Interesting Information Security Bits for July 21st, 2008

July 21, 2008

And we’re off.

From the Blogosphere

Via F-Secure’s blog, a discussion of what needs to happen to exploit the Microsoft Access Viewer vulnerability under a couple of different scenarios. Worth a look.

Gunnar Peterson has a pointed view of outside vs. inside as it applies to our enterprise networks. I won’t spoil it for you since it is a good read.

Jeremiah has a survey up for Web Application Security Professionals. He will be releasing the results in the near future. I took it and so should you if you have anything to do with WebApp security. Good questions.

Via Wesley McGrew, Princeton released their tools for dumping and retrieving keys from memory after a cold boot. There was a bit of twittering going on about these tools during The Last HOPE conference. Interesting stuff.

Via DevCentral, a new Google tech talk is up. This time covering SQL injection, XSRF, and XSSI. Good stuff.

LearnSecurityOnline has released Crackme 0x04 for us to solve.

TaoSecurity has a perspective on the recent DNS vulnerability that is worth reading.

The tisecurityguy brings to our attention an open source tool for tracking your laptop should it be stolen. As he says, “best of all, it’s open source, which means free.”

From the Newsosphere

DarkReading: The U.K.’s Ministry of Defence lost some USB sticks... with secret information on them.

DarkReading: Damballa Inc. is to release a new tool for malware analysis at Black Hat 2008 in Las Vegas. Free to enterprises and vendors.

Information Week: RIM has fixed the BlackBerry Enterprise Server PDF vulnerability.

That’s all folks. Have a great day.

Kevin



Interesting Information Security Bits for July 18th, 2008

July 18, 2008

Here ya go.

From the Blogosphere

0x000000 has posted the first of a series of pieces covering Mozilla malware, how to write it and how to detect it. Interesting stuff.

CG has a post up about a tool called Metagoofil and how it can be used to develop an email list. Very interesting stuff. I haven’t played with it yet, but will be soon.

Tenable has set up a way for charities and classrooms that provide information security training to get a full professional feed for free. Way to go Tenable.

Have a good one.

Kevin



Interesting Information Security Bits for July 17th, 2008

July 17, 2008

Hello all. I apologize for the lack of posts over the last couple of weeks. Life and death have taken up all my time. Things should be back to normal now. So without further ado, here are some things to take a look at today.

From the Blogosphere

Wesley over at McGrewSecurity has collected a bunch of links and embedded a bunch of videos of Dan Kaminsky talks. Very cool.

Craig at SecurityWannabe gives us a link to a video of Lee Kushner and Mike Murray’s talk about a career in Information Security. I attended their session at Defcon 15 and the informal Q&A after. Really good stuff. Go watch the video or, even better, attend their session at this year’s Defcon.

Rich Mogull writes on Securosis that he will be giving a webcast entitled Using Data Leakage Prevention and Database Activity Monitoring for Data Protection on July 29th. Register here. I’ll be watching. You should too.

Via security4all, VMware has released an updated paper on hardening ESX 3.5 and VirtualCenter 2.5. It can be found here.

From the Newsosphere

Via Dark Reading, Half of Financial Firms Don’t Investigate. That’s not good.

Via Tech Republic, When your network admin hijacks your system. Talks about the San Francisco situation you have already heard about.

Via Search Security, BlackBerry server faced with critical zero-day. There is a flaw in the PDF handling function of the BlackBerry Attachment Service. Bad stuff.

Via Dark Reading, MessageLabs Reveals Most Spammed States. Illinois apparently has the largest bull’s-eye painted on its forehead.

Via Information Week, Gmail Privacy Hole Shows User Names. Be careful with Google calendar.

That’s it for today’s bits. Have a great day.

Kevin


Interesting Information Security Bits for June 26th, 2008

June 26, 2008

Here we go.

From the Blogosphere.

F-Secure has released their Security Threat Summary for the First Half of 2008.

(IN)SECURE Magazine issue 17 is available. Good stuff as always.

Continuing their week of War on WAFs (Web Application Firewalls), ts/sci security talks about language specificity in WAFs.

Well, looky there, there’s a new zero-day flaw in Internet Explorer. Who’d a thunk it? Caveat: it is for version 6.

From the Newsosphere.

Nothing today.

Have a good one folks.

Kevin



Interesting Information Security Bits for June 25th, 2008

June 25, 2008

Hi there. Here are today’s interesting bits.

From the Blogosphere.

F-Secure has posted a notice about two Mac OS X trojans.

Adobe is in the news again with a patch for yet another critical PDF Reader flaw. Heads-up provided by Zero Day.

Via TaoSecurity, a post by Pascal Meunier, Virtualization Is Successful Because Operating Systems are Weak, puts forth an interesting way to look at virtualization.

