Suggested Blog Reading – Monday February 18th, 2008

Ugh…I haven’t had a case of the flu like this for years. I’m finally over it (I think) and hopefully things will be getting back to normal soon.

Here is the list:

PHPIDS – Security Layer & Intrusion Detection for PHP Based Web Applications – This is an interesting tool that I haven’t heard about until today.

PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt.

From the SANS Information Security Reading Room:

Enterprise Security 2008 Learning Guide – Good collection of articles to check out.

2008 won’t just be a year of the same old network, application and compliance issues. New malware has hit the scene, cyberterrorist attacks have become more common, and virtualization technology has presented different enterprise network security challenges. Mike Chapple, Michael Cobb, Joel Dubin, Mike Rothman and Ed Skoudis explore various information security areas and point out the new threats that every organization needs to be ready for.

More on Hating Agents – Everyone hates them but they are required – no, not lawyers….I’m talking about log agents. Anton lists some good pros and cons for leveraging an agent to get you your logs.

I responded to a question about using agents for log collection on a mailing list (semi-public); I think this content also begs to be blogged.

Password Cracking Wordlists and Tools for Brute Forcing – Ever want to find a good word list for your audits?

I quite often get people asking me where to get Wordlists, after all brute forcing and password cracking often relies on the quality of your word list.

Do note there are also various tools to generate wordlists for brute forcing based on information gathered such as documents and web pages (such as Wyd – password profiling tool). These are useful resources that can add unique words that you might not have in your generic lists.

Also add all the company related words you can and if possible use industry specific word lists (chemical names for a lab, medical terms for a hospital etc).

Is the mobile malware threat overblown? – Overblown…maybe. Under-exploited…possibly. Not receiving the amount of attention it deserves…definitely!

The trouble for some IT pros is that security experts have been warning of growing mobile phone attacks for more than three years and the big event has yet to materialize.

Does this mean the mobile phone threat has been overblown all this time, over-hyped by security vendors generating FUD to sell new products? Not exactly.

True, enterprises continue to experience little by way of mobile phone attacks. But that’s only because companies are still limiting the functionality of such devices among employees. Just about everyone uses cell phones with Internet capabilities these days. But in the working world, use of the devices is still limited to making phone calls and checking email.

New Docs at SWGDE – Some new docs on forensics. Thanks Harlan.

The Scientific Working Group on Digital Evidence (SWGDE) has released some new documents, the most notable of which are the Vista Technical Notes, and the document on “Live Capture”.

Could computer forensics help your organisation? – Umm…ya?

Forensics is not yet a mainstream field and descriptions and definitions vary. Yet how do organisations integrate incident response, breach handling and forensic examination into a security strategy? That security strategy should be defined by policies and procedures to minimise security risk at the lowest cost and least disruption. It is a major challenge facing many CIOs…

Scary concept: Friendly worms – If this ever became a reality, which I doubt it will, how long would you expect it would take before someone exploited the updating and transport mechanism to “do evil”?

This isn’t a new idea, the concept of creating worms that patch your computer when you catch them. There is even some malware out there now that patches vulnerabilities on systems to make sure other worms can’t exploit the same vulnerabilities. But the problem is, if both beneficial and malign software show the same basic behavior patterns, how do you differentiate between the two? And what’s to stop the worm from being mutated once it’s started, since bad guys will be able to capture the worms and possibly subvert their programs?

SQL Injection Tutorial Now Available! – Very cool. Good for Oracle in taking a step to help people secure their product and applications.

By taking this self-study tutorial, you can arm yourself with techniques and tools to strengthen your code and applications against these attacks. This tutorial employs text and diagrams to present concepts, design issues, coding standards, processes, and tools. Flash-based demos and simulations allow you to visualize what you have learned, and assessment quizzes help you gauge your learning progress.

Suggested Blog Reading – Sunday February 10th, 2008

I’m a little confused why more snow has fallen over the past 3 months than has fallen over the past 2 years. I’m getting sick of clearing it!

Here is the list:

Birth of IPv6 – Is your organization pushing towards IPv6? I didn’t think so 🙂

Well tonight’s the night. For the first time, IPv6 domain resolution will be possible from a root server. Just a few addresses mind you, according to this article. You may ask “what took so long?”. The answer is that we did not really need it. IPv6 bakes in some security that was addressed by SSL in IPv4 so that driver did not help. The other issue, a rapidly depleting address space, was managed by NAT(Network Address Translation). But now depletion is really staring us in the face. It is getting hard to get address space. Soon you will see the first bidding wars for owners of large blocks of free IP addresses. Technically you are not allowed to sell IP addresses so don’t expect a market for them. But do expect high valuations for shells that control IP address blocks.

(IN)SECURE Magazine Issue 15 – Looks like Issue 15 is finally out.

Articles in this issue include: Proactive analysis of malware genes holds the key to network security, Advanced social engineering and human exploitation, part 1, Free visualization tools for security analysis and network monitoring, Hiding inside a rainbow, Internet terrorist: does such a thing really exist?, Weaknesses and protection of your wireless network, Fraud mitigation and biometrics following Sarbanes-Oxley, QualysGuard visual walkthrough, Application security matters: deploying enterprise software securely, Web application vulnerabilities and insecure software root causes: solving the software security problem from an information security perspective, A dozen demons profiting at your (in)convenience, The insider threat: hype vs. reality, Interview with Andre Muscat, Director of Engineering at GFI Software, How B2B gateways affect corporate information security, Reputation attacks, a little known Internet threat, Italian bank’s XSS opportunity seized by fraudsters, The good, the bad and the ugly of protecting data in a retail environment, Interview with Mikko Hypponen, Chief Research Officer for F-Secure, Interview with Richard Jacobs, Technical Director of Sophos and Interview with Raimund Genes, CTO Anti-Malware at Trend Micro.

A funny thing happened on the way to reviewing my logs – Interesting article from Andy Willingham on his journey implementing a SIEM solution.

At work we’re in the process of implementing a SIEM (Security Information Event Management) system. I’ll leave the vendor nameless for the moment but they have a reputation of making most everything harder than it needs to be. Until that time all logs have to be reviewed manually and obviously that means that they are not reviewed in real time. I have others that monitor most of the logs but I monitor our IPS logs from the UTM device. Usually I review them each morning when I come in but last week I didn’t get a chance to so yesterday I was playing catchup.

Interesting tool – pdump.exe – I’ll have to give this a shot.

Toni at Teamfurry.com has a new tool that has some interesting functionality, it dumps process memory, but it also saves each allocated memory region to a separate file.

I’ve played with it a little bit and it seems like it has potential.

Rebecca Herold’s 2008 speaking dates – If you’re in the area I strongly suggest you drop by and check out one of Rebecca’s presentations.

January 18: The Importance of Verifying Third Party Security Programs
Learning event at the Grand Rapids, Michigan ISSA chapter meeting
Web Site: http://www.gr-issa.org/

February 21: Anatomy of a Privacy Breach
Learning event at the University of California, Berkeley
Web Site: http://www.truststc.org/seminar.htm

March 18: Anatomy of a Privacy Breach
Learning event at the Iowa ISACA chapter meeting

April 27: The 30 Second Security Pitch
Learning event at the CSI SX conference
Web Site: http://www.csisx.com/conference/view-by-day.php

April 30 & May 1: Executive Summit: Security and Privacy Collaboration
2-day learning workshop at the CSI SX conference
Web Site: http://www.csisx.com/conference/workshops.php

July 23 & 24: Executive Summit: Security and Privacy Collaboration
2-day learning workshop hosted by the Charlotte, North Carolina ISACA chapter.

Getting over the hump with vulnerability counts – What is more important? The total number of vulnerabilities or the number of highly exploitable vulnerabilities?

Should our vulnerability counts be going up or going down? That is an important question every security professional should be considering when laying out a security program.

If you believe vulnerability counts should be increasing, then presumably you believe that we are only covering the tip of the iceberg with respect to the total number of vulnerabilities in production. In this case, you are taking a short-term view of what is happening in security – it is okay to be hoping the counts increase in the short term, but eventually you want them to decrease (right?).

Give yourself a little time with SQL Injection – Interesting article on blind SQL injection.

I was recently involved in web application assessment and discovered something that I wanted to pass along. Keep in mind that this has probably been utilized before, but it is something that I just noticed so … I wanted to throw it out for your amusement.
To set the stage, I had been looking at this application for quite some time and had an idea that SQL Injection might exist, but I was having much difficulty determining if the injection was actually present. The application was catching errors, displaying 404’s, (etc) and really not displaying any good data to make a decision. So …. the question was … if the application is catching our errors and really not giving us anything to work with … how could we ask the question to the database to indicate if we were actually getting our requests processed by the database server?
Answer? Time.
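The excerpt’s point is that elapsed time is the only signal the application leaks, and that same signal is visible to a defender in the web server logs. As an added example (not from the original post), this Python script scans a constructed access log and flags clients whose requests to an endpoint take far longer than that endpoint’s typical latency; the log format with the request duration in microseconds appended as the last field is an assumption.

```python
"""Flag clients whose requests are abnormally slow for the endpoint they hit.

Added example, not from the original post. Assumes an Apache-style access
log with the request duration in microseconds appended as the last field;
the log lines are constructed. Parameter values are left as plain ids
because the detection relies on timing alone, not on request contents.
"""
import re
import statistics
from collections import defaultdict

SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2008:09:12:01 -0500] "GET /item.php?id=42 HTTP/1.1" 200 5120 180000
10.0.0.6 - - [10/Feb/2008:09:12:03 -0500] "GET /item.php?id=43 HTTP/1.1" 200 5100 175000
10.0.0.5 - - [10/Feb/2008:09:12:08 -0500] "GET /item.php?id=44 HTTP/1.1" 200 5090 190000
10.0.0.7 - - [10/Feb/2008:09:12:20 -0500] "GET /item.php?id=42 HTTP/1.1" 200 5120 170000
10.0.0.6 - - [10/Feb/2008:09:12:31 -0500] "GET /item.php?id=45 HTTP/1.1" 200 5000 200000
10.0.0.8 - - [10/Feb/2008:09:12:40 -0500] "GET /item.php?id=46 HTTP/1.1" 200 5010 180000
10.0.0.9 - - [10/Feb/2008:09:13:10 -0500] "GET /item.php?id=42 HTTP/1.1" 404 310 5200000
10.0.0.9 - - [10/Feb/2008:09:13:22 -0500] "GET /item.php?id=42 HTTP/1.1" 404 310 5100000
10.0.0.9 - - [10/Feb/2008:09:13:40 -0500] "GET /item.php?id=42 HTTP/1.1" 404 310 10300000
10.0.0.5 - - [10/Feb/2008:09:14:01 -0500] "GET /report.php HTTP/1.1" 200 90000 4000000
10.0.0.6 - - [10/Feb/2008:09:14:30 -0500] "GET /report.php HTTP/1.1" 200 91000 4100000
10.0.0.7 - - [10/Feb/2008:09:15:02 -0500] "GET /report.php HTTP/1.1" 200 90500 3900000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\S+) (?P<usec>\d+)$"
)


def parse(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["endpoint"] = rec["path"].split("?", 1)[0]  # drop the query string
    rec["secs"] = int(rec["usec"]) / 1_000_000
    return rec


def find_slow_probes(lines, min_secs=2.0, ratio=5.0, min_samples=3):
    """Return sorted (ip, endpoint, hits, max_secs) tuples.

    A request is suspicious when it is at least min_secs long AND at least
    ratio times the endpoint's median latency. Endpoints with fewer than
    min_samples requests have no usable baseline and are ignored, and
    endpoints that are slow by design (reports, exports) are not flagged.
    """
    events = [e for e in (parse(l) for l in lines) if e]
    per_endpoint = defaultdict(list)
    for e in events:
        per_endpoint[e["endpoint"]].append(e["secs"])
    baseline = {ep: statistics.median(v) for ep, v in per_endpoint.items()
                if len(v) >= min_samples}
    hits = defaultdict(list)
    for e in events:
        base = baseline.get(e["endpoint"])
        if base is not None and e["secs"] >= min_secs and e["secs"] >= ratio * base:
            hits[(e["ip"], e["endpoint"])].append(e["secs"])
    return sorted((ip, ep, len(v), max(v)) for (ip, ep), v in hits.items())


if __name__ == "__main__":
    for ip, ep, n, worst in find_slow_probes(SAMPLE_LOG.splitlines()):
        print(f"{ip} -> {ep}: {n} abnormally slow requests, worst {worst:.1f}s")
```

A real deployment would compute the per-endpoint baseline over a longer window than the handful of lines used here, so that a burst of slow probes cannot drag the median up.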

Security Metrics – How Often Should We Scan? – Personally, I think your frequency of scans should be dictated by the criticality of the systems, the type of systems, the data stored on the systems, and of course…your documented security policy.

I get this question from Nessus users and Tenable customers very often. They want to know if they are scanning too often, not often enough and they also want to know what other organizations are doing as well. In this blog entry, we will discuss the many different reasons why people perform scans and what factors can contribute to their scanning schedule.

German Police Creating LE Trojan – “Law Enforcement Trojan”? I’m not sure if this will fly.

German cops are pushing ahead with controversial plans, yet to be legally approved, to develop “remote forensic software” – in other words, a law enforcement Trojan. Leaked documents outline proposals by German firm Digitask to develop software to intercept Skype VoIP communications and SSL transmissions. A second leaked document from the Bavarian Ministry of Justice outlines costing and licensing proposals for the software. Both scanned documents (in German, natch) have found their way onto the net after being submitted to Wikileaks…

From the SANS Information Security Reading Room:

Spending for IT security gains ground in 09 budget – I can’t remember a time when security/IT/(random item) spending wasn’t “gaining ground”.

New details on federal IT spending plans, made available by the Office of Management and Budget today, show that $103 out of every $1,000 requested for IT spending next fiscal year — or about $7.3 billion in total — will be devoted to improving IT security. That is 9.8 percent more than what was slated for fiscal 2008, and 73 percent more than the $4.2 billion budgeted for cybersecurity in fiscal 2004.

DFRWS 2008 Announcement – I need to come up with a paper for this 🙂

The DFRWS 2008 CfP and Challenge have been posted!

The CfP invites contributions on a wide range of subjects, including:

  • Incident response and live analysis
  • File system and memory analysis
  • Small scale and mobile devices
  • Data hiding and recovery
  • File extraction from data blocks (“file carving”)

And here’s a couple that should be interesting:

  • Anti-forensics and anti-anti-forensics
  • Non-traditional approaches to forensic analysis

Submission deadline is 17 Mar, with author notification about 6 wks later.

Python for Bash scripters: A well-kept secret – Good post for all of us who know Bash scripting but want to break into Python.

Python is easy to learn, and more powerful than Bash. I wasn’t supposed to tell you this–it’s supposed to be a secret. Anything more than a few lines of Bash could be done better in Python. Python is often just as portable as Bash too. Off the top of my head, I can’t think of any *NIX operating systems that don’t include Python. Even IRIX has Python installed.

The Flow of MBR Rootkit Trojan Resumes – Why…won’t…this…die?

Back in the final weeks of 2007 the GMER team discovered the emergence of a new rootkit that hooked into the Windows master boot record (MBR) in order to take control of a compromised computer. The people responsible for this threat kept busy cranking out newly compiled versions of this Trojan in the weeks following its discovery. However, near the beginning of January the output of new variants mysteriously halted. Taking a quick look at the following table of Trojan.Mebroot sample data it appears as though a massive QA plan was performed by the gang, starting back in November 2007.

A Practical Approach to Managing Information System Risk – Another paper to check out.

The mantra spinning around in the heads of most security managers affirms that managing security is about managing risk. Although they know this is the right approach, and they understand the importance of balance in designing and implementing security controls, many of them—including me—came up through the ranks of network engineering, programming, or some other technical discipline. While this prepared us for the technology side of our jobs, the skills necessary to assess and understand business risk arising from the use of information systems were not sufficiently developed.

Suggested Blog Reading – Sunday January 27th, 2007

I’ve got everything into the publisher for my book, with the exception of a few edits, so I’m quite excited/relieved/tired. You can already pre-order on most popular book sites.

Here is the list:

SVASE Guerrilla PR – Not security related but for those trying to heighten their PR presence it is certainly a good read.

A few days ago I was at a SVASE meeting and the topic was on guerrilla PR. This was my first SVASE meeting, so I didn’t really know what to expect. I felt like I was the only bootstrap startup, as everyone I talked to was funded by angels or VCs.

Free AV Scanners – Harlan was kind enough to point out a collection of free AV tools. Check it out.

Many times during an examination, you may want to do a little data reduction, by scanning your image for the presence of malware. While this should not be considered a 100% guarantee that there is no malware if there are no hits, this may lead you to something and narrow your search a bit. Again, this is just a tool, something that as a forensic analyst you can use.

Social Engineering Schemes Increase: Great Case Study From An Actual Event – I do love a good case study.

Just today I have already read in my daily news items 5 articles about social engineering! One in particular, “CUNA Mutual Warns on Costly HELOC Scam,” provides not only a great example of a current social engineering scam, but it would also make a great case study for social engineering training and within your awareness communications and activities. Here’s a quick overview…

The Worst IT Security Breaches of 2007 – They’re probably still fresh in your head but here is a link in case you need to reference them for a future presentation.

Every year sees a fresh crop of security breaches. Most go unreported, unless they involve consumers’ personal data, at which point companies are required to give timely public notice of security breaches. The following list of 2007’s worst security breaches consists mainly of such reportable incidents. The incidents are sorted in descending order of severity based on how many individuals were potentially affected.

Tips from an RHCE: Visualizing audit logs with mkbar – Log visualization on the cheap.

The 2.6 Linux kernel comes with a very flexible and powerful auditing subsystem called auditd. auditd is composed of two parts. The main work is done in kernel-space (kernel/audit.c, kernel/auditsc.c). In user-land, auditd is listening for generated audit events. auditd is able to log file-watches as well as syscalls. All LSM-based subsystems–for example, SELinux–are logging via auditd as well. All events are written to /var/log/audit/audit.log.

Steve Grubb wrote a small script called mkbar. It converts these lines into gnuplot-compatible data. Gnuplot is a 2D/3D plotting program which is able to produce nice-looking graphics. If you would like to get a graphic showing which SELinux file types are generating an AVC message (and in what proportions), just call aureport and pipe its output through mkbar…
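To make the aureport/mkbar pipeline concrete, here is an added example (my own code, not Steve Grubb’s mkbar script) that does the equivalent job straight from audit.log: it counts AVC denials per SELinux target type and writes gnuplot-compatible data plus a minimal plot script. The AVC lines are constructed samples in the kernel’s audit record format.

```python
"""Turn SELinux AVC records from audit.log into gnuplot bar-chart data.

Added example, not Steve Grubb's mkbar script: it reads raw AVC lines
instead of aureport output and counts denials per target (object) type.
The audit lines below are constructed samples in the kernel's audit format.
"""
import re
from collections import Counter

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1202659200.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1202659200.123:456): arch=40000003 syscall=5 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1202659201.001:457): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/home/bob/public_html" dev=sda1 ino=98700 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1202659205.500:460): avc:  denied  { write } for  pid=2201 comm="smbd" name="share" dev=sda2 ino=1200 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1202659210.777:463): avc:  denied  { read } for  pid=1234 comm="httpd" name=".htaccess" dev=sda1 ino=98766 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1202659222.010:470): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

# Only AVC records carry the verdict and the target security context.
AVC_RE = re.compile(
    r"^type=AVC .*? avc:\s+(?P<verdict>denied|granted)\s+\{[^}]*\} "
    r".*? tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)"
)


def avc_type_counts(lines, verdict="denied"):
    """Count AVC records per SELinux target type (user:role:TYPE[:level])."""
    counts = Counter()
    for line in lines:
        m = AVC_RE.match(line)
        if not m or m.group("verdict") != verdict:
            continue  # SYSCALL, PATH and other record types are skipped
        fields = m.group("tctx").split(":")
        if len(fields) >= 3:
            counts[fields[2]] += 1
    return counts


def to_gnuplot_data(counts):
    """One '<type> <count>' row per line, largest first (ties alphabetical)."""
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return "\n".join(f"{t} {n}" for t, n in rows)


def gnuplot_script(datafile="avc.dat", outfile="avc.png"):
    """Minimal gnuplot commands that draw the data file as a bar chart."""
    return "\n".join([
        "set terminal png",
        f"set output '{outfile}'",
        "set style data histograms",
        "set style fill solid 0.5",
        "set xtics rotate by -45",
        "set ylabel 'AVC denials'",
        f"plot '{datafile}' using 2:xtic(1) title 'by target type'",
    ])


if __name__ == "__main__":
    counts = avc_type_counts(SAMPLE_AUDIT_LOG.splitlines())
    with open("avc.dat", "w") as fh:
        fh.write(to_gnuplot_data(counts) + "\n")
    with open("avc.gp", "w") as fh:
        fh.write(gnuplot_script() + "\n")
    print(to_gnuplot_data(counts))  # then run: gnuplot avc.gp
```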

Great Malware Visualizations – Wow…that IS really cool 🙂

Wow, these are très cool. They are from Alex Dragulescu, done for messagelabs‘ latest marketing. Found via the always excellent infosthetics blog. Hit infosthetics for more information on the visualization technique.

Top IT Security Threats of 2008 – Hmmm…do you agree or disagree?

The SANS (SysAdmin, Audit, Networking and Security) Institute has released its list of the top 10 cybersecurity threats for 2008. The list includes new developments of evergreen security risks: new exploitations of browser vulnerabilities; worms with advanced P2P (peer-to-peer) technologies; and insider attacks by rogue employees, consultants or contractors.

malware unpacking tutorial videos – Good catch, Michael. I agree with you…reverse engineering is cool but it’s not something that I think I could wrap my head around.

I’m not a big software de-engineering guy or reverser and I don’t see myself gaining those skills in the next couple years, but someday I might get interested in the topic. While books and blogs and personal contacts are good resources, I really like seeing everything put together and the end results. Here are two video tutorials on unpacking and examining malware from Frank Boldewin over at Offensive Security.

The growth of malware – This is somewhat alarming…

It’s worth noting that these numbers are also increasing because of variants — i.e. the same Trojan will be changed sometimes hourly or daily just to try and fool the scanners. So it’s not like there’s over 5 million unique pieces of malware. There are many that are variants of the same piece of malware.

NERC CIP Rules Out – Logs In! – You should check this out too.

NERC security rules [PDF], that were updated and became mandatory last week, might well become “a new PCI DSS” and trigger “a golden age” of security in the energy industry: the rules are mandatory, they are specific (more specific than a lot of other regulatory security guidance) and there is an enforcement body (NERC) that can make life miserable for those not complying.

Visa reports high compliance numbers – Good to see that compliance levels are high…repeat….compliance levels are high.

Visa Inc. announced today that as of the end of 2007, more than three-fourths of the largest U.S. merchants [Level 1] and nearly two-thirds of medium-sized merchants [Level 2] have now validated their compliance with the Payment Card Industry Data Security Standard (PCI DSS). Merchants in these two categories account for approximately two-thirds of Visa’s U.S. transaction volume.

Bridging Security and Visualization – Cool post, and associated video, from Raffy.

OnSecrity just released another video of the conversation we recorded last year during RSA. I am talking about security visualization in light of the book I am working on. This video cast is the sequel to the first one that I posted a few days ago.

Top Ten Web Hacks of 2007 (Official) – Incredible. I’m having a hard time wrapping my head around the number of web hacks in 2007. Kind of makes you sick, doesn’t it?

The polls are closed, votes are in, and we have ten winners making up the Top Ten Web Hacks of 2007! The competition was fierce. The information security community put 80 of the newest and most innovative Web hacking techniques to the test. The voting process saw even some attempts at ballot stuffing, but to no avail, and very few techniques received zero votes. The winners though stood head and shoulders above the rest. Thanks to everyone who helped build the list of links, took the time to vote, and especially the researchers whose work we all rely upon. Congratulations!

Metasploit Framework GUI – Hot new MSF3 GUI.

I’m behind on my posting, but I’m going to do a quick post on the shiny new MSF3.1 GUI.

I’m not usually a GUI kinda guy but I do like the GUI, specifically the browser option where you can just drag and drop files…way cool.

Here is the post from the framework list talking about getting it up and running on Linux and Windows.

I think it’s technically still in beta and not officially released but it’s working well and I would expect a release soon.

From the SANS Information Security Reading Room:

