Security Stallions Blog "Musings of all things infosec…"

15 Sep 2009

Daily Digs – 09.15.2009

Amazing, I actually started tonight's digs before 10pm.  Then I realized that I hadn't read most of what I marked for tonight so it'll take me just as long by the time I actually get this one posted.  I just can't beat time these days!

The 'cktricky and Web Application Security' blog had a post with some great insight into things to ask during an app sec test.  I've never actually run across this particular scenario before but the point is that JS pop-up warnings mean nothing to your proxy and may present warnings that the tester will never see (like "If you do this you'll break all of prod").  Anyway, read the post for the full rundown.
[BToD Target Scope and Precautions]

VeriSign's new DDoS attack protection service is an interesting topic for me.  I've dealt with countless large enterprise carrier services along with the architecture around load balancing and multi-homed environments.  So offloading all of your traffic in an event (i.e. throwing the BGP switch) to VeriSign seems a tad bit scary, oh - but no worries they'll route the good traffic back.  The other thing is all of the Netflow data VeriSign collects (to do this) is an interesting concept.  To me, architecturally, this looks like a bad idea and maybe I'll just have to dig into this one a little more.  For now you can start your own opinions by starting to read about it at the link.
[VeriSign Extends DDoS Attack Protection]

Work in defense?  Then COTS is something you probably deal with on a daily basis.  The funny thing is that when I started my career in the defense industry a lot of proprietary hard and software were being gutted for COTS.  Even I knew (as I started out as a System Engineering Associate), that the square peg they were jamming in the round hole didn't fit.  Apparently the cyclical monster is coming around in the DOD on this one.
[DoD Rethinking Build Versus Buy]

West side what?  Go figure - China modeling how to take down the US power grid for fun.  Reminds me of a conference I was at a few years ago in which a consultant disclosed some interesting facts about the substation and grid connections the Mall of America has in its substructure.  We then learned how to shut the lights off in all of the neighboring communities that particular day.
[DHS to Review Report on Vulnerability in West Coast Power Grid]

This was one of the best / most disturbing banking related articles I've read in a while.  It's also why you shouldn't do most any online business with HSBC.  I hope HSBC just had a PCI audit done by a large firm so that particular QSA can head to the chopping block.  This one's just downright "special" (and not really from today, but I ran across it in my feeds).
[So Funny I Forgot To Laugh]

This one came across the OSF data loss incidents list and it made me think.  Do you really think Jones General Store has any idea of PCI?  All the PCI attention today is focused on big business and infrastructure security, yet these types of processes still exist in hundreds of thousands of small businesses day in and day out.  In fact, this past weekend, I saw more carbon copies of card data at a local art fair than I'd care to pretend were still around.
[University Hill Shops Burglarized; Credit Cards Stolen]

As of this posting less than 19 hours until the Social Engineering Framework is released.  Mark it on your smartphone yo.
[Social Engineering: Exploiting Human Vulnerabilities]

All you need to know about this one: "Operation Hot Date", Dumb Sheriff in Florida, and Craigslist for your evening entertainment.
[Another Sheriff Goes After CL]

That's all he wrote for tonight boys and girls.  We'll leave you with some links to peruse, but without the colorful commentary.  Take care and keep your stick on the ice!  Also, first person to tweet "I won the easter egg hunt at www.securitystallions.com" and @s me in the message wins a $20 Starbucks gift card (first person = one winner).  Figuring out where to find me on Twitter should be trivial.  Get your tweet in before 10:30pm on Wednesday, September 16th 2009 Central.

[Does IBM Have a Fix for Banking Infrastructure?]
[Security Attitudes]
[Thoughts on the Cult of Schneier]
[Pwnage Tool and iPhone 3.1]
[AMD 'Eyefinity' Powers 24 Monitors]
[A BSoD and Possibly More]
[No TCP/IP Patches for XP]
[OpenDNS Announces Premium Cloud Services]

8 Sep 2009

Daily Digs – 09.08.2009

Good evening ladies and gentlemen!  I almost inadvertently said it was Monday and it feels like forever since the last digs.  I've been out of pocket and/or busy unfortunately and digs usually takes a little time to get together.  But they're back and for our Labor Day week we started out with a lot of great articles.  On to the show...