What it looks like is that we have sinking boats, so we’re putting them inside a bigger, more powerful boat, virtualization…

Chris Eng at Veracode has Part 1 of Minimizing the Attack Surface up. Good read.

Security4all points us at a way to get Nessus 3 installed on Backtrack 3. Very cool, but watch that new licensing.

From the Newsosphere.

Verisign has been picked by Microsoft as the OpenID provider for users of HealthVault.

The Marshall Islands, a small country in the South Pacific, was effectively denied access to email by a denial of service attack.

Yahoo! Mail was vulnerable to an XSS attack which allowed access to confidential information. It’s fixed now.

Some HSBC websites are also susceptible to XSS attacks.

Surprise, surprise: Chinese networks host a large number of the websites pushing malware.

That’s it for today folks.

Have a good one.

Kevin



Interesting Information Security Bits for June 24th, 2008

June 24, 2008

Here are today’s bits.

From the Blogosphere.

Marcin has posted a really interesting treatise at the ts/sci security blog about Web Application Firewalls. Some really good stuff to think about.

The Princess of Antiquity continues her series on Cryptography (Non-Technical) with a post titled Earlier Forms of Cryptography. Very well written and easy to understand, with really good info.

Didier has given us another tool written in Python, apc-pr-log, which uses the AirPcap adapter to log all probe requests with an SSID for easy viewing. Should be fun to play with.

From the Newsosphere.

Whitehat Security has raised some VC cash. Congrats Jeremiah.

Sun has released version 8 of Identity Manager.

That’s it for today. Have a good one.

Kevin



Interesting Information Security Bits for June 23rd, 2008

June 23, 2008

Hi folks. Lots of stuff today so let’s just get to it.

From the Blogosphere.

Alan over at Security Thoughts answers Dre’s post about the CISSP being on its way out. I tend to agree with Alan more than Dre, but understand Dre’s point also. How’s that for being wishy-washy? Go read both.

Jeremiah asks 5 questions about webappsec in order to generate some conversation. Good reading in there.

By way of Zero Day, Sourcefire has released a free tool, OfficeCat, that attempts to scan Microsoft Office files for detection of possible exploits. Very nifty.

Rebecca has an article up that gives us Six Ways Organizations Can Lessen Mobile Computing Risks. Good collection of things to think about.

Matasano has some comments available about several vulnerabilities in Ruby. Everybody using Ruby has some patching to do.

Anton is happy about the release of the CEE (Common Event Expression) white paper.

Jeremiah is really on a roll with the asking of interesting questions that spark some great interaction. The question this time, “Day 1: Starting at the beginning”: you’re a new hire in charge of security; what are your first steps? BTW - congratulate him on achieving his purple belt in Brazilian Jiu Jitsu while you are there.

From the Newsosphere.

Via Dark Reading, a researcher is going to be demonstrating a remote permanent denial-of-service (PDOS) attack at EUSecWest this week. Should be interesting.

Also from Dark Reading, Fortinet has been awarded four new patents for network virtualization and security related inventions.

Information Week has a Reuters article up that informs us that the bill shielding U.S. telephone companies from lawsuits has passed the House.

Well that’s it. Have a great day.

Kevin


Interesting Information Security Bits for June 20th, 2008

June 20, 2008

And another Friday dawns. I hope yours goes well. Here we go with today’s bits.

From the Blogosphere.

Via Alan over at StillSecure, the Aberdeen Group is looking for some data on IT Security Patch and Vulnerability Management. To get it, they are asking for us to participate in a survey. We get a shiny report gratis if we do. I probably will.

There is a post up over at tssci-security that takes a look at several topics mashed together: the value of the CISSP certification, specialist or generalist when it comes to InfoSec, and a new project being put together by the OWASP group, the People Certification Project. Some interesting thoughts in both the post and comments. BTW - he references Dan Geer’s Source Boston keynote speech. It is well worth reading several times, as I believe I have noted before.

Looks like there are some local root shenanigans that can be exercised on a Mac with versions 10.4 and 10.5 of Mac OS X installed. Good old suid fun, but does it really matter? Check out Zero Day’s post and come to your own conclusions.

The Princess of Antiquity is tackling a fairly daunting task in bringing us a series of articles about cryptography that are couched in terms the layman can understand. The first is up and is well written. Check it out.

Tom over at Spylogic gave a talk about Online Social Networks: 5 threats and 5 ways to use them safely. He has made his presentation available here.

JJ has some good guidance for us if we are considering the implementation of 802.1X. Very good stuff.

Via Security4All, Backtrack 3 Final has been released.

From the Newsosphere.

