Monday, October 20, 2008

Spliced feed for Security Bloggers Network

(Image) [Security Circus]

Posted: 20 Oct 2008 05:04 AM CDT



(Image) [Security Circus]

Posted: 20 Oct 2008 04:55 AM CDT



Grecs’s Infosec Ramblings for 2008-10-19

Posted: 19 Oct 2008 11:59 PM CDT

Information Gathering with Maltego

Posted: 19 Oct 2008 08:51 PM CDT

Last Wednesday I gave a presentation to the Northeast Ohio Information Security Forum on Maltego, which is a fantastic tool for information gathering. The presentation focused on a high-level overview of the application and how it can be used for all types of security-related work, including security assessments, investigations and helping find public information about a company or person.

You can download the presentation here. Like I mentioned at the talk you can get more information on Maltego from the Paterva website. If you are looking for a few good tutorials you can check out part one and part two on or

ISSA - Baltimore Chapter Infosec Meetup Event - Wednesday, 10-22: Network Pen Testing

Posted: 19 Oct 2008 05:40 PM CDT

Here is some information regarding this week’s Wednesday ISSA - Baltimore Chapter infosec meetup event. You can’t go wrong attending a general pen test talk! There’s always something more to learn.

For more information on the ISSA - Baltimore Chapter, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the page with information on this meetup.

ISACA - NCA Chapter Infosec Meetup Event - Wednesday, 10-22: ERP and Continuous Audit Monitoring

Posted: 19 Oct 2008 05:25 PM CDT

Here is some information regarding this week’s Wednesday ISACA - National Capital Area (NCA) Chapter infosec meetup event.

  • Who: Don Adams
  • What: ERP and Continuous Audit Monitoring
    • This full-day conference will provide participants an overview of (1) Oracle Security and controls, (2) automating ERP application audits using real-life examples in an SAP environment, (3) Continuous Controls Monitoring, and (4) Governance Risk and Compliance 101 - GRC Perspectives and Building Blocks within SAP 101.
  • When: 10/22, 8:00 AM - 4:45 PM EST
  • Where: Ronald Reagan Building & International Trade Center (1300 Pennsylvania Avenue NW; Washington, DC 20004; the Federal Triangle metro stop is located on site and Metro Center is two blocks away)

For more information on the ISACA - NCA Chapter, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the page with information on this meetup.

ISSA - DC Chapter Infosec Meetup Event - Tuesday, 10-21: Endpoint Security 2.0

Posted: 19 Oct 2008 04:42 PM CDT

Here is some information regarding this week’s Tuesday ISSA - DC Chapter infosec meetup event. This looks to be a very interesting session on whitelisting applications. I’ve been thinking for a while that this is probably the only way we’re going to make a dent in curbing the proliferation of malware. It’s useless trying to play detect and react. The security industry needs to be more proactive and whitelisting may be one tool that we can use. It’s been done with firewalls and many companies are now doing it for web sites as well. Applications are probably next in line.

  • Who: Daniel Teal, CoreTrace
  • What: Endpoint Security 2.0: The Emerging Role of Application Whitelisting Solutions
    • Traditional endpoint security solutions are becoming less effective against the constantly changing threats of today. Anti-virus, anti-adware, host IPS, and other solutions have been defeated by skilled attackers and insider threats. This session will review the limitations of current generation products and present new technologies being developed by the security industry - most notably application whitelisting solutions - that can address the ever-changing threats organizations face.
  • When: 10/21, 6:30 - 8:00 PM EST
  • Where: Radio Free Asia (2025 M Street NW; Washington, DC 20036; in the first floor conference room)

For more information on the ISSA - DC Chapter, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the page with information on this meetup.

Silverlight 2 Released [CGISecurity - Website and Application Security News]

Posted: 19 Oct 2008 03:41 PM CDT

From the blog. "Today we shipped the final release of Silverlight 2. You can download Silverlight 2, as well the Visual Studio 2008 and Expression Blend 2 tool support to target it, here. Cross Platform / Cross Browser .NET Development Silverlight 2 is a cross-platform browser plugin that enables rich...

Chinese hackers score goal on S. Korean soccer website [The Dark Visitor]

Posted: 19 Oct 2008 09:06 AM CDT

On 17 October, Chinese hackers defaced the South Korean Soccer Association website. According to the article, the Chinese soccer team has suffered a “Korean Phobia” in past encounters with the South Korean team. This may have been an attempt by the Red Hacker Alliance to show that no such phobia exists…somehow.

The defacement also illustrates that the hackers are not happy with claims that Chinese characters and Confucianism originated in South Korea.

The defacement reads:

“In addition to Confucius, the Emperor and Bush…martians are also South Korean”


Grecs’s Infosec Ramblings for 2008-10-18

Posted: 18 Oct 2008 11:59 PM CDT

Cloud Computing, Virtualization and IT Diseconomies [ARCHIMEDIUS]

Posted: 18 Oct 2008 06:19 PM CDT

Cloud computing has become a reality, yet the hype surrounding cloud has started to exceed the laws of physics and economics. The robust cloud (of all software on demand that will replace the enterprise data center) will crash into some of the same barriers and diseconomies that are facing enterprise IT today. Certainly there will always [...]

Workaround for Kubuntu 8.10 (Intrepid) problems with “.local” DNS addresses [Robert Penz Blog]

Posted: 18 Oct 2008 08:25 AM CDT

I installed Kubuntu 8.10 (Intrepid) Beta on one of my workstations at work this week and I had real problems getting onto the internet. Why? We have a PAC (proxy auto-config) script for our proxies and that PAC is reachable under http://pac.companyname.local (you put that into your browser). The problem with this setup is that somehow Kubuntu has problems resolving the .local DNS zones. I did the following as a workaround:

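$ sudo vim /etc/nsswitch.conf

# original line (mDNS is consulted for .local names before DNS):
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4

# changed to (only the hosts file and DNS are used):
hosts: files dns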

I hope Google helps others to find this post fast, so they don’t need to search that long for a workaround.

Grecs’s Infosec Ramblings for 2008-10-17

Posted: 17 Oct 2008 11:59 PM CDT

  • PERFECT CLIENT: Encapsulation options could include MokaFive and MojoPac.

IRS Computers Full of Security Holes [The IT Security Guy]

Posted: 17 Oct 2008 09:17 PM CDT

The IRS has sensitive data about 130 million people filing tax returns. But their computer systems storing that data have inadequate security controls, according to a study by the Treasury Inspector General for Tax Administration in a report released in September.

The security issues run the gamut from inadequate access controls and lack of auditing of privileged users to weak application security.

The study focused on the Customer Account Data Engine (CADE, for you acronym junkies who aren't US government employees), which is meant to streamline access to taxpayer data. I guess now that would also streamline access for hackers, as well.

The IRS was aware of the issues but didn't think they were important. Now, they do, and have agreed to work with the Inspector General's office to fix the vulnerabilities, the report says.

OWASP European Summit 2008 is November 3-7 in Portugal [CGISecurity - Website and Application Security News]

Posted: 17 Oct 2008 03:33 PM CDT

Matthew Chalmers submitted the following news. "With the theme "Setting the AppSec Agenda for 2009" the OWASP Summit will be a worldwide gathering of OWASP leaders and key industry players to present and discuss the latest OWASP tools, documentation projects, and web application security trends. Join us in Portugal in just...

An interesting (to me) discovery... [PaulDotCom]

Posted: 17 Oct 2008 03:26 PM CDT

For you listeners of the podcast, you may be aware that I'm doing some research into utilizing document metadata, and the inferences that an attacker can make about the victim's overall operating environment. This analysis would allow an attacker to be able to deliver more accurate, targeted attacks against a victim.

One of the tools that I've been using is Exiftool, which at its core, is an overdriven command line front end to all of the options of libexif.

The other day I discovered an advisory about an integer-overflow vulnerability in libexif, the basis to several other tools I've been looking at as well. There is no known vulnerability, but from the description, it seems fairly trivial to create a corrupt file to trigger the condition.

Time to proceed with my analysis with more caution.

That said, you should always be analyzing unknown, untrusted files in a protected environment. Maybe the environment is an air-gapped machine, or a VM with no networking that you can revert to a known state. This, all in your non-production lab of course.

This also brings up some more points. I relate this to some of the updates to the tools that many of us use every day that introduce vulnerabilities into our environments. Don't forget that the complexity of the options in a tool (Wireshark for example), or the complexity and implementation of a standard (Exif, 802.11) all contribute to some potential downfall.

That said, I love multi-purpose, extensible tools and standards (Wireshark, Exif and 802.11 included!), but for these complexity reasons, it is important to keep them up to date, and evaluate the implementations.

Sometimes this is easier said than done.

- Larry "haxorthematrix" Pesce

PRC .gov to photograph net cafe patrons [The Dark Visitor]

Posted: 17 Oct 2008 08:31 AM CDT

I only post this article because it mentions one of Heike’s favorite subjects.

This China Journal article covers news that the PRC government is requiring net cafes to skim ID cards for patrons and to take a photograph for first-time users. Advocates of this new measure point to widespread problems with Internet addiction.


Grecs’s Infosec Ramblings for 2008-10-16

Posted: 16 Oct 2008 11:59 PM CDT

What does VERT do? [360 Security]

Posted: 16 Oct 2008 11:09 PM CDT

This week was Microsoft's monthly patch release and you may have noticed that we didn't blog a list of the released advisories, since you can find them all over the net (here, here or even here). I did, however, want to mention a few things.

One of the things that I wanted to mention was MS08-060, which was discovered by a colleague of mine - Paul Miseiko. Paul discovered this vulnerability while working on another MS Update earlier this year. We worked with the Proof of Concept code for a little while to make sure we didn't waste Microsoft's time by reporting something they'd already fixed. After testing we passed the proof of concept and details along to Microsoft, and now we have a patch.

The reason I wanted to bring this up is actually completely unrelated to Microsoft and Patch Tuesday, and leans more towards Paul's discovery. When I mention I work in security or security research, the first thing people tend to say is, 'Oh, you're a hacker.' In fact, on my way home last night the cab driver asked why I was out so late (working on MS Tuesday of course). I said I was working, and he asked what I did... I said I work with computer security and he immediately said, "So a hacker?". I only mention this because it's a common misconception that occurs in the general public when you put the words 'computer' and 'security' together. I actually find it's similar to a common misconception that occurs within the IT community.

Quite often when I'm speaking to others in the community, be it IT or IS, I'll find myself saying I do security research. A common response is, "So have you found any interesting vulnerabilities lately?" While the general public equates 'security research' or 'computer security' to 'hacking', we tend to equate it to 'vulnerability discovery'. Yet that's not what I do on a daily basis, nor is it what the other members of VERT do. The same is true for many people that perform research on a regular basis (AV Researchers, IDS Signature Developers, etc).

So then, what do we do? If you already know, you might just want to skip to the links at the bottom of the post. For those who don't know what we do every day: I'd like to say we do everything... but that would be a little far-fetched. Some of what we do can be summed up as Vulnerability Detection and Application Feature-printing. However, this entails a lot of different things. Reverse engineering and packet analysis are a couple of things that come to mind. That being said, we also work extensively with multiple operating systems, perform a fair amount of Python development and analyze various protocols.

While vulnerability detection doesn't sound very interesting (compared to say vulnerability discovery or exploit development) it is quite often harder than either of those tasks. One of the key points is to be non-invasive. If you know something is vulnerable and are able to reach the vulnerable code, you can trigger the vulnerability (even if you perform a denial of service, instead of actually performing a buffer overflow, for example). It's much harder to figure out what else has changed between versions of the software. That's how you feature-print the application and based on accurate feature-printing of specific versions of applications, that's one way to identify which versions are vulnerable. This is more than writing a banner check, as banners are quite often hidden or modified; this is about understanding how the application acts on a protocol level.

Since we delve rather deeply into the applications, looking for differences that won't trigger the vulnerability, we find ourselves discovering vulnerabilities such as MS08-060. It isn't our intended focus but when you dig in like we do it's bound to happen.

For those of you that already knew what we did, maybe you picked up something new. For those of you that didn't... now you know.

Techno Forensics Conference Infosec Event

Posted: 16 Oct 2008 09:59 PM CDT

TheTrainingCo will be holding this year’s Techno Forensics Conference infosec event at the end of this month. Here are the logistics for this year’s conference:

  • Who: TheTrainingCo
  • What: Techno Forensics Conference
    • Techno Forensics 2008 is presented by NIST, Maryland InfraGard, ICFP, and University of Fairfax. The conference is founded on the principles of standardization in the field of digital evidence investigation. The conference will cover many of the general disciplines in the areas of digital evidence investigation to include some of the latest information on software and hardware solutions.
  • When: 10/27 - 10/29/2008
  • Where: NIST (100 Bureau Drive, Gaithersburg, MD 20899; Administration Bldg. 101)

For more information on the Techno Forensics Conference, see its description in our Infosec Conferences section. View our Calendar for a list of similar infosec events in and around the NoVA area. See the Techno Forensics Conference main page for more information.

Autumn 2008 Edition of 2600 on Newsstands [The IT Security Guy]

Posted: 16 Oct 2008 09:34 PM CDT

It seemed a bit early, but I happened to see the latest issue of 2600 on the newsstand this week, and snapped it up, as I do every three months.

As always, there's some good stuff in here. There are articles about Tor, cyberwar, Google Analytics, Blackhat SEO, pen testing and USB forensics.

New & Improved PaulDotCom Mailing List [PaulDotCom]

Posted: 16 Oct 2008 03:33 PM CDT

While we love Google (I mean, they make a fantastic search engine), it was time to say goodbye to Google groups and get our very own mailing list server. Look for more good things to come on that front...

In the meantime, I have moved everyone over from the old Google groups mailing list to the new one. The "PaulDotCom" mailing list is for discussions about the show, general computer and network security topics, hacking, and the like. Feel free to discuss and ask questions. If you don't get an answer right away, be patient, it may take some time before people are able to respond.

If you have not yet joined the mailing list, then what are you waiting for?

You can subscribe here.

You just have to join the debate, who knows, we may even bat around the old "Ninjas Vs. Pirates" debate just for fun.

(Just sayin', Ninjas rule!)