First up is the SMB vulnerability.  Ahhhh, flashback to the early 90s when BSODs were all the rage and ripe for the picking.  Microsoft has handed us a blast from the past - providing this undocumented feature in Vista and Windows 7!  I'm sure you've already read about this one today, but if not here's the original source:
[Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D]

As a strong proponent for great OSS I noticed today that OSSEC v2.2 is out.  Now sporting some fabulous WordPress plugin functionality and some other extra bells and whistles.  Check the changelog for all the dirt.
[OSSEC v2.2 Released]

Are you a web dev that happens to be working with Flash?  Sucks to be you.  I mean HP has just the thing to help make sure your code doesn't completely suck!  HP SWFScan to the rescue.  (Disclaimer: I haven't tried this software so I'm not vouching / recommending this in any way)
[HP SWFScan]

Apparently beer and pizza can be some great brainstorming food because 'cktricky' and 'jack_mannino' came up with how to use Burp through TOR to maintain your anonymity.  Mubix is the voice for the screencast if you're a fan.  Yeah, there's vid for all y'all #lazyweb folk.  No reading required.
[Obfuscating your IP using a Burp/TOR/Privoxy Combo]

I'm not sure where some of these organizations come from but here's a new one for me: ITIPA (Industry Trust for IP Awareness).  Yeah, not overly obvious but these guys came up with the all-clever 'Generation Y-Pay' label that they've given to the bulk of 16 to 34 year olds.  I fit this age range and gladly pay for all of my digital media.  Well, not always gladly, but I see the value and effort required to produce.  We're not all leechers ITIPA, maybe it's just those Brit youngsters.
[Generation Y-Pay]

Bored on your morning commute?  There's plenty of people out there that'll yammer their perspective on just about anything related to security these days.  Chris John Riley's compiled a great list.  Some of them are great and some of them sound like a broken record of Core Impact / Nessus advertisements, let's be honest.  Either way you can't beat the price!
[Filling Your iPod]

Ars has a fabulously more-in-depth-than-I-probably-needed article on the status of IPv4.  I don't agree with the general FUD laced throughout, but it's something to keep in mind.  Dust off those IPv6 books you bought from the last round of "OMG-THE-INTARWEBZ-IZ-ENDING-OH-HAI-IPV6", you'll need it - eventually.
[2010 Could be the Last Year of IPv4]

Not exactly the typical security relation here, but security in a different way.  More like security of interoperability when venturing into uncharted waters with regards to new tech.  Enter TomTom's OpenLR.  OpenLR will enhance your once boring drive to the grocery store through whizbang location based services that you'll wonder how you lived without.  OK, maybe not, but it's never a bad idea to be the first to open things up a bit - especially when it can be rather costly to build proprietary data stores that are constantly duplicated and generally lack timely updates when it comes to the GPS market.  The times they are a-changin'.
[TomTom Launches Open Source Navigation Product]

Apparently DHS wants to be accountable to PCI these days.  Philosecurity brings us the info on what was retrieved from the ATS system in a real copy of an American citizen's record.  Scary scary.  Scary.
[What does DHS Know About You]

FUN STUFF - I just had to throw this in because apparently one of the largest games of Monopoly starts tomorrow.  Best be stayin' away from 4th Ave N in the 612 - all mine.
[Google Maps Giant Game of Monopoly]

I remember the days gone by when I used to rent a Nintendo on a Saturday morning and play non-stop until I had to return it the next day (my parents allowed computers but not consoles).  Now you can rent a botnet by the day!  Who'd have thunk?
[Want to Rent an 80-120k DDoS Botnet]

And here we go with some new trials and tribulations.  Some favorited tweets of the day:
--------------------------------------------------------------------------------------------------------

10 Aug 2009

Daily Digs – 08.10.2009

Monday, bloody Monday.  At least we're in the clear!  Some interesting news as of today so with no further announcements let's dig right in.

