Bookmarks for June 5th through June 22nd

These are my links for June 5th through June 22nd:

  • Security Onion – The Security Onion LiveCD is a bootable CD that contains software used for installing, configuring, and testing Intrusion Detection Systems.
  • YouTube – Episode 4: Visualization of Crime – In the fourth episode of Team Cymru's 'The Who and Why Show', Marcel van den Berg takes us through a few animations charting our unique global insight into the Underground Economy.
  • Social Engineering: 5 Security Holes at the Office (Includes Video) – CSO Online – Security and Risk – We poked around a secure building with social engineering expert Chris Nickerson and found several ways a criminal could get inside and access sensitive data.
  • Pretty-Bad-Proxy: An Overlooked Adversary in Browsers’ HTTPS Deployments – Microsoft Research – HTTPS is designed to provide secure web communications over insecure networks. The protocol itself has been rigorously designed and evaluated by assuming the network as an adversary. This paper is motivated by our curiosity about whether such an adversary has been carefully examined when HTTPS is integrated into the browser/web systems. We focus on a specific adversary named “Pretty-Bad-Proxy” (PBP). PBP is a malicious proxy targeting browsers’ rendering modules above the HTTP/HTTPS layer. It attempts to break the end-to-end security guarantees of HTTPS without breaking any cryptographic scheme. We discovered a set of vulnerabilities exploitable by a PBP: in many realistic network environments where attackers can sniff the browser traffic, they can steal sensitive data from an HTTPS server, fake an HTTPS page and impersonate an authenticated user to access an HTTPS server. These vulnerabilities reflect the neglects in the design of modern browsers – they affect all major browsers…
  • SandCat | PenTestIT – SandCat has two versions – free & pro. Both these versions are programmed with the Open Web Application Security Project (OWASP) and the SANS Institute vulnerabilities in mind. You can also scan for the latest buzz word in the security market: WebDav with this tool. Basically, SandCat is a remote web application security assessment scanner. You can scan for almost all web application flaws. Sandcat remotely injects data in the web applications and analyzes the application response. This helps it to determine if the application code is vulnerable to specific attacks such as SQL Injection, XSS, and many other web application vulnerability flaws.
  • Greg Miller’s Guide to Lock Picking for Beginners
  • The Ultimate Lock Picker Hacks Pentagon, Beats Corporate Security for Fun and Profit – Tobias is laughing. And laughing. The effect is disconcerting. It's a bwa-ha-ha kind of evil mastermind laugh—appropriate if you've just sacked Constantinople, checkmated Deep Blue, or handed Superman a Dixie cup of kryptonite Kool-Aid, but downright scary in a midtown Manhattan restaurant during the early-bird special.
  • Security Musings » Blog Archive » How does SSL work anyway? – We talk a lot about how SSL is useful, but how exactly does it work? Most systems today use SSL v3/TLS v1 rather than “SSL”, and the nitty gritty details are found in RFC 2246.
  • MIR-ROR – Home – MIR-ROR: Motile Incident Response – Respond Objectively, Remediate. MIR-ROR is a specialized security incident response command-line script that calls specific Windows Sysinternals tools, as well as some other useful tools, to provide live capture data for investigation.

    You can easily enhance MIR-ROR to your liking with whatever command line tools you find useful.
    As an incident response resource, we’ve found it indispensable.
    Windows Sysinternals licensing prevents us from bundling the tools in a distribution package; you’ll have to retrieve them.

  • Nine out of ten work PCs fail on basic security | Graham Cluley’s blog – Ninety percent of corporate PCs are a security risk because they are not fully patched, or do not have basic security such as anti-virus software and firewalls properly installed.

Bookmarks for May 15th through June 3rd

These are my links for May 15th through June 3rd:

