive capabilities in defense of government and civilian computer systems.

Cubans able to shop for PCs – Good for residents of Cuba. I’m glad to see that things are starting to turn around down there.

Personal computers have gone on sale to the general public in Cuba for the first time.

President Raul Castro’s government authorized the sale of computers to average Cubans more than a month ago, but they are only now arriving on store shelves.

Personal computers are the latest in a growing list of measures the younger brother of longtime leader Fidel Castro has taken to make life easier for ordinary Cubans.

China mounts cyber attacks on Indian sites – I’d be interested to see the logs and traffic to determine their capabilities and attack vectors.

China’s cyber warfare army is marching on, and India is suffering silently. Over the past one and a half years, officials said, China has mounted almost daily attacks on Indian computer networks, both government and private, showing its intent and capability.

Suggested Blog Reading – Sunday April 20th, 2008

I really apologize for not posting a SBR post since February but I was a touch burnt out. Now that I’m back from vacation, expect to see more frequent posting (I promise this time…no fooling).

Here is the list:

RegRipper – Harlan Carvey has posted several posts lately (here, here, here, and here) about his RegRipper tool. I suggest you check it out.

Striving For PCI DSS Log Management Compliance Also Helps To Identify Attacks From The Outside – I haven’t read through the entire article yet but, from what I did read, it looks quite promising. I may do a full post in response to the key points in the coming days.

The second paper in my series on PCI DSS log management compliance, “Using PCI DSS Compliant Log Management To Identify Attacks From The Outside” is now available.

And, as I’ve been blogging about over the past few days, log management is about much more than systems; it is about the entire management process, and the need to have policies, procedures and address the ways in which personnel review and know how to interpret the logs.

Expanding Government Liability for Data Breach – I think “damages” are probably due to be redefined.

An interesting decision came down last week by U.S. District Court for the District of Columbia that could potentially change the financial liability of data breaches by government agencies and private corporations. For the first time, the district court held that government employees who claimed that a data breach by the Transportation Service Agency (TSA) caused them harm have a valid cause of action against the government. Recent rulings in state courts have dismissed claims for lack of merit based on insufficient proof of emotional harm or financial damage.

SANS Internet Storm Center Starts Monthly Podcast – Wow this is cool. I’m glad that this is happening.

If you don’t have the time or interest to read about the latest IT security news, the podcast or some of the other security podcasts might help you keep up.

CEH/CPTS Certification != competent pentester – Tools are only good in the hands of people who are trained to use them but tools, combined with experience, will always produce superior results.

Bottom line, tools are just tools, they help humans get jobs done. They aren’t and shouldn’t be the only thing used on a pentest. The other point is experience is king, granted the original poster is getting experience, but giving CORE to a brand new tester is not going to help them get better. There is a reason A LOT of subjects are taught the hard way first then you get taught “the shortcut.” Oh, and passing a multiple choice test is not a real demonstrable measure of ability.

Network IDS & IPS Deployment Strategies from the SANS Information Security Reading Room

Solera V2P Tap – It was only a matter of time until someone invented this. I personally think that this is a great, and very useful, invention.

It looks like Solera Networks built a virtual tap, as I hoped someone would. I mentioned it to Solera when I visited them last year, so I’m glad to see someone built it. I told them it would be helpful for someone to create a way for virtual switches to export traffic from the VM environment to a physical environment, so that a NSM sensor could watch traffic as it would when connected to a physical tap.

What’s new in vulnerability management? – Curious what’s happening with your vulnerability management solution? Have a read.

For too long the vulnerability management vendors have been quiet. In fact the whole sector has taken on the “mature” label which seems to indicate there is no new innovation happening. Recently though we have seen some new announcements in this area. Also, Gartner should have a new marketscope due out soon.

The Top 10 Security Events of 2008 – Were you “where it was at”?

The event season is here, bringing a flood of security-related conferences, seminars, trade shows and other gatherings designed to help business owners and managers learn how to better protect their IT environments. Here’s a quick rundown of the top 10 events coming up in 2008. And check out the IT Security blog for live blogging and event updates.

Windows Server 2008 Security Events Posted – Awesome! Here is the link to the spreadsheet:

Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy category and subcategory for your reference.

Check it out in the Knowledge Base.

Even better, they documented all the events in spreadsheet format, and that’s propagating to the Microsoft Download Center. I’ll publish the link when it’s online.

Loads.CC Bot Still Live, Still Targeted – More info about the Loads.CC bot that you should probably check out.

Enough has been written about the Loads.CC team to probably give you enough of a picture that you need to know. Some reports suggested they went away, but they didn’t. They’re still active. See these reports by RBN exploit, CIO magazine, this PC Week article by Scott B, and Adam T for a good background. The team is still quite active.

Fun Reading on Security – 1 – Here’s a pile of Anton’s favorite links over the past few days.

Instead of my usual “blogging frenzy” machine gun blast of short posts, I will just combine them into my new blog series “Fun Reading on Security.” Here is an issue #1, dated April 18, 2008.