Our first link is for a tool distributed, for free, from Sophos: Anti-Rootkit software.  It's recently been updated to support 64-bit versions of Windows and the upcoming Windows 7 (which, let's hope, brings the majority of Windows users into the 64-bit world).  No black-tie release event for this version, but at least Sophos is still putting it out there for "free".
[Sophos Anti-Rootkit Updated]

If you're in the Minneapolis / St. Paul area and you're in, well, pretty much any field you've probably heard horror stories of United Health Group.  If we haven't had enough reasons to hate on UHG they're giving us a new one apparently!  Let's see here - they're not only selling the marketing data but also mapping risk ratings for health and life insurance purposes.  Way to go UHG!  You get my swift-kick-in-the-ass award for today.  If you can, do business elsewhere, UHG seems to treat their employees badly on top of the shady business practices.
[Your Prescription Data Has Been Sold For Profit]

Next up is some new functionality that will probably find its way into Metasploit.  Max's Remote-Exploit blog has all the details on 'psnuffle' including a screencast of the functionality.  Jam out to the techno beats while you watch the module in action!
[Psnuffle Password Sniffer]

I'm all about the Verizon Business Data-Breach Report.  That being said I think big vendors / carriers generally have over-hyped and under-performing security services in general.  Hopefully the security service doesn't share any of the service provisioning speeds that generally are, shall we say, not break-neck?  Anyway, if you're into hiring a big firm to do your due diligence for you Verizon can offer it on a silver-platter with a bill to match I'm sure.
[Verizon Business to Offer Risk-Based Security Service]

I happened to post this one earlier in the day and it got quite a bit more attention than I had expected.  The RedTeam blog has some Gimp pwnage fun that shows you how to embed some sneaky PHP in a GIF.  That and @hdmoore pointed out to me some extra fun to go along with the 'sploit. Double whammy!
[0wning with Gimp]

All your base are belong to...  Committers?  Sure.  Or just go patch Subversion if you haven't already!
[Holes Closed in Subversion]

One of the more prominent elite when it comes to OS X hacking: Dino Dai Zovi has posted to his blog a new article all about, you guessed it, rootkits!  This goes with his recent Black Hat talk and includes the preso, paper and code.
[Advanced OS X Rootkits]

So you want to speak at RSA in 2010?  Well, you better get in gear because the call for proposals is quickly coming to a close.
[RSA Call for Speaking Proposals Due August 14th]

SANS has a rockstar intro up to memory forensics today.  The write up includes looking at Mantech MDD and Volatility (which we've linked previously).  If you're just getting your feet wet in forensics this quick run through definitely won't hurt!
[Memory Forensics: A Practical Example]

I asked myself a couple weeks ago this very question: "Why in the **** is the .NET Framework Extension installed in Firefox?" and now I have a fabulous answer.  Wladimir Palant, of Adblock Plus fame, has a very thorough write up with linkage to other articles in the press.  If you use Adblock, you'll want to read this.  Microsoft up to their shady shenanigans - again.
[The Return of .NET Framework Assistant]

Tsk tsk, reinventing the wheel is BAD.  Especially when dealing with crypto.  And doing crypto in JS!  Don't believe me?  Well, you don't have to take my word for it, but how about going back to the link to Nate Lawson's "Crypto Strikes Back!" Google Tech Talk and you'll understand why.  The devs themselves even say it's only a "base level of security" (uhhh, there's no auth), so why not just save yourself the trouble and avoid it?
[jCryption 1.0 Released]

Fortinet is, apparently, going for the gold.  And in this case "gold" being public shares.  El Reg has a story up regarding the rare happening.
[Fortinet IPO]

Put this link out in mainstream C-Level inboxes and you'll have all kinds of heads rolling on Tuesday afternoon.  SANS has a post up about the consideration of renewing your A/V solution.  If you're not a complete security n00b you probably already knew that A/V is a waste of CPU cycles and whitelisting, not signature based blacklisting, is the only way to really go forward in today's shikata ga nai world.  Duh.
[Don't Renew that Antivirus Contract]

Looks like DHS is in the tubes these days.  Obama has another catastrophic fail on his hands with the latest being Mischel Kwon putting in her resignation to (shocker) go work in the, much higher paying, private sector.  Maybe if I tweet The Prez he'll mention me on Facebook and we can talk about it over Skype later.  Or how about this: maybe stop trying so hard with the communications outlets and focus on doing and not talking for a few months.  Because, we all know, Cash for Clunkers is really helping out!
[Mischel Kwon Resigns]

We end today's string of ranty-posts with the exclusive in-depth that Tom's Hardware has posted of Charlie Miller on the iPhone SMS exploit.  Check it out, I was slightly tickled when I saw reference on the first page to AT commands.  GO GO GADGET MODEM!
[Exclusive Interview with Charlie Miller]

We commented all the good articles today so, don't hold your breath, no grab bag for today!

-windexh8er