  • 10 Essential Firefox Plugins for the Infosec Professional | dmiessler.com
  • Free: USAF-Hardened Windows Build (…well kinda…)
  • r00tkit Analysis: What Is A Rootkit
  • The CFReDS Project – NIST is developing Computer Forensic Reference Data Sets (CFReDS) for digital evidence. These reference data sets (CFReDS) provide to an investigator documented sets of simulated digital evidence for examination. Since CFReDS would have documented contents, such as target search strings seeded in known locations of CFReDS, investigators could compare the results of searches for the target strings with the known placement of the strings. Investigators could use CFReDS in several ways including validating the software tools used in their investigations, equipment check out, training investigators, and proficiency testing of investigators as part of laboratory accreditation. The CFReDS site is a repository of images. Some images are produced by NIST, often from the CFTT (tool testing) project, and some are contributed by other organizations. National Institute of Justice funded this work in part through an interagency agreement with the NIST Office of Law Enforcement Standards.
  • Test the strength of your password policy | Security Central – InfoWorld – Roger Grimes presents a useful tool for figuring out how susceptible your network might be to a password-cracking attack
  • Registry Structure – This web page contains the full report of this MSc project complete with the source code to all the programs and utilities that were produced. It is reproduced and made available here in support of the Computer Forensic community in particular and of knowledge in general.
  • DIY CISS Degree: 100 Open Courses on Computer Information Systems and Security | Computer Colleges – Whether you’ve been accepted to a degree program and want to work ahead, already have a degree and want to learn more or just want to delve into the world of computer and information systems, you’ll find plenty to keep you busy through a variety of open courseware offerings. From courses that teach the basics of computer science to those that delve into specialty areas, you’re sure to find something that will help you learn more and gain confidence in the field.
  • :: Bonsai Information Security – moth :: – Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for:

    1. Testing Web Application Security Scanners
    2. Testing Static Code Analysis tools (SCA)
    3. Giving an introductory course to Web Application Security

  • 8 Tools to Find Someone Online – Stepcase Lifehack – Finding a way to contact someone has gotten a lot easier: just type their name into Google and follow a few links. For many people, you’ll quickly find a profile on Facebook, a blog or even an email address you can use to get in touch. But a Google search doesn’t turn up good results for everyone. Maybe the person you’re trying to reach has a fairly common name. You may need a tool a little better than a simple Google search to find him.
  • SANS Institute – Network, Security, Computer, Audit Information & Training – Interested and want to learn more? Try one of the four free SANS mini courses. These mini courses are designed to take 20-30 minutes to complete. They will introduce you to this learning environment and teach you something that you can apply immediately to make your network more secure. Simply click on the free mini course below that interests you.

Bookmarks for May 1st through May 14th

These are my links for May 1st through May 14th:

Windows 7 and XP Mode (XPM)

An interesting thought came to mind while reading the Windows Incident Response blog yesterday. A link provided by Claus brings up an interesting concept, XPM. Windows XP Mode (XPM) is a “Virtual PC-based virtual environment and a fully licensed copy of Windows XP with Service Pack 3 (SP3). It will be made available, for free, to users of Windows 7 Professional, Enterprise, and Ultimate editions via a download from the Microsoft web site.” Sounds cool, but what happens with the security patches that come out after SP3? With so many people who don’t bother to patch their systems, would this just create a bigger problem, with two possibly unpatched operating systems available as a target to exploit? There seem to be some kinks that need to be worked out on the security end, as I have not heard any talk of how this will be patched and what will happen once XP is no longer supported. I will be curious to see how this pans out in the near future.

EDIT: Some more interesting news has been coming out about XPM (via Slashdot):

Microsoft, Intel goof up Windows 7’s “XP Mode”

Windows 7’s ‘XP mode’: Right idea, wrong technology

Windows 7’s ‘XP Mode’: A Great Idea, on Paper

Great week for Webcasts/Podcasts or Cheap Training

As I looked at my calendar last weekend, I wondered why it was so packed.  Aside: Hey, I am a Sys Admin.  My meetings tend to be more spontaneous, like my computer is on fire or the website is down.

Turns out there were 6 great events going on this week:

1.  Pauldotcom put on Part 2 of Zen and the Art of an Internal Penetration Testing, which covered using tools such as Nessus, Core Impact, and Metasploit for tying vulnerability scanning, penetration testing and reporting into an efficient, repeatable testing process.  I did not get a chance to listen to all of this, but look forward to a recording being released at a later time.

2.  Rob Lee brought us Memory Analysis for Incident Responders and Forensic Analysts. I thought that this was an incredible webcast which gave great insight about why memory analysis is important, which tools to use for acquisition and analysis, and sample cases on memory analysis. I would highly recommend anyone interested in security/forensics to go back and listen to this webcast. Also, version 1.3 of the SIFT Workstation was just released, so be sure to pick that up.

3.  Larry Pesce brought us the monthly Late-Breaking Attack Vectors Webcast, where he discusses the latest happenings in attacks. Items covered were the ever so popular Mikeyy Twitter worm, OS X botnets, and many others. Larry did an excellent job and this webcast is always worth a listen.