The Six Dumbest Ideas in Computer Security – Marcus Ranum takes a run at the dumbest ideas in computer security.

Let me introduce you to the six dumbest ideas in computer security. What are they? They’re the anti-good ideas. They’re the braindamage that makes your $100,000 ASIC-based turbo-stateful packet-mulching firewall transparent to hackers. Where do anti-good ideas come from? They come from misguided attempts to do the impossible – which is another way of saying “trying to ignore reality.” Frequently those misguided attempts are sincere efforts by well-meaning people or companies who just don’t fully understand the situation, but other times it’s just a bunch of savvy entrepreneurs with a well-marketed piece of junk they’re selling to make a fast buck. In either case, these dumb ideas are the fundamental reason(s) why all that money you spend on information security is going to be wasted, unless you somehow manage to avoid them.

Ned on Auditing – I’m going to add this to my RSS watch list. Perhaps something good will show up from the elusive Ned that will help me out.

I often talk about Ned, who is the current subject matter expert in Microsoft product support for the auditing feature in the US (Fadi is your guy in the Middle East and we have a couple of guys in Europe). Well, Ned has a blog and I thought I’d point you guys there. His recent posts on auditing include a description of how to deploy the special groups logon auditing feature with group policy.

Suggested Blog Reading – Monday February 18th, 2008

Ugh….I haven’t had a case of the flu like this for years. I’m finally over it (I think) and hopefully things will be getting back to normal soon.

Here is the list:

PHPIDS – Security Layer & Intrusion Detection for PHP Based Web Applications – This is an interesting tool that I hadn’t heard about until today.

PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt.

From the SANS Information Security Reading Room:

Enterprise Security 2008 Learning Guide – Good collection of articles to check out.

2008 won’t just be a year of the same old network, application and compliance issues. New malware has hit the scene, cyberterrorist attacks have become more common, and virtualization technology has presented different enterprise network security challenges. Mike Chapple, Michael Cobb, Joel Dubin, Mike Rothman and Ed Skoudis explore various information security areas and point out the new threats that every organization needs to be ready for.

More on Hating Agents – Everyone hates them but they are required – no, not lawyers….I’m talking about log agents. Anton lists some good pros and cons for leveraging an agent to get you your logs.

I responded to a question about using agents for log collection on a mailing list (semi-public); I think this content also begs to be blogged.

Password Cracking Wordlists and Tools for Brute Forcing – Ever want to find a good word list for your audits?

I quite often get people asking me where to get Wordlists, after all brute forcing and password cracking often relies on the quality of your word list.

Do note there are also various tools to generate wordlists for brute forcing based on information gathered such as documents and web pages (such as Wyd – password profiling tool). These are useful resources that can add unique words that you might not have in your generic lists.

Also add all the company related words you can and if possible use industry specific word lists (chemical names for a lab, medical terms for a hospital etc).

Is the mobile malware threat overblown? – Overblown…maybe. Under-exploited…possibly. Not receiving the amount of attention it deserves…definitely!

The trouble for some IT pros is that security experts have been warning of growing mobile phone attacks for more than three years and the big event has yet to materialize.

Does this mean the mobile phone threat has been overblown all this time, over-hyped by security vendors generating FUD to sell new products? Not exactly.

True, enterprises continue to experience little by way of mobile phone attacks. But that’s only because companies are still limiting the functionality of such devices among employees. Just about everyone uses cell phones with Internet capabilities these days. But in the working world, use of the devices is still limited to making phone calls and checking email.

New Docs at SWGDE – Some new docs on forensics. Thanks Harlan.

The Scientific Working Group on Digital Evidence (SWGDE) has released some new documents, the most notable of which are the Vista Technical Notes, and the document on “Live Capture”.

Could computer forensics help your organisation? – Umm…ya?

Forensics is not yet a mainstream field and descriptions and definitions vary. Yet how do organisations integrate incident response, breach handling and forensic examination into a security strategy? That security strategy should be defined by policies and procedures to minimise security risk at the lowest cost and least disruption. It is a major challenge facing many CIOs…

Scary concept: Friendly worms – If this ever became a reality, which I doubt it will, how long would you expect it would take before someone exploited the updating and transport mechanism to “do evil”?

This isn’t a new idea, the concept of creating worms that patch your computer when you catch them. There is even some malware out there now that patches vulnerabilities on systems to make sure other worms can’t exploit the same vulnerabilities. But the problem is, if both beneficial and malign software show the same basic behavior patterns, how do you differentiate between the two? And what’s to stop the worm from being mutated once it’s started, since bad guys will be able to capture the worms and possibly subvert their programs?

SQL Injection Tutorial Now Available! – Very cool. Good for Oracle in taking a step to help people secure their product and applications.

By taking this self-study tutorial, you can arm yourself with techniques and tools to strengthen your code and applications against these attacks. This tutorial employs text and diagrams to present concepts, design issues, coding standards, processes, and tools. Flash-based demos and simulations allow you to visualize what you have learned, and assessment quizzes help you gauge your learning progress.