Via NetworkWorld, Mitchell Ashley reports to us that Red Hat has decided to develop their own virtualization platform based on the Kernel Virtual Machine (KVM), which is built into the Linux kernel. Go read his article for the reasons for this decision.

From Hack in the Box and ARN, a new report is out saying that a skills shortage in IT positions, including security specialists, is causing salaries to rise. Good for those down under.

Have a great Friday and wonderful weekend.

Kevin



Interesting Information Security Bits for June 19th, 2008

June 19, 2008

Good day all. Got a pretty good bunch o’ bits to take a look at today. So, without further ado, here we go!

From the Blogosphere.

The Sunbelt blog warns us about some CareerBuilder jobs being emailed out which are scams. Be careful out there. They will get you any way they can.

Finjan came across over half a gigabyte of stolen US healthcare and airline data. Ouch.

Adam writes that Identity Theft is more than Fraud By Impersonation. He points out that in many cases the real pain of identity theft is not monetary, but dealing with the tarnishing of your good name as you try to clean things up. He has a good suggestion for trying to help with this issue. Go read about it.

Security4all points us to a couple of white papers that are worth a gander: The Extended HTML Form Attack Revisited by Sandro at EnableSecurity, and Defeating the Network Security Infrastructure by Philippe at Radarhack.com. They are both on my reading list now.

Irongeek has released a little tool called DecaffeinatID:

“DecaffeinatID is a simple little app that acts as an Intrusion Detection System (more of a log watcher really) to notify the user whenever fellow users at their local WiFi hotspot/LAN are up to the kind of ‘reindeer games’ …”

Looks pretty nifty.

Rich has another missive that deserves to be read more than once. He talks about database connections and trust. I am not going to attempt to summarize what he puts forth. Go read it.

You may have already heard about this, but an exploit for a vulnerability has been found in Firefox 3.0. It was reported to TippingPoint and passed on to Mozilla. They are working on a fix.

Amrit and Hoff are both talking about whether virtualization security is a technical problem or an operational problem. Both are good reads. I won’t spoil it for you by giving away their conclusions.

F-Secure has released version 3.0 of their Rescue CD. Could come in handy.

From the Newsosphere.

Via cjonline.com, some Kansas state equipment that was to be sold to the public contained confidential information. People, please make sure you have data retention, handling and destruction policies and procedures and that they are adhered to.

From Dark Reading, ICSA Labs Forum has advanced a security standard for IPv6.

Pointed to by Hack in the Box and reported by Computer World UK, two laptops without encryption have been lost, this time by an NHS trust in the U.K.

Again via Hack in the Box and reported by Wired, it looks like Citibank had an intrusion that allowed a couple of men to grab at least $750,000 from ATMs in New York City. Oops.

That’s it for today. Have a good one.

Kevin



Interesting Information Security Bits for June 17th

June 17, 2008

Hello all. Sorry I didn’t get yesterday’s post out. Today’s includes yesterday’s stuff and today’s, so it is a bit long.

From the Blogosphere.

DVLabs put a post up yesterday that is the first in a weekly feature that Cody is starting regarding reverse engineering tips and tricks. The first post takes a look at the Rhapsody Media Player. Interesting stuff.

Rafal gives us a real-world example of XSS. Worth a look.

Frank Cassano has part 2 of his Assessing your Organization’s Network Perimeter available. Part 1 is here. Good stuff.

Rich points out that in the world of SQL injection, it is very important that we collaborate with our database admins and architects to ensure we are restricting rights appropriately.

Lori points out that dynamic resource obfuscation can help us make the target much harder to find, let alone hit, for the evil haxors out there. She is not promoting security through obscurity, but suggesting that we can actively make it very difficult for an attacker to figure out what to attack.

Donald Donzal, the editor in chief at the Ethical Hacker Network, has posted a recording and slides of the presentation he gave at the SANS What Works in Pen Testing Summit titled “Remodeling your career for little to no money down”. I’ve got my copies downloaded and will be listening soon.

Via Xavier at /dev/random, Michael Boelen, the creator of Rootkit Hunter, has released a new tool that should be welcomed by all UNIX folks, Lynis: Security and System Auditing Tool. Go take a look.

Adam Dodge has a post up over at Security Catalyst that reminds us to keep in mind the samples used when reading a report. This applies to every report you might read that has statistical data in it, but he is specifically talking about the number of reports that have come out recently regarding breach statistics.

0x000000 has updated the mod_rewrite signatures used as a poor man’s web application firewall to add some banner obfuscation stuff. If you haven’t seen the full set, poke around on the site. It is good stuff.

Finally, the folks at Watchfire have an article up talking about cross environment hopping. This is where an XSS vulnerability is exploited to hop to another service hosted on the target client machine. Not cool. Go read it…twice :)

I will be posting the interesting bits from news sources a little later today.

Kevin