4.  Chris Nickerson and Mike Murray discussed Modern Social Engineering Part II – Top 5 Ways to Manipulate Humans Over the Wire.  Social Engineering is a technique usually not discussed as much as using vulnerabilities or exploits to get inside a network, but Chris and Mike go deep into how to manipulate people.  They do an excellent job expanding on Part I and give real world examples throughout.  Also at the end there is a fairly long Q&A which discusses some interesting techniques.  If you would like to learn more, check out ChicagoCon coming up.  Looks like a great opportunity to interact with some of the great minds in security and it is cheap! ($100).  Also be sure to check out Chris’ new podcast Exotic Liability.

5.  Pauldotcom celebrated its 150th episode with a 12 hour extravaganza featuring guests such as Lenny Zeltser, Martin McKeay, Johnny Long, Stephen Northcutt, and many others. This episode will surely keep you entertained for a long while to come!

6.  Mike Murray and Danni Lupisella presented on many of the threats that popped up in quarter 1 2009 in their Midnight Hacking webcast.  This was a great webcast that allowed for interaction directly with the presenters and covered great content such as mobile phone vulnerabilities, SSL exploits, and Conficker.  These appear to be monthly and I look forward to attending them on a regular basis.

A little while back this question came up on the SecurityTwits feed from michealc:

Well Micheal, here is your answer. These types of webcasts are probably the best online security training you can have for the money (free). They allow you to hear an excellent presentation from some of the best minds in information security and then interact with those great minds during question and answer sessions. I have been to a few trainings in the last year or so, but some of these webcasts are much better as far as content, presenter knowledge and style. Keep your eyes on Twitter and the securitytwits feed for more great webcasts/podcasts.

Bookmarks for April 26th through April 29th

These are my links for April 26th through April 29th:

Bookmarks for April 13th through April 23rd

These are my links for April 13th through April 23rd:

The cost of a lost laptop? $50,000

A study (PDF) put out by the Ponemon Institute yesterday has the average cost of a lost laptop at $49,246. This includes the following components: replacement cost, detection, forensics, data breach, lost intellectual property, lost productivity, and legal expenses. The total variation was incredibly large, from just over $1K to just under $1M.

2 interesting points that I see:

Encryption makes a difference. When lost laptops have encryption, the average cost of the lost laptop is $37,443. If it is not encrypted, the average cost is $56,165. This is almost a $20,000 difference in the cost.

Only $20K? I would think that having a properly encrypted laptop would take out almost all costs other than replacement and lost productivity. Of course, the best encryption is not going to defeat the user who tapes the encryption key to the laptop. However, if all encryption rules are followed, I pretty much thought this was a safe bet?

The existence of a full backup increases the average cost of the lost laptop. There is an inverse relationship between the average cost of a lost laptop and the existence of a full backup. The average cost of a lost laptop with a full backup is $69,899 as opposed to $39,253 when there is no backup system. One possible reason for this is that the backup makes it easier to confirm the loss of sensitive or confidential data. In other words, it could be the ignorance is bliss hypothesis.

Wow, save money by not doing backups! Quite an interesting piece of information, with data to back it up. Who is going to go to the VP and say we can save money by not doing backups? ;-)

Tie this in with 12,000 lost laptops per week at airports, and that is quite a large chunk of change.

Bookmarks for March 26th through April 13th

These are my links for March 26th through April 13th:

Calling all forensics experts!

These questions have been on my mind for a while, and a recent data breach makes me want to get some answers from the experts.

On plenty of breaches I read the following lines:

“We have no reason to believe that this information was accessed by unauthorized individuals…”

“It cannot be determined with certainty that any data was pulled from a computer by infectious software…”

“there is no indication that any of the information has been misused…”

These lines seem to be from the first pages of “Breach Notification for Dummies”, because I have hardly read an announcement without one of these types of statements. My questions are: how do they know that it has not been misused, and if they know that it has not been misused, why can it not be determined whether the data has been pulled from the computer? I kinda thought that this was the whole point of forensic investigation, finding out what the bad guy did once they were on the machine. Is it money, time, notification time (i.e., the drive cannot be analyzed quickly enough before notification is necessary), historical data (obviously not every breached computer with PII leads to ID fraud) or a combination of everything?

Am I missing something here? I would love to hear what everyone thinks.

UPDATE 04/16/2009: Dave Hull tweeted a link to the Security Breach Notification Symposium, which should give some great insight into the topics discussed in this post. The audio/slides for the talks have recently been posted. Thanks everyone for the great comments!